Slashdot Mirror
Open Relays, Free Speech, and Virus Propagation
sirsnork writes: "There is a story about John Gilmore running an open relay that is being used by a virus to propagate running over at Newsbytes. His defence? He wants his friends to be able to send email through his server from whereever they are. You'd think he'd know better." Gilmore has been skirmishing with Verio for some time over his open mail relay. Is it a good thing because it promotes the free flow of information? Is it bad for promoting the free flow of spam? Do the ethics change because someone writes a virus that uses the server to propagate? Interesting questions.
This guy is a jackass. There are a number of ways to allow his friends to send mail without running an open relay.
Gilmore should know better. Verio's being majorly blocked by this person, and when Verio gets a clue, they may get their laywers in on the game and sue him.
He should at least know how to lock the server down to use SMTP Authorization. Even better, if he wants his friends to communicate freely, he should give them Unix shell access. Open relays being free speech? YEAH RIGHT! There's no goverment there, so the First Admendment does not apply! (If you think otherwize, REREAD your Admendments.)
--
# Canmephians for a better Linux Kernel
$Stalag99{"URL"}="http://stalag99.net";
An open relay is a public nuisance, like leaving loaded weapons out where anyone can take them.
someone would use a little common sense. Perhaps his "friends" need to do what the rest of the world does and get a shell account or a webmail account. If the janitor of a school left the door unlocked so that his wife could come in after hours and drop off his dinner and a bunch of kids came in through the unlocked door and trashed the place, the kids would be at fault, but the janitor would be guilty of neglegence. If the janitor didn't lose his job, he probably would be smart enough to leave the door locked in the future.
If it ain't a Model M, it's a piece of crap.
John Gilmore assertion that he wants his freinds to be able to send through the server are invalid, as he could always allow authenticated relaying instead of open relaying. This would allow authorized users to relay from anywhere without allowing abuse of the system.
Of course, everyone knows that this isn't the reason for his running of the relay - it's simply an issue of free speech, as I understand.
--
Beauty is in the eye of the beholder... Oh, no. It's just an eyelash.
I wonder how long it will take him to get a clue when his domain gets on all the major blacklists now it's well known. His view of the internet is going to get very small very fast. He needn't worry about being DOS'ed by angry netizens. Most of their packets will no longer be able to get through soon.
The truth shall set you free!
Verio has every right not to sell Internet service to people who want to use it to run open mail relays. John Gilmore has no right to demand Internet service form Verio.
MAPS, ORDB, ORBZ, and the other blackhole lists have every right to tell me that John Gilmore is running an open relay. John Gilmore has no right to gag the blackhole lists' truthful speech about him.
I have every right to refuse to accept email from John Gilmore's open relay. I may do this on my own information, or on the advice of a blackhole list. John Gilmore has no right to force me to allow him or his traffic on my property.
So everyone's right, as long as everyone stays within their rights.
It really is.
It's also your right as an end user or mail server administrator to block traffic from his server / network.
A common carrier, however, does not have the right to block his traffic because they want to stop spam.
This is really clear-cut.
A little bit more explanation.
/etc/passwd (or shadow) but that would mean the passwords would have to be sent in the clear. So one would use smtp ssl (runs on different port) or smtp-tls (runs on port 25, and uses a start-tls command to start the encrypted session).
/etc/passwd, but in something like /etc/poppasswd) and give it a password like "opensesame" and then tell anyone who needs to use this smtp server remotly the username and password. If this info ever gets compromised and used by spammers, just change it.
SMTP supports an authentication mechanism. Normally one would think you would want this hooked up to
One also can use a One Time Password (OTP) scheme. In this case, the password will be stored on the server in plaintext, and we use a challange/response system to authenticate. The server sends a challange, and then you do some cryptographic hash functions with the password and the challange to create a response, you then send the response back. The server can duplicate the steps, and if they match you are authenticated.
This way, one can setup a "smtp account" with a name like relay (not a real unix account in
I do this with qmail (with a patch for qmail-smtpd.c) and I use the same smtp server from my parents house, my apt in NYC and Columbia University (and multiple other places I have visited)
I suppose he leaves his front door unlocked too so his friends can watch cable whenever they like?
