Blue Security Gives up the Fight

bblboy54 writes "According to The Washington Post, Blue Security has closed its doors, which can be confirmed by the Blue Security application failing to work today and their domain no longer resolving. Blue Security's CEO is quoted in the article: "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start," Reshef said. "Our users never signed up for this kind of thing." You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"

The problem is it relies on a central server.

[Ant P.]

Anyone want to state the obvious answer?

When the going gets tough...

[fak3r]

Hey, wait a minute, I've followed Blue Security since I first read about them on /., and I can't believe they're just gonna fold up shop and give up! Isn't this what they got into the business for? Can't they take this attack and use it to demonstrate the validity of their concept? I wish they could think up another tactic besides, 'you win' -- perhaps diversifiying their URLs/IPs so that they're more spread out...less vuln to an attack on one IP? Come on, what do readers think...I know there's got to be some way to use BS software and reroute things through an Onion style network to fight back.

They should have listened

[CaptainZapp]

From the FA:

"When the company's founders first approached the broader anti-spam community and asked them what they thought of the idea, everyone said this was a terrible idea and that they would eventually cause a lot of collateral damage," Underwood said. "But it's also extremely unfortunate, because it shows how much the spammers are winning this battle."

Hell, the idea of flooding the spammers network is older then a reasonably aged Armagnac and was discounted even when it came up.

Building a business model on such an innane idea looks as if the company execs are a few fries short of a happy meal. Speceifically since they where warned by more experienced people.

We are ALL "owned"

[TFGeditor]

This episode proves that the spammers own and control the internet.

The internet is no longer free (not as in beer). We must pay obesience to the owners by allowing their spam in out inboxes.

I, for one, do NOT welcome our spam-spewing overlords.

Re:Third Choice?

[Salty Moran]

It's hard not to fall to vigilantism when there's no sherriff in town to keep the peace on your behalf...

Re:The problem is it relies on a central server.

[fak3r]

Exactly, this is why Napster was brought down. They need a different client-server setup, me thinks a bittorrent/Onion Router style network would do the trick here, and with the start that BS has provided, I can't see it as being impossible to make this into an effective defensive/offensive tool.

Re:Third Choice?

[fistfullast33l]

I noticed that your user page doesn't have any submitted stories that made the front page. I also comment fairly regularly and have had three submissions accepted. After my first one, I started receiving 20-30 phishing emails a day in my gmail inbox, and about 5 legitimate emails. That's why I've stopped posting any kind of email whatsoever to this site. As it is, my URL currently goes nowhere as well because shortly after I started using that instead I got hit with comment spam and lacking the time to install a solution like captcha images, I decided to just take the server down instead. This is for a site that got at most 20 people a day who were mostly my friends. We need some kind of international solution to stop these people and the harm they're doing.

wow

[trybywrench]

Wow so the bad guys won? This isn't the way it's suppose to happen. wtf

Sigh! Or why spam is unacceptable

[CaptainZapp]

I'm not a whiney mac fanboy, and even I get very very little spam. It's just not a day-to-day nuisance for me.

Fine, I'm happy for you. You obviously don't own an active domain, or a business. Because otherwise I could guarantee that it gets to be a problem for you.

But the problem is not you, it's not me, it's not my little kid sisters dog.

The problem is that a couple of hundred big time spammers are getting rich by shitting into the communal water supply!

If you think that's acceptable within a society then you will apologise that I have no respect for you and the likes of you.

Solving the Spam Bot problem

[smartin]

It seems that the problem here is that they were brought down by the spammer's huge number of bots running on compromised machines. Why has no one tackled this problem? It seems to me that this should be the responsibility of the ISP's. I'm no expert but I believe that if someone reports to an ISP that a particlular IP address is running a bot, that it should be a simple process for the ISP to do some tests to see if that is true by checking the nature of the traffic coming out of the machine. If they decide that the machine has been compromised, they should shut down it's connection and redirect port 80 requests to a web page explaining to the owner that their machine has be compromised and how to fix it.

This does not seem to me to be a difficult technical problem and it is in everyone's interest to get the compromised machines off the net.

Re:Third Choice?

[Tim C]

I know the flip side of the spam problem is bandwidth wastage, but anyone who's still getting spam in their inbox should install some nice filtering software.

I have a catch-all email address set up on my domain - so $anything@$mydomain gets to me.

For years, I used to get a very small amount of spam to addresses like info@, sales@, etc, and a throwaway account I used on a website that I never used for any real mails.

