EFF whitepaper

Steven Champeon schampeo at hesketh.com
Mon Nov 15 23:51:28 UTC 2004


on Mon, Nov 15, 2004 at 02:47:14PM -0800, Tom (UnitedLayer) wrote:
> On Mon, 15 Nov 2004, Steven Champeon wrote:
> > And this affects those of us with not-so-old, not-so-slow machines how?
> 
> By the fact that there is no way in hell that he could relay a large
> amount of spam...

You seem to be confusing the single instance with the widespread
application of the policy. My problem is with the latter, which is
what the EFF is pledged to defend in the face of widespread damage
to the medium they hope to save thereby.

Put simply, I'm fine with a few well-known anonymizing mail servers.
I also reserve the right to reject mail from them.

I am not fine with an organization pledged to defend the principle
for /all mail servers and spam sources/ regardless of whether they
are under the control of spammers (and with no mind paid to the fact
that a great deal of spam is sent via compromised machines that are
unlikely to be used by freedom fighters or whistleblowers, etc.)

Come on - do you really think the Russian mafia is going to allow free
use of their botnets so that Chechen freedom fighters can post
propaganda? I don't. Not even if they were paid for it.

> > The bottom line is that Gilmore, and the EFF, have taken a very soft
> > stance on spam, believing it to be less important than "free speech" or
> > "anonymous speech".
> 
> By definition, the EFF's main concern is free speech and privacy.

And I have supported them in the past for exactly their dedication to
that concern. However, they now confuse government censorship on the one
hand, with the abuses of a system by fraudsters and others (often in
league with the very same countries whose censoring governments the EFF
opposes) on the other.

Alan Ralsky hosts his servers in China. Do you really think that the
goal of protecting freedom is served by encouraging everyone not to
reject mail from those servers? Given that China's rDNS is so hosed or
nonexistent as to make local, automated judgements difficult to
impossible, it's far easier for those of us who don't want Ralsky's junk
to simply reject all mail from China. If China doesn't like it, they
should reconsider hosting Ralsky. The same goes for any country or ISP
hosting or enabling spammers. And yes, I know that's a broad brush, and
may not be appropriate for everyone. That's my whole point - that by
ceding the spam battle over a misguided idea of protecting free speech,
the EFF is actually encouraging others to paint with similarly broad
brushes in their own defense - and undermining their own intentions.

I didn't make the decision to allow 419/AFFers to post through Tiscali's
webmail servers - Tiscali did, and they continue to let the abuses occur.

Bigpond has largely fixed their 419/AFF problem, by disallowing use of
their webmail accounts to non-AU users (in the process, they also broke
their Received: header trace information, but hey). Got a problem with
their policy? I don't.

I had a user here who got upwards of 100/day - nearly all 419/AFF spam.
Much of that has disappeared, thanks to the implementation here of
policies that others were incapable of making, in order to deal with
/their/ abuse problem, not mine.

Privacy is a great goal. In my mind, it has its price. If I want to vote
to protect my privacy, I register. If I want to drive a car, I get a
license and get insured, and can prove it in case I run into someone else.
If you want to be on the Internet, I damn well better be able to contact
you (or someone who has taken responsibility for your presence here) in
the event that you run dictionary attacks against my mail server, or try
to send a million spam messages through your broadband channel, or run
a worthless and buggy OS without a firewall and thereby let yourself get
owned by anyone and become a vector for abuse.

Barring that, I'll just block you and anyone who looks like you, and
call it a day, and selectively unblock or whitelist once you've met my
policy criteria.

Those who prattle on about rights forget about their corresponding
responsibilities, and undermine their very case by appearing to lack
any sense of the price we pay for the former through the latter.

> >  http://eff.org/wp/?f=SpamCollateralDamage.html
> >
> > Wow. So, any collateral damage is unacceptable?
> 
> To me, and people who rely on email for reliable communication, yes
> absolutely. Collateral damage is unacceptable, period.

Then it would behoove you to support efforts to make email accountable
rather than decry such attempts as censorship. Lacking other solutions
to the spam problem, everyone tries their own. Which is more important?
That we can all get behind industry-wide proposals, or that we all
uniquely splinter useful protocols due to our own necessities, dictated
by the demands of real usage? I'd love to stop wasting time chasing the
rats out of my mail server. Until then, I am doing what I can to analyze
inbound spam and adjust my policies accordingly to keep it out.

Rather than fight for the rights of the vast majority of the suffering
masses just yearning to send email reliably, the EFF has chosen, de
facto, to defend the rights of the spammers, who benefit enormously from
the existence of unaccountable servers/proxies.

> It's even worse when administered punitively (like SPEWS/etc) because
> it's done with the intent of disrupting other people's lives.

Sure - in order to get their attention (or their ISP's attention) and
presumably alert them to, and get them to fix, their abuse problems. I
don't use SPEWS here (for various reasons) but I don't have any problem
at all with someone else building a policy that includes the use of
SPEWS.

> If you're going to fight something, and you feel it's worthwhile, fight
> it on the high-road.

That's what I'm doing. I am fighting the widespread lack of
accountability of email senders by implementing policies that demand
same; if I can't report abuse to a living person with some expectation
of a change in the behavior of their customers, I don't accept mail from
them. Sadly, this has meant that sometimes legitimate mail is rejected,
with an informative message saying why. The EFF, on the other hand,
wants email to remain an unaccountable medium for the sake of a
minuscule amount of potential messages whose content could well be
delivered in other ways.
 
> > In a nutshell, email requires accountability. The EFF apparently thinks
> > that is too high a price to ask for email.
> 
> I think you're missing the point. Anonymous communication saves lives,
> allows people to "blow the whistle", and in general it serves the greater
> good to have it exist.

At what expense? 

> Email already has an "audit trail" built into it,

No, it does not. More accurately, the mail server /you control/ has a
minor amount of tracing information that it can insert into a message;
all else is untrustable - and the EFF wants to further undermine the
remainder in the case of relayed mail (by defending the principle of
anonymous relay transmissions). I already reject mail from servers whose
webmail implementations do not include useful tracing information (just
as I reject mail from those systems if the origin is a common source of
Nigerian 419/AFF junk). Don't like it, and you're a user/supporter of
said systems? Put pressure on the systems in question /to fix their
servers/ so that the fraudsters are kept out, or so that they can be
tracked and dealt with.

> and you can at least track it to some extent if you know what you're
> doing.

No, sorry, that's false, too. You can /make an effort/ to rely on
untrusted information, to posit a source beyond the last relay; that
is all.

> Does email need a DNA signature for the sender? In my mind no, you
> can get that if you use PGP signatures and look how few people actually
> use that.

You undermine your own case here. Let the anonymous senders create and
post keys via public servers then encrypt their messages with those
keys. Authentication is not the same as encryption or identification,
nor do any of them necessarily compromise anonymity or demand
unaccountability in sending mail.

Anyway, the bottom line is that I no longer pay the EFF to fight on
the side of my enemies. All else boils down to "my network, my rules"
and "it'd be great if we all had the same rules and could talk to all
the other networks".

-- 
join us!   http://hesketh.com/about/careers/web_designer.html       join us! 
hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
join us!   http://hesketh.com/about/careers/account_manager.html    join us!
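
The point made above about tracing information, as an added example that is not part of the original post: only Received lines stamped by servers you operate are taken as fact, and the walk stops at the first connecting address outside your own network. The host names, addresses and sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Assumed for this example: hostnames and relay addresses we operate.
TRUSTED_BY = {"mx1.example.net", "mail.example.net"}
INTERNAL_IPS = {"10.0.0.2"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trust_boundary(raw, trusted_by=TRUSTED_BY, internal_ips=INTERNAL_IPS):
    """Return (peer_ip, unverified_headers) for a raw RFC 822 message."""
    headers = message_from_string(raw).get_all("Received") or []
    peer = None
    for i, hdr in enumerate(headers):            # newest hop is first
        flat = " ".join(hdr.split())             # unfold continuation lines
        by = BY_RE.search(flat)
        if not by or by.group(1).lower() not in trusted_by:
            return peer, headers[i:]             # stamped by someone else
        ip = IP_RE.search(flat[:by.start()])     # address in the "from" clause
        peer = ip.group(1) if ip else None
        if peer not in internal_ips:
            return peer, headers[i + 1:]         # everything below is hearsay
    return peer, []

# Constructed sample: our edge server accepted the message from 203.0.113.7.
# The second line claims to be ours but was supplied by the sender.
SAMPLE = (
    "Received: from relay.example.org (unknown [203.0.113.7])\n"
    "\tby mx1.example.net with ESMTP id A1; Mon, 15 Nov 2004 23:00:02 +0000\n"
    "Received: from inside (localhost [10.0.0.2]) by mx1.example.net with SMTP;\n"
    "\tMon, 15 Nov 2004 22:59:58 +0000\n"
    "Received: from [198.51.100.1] by webmail.example.org;\n"
    "\tMon, 15 Nov 2004 22:59:50 +0000\n"
    "From: a@example.org\nSubject: constructed sample\n\nbody\n"
)
# The same message after our own internal hop from mx1 to mail.
RELAYED = (
    "Received: from mx1.example.net (mx1.example.net [10.0.0.2])\n"
    "\tby mail.example.net with ESMTP; Mon, 15 Nov 2004 23:00:05 +0000\n"
) + SAMPLE

if __name__ == "__main__":
    for name, msg in (("SAMPLE", SAMPLE), ("RELAYED", RELAYED)):
        peer, rest = trust_boundary(msg)
        print(name, "accountable peer:", peer, "unverified lines:", len(rest))
```

The returned peer address is the one an abuse report or block decision can be based on; the unverified lines are at best a hint about what lies beyond the last relay.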


