[mod.comp-soc] Computers and Society Digest, #20

taylor@hplabsc.UUCP (Dave Taylor) (06/25/86)

--------
 
                    Computers and Society Digest, Number 20
 
                              Friday, May 2nd 1986
 
Topics of discussion in this issue...
 
                          Some C&S related thoughts...
----------------------------------------------------------------------
 
From: Dave Taylor <taylor@hplabs>
Date: Fri, 2 May 86 21:42:16 PDT
Subject: Some C&S related thoughts...

The group has been rather quiet for a while now, so I thought I'd provoke
some conversation based on recent events...

	1. I think that the impact of the Challenger explosion has
	   been quite interesting to see - when compared, say, to 
	   the earthquake of about the same time in Mexico City,
	   the shuttle was pretty meaningless.  (that is, seven people
	   died in the Challenger explosion, and THOUSANDS of people
	   died in the earthquake).

	   Somehow, though, the shuttle got considerably more attention
	   from the media.

	   My suspicion (and hence the tie in with this group) is because
	   of the availability of "instant replay" of the event.  With a
	   remote disaster like the Mexico City earthquake, there was no
	   coverage by the ubiquitous media AT THE TIME, whereas the
	   shuttle had all sorts of 'glamourous' technology involved with
	   it (not to mention the shuttle itself, an impressive feat).

	   What do I mean by this?  Just that I think people were secretly
	   reassured that our current technology isn't flawless, and that
	   while it was certainly unfortunate that people died in the 
	   incident, our society seemed to breathe a collective sigh of
	   relief, as if the 1984 of Orwellian vision was getting pretty
	   close but suddenly moved further into the future again.

	2. The recent disaster in the Soviet Union, with the Nuclear
	   reactor, is also interesting in its effects on society.
	   I've seen a small resurgence of "we TOLD everyone atomic power 
	   is dangerous!" and anti-nuclear groups...I've also seen people
	   question if it was a cunning 'act of war' on the part of the 
	   Soviet Union, if it was a good way to test some 'Nuclear Winter'
	   scenarios, if it was a way to permanently condemn nuclear power
	   and (conveniently) the USSR at the same time in the next
	   general assembly of the United Nations, and so on and so on.

	   Interestingly, though, almost a direct opposite of the Challenger
	   accident, no-one has talked about the technical issues.  There is
	   no "See - the danger of TECHNOLOGY" or anything of that nature...

	   Even the people claiming that nuclear power is, ex post facto,
	   dangerous aren't talking about the TECHNOLOGICAL reasons...just
	   the emotional ones (of course, that's in the classic vein of this
	   type of person, but not exclusively).

	   It strikes me as odd, and it's certainly significant to our
	   society!  Should we in fact ban such potentially dangerous
	   technologies?  But what of ICBMs and H-Bombs then?  Are, in 
	   fact, technologies intrinsically dangerous or safe, or is it
	   all a function of the people that wield them? 

	   These first two points are probably pretty heretical, and I 
	   certainly don't mean to make light of the tragedies, but I
	   do encourage discussion herein!!!

	In a less dramatic vein, however;

	3. Recently an unknown 'video hacker' stole some air time from
	   HBO (a pay movie station broadcast throughout the United States
	   via satellite) to display a protest message about the company
	   deciding to scramble their video signal when bouncing off of
	   satellites (thereby cutting off all the people who have satellite
	   dishes turned to that particular satellite unless they are willing
	   to purchase an HBO signal decoder).

	   It's an interesting, hi-tech, form of hijacking, isn't it?

	4. Finally, there's an on-going heated debate on the Usenet/Internet
	   bulletin board (in "net.mail") about the security and rights of
	   privacy of electronic mail.

	   It's a much more general problem so I've excerpted some of what I
	   consider the more interesting parts...

------

[The original message was from a chap named John Gilmore, a response to
 someone or the other...]

 I don't know about Bandy, but any time you dump your data into my
 machine, I'll do what I want with it.  If you don't want me looking at
 it then don't phone me up and hand it to me.

 I get curious about whose router is putting what on my phone bills; the 
 uucp and sendmail logs scroll by in real time at the bottom of my screen; 
 and I know my own root password.  Who's gonna stop me?

-------

[then next is a reply to John from Kenn Barry]

	How do the people with accounts on your machine feel about
this? The rest of us can make sure our mail doesn't go through your
machine, but they're sort of stuck with you, aren't they?

	Nobody's going to stop you, I guess. Nor could anyone stop
you from deleting mail you don't like, or counterfeiting mail. Do
you do that, too?

	I have a suggestion, John: stop doing the net world such a
big favor; stop being so kind as to provide your machine as a UUCP
link, and take the sucker off the net. Then maybe you can find something
more constructive to do with your time than reading other people's
mail.

------

[next, from Eric Black,...]

Ken, and numerous others:

You are COMPLETELY missing John's point.  His comments were not stating
that he personally does this [read or interfere with mail going through
his machine].  Those were sarcastic statements spoken from the point
of view of some hypothetical SA.  THE POINT OF THEM was to say that
users of uucp mail transport (indeed, UNIX in general) too often forget 
that there is no such thing as absolute privacy on a unitory system,
and that we ALL operate under the unstated assumption that SA's and
other superusers, while omnipotent and all-knowing (in the sense of
access privileges), are benevolent, reasonable, and TRUSTWORTHY
people.

If you send mail through someone's machine, DON'T FORGET, not even
for a second, that that machine has superusers who have the power
to read that mail, or even alter it.  This is not to say that they
necessarily will, and that is NOT what John was saying.  But be
aware of the possibility, and if that possibility is bothersome,
don't send sensitive cleartext via that path.

How many messages containing sensitive corporate information
are sent via nodes over which the sender & recipient have no
control?  I suspect there are far more than there should be
(there should be none!).  Encrypt it, use a trustworthy link (i.e.
one under your control, such as a direct uucp link, or via a commercial
data network), or BOTH.

Come on, folks!  Don't be stupid!  (wishful thinking...)
Do you blindly believe the bank when they tell you "the computer made
a mistake"??  Do you change the spelling of your last name because
it has too many characters for your gas company billing department to
handle??

[interesting questions - I wonder if people do?  I know some people are
 willing to "live with" erroneous things on, say, computer billing, like
 an incorrect middle name]

Then don't attribute more security, or reliability for that matter,
to the uucp network than it deserves.  It's a convenience, and only
that!  Be thankful to the unknown and unseen SA's who have to take
time to keep it running, eliminate logjams and clogs, and make it
possible for you to send mail to nearly anyone in the world who
works with/on a unitory system!  Fortunately, 99.999999% are
good folks.  There may be some who aren't.  I wish the percentages
of good folk in other collections in the world were so high!

[another interesting comment...]

Enough flaming of my own.  The series of articles which fired my
sensibilities is just another example of how satire and sarcasm
are not communicated well by this medium.  But then, my sense of
humor leans heavily toward making the same sorts of outrageous and/or
unreasonable comments as John made above, and often people don't pick
it up even in person.  

[Another problem worthy of discussion in this group - electronic
 communication and the loss of visual/auditory cues...]

------

[and now something from Ben Cranston...]

[quoted from someone else]
>I am very sympathetic with John wanting to know who is running up his
>phone bills and why (in a routing sense) they are doing it.  Still, it
>seems to me that the contents of private mail should be sacrosanct.
>Other than incidental exposure in the course of normal maintenance or
>firefighting, we should avoid at all costs reading people's private
>mail.

It is possible to ascertain "who is running up .. phone bills and why" by
examining the message headers.  I occasionally run the off-this-machine and
InterNet <-> BitNet parts of my (non-UUCP) mail system in a "debug" mode.
This reports, for each message:
1. The Out-Of-Band addresses
2. The message header (up to first blank line)
3. The total number of lines in the message.
This is sufficient to find out who (if anybody) is creating an inappropriate
level of loading.

Caveats:

The "Subject:" line is sort of a "no man's land".  As part of the header, I
get to see it, but many people don't realize this.  And I get a real kick out
of seeing obscenity in the subject lines of mail from the person here who is
primarily responsible for disciplining student users for using obscenity.

[another interesting point - is this an example of "power brokers" of the
 information age???]
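
Added example (not part of the digest or of Ben Cranston's mail system): a sketch of the header-only report his post describes, giving the out-of-band addresses, the header up to the first blank line, and the total line count, plus a per-sender load total. The queue contents, host names, and the optional Subject redaction are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample queue: (envelope sender, envelope recipient, raw message).
# Hosts and users are made up for this example.
SAMPLE_QUEUE = [
    ("alpha!alice", "beta!bob",
     "From: alice@alpha\nTo: bob@beta\nSubject: lunch\n plans for friday\n"
     "\nhi bob\nsee you at noon\n"),
    ("alpha!alice", "gamma!carol",
     "From: alice@alpha\nTo: carol@gamma\nSubject: sources\n\n" + "x\n" * 400),
    ("delta!dave", "beta!bob",
     "From: dave@delta\nTo: bob@beta\n"),  # no blank line: header only
]


def split_header(raw):
    """Return (header_lines, total_line_count); the header ends at the first blank line."""
    lines = raw.splitlines()
    header = []
    for line in lines:
        if line == "":
            break
        header.append(line)
    return header, len(lines)


def redact_subject(header):
    """Replace the Subject value, including folded continuation lines, with a marker."""
    out, in_subject = [], False
    for line in header:
        if line[:1] in (" ", "\t"):      # continuation of the previous field
            if not in_subject:
                out.append(line)
            continue
        in_subject = line.lower().startswith("subject:")
        out.append("Subject: [redacted]" if in_subject else line)
    return out


def report(envelope_from, envelope_to, raw, hide_subject=True):
    """The three items from the post; the message body is counted, never returned."""
    header, total = split_header(raw)
    if hide_subject:
        header = redact_subject(header)
    return {"from": envelope_from, "to": envelope_to,
            "header": header, "lines": total}


def load_by_sender(queue):
    """Total lines relayed per envelope sender, heaviest first."""
    load = Counter()
    for env_from, env_to, raw in queue:
        load[env_from] += report(env_from, env_to, raw)["lines"]
    return load.most_common()


if __name__ == "__main__":
    for item in SAMPLE_QUEUE:
        print(report(*item))
    print(load_by_sender(SAMPLE_QUEUE))
```

With hide_subject=False the report matches what the post says the administrator sees, Subject line included.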

-----

[and now from John Woolley...]

I have to disagree with John Gilmore about whether he should read private
mail piped through his machine.

[quoted from John Gilmore]
>                                       ...the uucp and sendmail logs
>scroll by in real time at the bottom of my screen; and I know my own
>root password.  Who's gonna stop me?

Well, obviously, nobody can stop you; I don't think anyone *should* be
able to stop you -- it's your machine.  But I don't think you ought to
do it, and I don't think people are out of line when they get mad at you
for it.

If you simply refused to pass mail, nobody would have any gripe coming.
*But*, you (a backbone site) have (generously) made your machine
available for mail transmissions (which everyone, as you know, considers
private stuff).  You have the (moral, not legal) obligation, therefore,
not to take advantage of people's trusting you to do what they very
reasonably think you've agreed to do -- pass on their mail unread.

[do readers of this group agree with this "moral obligation"??  It's
sort of like going up to someone in an anarchistic state and saying
"but there're laws about that..." isn't it??]

It's as if I had agreed to let somebody use my house as his mailing 
address -- I don't have any right to hold his letters up to the light,
steam them open, whatever, just because they're arriving at my house.

[I think this is a particularly poor example, though.  A common phrase
is "a <persons> home is their Castle" and if that's truly the case then
this is indeed a poor example.  On the other hand, if not, then what is
the line of 'rationality'?]

------

[Now from George Robbins]

Perhaps the best course is to look at a parallel service - handling third party
traffic in radio service.

The essence is that you may read the messages, but may not divulge them, or use
the information for your own benefit.  You are also responsible for checking
that the messages you retransmit do not violate appropriate regulations - i.e.
obscenity or illegal content.

[strikes me that the Securities and Exchange commission wouldn't appreciate
 this level of security...]

As a system/mail administrator it is perfectly reasonable to monitor the mail
through your site, however one should do so in the role of a dispassionate
observer.  You are not interested in who the messages are from or why they were
sent - just that the content is allowable and that the use of your system is not
abusive.

Mail originating from your site is somewhat different, since you should observe
local ethics.  At some sites, looking at another user's mail or mailbox is a
mortal sin, at other sites anything that hasn't been explicitly protected is
fair game.

[yet another interesting topic - computer ethics and the rights to privacy of
 data and information...]

While I don't agree with the mail is sacrosanct view, I think John goes a little
far the other way.  By posting hoptoad's links in the usenet map, he is offering
these links for outside usage.  A typical mail user may have no control over the
uucp links available on his system.  A user also has no way of knowing where on
the net rerouting mailers are lurking that may toss his message through hoptoad.

On my system, I may read any mail that seems strange, comes through a weird
path, or falls on the ground.  I won't tell anybody about what I read, but will
send a message back to the originator if he seems to be having problems.

I would like to see mailer information added to the netmap database, but that
project seems to be under considerable strain, without adding to the burden.
Adding information/guidelines about network mail, and how to mail to different
networks to the net.announce.newusers stuff would also seem to be a worthwhile
effort.

-----

[now Landon Dyer gives us his "Golden Rule of Computer Security"]

Here is the Golden Rule of computer security:

		IF YOU WANT IT KEPT PRIVATE
		DON'T PUT IT ON A COMPUTER!

Go ahead -- use `super-mega-turbo-RSA' encryption.  Who wrote your
operating system?  Who has the system password?  Have any dial-in
lines?  Did you use `crypt(1)'?  Foolish mortal!

The Golden Rule of telecommunications might be:

		IF YOU WANT IT PUBLIC
		PUT IT ON A PHONE LINE!

Would you REALLY trust usenet with something important?

-----

[from the other direction, here's Phil Ngai]

> `little apples'. He has also read mail from csuh!shark going to me through
> lll-crg. (csuh only connects to lll-crg).

Even if csuh only connects to lll-crg, you have no right to tell other
sites what to do with your mail. I don't make a practice of reading
mail going through my site but that's no promise I won't. UUCP is
always leaving little [things] around for me to clean up. Sometimes I
look at them to figure out what they are. And my users have access
also. (I run uucp 777 mode, to keep things simple.)

[777 mode means anyone can read or write to the files in question]

If you don't like it, set up your own connection. I have no
responsibility for your traffic.

-----

[and my two cents worth in the discussion...]

Sooo...pretty interesting topic we're all talking about here.

I'm rather disgusted by the attitude John Gilmore has towards the whole
issue though.

I can just imagine sending someone encrypted mail because I DON'T WANT
ANYONE along the way reading it and getting a message back from 
john_gilmore@hoptoad saying "You were using my machine for your mail and 
I couldn't ascertain if it was legit or not so I removed it.  If you 
don't like it, USE ANOTHER MAIL ROUTE!"

Such a friendly attitude.  So willing to help.

As one of the local mail "folks" here in HP, I've actually been known to
propose built-in encryption routines that would be part of SENDMAIL or
some other ``second level'' transport mechanism that would know the 
public encryption keys for specific machines.  The mail packet going off
of the local machine would then be encrypted as it left (regardless of
the protocol - SMTP/UUCP/ACSnet/??) and then decrypted as it was received
on the destination machine.

While nosy twits (no names needed) could still go through the pain of 
decrypting, it would in reality be such a hassle that they'd just find
themselves out of a source of amusement.

By the same token, that's why my mailer, Msg, has a built-in encryption
facility that's so incredibly easy to use...

	On the other hand, it seems we're all dealing with this in an 
  adversarial sort of way...

  That is, if John wants to limit the mail that goes through his system to
  small packets only, or whatever, then what we need to do is to modify the 
  SYSTEM to support that.  For example, let's have mailers that use 
  different routes according to the size of the message...think of it -
  machines that could perhaps direct connect long-distance phone line type
  connections NOW if the message is small (under 2K, say) or queue any
  larger messages for that evening (or a different route even).

	This is, from what I understand, somewhat akin to the ACSnet bit
  about prioritized message packets...

	If I had a machine of my own I'd make my uucp map entry something
  that made calling to my machine reasonably cheap, but calling OUT of
  my machine, even if to a local host, incredibly expensive.  This would
  mean that my machine would be a 'last resort' route if absolutely needed,
  but otherwise I'd never see mail.

	You can't have it both ways - you can't be a "mini-hub" and still
  ask not to have too much mail go through your system...

------

[ Ken Perlow brings up moral responsibility again...]

> Even if csuh only connects to lll-crg, you have no right to tell other
> sites what to do with your mail. I don't make a practice of reading
> mail going through my site but that's no promise I won't. UUCP is
> always leaving little turds around for me to clean up. Sometimes I
> look at them to figure out what they are. And my users have access
> also. (I run uucp 777 mode, to keep things simple.)
> 
> If you don't like it, set up your own connection. I have no
> responsibility for your traffic.

You have a moral responsibility, Phil [Ngai].  The very concept of mail
assumes privacy between sender and receiver.  You know that.
I can't stop you from reading my mail (if it happens to blow by
in the night), but if you do snoop you are doing something wrong.
I'm glad you "don't make a practice" of reading mail.  You should,
as a generic upstanding human being, promise that you won't.

[is this a fine line??]

I'm flabbergasted at how many system administrators feel it's 
permissible to snoop simply because they own or maintain the computer
resource.  It's sad what happens when people are well trained but
poorly educated.  Get your heads out of your respective tty's and
into some Maimonides, Aquinas, Aristotle, or Kant.  Or even Mill.

[but does bandying about philosophers' names change the moral act?  :-) ]

------

[Phil fights back...]

>You have a moral responsibility, Phil.  The very concept of mail
>assumes privacy between sender and receiver.  You know that.

Nonsense. UUCP mail has always been unreliable and insecure.  Don't go
comparing UUCP mail with USmail.  If you don't like the (free) service
my site provides, don't use it. I didn't ask you to send mail through
my site. I didn't set it up as a relay site. Relaying happens by default
and it would be an effort to turn it off.

[an interesting attitude - somewhat akin to the "if you don't like the
 way I drive, stay off the sidewalk" bumperstickers, I think]

>I'm glad you "don't make a practice" of reading mail.  You should,
>as a generic upstanding human being, promise that you won't.

You missed my point that as a system admin one cannot promise not to.

-------

[Byron Howes pipes in...]

>If you rely on any utility of mail being private, especially if it
>goes through machines not controlled by sender or recipient, you are
>fooling yourself.

I don't rely on it being private.  I do rely on it being unmolested by
other Systems Administrators.  Mail's utility is predicated on it being
as reliable as the network will allow.  

> It has been my observation that
>all mail administrators that I have dealt with have very few qualms
>about reading others' mail.  Perhaps, it shouldn't be that way, but
>it's not going to change any more quickly than any of the other
>problems which result from a system of decentralized control of the
>network.

I'm sorry that's the case.  *I* figure my users have some right to
privacy.  For those SAs that go out of their way to read mail, I hope
they read something about themselves.  

------

[and now a word from the UK, specifically Andrew Macpherson...]

First, let me go on record: I have neither the time, nor the
inclination to read any mail not addressed to me, and not causing
a snarl-up in stc's e-mail system.

On the other hand I think one has to regard e-mail much as a picture
postcard, ie as published material, and any defamatory comments in
an e-mail message as libel  - it is easy to apply any sort of encryption
to secure your message from casual snooping (Rot13 for instance
would, I believe, suffice to change it to a private communication)

Hmm yes I think this picture-postcard is a good analogy, since there is
the text right alongside the address... comments?

[indeed an interesting analogy, and one that a lot of managers in companies
 like my own, companies that use electronic mail for confidential purposes,
 would be very disturbed to hear...]

-------

[and another comment from Byron Howes]

>Perhaps the best course is to look at a parallel service - handling third party
>traffic in radio service.
>
>The essence is that you may read the messages, but may not divulge them, or use
>the information for your own benefit.  You are also responsible for checking
>that the messages you retransmit do not violate appropriate regulations - i.e.
>obscenity or illegal content.

>As a system/mail administrator it is perfectly reasonable to monitor the mail
>through your site, however one should do so in the role of a dispassionate
>observer.  You are not interested in who the messages are from or why they were
>sent - just that the content is allowable and that the use of your system is 
>not abusive.

I both agree and have problems with this.  I agree that the role of the
systems administrator with respect to others' mail that must be read should
be that of a dispassionate observer.  I think also, however, that one should
*avoid* reading others' mail unless it is unavoidable.  With respect to
abuse of the system, it would take considerable probable cause for me to
want to regularly monitor mail (yuck -- distasteful!)  Obscenity is
something I'm not qualified to judge on.

[shades of censorship?]

------

[then, from Phil Ngai again]

>> It has been my observation that
>>all mail administrators that I have dealt with have very few qualms
>>about reading others' mail.  Perhaps, it shouldn't be that way, but
>>it's not going to change any more quickly than any of the other
>>problems which result from a system of decentralized control of the
>>network.
>
>I'm sorry that's the case.  *I* figure my users have some right to
>privacy.  For those SAs that go out of their way to read mail, I hope
>they read something about themselves.  

I'm not sure but I think Scott meant that mail admins read mail going
through their machine. As far as I'm concerned, my machine is there
for my users and they have a right to as much privacy as can
reasonably be given. (if they leave a temporary file in /tmp and I
need to clean out /tmp, I'll read it before rm'ing it.)  But people
who send mail *through* my machine have no rights to privacy.

[that's a pretty strong statement!!  I wonder how this person feels about
 people walking through his backyard or sitting on his car...]

------

[Finally, Gordon Moffet says]

On the one hand, you can use the -d flag of Peter Honeyman's
pathalias(1) to declare as DEAD any site which you do not
want your mail to go thru.  That way that site will only be used
when it is the only available choice.

[fine technical point - most machines use an automated routing scheme
 on Usenet, usually generated by a program that Peter Honeyman wrote,
 called "pathalias".  One of the options when invoking this program is
 to list "dead" sites, that is, sites that you don't ever want mail to
 be routed through.  It seems that Peter was anticipating this very
 discussion, almost]

On the other hand, I doubt that such exclusions from the network
would improve the security or privacy of electronic mail.  I suspect
there are many many mail peekers out there that we will never know
about.

[Enough quoting.  Any comments, oh faithful readers???]


-----------------------------------

To have your thoughts included in this digest, or to join the mailing
list, please send electronic mail to Dave Taylor at any of the following
addresses:

   taylor@HPLABS.{CSNET,ARPA}   -- or -- 	..hplabs!taylor

This digest is published approximately bi-monthly and does not necessarily
express the views of HP nor anyone else other than the individual authors
of the messages.

***********************************
End of Computers and Society Digest 
***********************************