-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Steven J. Sobol
Sent: Thursday, June 20, 2002 8:45 PM
To: Dan Hollis
Cc: Regis M. Donovan; nanog@nanog.org
Subject: Re: SPEWS?
On Thu, 20 Jun 2002, Dan Hollis wrote:
On Thu, 20 Jun 2002, Regis M. Donovan wrote:
On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
*Spamming* or launching a DoS attack in response to spam is definitely abusive.
and black-holing "innocent bystander" networks not a denial of service?
It's my box, my hardware, my property. No one has an inherent right to force speech on an unwilling recipient.
Hear, hear. Dan sounds like he agrees with my assessment of property rights taking priority over rights to expression.
Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or *any* arbitrary list of abusive ISPs or ISP customers does so voluntarily, and I consider the action to be similar to companies sharing credit information. You can deny credit or employment, or refuse to do business with an individual or company based on the information in a credit report.
But credit reports *are* legislated, whether you want them to be or not. The reason they are is that since two or three large warehousers of information are used by a substantial portion of the populace, it gives them inherent power. That power is both intentionally and unintentionally abusable. You can also say that credit reports should be unregulated since companies don't have to use them, but you and I both know that's unrealistic. A critical mistake is failing to recognize that the *consumer does not subscribe to credit reporting agencies*, much like those who are reported to blacklists do not subscribe to the blacklists, yet are affected by them. Many of the operators on this list are experiencing this today due to a bad experience with an errant spammer.
Likewise, you can choose to communicate or not communicate with an AS or network (or server) based on whether you think the people running the server(s) are good net-neighbors.
Sometimes legislation occurs to regulate the principle, even though reality has shown regulation to be unnecessary. Sometimes legislation occurs to regulate the reality of what in principle shouldn't need regulation. Credit reports and blacklists (they are basically the same thing) in principle are a subscription service--and therefore in principle exempt from any legal standing to provide good information. But the reality is that credit services (and if not now, then soon blacklists) have become such a prevalent tool as to make them a de-facto public record, whether the owners say they are or not!

In credit services this happened because the usefulness of the credit reports depends on a limited number of repositories--forcing a sort of oligopoly. In blacklists, it occurs because people distribute software that uses these lists by default. Yes--it is subscription, but at some point it becomes de-facto public record, and everyone simply trusts them because they don't know any better and everything occurs behind the scenes. Eventually that too will become an oligopoly (if it isn't already). This occurs frequently with credit reporting agencies--both they and the clients who report entries make errors very, very often. This is why legislation exists to protect consumers that allows them a free copy of their credit report if they are ever turned down, as well as a legislated means to resolve disputes with the credit reporting agency.

So in general, I tend to agree in principle with your views on private property--but in reality it's useful to recognize when the line is crossed between "good service" and "public utility". The telephone company started by Bell didn't start life as a "lifeline" service, but it became that due to adoption. There are numerous other examples of the line, and companies (or individuals) that cross it. It took decades of high prices and lousy service to force regulation on the telephone industry.
I'd rather force appropriate controls to be in place before I get bent over for a few years waiting for the government to poorly regulate what may very well become an abusive industry.

Cheers,
Ben

------
Benjamin P. Grubin, CISSP, GIAC
Information Security Consulting
bgrubin@pobox.com