Re: Motion for a new POST NSF AUP
Tim,

Presume that we've all met, decided a policy, figured out who it takes to "officially" make it an Internet policy, and made it happen. Simply amazing progress has occurred, and it's still morning on the Internet...

Now, let's talk about the hard part: enforcement. Since the sender of a bulk, unsolicited advertisement may not even be affiliated with the beneficiary of such mail, how do you intend to catch the culprit? There is nothing in an email message that provides hard proof of identity, and there is nothing to stop me from sending all of my advertising as "Tim Bass".

Since any host connected to the Internet can forge email with very little trail, relying on the purported sender of the message is clearly not possible for enforcement. Of course, one could always look towards the beneficiary of the message (i.e. the firm which gains the business as the result of this "misuse") but that's actually no better than relying on the sender.

It doesn't matter whether the enforcement method is loss of Internet service or large fines, it will be very difficult for anyone to actually safely invoke such methods without incurring immense liability. Since anyone can send a bulk, unsolicited advertisement with "The Silk Road Group" as the beneficiary, you've now created the ultimate denial of service attack. Don't like a firm? Send out a massive forged advertisement for their latest product and watch them get disconnected from the net... :-)

Despite postings to the contrary, this is an extremely difficult problem to solve in the absence of authentication. While the current ad-hoc methods of managing such bulk advertising are not perfect, they may be far better than the quick fixes being proposed.

/John

---
At 10:54 AM 10/15/95, Tim Bass wrote:
Ladies and Gentlemen......
A couple of interesting points have developed as a result of the latest 'spam event'. The first one is debatable, but I would like to comment, that my mailbox received 'one spam message' (which I deleted in a few milliseconds) that generated hundreds of 'anti-spam messages'. Causal to the 'spam' I would like to refer to the anti-spam messages as 'son-of-spam' :-)
Second, it is somewhat clear that as long as we have 'spam' we will have a causal event 'son-of-spam' . Neither 'spam' nor 'son-of-spam' are welcome e-mail in most in-boxes, and I assume by the responses, many people find 'son-of-spam' just as annoying as 'spam'. Given that both sides of the coin are correct (in their own perception space) as we have seen, I would like to put this on the table to the network:
Should we define a new 'postNSF AUP' that addresses what types of messages are Acceptable Use of the Internet? Should transit and end user providers require customers to agree to 'the new "agreed upon someday" commercial AUP'?
Could we even agree on what a new AUP would look like? Most everyone agrees that spam and son-of-spam are a waste of precious bandwidth, time, and energy; and unacceptable messages detract everyone from more important daily issues and ideas.
I motion we create a working group to develop a draft POST NSF AUP.
------------------------------------------------------------------
We all agree we need to manage what type of messages are acceptable use of the net..... Can we make POST NSF AUP a reality?
Any seconds to the motion?
Tim
--
+--------------------------------------------------------------------------+
| Tim Bass                           | #include<campfire.h>                |
| Principal Network Systems Engineer | for(beer=100;beer>1;beer++){        |
| The Silk Road Group, Ltd.          |     take_one_down();                |
|                                    |     pass_it_around();               |
| http://www.silkroad.com/           | }                                   |
|                                    | back_to_work(); /*never reached */  |
+--------------------------------------------------------------------------+
John Curran and I are in total agreement on John's premise that any Post NSF AUP is either a) unenforceable or b) subject to abuse. I suggest that for the moment, that we agree with John that any AUP is both:

a) Unenforceable;
b) Subject to abuse; and
c) Virtually impossible to authenticate.

Given the above, the question still remains and the original motion is still valid for this reason.

If we define a Post NSF AUP, then at least everyone who uses the Internet will have had the opportunity to have read and understood what the current Internet AUP describes.

It is possible that having a clearly defined AUP will not stop spam and other unacceptable uses of the net, and clearly an AUP is not enforceable (and for IP security reasons should not be enforced without absolute authentication as John correctly points out).

On the other hand, having a clearly defined AUP may discourage potential spammers and child pornographers, etc. (not that we consider spammers and child pornography peddlers in the same vein..). Also, having a clearly defined Internet AUP will send a signal to the news media and government officials that the providers of Internet services are capable of formulating policy in an area that, without self-regulation, has a strong potential to continue degenerating.

Is a self-formulated Post NSF AUP, without enforcement, still a good idea?

The answer, I suggest, is not obvious, but a debate on the subject does have considerable merit, given the events of the past week or so.

Tim

--
+--------------------------------------------------------------------------+
| Tim Bass                           | #include<campfire.h>                |
| Principal Network Systems Engineer | for(beer=100;beer>1;beer++){        |
| The Silk Road Group, Ltd.          |     take_one_down();                |
|                                    |     pass_it_around();               |
| http://www.silkroad.com/           | }                                   |
|                                    | back_to_work(); /*never reached */  |
+--------------------------------------------------------------------------+
For my two cents:

I also agree with John. I think the current system where 'civic-saviors' protest spams to the spammers' provider works fairly well. It works as a pressure to resist spamming. The only thing I don't like about it are the militant-son-of-spams.

If the current unstructured system stays, I think there should be a simple addition to govern son-of-spammers to prevent the kind of frontier justice used on those lawyers.

I myself will usually forward the complaint on to the spammers. After 2 complaints I add that they need to stop the activity, but sometimes it's simply a lag-time or long time-to-live on a spam that keeps complaints coming in long afterward.

...

---------------- Brian Curnow --------------

On Sun, 15 Oct 1995, Tim Bass wrote:
John Curran and I are in total agreement on John's premise that any Post NSF AUP is either a) unenforceable or b) subject to abuse. I suggest that for the moment, that we agree with John that any AUP is both:
a) Unenforceable;
b) Subject to abuse; and
c) Virtually impossible to authenticate.
Given the above, the question still remains and the original motion is still valid for this reason.
If we define a Post NSF AUP, then at least everyone who uses the Internet will have had the opportunity to have read and understood what the current Internet AUP describes.
It is possible that having a clearly defined AUP will not stop spam and other unacceptable uses of the net, and clearly an AUP is not enforceable (and for IP security reasons should not be enforced without absolute authentication as John correctly points out).
On the other hand, having a clearly defined AUP may discourage potential spammers and child pornographers, etc. (not that we consider spammers and child pornography peddlers in the same vein..). Also, having a clearly defined Internet AUP will send a signal to the news media and government officials that the providers of Internet services are capable of formulating policy in an area that, without self-regulation, has a strong potential to continue degenerating.
Is a self-formulated Post NSF AUP, without enforcement, still a good idea?
The answer, I suggest, is not obvious, but a debate on the subject does have considerable merit, given the events of the past week or so.
Tim
The only question that I have is what does this do to your position as a "common carrier like" organization? It weakens it horrendously. I wish that it didn't, and when I start my ISP up, Jan 1st (as opposed to the one I am working for now), I will have an AUP, but just be aware, it /does/ weaken your position as a "common carrier like" organization. It is at that point that you should start to seriously consider removing binaries groups and other things, and finding a way to act immediately on things like someone saying that one of your users violated a copyright law or the like.

I am not advocating one way or the other, just saying that you should stand to one side of the road or the other, not the middle. I plan to stand on the side where I can have an AUP, and plan to have my lawyer make a fair number of decisions on things like what do I do when someone tells me a user has violated copyright, etc etc. I also plan to purchase news services from someone else in the beginning so that I am not a news distributor, I am only giving people a way to view it (News will never be stored on my systems). Maybe when the water gets a little less rocky I'll start using my own news server.

Those decisions are mine, not yours, you can of course make your own. I made mine after hours of consultation with my lawyer, as well as talking to several other lawyers. You should do the same.

On Sun, 15 Oct 1995, Tim Bass wrote:
John Curran and I are in total agreement on John's premise that any Post NSF AUP is either a) unenforceable or b) subject to abuse. I suggest that for the moment, that we agree with John that any AUP is both:
a) Unenforceable;
b) Subject to abuse; and
c) Virtually impossible to authenticate.
Given the above, the question still remains and the original motion is still valid for this reason.
If we define a Post NSF AUP, then at least everyone who uses the Internet will have had the opportunity to have read and understood what the current Internet AUP describes.
It is possible that having a clearly defined AUP will not stop spam and other unacceptable uses of the net, and clearly an AUP is not enforceable (and for IP security reasons should not be enforced without absolute authentication as John correctly points out).
On the other hand, having a clearly defined AUP may discourage potential spammers and child pornographers, etc. (not that we consider spammers and child pornography peddlers in the same vein..). Also, having a clearly defined Internet AUP will send a signal to the news media and government officials that the providers of Internet services are capable of formulating policy in an area that, without self-regulation, has a strong potential to continue degenerating.
Is a self-formulated Post NSF AUP, without enforcement, still a good idea?
The answer, I suggest, is not obvious, but a debate on the subject does have considerable merit, given the events of the past week or so.
Tim
Justin Newton           * You have to change just to stay caught up.
Vice President/         *
System Administrator    *
Digital Gateway Systems *

[This message with my ISP-related hat off and my Usenet newsgroup moderator hat on.]

John writes:
Despite postings to the contrary, this is an extremely difficult problem to solve in the absence of authentication. While the current ad-hoc methods of managing such bulk advertising are not perfect, they may be far better than the quick fixes being proposed.
Just as a warning, some of us on the receiving end of more than our fair share of net abuse (the collected Usenet moderators) are starting to get more than a little short fused about this. There was a strong move last week by numerous moderators to demand that spammers' real name, address, and phone number be released by ISPs following abuse events, presumably to make the sort of ad hoc counterattack which seems to be the only effective response today more effective. I argued against it, for the obvious reasons for anyone who's an ISP (customer confidentiality being a very touchy issue...), and the moderators are back to simmering without a coherent policy.

That particular proposed solution aside, something is going to have to be done about the problem. Not so soon that we do the wrong thing, but there has to be an industrywide public acknowledgement that certain behaviours are abusive to the net as a whole and are not acceptable.

-george william herbert
gherbert@crl.com
moderator, sci.space.tech & sci.space.science
A better use for your effort is to develop some hacks into majordomo or another mailing list manager that can trivially make a list only accept PGP signed (or whatever your favorite authentication system is) messages that it can confirm with a public keyserver. At the very least all of the major mailing lists that get regularly nailed by spams can transition and we can get some authentication of the culprit.

---> Phil
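The kind of list gate suggested in the message above, as an added example that is not part of the original thread and is not majordomo code: it accepts a post only when gpg reports a valid signature from a key whose user ID carries the From address. The function names, sample message and status text are constructed for illustration, and the list's keyring is assumed to already hold the posters' public keys.

```python
import re
import subprocess
from email import message_from_string
from email.utils import parseaddr

# RFC 4880 cleartext-signature framing around an inline-signed post.
CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?"
    r"-----BEGIN PGP SIGNATURE-----\r?\n.*?-----END PGP SIGNATURE-----", re.S)

def extract_post(raw):
    """Return (From address, clearsigned block or None) for a plain-text post."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    found = CLEARSIGNED.search(body)
    return sender, (found.group(0) if found else None)

def gpg_status(block):
    """Run gpg against the list's keyring; return its machine-readable status."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                          input=block, capture_output=True, text=True)
    return proc.stdout

def decide(sender, block, status):
    """Accept only a valid signature whose key user ID carries the From address."""
    if block is None:
        return "reject: unsigned"
    parts = [l.split(" ", 3) for l in status.splitlines() if l.startswith("[GNUPG:] ")]
    fields = {p[1]: p[2:] for p in parts}
    # BADSIG, EXPKEYSIG and REVKEYSIG are reported instead of GOODSIG.
    if "GOODSIG" not in fields or "VALIDSIG" not in fields:
        return "reject: signature not valid"
    uid = fields["GOODSIG"][1] if len(fields["GOODSIG"]) > 1 else ""
    if not sender or parseaddr(uid)[1].lower() != sender:
        return "reject: key does not match From"
    return "accept: " + fields["VALIDSIG"][0]

# Constructed sample post: the signature body is a placeholder, not a real signature.
SAMPLE = ("From: Alice Example <alice@example.org>\nSubject: constructed post\n\n"
          "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nHello list.\n"
          "-----BEGIN PGP SIGNATURE-----\n\nplaceholder\n-----END PGP SIGNATURE-----\n")
# Constructed gpg status output of the kind a good signature produces.
GOOD = ("[GNUPG:] NEWSIG\n"
        "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>\n"
        "[GNUPG:] VALIDSIG " + "AB" * 20 + " 1995-10-15 813715200\n")
```

A live gate would call `decide(sender, block, gpg_status(block))` on each incoming post. The signature covers only the body, so a signed post can be replayed under the same From address, and how far a key is trusted still depends on how it entered the keyring.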
participants (6)
- bcurnow
- George Herbert
- John Curran
- Justin Newton
- Philip J. Nesser
- Tim Bass