Then, a few months ago, some scum-sucking shit-brained low-life motherfucker* decided to use my domain name in forged From: addresses.

(* But I'm not bitter)

I now receive on the order of a thousand spams, bounces and assorted related crap per day. Now, of these, only a tiny handful make it to my inbox, and they're all easy to spot. I've not done the stats, but I'd image that Thunderbird's filtering is 99% accurate or better.

It's still a pain in the arse though, and it's still utterly unacceptable behaviour on the part of the morons responsible.

I don't necessarily think that vigilantism is the answer, but something has to be done.

(Yes, I could switch off the catch-all addressing, but I actually find it useful, inconsiderate wankers trying to ruin the entire net for everyone not withstanding)

Re:Take a page from SETI

[Daniel Dvorkin]

At this point I'm convinced that the only solution is a worldwide series of gory murders of spam kings with "death to spammers" written on the walls at the crime scenes in the spammers' blood.

Re:The problem is it relies on a central server.

[boldtbanan]

One of the nice attributes of having a central server is that BlueSecurity could validate that the site was a legitimate target before unleashing the flurry of opt-out requests.

Which brings us right back to a centralized server in the first place. As long as everything has to pass through a single choke point (or even a small number of them), they are susceptible to the same DDOS attack. If there is no authoritative verification, you essentially just created a P2P DDOS system that the spammers/organized crime/anybody can (and will) readily abuse. Therin lies the rub.

Re:We are ALL "owned"

[Anonymous Coward]

We don't have to do anything of the sort. What we should be doing is redesigning the SMTP protocol so spamming becomes either too cost-prohibitive or downright technically impossible. If we took the billions of dollars a year we pour into fighting spam with blocklists, heuristics, and the ever popular "just delete it from your inbox when you get it" and a) got our legislators to actually REALLY ban spam, and b) redesigned the protocol to provide technological countermeasures against the possibility of spam, we'd have licked this problem years ago. Spam is just as bad as child pornography or rape and should be combatted with as many or more resources than these disgusting crimes.

We're going about this the wrong way

[netruner]

The bad guys won this time because we tried to match force with force. I've said it multiple times in this forum - we have to accept that spam isn't going to go away. The only way we're going to get it down to an acceptable level is to make it not worth doing.

Filtering is one way, but basing it on the raw content of the email won't work. If there was a public key repository where legitimate users placed a public key for decryption, and all legitmate email were sent encrypted with the corresponding private key, the authenticity of the email could be known. Then, if someone starts making a nuisance of themselves, they could get their public key revoked. If this method were used, filters could be made to only let through emails that decrypted with the public key of the sender.

Let's face it, spam is a fact of life. Remember that you're up against people who do this as their 9-5er with no regard for law, ethics or their public image if you want to go the force-vs-force route.

Re:When the going gets tough...

[Billosaur]

The attack was probably large, but then why wouldn't they seek out help from law enforcement?

Because these "spam kings" (ok, let's find a new, more acceptable phrase, like "spam dorks") tend to hide out in countries that either have a) no formalized relations with the US or other countries or b) countries that might be allies but will not let us simply go tromping through their country on the hunt for spammers.

They hide in the shadows, collect money from the stupid and unwary, and then go after anyone who tries to stop them. If you think DDoS attacke are their only weapon, think again. It really is going to take a campaign of Internet espionage followed by vigilantism to get at most of these people. I can see it now... Merc for Hire -- specializing in SPAM and the removal of the source with extreme prejudice!

Spammers are the wrong enemy

[linvir]

The king spammers are too powerful. If it's vigilante action you're after, it seems that the right people to attack are their customers. Bluesecurity would have done better if they'd sent the opt-out requests to the companies being advertised.

This person has received a promotional email advertising your product, and is not interested in it. They have authorised us to advise you of this on their behalf. Please inform your advertising provider of this and ask them to remove this user from their list.

And underground, it'd be also be helpful to DDoS the fuckers. The problem with that is that the dickhead 13 year old kids running the botnets don't care about spam.

Re:We are ALL "owned"

[RM6f9]

Excuse me, one moment please: While I can understand that you (and many others) have a deep personal hatred for unsolicited commercial email, please consider correcting yourself - there is no way in kind or in degree that the irritation of Spam/UCE is equal to the tragedies of child pornography or rape.

May whatever Deity exists prevent you from learning the difference first-hand.

