RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

["Vivien M." <vivienm () dyndns org>]

> -----Original Message-----
> From: owner-nanog () merit edu [mailto:owner-nanog () merit edu] On 
> Behalf Of David Schwartz
> Sent: April 19, 2004 12:57 PM
> To: 'Dr. Jeffrey Race'
> Cc: nanog () nanog org
> Subject: RE: Microsoft XP SP2 (was Re: Lazy network operators - NOT)
>
>
> > Firstly, who enforces it? The reason it "works" with cars 
> is that the 
> > state (or province for those of us north of the border) effectively 
> > says "you can't drive a car without this lovely piece of 
> paper/plastic 
> > that we'll give
> > you" and "if we find you driving a car without the lovely piece of
> > paper/plastic, you're going to be in serious trouble". Are 
> you proposing
> > that each jurisdiction that currently licences drivers also
> > licence Internet
> > users and tell ISPs "sorry, but if they don't give their licence,
> > you can't
> > give them an account"?
>
>       That's not a problem. The state licenses drivers but it 
> also owns the roads.

Yes... And the state doesn't own the Internet, and can't SEE the Internet
(or its component networks). How does it enforce who uses it?

> > Secondly, HOW do you enforce it? Motor vehicles only 
> require a licence 
> > to be operated on public roads in all jurisdictions I'm aware of. 
> > IANAL, but if some 14 year old kid without a licence wants to drive 
> > around on his parents'
> > private property, that is not illegal.
>
>       So? If you want to mess around on your private network, 
> I don't care either.

And exactly how do you separate public and private networks, from the point
of view of law enforcement? In the driving world, public roads are easy
enough to enforce things on... 

Besides, there are no [major] public networks, if by public, you mean
taxpayer-owned... If you mean publicly accessible, that's another story, of
course... 

> > Now, the instant that
> > vehicle leaves
> > the private property, it's another story (assuming, of course, cops 
> > around to check licences. In some jurisdictions, this is more true 
> > than in others).
>
>       Exactly. You want to go on someone else's roads, you do 
> so only by their rules.

But my point is, they can SEE you. If I drive out on the roads of whatever
state/province/municipality/etc, their authorized agents (read: cops) can
SEE me and stop me. Try and do that with my IP packets. You try and track
the IP packet that you are getting from my machine to me as a human... Sure,
you can do it, if you have an army of lawyers in a bunch of jurisdictions,
but it's not like the cop who sees a moron driving badly and just pulls them
over, at which point they HAVE the moron in their hands... You can have my
packets going around into your network without having physical access to me,
but you CAN'T have my car driving around (unless I'm not driving it :P) in
your roads without me being in it. 

So, how do you ask my packets for my computer licence?

> > My point is, driving is ONLY regulated when it is done in 
> public view, 
> > for obvious reasons. Computer use is an inherently private 
> activity, 
> > so how do you propose to verify that the person using a 
> computer is in 
> > fact licenced? Mandatory webcams? :P
>
>       So you can drive however you want on *my* driveway? 
> That's not public view, is it? If there only private roads, 
> I'll bet you that private road owners would have come up with 
> a licensing system quite similar to what we have today, for 
> liability reasons if nothing else. You might also notice that 
> you can't get liability insurance without a license even 
> though that insurance is issued privately, and there aren'y 
> many road owners who let you drive on their roads without insurance.

If I drive on YOUR driveway without a licence, assuming I can GET to your
driveway without driving on a public road (e.g. someone with a licence
drives me to your driveway), I'm guilty of tresspassing on your property,
but I don't think I'm guilty of driving without a licence. 

And why would any insurer insure somebody without a licence? Sounds to me
like financial suicide, assuming driver licencing actually DOES keep morons
off roads...

> > Thirdly, WHO do you enforce it against? It's pretty difficult (and 
> > illegal) for $RANDOM_JOE (or $RANDOM_KID, etc) to just go out and 
> > drive someone's car
> > without their explicit knowledge and permission. (Okay, so you
> > can hotwire a
> > car, but...) It's very easy for someone other than the computer
> > owner or ISP
> > contractholder to have access to it and abuse it and stuff.
>
>       I'm not sure I understand why you think this is so. My 
> kids know that my computer is off-limits to them just like 
> they know my car is off-limits to them. They are physically 
> capable of obtaining access to either without my permission.

