Slashdot Mirror


Blue Security Gives up the Fight

bblboy54 writes "According to The Washington Post, Blue Security has closed its doors, which can be confirmed by the Blue Security application failing to work today and their domain no longer resolving. Blue Security's CEO is quoted in the article: "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing." You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"

17 of 672 comments

  1. Too bad. by grub · · Score: 5, Interesting


    I'm a recent new Blue member. Spam to my work, gmail and home accounts has plummeted thanks to Blue Frog. And to whiners who moan about "vigilantism", blow me. Fight fire with fire.

    --
    Trolling is a art,
  2. P2P perhaps? by Nursie · · Score: 3, Interesting

    Was about to post the same thing. Make a distributed app, receive spam, post "unsubscribe" link to app, (assuming this is how blue worked) instant mass traffic for spammer. The problem here is that if you don't have a central authority controlling what gets hit then someone will sooner or later abuse the P2P DDoS machine that you've effectively just created.

  3. Dive Into Mark said it best... by Saint+Aardvark · · Score: 5, Interesting

    If you want to be an anti-spam advocate, if you want to write software or maintain a list or provide a service that identifies spam or blocks spam or targets spam in any way, you will be attacked. You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all. They want to make money, this is how they have decided to make money, they really can make a lot of money, and you're getting in their way.

    [...]Someone challenged me, Well, how am I supposed to continue hosting these low-barrier discussions? I'm sorry, but I don't know. To quote Bruce Schneier, "I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked, 'How do you expect us to get to the stars, then?' I'm sorry, but I don't know that, either."

    From Dive Into Mark (which doesn't seem to be responding, so try Google's cache.)

  4. Take a page from SETI by fistfullast33l · · Score: 5, Interesting

    What about a solution like the SETI project? A nice graphical screensaver that uses spare processor cycles to send email spam to known spammers. It could even display something funny like a graph showing how much harassment you're causing.

    However, I don't think any kind of attack spam with spam solution is worth it. We need to either redesign the protocol, marginalize the spammers, or make it very illegal and put them in jail. Sure, you might argue that direct marketing through email really isn't illegal (junk snail mail sure isn't), but I think if you don't respect the don't spam lists and requests to stop, or even go so far as to launch a DOS attack as TFA describes, then you definitely belong behind bars or without access to a computer.

  5. Re:When the going gets tough... by bbernard · · Score: 5, Interesting

    I'd agree with the parent comments but for one issue. The company's clients were directly threatened. The spammers didn't just threaten Blue Security, they threatened Blue Security's customers. As the article stated, Blue Security's customers didn't sign up for a war. They signed up to not get spam. Getting bombarded by viral attacks wasn't part of the deal.

    That said, I too am disappointed, but until effective means of finding and holding accountable the people behind the attacks exist, this kind of extortion will continue.

    Welcome to the wild-west. Where's Sheriff Bart and the Waco Kid when you need them?

    --
    ----- Connection reset by beer
  6. Scary thought by dtsazza · · Score: 3, Interesting

    This really drives home how important it is for Average-Joe users to have decent security. Time was, if you got infected with a virus you'd get your hard drives wiped and have to reboot your machine. Then, viruses stole information instead. Nowadays, it seems like anyone with the inclination to do so can set up their own botnet using relatively simple tools.

    And of course, if you're in the business of breaking the law online (or rather just being generally anti-social) it's simply prudent to gather an army of computers, and then use that power to make others give into your demands. The actions of one hacker and his botnet caused an entire company to shut down operation - that's scary.

    And scarier still is that the thousands of people whose computers were hammering away at the server, contributing to the victory of evil over good, are unaware of the part their machines played, and will doubtless play again.

    This really is the computing equivalent of creating massive private armies with a mind-control drug - and while the email system really needs an overhaul, while the possibility to harness this kind of power exists there'll be the opportunity for extortion on this scale.

    --
    My, that was a yummy potato!
  7. Re:When the going gets tough... by MrDoh1 · · Score: 3, Interesting

    It's a sad day indeed.
    However, if they close up shop this easy, were they the right ones to be leading this fight?
    I also just love how I had to hear about this on /. Nothing like keeping your community informed of what's going on.
    The worst part is they probably picked up 50,000 or more subscribers over the period of the DDOS. It was actually much better advertising than they could have ever bought. Heck, it got me to join!