Re:We are ALL "owned"

[alcmaeon]

"Excuse me, one moment please: While I can understand that you (and many others) have a deep personal hatred for unsolicited commercial email, please consider correcting yourself - there is no way in kind or in degree that the irritation of Spam/UCE is equal to the tragedies of child pornography or rape."

Oh yeah? Well, what if it's spam adveretising websites that show pornographic pictures of child rape? Huh? Huh? Huh?

Right

[SmallFurryCreature]

You are an ISP that means you business getting people to pay you to let them on the internet. Now try to do this. Block people from the internet if they are not running proper software. How many seconds do you think it will be before people switch to a provider that doesn't block bots. Because people don't care they are infected they just want to be hassle free. Until their computer blows up they don't want to know that their machine is a bot.

Anymore then people want to know their 3 ton car is causing global warming. Imagine if Shell refused to sell gas to cars that do not have a certain fuel efficiency. How long would they stay in business?

It is one of the reason to liberetarians are wrong. A lot of things can only happen because they are written down in law.

Should there be a law that forces ISP's to shutdown bots? Well, it all depends on the kind of internet you want. A totally free on that is controlled by criminals or a non-free one that is controlled by the state.

Cause freedom doesn't exist. There is always someone in control. For now it is the spammers.

Never signed up for this

[linvir]

It's exactly what I signed up for. Maybe they got the majority of their users before the DDoS, but I only signed up once it turned ugly, and a lot of people here would say the same.

This really demonstrates the need for a distributed version. Not only is the centralised architecture easy to attack, as we saw with BS vs PM, but also it's at the mercy of its operators. A living breathing antispam system was in place, with many willing users, but had to be shut down because the tiny head at the top of the body wanted out. If it was less monolithic, head shots wouldn't even exist.

Tie that in with my other idea [slashdot.org], and maybe there's a good method in there somewhere.

Re:This works ... 100% effective in killing off sp

[Anonymous Coward]

Hello spammers. In Soviet Russia, the angry citizens beat the shit out of YOU!

Writers class 101: Define before use

[Idaho]

"Our users never signed up for this kind of thing. You have to wonder where it goes from here. It seems an effective method has been found but more than a small private company could handle. Will someone else adapt this concept, or does the internet world give up?"

What kind of thing? What kind of effective method has been found to do, what exactly? What is "this" concept we are talking about?

I read this site (almost) daily but have never ever heard of this company before. As it is apparently some kind of small startup, I'd imagine many others around here have never heard of them, either.

Without any context, this "article" is pure gibberish. Maybe it makes sense after reading the linked article (which, I'll admit in good /. style, I haven't *yet* done), but can we please at least try to make somewhat clear what an article is about, so that everyone can decide for himself whether this subject is of interest to them in the first place?

Re:The problem is it relies on a central server.

[Spy der Mann]

The problem would be how to make a distributed system that can't be poisoned or decieved by
an attacker.

Easy. Make it not relying on a server or P2P network at all. You only opt out *YOUR* e-mail address (hashed, of course). The mails will be either automated or human-verified (by you).

Re:Third Choice?

[Tom]

I don't necessarily think that vigilantism is the answer,

Why not? It obviously is. Nothing else is working. Once a few spammers have died horrible deaths, or have been mutilated, tortured, branded and hung out in the marketplace covered in honey with a big ant colony nearby, there just might be a reduction of spam.

Spamhaus knows the top 200 or so spammers, many with addresses. $1 from everyone who hates spam and there's a pretty good bounty, and it is cheaper than installing new filters all the time.

Re:Take a page from SETI

[infolib]

the only solution is a worldwide series of gory murders of spam kings

Do it right then. If you've got 15 names, murder 10. Then drop a Usenet post with a couple of scene shots saying "There's five names left on my list. If you want to know if yours is on it, just keep spamming." That would stop much more than 15 spammers. (Or at least they'd cower.)

Re:Email is broken

[Tim C]

There's nothing stopping me shitting in the reservoir. Does this mean that tapwater is dead?

If you do that sort of thing enough, you will be tracked down and (if caught) prosecuted.

The same apparently cannot be said of spammers - or at least, not the ones that pick on individuals. I imagine that the story would be different if they chose to forge addresses from amazon, google, microsoft, etc.

Re:Third Choice?

[Geno Z Heinlein]

I don't necessarily think that vigilantism is the answer...

Vigilantism is exactly the answer. For some reason, there's this idea that people aren't supposed to "take the law into their own hands". Well, who is supposed to maintain the law? The authorities? They can't do it. If every last cop on every last police force was Joe Friday, they still wouldn't come close to having the manpower to control traditional crimes, let alone email spammers.