You're an IT professional. This isn't about you. This is about the random
family with the "family computer" that everybody installs random crapware
onto in the kitchen or den. Does the same apply in that situation?

> > So what do you
> > propose? Mandatory cardreaders on all computers? 
> Fingerprint scanners 
> > integrated into keyboards? How else can you avoid Mom 
> logging online, 
> > and then letting the unlicenced kids roam free online, 
> allegedly to do 
> > "research for school"? Do you want to fine/jail/etc Mom if the kids
> > download a trojan
> > somewhere?
>
>       I would presume that a license would include the rights 
> to allow others to use your access under appropriate 
> supervision or with appropriately restrictive software.

Again, without enforcement officers in your house, HOW do you propose to
enforce this?

Besides, last I checked, driver's licences don't give you the right to have
your kids drive without a licence if you're in the vehicle. The kids  (at
least in the jurisdictions I know of, this may not apply to all 60+
jurisdictions in North America) first have to prove to the regulatory
authority that they know the rules of the road, and THEN they're allowed to
drive around with a parent. How do you propose to enforce a similar thing
for the kitchen computer?

> > Fourthly, as someone pointed out, the first generation always 
> > complains. I hate to show how young I probably am compared 
> to many on 
> > this list, but my jurisdiction introduced graduated 
> driver's licencing 
> > a few years before I was old enough to get a driver's 
> licence, and it 
> > angers me that the random guy who's out on the road driving like a 
> > moron had to go through way less bureaucracy, road tests, 
> etc than me 
> > simply because he was born ten years before me. That said, if no 
> > reforms are made to make this system stricter, I'm sure the next 
> > generation won't see this system as an outrage simply because they 
> > won't remember an era when the bureaucracy. Currently, 
> people can buy 
> > computers/Internet access/etc unregulated at the random 
> store down the 
> > street. You're proposing that some regulatory authority require 
> > licencing... Why should these voters accept it?
>
>       Because their failure to cooperate will result in 
> ostracism. That's how the Internet has always worked.

How do you get ostracised when you're the majority? The majority of people
think computers are glorified toasters. WE are the minority here, and if we
start giving too many lectures, WE get ostracized. You have any idea how
many people think I'm insane because I've told them HTML email is bad? In
YOUR world, they'd be ostracized for using HTML email. In the REAL world,
I'm the SOB out to spoil their fun by insisting on archaic modes of
communication. 

> > Especially
> > since, unlike with cars, the damage done by poorly-operated 
> computers 
> > is rather hard to explain to a technologically-unskilled 
> person. Most 
> > would respond something like "well, it's not my fault some criminal 
> > wrote a virus/exploit/whatever. Put that person in jail, and let me 
> > mind my own business." Good luck educating them on the fallacies in 
> > that statement.
>
>       The point is, you don't have to. You just have to not 
> let them on your roads. If they think the things they have to 
> do to get on your roads are worth the value of those roads, 
> they'll do them. If not, not. You don't care why people 
> comply with your rules. People don't get driver's licenses 
> because they think the piece of paper makes them a better 
> driver, they do it because that is what's required for them 
> to get insurance and avoid tickets and even jail.

See below.

> > Fact is, until home computer security issues result in a pile of 
> > bloody bodies to show on CNN, no one in the general public 
> and/or the 
> > legislative branches of government has any incentive to care...
>
>       They don't have to. It's the road owners who decide who 
> gets to drive on their roads. All it would take is a 
> certificate infrastructure and companies issuing certificates 
> to people who demonstrate competence. Then sites could start 
> restricting traffic to certificate holders immediately.

So you propose some form of access control? If someone's packets don't
identify themselves the way you want, you want your network to send them to
the great null0 in the sky?

So, you want to balkanize the Internet? If my network accepts packets signed
by licencing board A, and is licenced by A, and your network wants licencing
board Z and is licenced by D, then your network won't accept my packets and
mine won't accept yours. How does that leave anybody better off?

This is as silly as each town alongside a major regional highway saying "we
will only allow vehicles registered in our jurisdiction, or in jurisdictions
who pay us a tax to drive through our 2 mile stretch of road." 

Seems to me like you'd be throwing a whole maternity ward full of babies out
with that bathwater...

Vivien