Why don't you address the main issue here - the ethics of selling anti-spam devices and permission to send bulk mail for money?
Well, for starters, I've already addressed both issues. I'll go over them again, though, as long as you promise to pay attention.
Regarding BondedSender- IronPort does not own Bonded Sender. ReturnPath does. If you get spam from a "Bonded Sender", you report it to ReturnPath, and they take money out of a pre-paid bond and give it to charity. It takes money out of the sender's pocket, but does not directly benefit ReturnPath. Understand? IronPort is not in the equation, and even if they were, the money goes *to charity*.
Regarding ethics- not sure what you're referring to, but I assume you're talking about IronPort selling their products to spammers..? I guess you can view that however you want to; I can't find any evidence to support your claim (but obviously your co-workers at CipherTrust know better than I). The funny thing is- if spammers covet IronPort's products, they must be doing something right. If CipherTrust had the technology to create the fastest mailer in the world, you don't think they'd productize it (and get customers like eBay, Yahoo!, Amazon, etc)? Don't kid yourself.
Maybe you should jump on Walmart next- they sell knives *and* band-aids. What a racket!
4) Profit! (Not yet, sadly. Customers are smarter than that.)
Yes, that is sad. CipherTrust will surely rocket themselves to profitibility once market researchers get wind of the phenomenon that is TrustedSource.com.
nslookup PLUS whois PLUS a scale of 1 to 10 envelopes.. pure genius.
Being a shareholder means "owning" in case you didn't know.
Being a shareholder means owning shares. Using your logic, I own roughly 10 large corporations.
Throw me another witty one-liner, please.. telling me that blocking 255.255.255.255 would "get me off the internet" had me chuckling all the way into work! Hint: my subnet mask isn't 0.0.0.0, and even if it was, it wouldn't matter. Hmm, wait a minute.. are you the guy who designed trustedsource.com? This is starting to make sense..
Another side of this is that Ironport sells not only anti-spam devices, but also boxes that are meant for massively high-volume outbound mail flow. They play both sides of the spam game.
Yes, because all companies that send high-volumes of outbound mail are spammers. Paypal, eBay, Amazon, Dell, buy.com, Yahoo!, etc.
Bonded Sender isn't even owned by IronPort. How exactly is this "proof"?
IIRC, Bonded Senders get charged for every 2-3 complaints per MILLION emails sent. If they're sending spam, report them to Bonded Sender. Complaining about them on Slashdot isn't going to accomplish anything.
I just looked this up- "Return Path" owns Bonded Sender. So there's "proof" that you're wrong.
That's not "proof" that either party copied the name. You're assuming they came up with each name on the exact date of the (non third-party) press releases you linked.. which is almost certainly not the case.
Either way, even if CipherTrust had the name first, they're three years late to the game with this new site. Not to mention, the site is just a glorfied WHOIS & DNS lookup tool, not a reputation system.. wow, thanks, I'll make sure to block 255.255.255.255 at my earliest convenience.
This is the last straw; the "IANA" postmaster is getting a letter from me. I've been having a problem with another one of their IPs as well (127.0.0.1).
Money won't buy you security. Keep in mind that somebody still has to *use* this computer. If they're dishonest (or just plain curious), you've basically just wasted a lot of cash.
I would invest in "top-shelf" knowledgable & trustworthy personnel before I would purchase a military-grade secure computing environment.
There is very little Apple can do to stop this from working for people who really want to do it.
Trust me, Apple wants you to run their OS on your x86-based PC. Otherwise, you wouldn't have the opportunity.
When OSx86 is finally a stable OS, Apple won't lose _anything_. They will continue to sell "it just works" to the same people who have been buying it for years (plus a few more with all this free publicity).
Those who choose to pirate OS X can do just that- but at their own risk, and without support. I actually wouldn't be surprised a bit if they open-sourced OS X within the next year.. take a portion of that "free development" share away from Linux (and then package whatever sticks to the wall with their own hardware).
Ken Dunham, senior engineer with VeriSign iDefense, said that this weekend his group eavesdropped on conversations about a Visual Basic script tool that would let attackers scan for vulnerable PCs.
Anybody else catch this?
Ken, my friend: you're not listening in on the right group of "hackers" if they're talking about scanners written in VB script. You would have probably had better luck in #metasploit "eavesdropping" on all the people asking about Windows-related compiler errors..
.. and noticed Belkin's pre-n wireless router on their home page. 3 antennas. I think it'd behoove our leet brothers and sisters to assume that any wifi connection is being logged and xreferenced w/ google maps, with a little flag over your treehouse that reads "asshat".
Uhh, three antennas right next to each other on a Belkin router won't work for triangulating someone's location. Also, even if you did have legit logs, do you think they would hold up in court? Logs like that can be falsified so easily- there's no way. Not to mention that all you're logging is someone's MAC address. Those can also be changed on the fly quite easily.
