Slashdot Mirror
Blue Security Gives up the Fight
bblboy54 writes "According to The Washington Post, Blue Security has closed its doors, which can be confirmed by the Blue Security application failing to work today and their domain no longer resolving. Blue Security's CEO is quoted in the article: "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing." You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
Anyone want to state the obvious answer?
Hey, wait a minute, I've followed Blue Security since I first read about them on /., and I can't believe they're just gonna fold up shop and give up! Isn't this what they got into the business for? Can't they take this attack and use it to demonstrate the validity of their concept? I wish they could think up another tactic besides, 'you win' -- perhaps diversifiying their URLs/IPs so that they're more spread out...less vuln to an attack on one IP? Come on, what do readers think...I know there's got to be some way to use BS software and reroute things through an Onion style network to fight back.
fak3r.com
"When the company's founders first approached the broader anti-spam community and asked them what they thought of the idea, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage," Underwood said. "But it's also extremely unfortunate, because it shows how much the spammers are winning this battle."
Hell, the idea of flooding the spammers network is older then a reasonably aged Armagnac and was discounted even when it came up.
Building a business model on such an innane idea looks as if the company execs are a few fries short of a happy meal. Speceifically since they where warned by more experienced people.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
This episode proves that the spammers own and control the internet.
The internet is no longer free (not as in beer). We must pay obesience to the owners by allowing their spam in out inboxes.
I, for one, do NOT welcome our spam-spewing overlords.
Ignorance is curable, stupid is forever.
I'm a recent new Blue member. Spam to my work, gmail and home accounts has plummetted thanks to Blue Frog. And to whiners who moan about "vigilantism", blow me. Fight fire with fire.
Trolling is a art,
It's hard not to fall to vigilantism when there's no sherriff in town to keep the peace on your behalf...
Was about to post the same thing. Make a distributed app, receive spam, post "unsubscribe" link to app, (assuming this is how blue worked) instant mass traffic for spammer. The problem here is that if you don't have a central authority controlling what gets hit the someone will sooner or later abuse the P2P DDoS machine that you've effectively just created.
Evidently your comments are modded so far down not even the spiders bother to read them.
It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start
Funny, not having the authority to do it didn't stop them before...
This guy's the limit!
If you want to be an anti-spam advocate, if you want to write software or maintain a list or provide a service that identifies spam or blocks spam or targets spam in any way, you will be attacked. You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all. They want to make money, this is how they have decided to make money, they really can make a lot of money, and youre getting in their way.
[...]Someone challenged me, Well, how am I supposed to continue hosting these low-barrier discussions? I'm sorry, but I don't know. To quote Bruce Schneier, "I feel rather like the physicist who just explained relativity to a group of would-be interstellar travelers, only to be asked, 'How do you expect us to get to the stars, then?' I'm sorry, but I don't know that, either."
From Dive Into Mark (which doesn't seem to be responding, so try Google's cache.)
Carousel is a lie!
but anyone who's still getting spam in their inbox should install some nice filtering software.
That's not the point. If you run your own mail server or rely on filtering at your client end the spam uses up your bandwidth, your storage, your CPU resources to filter it, etc. Spammers like to use zombie machines around the net. Their operations cost them very little as they steal the capability from everyone else.
Trolling is a art,
Blue Security Ceases Anti-Spam Operations
When we founded Blue Security in 2004, we believed that if we automated a way for users to rise up and exercise their rights under the CAN-SPAM Act, we could reduce the amount of spam on the Internet.
Over the past few months we were able to leverage the power of the Blue Community and convince top spammers responsible for sending over 25% of the world's spam to comply with our users' opt-out list. We were making real progress in eliminating spam from the lives of our users.
However, several leading spammers viewed this change as a strategic threat to their spam business. The week before last, these spammers launched a series of attacks against us, taking down hundreds of thousands of other websites via a massive Denial-of-Service attack and causing damage to ISPs, website owners and Internet users worldwide. They also began a relentless campaign of email intimidation against many members of the Blue Community.