:[
I've done this plenty of times. I guess that's why the last time I came home my air conditioning was set on 50, the oven was still on, and all my french bread pizzas were gone.
Jokes aside, there are sometimes that you just have to take responsibility for something. And this is one of those times. His refusal to close it is just plain a) apathy b) want for attention c) pathetic.
Ok, maybe his defense is the same of that used by file sharing programs, which unfortunately might make hypocrites out of a lot of us who complain, but anybody with common sense would know how to handle this situation. Don't be rude, Gilmore, close the damn relay!
This is a perfect example of why ethical issues like freedom of speech, fair use, and the right to carry a gun are not as cut and dried as we would like them to be.
It all boils down to this: While 99% of any given set of a population may be honest, ethical or safe, there is always that 1% that will take advantage of that very fact. In this case, Gilmore wants the freedom to do what he wishes with his mail server, and though most people respect that, a malious few have used that trust to damage others.
You can extend this to any argument: While most of us respect fair-use laws, there are those that take advantage of those laws and pirate music and movies. While most people with concealed gun permits have honorable intentions, there is always a small contingent that does not.
I always say, you have the right to [ speak freely, copy music, carry a gun ] until it infringes on my rights. The problem is, determining who's rights are being infringed on.
This episode is a great reminder that the issue is much more complicated that most people are willing to admit.
Do you have Linux and a DotPal? Click here now!
At least it's well known so it's easy to add to the spam blockers. Hope he didn't have anything he wanted to send me in an email.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
then use of email through his gateway is free expression. however, people blacklisting his box is also free expression.
additionally, i gather he has an account with verio, which has certain provisions you must agree with to have an account, one of which i imagine compells him to avoid running an open relay. If he has a problem with these provisions, he needs to find a new provider, and if he can't find a provider w/out those provisions, he needs to suck it up and realize that in the civilized world, open relays are bad.
Yelling anything during a movie is expression, but unless you're at Rocky Horror, it just isn't appropriate, and could get you kicked out of the theatre. If you take passing spam as yelling, and the internet as the theatre, it makes a decent analogy.
Need a Catering Connection
Everybody's pissed that this guy is somehow contributing to spam, but the reality is that all this guy's providing is a tool - an email server. What people do with the server is up to them. It's the same as all these P2P networks like Napster and Gnutella. It's a tool. It doesn't mean that if you use it you're necessarily using it to steal music. Everybody's quick to defend the P2P networks but quick to condemn this guy. What if P2P networks became sources of worms and spam? Then will we side with the RIAA to shut them down?
The gentleman in question has a home page here He also has an e-mail address of gnu@toad.com and gnu@eff.org so you can e-mail him here and here
May I suggest instead of bitching on slashdot you take a second and send an e-mail to the John and let him know how you feel. Practice your first amendment rights. Visit his web page as well. Perhaps the "slashdot affect" can do some good. Take a second and stop being so apathetic and send John Gilmore an e-mail.
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Frater wrote:
Verio has every right not to sell Internet service to people who want to use it to run open mail relays.
No, actually, Verio doesn't. It's bound by the terms under which it (indirectly) acquired The Little Garden (tlg.net), which very clearly specified that there was to be no blocking of service on grounds of content.
Remember this, if you're ever tempted to business with Verio: It breaks its commitments. Accordingly, you can't believe a word it says.
The address of the server, Toad.com, is one of 25 open mail relays hard-coded by its unidentified author into the W32.Yaha worm, according to analyses by anti-virus firms Symantec and Sophos.
Quoth my shell:
# nslookup toad.com
/etc/mail/BannedIPs /etc/rc.d/init.d/sendmail restart
Non-authoritative answer:
Name: toad.com
Address: 140.174.2.1
# echo 140.174.2.1 >>
#
UNIX? They're not even circumcised! Savages!
ISPs are out there to make a living, like the rest of us. The reality is that spammers are people who don't care about inflicting what we call a "negative externality" on everybody else. That means they are inflicting a cost on those who have to read through spam, or figure out how to block/filter it, and the ISPs who have to carry large volumes of unsolicited commercial email. While ORBZ, MAPS, etc. may be annoying, these organizations do serve a function. Gilmore is free to run his open relay on his T1, but it's akin to parking your Ferrari in the middle of Harlem, with the keys in the car, and the driver's side door open. Technically, you may not be legally responsible, but ethically, if somebody walks into that car and goes joy riding and gets into a crash killing/maiming others, well, what the hell did you expect?
