lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 9 Jun 2011 21:40:51 +0000
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: "nix@...roxylists.com" <nix@...roxylists.com>, Aaron Turner
	<synfinatic@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: NiX API

> Yes. That's the flipside of the coin. However though, any merchant that
> accepts purchases from user's behind proxies or other anonymizer's is
> taking a siginificant risk. 

Says who other than you?  I use a proxy all the time and have never made a fraudulent purchase attempt.  It is nobody's business where I am.  Just because you think proxied connections are bad doesn't mean they are.  Your "majority of fraud is committed from a proxy" is just some opinion.  How about some proof of that?

Besides, you will *never* be able to find out where my proxies are or add me to your database.  If I decided to commit fraud, your system would never catch me.  You have no way of determining how much fraud it committed from other sources, because you don't (and can't) know. 

> This happened to us about 50 times in 2.5 months period. Needless to say,
> im still mad as hell. We lost several hundreds of bucks to those paypal
> 'reversal fees' + wasted significant amount of our precious times while
> answering to those disputes.

Ah.  So, one attempt per day or so during that period is what you are basing your opinions on?  Depending on what one is selling, all it would take is one false positive to screw over the person using your API.  It just isn't a good idea. 

> The API resolved all issues. There has been few legit customers who
> wondered why they could not login using the proxy, I said, remove the
> proxy and try again and then do purchase. They did. A fraudulent user
> never bother for this, they will leave your site alone.

Nor do you know if a legitimate use would do it.  If I went to buy something from you and you assumed I was fraudulent and blocked the transaction, I wouldn't even bother telling you - I'd go buy from someone else.   The fact that you think the API resolved the issues doesn't prove anything.  It just proves that you THINK it did, but you don't know.  I may have stopped 1 bad transaction a day, but stopped 10 good ones.  You just don't know.  Your main bitch seems to be about a company charging you to use their risk management service.   If you don't like PayPal's agreement, then don't use them.  

You seem to be getting awfully wound up over a "free" tool.  It's free.  What do you care what people think?  Or is this just a "get my name in links" so that you can try to sell it later?  All my tools are free, and I've gotten plenty of "why should I use your tool" emails to which I reply "I have absolutely no investment in you using it or not.  If it provides value for someone, there it is.  Otherwise, go shit in your hat." 

You should wait until you are selling it before you give your sales pitch.

> 
> > --
> > Aaron Turner
> > http://synfin.net/         Twitter: @synfinatic
> > http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> > Windows
> > Those who would give up essential Liberty, to purchase a little temporary
> > Safety, deserve neither Liberty nor Safety.
> >     -- Benjamin Franklin
> > "carpe diem quam minimum credula postero"
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