North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
- From: Benjamin P. Grubin
- Date: Thu Jun 20 22:20:00 2002
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On
> Behalf Of Steven J. Sobol
> Sent: Thursday, June 20, 2002 8:45 PM
> To: Dan Hollis
> Cc: Regis M. Donovan; firstname.lastname@example.org
> Subject: Re: SPEWS?
> On Thu, 20 Jun 2002, Dan Hollis wrote:
> > On Thu, 20 Jun 2002, Regis M. Donovan wrote:
> > > On Thu, Jun 20, 2002 at 02:35:16PM -0400, Steven J. Sobol wrote:
> > > > *Spamming* or launching a DoS attack in response to
> spam is definitely
> > > > abusive.
> > > and black-holing "innocent bystander" networks not a
> denial of service?
> > Its my box, my hardware, my property. No one has an
> inherent right to
> > force speech on an unwilling recipient.
> Hear, hear. Dan sounds like he agrees with my assessment of property
> rights taking priority over rights to expression.
> Anyone using SPEWS, the MAPS RBL+, SpamCop's blacklist, or
> *any* arbitrary
> list of abusive ISPs or ISP customers does so voluntarily,
> and I consider
> the action to be similar to companies sharing credit
> information. You can
> deny credit or employment, or refuse to do business with an
> individual or
> company based on the information in a credit report.
But credit reports *are* legislated, whether you want them to be or not.
The reason they are is that since two or three large warehousers of
information are used by a substantial portion of the populace, it gives
them inherent power. That power is both intentionally and
unintentionally abusable. You can also say that credit reports should
be unregulated since companies don't have to use them, but you and I
both know that's unrealistic. A critical mistake is failing to
recognize that the *consumer does not subscribe to credit reporting
agencies*, much like those who are reported to blacklists do not
subscribe to the blacklists, yet are affected by them. Many of the
operators on this list are experiencing this today due to a bad
experience with an errant spammer.
> Likewise, you can
> choose to communicate or not communicate with an AS or
> network (or server)
> based on whether you think the people running the server(s) are good
Sometimes legislation occurs to regulate the principle, even though
reality has shown regulation to be unnecessary. Sometimes legislation
occurs to regulate the reality of what in principle shouldn't need
regulation. Credit reports and blacklists (they are basically the same
thing) in principle are a subscription service--and therefore in
principle exempt from any legal standing to provide good information.
But the reality is that credit services (and if not now, then soon
blacklists) have become such a prevalent tool as to make them a de-facto
public record, whether the owners says they are or not! In credit
services this happened because the usefulness of the credit reports
depends on a limited number of repositories--forcing a sort of
oligopoly. In blacklists, it occurs because people distribute software
that uses these lists by default. Yes--it is subscription, but at some
point it becomes de-facto public record, and everyone simply trusts them
because they don't know any better and everything occurs behind the
scenes. Eventually that too will become an oligopoly (if it isn't
This occurs frequently with credit reporting agencies--both they and the
clients who report entries make errors very, very often. This is why
legislation exists to protect consumers that allow them a free copy of
their credit report if they are ever turned down, as well as a
legislated means to resolve disputes with the credit reporting agency.
So in general, I tend to agree in principle with your views on private
property--but in reality it's useful to recognize when the line is
crossed between "good service" and "public utility". The telephone
company started by Bell didn't start life as a "lifeline" service, but
it became that due to adoption. There are numerous other examples of
the line, and companies (or individuals) that cross it.
It took decades of high prices and lousy service to force regulation on
the telephone industry. I'd rather force appropriate controls to be in
place before I get bent over for a few years waiting for the government
to poorly regulate what may very well become an abusive industry.
Benjamin P. Grubin, CISSP, GIAC
Information Security Consulting