Society does get to set rules about permissible behavior, and we do get to enforce them by exclusion. Hell, if 40% of ISPs (by volume, or by number, I don't know) use MAPS, ORBZ, by their own choice it's probably for a reason. And frankly, I'd rather use an ISP that does, because I don't want to be on the receiving end of any more spam than I already get.
Gilmore may be right that RBLs are not the correct long term solution. I've heard it said before, so I won't take credit for it - the correct solution is a change in Internet standards - make it more "costly" in some way (bandwidth or other) to send bulk emails. This would bring the economic cost back to the spammer and remove or reduce the negative externality. Make it so it doesn't pay to spam. And no, I don't have the solution to this problem, but I could imagine alternatives to SMTP/mail routing procedures that address the problem. Of course somebody might argue that this just reduces the utility of email. Ah well. Until then, for god sakes, close your open relays.
The following text of the e-mail that I sent
To: gnu@toad.org
Cc: gnu@eff.org, drg@verio.net
Subject: RE: Your fight with Verio
Dear Sir,
I find myself in an unusual position, agreeing with Verio. They (Verio) isn't trying to censor your mail, it is trying to prevent your mail server from being used by people to spread SPAM, viruses and other vermin of the e-mail world. It has nothing to do with trying to censor your free speech, or your opinions.
Allow me to provide a parallel this for you. Say you maintain a building on public property with a printing press. You leave the building unlocked so that your neighbor can use it as well. You do this because making a key for your friend is "just too much trouble". The building starts being used by violent gangs and an anarchist who builds his bombs there. The public ask you nicely to lock the building so that this activity will stop. You refuse saying that they are trying to censor you because you have a printing press in the building. That is patently untrue you are in affect aiding and abetting criminals by your negligence.
As an administrator that has to defend against SPAM attacks, sometimes coming by the hundreds and thousands for small domain that has at most 10 mailboxes I have no sympathy for you. This is not about free speech, this is about theft, denial of service and common sense.
aaron@NoitalianSpam-carsPlease.com
"Science is about ego as much as it is about discovery and truth " - I said it, so sue me.
Because, if you read the history of it, Gilmore has this fucked up, romantic view of the Internet that worked in 1990, but fails in 2002. He's an arrogant romantic who cannot be convinced that his failure to take even the most mundane, non-intrusive steps to secure his open mail server can and did cause harm to many people.
I didn't have any sympathy last year, and I have even less now. Just because one is an 'Internet pioneer' does that abdicate him of *any* responsibity for being a poor sys-admin?
What verio wanted was symple. He just wanted some publicity and attention.
No sig is worth reading.
What makes it bad today is Microsoft and it's lack of security, and the burgeoning of spam.
OK, while I loathe MS, and will dis them every chance I get, I gotta say that they're not at fault here.
Spam is the only reason that open relays are bad. MS's security isn't. Worms or virii, while disturbingly common in MS-land, have no bearing on open SMTP servers at all - they use the victim's SMTP server to spread.
and waited a bit for them to have their effect, I'd like to make a couple points.
One, John Gilmore is not some dipshit with DSL. Take a look at <a href="http://www.toad.com/gnu/">his webpage</a>. He is one of the founding members of the EFF. He knows what he's doing-- technically, morally, and legally.
Two, he's not sending spam. He's not enabling it, or allowing it. This "virus" doesn't exploit his computers, it exploits other dipshits, and then sends mail through his relay. But Spammers could send their mail through any other open mail relay (there are plenty0) -- but plenty don't. There are other ways to send spam. The virus could be written to use any open relay, why does it target his?
Maybe his definition of "friends" include people he wouldn't necessarily trust with personal accounts on his service. Maybe they include people he hasn't met personally. Would you deny strong encryption to people in countries whose government would supress their opinions, if expressed openly? No, but you would deny them the ability to send email?
