sorbs.net

From owner-nanog@merit.edu Tue Mar 15 14:28:29 2005
To: Robert Bonomi <bonomi@mail.r-bonomi.com>
Cc: nanog@merit.edu
Subject: Re: sorbs.net
From: Valdis.Kletnieks@vt.edu
Date: Tue, 15 Mar 2005 15:28:17 -0500

> As with any other 'voluntary use' blocklist, its "clout" is only as good
> as the number of people using it. If serious questions arose as to the
> 'integrity' of the list, or the list operator, the vast majority of the
> mail-server operators using it would *stop* doing so. And any lack of
> integrity would be a moot issue, since 'practically nobody' would still
> be using it. It is _textbook_perfect_ "self regulation" at work.

This is, of course, making the rather big assumption that the person who
decided to use said blocklist:

a) was fully cognizant of the list's goals and policies when they chose to use it.

nope.

*and*
b) is willing and able to track deviations on an ongoing basis.

Yup. That _is_ an implicit part of *any* filtering/blocking job -- and many
other tasks as well. That you _check_ on an ongoing basis, to make sure that
the automation *is* doing what you "think" it is doing.

*and*
c) whoever replaces them is also able to do so.

If they aren't competent to do the job, they shouldn't *have* the job.
If management doesn't know what all the job requirements are, that is
management's failing, and they _deserve_ the consequences thereof. <wry grin>

If it was in fact "textbook perfect", we'd never hear about stuff breaking
when a block list goes belly up with six months' warning, and people *still*
being surprised when suddenly everything returns 127.0.0.2 and a lot of mail
goes kaboing.

Beg to differ. "textbook perfect" self-regulation means that when the list
starts returning excessive numbers of false positives, that 'practically
everybody' _stops_using_it_. And in fairly short order. Which is, in fact,
precisely what DID happen. The list operator was relying on the effectiveness
of said "self regulation" mechanism to "get the word out" to those who had
_not_ heard about the shutdown from other sources.

> If they aren't competent to do the job, they shouldn't *have* the job.
> If management doesn't know what all the job requirements are, that is
> management's failing, and they _deserve_ the consequences thereof. <wry grin>

To misquote Randy: "I encourage my competitors to choose managers that way." :wink:

The fact is that there's a *lot* of clue-deficient people in those jobs.

> Beg to differ. "textbook perfect" self-regulation means that when the list
> starts returning excessive numbers of false positives, that 'practically
> everybody' _stops_using_it_. And in fairly short order.

The fact that so many people get caught and surprised when it goes to 100%
false positives indicates that they'd likely have had *no clue* what was wrong
if the false positive rate was down in the 5% to 10% range. Remember that your
analysis is leaving out the fact that a lot of these people *are* clueless and
subscribe to "wave a dead chicken 3 times, sacrifice money to Redmond, and
reboot and hope that things have miraculously changed, even with no actual
change of configuration"...

If it *actually* worked right, why do I *ever* encounter people that don't even
know what block lists they're using?

Because enough people running networks are idiots. Why do these networks even stay
in business?

Because their competitors are often equally mercifully free of the ravages
of intelligence....

I'm sorry, but the correct answer that we're looking for is:

"Customers." Because they have customers who don't just put up with it, but encourage them by *PAYING THEM MONEY*.

All "really stupid" companies that make "really stupid" products stay in business because "really stupid" customers pay them "really stupid" money. So, who's stupid?

This is not only relevant to network operation, but life, as a whole.

It's not my opinion, it's the truth. (is it not a fun world we live in?)

-Jerry
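
The failure mode argued over earlier in this thread, a shut-down list answering 127.0.0.2 for every query, is the kind of thing an ongoing check on a blocklist can catch. The sketch below is an added example, not code from any poster in the thread; the zone names and sample answers are constructed, and the two test addresses follow the convention later documented in RFC 5782 (127.0.0.2 must be listed, 127.0.0.1 must not).

```python
import socket

def reversed_query(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def system_lookup(name):
    """Return the A record for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None

def check_zone(zone, lookup=system_lookup):
    """Classify a DNSBL zone using the two conventional test addresses."""
    must_list = lookup(reversed_query("127.0.0.2", zone))
    must_not_list = lookup(reversed_query("127.0.0.1", zone))
    if must_not_list is not None:
        # A list that answers for 127.0.0.1 is answering for everything.
        return "lists-everything"
    if must_list is None:
        # The test entry is gone: zone is dead, renamed or unreachable.
        return "dead-or-unreachable"
    return "healthy"

def usable_zones(zones, lookup=system_lookup):
    """Return (zones safe to keep using, full status report)."""
    report = {zone: check_zone(zone, lookup) for zone in zones}
    return [z for z, status in report.items() if status == "healthy"], report

# Constructed answers for hypothetical zones (not real lists), so the
# check can be exercised without touching the network.
SAMPLE_ANSWERS = {
    "2.0.0.127.good.dnsbl.example": "127.0.0.2",
    "2.0.0.127.shutdown.dnsbl.example": "127.0.0.2",
    "1.0.0.127.shutdown.dnsbl.example": "127.0.0.2",
}

def sample_lookup(name):
    return SAMPLE_ANSWERS.get(name)

if __name__ == "__main__":
    zones = ["good.dnsbl.example", "shutdown.dnsbl.example", "gone.dnsbl.example"]
    keep, report = usable_zones(zones, sample_lookup)
    for zone, status in report.items():
        print(f"{zone}: {status}")
    print("keep using:", keep)
```

Run from cron against the zones a mail server is actually configured with (using the default `system_lookup`), anything other than "healthy" is a reason to pull the zone from the configuration before mail starts bouncing.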

> If it *actually* worked right, why do I *ever* encounter people that
> don't even know what block lists they're using?

As MAPS found out during some early legal imbroglios, it is very easy to
convince a judge that at least one ISP has subscribed to a blackhole list
without understanding the full effects that this choice would produce.

The whole "click to agree" (or "press F8 after scrolling to the last page")
thing from software vendors is no better. There's no way a judge (nor, one
assumes, a jury) will ever believe that everyone who signalled agreement,
understood. The last couple of times I've signed closing papers for a
house I've had to write several times "I agree, and I understand English"
longhand and then sign my name -- but I don't think that'd hold up to a
challenge of nonunderstanding, either.

Every non-P2P non-anonymous reputation system will be vulnerable to this,
and every P2P or anonymous reputation system will be full of sludge. We
don't have a mature enough system of accountability, anywhere in meatspace,
to account for the kinds of relationship and transactions the Internet
makes possible.

Mortgage agreement is not the best choice for comparison on how blocklists
are used, it's a slightly different concept.

Blocklist use is an example of delegating responsibility, which is common
and rooted in our political system (and the concept is in use both by
government and private businesses). Since one person cannot possibly make
a decision about each and every detail of their life (although libertarians
claim otherwise) we choose to delegate responsibility for certain tasks to
certain other people or organizations that specialize in those areas. This
is both more manageable and as far as overall costs are concerned.

By delegating the task we accept the consequence that somebody else would
be making decisions on our behalf on this particular subject, but this is
done by choice, and either each person participates in directly choosing
who would be doing the decision or accepts the decision made by the majority
social group he's in or delegates making decision on who would be doing
involved to somebody else (delegation chain).

In terms of use of blocklists, the end-user directly delegates responsibility
for making decisions about which emails are good or bad to his ISP. In
particular, if the user uses email with the ISP's domain name then in fact
the ISP has full rights to make decisions about their domain and the user has
to accept it by default as he/she just buys partial use with that domain,
but if the user has his own domain, then he/she makes decisions by buying
mail hosting service, and delegating responsibility regarding how email is
delivered has to be explicit as part of such mail hosting service agreement.
Now the ISP then delegates responsibility further by choosing a select list
of organizations they believe are better qualified to make the decision if
the source of the email is good or bad - these are blocklist operators, so
there exists a delegation chain from end-user to blocklist operator
(just like there exists a delegation chain about regulations regarding
telecom services which we buy; these regulations are made by the FCC, which
is in turn chosen by the government and approved by the parliament
to which end-users delegated this responsibility by selecting it).

In each case by delegating responsibility you accept the consequence that
somebody else would make a decision and you have to live with such
consequence, such as that those others may occasionally be wrong (and
if they are wrong too often you can be vocal about it and they either
change based on your comments or you make a different choice). If you do
not like all this, feel free (with your own domain name) to not use a
filtering service and make the decision about every email by yourself;
however, the problem is that you'll spend more time on that that you could
be spending on something else more productive, and as such this time in fact
does cost you something even if it provides you better granularity and
direct access to the decisions. At the same time by delegating responsibility
you accept the (often free) service provided by the blocklist, and it is
usually more cost-effective (both to each individual and definitely to
society's costs in general).