After recovering from the attack, we determined that once we reactivated the Blue Community, spammers would resume their attacks. We cannot take the responsibility for an ever-escalating cyber war through our continued operations.
As we cannot build the Blue Security business on the foundation we originally envisioned, we are discontinuing all of our anti-spam activities on your behalf and are exploring other, non spam-related avenues for our technological developments. As much as it saddens us, we believe this is the responsible thing to do.
You need not do anything as a result of this change. We will continue to protect your names and addresses and honor all privacy commitments we made to you.
We have concluded we should not take Blue Security to the full deployment stage we originally planned to achieve, but we are proud of what we have accomplished thus far as a young startup company.
We are extremely proud to have had the chance to work with such a devoted and dedicated community: thank you for the vote of confidence you gave us over the past few months as well as the particularly vocal support you have shown over the last two weeks.
We will be innovating and building our technology in new, other directions and will continue to give back to you, our Community.
Thank you for your support,
The Blue Security Team.
What about a solution like the SETI project? A nice graphical screensaver that uses spare processor cycles to send email spam to known spammers. It could even display something funny like a graph showing how much harassment you're causing.
However, I don't think any kind of attack spam with spam solution is worth it. We need to either redesign the protocol, marginalize the spammers, or make it very illegal and put them in jail. Sure, you might argue that direct marketing through email really isn't illegal (junk snail mail sure isn't), but I think if you don't respect the don't spam lists and requests to stop, or even go so far as to launch a DOS attack as TFA describes, then you definitely belong behind bars or without access to a computer.
Fine, I'm happy for you. You obviously don't own an active domain, or a business. Because otherwise I could guarantee that it gets to be a problem for you.
But the problem is not you, it's not me, it's not my little kid sisters dog.
The problem is that a couple of hundred big time spammers are getting rich by shitting into the communal water supply!
If you think that's acceptable within a society then you will apologise that I have no respect for you and the likes of you.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
It seems that the problem here is that they were brought down by the spammer's huge number of bots running on compromised machines. Why has no one tackled this problem? It seems to me that this should be the responsibility of the ISP's. I'm no expert but I believe that if someone reports to an ISP that a particlular IP address is running a bot, that it should be a simple process for the ISP to do some tests to see if that is true by checking the nature of the traffic coming out of the machine. If they decide that the machine has been compromised, they should shut down it's connection and redirect port 80 requests to a web page explaining to the owner that their machine has be compromised and how to fix it.
This does not seem to me to be a difficult technical problem and it is in everyone's interest to get the compromised machines off the net.
The difference between Canada and the USA is that in Canada healthcare is a right and gun ownership is a privilege.
This really drives home how important it is for Average-Joe users to have decent security. Time was, if you got infected with a virus you'd get your hard drives wiped and have to reboot your machine. Then, viruses stole information instead. Nowadays, it seems like anyone with the inclination to do so can set up their own botnet using relatively simple tools.
And of course, if you're in the business of breaking the law online (or rather just being generally anti-social) it's simply prudent to gather an army of computers, and then use that power to make others give into your demands. The actions of one hacker and his botnet caused an entire company to shut down operation - that's scary.
And scarier still is that the thousands of people whose computers were hammering away at the server, contributing to the victory of evil over good, are unaware of the part their machines played, and will doubtless play again.
This really is the computing equivalent of creating massive private armies with a mind-control drug - and while the email system really needs an overhaul, while the possibility to harness this kind of power exists there'll be the opportunity for extortion on this scale.
My, that was a yummy potato!
I know the flip side of the spam problem is bandwidth wastage, but anyone who's still getting spam in their inbox should install some nice filtering software.
I have a catch-all email address set up on my domain - so $anything@$mydomain gets to me.
For years, I used to get a very small amount of spam to addresses like info@, sales@, etc, and a throwaway account I used on a website that I never used for any real mails.
Then, a few months ago, some scum-sucking shit-brained low-life motherfucker* decided to use my domain name in forged From: addresses.