This is a ridiculous scenario. No one in China or Iraq is going to use John Gilmore's mail server. But he's making a point. And the point isn't just about radicals in bad bad countries. Wouldn't it be nice if there were phones on every block and they were free to use? If everyone who could chipped in a little, the cost of sending email would drop sufficiently. Not to mention the increase in efficiency. Why should the email I send to my neighbor have to go to MAE-WEST and back? Do I really want every piece of mail I send to be routed through Verio or UUNet once they've got carnivores in place. The FBI can't put one in every geek's basement, but they can place them at strategic upstream locations and catch a huge majority the way we're currently set up.
The problem is spam, not open relays. Don't ban guns, or cars, or forks because people may do bad things. Spam will still come, in larger amounts than ever, even if all open relays are closed.
You wouldn't accept a company that has multiple expliots in their product to just advice all their customers to just disable the service that has the most frequently used exploit. Should we ban all webservers because Code Red took advantage of a vulnerability in IIS? Browsers because of bubble boy (an Active X exploit)?
This is a flawed analogy because there are other products that do not suffer from these exploits, and because these were coding flaws by one company. But other implementations could potentially be dangerous. Netscapes brown alert?
What about porn -- should we let net filters block anything that may be considered inappropriate for children?
Let's treat the problem, not one of the symptoms. Open relays enable spam. So does DSL. So does weak passwords. So does Hotmail. Is there any question where more spam comes from, toad.com or hotmail.com?
Wouldn't it be nice to live in a would where spam is not sent? You won't get there by ignoring the problem. Blackhole lists are like burying your head in the sand. They don't even save much on bandwidth. And they're getting further behind in the battle against spammers.
Just because you leave your door unlocked, doesn't mean strangers can legally come into your home.
I'd love to see your statement if a cable company went after someone whoi did that.
In other news: Just because you leave your car unlocked doesn't mean you want it stolen, either.
The Kruger Dunning explains most post on
If you want to apply the usual ethics about freedom of speech, you ought to require him to use some form of authentication for his friends, to ensure that their speech is accessable (since he won't be blacklisted) and free of excessive noise (spam, viruses). VPN tunneling, IMAP, shell accounts, webmail, authenticated POP, and POP over SSH come to mind.
Of course, I'm assuming that spam and viruses are not valuable examples of free speech in action, a view that may be difficult to justify. I consider them to not be speech for the same reason that I don't think the signals generated by a garage door opener are speech--they are signals, possibly meaningful in some context, whose intended purpose as used is to cause some event to occur. The spammer says, "I push this button, and our monthly page views go up!"; the virus distributor says, "I push this button, and 3y3 0wnz j00!"; I say, "I push this button, and my garage opens!" In none of these cases is the button pusher trying to convey any information to another person. If the signal (virus, merchandise, scam) is itself an object of conversation, I can see it being speech, but that context isn't relevant to open mail relays.
Isn't it obvious that the reason he wants to keep his relay open is so that his cypherpunk friends can send less-traceable e-mails? A noble goal, even though it has unfortunate side-effects regarding spam and this new virus.
/., surely the hypocrites here can retract their heads from their asses long enough to see the adantages of a static open relay for helping to safeguard the privacy of e-mails. Does it have unwanted side effects? Yeah. Freedom always does.
In this day and age of government snooping, Carnivore, shutting down anti-globalization websites, justifying mass surveillance of all citizens under the rubric of anti-terrorism, and the other atrocities reported every damn day on
Look, let's be frank here: spammers will always find open relays in Asia. Always. China's recent baby steps forward notwithstanding, you know that this is true. This is part of the spammer's job. If spammers couldn't find open relays, they'd just purchase ISP accounts, start flooding out of their own servers, and move on when they get cut off. They sometimes do it now, even though open relays aren't hard to find.
Toad, on the other hand, is just a way for the privacy conscious to have a little conrol over how their e-mail gets routed without having to work like a spammer to keep up-to-date lists of Asian relays. It's just an added layer of obfuscation. Shutting it down won't curb spam or viruses, it'll just take away a privacy tool.
Chasing Amy
(We all chase Amy...)
"The more corrupt the state, the more numerous the laws"-Tacitus
I've posted numerous times here about Gilmore's open relay. Each time I think it will be the last time this silly topic arises, and each time I'm wrong. Here I am posting again.
Many others here have reiterated the things I've been saying all along, that there's no excuse for his open relay and that there are numerous solutions he could easily employ to stop spammers from using his mail server, so I won't belabor those points.
