Message-ID: <120620042117.8757.41B4CC640002EF310000223521602806510A900E0B0C0B@att.net>
From: dcdave at att.net (dcdave@....net)
Subject: I'm calling for LycosEU heads and team to resign or be sacked

Two points should be mentioned in this discussion.

1) I have done several investigations of malicious code, intrusions, etc, and discovered it is almost impossible to avoid "collateral damage". Hackers and spammers working through someone else's machine are common. Does retaliation which does more damage to innocent people and may not even touch the spammer justify the means?

Of course, you could say that if that person is so unaware that he does not have his security up, he is causing the problem, but how will he know what he's done if you block his communication channels?

I would recommend a nice email detailing the real damage and spiritual damage caused by spam, and what they might do to find a better way to make a living. Lots of spammers are simply trying to make a living, and don't feel they have other options.

2) Retaliation leads to retaliation. Not to get into politics, but what opinion do you think the Arab and Muslim worlds have of George Bush and what he is doing with his bullying/terroristic power play in their back yards? Not to mention what they think of the American People for (allegedly) electing him again?
As a former member of the National Security Team I can vouch for their (Arab/Muslim) long memories and grudges. The Arab and Muslim worlds are uniting against a common bully. Groups that were on the edge or undecided are now joining the anti-Americans. We will pay or our children will pay for this.

How will we pay for damages, both direct and collateral?

We need to find a better response.

I thought I was doing the right thing in Viet Nam at the time, but I am paying for it now in my soul.
People who have been in a war know that it is not the right solution to the problem.
If we don't learn from our mistakes, we are doomed to repeat them.

"Peace in your hearts, peace in the world" - Dalai Lama
"There is a big difference between kneeling down and bending over" - Bob Dylan

dcdave
--
CSO 
InfoSec Group 
703-626-6516 



-------------- Original message from Tatercrispies <tatercrispies@...il.com>: -------------- 


> > Self regulate is NOT self retaliate. 
> 
> Why not? Why can't retaliation be a form of regulation? Is your 
> objection in general, or is there a specific to this case? 
> 
> To go back to a previous message; in attacking spammers, I see the end 
> result as being the greater good. Despite what another poster wrote, 
> the phrase "The ends justify the means" does not immediately 
> invalidate your argument, this is the essence of virtually all ethical 
> questions-- does one good outweigh a bad? 
> 
> . I run a small mail server that services about 10 domains. At any 
> given time, I have approximately 500MB of spam stored on my server. I 
> pay, every night, to back up this garbage to tape, and pay the weekly 
> bandwidth fees to upload disk images to a remote server. Not to 
> mention the gigabytes of transfer a month I spend downloading spam to 
> my system and re-uploading it to mail clients. I could enforce mail 
> quotas, but I will never be able to force a hosting client to check 
> and clean their mail on a regular basis. 
> 
> . More than once spammers have leveraged holes in the mail servers of 
> clients of mine. One mail server hard drive filled up with 60GB of 
> queued spam, and they had to pay me $100/hr to drive in and clean up 
> the mess. Plus the company was without e-mail for a weekend and a 
> Monday. Another time, an improperly configured zombie _elsewhere_ was 
> attempting to send spam in excess of 10,000 messages a minute to a 
> server I was managing. It took two days for me to contact the other 
> administrator and get them to unplug the server. 
> 
> . Every week I spend hours of what could be billable time cleaning out 
> my inbox. Sometimes I accidentally delete a legitimate message 
> without realizing it. This costs me. 
> 
> All these things cumulate to be a very large cost to myself, but more 
> so to others with even larger organizations. E-mail is steadily 
> becoming an irrelevant method of communication, and unless we can 
> perfect a method to ignore or combat spammers, I really can't see 
> e-mail being an effective form of communication in five or ten years. 
> Isn't that worth fighting for? 
> 
> If I can help shut down a spammer by sending a few MB of traffic their 
> way every day, I'm for it. What are the downsides? 
> 
> . Extra traffic for backbone carriers 
> + Spammers and their direct carriers will have to pay for it 
> + If the spammer is shut down, then this is irrelevant as the net 
> bandwidth and costs to others will still be less 
> - Might target an innocent, which is why such a tool is best 
> coordinated by SPAM professionals 
> 
> . Ethics 
> + If you object, you don't have to participate 
> . Operates outside the law. Some other people on the list like 
> making (rather funny) analogies about physically assaulting your 
> mailman, but the impacts are primarily financial, and if done properly 
> affect only the ones that deserve it. If a spammer is earning 
> $750,000USD a month, I feel no pity that I've increased his bandwidth 
> bill. 
> - May seem morally questionable. Clearly this is subjective. I think 
> history can demonstrate that while brute force isn't typically the 
> best solution, sometimes it is the only answer. 
> 
> 
> > Then, what will you do when (not IF) you'll receive X bazillions 
> > polite emails requesting you to remove such-and-such random 
> > IP from your flood-list ? Will you really deal with all of those messages ? 
> 
> This was intended tongue-in-cheek, but I would stop flooding a spammer 
> under the following conditions: 
> 
> . They use opt-in mailing lists only, and no funny business like "We 
> got your address from a member site" 
> . They use their own resources to send bulk e-mail, and stop 
> leveraging the bandwidth and storage of unsecured mail servers 
> . They respect unsubscribe requests 
> . They do not attempt to mask the true sender, nor pull stupid 
> bullshit like "V1.4grAAa". If I want my mail server to block messages 
> with Viagra in it, then forcibly bypassing my mechanisms is a 
> personal insult. Personally I can't see why spammers do this, if I'm 
> actively filtering spam, I'm obviously not going to buy your damn 
> Viagra. 
> 
> > I DO agree that strong measures should be taken against spammers. Legal ones, 
> > that is. No other way to keep a civilized society still civilized. 
> 
> That's an interesting point. Is this illegal? Is it illegal to go to 
> the spammer's website and hit refresh fifty times? A hundred times? A 
> thousand times? If it is, then I suppose this _is_ illegal, but my 
> gut feeling says it isn't. If not illegal, then maybe in a gray area. 
> I'm sending them this traffic of my own cognizance as a peaceful 
> protest. Is there any law in any country that makes this illegal? If 
> not specifically defined, then in general what would you call this 
> sort of 'illegal' activity? 
> 
> _______________________________________________ 
> Full-Disclosure - We believe in it. 
> Charter: http://lists.netsys.com/full-disclosure-charter.html 