More to the point, every last cop on the force isn't Joe Friday. Frank Herbert wrote that the saying "power corrupts" needed to be re-written as "power attracts the corruptible". With profound respect to those who become the authorities of society because they genuinely want to make the world a better place, there are also lots of people who do it because they want the power. From street cops to the presidency, we have seen that bad people are drawn to power. The worst ones are on the take, beating people who surrender, invading other countries without justification, passing legislation that favors institutions over individuals, and so on. The ones who are just misguided genuinely believe that only particular, designated officials should run a society. Both types support the idea that people aren't supposed to take the law into their own hands.

How does all this happen? How do people get into situations where bad people ruin things and nothing can be done? Because there are people who don't believe in taking the law into their own hands. Because there are people who believe that making things better is a job for someone else, not a sacred trust. Because there are people who don't feel like this is their world. And because lots of people who care only for themselves are willing to take advantage of people who don't believe in vigilantism.

Of course, the word "vigilantism" is not a native part of my vocabulary. I have another word that I use there. Let me rewrite the original statement: "I don't necessarily think that responsibility is the answer..."

Re:Email is broken

[jc42]

A new protocol will help greatly, but it won't stop the REAL problem which is people shitting in communal waters.

Interesting metaphor. Fact is that public waters tend to be full of shit, and there's nothing we can do about it. Reservoirs are routinely colonized by fish, waterfowl and aquatic arthropods, which eat the plants and each other and shit out the waste. Water supplies can only minimize this; they can't prevent it. So, rather than fighting a hopeless battle and delivering contaminated water, they accept the situation. They try to keep the reservoir somewhat clean, but they also filter and sterilize the water while delivering it.

It's likely that the same situation with email is permanent. Attacks can cut down somewhat on spammers, but like the insect larvae in the reservoirs, there will always be spammers in the internet. Delivering clean email will require filtering and decontamination software. We already have lots of it in place, and it's likely that we will always need it.

There will always be hucksters and scammers out there trying to separate us from our money.

Re:Take a page from SETI

[Anonymous Coward]

Yes, but the Lycos screen saver was owned by a company. Companies are easily pressured into changing their ways. An open source project on the other that belongs to everyone wouldn't have a single point at which to attack. Each person who chooses to use the tool takes upon themselves the repercussions of their own use.

Re:Dive Into Mark said it best...

[Matts]

Except only the slashdot hive-mind thinks that what Blue Security were doing was OK. I know about the whole "one web request for one email" but spam is a problem of traffic, and fighting that by INCREASING the traffic on the network is just utterly bizarre to anyone involved in email except for BS.

As for: You will be attacked by professionals who have more money than you, more resources than you, better programmers than you, and no scruples at all that's not exactly true. There are anti-spam organisations and companies that have been running for years, are very good at keeping peoples inboxes clean, and also work within the industry to find long term solutions to the spam problem. And they haven't been DDoS'd off the internet. Now it's true that Spamhaus and SORBS regularly get attacked, but they're still here, and they will be for the long term because the ISPs are willing to put up with a bit of bad network traffic for them because what they're doing is admirable. What BS were doing wasn't, and I'm sure their ISP wasn't willing to ride out the storm of the DoS.

Re:When the going gets tough...

[spyrochaete]

Blue Frog had 100,000 new signups AFTER the DDoS attack! That's over 20% of their user base! It seems people are willing to recieve more spam if it means sticking it to the culprits!

Re:Sigh! Or why spam is unacceptable

[HermanAB]

Yup, the people that get ripped off are not the receivers of the spam - they delete it or ignore it. The people that get ripped off are the business owners that get duped into thinking that advertising by spam is useful - they then hand over oodles of cash to the spammer, who sends out the crap and the business owner gets zero return on his 'investment', plus a few death threats.

WRONG! It's an ECONOMY problem.

[Spy der Mann]

but spam is a problem of traffic

NO! SPAM is a problem of bandwidth STEALING! Spammers are using OUR bandwidth to GAIN MONEY.

Remove one of the two (our bandwith, or their money) and we'll solve the problem.

Re:Take a page from SETI

[DrSkwid]

fuck you

leave all my ports open, thanks

Re:When the going gets tough...

[Pollardito]

clearly the answer is to shutdown and reopen with a new terms of service that states that you understand that you're signing up for a war.

Re:Third Choice?

[Acer500]

While I do hope someone does something about spam, I'm not certain if vigilantism is such an answer... just think if one of Spamhaus's 200 spammers is mis-identified.