There is one point that still needs to be made, though. Despite his past record as champion of the Internet oppressed, John Gilmore is a danger to the rights of anyone who gets in his way, be they oppressed or oppressor. He is *filthy* rich from his days at Sun (and perhaps other things), and is apparently willing to throw his weight around with no regard for legal costs if he feels like making some sort of point. The problem is, he's a cantankerous, arrogant person with often strange views on right and wrong. There is a seeming randomness to the causes he takes on these days, and in cases like this, where the entity he opposes is clearly in the right, he does nothing but hurt the Internet community at large. Not only is his relay a spam engine, causing immediate but somewhat localized harm, his fight with Verio threatens to undermine an ISPs ability to enforce reasonable acceptable use policies. This latter point has broad implications for the entire Internet.
I see him as a sort of "legal terrorist". His cause is on the side of a very small faction (spammers, lazy admins, and himself - though he might also fall into one of the preceding categories), he has an undue amount of firepower (vast quantities of money to pay lawyers) and has a fanatic will to use that firepower. He is known for taking on causes, sometimes without due research, simply because it offends his often skewed viewpoint. And with the EFF behind him, with its history of legal success against the toughest of opponents, most people quail when confronted with his opposition. Spammers generally do not have the werewithal or the reputation to stand against an ISP who shuts them down. Gilmore has indirectly taken on their cause, and because of the size of his guns, might actually help them in ways they could never help themselves.
I have had dealings with Mr. Gilmore in the past, and feel obliged to say that, in my opinion, he was arrogant, uninformed and misguided. He is the quintessential kneejerk activist. He has done good things for Internet freedom, but his obtuse actions in recent history seem to say that it's time for this horse to be put out to pasture. Mr. Gilmore, I think it's time to pack your bags and move to a beach in Bermuda and enjoy your piles of money. Or perhaps feelings of guilt at being uncommonly rich are what drives you to do these things?
The Internet used to be about openness and trust. Back before Canter & Siegel; the "Green Card Lawyers", back before the Net was opened-up for the Dot Com's and commercial postings.
Back then, having an open relay was no big deal (it was even expected) because we were all friends working for the betterment of the Net, and each other. There was no "cut off their air" because the Internet was a cooperative; their air was our air. A network gains strength as a whole whenever any part of it is strengthened.
That was the Internet that Gillmore grew-up on (and helped found). Perhaps you can't remember, or perhaps you were just too young to remember what it was like back then.
That was back before the Fall of '93.
First it was spamming shutting down USENET groups, which begot CancelMoose.
Next we started seeing email SPAM, which begot procmail and it's necessary filters.
Then port 25 was blocked, and peer-to-peer email was to be nevermore.
Now we're starting to reap what we have sown.
The Internet will soon be owned by one or maybe two large network providers (AOL/Time Warner and/or MSN) and every packet you send will travel only with their permission; through paid transport or non at all. Intelligent routers will give these network providers the ability to block (or charge for) any activity they think they can make a buck off of.
And once there's a single majority player, it's all over. Internetworking always benefits the smaller organization more than the larger one (because it gains access to more resources in the bargain) but only benefits both sides until one gains a majority (at which point providing network access for your competitor cost more incrementally than providing the resource yourself).
We have lost the Internet to those who would claim it as their own and carve it up over those who come in good faith and trust to build and to share.
Think about those whom you loath the most, and what characterizes them all. We hate airline shoe bombers because they exploit the trust inherent in our air travel system to harm us where we are vulnerable. As a result, we must all remove our nail clippers when we fly.
We hate the RIAA and the MPAA because their actions to shutdown legitimate sharing of copyright materials. Their actions are a response not to the person who wants to rip the CD for their car, but to those who abuse the trust by ripping a track and making it available to all comers over the internet. And we (most of us here, anyway) hate them because of the price we must now pay as a result. We may find ourselves losing Fair Use forever because of the actions of a few individuals who's use was anything but fair.
We rant for columns on end about Microsoft's abuses of the market; and what we complain about is the abuse of trust we have placed with them. Then we complain about the latest Microsoft security vulnerability, and again it's about trust misplaced.
