Monday, May 22, 2006

Don Spamleone

Fact: the company called "Blue Security" gave in to spammers and hackers and shut down their anti-spam service. I think this is the first time spammers achieved victory of this kind.

Story (as far as I got it from various sources): Blue Security came up with a controversial method of fighting spam. Basically, its software, called "Blue Frog", was installed on the users' computers and flooded spammers' websites with opt-out messages, thus performing a typical DDoS attack. Then some (allegedly Russian) spammer/hacker, PharmaMaster, declared war on Blue Security and staged a real DDoS attack on their servers, disabling their site completely. Blue Security attempted to evade the attack by redirecting the users to its TypePad-hosted blog, but then PharmaMaster struck Six Apart (the company which hosts TypePad), causing a lot of additional damage along the way. As a result, the company's co-founder Eran Reshef stated (according to "Washington Times") that "It's clear to us that [quitting] would be the only thing to prevent a full-scale cyber-war that we just don't have the authority to start..." - and the service was shut down.

This story is a sorry and disturbing one. Speaking frankly, I don't feel any real sympathy towards Blue Security: fighting crime with criminal methods is not such a great idea. Besides that, their flooding caused unnecessary load on the servers and communication channels, and thus was not much better than the spam itself. There is a Russian proverb which seems to perfectly describe this conflict: "A thug stole a club from another thug" (my translation is not perfect, but it shows the idea). By the way, there are some attempts to recreate Blue Frog in a P2P way - and I think these attempts are extremely foolish and dangerous, because it definitely will lead to a full-scale cyberwar.

I am also worried by the fact that, as I discovered from some articles, Blue Security got several million dollars from its investors - which means that, besides some hard-core anti-spam extremists, there are some people with money who support the idea of fighting criminals with their own methods. Basically, this is equivalent to investing money in weapons for guerrillas and rebels. We all know too well where this policy leads.

And I am disturbed - and enraged - by the fact that one outlaw hacker was able to declare war on a legitimate company, which resides in a civilized country, and won the war without anybody being able to protect the victim. This is really scary, because it means that a person with some knowledge of the cyber underground and some money is able to bring down any legitimate company. Some measures definitely should be taken to protect people and companies from such a fate - but, I am afraid, those measures most probably will turn out to be more harmful to the Internet than spammers and hackers together.


1 comment:

Aleksey Linetskiy said...

I agree - automated "fight-back" plans cause more trouble to the network in general than to the "target". Actually, I think that in cases like this the only right way to harm the attacker is to jail him (or her).

And as for DDoS - I think there are two problems with these attacks. First - the Internet architecture was created without much thought of security. I do not want to blame the creators, but it seems like it's time to do some architectural changes.

And the second problem is, as usual, users. People keeping their computers undefended, with no antivirus/firewall, and with no knowledge about security. Sometimes I think - though I know that it's not the right solution - that users should be made responsible for hackers using their machines and connections. Something like "If a hacker used your machine to cause harm, you will be held responsible unless you can prove that the computer was adequately protected". Yes, yes, it sounds bad...