On 7/7/02 10:46 PM, "J C Lawrence" <claw @
> Without full biometric and willing consent verification yada yada across
> the transmission you can't guarantee full veracity, and even then there
> are cheesy little holes along with the big one that really can't ever be
> verified: intent.

The big one is this. It's easy to deal with e-mail from people you know.
The tough part is this -- how do you deal with email of people you don't
know? If you don't know them, all the verified ID in the world means
nothing. I can show you my driver's license, my passport and three credit
cards, and none of that does a thing to solving the question of "is this guy
going to hit me over the head and take my wallet"?

All it does is make it easy to know to run the 2nd time. But if the person
involved has lots of different IDs, and worse, they're easy to make and get
validated, even THAT gets lost in the noise. You fall back on recognizing
the face and running, with or without being shown ID.

> Yup, the same thing is true of digital certs/signatures tied to your
> posting account. It pretty rapidly heads for external trust mechanisms
> where 3rd parties attempt to ensure the veracity/non-abuse of a given
> certificate -- and we all know the problems that walks straight into.

But those fail if certs/signatures are trivial to create. Which, in all
honesty, they are. Anyone can generate an infinite number of PGP signatures,
and you can spend the rest of your life marking them all as "do not accept
email from this sig", and they won't care, because you won't...

Nick made a number of comments I mostly don't agree with (HTML is not a
programming language. It's a markup language. His statement, if true, also
makes the statement "wordstar is really a compiler" also true, which it's
applets or activex or whatever, and those things ARE active code pieces --
but they are NOT HTML. Pure HTML is benign. It can be used to bring in
non-benign pieces, but that doesn't mean HTML is non-benign, and that's
where you get the ability to protect the user from those non-benign
pieces...) -- and other than the previous, I'll disagree without comment
because most of the disagreements are philosophical.

But he also said something on the order of "stop protecting against viruses,
too" -- and in many ways, he's correct. We CAN, actually, simply go to a
caveat emptor approach. There are a number of advantages to it, including
likely a reduction in potential legal liability. But at the same time, I
feel it's the wrong approach. The list geeks are folks who tend to be more
sophisticated technologically and more aware of what's going on out there (I
was having this funky discussion about the Klez virus with a friend one day
before it hit any public discussion, because I was seeing something, it
didn't add up, and we were trying to figure out what the hell was going on.
It'd hit my radar screen, wasn't anything known, and seemed to be (but
wasn't) coming from him, which was weird, because he doesn't do windows. And
then Klez hit, and...).

Nick is running up the strawman that if we can't do everything, all the
time, then don't do anything. That obviously fails, but it's a wonderful
My counter-argument is that we have a responsibility to do what we can
safely and reasonably, help users understand the risks where we can't
provide that safe harbor, but at the same time, we have to be very careful
about what things we choose to put into our purview of responsibility.

Protecting end-users from viruses is a no-brainer. We can do it for the most
part pretty well. Viruses serve no useful or constructive purpose. Even if
Joe sixpack doesn't care if he gets infected, we do, because his infection
impacts other users elsewhere (and from the public health real world
analogy, there's a precedent of isolation and forced inoculation even
against the wishes of the user we can adopt).

But when you start talking about HTML and web bug issues, it gets a lot less
clearcut. YOU may feel strongly about privacy issues, but does running a
mail list give you the right to force your privacy views on your users? With
viruses, there's a clear "protection of the commons" need here. You can't
have someone with mumps running around the pregnant women. But that is far
from clear on privacy. If the user doesn't care about web bugs, what gives
you the right to force your view of that on them? Where does that privacy
issue become one of the commons, where failing to protect users causes
damage to that commons?

I just don't believe it's there. I do believe list admins can evangelize
their views, but where virus fighting is an attempt to mitigate damage
caused to the commons we all use, this privacy stuff is instead an attempt
to force a personal agenda on the users of the list, where you effectively
are telling the users what they have to believe -- and that coercion doesn't
come with any justification of common need like the virus hacks do.

So in one case you're taking action for common good and protecting users who
may be incapable of that action themselves. But in another, it's effectively
saying "you have to do it my way", but without the damage to the commons
that comes from inaction. One is the health department locking up people
with active TB so others don't get it. The other is Greenpeace blockading an
Esso station because they feel you shouldn't be buying gas there.

Do you, as list admin, have the right to act as Greenpeace? I don't believe
JC and Nick, I'm sure, disagree. And wombat is probably ready to kill me....

Chuq Von Rospach, Architech
com -- http://www.chuqui.com/
IMHO: Jargon. Acronym for In My Humble Opinion. Used to flag as an opinion
something that is clearly from context an opinion to everyone except the
mentally dense. Opinions flagged by IMHO are actually rarely humble. IMHO.
(source: third unabridged dictionary of chuqui-isms).