We complain about spyware, about online privacy, about the rights we've lost, about abuses of the GPL, and in each case it's the trust we've lost, and usually about how many Karma points we're going to grant to whichever post points this out in the funniest way.
So when Gillmore sticks his nose out and actually still trusts the community he helped to create, you shoot the messenger when you should be shooting the message.
It's not the open relay that's harming your computer; it's the virus, and the impure pond scum who wrote it!
You want the RIAA off your back? Give them a reason to trust you.
You want Microsoft to change their ways? Stop paying them for the trust they've stolen from you.
You want to keep spammers from sending UCE to you? Spread the word that spammers lie.
And if you want a free (speech) Internet where ideas are judged by their merits, rather than by the forum where they are delivered? Speak up and be heard.
Or don't. This Internet is already lost. Trust takes decades to build and seconds to destroy, and all of it which was once here is now gone for good.
You want to know what built the free software community? Trust is the operating system of the free software movement. Destroy that trust and free software will not survive. That's one reason why it's so important to assign your copyrights to the FSF (so they can defend them) and to contribute to the EFF (who understand all this stuff).
The thing about things we don't know is we often don't know we don't know them.
John Gilmore is not just a clueless know-nothing who refuses to close his mail server out of ignorance.
Unfortunatly, you are correct. He is not doing this out of ignorance. He is doing this out of malice.
News for Nerds. Stuff that Matters? Like hell.
It looks like the majority of /.ers are siding with Verio on this one. I read Gilmore's web site and he has some interesting views on a lot of things. His opinons on SMTP blacklisting and list operators control over ISP's is a very good read. I think Gilmore makes some valid points and raises some valid concerns. For example, The current list of anti-spam restrictions is not written down anywhere that I could find; you only find out when a blacklist notice appears in your inbox, telling you that you are going to be thrown off the Internet unless you immediately change. Next week they could demand that any ISP which is also a phone company must cut off phone service to alleged spammers; the following month demand that every ISP turn over credit card and/or customer address information on demand. (Some people claim that thir "fee" for reading a spam is $50 or $500; I'm sure they would like to immediately charge somebody's credit card for it,and let the details and legalities sort themselves out later).
One thing that is being missed is he was once the co-founder of this ISP which over time and various mergers is now Verio. When he founded his ISP their policy was to give the subscribers the ability to do what they wanted. My ISP has changed hands several times in the last three years. With each change of hands there is a new TOS agreement. What is acceptable use today might not be acceptable use by the owners of tomorrow. As it stands my service is getting cut down one port at a time. Rather than educate its customers about viruses and exploits my ISP would rather just block the ports that are exploited. In their mind as long as they provide a portal web site to thier subscribers they are providing service.
I'm glad there are people like Gilmore who have the resources to challenge ISP's. Who else is there who stand up for the rights of the customers? Surely its not our government who passes laws like the DMCA which strips away our privacy when it comes to the internet. Today Gilmore's battle is with SMTP relays and blacklist operators. Tomorrow it might very well be the RIAA and ISP's blocking ports of known P2P clients.
Call the guy crazy if you want but I think his fight is a good one. Its about freedom, something which is slowly dying on the internet.
'Same speed C but faster'
The classic example is to ask what you think of the ethics of throwing an old woman to the ground and beating on her. I'm sure that most people would agree that it is wrong. But add the additional data that she was on fire and you were beating out the flaims, and the whole picture changes.
Gillmore whines Any measure for stopping spam should have as its first goal "Allow and assist every non-spam message to reach its ecipients." That is bogus, as I'm sure he knows. The first goal should be to use all available ethical and legal means to impede and penalize those who spam or support spam. Gilmore's open realy is one of the legitimate targets. Gilmore can set his own goals, but for him to presume to tell us what our goals should be is chutzpah, and, IMHO, ample reason to add him to private deny lists.
Gilmore, throughout his diatribe, ignores the first principle of the anti-spam community: It's not about content. Nobody is searching his messages for naughty words or non-PC text. Rather, they are processing whatever messages he choses to send from IP blocks that they are willing to accept traffic from.
My ISP blocks traffic from certain addresses. Are they censoring my correspondents? No. Are they interfering with my personal liberty? No: in fact, they are enhancing it: I dropped my previous provider because they were not willing to impliment blocking, for technical rather than ideological reasons.