(* But I'm not bitter)
I now receive on the order of a thousand spams, bounces and assorted related crap per day. Now, of these, only a tiny handful make it to my inbox, and they're all easy to spot. I've not done the stats, but I'd image that Thunderbird's filtering is 99% accurate or better.
It's still a pain in the arse though, and it's still utterly unacceptable behaviour on the part of the morons responsible.
I don't necessarily think that vigilantism is the answer, but something has to be done.
(Yes, I could switch off the catch-all addressing, but I actually find it useful, inconsiderate wankers trying to ruin the entire net for everyone not withstanding)
It's official. Most of you are morons.
I find it very hard to believe that it is this straight-forward for one individual to potentially bring down the entire internet infrastructure. The Register reported on this story and said, "Anti-spam firm Blue Security is to cease trading after deciding its escalating conflict with a renegade spammer was placing the internet as a whole in jeopardy." It went on to say, "During an ICQ conversation, PharmaMaster told Blue Security that if he can't send spam, there will be no internet."
I suppose the most concerning part of this story is the bit where bribery appears to persuades a top ISP to make some dodgy configs:
"According to Blue Security, a renegade Russian language speaking spammer known as PharmaMaster succeeded in bribing a top-tier ISP's staff member into black holing Blue Security's former IP address (194.90.8.20) at internet backbone routers. This rendered Blue's main website inaccessible outside Israel."
This story smells a bit.
The bad guys won this time because we tried to match force with force. I've said it multiple times in this forum - we have to accept that spam isn't going to go away. The only way we're going to get it down to an acceptable level is to make it not worth doing.
Filtering is one way, but basing it on the raw content of the email won't work. If there was a public key repository where legitimate users placed a public key for decryption, and all legitmate email were sent encrypted with the corresponding private key, the authenticity of the email could be known. Then, if someone starts making a nuisance of themselves, they could get their public key revoked. If this method were used, filters could be made to only let through emails that decrypted with the public key of the sender.
Let's face it, spam is a fact of life. Remember that you're up against people who do this as their 9-5er with no regard for law, ethics or their public image if you want to go the force-vs-force route.
DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
Be pretty hard to get a murder conviction ... after all, there are literally MILLIONS of people with a motive ... I can picture it now ... the jury is deliberating, and says "the spammer got his skull crushed in ... sounds like he got off too lightly, dah?"
And underground, it'd be also be helpful to DDoS the fuckers. The problem with that is that the dickhead 13 year old kids running the botnets don't care about spam.
Bastards! They deleted the source files! They could at least give the source code for us to share.
Anyway, this clearly gives us one choice: Decentralizing Blue Frog.
The concept has been proven. Flooding the servers with opt-out requests.
So I propose this: Make a decentralized "black frog" which directly analyses the e-mails and begins doing what Blue Frog did. But this time, it's per-user.
If anyone wants to start the Black Frog project, give me a message (my gmail address is posted in my account).
The concept is this. Instead of asking the spammers to download the "do not intrude" list, hash your own mails using the following formula:
hash = substr(SHA1(e-mail),32). And in the post tell the spammer to remove this hash from their mailing list. (We can include random hashes to make it blurry).
If anyone wants to start the project, I'd be happy to organize it.
We need:
* At least one person with access to the Blue Frog sourcecode, or someone who has helped in programming the Blue Frog
* Lots of programmers
"Our users never signed up for this kind of thing. You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"
/. style, I haven't *yet* done), but can we please at least try to make somewhat clear what an article is about, so that everyone can decide for himself whether this subject is of interest to them in the first place?
What kind of thing? What kind of effective method has been found to do, what exactly? What is "this" concept we are talking about?
I read this site (almost) daily but have never ever heard of this company before. As it is apparently some kind of small startup, I'd imagine many others around here have never heard of them, either.
Without any context, this "article" is pure gibberish. Maybe it makes sense after reading the linked article (which, I'll admit in good
Every expression is true, for a given value of 'true'
Back when it was possible to track down the spammers and e-mail them easily (~1998) I did this sort of thing on my own.
