Keep GoDaddy's history in mind (on "GoDaddy Backs SOPA"; Score: 5, Informative)
1. They were founded by spammer Bob Parsons. (Yes, spammer. Check
the archives of Usenet's news.admin.net-abuse.email.)
2. They have a very long and ongoing history of supporting more spammer,
phisher, scammer, forger, etc. domains than anyone else. (See same source,
plus archives of the spam-l mailing list.) The reason? They run an "abuse desk"
that passes on complaints to the spammers, who can then of course target
complainers for retaliation. (Yes, they do occasionally make a show of removing
spammer domains -- but only when sufficient public exposure has turned up the
heat enough. And even in those cases, they (a) help the spammers move the
domains to another registrar and (b) sell the same spammers more domains.)
3. They confiscated the SecLists.org domain out of sheer spite and stupidity.
(See the Wayback Machine's archives of the NoDaddy web site. Read the rest of
it while you're at it.)
4. They run offensively sexist, sleazy TV commercials. (Yes, I like boobies
too -- who doesn't? -- but these ads are insulting and degrading to women.)
5. They frequently bungle/obstruct domain changes and transfers and make it
effectively impossible for domain owners to fix the situation.
6. Spammer Bob Parsons likes to kill endangered, sentient animals for fun.
Think about that for a minute: just for the thrill of the kill, this complete asshole
is willing to extinguish the life of a beautiful, compassionate, free animal.
That's one of the most selfish, low, vicious things that someone can do --
whether that animal happens to be an elephant or a fellow human being.
And it tells you everything that you need to know about him: he'll
do anything for self-interest/profit...including selling out the entire Internet.
7. The bottom line is this: there is no point in threatening GoDaddy. If they
take it sufficiently seriously, they'll just lie about it and then quietly go back
on their word once the furor dies down. So don't threaten. Just act.
Get your stuff out of there, tell everyone else you know to get their stuff
out of there, and let's be done with it. Spammer Bob Parsons has already
made far too much money and done far too much damage in the process;
it's time to blacklist him and his company forever. They don't deserve the
privilege of your business, and they certainly don't deserve to be part of
the Internet community.
1. Dump all "reality" shows.
2. Get rid of the incredibly annoying pop-ups during programs. Seriously, I stopped
watching "Rubicon", which had at least some promise, because these are horribly disruptive
and offensive.
3. Convince the History Channel, the Learning Channel, the Discovery Channel, to focus on
actual history and actual science...and not myth, superstition, and nonsense.
4. Please note that #3 does not cover Mythbusters, which, while occasionally a bit
self-indulgent, at least features actual experiments.
5. Try showing movies without censoring, interrupting or editing them.
6. Stop remaking things. Hawaii 5-0 (among many, MANY others) did not need to be remade, and you're embarrassing
yourselves, as well as putting crap on the air.
7. Lose the talking heads on news. Lose the theme music, lose the captions,
lose the scroll, lose the catchy titles for every major news event. Try something
different: sober, reasoned analysis. Don't tell me that "you only have 20 seconds left
to discuss this"; you're a fricking network, all you HAVE is time. And stop pretending
that there are two sides to every story: when one side is obviously insane, lying, or
stupid, there aren't. Instead: call them on it.
8. There are occasional treasures in the archives. Not only should you air them,
you should back them up to the world by posting them for free, unlimited download.
9. Run all commercials by a panel of 15-year-olds. If even they mock it, then what
reaction do you think intelligent adults will have?
10. Teach everyone on your staff that "/" is a slash, not a backslash. Make it
a policy that you will instantly fire anyone who calls it a backslash. If they
do so on-air, then armed security should tackle them, handcuff them, and drag them
off the set while the cameras are running. (Okay, so this one is selfish. But I would
find it immensely satisfying to watch.)
I've NEVER bought anything from Ticketmaster. I've been getting spam from
them for seven years. (Yes, I could block it -- but instead I feed it to blacklists.)
These are a few of the tools that I use (Unix/Linux, of course):
formail (part of the procmail distribution) is very useful for rewriting mailboxes.
uuexplode is useful for discovering and yanking out attachments.
grepmail is REALLY useful for discovering messages which match certain criteria.
csplit is useful for more than mail, but it also has applications with mailboxes.
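The same triage the post does with grepmail, formail and csplit, done with Python's standard mailbox module, as an added example (not the poster's own scripts): split an mbox into messages, select those whose From: matches a pattern, and pull out the IP address that actually connected to our MX, which is the only address worth feeding to a blacklist. The mbox contents, host names and addresses are constructed for the example (RFC 5737 documentation ranges); the trusted MX name is an assumption.

```python
"""Triage a Unix mbox: split, select by sender, find the connecting IP.

Added example, not code from the original post. Everything below
(mailbox text, hosts, addresses) is constructed sample data.
"""
import ipaddress
import mailbox
import os
import re
import tempfile
from email.utils import parseaddr

# Constructed two-message mbox. The first message came to our MX from
# 203.0.113.45; the hop below it (10.0.0.9) is text the sender controls.
SAMPLE_MBOX = (
    "From tickets@example.net Mon Jan  3 10:00:00 2011\n"
    "Received: from relay.example.net (relay.example.net [203.0.113.45])\n"
    "\tby mx.mydomain.example (Postfix) with ESMTP id 1A2B3C\n"
    "\tfor <me@mydomain.example>; Mon, 3 Jan 2011 10:00:00 -0500\n"
    "Received: from bulk01.internal (unknown [10.0.0.9])\n"
    "\tby relay.example.net (Postfix) with ESMTP id 4D5E6F;\n"
    "\tMon, 3 Jan 2011 09:59:58 -0500\n"
    "From: \"Ticket Offers\" <tickets@example.net>\n"
    "To: me@mydomain.example\n"
    "Subject: Last chance for tickets!\n"
    "\n"
    "Buy now.\n"
    "\n"
    "From friend@example.org Mon Jan  3 11:00:00 2011\n"
    "Received: from mail.example.org (mail.example.org [198.51.100.7])\n"
    "\tby mx.mydomain.example (Postfix) with ESMTP id 7G8H9I\n"
    "\tfor <me@mydomain.example>; Mon, 3 Jan 2011 11:00:00 -0500\n"
    "From: friend@example.org\n"
    "To: me@mydomain.example\n"
    "Subject: lunch?\n"
    "\n"
    "Tomorrow?\n"
    "\n"
)

# "[a.b.c.d] ... by host" inside one (possibly folded) Received header.
RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """RFC 1918, loopback and link-local: never worth reporting."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def connecting_ip(msg, trusted_mx):
    """Return the IP that handed the message to one of our own MXs.

    Each hop prepends its Received header, so the first one whose 'by'
    host is ours names the client that connected to us. Everything
    below that header was written by the sender and is not trusted.
    """
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_RE.search(hdr)
        if not m:
            continue
        ip, by_host = m.group(1), m.group(2).lower()
        if by_host in trusted_mx and not is_internal(ip):
            return ip
    return None


def triage(mbox_path, sender_pattern, trusted_mx):
    """grepmail-style selection: (connecting_ip, from_address, subject)
    for every message whose From: address matches sender_pattern."""
    pat = re.compile(sender_pattern, re.I)
    hits = []
    for msg in mailbox.mbox(mbox_path):          # one iteration = one message
        addr = parseaddr(msg.get("From", ""))[1]
        if not pat.search(addr):
            continue
        hits.append((connecting_ip(msg, trusted_mx), addr, msg.get("Subject", "")))
    return hits


def write_sample_mbox(path=None):
    """Write the constructed mbox to a file (a temp file by default)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".mbox")
        os.close(fd)
    with open(path, "w") as f:
        f.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    p = write_sample_mbox()
    for ip, addr, subj in triage(p, r"@example\.net$", {"mx.mydomain.example"}):
        print(f"{ip}\t{addr}\t{subj}")
```

The point of walking the Received headers from the top is that only the hop recorded by your own MTA is evidence; a spammer can write any "Received:" lines they like below it, and reporting those addresses to a blacklist is how innocent third parties get listed.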
...if you join Facebook. You're working for spammer Mark Zuckerberg --
no different, in any meaningful way, from Spamford Wallace or any of
the other spammers.
If that's whose money you want to take, if that's who you're comfortable
having sign your paycheck: then by all means. But if you choose that path,
then you NEVER get to complain about spam again: you're one of them now.
...is not acceptable for professional use. The inferior people who use Microsoft
products will dispute this, of course, but one simply must make allowances for their
limited intellects -- this simple posit is as far beyond them as quantum mechanics
is beyond my dog. Meanwhile, pimple-faced teenagers living in their parents'
basements will continue to write malware that infests these systems whenever
they can stop stuffing cheesy poofs into their fat, bloated bodies long enough
to bother...and these SAME inferior people will whine about how terribly, terribly
awful that their systems have been hacked again. Lather, rinse, repeat.
"Awful" doesn't even begin to describe it. All development on it should be abandoned,
it should be ripped out of the distribution, the code should be printed out and burned, a massive
apology should be issued to the userbase, and any defenders left standing should be
forced to read 419 spam for a month...or until their minds crack.
This won't happen, of course. But 2011 will be remembered as the year that Ubuntu
began to fade into irrelevance, thanks to Unity and the fools behind it.
...because there are now 4 million pre-compromised systems in the field. It's a
certainty that they are now all attractive targets for anyone clever enough to detect
them and acquire control of them. I think chances are quite good that as you're
reading this, more than one person/group is attempting that very thing. They'll
probably succeed.
And when they do, they'll use yet another C&C mechanism to organize them,
harness them, and get on to whatever mischief they choose.
Seen in that context, this announcement is just a PR exercise. It has no real
significance.
Andrew File System -- CMU
archie -- Princeton?
CAP (appletalk for Unix) -- Columbia
cops/tripwire -- Purdue
GNU everything -- MIT
Gopher -- Minnesota
Kerberos -- MIT
Khoros -- New Mexico
Mach -- CMU
NNTP -- UC San Diego
Mosaic -- Illinois
sendmail -- UC Berkeley
BSD -- UC Berkeley
RCS -- Purdue
Usenet -- Duke/UNC
tcl/tk -- UC Berkeley
multi-CPU Unix -- Purdue
cu-seeme -- Cornell
I'm sure I'm forgetting quite a few. And of course not all of these are STILL
successful, but in their day they made their mark, and often paved the way
for other projects.
Oh, they have a flashy UI -- but that is unimportant. They fail miserably
at dealing with inbound spam (both their false positive and false negative
rates are far too high, not even worthy of "incompetent amateur" designation)
and they fail even more miserably at outbound spam control. They really
are quite incompetent, and anyone equipped with a modicum of knowledge
and the appropriate open-source tools can easily outdo them.
Thus, while your goal is admirable, and desirable -- to have a mail system
which, unlike Google's, isn't fed straight into the NSA -- your approach is
flawed because it aims too low. You can build a very effective system
that's greatly superior to Google's garbage by using an appropriate OS (which
means: BSD or Linux), an appropriate MTA (which means: sendmail, postfix,
exim or courier; qmail is only used by morons who don't know any better), and
the requisite anti-abuse controls, starting with your firewall, including the generous
use of blacklists, and strict enforcement of RFC requirements, including matching
forward and reverse DNS, resolving HELO/EHLO, and so on.
This is a straightforward task which any competent mail system administrator
should be able to accomplish in an afternoon. This is not to say that they
should have it fully tuned and tweaked; it is to say that they should have it
operational. Tuning and tweaking takes time, and is obviously a customized
task whose requirements are based on the environment in which the mail
server operates -- and it begins the moment the server is operational.
But please, do not set your sights so low as to emulate Google.
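The inbound anti-abuse checks the post lists (matching forward and reverse DNS, a HELO/EHLO that resolves, DNS blacklists), as an added example that is not the poster's code: this is the logic a real MTA applies from its own configuration (Postfix's reject_unknown_reverse_client_hostname, reject_unknown_helo_hostname and reject_rbl_client, for instance). DNS is behind a resolver callable so it runs offline against a constructed zone table; the addresses, host names and the dnsbl.example zone are all assumptions.

```python
"""FCrDNS, HELO sanity and DNSBL checks for an SMTP client.

Added example, not the original author's code. The zone data below is
constructed; addresses are from RFC 5737 documentation ranges.
"""
import ipaddress


def reverse_name(ip):
    """'203.0.113.45' -> '45.113.0.203.in-addr.arpa'."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried with the same reversed-octet trick under their zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed zone: one well-behaved host, one with a PTR that does not
# confirm, and one that is listed in the (hypothetical) dnsbl.example zone.
FAKE_ZONE = {
    ("45.113.0.203.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["203.0.113.45"],
    ("7.100.51.198.in-addr.arpa.", "PTR"): ["dsl-7.isp.example."],
    ("dsl-7.isp.example.", "A"): ["198.51.100.99"],      # does not point back
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["bot-10.example.org."],
    ("bot-10.example.org.", "A"): ["192.0.2.10"],
    ("10.2.0.192.dnsbl.example.", "A"): ["127.0.0.2"],   # listed
}


def fake_resolve(name, rtype):
    """Stand-in for a DNS lookup: returns a list of answers (empty = NXDOMAIN)."""
    key = name.lower().rstrip(".") + "."
    return list(FAKE_ZONE.get((key, rtype), []))


def fcrdns(ip, resolve):
    """Forward-confirmed reverse DNS: the PTR exists and at least one of
    its names has an A record that points back at ip."""
    names = resolve(reverse_name(ip), "PTR")
    if not names:
        return False, "no PTR record"
    for name in names:
        if ip in resolve(name, "A"):
            return True, name
    return False, "PTR names do not resolve back to " + ip


def helo_ok(helo, resolve):
    """RFC 5321: HELO/EHLO is a fully qualified hostname or an address literal.
    We additionally require the hostname to resolve."""
    helo = helo.strip().lower()
    if helo.startswith("[") and helo.endswith("]"):
        try:
            ipaddress.ip_address(helo[1:-1])
            return True, "address literal"
        except ValueError:
            return False, "malformed address literal"
    if "." not in helo.strip("."):
        return False, "HELO is not fully qualified"
    if resolve(helo, "A"):
        return True, "HELO resolves"
    return False, "HELO does not resolve"


def dnsbl_listed(ip, zone, resolve):
    """DNSBLs answer with 127.0.0.x codes; anything else is a broken or
    wildcarded zone and must not be treated as a listing."""
    return [a for a in resolve(dnsbl_query_name(ip, zone), "A") if a.startswith("127.")]


def check_client(ip, helo, resolve, dnsbl_zones=("dnsbl.example",)):
    """Cheap checks first, DNSBL lookups last. Returns the rejection text,
    or None when the client passes."""
    ok, why = fcrdns(ip, resolve)
    if not ok:
        return "550 reject: " + why
    ok, why = helo_ok(helo, resolve)
    if not ok:
        return "550 reject: " + why
    for zone in dnsbl_zones:
        if dnsbl_listed(ip, zone, resolve):
            return "550 reject: listed in " + zone
    return None


if __name__ == "__main__":
    for ip, helo in (("203.0.113.45", "mail.example.net"),
                     ("198.51.100.7", "mail.example.net"),
                     ("192.0.2.10", "bot-10.example.org"),
                     ("203.0.113.45", "localhost")):
        print(ip, helo, "->", check_client(ip, helo, fake_resolve) or "accept")
```

To use this against real DNS, replace fake_resolve with a function that performs the lookup; the ordering matters in production because the FCrDNS and HELO checks cost two or three queries against DNS you control while each DNSBL zone is a query to someone else's infrastructure.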
...there is no such thing as an ex-spammer. Nobody, NOBODY, can produce a living
example of one (either individual or corporate). Oh, they sometimes take a hiatus;
they sometimes disappear and come back under another name; they sometimes
switch tactics, strategy or modality; and they often claim that really, this
time for sure, they've stopped...but they never do.
And this in turn is why blacklist entries associated with these individuals and
corporations should be permanent. It's kind and noble of people to try to
forgive them, to give them yet another another another chance; but it's
extremely naive and stupid.
Ghostery is unacceptable, as it's not free AND open-source. Nobody who cares about their privacy and security should use an inferior product like this.
You know, anyone who hasn't been around long enough to have an email address
ending in .ARPA really should just STFU and stop proposing ridiculous nonsense
like this. Not only is it highly annoying to be exposed to idiocy of this magnitude,
but it distracts from measures that have actually been proven -- repeatedly -- to work.
The BSA is an extortion racket, which routinely threatens people/companies in order
to shake them down for cash. (I've received my own letter, even though I've used free/
open-source software for decades and am in full compliance with the relevant licenses.)
Make sure you're in compliance and can prove it -- to a court, not to the BSA. Do not
respond to them. If they're actually serious about suing you, then let them do it...because
they will have to prove their claims in court...which means that they'll have to state their
claims...which means that they'll have to reveal where their information is coming from.
Then countersue them AND the ex-employee.
You should also blacklist their domain so that they can't send you email -- after all,
you're not required to provide them with email acceptance service unless they have a valid
contract for that service (with you). Make sure you blacklist it outbound as well so
that nobody can accidentally send them anything. In other words: force them to
put up or shut up, and force them to do it in court.
My guess is that like most bullies and cowards, they won't press it.
I mean, really...with a few hundred million compromised systems, and something on
the order of a billion compromised email accounts...what could happen?
The Mozilla people should have had some very serious conversations with people
working in the spam/phish/botnet space before going down this road. It doesn't
matter how clever or robust this scheme is, in the contemporary environment it's
absolutely worthless.
In fact: it's worse, because it provides a new attack vector to people who have already
demonstrated that they're very adept.
It's often useful to carefully parse statements from people in positions of
power -- whether economic, political, or otherwise. Their utterances are
often more telling for what they do not say than what they do.
In this case, the assertion that any individual botnet may be taken down by a
combination of approaches is likely correct. However, it's worth noting that
the action of taking down individual botnets -- no matter how large -- is unimportant.
It simply doesn't matter to anyone but the PR departments of whoever claims
responsibility for this latest "triumph".
The reality is that the systems constituting all such botnets are still compromised,
still vulnerable, still running Windows, still operated by less-than-clueful users,
and still available. They will therefore quickly be absorbed into either other
existing botnets or newly-constructed ones...and the latter are of course more
likely to be resilient against takedown attacks. Everyone knows this, including
Microsoft, but they're not about to admit that they've been steadily losing ground
for a decade.
As of the summer of 2011, any estimate of the worldwide population of compromised
systems that's under 200 million should be discarded, along with the idiot giving that
estimate. That's a floor value; the actual number is likely significantly higher. Nobody
should be surprised by this: since bots/botnets were first observed, absolutely nothing
of value has been done to reverse their growth trend. (Yes, yes, many people CLAIM
to have done things, and some of those things actually happened: but none of them
are of any lasting importance. They are band-aids haphazardly and temporarily slapped
on the edges of a gaping wound.)
So while this carefully worded PR pronouncement may be correct in some aspects,
it deliberately obfuscates the underlying truth: the problem continues to get worse and
there is absolutely nothing on the horizon which provides any reason to think it will
get better in the foreseeable future.
Recommended supplemental reading: "The Shockwave Rider", by John Brunner.
Those of us who have worked in the anti-spam world for decades have been
predicting this for many years, so it's hardly surprising that we've turned out
to be right. Again. It's the inevitable consequence of the non-security of Windows.
There is of course no reason to believe that this is the ONLY such botnet. (And if it
is? It won't be for long.) With something on the order of 200 million compromised
systems on the Internet, botnet builders have plenty to work with.
What IS surprising is that so very few have been able to wrap their heads around
the obvious and direct consequences of this state of affairs. For example, all
click-based metrics are complete nonsense: anyone in control of a botnet of
substantial size can alter them at will. For another, it is ludicrous to pretend that
any email address can be kept "private", once used. And for a third, courts
really do need to recognize that "X's computer did something" is in no way
indicative that "X did something" -- a fact that should significantly alter much
of the litigation underway.
And this is only the beginning. It's going to get much worse.
This is an excellent idea. Let's begin with the author of this paper, who should now be
blacklisted for life. And by that I mean: NOBODY should hire him. NOBODY should
permit him to attend conferences or symposiums. NOBODY should accept his email.
NOBODY should permit him to join any mailing list. NOBODY should provide him with
any technical support or other assistance. And so on.
Why make an example out of this guy? Because, whether you recognize it or not,
he is pure evil, distilled down to its most insidious and destructive form. And because
all the (elective/voluntary) actions I enumerated above are, AFAIK, completely legal.
Given that Sony's executives have dishonored their ancestors and shamed themselves,
I think apologizing in the traditional manner is completely appropriate. Users should be
demanding this -- and moreover, demanding that it be webcast live, so that everyone can
bear witness.
On a more pragmatic level, executives are of course disposable and easily replaceable,
so it really would have no meaningful impact on corporate operations.
There are, at current best estimate, at least 200 million fully-compromised
systems on the Internet. That number has been monotonically increasing
for most of a decade, and there is no reason to expect that trend to change.
(And many reasons to expect it to continue.)
Not all of those are in the US, of course, but a lot of them are. This in
turn means that any credentials present on those systems are now the
property of their REAL owners, not the people who mistakenly believe
they own them. Which means that even if such a universal ID system
was properly designed (unlikely), properly built (unlikely) and properly
deployed (extremely unlikely), its first major effect will be handing over
a large number of those IDs to The Bad Guys.
The second major effect will be providing major incentives to The Bad Guys
to compromise more systems, as the value of such increases with both
their usefulness and the value of the data stored on them.
The third major effect will be providing major incentives to The Bad Guys to go
after any system where these IDs are stored or used, since they now have
widespread usefulness, not just localized usefulness. They will be successful
some of the time, of course, and we will once again get to hear the refrain of
the professional liars who call themselves "spokespeople", as they solemnly
intone "Nobody could have foreseen..."
I think the biggest usefulness of this scheme will be filtering: anyone supporting
it is clearly marking themselves as a security imbecile, should be fired on the spot,
blacklisted for life, and never permitted to speak in public again on the topic of security.
That won't happen of course. They'll get bonuses. That's how we reward sufficiently
grandiose failure in this society.
This is specious nonsense, of course. It's the sort of FUD spread by spammers-for-hire
masquerading as ESPs in order to lure unsuspecting customers in.
The reality is that it's a trivial exercise to run mailing lists like this -- even those of
modest intelligence can easily manage it. The combination of Linux, Apache, Mailman
and an MTA-of-choice (postfix, sendmail, etc. -- not qmail, as that is only used by inferior
people) makes it an afternoon's exercise to set up a properly-functioning mail server
and mailing list service, with COI, RFC 2369 headers, excellent bounce processing, etc.
We know this because we see thousands of instances of sites doing it on a daily basis.
Further, many of those are run by relatively young/inexperienced people who are nevertheless
bright enough to RTFM and pay attention to best practices, and who thus do just fine.
But the spammer-for-hire industry will of course steadfastly maintain that it's necessary
to pay their exorbitant fees, use their spyware, pay additional fees for "deliverability
studies" (the biggest scam out there) -- of course they will, any customer that is foolish
enough to believe this crap will pay them handsomely.
Several of these have already been emitting spam for a while;
whatever Amazon's doing (presuming that they're actually doing
ANYTHING beyond having their spokespeople lie about it) isn't working.
...who mistakenly think they can fix something that's not actually broken.
Dump (and restore) allow one to make backups of filesystems in ways far superior to what can be accomplished with tar.
Etherape allows the visualization (in real time) of network traffic patterns.
Grace is a powerful graphing and data exploration tool.
Htmldoc allows the generation of PDF and other output formats from HTML input.
Ntop allows one to slice-and-dice network traffic many different ways; it's another tool that's highly useful for understanding WTF is going on.
W3m is a text-only browser, sort of the web equivalent to the superb mutt email client.
In this case, the assertion that any individual botnet may be taken down by a combination of approaches is likely correct. However, it's worth noting that the action of taking down individual botnets -- no matter how large -- is unimportant. It simply doesn't matter to anyone but the PR departments of whoever claims responsibility for this latest "triumph".
The reality is that the systems constituting all such botnets are still compromised, still vulnerable, still running Windows, still operated by less-than-clueful users, and still available. They will therefore quickly be absorbed into either other existing botnets or newly-constructed ones...and the latter are of course more likely to be resilient against takedown attacks. Everyone knows this, including Microsoft, but they're not about to admit that they've been steadily losing ground for a decade.
As of the summer of 2011, any estimate of the worldwide population of compromised systems that's under 200 million should be discarded, along with the idiot giving that estimate. That's a floor value; the actual number is likely significantly higher. Nobody should be surprised by this: since bots/botnets were first observed, absolutely nothing of value has been done to reverse their growth trend. (Yes, yes, many people CLAIM to have done things, and some of those things actually happened: but none of them are of any lasting importance. They are band-aids haphazardly and temporarily slapped on the edges of a gaping wound.)
So while this carefully worded PR pronouncement may be correct in some aspects, it deliberately obfuscates the underlying truth: the problem continues to get worse and there is absolutely nothing on the horizon which provides any reason to think it will get better in the foreseeable future.
Recommended supplemental reading: "The Shockwave Rider", by John Brunner.
Those of us who have worked in the anti-spam world for decades have been predicting this for many years, so it's hardly surprising that we've turned out to be right. Again. It's the inevitable consequence of the non-security of Windows. There is of course no reason to believe that this is the ONLY such botnet. (And if it is? It won't be for long.) With something on the order of 200 million compromised systems on the Internet, botnet builders have plenty to work with. What IS surprising is that so very few have been able to wrap their heads around the obvious and direct consequences of this state of affairs. For example, all click-based metrics are complete nonsense: anyone in control of a botnet of substantial size can alter them at will. For another, it is ludicrous to pretend that any email address can be kept "private", once used. And for a third, courts really do need to recognize that "X's computer did something" is in no way indicative that "X did something" -- a fact that should significantly alter much of the litigation underway. And this is only the beginning. It's going to get much worse.
This is an excellent idea. Let's begin with the author of this paper, who should now be blacklisted for life. And by that I mean: NOBODY should hire him. NOBODY should permit him to attend conferences or symposiums. NOBODY should accept his email. NOBODY should permit him to join any mailing list. NOBODY should provide him with any technical support or other assistance. And so on. Why make an example out of this guy? Because, whether you recognize it or not, he is pure evil, distilled down to its most insidious and destructive form. And because all the (elective/voluntary) actions I enumerated above are, AFAIK, completely legal.
Given that Sony's executives have dishonored their ancestors and shamed themselves, I think apologizing in the traditional manner is completely appropriate. Users should be demanding this -- and moreover, demanding that it be webcast live, so that everyone can bear witness. On a more pragmatic level, executives are of course disposable and easily replaceable, so it really would have no meaningful impact on corporate operations.
There are, at current best estimate, at least 200 million fully-compromised systems on the Internet. That number has been monotonically increasing for most of a decade, and there is no reason to expect that trend to change. (And many reasons to expect it to continue.) Not all of those are in the US, of course, but a lot of them are. This in turn means that any credentials present on those systems are now the property of their REAL owners, not the people who mistakenly believe they own them. Which means that even if such a universal ID system was properly designed (unlikely), properly built (unlikely), and properly deployed (extremely unlikely), its first major effect will be handing over a large number of those IDs to The Bad Guys. The second major effect will be providing major incentives to The Bad Guys to compromise more systems, as the value of such increases with both their usefulness and the value of the data stored on them. The third major effect will be providing major incentives to The Bad Guys to go after any system where these IDs are stored or used, since they now have widespread usefulness, not just localized usefulness. They will be successful some of the time, of course, and we will once again get to hear the refrain of the professional liars who call themselves "spokespeople", as they solemnly intone "Nobody could have foreseen..." I think the biggest usefulness of this scheme will be filtering: anyone supporting it is clearly marking themselves as a security imbecile, should be fired on the spot, blacklisted for life, and never permitted to speak in public again on the topic of security. That won't happen of course. They'll get bonuses. That's how we reward sufficiently grandiose failure in this society.
...then you are not a professional.
This is specious nonsense, of course. It's the sort of FUD spread by spammers-for-hire masquerading as ESPs in order to lure unsuspecting customers in. The reality is that it's a trivial exercise to run mailing lists like this -- even those of modest intelligence can easily manage it. The combination of Linux, Apache, Mailman and an MTA-of-choice (postfix, sendmail, etc. -- not qmail, as that is only used by inferior people) makes it an afternoon's exercise to set up a properly-functioning mail server and mailing list service, with COI, RFC 2369 headers, excellent bounce processing, etc. We know this because we see thousands of instances of sites doing it on a daily basis. Further, many of those are run by relatively young/inexperienced people who are nevertheless bright enough to RTFM and pay attention to best practices, and who thus do just fine. But the spammer-for-hire industry will of course steadfastly maintain that it's necessary to pay their exorbitant fees, use their spyware, pay additional fees for "deliverability studies" (the biggest scam out there) -- of course they will; any customer that is foolish enough to believe this crap will pay them handsomely.
50.16.0.0/14
67.202.0.0/18
72.44.32.0/19
75.101.128.0/17
174.129.0.0/16
184.72.0.0/15
204.236.128.0/17
216.182.224.0/20
Mail from these ranges should probably be refused, or, at minimum, subjected to heightened scrutiny.
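As an added example (not part of the post above, and not any particular site's configuration), here is one way to act on a list of CIDR ranges like the eight given: parse them strictly so a malformed prefix is caught up front, test each inbound SMTP client address against them, and render the same list as a Postfix cidr: access table. The choice of Postfix, the REJECT / DEFER_IF_PERMIT split standing in for "refuse, or at minimum scrutinize", and the table path are assumptions made here for illustration.

```python
"""Screen SMTP client addresses against a CIDR refuse list.

Added example, not part of the original post.  It takes the eight CIDR
ranges listed above and shows (a) how to test an inbound client IP
against them and (b) how to emit the same list as a Postfix cidr:
access table.  The REJECT/DEFER_IF_PERMIT policy split is an
assumption made here to illustrate "refuse, or at minimum scrutinize".
"""
import ipaddress

# The ranges from the post, parsed strictly (strict=True) so a prefix
# with host bits set raises at import time instead of being silently
# widened into a larger network than intended.
REFUSE_RANGES = [
    ipaddress.ip_network(cidr, strict=True)
    for cidr in (
        "50.16.0.0/14",
        "67.202.0.0/18",
        "72.44.32.0/19",
        "75.101.128.0/17",
        "174.129.0.0/16",
        "184.72.0.0/15",
        "204.236.128.0/17",
        "216.182.224.0/20",
    )
]


def matching_range(client_ip):
    """Return the listed network (as a string) containing client_ip, or None.

    Unparseable input (a hostname, an empty field, garbage from a log
    line) is treated as "not listed" rather than raising, because a
    policy check must never fall over on attacker-controlled input.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return None
    # Only IPv4 ranges are listed, so an IPv6 client can never match.
    if addr.version != 4:
        return None
    for net in REFUSE_RANGES:
        if addr in net:
            return str(net)
    return None


def policy_action(client_ip, strict=True):
    """Postfix-style access verdict for one client IP.

    strict=True refuses the connection outright.  strict=False is the
    assumed "heightened scrutiny" mode: DEFER_IF_PERMIT makes the
    listing win only if nothing later in the restriction chain would
    reject anyway.  DUNNO hands unlisted clients on to later checks.
    """
    net = matching_range(client_ip)
    if net is None:
        return "DUNNO"
    if strict:
        return "REJECT client in listed range %s" % net
    return "DEFER_IF_PERMIT client in listed range %s" % net


def postfix_cidr_table(action="REJECT"):
    """Render the list as the body of a Postfix cidr: lookup table.

    The file path in the comment is an assumed example; any path named
    in check_client_access cidr:<path> in smtpd_client_restrictions works.
    """
    lines = [
        "# generated from the refuse list; wire in with e.g.",
        "#   smtpd_client_restrictions = check_client_access cidr:/etc/postfix/refuse.cidr",
    ]
    for net in REFUSE_RANGES:
        lines.append("%s\t%s" % (net, action))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample client addresses, two inside listed ranges,
    # one just past a range boundary, one unrelated, one unparseable.
    for sample in ("50.17.3.4", "216.182.239.255", "216.182.240.1",
                   "8.8.8.8", "mail.example.invalid"):
        print("%-22s -> %s" % (sample, policy_action(sample)))
    print(postfix_cidr_table())
```

Note the boundary cases: 216.182.239.255 is the last address inside 216.182.224.0/20, while 216.182.240.1 is one network past it and must not match; a check that gets that wrong will either leak listed mail through or reject a neighbouring netblock.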