Open Relay == Bad? (Was Re: [oclug] Rogers sucks)

Brad Barnett bbarnett at L8R.net
Sun Mar 10 19:31:42 EST 2002 

On Sun, 10 Mar 2002 16:18:23 -0500
Kevin Everets <kevin at everets.org> wrote:

> On Sun, Mar 10, 2002 at 10:39:29AM -0500, Brad Barnett wrote:
> 
> > This isn't taken as a poke at you Kevin, but next time please read my
> > whole message first _then_ respond to points as you see fit. ;) 
> > You've nicely responded to every paragraph I've written, but taken
> > those paragraphs out of context, separate from the whole.
> 
> No problem about the potential poke <g> ... I did in fact read your
> entire message first, but with the exception of the last paragraph you
> seemed to be discussing the opposing point of view (which I felt the
> need to discuss in more detail).  It seemed an odd about-face, but I
> thought it was worthy of discussion, anyway.

Cool.

> 
> > Anyhow, my entire point in the previous email was that laws are there
> > for a reason and if it isn't illegal, the ISP shouldn't be restricting
> > your service.  You seem to support this as you indicate in your reply.
> > Anything else is a form of mob rule, enacted by self appointed
> > vigilantes. When addressing the point of legislation and spam, I was
> > trying to get at the following : 
> > 
> > 1) eventually laws will be passed to outlaw or control spam.  These
> > laws may make an open relay illegal, and hopefully will.
> 
> I don't believe that laws should make open relays illegal... They
> should (if such a thing were to exist) make spamming illegal.  Laws
> should (in my view at least) be about the act itself, and not
> something that may sometimes be conducive to the act.

I completely understand where you are coming from here, but there are
obviously exceptions to every rule.  With SMTP authentication, there is
little need for a relay that allows spamming.  Keep in mind that whatever
MAPs calls an open relay is, is not what I want the legal definition of
one to be. ;)  I want an open relay to equate to something that can be
used to spam.  SMTP authentication is enough to make me happy with regard
to this. 

SPAM, because of its current nature, needs to be controlled by making spam
illegal, and open relays (as I defined them above) illegal.  While SPAM
obviously does not have the same result as a gun left out of a gun
cabinet, the parallel is there.  You are required to store your gun in a
certain way, to make sure the minors are uncapable of playing with it. 
There are many parallels where tools, equipment or possessions have to be
stored or kept in a certain way because of the potential for malicious
use.  I put spam in this category.  Close those servers.  Make sure they
are unable to relay without a login/pass, or not at all.

The important part is that the LAW states so, not some ISP or vigilante
group.  

> 
> > 2) Anyone  _needs_ to be liable if they provide an open relay for
> > these people, however ONLY if the law stipulates so.  That means that
> > if the ISP has a misconfigured relay, it can be sued and found liable,
> > especially if negligence is shown.
> 
> If maintaining an open relay was illegal (again, a sad state of
> affairs), then the owner of the illegal entity should be held liable,
> otherwise the law is not very useful (and probably in the wrong).

Of course.  This is what I said above.  I said "if the ISP", not "if the
ISP's user".  There is a difference between the two. ;)  

> 
> > 3) The same needs to be true of software authors/vendors.  If they
> > have huge gaping holes and bugs that cause their software to perform
> > outside of the law, they need to be liable.  
> 
> That depends on the use that the software is put.  For instance, say
> that I write a small program, and license it with the GPL so that
> anyone can use it for any purpose (as long as they give out the
> source, of course).  Someone comes along, picks that up and uses it in
> a way that I had never thought of (controlling a train, say), and the
> software malfunctions (I didn't notice a buffer overflow, at least not
> in the version they picked up).  Say that malfunction caused someone
> to die.  Should I be held accountable for manslaughter?  If that was
> so, then I think we would quickly see an end to sharing code. 
> 

Your entire argument is flawed though.  If I buy a shovel and use it to
hold up my car while I work on it, that's my fault.  A shovel was not
designed to be used in such a manner.  

However, if I bought a stand to hold up my car while I worked on it, and
the legs bent, crushing me, I would have a right to sue.  Negligence.  A
faulty product.

The same can be said for software.  

> Or, on a more recent note, say I write a program which allows ebooks
> to be read aloud to people.  This (legal) ability has the side effect
> of allowing illegal activity (copying of the book).  Should I be
> arrested and thrown in jail without a trial if I set foot on US soil
> for allowing the circumvention of a form of copy protection?  Sounds
> like a dangerous position to be taking.
> 

Well yes, if that's how the law is written. ;)

Keep in mind here that I stipulated fault where insufficient care was
taken to ensure that the product would be sound and bug free.  Beta
software would obviously be exempt, because it is labelled as such.  Only
release software would be liable in such a way, and only if sufficent code
audits were not done to ensure it's quality and security.

More information about the OCLUG mailing list