If I got spam from someone, I sent them an e-mail asking them to stop. When I got another one from them, I sent two. Then three, four, and so on. I made liberal use of free e-mail so they couldn't filter out my addressed, and eventually spammed one guy with 98 e-mails before he relented.
Multiply that by 500,000 users and you'd get one nasty spam attack. That's what these guys deserve: to get one e-mail for every e-mail they've sent to each address. Tens of millions of e-mails flooding their inboxes.
120 characters for a sig? That's bloody useless.
I don't necessarily think that vigilantism is the answer,
Why not? It obviously is. Nothing else is working. Once a few spammers have died horrible deaths, or have been mutilated, tortured, branded and hung out in the marketplace covered in honey with a big ant colony nearby, there just might be a reduction of spam.
Spamhaus knows the top 200 or so spammers, many with addresses. $1 from everyone who hates spam and there's a pretty good bounty, and it is cheaper than installing new filters all the time.
Assorted stuff I do sometimes: Lemuria.org
There's nothing stopping me shitting in the reservoir. Does this mean that tapwater is dead?
If you do that sort of thing enough, you will be tracked down and (if caught) prosecuted.
The same apparently cannot be said of spammers - or at least, not the ones that pick on individuals. I imagine that the story would be different if they chose to forge addresses from amazon, google, microsoft, etc.
It's official. Most of you are morons.
A new protocol will help greatly, but it won't stop the REAL problem which is people shitting in communal waters.
Interesting metaphor. Fact is that public waters tend to be full of shit, and there's nothing we can do about it. Reservoirs are routinely colonized by fish, waterfowl and aquatic arthropods, which eat the plants and each other and shit out the waste. Water supplies can only minimize this; they can't prevent it. So, rather than fighting a hopeless battle and delivering contaminated water, they accept the situation. They try to keep the reservoir somewhat clean, but they also filter and sterilize the water while delivering it.
It's likely that the same situation with email is permanent. Attacks can cut down somewhat on spammers, but like the insect larvae in the reservoirs, there will always be spammers in the internet. Delivering clean email will require filtering and decontamination software. We already have lots of it in place, and it's likely that we will always need it.
There will always be hucksters and scammers out there trying to separate us from our money.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Pin a medal on their chests! Thats one less piece of shit filling my inbox.
My patience is infinite, my time is not.
I understand the idea was to SPAM the Spammers.
But who exactly did they span? The spoofed addresses? The owner of the original IP?
In the USA there is legislation that attempts to legitimise sending of unsolicited commercial email. This is the Can-Spam act and says among other things that if you want to send such, you must provide an opt-out method for people who dont want to receive it.
Obviously this only applies to US businesses who want to send junk emails, but there are plenty of those - and they think that because they follow the rules and provide an opt-out that its legitimate business.
Now, these companies contact or are contacted by somebody who is willing to send out bulk emails on their behalf for a fee. Often this turns out to be a scumbag bot operator in another country and as such is not subject to the US rules. These guys are beyond any law except the law of supply and demand.
What the Blue Frog people did was set up a system where you could forward junk mails to them, and they would discover the originating business and automatically fill out an opt-out request for you. This costs the US companies who are trying to run a business time and money to process and makes it less attractive for them to pay the spam kings to send the bulk mail and thus reduces demand.
Less demand is less money for the spam king and one or more (I would not be surprised to find a cartel) decided to attack Blue Frog.
While I do hope someone does something about spam, I'm not certain if vigilantism is such an answer... just think if one of Spamhaus's 200 spammers is mis-identified.
We have been mistaken for spammers once, and it's not nice, we were blacklisted for 3 days before we convinced the blacklisters that we were a legitimate business, during that time our sales people had a hard time (and no we don't send newsletters or nothing of the kind, just business email).
Being DOS'd or some of the scarier options proposed does not sound good to me.
There are three kinds of lies: lies, damned lies, and statistics.