    --
    I am Homer of Borg. Resistance is Fut.. Mmmmmmmm, Donuts!
  8. One man can bring down the internet? by spge · · Score: 3, Interesting

    I find it very hard to believe that it is this straight-forward for one individual to potentially bring down the entire internet infrastructure. The Register reported on this story and said, "Anti-spam firm Blue Security is to cease trading after deciding its escalating conflict with a renegade spammer was placing the internet as a whole in jeopardy." It went on to say, "During an ICQ conversation, PharmaMaster told Blue Security that if he can't send spam, there will be no internet."

    I suppose the most concerning part of this story is the bit where bribery appears to persuade a top ISP to make some dodgy configs:

    "According to Blue Security, a renegade Russian language speaking spammer known as PharmaMaster succeeded in bribing a top-tier ISP's staff member into black holing Blue Security's former IP address (194.90.8.20) at internet backbone routers. This rendered Blue's main website inaccessible outside Israel."

    This story smells a bit.

  9. This works ... 100% effective in killing off spam by tomhudson · · Score: 3, Interesting

    At this point I'm convinced that the only solution is a worldwide series of gory murders of spam kings with "death to spammers" written on the walls at the crime scenes in the spammers' blood.
    Someone beat you to it ... As described here or here.

    Be pretty hard to get a murder conviction ... after all, there are literally MILLIONS of people with a motive ... I can picture it now ... the jury is deliberating, and says "the spammer got his skull crushed in ... sounds like he got off too lightly, dah?"

  10. LET'S CONTINUE THE FIGHT (pls read) by Spy+der+Mann · · Score: 3, Interesting

    Bastards! They deleted the source files! They could at least give the source code for us to share.

    Anyway, this clearly gives us one choice: Decentralizing Blue Frog.

    The concept has been proven. Flooding the servers with opt-out requests.

    So I propose this: Make a decentralized "black frog" which directly analyses the e-mails and begins doing what Blue Frog did. But this time, it's per-user.

    If anyone wants to start the Black Frog project, give me a message (my gmail address is posted in my account).

    The concept is this. Instead of asking the spammers to download the "do not intrude" list, hash your own mails using the following formula:

    hash = substr(SHA1(e-mail),32). And in the post tell the spammer to remove this hash from their mailing list. (We can include random hashes to make it blurry).

    If anyone wants to start the project, I'd be happy to organize it.

    We need:

    * At least one person with access to the Blue Frog sourcecode, or someone who has helped in programming the Blue Frog
    * Lots of programmers

  11. Re:Third Choice? by PFI_Optix · · Score: 3, Interesting

    Back when it was possible to track down the spammers and e-mail them easily (~1998) I did this sort of thing on my own.

    If I got spam from someone, I sent them an e-mail asking them to stop. When I got another one from them, I sent two. Then three, four, and so on. I made liberal use of free e-mail so they couldn't filter out my addresses, and eventually spammed one guy with 98 e-mails before he relented.

    Multiply that by 500,000 users and you'd get one nasty spam attack. That's what these guys deserve: to get one e-mail for every e-mail they've sent to each address. Tens of millions of e-mails flooding their inboxes.

    --
    120 characters for a sig? That's bloody useless.
  12. Re:The problem is it relies on a central server. by hotspotbloc · · Score: 3, Interesting
    Anyone want to state the obvious answer?

    Coral cache (http://coralcdn.org/) with mod_expires to tweak the cache time and adjust length for high traffic times and mod_rewrite to drive everyone but Coral servers to the Coral cache. Not perfect, but it could keep an otherwise dead site appearing alive for an extra day or so. Add in that it's completely free, doesn't alter your pages, and the only limits are a max single file size of ~35M and a daily bandwidth cap of 250G, and it's not a bad way to go.

    The question is would this take enough heat off of Blue Security to keep going?

    --
    "I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
  13. Re:When the going gets tough... by jacksonj04 · · Score: 5, Interesting

    If you read up on Blue Security's actual implementation they never sent more unsubscribe requests than emails received. They sent one on behalf of the whole community first, then if that was ignored they sent one unsubscribe request for every email received from that spammer to a Blue Security customer.