Do you think running make install as root does not constitute a security risk? Do you _really_ check all the code that runs on your systems?
Running "make install" is a security risk? Any chance you could provide me with a link to a vulnerability report to backup your statement? Don't bother looking; there isn't one. That would be like me telling you that hitting the "power" button on a Windows system is a security risk. Let's get serious.
Either way, the day that a massive Linux/BSD worm hits the 'net, I'll come back here and we'll both have a good laugh at my expense. Until then, I stand by my previous statement.
Anybody reading this because they're looking to buy a great case- check out the CoolerMaster Stacker. I picked one up for my 2x Opteron system, and I've been extremely pleased. In fact, I can't think of a single thing that I dislike about it.
Nobody is trying to force you to use Gentoo. If you don't see any benefit in compiling your own software, don't use Gentoo. Instead, find another distro, where you can quickly and easily install pre-compiled binaries of your favorite authentication modules and remote access tools.
Not having to call support in the first place. [..] This, of coursed, implies assuring high quality, durability and ease of use, in both software and hardware.
Unfortunately, some people just don't know how to solve problems on their own. Anybody who's ever worked in/around a help-desk knows the type of person I'm talking about. Instead of pausing for 2 seconds and using their brain, they pick up the phone and call someone else to do it for them.
In theory, you should be able to design products and/or services so they don't require live support.. but it just doesn't work out that way.
When I go to lunch I go to eat, talk with my wife, and just mellow out. Why would I want to surf the net at lunch? Why would I want to surf the net at a park?
Most people wouldn't. The point is, why work from the office when you can work from the park?..or a coffee shop?..or _anywhere_ in the city of Orlando?
When I was a kid, my parents bought their first cordless phone, replacing an old rotary phone in our living room. My Mom would always sit right next to the cordless basestation when she used it- not because she doubted the technology; it was just what she was accustomed to doing.
I think you see my point. Orlando was just a little ahead of the curve on this one..
Err, no. It doesn't work like that. There is no way you can visually glean the content of text messages from an abstraction of gigs of data flowing by.
So if you're interested in looking for administrative botnet traffic, but you're not exactly sure what protocol/port the controller uses to communicate with the bot, which method would you choose for figuring it out?
a. Capture all Internet traffic for a period of time, and then inspect each packet manually for suspicious content.
b. Look through flow data for anomalies, or "new" traffic patterns coinciding with worm outbreaks, and then selectively capture only _that_ traffic for further inspection.
Unless you've got a couple hundred years of spare time on your hands, I'd probably go with 'b'. So, yes, it does work like that.
I'm sure the research they're doing is quite intriguing, but when are we going to stop wasting time and money on clueless users that obviously don't understand the importance of clicking on "Windows Update" every couple weeks? That type of negligence is unacceptable in almost every other facet of everyday life, so why aren't businesses holding the actual users responsible for the damage they cause?
You know what I'd like to see for once? How about a vigilante team of lawyers that work with the businesses who regularly pay $many thousands of dollars to deal with these botnet attacks. Work with the ISPs involved to get customer names, through *legal channels* (so they'll cooperate), and then file civil lawsuits against every single one of negligent computer owners. Hmm, what's that? Oh, now you've got everyone's attention.
Even a DirecTV/RIAA-style letter campaign would probably do more to fight the problem than this team of bot-busters will.
Note: no disrespect to the research team. I applaud their efforts, even though I think there's a better solution to this problem.
Slashdot Mirror
Regarding BondedSender- IronPort does not own Bonded Sender. ReturnPath does. If you get spam from a "Bonded Sender", you report it to ReturnPath, and they take money out of a pre-paid bond and give it to charity. It takes money out of the sender's pocket, but does not directly benefit ReturnPath. Understand? IronPort is not in the equation, and even if they were, the money goes *to charity*.
Regarding ethics- not sure what you're referring to, but I assume you're talking about IronPort selling their products to spammers..? I guess you can view that however you want to; I can't find any evidence to support your claim (but obviously your co-workers at CipherTrust know better than I). The funny thing is- if spammers covet IronPort's products, they must be doing something right. If CipherTrust had the technology to create the fastest mailer in the world, you don't think they'd productize it (and get customers like eBay, Yahoo!, Amazon, etc)? Don't kid yourself.
Maybe you should jump on Walmart next- they sell knives *and* band-aids. What a racket!
nslookup PLUS whois PLUS a scale of 1 to 10 envelopes
Throw me another witty one-liner, please.. telling me that blocking 255.255.255.255 would "get me off the internet" had me chuckling all the way into work! Hint: my subnet mask isn't 0.0.0.0, and even if it was, it wouldn't matter. Hmm, wait a minute.. are you the guy who designed trustedsource.com? This is starting to make sense..
Brilliant observation.