We have been mistaken for spammers once, and it's not nice, we were blacklisted for 3 days before we convinced the blacklisters that we were a legitimate business, during that time our sales people had a hard time (and no we don't send newsletters or nothing of the kind, just business email).

Being DOS'd or some of the scarier options proposed does not sound good to me.

Re:The problem is it relies on a central server.

[jafiwam]

Well, if the anti-spammers wanted to play hardball they could use the 13 root DNS servers to host the anti-spam services (RBL or whatever).

Then, when the spammers act to take it down, they take down the internet.

Then joe-public and jackass-senator get involved and play hardball to... leading to PMITA prison for the the domestic ones, and severe concequences for the out of country ones. (Why the heck not just flatline all traffic out of Korea (home of many many zombified machines) for example. They clean up their boxes or they have their own internet.)

That's hardball.

So far, I have just seen reactionary measures that don't last long, or hand-wringing.

Re:When the going gets tough...

[Tom]

And now imagine if they would team up with MS and Vista scans all mails the user sends (it probably does that anyways) and if he is dumb enough to reply to any of those "enlarge your penis" scams, it disconnects the network, permanently.

It'd be 3 days until spam is a thing of the past.

I mean, we've been talking about removing the profit for a long time. Has nobody before me thought about doing it by removing the dumb who are the profit source?

Re:Theology

[SatanicPuppy]

The question is, are you giving them the way out, or are you leading them into damnation? You're assuming that your interpretation is the only possible true interpretation, and that therefore you have the right & duty to enforce that interpretation on people who disagree with you. That is incredible hubris.

In the modern day, we see a lot of people judging and throwing stones, and claiming that they're right to do so. Now, I'm no biblical scholar, but I'm pretty sure that both the OT and the NT are pretty specific about people usurping the perogatives that belong to god.

Let me be blunt: It is not given to you to be judge and jury to your fellow man. No one appointed you the sole keeper of god's laws, and nothing makes your interpretation of those laws superior to anothers.

Re:Theology

[SatanicPuppy]

Interesting point. I am not, as you seem to be suggesting, an ethical relativist. On the other hand, Christian dogma is so amazingly fragmented it would be difficult to attribute anything like a consistency of belief across the whole of the religion.

My point, thus, is that, where there is doubt, there should be circumspection. I've never heard a defense of murder, for example, that would appeal to a rational audience. On the other hand, biblical passages have in times past been used to justify murder, for example, the Salem Witch Trials.

Now while I hold that anyone who feels strongly that witches should be burned has every right to that belief, I strongly object when they try to impose that belief on a world that disagrees. Likewise with the modern evangelical tradition of deciding, arbitrarily, on what constitues the truth, and then attempting to force that belief on all and sundry. They would certainly expect their beliefs to be honored...indeed recent history can be conclusively shown to demonstrate a tendency on the part of evangelical christians to hysterically denounce any and every action that they feel impinges on the fullness of their belief (e.g The "Holiday Tree" debate, and others).

Now, historically, there has been a way around this impasse of beliefs that I'm going to refer to as laws, which, for the purposes of discussion, we can think of as "enforcable beliefs" that are agreed on by people who otherwise have different belief structures. Now recently, the evangelical types have taken to thinking of any "belief" (be it legal, moral, logical, or scientific) that runs a counter to their own beliefs as less valid, and, indeed, a purely personal attack on their correct beliefs.

Now my argument, if you would call it thus, is simply to point out that, with so much disagreement on the fine points as it were, of their beliefs, it would be wise for them to accept, with some Christ-style holy humility, that other people are also entitled to beliefs, before their hysterical intolerance breeds domestically the very same problems we see all over the world.

Re:Take a page from SETI

[wkitchen]

I'd have no objection to ISP's blocking outgoing SMTP by default, but with a policy to unblock upon request. Better yet if they provided a means for users to block/unblock at will.

Re:WHAT THE FUCK???

[Anonymous Coward]

Actually, yes, it is. Pretty nearly anyway.

Because spam is not just about cluttering you inbox.

A substantial portion spam is now primarily a revenue generator for serious criminal organisations. The sort of organisations which also PRODUCE child pornography and traffic in child prostitutes from destitute countries.

That is why so many people are now muttering about vigilante justice.

And why I post as an Anonymous Coward. Something else to consider: if someone comes up with a method which hurts them as badly as Blue Frog's technique, but can't be stopped by technical means, they WILL try to kill you.