    It's exactly the same amount of traffic as everybody who received the email sending their own "Piss off and leave me alone" request.

    On the subject of OS DoS, it won't work because the network will be too easily exploitable. However, something which used a supernode system to distribute the load would work quite well.

    Personally I'm waiting for Google to step in, collect the pieces of Blue Security, then offer it as an automatic feature built into gMail. Spam gMail (x million accounts), someone checks that it really is spam, and then the spammer effectively gets a message saying "Stop spamming Google customers". Ignore it, and that's x million identical requests sent by one mother of a system.

    --
    How many people can read hex if only you and dead people can read hex?
  14. Re:Solving the Spam Bot problem by adamfranco · · Score: 5, Interesting
    Check out Privateye.

    Privateye is a tool that our network security admin here at Middlebury College, Mike Halsall, wrote to automatically quarantine computers into a VLAN (that stays with their MAC address) that only has access to a help page, anti-virus tools, and Windows Update.

    Due to the use of this and campus manager (I believe it's the software that actually manages the VLANs, could be wrong), viruses have gone from taking down the campus network several times a year, to being a non-issue. From the project page:


    Privateye came into being to satisfy the tedious task of correlating event data being gathered from disparate security sensors (Snort, HoneyNet, IPS) and automatically take action on the sources generating the alerts.

    Example 1: You have an Intrusion Prevention System (IPS) that is dumping its alerts to a log file. Privateye is reading in this log file, in real time, and watching which alerts are being thrown by which IP addresses. Now, let's also say you have a user registration system, allowing each user's name to be associated with their current IP address. One of your users gets a virus that starts doing Bad Things; this virus starts scanning for open shares on your network (which, in and of itself, doesn't necessarily mean something is amiss) AND connects to an IRC server out on the Internet. Privateye's configuration (all done through one powerful configuration file) has a trigger that specifies, "if I see one of 'my users' perform 50 NetBIOS scans in 60 seconds AND connect to an IRC server, I'll run an external script to do something to that user." That "do something" could be shutting down the switch port the computer is connected to, flipping it into a quarantine VLAN, or just sending the user an email letting them know their machine probably has a virus.

    Example 2: You have a Snort box that alerts on SSH connections from the Internet to some of your internal hosts. You know that SSH brute-force attacks are prevalent, as every day your logs show thousands of login attempts from many machines on the Net. You configure Privateye such that if any external host (to your network) attempts more than 5 SSH logins in a minute, Privateye will run an external action that blocks the offending host from accessing your network for 2 hours at your firewall. If, when the 2 hours is up, they return, they'll then be blocked from accessing your network for 4 hours. Wash, rinse, repeat.


    - Adam
    --
    "When ideology and theology couple, their offspring are not always bad but they are always blind." -- Bill Moyers
  15. Re:Sigh! Or why spam is unacceptable by Just+Some+Guy · · Score: 4, Interesting
    Fine, I'm happy for you. You obviously don't own an active domain, or a business. Because otherwise I could guarantee that it gets to be a problem for you.

    I do both (well, I work for a guy who owns a business), but neither my home account nor my coworkers' inboxes get nontrivial amounts of spam. I've written instructions on how I did it, and if you follow them, you can probably get rid of your spam problem as well.

    It's not easy if you're J. Random Enduser, but any qualified system administrator should be able to take the steps needed to win back control of his servers. You can choose to do this - with today's software - if you're willing to exert a modest amount of effort.

    --
    Dewey, what part of this looks like authorities should be involved?
  16. Re:This works . 100% effective in killing off spam by visgoth · · Score: 3, Interesting

    Pin a medal on their chests! That's one less piece of shit filling my inbox.

    --
    My patience is infinite, my time is not.
  17. Re:When the going gets tough... by Da_Weasel · · Score: 3, Interesting

    Can you say Russian Mafia? Can you imagine just how embarrassing closing up shop and calling it quits is for them after all of the PR over the last week? I can't imagine they called it quits just because they thought they would have to deal with more DDoSs... in fact they seemed to enjoy the fact that they got DDoSed.

    --
    If you must!