Bonded Sender isn't even owned by IronPort. How exactly is this "proof"?
IIRC, Bonded Senders get charged for every 2-3 complaints per MILLION emails sent. If they're sending spam, report them to Bonded Sender. Complaining about them on Slashdot isn't going to accomplish anything.
I just looked this up- "Return Path" owns Bonded Sender. So there's "proof" that you're wrong.
That's not "proof" that either party copied the name. You're assuming they came up with each name on the exact date of the (non third-party) press releases you linked.. which is almost certainly not the case.
Either way, even if CipherTrust had the name first, they're three years late to the game with this new site. Not to mention, the site is just a glorfied WHOIS & DNS lookup tool, not a reputation system.. wow, thanks, I'll make sure to block 255.255.255.255 at my earliest convenience.
0.0.0.0
Current reputation: Spam First seen: 2005-08-03
This is the last straw; the "IANA" postmaster is getting a letter from me. I've been having a problem with another one of their IPs as well (127.0.0.1).
..except SenderBase has been around for around 3 years?
IronMail.. IronPort.. funny. Sounds like CipherTrust needs some original ideas. I'm surprised they didn't call this new service "SenderSource".
(that domain will be registered by 4PM, watch)
Money won't buy you security. Keep in mind that somebody still has to *use* this computer. If they're dishonest (or just plain curious), you've basically just wasted a lot of cash.
I would invest in "top-shelf" knowledgable & trustworthy personnel before I would purchase a military-grade secure computing environment.
When OSx86 is finally a stable OS, Apple won't lose _anything_. They will continue to sell "it just works" to the same people who have been buying it for years (plus a few more with all this free publicity).
Those who choose to pirate OS X can do just that- but at their own risk, and without support. I actually wouldn't be surprised a bit if they open-sourced OS X within the next year.. take a portion of that "free development" share away from Linux (and then package whatever sticks to the wall with their own hardware).
Ken, my friend: you're not listening in on the right group of "hackers" if they're talking about scanners written in VB script. You would have probably had better luck in #metasploit "eavesdropping" on all the people asking about Windows-related compiler errors..
You should really do some local testing before posting that sort of thing.
Either way, the day that a massive Linux/BSD worm hits the 'net, I'll come back here and we'll both have a good laugh at my expense. Until then, I stand by my previous statement.
As for what we can do to make writing worms less attractive...that's more difficult. There is no magic bullet here.
My Powerbook doesn't even have A/V software loaded on it, and neither does my Linux desktop. Do the math- there's your silver bullet.
Maybe Microsoft should create their own virus, exploiting this most recent flaw, that would automatically patch any computer it infects!
On second thought.. Windows users would probably detect the 30MB worm before it could "infect" their computer, and reboot.
Anybody reading this because they're looking to buy a great case- check out the CoolerMaster Stacker. I picked one up for my 2x Opteron system, and I've been extremely pleased. In fact, I can't think of a single thing that I dislike about it.
To all the people flaming Gentoo:
Nobody is trying to force you to use Gentoo. If you don't see any benefit in compiling your own software, don't use Gentoo. Instead, find another distro, where you can quickly and easily install pre-compiled binaries of your favorite authentication modules and remote access tools.
In theory, you should be able to design products and/or services so they don't require live support.. but it just doesn't work out that way.
When I was a kid, my parents bought their first cordless phone, replacing an old rotary phone in our living room. My Mom would always sit right next to the cordless basestation when she used it- not because she doubted the technology; it was just what she was accustomed to doing.
I think you see my point. Orlando was just a little ahead of the curve on this one..
The bastards who rejected my idea for an Irwindale-based PS2/USB combo-card should be having second thoughts right about now.
a. Capture all Internet traffic for a period of time, and then inspect each packet manually for suspicious content.
b. Look through flow data for anomalies, or "new" traffic patterns coinciding with worm outbreaks, and then selectively capture only _that_ traffic for further inspection.
Unless you've got a couple hundred years of spare time on your hands, I'd probably go with 'b'. So, yes, it does work like that.
I'm sure the research they're doing is quite intriguing, but when are we going to stop wasting time and money on clueless users that obviously don't understand the importance of clicking on "Windows Update" every couple weeks? That type of negligence is unacceptable in almost every other facet of everyday life, so why aren't businesses holding the actual users responsible for the damage they cause?
You know what I'd like to see for once? How about a vigilante team of lawyers that work with the businesses who regularly pay $many thousands of dollars to deal with these botnet attacks. Work with the ISPs involved to get customer names, through *legal channels* (so they'll cooperate), and then file civil lawsuits against every single one of negligent computer owners. Hmm, what's that? Oh, now you've got everyone's attention.
Even a DirecTV/RIAA-style letter campaign would probably do more to fight the problem than this team of bot-busters will.
Note: no disrespect to the research team. I applaud their efforts, even though I think there's a better solution to this problem.