-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Schwartz
Sent: April 19, 2004 12:57 PM
To: 'Dr. Jeffrey Race'
Cc: nanog@nanog.org
Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
Firstly, who enforces it? The reason it "works" with cars is that the state (or province for those of us north of the border) effectively says "you can't drive a car without this lovely piece of paper/plastic that we'll give you" and "if we find you driving a car without the lovely piece of paper/plastic, you're going to be in serious trouble". Are you proposing that each jurisdiction that currently licences drivers also licence Internet users and tell ISPs "sorry, but if they don't give their licence, you can't give them an account"?
That's not a problem. The state licenses drivers but it also owns the roads.
Yes... And the state doesn't own the Internet, and can't SEE the Internet (or its component networks). How does it enforce who uses it?
Secondly, HOW do you enforce it? Motor vehicles only require a licence to be operated on public roads in all jurisdictions I'm aware of. IANAL, but if some 14 year old kid without a licence wants to drive around on his parents' private property, that is not illegal.
So? If you want to mess around on your private network, I don't care either.
And exactly how do you separate public and private networks, from the point of view of law enforcement? In the driving world, public roads are easy enough to enforce things on... Besides, there are no [major] public networks, if by public, you mean taxpayer-owned... If you mean publicly accessible, that's another story, of course...
Now, the instant that vehicle leaves the private property, it's another story (assuming, of course, cops around to check licences. In some jurisdictions, this is more true than in others).
Exactly. You want to go on someone else's roads, you do so only by their rules.
But my point is, they can SEE you. If I drive out on the roads of whatever state/province/municipality/etc, their authorized agents (read: cops) can SEE me and stop me. Try and do that with my IP packets. You try and track the IP packet that you are getting from my machine to me as a human... Sure, you can do it, if you have an army of lawyers in a bunch of jurisdictions, but it's not like the cop who sees a moron driving badly and just pulls them over, at which point they HAVE the moron in their hands... You can have my packets going around into your network without having physical access to me, but you CAN'T have my car driving around (unless I'm not driving it :P) in your roads without me being in it. So, how do you ask my packets for my computer licence?
My point is, driving is ONLY regulated when it is done in public view, for obvious reasons. Computer use is an inherently private activity, so how do you propose to verify that the person using a computer is in fact licenced? Mandatory webcams? :P
So you can drive however you want on *my* driveway? That's not public view, is it? If there were only private roads, I'll bet you that private road owners would have come up with a licensing system quite similar to what we have today, for liability reasons if nothing else. You might also notice that you can't get liability insurance without a license even though that insurance is issued privately, and there aren't many road owners who let you drive on their roads without insurance.
If I drive on YOUR driveway without a licence, assuming I can GET to your driveway without driving on a public road (e.g. someone with a licence drives me to your driveway), I'm guilty of trespassing on your property, but I don't think I'm guilty of driving without a licence. And why would any insurer insure somebody without a licence? Sounds to me like financial suicide, assuming driver licencing actually DOES keep morons off roads...
Thirdly, WHO do you enforce it against? It's pretty difficult (and illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and drive someone's car without their explicit knowledge and permission. (Okay, so you can hotwire a car, but...) It's very easy for someone other than the computer owner or ISP contractholder to have access to it and abuse it and stuff.
I'm not sure I understand why you think this is so. My kids know that my computer is off-limits to them just like they know my car is off-limits to them. They are physically capable of obtaining access to either without my permission.
You're an IT professional. This isn't about you. This is about the random family with the "family computer" that everybody installs random crapware onto in the kitchen or den. Does the same apply in that situation?
So what do you propose? Mandatory cardreaders on all computers? Fingerprint scanners integrated into keyboards? How else can you avoid Mom logging online, and then letting the unlicenced kids roam free online, allegedly to do "research for school"? Do you want to fine/jail/etc Mom if the kids download a trojan somewhere?
I would presume that a license would include the rights to allow others to use your access under appropriate supervision or with appropriately restrictive software.
Again, without enforcement officers in your house, HOW do you propose to enforce this? Besides, last I checked, driver's licences don't give you the right to have your kids drive without a licence if you're in the vehicle. The kids (at least in the jurisdictions I know of, this may not apply to all 60+ jurisdictions in North America) first have to prove to the regulatory authority that they know the rules of the road, and THEN they're allowed to drive around with a parent. How do you propose to enforce a similar thing for the kitchen computer?
Fourthly, as someone pointed out, the first generation always complains. I hate to show how young I probably am compared to many on this list, but my jurisdiction introduced graduated driver's licencing a few years before I was old enough to get a driver's licence, and it angers me that the random guy who's out on the road driving like a moron had to go through way less bureaucracy, road tests, etc than me simply because he was born ten years before me. That said, if no reforms are made to make this system stricter, I'm sure the next generation won't see this system as an outrage simply because they won't remember an era when the bureaucracy. Currently, people can buy computers/Internet access/etc unregulated at the random store down the street. You're proposing that some regulatory authority require licencing... Why should these voters accept it?
Because their failure to cooperate will result in ostracism. That's how the Internet has always worked.
How do you get ostracised when you're the majority? The majority of people think computers are glorified toasters. WE are the minority here, and if we start giving too many lectures, WE get ostracized. You have any idea how many people think I'm insane because I've told them HTML email is bad? In YOUR world, they'd be ostracized for using HTML email. In the REAL world, I'm the SOB out to spoil their fun by insisting on archaic modes of communication.
Especially since, unlike with cars, the damage done by poorly-operated computers is rather hard to explain to a technologically-unskilled person. Most would respond something like "well, it's not my fault some criminal wrote a virus/exploit/whatever. Put that person in jail, and let me mind my own business." Good luck educating them on the fallacies in that statement.
The point is, you don't have to. You just have to not let them on your roads. If they think the things they have to do to get on your roads are worth the value of those roads, they'll do them. If not, not. You don't care why people comply with your rules. People don't get driver's licenses because they think the piece of paper makes them a better driver, they do it because that is what's required for them to get insurance and avoid tickets and even jail.
See below.
Fact is, until home computer security issues result in a pile of bloody bodies to show on CNN, no one in the general public and/or the legislative branches of government has any incentive to care...
They don't have to. It's the road owners who decide who gets to drive on their roads. All it would take is a certificate infrastructure and companies issuing certificates to people who demonstrate competence. Then sites could start restricting traffic to certificate holders immediately.
So you propose some form of access control? If someone's packets don't identify themselves the way you want, you want your network to send them to the great null0 in the sky? So, you want to balkanize the Internet? If my network accepts packets signed by licencing board A, and is licenced by A, and your network wants licencing board Z and is licenced by D, then your network won't accept my packets and mine won't accept yours. How does that leave anybody better off? This is as silly as each town alongside a major regional highway saying "we will only allow vehicles registered in our jurisdiction, or in jurisdictions who pay us a tax to drive through our 2 mile stretch of road." Seems to me like you'd be throwing a whole maternity ward full of babies out with that bathwater...

Vivien