Open Relay == Bad? (Was Re: [oclug] Rogers sucks)
Michael P. Soulier
michael.soulier at rogers.com
Sun Mar 10 20:10:11 EST 2002
On 10/03/02 Brad Barnett did speaketh:
> I completely understand where you are coming from here, but there are
> obviously exceptions to every rule. With SMTP authentication, there is
> little need for a relay that allows spamming. Keep in mind that whatever
> MAPS calls an open relay is not what I want the legal definition of
> one to be. ;) I want an open relay to equate to something that can be
> used to spam. SMTP authentication is enough to make me happy with regard
> to this.
It doesn't seem to prevent spammers from using Rogers, but yes, at least
they're making an effort. :)
> SPAM, because of its current nature, needs to be controlled by making spam
> illegal, and open relays (as I defined them above) illegal. While SPAM
Let's be sure of that second point. While I can't see a need, does anyone
have a good example of why you'd ever want an open relay?
Somehow, keeping an open relay and permitting it to be used for spam seems
like depraved indifference to me.
Ex. I walk by a man who's beaten and bleeding on the street. I know that
whoever beat him broke the law, but I walk on by and do nothing to stop it.
In the eyes of the law I'm now guilty of depraved indifference.
Ex2. Even worse. I know that drug deals are going down on a regular basis
in my restaurant. However, they're my best customers and they tip really well,
so I do nothing about it. I even look the other way when they kill someone in
my place. Now I'm benefitting from their crimes. I didn't commit the crimes
mind you, but I don't think a judge would look too kindly on me.
Ex3. UUNET looks the other way while spammers use open relays to broadcast
spam across the world. But, they're my best customers so I do nothing to stop
> Your entire argument is flawed though. If I buy a shovel and use it to
> hold up my car while I work on it, that's my fault. A shovel was not
> designed to be used in such a manner.
His entire argument is not flawed. He was simply responding in the context
of your words. Your words:
>> 3) The same needs to be true of software authors/vendors. If they have
>> huge gaping holes and bugs that cause their software to perform outside of
>> the law, they need to be liable.
Hence, his response that the purpose of said software should be taken into
account, something that you did not mention at all. Thus, while I am not
taking sides in this, I would argue that his argument was not in fact flawed.
It bothers me to see entire points thrown out like this by the first
party when said first party did not bother to look at their own words first.
If his argument was flawed then so was yours.
> However, if I bought a stand to hold up my car while I worked on it, and
> the legs bent, crushing me, I would have a right to sue. Negligence. A
> faulty product.
> The same can be said for software.
Absolutely. The vendor needs to stipulate valid uses for their products,
and if you use their products for one of said valid uses and it fails, they
should be held liable. If you knowingly use something with no guarantee, then
you knew it had no guarantee to begin with.
Hell, read the EULA for winblows. You're not allowed to use it in air
traffic control, or any other critical application. MS knows their software
sucks and they don't want to be held liable.
> Keep in mind here that I stipulated fault where insufficient care was
> taken to ensure that the product would be sound and bug free. Beta
> software would obviously be exempt, because it is labelled as such. Only
> release software would be liable in such a way, and only if sufficient code
> audits were not done to ensure its quality and security.
I tend to agree, but where does this put open source software? Say I buy a
Linux distro from a vendor who guarantees its quality for me, because I'm a
big corporation and I demand those kind of guarantees. Now, do I really
believe that vendor has gone and inspected every line of code in everything
they ship to me? It's not likely. I realize that, chances are, it's been
looked at a lot. However, "chances are" isn't good enough. How could I, as CTO
for a big company, recommend an open source product when I know that there
were no real standards behind its construction besides, "chances are"?
I ask this because I get asked that all the time at work. :)
Michael P. Soulier <msoulier at mcss.mcmaster.ca>, GnuPG pub key: 5BC8BE08
"...the word HACK is used as a verb to indicate a massive amount
of nerd-like effort." -Harley Hahn, A Student's Guide to Unix