Staying on topic (was Re: EFF whitepaper)

Steve Gibbard scg at gibbard.org
Tue Nov 16 01:41:23 UTC 2004


At a meeting a few weeks ago, a bunch of us made the claim that the NANOG
list could in most cases be self-policing.  In that spirit, it seems worth
pointing out that this discussion of the Russian Mafia, Chechen freedom
fighters, the EFF, and China, seems to be heading in a direction that
would be a bit off-topic for the NANOG list.

-Steve

On Mon, 15 Nov 2004, Steven Champeon wrote:

> > on Mon, Nov 15, 2004 at 02:47:14PM -0800, Tom (UnitedLayer) wrote:
> > On Mon, 15 Nov 2004, Steven Champeon wrote:
> > > And this affects those of us with not-so-old, not-so-slow machines how?
> >
> > By the fact that there is no way in hell that he could relay a large
> > amount of spam...
>
> You seem to be confusing the single instance with the widespread
> application of the policy. My problem is with the latter, which is
> what the EFF is pledged to defend in the face of widespread damage
> to the medium they hope to save thereby.
>
> Put simply, I'm fine with a few well-known anonymizing mail servers.
> I also reserve the right to reject mail from them.
>
> I am not fine with an organization pledged to defend the principle
> for /all mail servers and spam sources/ regardless of whether they
> are under the control of spammers (and with no mind paid to the fact
> that a great deal of spam is sent via compromised machines that are
> unlikely to be used by freedom fighters or whistleblowers, etc.)
>
> Come on - do you really think the Russian mafia is going to allow free
> use of their botnets so that Chechen freedom fighters can post
> propaganda? I don't. Not even if they were paid for it.
>
> > > The bottom line is that Gilmore, and the EFF, have taken a very soft
> > > stance on spam, believing it to be less important than "free speech" or
> > > "anonymous speech".
> >
> > By definition, the EFF's main concern is free speech and privacy.
>
> And I have supported them in the past for exactly their dedication to
> that concern. However, they now confuse government censorship on the one
> hand, with the abuses of a system by fraudsters and others (often in
> league with the very same countries whose censoring governments the EFF
> opposes) on the other.
>
> Alan Ralsky hosts his servers in China. Do you really think that the
> goal of protecting freedom is served by encouraging everyone not to
> reject mail from those servers? Given that China's rDNS is so hosed or
> nonexistent as to make local, automated judgements difficult to
> impossible, it's far easier for those of us who don't want Ralsky's junk
> to simply reject all mail from China. If China doesn't like it, they
> should reconsider hosting Ralsky. The same goes for any country or ISP
> hosting or enabling spammers. And yes, I know that's a broad brush, and
> may not be appropriate for everyone. That's my whole point - that by
> ceding the spam battle over a misguided idea of protecting free speech,
> the EFF is actually encouraging others to paint with similarly broad
> brushes in their own defense - and undermining their own intentions.
>
> I didn't make the decision to allow 419/AFFers to post through Tiscali's
> webmail servers - Tiscali did, and they continue to let the abuses occur.
>
> Bigpond has largely fixed their 419/AFF problem, by disallowing use of
> their webmail accounts to non-AU users (in the process, they also broke
> their Received: header trace information, but hey). Got a problem with
> their policy? I don't.
>
> I had a user here who got upwards of 100/day - nearly all 419/AFF spam.
> Much of that has disappeared, thanks to the implementation here of
> policies that others were incapable of making, in order to deal with
> /their/ abuse problem, not mine.
>
> Privacy is a great goal. In my mind, it has its price. If I want to vote
> to protect my privacy, I register. If I want to drive a car, I get a
> license and get insured, and can prove it in case I run into someone else.
> If you want to be on the Internet, I damn well better be able to contact
> you (or someone who has taken responsibility for your presence here) in
> the event that you run dictionary attacks against my mail server, or try
> to send a million spam messages through your broadband channel, or run
> a worthless and buggy OS without a firewall and thereby let yourself get
> owned by anyone and become a vector for abuse.
>
> Barring that, I'll just block you and anyone who looks like you, and
> call it a day, and selectively unblock or whitelist once you've met my
> policy criteria.
>
> Those who prattle on about rights forget about their corresponding
> responsibilities, and undermine their very case by appearing to lack
> any sense of the price we pay for the former through the latter.
>
> > >  http://eff.org/wp/?f=SpamCollateralDamage.html
> > >
> > > Wow. So, any collateral damage is unacceptable?
> >
> > To me, and people who rely on email for reliable communication, yes
> > absolutely. Collateral damage is unacceptable, period.
>
> Then it would behoove you to support efforts to make email accountable
> rather than decry such attempts as censorship. Lacking other solutions
> to the spam problem, everyone tries their own. Which is more important?
> That we can all get behind industry-wide proposals, or that we all
> uniquely splinter useful protocols due to our own necessities, dictated
> by the demands of real usage? I'd love to stop wasting time chasing the
> rats out of my mail server. Until then, I am doing what I can to analyze
> inbound spam and adjust my policies accordingly to keep it out.
>
> Rather than fight for the rights of the vast majority of the suffering
> masses just yearning to send email reliably, the EFF has chosen, de
> facto, to defend the rights of the spammers, who benefit enormously from
> the existence of unaccountable servers/proxies.
>
> > It's even worse when administered punitively (like SPEWS/etc) because
> > it's done with the intent of disrupting other people's lives.
>
> Sure - in order to get their attention (or their ISP's attention) and
> presumably alert them to, and get them to fix, their abuse problems. I
> don't use SPEWS here (for various reasons) but I don't have any problem
> at all with someone else building a policy that includes the use of
> SPEWS.
>
> > If you're going to fight something, and you feel it's worthwhile, fight
> > it on the high-road.
>
> That's what I'm doing. I am fighting the widespread lack of
> accountability of email senders by implementing policies that demand
> same; if I can't report abuse to a living person with some expectation
> of a change in the behavior of their customers, I don't accept mail from
> them. Sadly, this has meant that sometimes legitimate mail is rejected,
> with an informative message saying why. The EFF, on the other hand,
> wants email to remain an unaccountable medium for the sake of a
> minuscule amount of potential messages whose content could well be
> delivered in other ways.
>
> > > In a nutshell, email requires accountability. The EFF apparently thinks
> > > that is too high a price to ask for email.
> >
> > I think you're missing the point. Anonymous communication saves lives,
> > allows people to "blow the whistle", and in general it serves the greater
> > good to have it exist.
>
> At what expense?
>
> > Email already has an "audit trail" built into it,
>
> No, it does not. More accurately, the mail server /you control/ has a
> minor amount of tracing information that it can insert into a message;
> all else is untrustable - and the EFF wants to further undermine the
> remainder in the case of relayed mail (by defending the principle of
> anonymous relay transmissions). I already reject mail from servers whose
> webmail implementations do not include useful tracing information (just
> as I reject mail from those systems if the origin is a common source of
> Nigerian 419/AFF junk). Don't like it, and you're a user/supporter of
> said systems? Put pressure on the systems in question /to fix their
> servers/ so that the fraudsters are kept out, or so that they can be
> tracked and dealt with.
>
> > and you can at least track it to some extent if you know what you're
> > doing.
>
> No, sorry, that's false, too. You can /make an effort/ to rely on
> untrusted information, to posit a source beyond the last relay; that
> is all.
>
> > Does email need a DNA signature for the sender? In my mind no, you
> > can get that if you use PGP signatures and look how few people actually
> > use that.
>
> You undermine your own case here. Let the anonymous senders create and
> post keys via public servers then encrypt their messages with those
> keys. Authentication is not the same as encryption or identification,
> nor do any of them necessarily compromise anonymity or demand
> unaccountability in sending mail.
>
> Anyway, the bottom line is that I no longer pay the EFF to fight on
> the side of my enemies. All else boils down to "my network, my rules"
> and "it'd be great if we all had the same rules and could talk to all
> the other networks".
>
> --
> join us!   http://hesketh.com/about/careers/web_designer.html       join us!
> hesketh.com/inc. v: +1(919)834-2552 f: +1(919)834-2554 w: http://hesketh.com
> join us!   http://hesketh.com/about/careers/account_manager.html    join us!
>

--------------------------------------------------------------------------------
Steve Gibbard				scg at gibbard.org
+1 415 717-7842	(cell)			http://www.gibbard.org/~scg
+1 510 528-1035 (home)
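
The quoted message argues that only the trace information stamped by a mail server you control can be relied on. The following is an added example, not part of either poster's message, that finds that trust boundary in a Received: chain. The function name, hostnames and addresses are constructed assumptions (documentation ranges only).

```python
import re
from email import message_from_string

# Constructed sample: two hops stamped by our own servers, then two lines that
# arrived inside the message from the outside peer. One of those imitates our
# own "by" host, which proves nothing.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby store.example.net with ESMTP id A1; Mon, 15 Nov 2004 20:00:02 -0500
Received: from webmail.example.org (unknown [203.0.113.77])
\tby mx1.example.net with ESMTP id B2; Mon, 15 Nov 2004 20:00:01 -0500
Received: from mx1.example.net (localhost [127.0.0.1])
\tby mx1.example.net with ESMTP id FORGED; Mon, 15 Nov 2004 19:00:00 -0500
Received: from [198.51.100.5] by webmail.example.org with HTTP;
\tMon, 15 Nov 2004 18:59:00 -0500
From: someone@example.org
Subject: constructed test message

body
"""

BY_RE = re.compile(r"\bby\s+([^\s;]+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def split_received(raw, own_hosts, own_ips):
    """Return (trusted_hops, untrusted_hops, peer_ip).

    Received: lines are prepended, so the newest hop is first. A hop is
    trusted only while every hop above it was stamped by one of our hosts
    and recorded one of our own IPs as the connecting peer. The first hop
    that records an outside peer is the boundary: that peer IP is the last
    fact we observed ourselves; everything below it is the sender's claim.
    """
    hops = message_from_string(raw).get_all("Received") or []
    own_hosts = {h.lower() for h in own_hosts}
    trusted, peer_ip = [], None
    for value in hops:
        by = BY_RE.search(value)
        if not by or by.group(1).lower() not in own_hosts:
            break                       # not stamped by a server we control
        trusted.append(value)
        ip = IP_RE.search(value)
        peer_ip = ip.group(1) if ip else None
        if peer_ip not in own_ips:
            break                       # handed over by an outside peer
    return trusted, hops[len(trusted):], peer_ip
```

Matching on the "by" hostname alone would have accepted the forged third line; tying each step to the peer address recorded by the hop above it is what excludes it.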