From nanog-bounces@nanog.org Tue May 27 12:06:50 2008
Subject: RE: amazonaws.com?
Date: Tue, 27 May 2008 18:08:16 +0100
From: <michael.dillon@bt.com>
To: <nanog@merit.edu>
If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.
Exactly!!! If an SMTP server operator is not willing to police their server by implementing a list of approved email partners, then why should the rest of the Internet have to block outgoing port 25 connections?
Because the _privilege_ to send packets to other networks has been, from 'day one', conditional on the presumption that the sending network _is_ a "good neighbor" to the networks receiving their traffic. AS SUCH, they have a firm 'moral responsibility' to *NOT* let _their_ users =originate= traffic that is harmful/offensive/abusive to the receiving/destination network. Or, are you arguing for _no_ "acceptable use" policies for _anything_ on the 'net? That anyone should be free to attempt anything against any server/network, and that it is the sole responsibility of the receiving system to build and maintain the defenses against "whatever" any malefactor might decide to do? *AND* that the party providing that 'black hat' with connectivity should bear no responsibility for anything that their customers do? Thinking about it, I realize that asking _you_ (an employee of a major telephone company) is a silly question -- you have a biased viewpoint from a government-regulated monopoly.
The buck needs to stop right where the problem is and that is on the SMTP servers that are promiscuously allowing almost any IP address to open a socket with them and inject email messages.
Since one _cannot_ stop the -attempts- at the destination end, and the volume of -attempts- (even though they're blocked at the fence-line) *CAN* be enough to render 'normal' operations of the receiving network impossible -- "it should be obvious to the meanest intelligence" that the matter *must* be addressed at a point _upstream_ from the destination network. It is universally recognized in the real world that 'toxic waste' issues must be dealt with at the _source_ point -- where that toxic waste is produced. AND that the costs of doing so should fall on those who produce them. There is no reason that the Internet should be any different. The polluter is the party who *should* get hit with the majority of the costs of handling the toxic waste they produce, not the party simply trying to enjoy the 'quiet satisfaction' of their own property. It is arguable that the Internet has advanced from the 'early pioneer' days of the '80s, to a state that is comparable to the height of the "Robber Baron" era -- where everybody was out for 'me first, and to h*ll with whoever isn't big enough, mean enough, and tough enough to stand up to whatever I want to do to take advantage of them.' History shows that such attitudes weren't right _for_the_world_as_a_whole_ then, and societal barriers were put in place to prevent such abuses from recurring.
Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
Amazon might get a clue and sue companies who take such outrageously extreme action.
*SNICKER* The results of such a suit are _utterly_ predictable. There's established case-law going back a couple of _decades_. For example, look at any of the (100% _unsuccessful_) suits that "Cyber Promotions, Inc." filed against any of the several providers that did exactly that to said plaintiff. There's similar case law in England, the Netherlands, Germany, Switzerland, Norway, Finland, and Australia -- just to name a few of the places where the matter has been litigated. There are no "rights" on the Internet, only "privileges". Your right to access any part of my network exists only -if- I extend you that privilege. And it _is_ revocable at whim. WITHOUT any need to 'show cause why'. Such a suit as you suggest runs the very real risk that the filing party would be sanctioned as regards "frivolous" filings.
Even if you are being slammed by millions of email messages from Amazon address space, that is not justification for blocking all access to the space. It's a point problem on your mail server so leave the shotgun alone, and put an ACL blocking port 25 access to your mail server.
FALSE TO FACT. If they generate _enough_ 'unwanted' traffic towards me, that can/will constitute a fairly effective (D)DOS attack -- admittedly, it's only 'slightly' distributed, and it's coming from a single block, so it can be dealt with by some forms of point responses. I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires- blocking/limiting the traffic *before* it hits the choke-point that is my external connectivity. When that traffic is coming from a 'well defined' source under a single entity's control, *THAT* -- the source -- is the appropriate place to deal with it. In the alternate case -- a widely distributed set of disparate sources -- other methods (usually involving the immediate "upstreams" -- who presumably have big enough resources to be able to 'absorb' a volume of toxic waste that would be fatal to me) are necessary. The fact that such methods are necessary in some circumstances does -not- mean that they are the _preferred_ method in all circumstances.
I don't believe that horrendously broken email architecture and email operators with no vision, are sufficient justification for blocking new and innovative business models on the Internet. 10 months of the year, Amazon has 10 times as many servers as they need. They want to rent them out piecemeal and I applaud their innovation. Maybe their model is not perfect yet, but the solution to that is not to raise a lynch mob. Instead you should build a better cloud computing business and beat them that way.
I applaud their _intentions_, and deplore their *implementation*. They, like many others, have forgotten that "the Internet" is, in fact, a fairly -unique- institution/facility -- where the 'value' of what _you_ offer is contingent on the 'courtesies' you get for free from the rest of the world. Every internet service provider and service offerer *needs* the 'good will' of its competitors _more_ than it needs any of its own customers. Something like the initial part of the Hippocratic Oath is needed for those who consider Internet-based service offerings -- "First, do no evil." People who fail to control the toxic waste emissions from their property are _not_ "good neighbors", and fail that 'do no evil' test. The same for those who allow toxic waste emissions to flow from their networks over the Internet.
On 27/05/2008 20:53 Robert Bonomi wrote:
Because the _privilege_ to send packets to other networks has been, from 'day one', conditional on the presumption that the sending network _is_ a "good neighbor" to the networks receiving their traffic.
You need to wake up Dorothy, this isn't Kansas anymore. Free access to the internet won long ago, it's all about defending yourself.
-- Colin Alston ~ http://syllogism.co.za/ "To the world you may be one person, to one person you may be the world" ~ Rachel Ann Nunes.
Thinking about it, I realize that asking _you_ (an employee of a major telephone company) is a silly question -- you have a biased viewpoint from a government-regulated monopoly
Reductio ad absurdum. Needs no other reply.
"it should be obvious to the meanest intelligence" that the matter *must* be addressed at a point _upstream_ from the destination network.
Of course. But a more advanced intelligence will wonder why we have to have an SMTP server architecture that invites attacks. Why, by definition, do SMTP servers have to accept connections from all comers, by default? We have shown that other architectures are workable on the Internet, where communications only take place between peers who have prearranged which devices talk to which. This worked for USENET news and it works for exchanging BGP route announcements. Such peering architectures allow you to introduce hierarchy into the set of bilateral arrangements, and as everyone should know, hierarchy is essential to scaling a network.

As long as we don't fix the architecture of Internet email, we are stuck with the catch-22 situation that Amazon, and all hosting providers find themselves in. These companies really have no choice but to allow spammers to exploit their services until the spamming is detected, either proactively by the provider, or reactively by a complaint to their abuse desk. And eyeball providers really have no choice but to accept this state of affairs, because without the hosted sites, there is not a lot of incentive for eyeballs to attach to the net.

Sure, Amazon could try to react more quickly to abuse reports, but if more ISPs would get behind a standard like ARF or IODEF http://mipassoc.org/arf/ http://xml.coverpages.org/iodef.html then this would be possible without huge spending on an abuse desk that spends most of its time discarding junk mail. The fact is that around 10 years ago, the Internet lost its abuse reporting system and ISPs have not yet replaced it with one that works.
It is universally recognized in the real world that 'toxic waste' issues must be dealt with at the _source_ point -- where that toxic waste is produced. AND that the costs of doing so should fall on those who produce them.
And that is what we do with our retail DSL and dial customers because sending out tons of mail to port 25 is not normal in such an environment. But in a hosting environment, it is perfectly normal to send out tons of mail so it is not possible to be as proactive as you can be with consumer customers.
There is no reason that the Internet should be any different. The polluter is the party who *should* get hits with the majority of the costs of handling the toxic waste they produce, not the party simply tryng to enjoy the 'quiet satisfaction' of their own property.
Actually, there *IS* a reason why the Internet should be "different". In the real world, if you try to enjoy the quiet satisfaction of your property without locking the doors, and someone walks in and takes your valuables, both the law, and the insurance company will consider you to be negligent. You do have an obligation to take reasonable measures to secure your property, i.e. don't leave the keys in the ignition. The Internet is no different.
History shows that such attitudes weren't right _for_the_world_as_a_whole_ then, and societal barriers were put in place to prevent such abuses from re-occuring.
Prevent? I don't think so. Enron did happen not so long ago and it was not an isolated incident.
Your right to access any part of my network exists only -if- I extend you that privilege. And it _is_ revokable at whim. WITHOUT any need to 'show cause why'.
Go ahead, no one will sue you for that. But if you solicit other companies to join you in painting Amazon the same color as Cyber Promotions, then I would expect them to sue you and win. In any case this will never happen because few ISPs have a customer base that would allow them to cut off Amazon, and all the other cloud computing suppliers.
I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires- blocking/limiting the traffic *before* it hits the choke-point that is my external connectivity.
This is one of the flaws in the existing email architecture because it invites anyone and everyone to hit your email server with as many messages as they desire. This invitation is what drives spammers to do what they do.
I applaud their _intentions_, and deplore their *implementation*.
In what way does their implementation differ substantially from any other hosting provider? --Michael Dillon
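The ARF format Michael Dillon points to above, as an added example that is not part of this thread and is not code from any of the providers discussed: building a feedback report on the reporting side and parsing it back on the abuse-desk side, using only the Python standard library. ARF was later published as RFC 5965. The addresses, the reporter agent string and the spam sample (`SAMPLE_SPAM`) are constructed for illustration.

```python
"""Build and parse an ARF (Abuse Reporting Format) feedback report.

Added example, not code from the thread. ARF is the format referenced in
the post above (mipassoc.org/arf), later published as RFC 5965. The
addresses, domains and the spam sample are constructed for illustration.
"""
from email import message_from_string
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText

# Constructed sample of an unwanted message as it arrived at the reporter.
SAMPLE_SPAM = (
    "Received: from host.example.net ([192.0.2.10])\n"
    "From: sender@example.net\n"
    "To: victim@example.org\n"
    "Subject: cheap cycles\n"
    "\n"
    "buy now\n"
)


def build_arf(original_raw, reporter, abuse_contact, source_ip,
              feedback_type="abuse", reporter_agent="example-mta/1.0"):
    """Wrap ORIGINAL_RAW in a multipart/report; report-type=feedback-report."""
    original = message_from_string(original_raw)
    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = abuse_contact
    report["Subject"] = "FW: " + (original.get("Subject") or "(no subject)")

    # Part 1: human-readable summary for an abuse desk reading by hand.
    report.attach(MIMEText(
        f"This is an email abuse report for a message from {source_ip}.\n"))

    # Part 2: machine-readable fields. RFC 5965 requires the first three;
    # Source-IP and Reported-Domain are the ones a desk actually acts on.
    fields = [
        ("Feedback-Type", feedback_type),
        ("User-Agent", reporter_agent),
        ("Version", "1"),
        ("Original-Mail-From", original.get("From", "")),
        ("Source-IP", source_ip),
        ("Reported-Domain", original.get("From", "").rsplit("@", 1)[-1]),
    ]
    machine = MIMENonMultipart("message", "feedback-report")
    machine.set_payload("".join(f"{k}: {v}\n" for k, v in fields))
    report.attach(machine)

    # Part 3: the original message as evidence.
    report.attach(MIMEMessage(original))
    return report


def parse_arf(raw):
    """Return the feedback-report fields of a serialized ARF message as a dict."""
    msg = message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report")
    for part in msg.walk():
        if part.get_content_type() != "message/feedback-report":
            continue
        body = part.get_payload()
        # The stdlib parser treats message/* bodies as nested messages, so
        # the fields normally arrive as the headers of a sub-message; fall
        # back to splitting lines if a part was left as a plain string.
        if isinstance(body, list):
            return dict(body[0].items())
        fields = {}
        for line in str(body).splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        return fields
    raise ValueError("no message/feedback-report part")


if __name__ == "__main__":
    arf = build_arf(SAMPLE_SPAM, "postmaster@example.org",
                    "abuse@example.net", "192.0.2.10")
    print(arf.as_string())
    print(parse_arf(arf.as_string()))
```

An abuse desk that receives reports in this shape can route on `Source-IP` and `Feedback-Type` without a human reading the original message, which is the cost saving the post above is after. A real deployment would also verify that the reporter is who it claims to be (for example by sending reports only to a known feedback-loop address) before acting on the fields.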
On Tue, 27 May 2008, michael.dillon@bt.com wrote:
But a more advanced intelligence will wonder why we have to have an SMTP server architecture that invites attacks. Why, by definition, do SMTP servers have to accept connections from all comers, by default? We have shown that other architectures are workable on the Internet, where communications only take place between peers who have prearranged which devices talk to which. This worked for USENET news and it works for exchanging BGP route announcements.
Of course there's no unwanted traffic on USENET or BGP. Everyone de-peers Tiscali when their customers' compromised home computers perform DDOS attacks.
As long as we don't fix the architecture of Internet email, we are stuck with the catch-22 situation that Amazon, and all hosting providers find themsleves in. These companies really have no choice but to allow spammers to exploit their services until the spamming is detected, either proactively by the provider, or reactively by a complaint to their abuse desk.
Nothing prevents Amazon from implementing a hierarchical email delivery network for their little corner of the net. They just have to block outgoing port 25 and require their users to use Amazon's smarthosts. I don't see how, in your preferred replacement email architecture, a provider would be able to avoid policing their users to prevent spam in the way that you complain is so burdensome. Tony.
-- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ HUMBER: SOUTHEAST VEERING SOUTHWEST 5 TO 7, PERHAPS GALE 8 LATER. MODERATE OR ROUGH. THUNDERY RAIN, FOG PATCHES. MODERATE, OCCASIONALLY VERY POOR.
I don't see how, in your preferred replacement email architecture, a provider would be able to avoid policing their users to prevent spam in the way that you complain is so burdensome.
To begin with, mail could only enter such a system through port 587 or through a rogue operator signing an email peering agreement. In either case, there is a bilateral contract involved so that it is clear whose customer is doing wrong, and therefore who is responsible for policing it. It's a different model in which email traffic follows a chain of bilateral agreements from the sender to the recipient. At each link in the chain, a provider can block traffic if it does not conform to the peering agreement (or service agreement for end users). Today, an anonymous spammer can obfuscate the source of their email in a way that an average user can't figure out who to complain to. In a hierarchical email peering system, only a rogue operator could do that, and by nature of the system, they can't really be totally anonymous. After all they have to sign a peering agreement with someone. --Michael Dillon
On Wed, 28 May 2008, michael.dillon@bt.com wrote:
I don't see how, in your preferred replacement email architecture, a provider would be able to avoid policing their users to prevent spam in the way that you complain is so burdensome.
To begin with, mail could only enter such a system through port 587 or through a rogue operator signing an email peering agreement. In either case, there is a bilateral contract involved so that it is clear whose customer is doing wrong, and therefore who is responsible for policing it.
This is different from Amazon's situation how? Tony.
-- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ SOUTHEAST ICELAND: EASTERLY 4 OR 5, INCREASING 6 OR 7. MODERATE INCREASING ROUGH. RAIN LATER. MODERATE OR GOOD, OCCASIONALLY POOR.
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity. Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
Tony Finch wrote:
On Wed, 28 May 2008, michael.dillon@bt.com wrote:
I don't see how, in your preferred replacement email architecture, a provider would be able to avoid policing their users to prevent spam in the way that you complain is so burdensome.
To begin with, mail could only enter such a system through port 587 or through a rogue operator signing an email peering agreement. In either case, there is a bilateral contract involved so that it is clear whose customer is doing wrong, and therefore who is responsible for policing it.
This is different from Amazon's situation how?
Tony.
-- +1.925.202.9485 Sargun Dhillon deCarta sdhillon@decarta.com www.decarta.com
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazon's case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider. The only reason this is a problem in the case of Amazon is that they're knowingly selling service to spammers, their abuse guy is in way over his head and isn't interested in policing their users unless they're doing something illegal or the check doesn't clear. As long as the spam being sent doesn't violate CAN-SPAM, it's legal. Cheers, Steve
Well, the thing that differentiates "the cloud" is that there is an infinite amount of resources, the ability to have anonymous access, and an infinite number of identities. Basically Amazon has allocated a /18, /19, and /17 to EC2. The chances of getting the same IP between two instances amongst that many possibilities is low. Basically someone could easily go get a temporary credit card and start up 10 small EC2 instances. This would give them 10 public IPs which would probably take 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just a matter of rebooting and you have another 3-4 hours. This could last weeks with a credit card. Then you could rinse and repeat. In the past I've seen companies require EIN/SSN verification (a bit much) in order to open up certain things (port 25, BGP, etc...). If Amazon is going to continue to have policies that allow spammers to thrive it will end with EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's static IP addresses. I think it would be easiest to block everything and just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to purchase an agreement with a relay that isn't part of the anonymous computing center.

Steve Atkins wrote:
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazon's case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider.
The only reason this is a problem in the case of Amazon is that they're knowingly selling service to spammers, their abuse guy is in way over his head and isn't interested in policing their users unless they're doing something illegal or the check doesn't clear. As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
Cheers, Steve
-- +1.925.202.9485 Sargun Dhillon deCarta sdhillon@decarta.com www.decarta.com
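Sargun's "block everything and just make exemptions for people who purchase the static IPs" approach, as an added example that is not code from the thread or from Amazon: a receiving-side access policy in Python that checks the connecting address against a set of cloud ranges, honours a per-address exemption list, and emits the same policy as a Postfix `cidr_table`. The two networks and the single allowlisted address are constructed documentation ranges standing in for the /17, /18 and /19 the post mentions, not the real EC2 allocations; the `OK`/`REJECT`/`DUNNO` actions and the first-match-wins table semantics are Postfix's own.

```python
"""Receiving-side SMTP access policy for cloud address space.

Added example, not from the thread or from Amazon. The ranges and the
allowlisted "static" address are constructed stand-ins (documentation
prefixes), not the real EC2 allocations the post refers to.
"""
import ipaddress

# Constructed: address space this receiver treats as anonymous compute.
CLOUD_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed: static addresses whose owners were vetted out of band.
# Exemptions are per address, never per range: instances churn, so a
# range-level exemption would be inherited by the next tenant.
STATIC_IP_ALLOWLIST = {ipaddress.ip_address("198.51.100.7")}

REJECT_TEXT = ("direct SMTP from cloud address space is not accepted here; "
               "relay through a vetted smarthost")


def smtp_access(client_ip, ranges=CLOUD_RANGES, allowlist=STATIC_IP_ALLOWLIST):
    """Return a Postfix-style action: OK, 'REJECT <text>', or DUNNO (no opinion).

    The allowlist is consulted first so a vetted address inside a blocked
    range still gets through; everything else in the ranges is refused at
    connection time, before any message data is accepted.
    """
    ip = ipaddress.ip_address(client_ip)
    if ip in allowlist:
        return "OK"
    if any(ip in net for net in ranges):
        return "REJECT " + REJECT_TEXT
    return "DUNNO"


def render_cidr_table(ranges=CLOUD_RANGES, allowlist=STATIC_IP_ALLOWLIST):
    """Emit the same policy as a Postfix cidr_table (first match wins)."""
    lines = ["# generated; host exemptions must precede the range they sit in"]
    for ip in sorted(allowlist, key=int):
        lines.append(f"{ip}/{ip.max_prefixlen}\tOK")
    for net in ranges:
        lines.append(f"{net}\tREJECT {REJECT_TEXT}")
    return "\n".join(lines) + "\n"


def evaluate_cidr_table(table_text, client_ip):
    """Apply a cidr_table the way Postfix does: the first matching line wins."""
    ip = ipaddress.ip_address(client_ip)
    for line in table_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        if ip in ipaddress.ip_network(pattern, strict=False):
            return action
    return "DUNNO"


if __name__ == "__main__":
    for probe in ("198.51.100.7", "198.51.100.8", "203.0.113.200", "192.0.2.1"):
        print(probe, "->", smtp_access(probe))
    print(render_cidr_table())
```

Blocking by range rather than by observed address is what defeats the "reboot and get another 3-4 hours" cycle the post describes: a per-IP blocklist is always one reboot behind, while a range rule costs the abuser nothing to trip and the vetted tenant nothing to bypass. The table is the form a Postfix operator would load with `check_client_access cidr:/path/to/table` in `smtpd_client_restrictions`; the `DUNNO` result leaves later restrictions (DNSBLs, rate limits) to decide.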
That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place... (I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...) - S

-----Original Message-----
From: Sargun Dhillon [mailto:sdhillon@decarta.com]
Sent: Wednesday, May 28, 2008 12:34 PM
To: Steve Atkins
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?

Well, the thing that differentiates "the cloud" is that there is an infinite amount of resources, the ability to have anonymous access, and an infinite number of identities. Basically Amazon has allocated a /18, /19, and /17 to EC2. The chances of getting the same IP between two instances amongst that many possibilities is low. Basically someone could easily go get a temporary credit card and start up 10 small EC2 instances. This would give them 10 public IPs which would probably take 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just a matter of rebooting and you have another 3-4 hours. This could last weeks with a credit card. Then you could rinse and repeat. In the past I've seen companies require EIN/SSN verification (a bit much) in order to open up certain things (port 25, BGP, etc...). If Amazon is going to continue to have policies that allow spammers to thrive it will end with EC2 failing.

SMTP has inherent trust issues. I'm currently researching Amazon AWS's static IP addresses. I think it would be easiest to block everything and just make exemptions for people who purchase the static IPs.

My advice to you if you are buying anonymous resources would be to purchase an agreement with a relay that isn't part of the anonymous computing center.

Steve Atkins wrote:
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazon's case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider.
The only reason this is a problem in the case of Amazon is that they're knowingly selling service to spammers, their abuse guy is in way over his head and isn't interested in policing their users unless they're doing something illegal or the check doesn't clear. As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
Cheers, Steve
-- +1.925.202.9485 Sargun Dhillon deCarta sdhillon@decarta.com www.decarta.com
I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc would be both sufficient and not excessive for allowing port 25 access, etc. On Wed, May 28, 2008 at 1:01 PM, Skywing <Skywing@valhallalegends.com> wrote:
That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place...
(I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...)
- S
-----Original Message-----
From: Sargun Dhillon [mailto:sdhillon@decarta.com]
Sent: Wednesday, May 28, 2008 12:34 PM
To: Steve Atkins
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?
Well, the thing that differentiates "the cloud" is that there is an infinite amount of resources, the ability to have anonymous access, and an infinite number of identities. Basically Amazon has allocated a /18, /19, and /17 to EC2. The chances of getting the same IP between two instances amongst that many possibilities is low. Basically someone could easily go get a temporary credit card and start up 10 small EC2 instances. This would give them 10 public IPs which would probably take 3-4 hours (minimum) to show up on any sort of blacklists. Then it's just a matter of rebooting and you have another 3-4 hours. This could last weeks with a credit card. Then you could rinse and repeat. In the past I've seen companies require EIN/SSN verification (a bit much) in order to open up certain things (port 25, BGP, etc...). If Amazon is going to continue to have policies that allow spammers to thrive it will end with EC2 failing.
SMTP has inherent trust issues. I'm currently researching Amazon AWS's static IP addresses. I think it would be easiest to block everything and just make exemptions for people who purchase the static IPs.
My advice to you if you are buying anonymous resources would be to purchase an agreement with a relay that isn't part of the anonymous computing center.
Steve Atkins wrote:
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and/or have some sort of RFC to do with SMTP access within the "cloud." I foresee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammer's dream. Low cost, powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazon's case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider.
The only reason this is a problem in the case of Amazon is that they're knowingly selling service to spammers, their abuse guy is in way over his head and isn't interested in policing their users unless they're doing something illegal or the check doesn't clear. As long as the spam being sent doesn't violate CAN-SPAM, it's legal.
Cheers, Steve
-- +1.925.202.9485 Sargun Dhillon deCarta sdhillon@decarta.com www.decarta.com
On Wed, 28 May 2008, Dorn Hetzel wrote:
I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc would be both sufficient and not excessive for allowing port 25 access, etc.
Until you find out that the source of those supposedly irrevocable funds was stolen or fraudulent, and you have some sort of court subpoena to give it back. I don't believe there is a way for you to outwit the scammer/spammer by making them pay more of their or someone else's money. If you have what they need, they'll find a way to trick you into giving it to them. Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
On May 28, 2008 at 21:43 beckman@angryox.com (Peter Beckman) wrote:
On Wed, 28 May 2008, Dorn Hetzel wrote:
I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc would be both sufficient and not excessive for allowing port 25 access, etc.
Until you find out that the source of those supposedly irrevocable funds was stolen or fraudulent, and you have some sort of court subpoena to give it back.
I don't believe there is a way for you to outwit the scammer/spammer by making them pay more of their or someone else's money. If you have what they need, they'll find a way to trick you into giving it to them.
Are you still trying to prove that Amazon, Dell, The World, etc can't possibly work? By your reasoning why don't the spammers just empty out Amazon's (et al) warehouses and retire! Oh right, they'd have to sell it all over the internet which'd mean taking credit cards... I'm still curious what a typical $ sale is on one of these cloud compute clusters, in orders of magnitude, $1, $10, $100, $1000, ...? P.S. For the record I'm not a great fan of blocking port 25 as someone mis-cited me here, I don't really care strongly either way, it's a tool. I am a big, big fan of assessing charges for AUP abuse and making some realistic attempt to try to make sure it's collectible, and otherwise make some attempt to know who you're doing business with.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Wed, 28 May 2008, Barry Shein wrote:
On May 28, 2008 at 21:43 beckman@angryox.com (Peter Beckman) wrote:
On Wed, 28 May 2008, Dorn Hetzel wrote:
I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc would be both sufficient and not excessive for allowing port 25 access, etc.
Until you find out that the source of those supposedly irrevocable funds was stolen or fraudulent, and you have some sort of court subpoena to give it back.
I don't believe there is a way for you to outwit the scammer/spammer by making them pay more of their or someone else's money. If you have what they need, they'll find a way to trick you into giving it to them.
Are you still trying to prove that Amazon, Dell, The World, etc can't possibly work?
Amazon and Dell ship physical goods. Amazon Web Services sells services, as do I. Services are commonly enabled and activated immediately after payment or verification of a valid credit card, as is often expected by the customer immediately after payment. Shipment of physical goods will almost always take at least 24 hours, often longer, enabling more thorough checks of credit, however they might do it. And even with the extra time to review the transaction and attempt to detect fraud, I'm confident Amazon and Dell lose millions per year due to fraud. The reality is that the millions they lose to fraud doesn't affect us because a Blu-Ray player purchased with a stolen credit card doesn't send spam or initiate DOS attacks. At least not yet; those Blu-Ray players do have an ethernet port.
By your reasoning why don't the spammers just empty out Amazon's (et al) warehouses and retire! Oh right, they'd have to sell it all over the internet which'd mean taking credit cards...
Now you're just being ridiculous. Or sarcastic. :-)
I am a big, big fan of assessing charges for AUP abuse and making some realistic attempt to try to make sure it's collectible, and otherwise make some attempt to know who you're doing business with.
Charging whom? The spammer who pays your extra AUP abuse charges with stolen paypal accounts, credit cards, and legit bank accounts funded by money stolen from paypal accounts and transferred from stolen credit cards?
If you are taking card-not-present credit card transactions over the Internet or phone, and not shipping physical goods but providing services, in my experience the merchant gets screwed, no matter how much money you might have charged for the privilege of using port 25 or violating AUPs. That money you collected and believed was yours and was in your bank account can be taken out just as easily 6 months later, after the lazy card holder finally reviews his credit card bill, sees unrecognized charges and says "This is fraudulent!" And there you are, without your money.
Getting someone to fax their ID in takes extra time and resources, and means it might be hours before you get your account "approved," and for some service providers, part of the value of the service is the immediacy in which a customer can gain new service.
Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 http://www.angryox.com/
---------------------------------------------------------------------------
There is a really huge difference in the ease with which payment from a credit card can be reversed if fraudulent, and the amount of effort necessary to reverse a wire transfer. I won't go so far as to say that reversing a wire transfer is impossible, but I would claim it's many orders of magnitude harder than the credit card reversal.
A mere "court subpoena" wouldn't even be remotely sufficient. The person wanting their money back would pretty much have to sue for it and win. Heck, people that get scammed and send their money via Western Union can't even get their money back... People who sell physical goods that get shipped internationally to places where they can't get them back from have been dealing with irrevocable payment forms for a long, long time, and those are generally wire transfers.
Once that guy in Frackustan has my widgets, I need to make darn sure he can't take his money back :)
So, yeah, there would be some customers for whom the couple of business hours it takes their wire to go through (that's a pretty typical time from my actual experience) would be longer than they would want to wait for their port 25 or other "risky" service to be enabled, but really, how many is that going to be? We're not talking about the wait for ordinary customers who don't need those particular services that tend to be problem children, and we're not talking about existing accounts of long standing, just about a barrier for the drive-by customer who wants to use services and then not pay the cost when they violate the AUP...
On Wed, May 28, 2008 at 11:53 PM, Peter Beckman <beckman@angryox.com> wrote:
Dorn Hetzel wrote:
There is a really huge difference in the ease with which payment from a credit card can be reversed if fraudulent, and the amount of effort necessary to reverse a wire transfer. I won't go so far as to say that reversing a wire transfer is impossible, but I would claim it's many orders of magnitude harder than the credit card reversal.
To paraphrase one of my colleagues from the user interaction world: "The key to offering a compelling service is minimising transaction hassles." I encourage all my competitors to implement inconvenient, hard-to-use payment methods....
The financial services world felt the same pre-9/11. Since then FINRA and SEC regulations enforce "Know Your Customer" rules that require extensive record keeping. The regulations now are quite burdensome. Given that usage of "cloud" resources could be used for DDOS and other illegal activities, I wonder how long it will take companies to realize that if they don't do a good job of self policing, the result will be something they would prefer not to have happen.
----
Matthew Huff       | One Manhattanville Rd
OTA Management LLC | Purchase, NY 10577
www.otaotr.com     | Phone: 914-460-4039
aim: matthewbhuff  | Fax:   914-460-4139
-----Original Message-----
From: Joel Jaeggli [mailto:joelja@bogus.com]
Sent: Thursday, May 29, 2008 9:09 AM
To: Dorn Hetzel
Cc: nanog@nanog.org
Subject: Re: amazonaws.com?
Dorn Hetzel wrote:
Yeah, there was a day when anyone could buy a pickup truck full of ammonium nitrate fertilizer from a random feed store and not attract any attention at all, now, maybe not. Just like port 25, it has plenty of legitimate uses, and some more problematic ones.
On Thu, May 29, 2008 at 9:14 AM, Matthew Huff <mhuff@ox.com> wrote:
Dorn Hetzel wrote:
Yeah, there was a day when anyone could buy a pickup truck full of ammonium nitrate fertilizer from a random feed store and not attract any attention at all, now, maybe not. Just like port 25, it has plenty of legitimate uses, and some more problematic ones.
Equating port 25 use with domestic terrorism is specious. Ammonium nitrate requires some care in handling regardless of your intentions; see for example the Oppau or Texas City disasters.
On May 29, 2008 at 06:46 joelja@bogus.com (Joel Jaeggli) wrote:
Equating port 25 use with domestic terrorism is specious.
Ammonium nitrate requires some care in handling regardless of your intentions; see for example the Oppau or Texas City disasters.
And how different is that from the million+ strong zombie botnets? Who owns (not pwns) those zombie'd systems and what were their intentions?
--
        -Barry Shein
The World              | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Login: Nationwide
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
Barry Shein wrote:
On May 29, 2008 at 06:46 joelja@bogus.com (Joel Jaeggli) wrote:
Dorn Hetzel wrote:
Yeah, there was a day when anyone could buy a pickup truck full of ammonium nitrate fertilizer from a random feed store and not attract any attention at all, now, maybe not. Just like port 25, it has plenty of legitimate uses, and some more problematic ones.
Equating port 25 use with domestic terrorism is specious.
Ammonium nitrate requires some care in handling regardless of your intentions; see for example the Oppau or Texas City disasters.
And how different is that from the million+ strong zombie botnets? Who owns (not pwns) those zombie'd systems and what were their intentions?
Well let's see. The Texas City disaster is/was considered the worst industrial accident in American history. 581 people killed by an explosive yield of about 2 kilotons. The secondary effects include fires in many of the chemical facilities in Galveston and a swath of destruction that reached up to 40 miles inland... http://www.local1259iaff.org/disaster.html So no, I don't think internet attached hosts can be casually equated with the destructive potential of a pile of fertilizer, at least not in the context described.
What I really, really, (really), don't understand is what is this perverse urge to argue incessantly that spam and related do little or no harm, are of little consequence, and nothing can be done about it anyhow? You'd think we were discussing ways to prevent hurricanes (and some won't even accept that there's no answer to those!)

I realize there's a little bit of one-upsmanship to just beating a hopeless point to death (ok, fine, huge ammonium nitrate explosions which level entire cities are worse than million+ zombie bot armies, and superman can beat up the hulk, etc.)

Zombie bot armies et al do cause probably billions of dollars in damages (e.g., equipment and personnel to deal with them, not to mention lost productivity by end users), undermine trust, etc.

But don't you ever stop to consider where your collective bread is buttered before you give the public and quotable impression as professionals that whether or not spam, phishing et al are bad is debatable, like we were arguing creationism vs. evolution, that there's no point in even trying to curb it, that credit cards can't possibly work, etc?

It's one thing to give an idea a proper vetting, it's something else to work backwards from the assumption that nothing can possibly be done and just use reasoning like "I can think of something even worse, so therefore it's not so bad", or "fraud has occurred in credit card transactions, therefore credit cards cannot be viable."

On May 29, 2008 at 11:10 joelja@bogus.com (Joel Jaeggli) wrote:
So no, I don't think internet attached hosts can be casually equated with the destructive potential of a pile of fertilizer, at least not in the context described.
-- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Barry Shein wrote:
What I really, really, (really), don't understand is what is this perverse urge to argue incessantly that spam and related do little or no harm, are of little consequence, and nothing can be done about it anyhow? You'd think we were discussing ways to prevent hurricanes (and some won't even accept that there's no answer to those!)
I realize there's a little bit of one-upsmanship to just beating a hopeless point to death (ok, fine, huge ammonium nitrate explosions which level entire cities are worse than million+ zombie bot armies, and superman can beat up the hulk, etc.)
So don't use bad analogies... Describe the scope of the possible harm you envision.
Zombie bot armies et al do cause probably billions of dollars in damages (e.g., equipment and personnel to deal with them not to mention lost productivity by end users), undermine trust, etc.
But don't you ever stop to consider where your collective bread is buttered before you give the public and quotable impression as professionals that whether or not spam, phishing et al are bad is debatable, like we were arguing creationism vs. evolution, that there's no point in even trying to curb it, that credit cards can't possibly work, etc?
The fact that criminal enterprise is undesirable is not a subject of much debate. I object to the notion that the destruction of life and property is suitably analogous to spam, fraud, theft of resource and denial of service. They aren't. One is at risk of minimizing the suffering of the victims of the former by equating them with the latter.
It's one thing to give an idea a proper vetting, it's something else to work backwards from the assumption that nothing can possibly be done and just use reasoning like "I can think of something even worse, so therefore it's not so bad", or "fraud has occurred in credit card transactions, therefore credit cards cannot be viable."
I don't think there's any evidence of me assuming that. The potential for abuse is not a prima facie reason not to do something. Large successful parts of our economy as well as the basic human condition are devoted to the business of managing opportunity vs risk and the mitigation of the latter where possible.
I'm not on the MLC (which doesn't have any community representatives on it at present) anymore. Nonetheless, I implore everyone to consider this thread dead. It's run far enough afield on speculation and analogies that I for one think it's fairly out of scope. Thanks, ---Rob
On Thu, May 29, 2008 at 11:10:40AM -0700, Joel Jaeggli wrote:
So no, I don't think internet attached hosts can be casually equated with the destructive potential of a pile of fertilizer, at least not in the context described.
One word: SCADA. Yes, in point of fact, I think it *is* reasonable to evaluate potential threats to "just some PCs getting pwned" in terms of physical damage on grander scales. It's not just about spam, or fraudulent credit charges. Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer +-Internetworking------+---------+ RFC 2100 Ashworth & Associates | Best Practices Wiki | | '87 e24 St Petersburg FL USA +-http://bestpractices.wikia.com-+ +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
Oh, come on... Businesses buy services every day that have to be paid for by methods like wire transfer. We're not talking about making it the only payment method, just the method for deposits for "risky" services. I wonder what percentage of Amazon EC2 customers even want outbound port 25 access anyway. Of those that do want port 25 access, how many are going to wind up being more trouble than they are worth? And it's not really central to this conversation, but I don't think Amazon is in *any* danger with respect to their merchant account, almost no matter what they do :) On Thu, May 29, 2008 at 9:08 AM, Joel Jaeggli <joelja@bogus.com> wrote:
Dorn Hetzel wrote:
There is a really huge difference in the ease with which payment from a credit card can be reversed if fraudulent, and the amount of effort necessary to reverse a wire transfer. I won't go so far as to say that reversing a wire transfer is impossible, but I would claim it's many orders of magnitude harder than the credit card reversal.
To paraphrase one of my colleagues from the user interaction world:
"The key to offering a compelling service is minimising transaction hassles."
I encourage all my competitors to implement inconvenient hard to use payment methods....
A mere "court subpoena" wouldn't even be remotely sufficient. The person wanting their money back would pretty much have to sue for it and win. Heck, people that get scammed and send their money via western union can't even get their money back... People who sell physical goods that get shipped internationally to places where they can't get them back from have been dealing with irrevocable payment forms for a long, long time, and those are generally wire transfers.
Once that guy in Frackustan has my widgets, I need to make darn sure he can't take his money back :)
So, yeah, there would be some customers for whom the couple of business hours it takes their wire to go through (that's a pretty typical time from my actual experience) would be longer than they would want to wait for their port 25 or other "risky" service to be enabled, but really, how many is that going to be? We're not talking about the wait for ordinary customers who don't need those particular services that tend to be problem children, and we're not talking about existing accounts of long standing, just about a barrier for the drive-by customer who wants to use services and then not pay the cost when they violate the AUP...
On Wed, May 28, 2008 at 11:53 PM, Peter Beckman <beckman@angryox.com> wrote:
On Wed, 28 May 2008, Barry Shein wrote:
On May 28, 2008 at 21:43 beckman@angryox.com (Peter Beckman) wrote:
On Wed, 28 May 2008, Dorn Hetzel wrote:
I would think that simply requiring some appropriate amount of irrevocable funds (wire transfer, etc) for a deposit that will be forfeited in the case of usage in violation of AUP/contract/etc would be both sufficient and not excessive for allowing port 25 access, etc.
Until you find out that the source of those supposedly irrevocable funds was stolen or fraudulent, and you have some sort of court subpoena to give it back.
I don't believe there is a way for you to outwit the scammer/spammer by making them pay more of their or someone else's money. If you have what they need, they'll find a way to trick you into giving it to them.
Are you still trying to prove that Amazon, Dell, The World, etc can't possibly work?
Amazon and Dell ship physical goods. Amazon Web Services sells services, as do I. Services are commonly enabled and activated immediately after payment or verification of a valid credit card, as is often expected by the customer immediately after payment. Shipment of physical goods will almost always take at least 24 hours, often longer, enabling more thorough checks of credit, however they might do it.
And even with the extra time to review the transaction and attempt to detect fraud, I'm confident Amazon and Dell lose millions per year due to fraud. The reality is that the millions they lose to fraud doesn't affect us because a Blu-Ray player purchased with a stolen credit card doesn't send spam or initiate DOS attacks.
At least not yet; those Blu-Ray players do have an ethernet port.
By your reasoning why don't the spammers just empty out Amazon's (et al) warehouses and retire! Oh right, they'd have to sell it all over the internet which'd mean taking credit cards...
Now you're just being ridiculous. Or sarcastic. :-)
I am a big, big fan of assessing charges for AUP abuse and making some realistic attempt to try to make sure it's collectible, and otherwise make some attempt to know who you're doing business with.
Charging whom? The spammer who pays your extra AUP abuse charges with stolen paypal accounts, credit cards, and legit bank accounts funded by money stolen from paypal accounts and transferred from stolen credit cards?
If you are taking card-not-present credit card transactions over the Internet or phone, and not shipping physical goods but providing services, in my experience the merchant gets screwed, no matter how much money you might have charged for the privilege of using port 25 or violating AUPs. That money you collected and believed was yours and was in your bank account can be taken out just as easily 6 months later, after the lazy card holder finally reviews his credit card bill, sees unrecognized charges and says "This is fraudulent!" And there you are, without your money.
Getting someone to fax their ID in takes extra time and resources, and means it might be hours before you get your account "approved," and for some service providers, part of the value of the service is the immediacy in which a customer can gain new service.
Beckman
--------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/
---------------------------------------------------------------------------
On May 29, 2008 at 06:08 joelja@bogus.com (Joel Jaeggli) wrote:
To paraphrase one of my colleagues from the user interaction world:
"The key to offering a compelling service is minimising transaction hassles."
I encourage all my competitors to implement inconvenient hard to use payment methods....
One way of describing it is "minimizing transaction hassles". Another way of describing it is "monetizing others' hassles": let them spend on bandwidth, firewalls, personnel, etc, to deal with my customers' spamming. That's the arbitrage we're currently dealing with. But you're right, there was no good reason for tobacco companies to concern themselves with the cost of health effects of their products for many, many years, it wasn't their problem. -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Thu, May 29, 2008 at 06:08:47AM -0700, Joel Jaeggli wrote:
Dorn Hetzel wrote:
There is a really huge difference in the ease with which payment from a credit card can be reversed if fraudulent, and the amount of effort necessary to reverse a wire transfer. I won't go so far as to say that reversing a wire transfer is impossible, but I would claim it's many orders of magnitude harder than the credit card reversal.
To paraphrase one of my colleagues from the user interaction world:
"The key to offering a compelling service is minimising transaction hassles."
I encourage all my competitors to implement inconvenient hard to use payment methods....
I do too. If all of your competitors uniformly make it just enough harder for Bad Actors to rent servers from which to Act Bad, then we'll *know* where it's coming from, and what to do about it -- and why (you wanted to make more money). See also "Tragedy Of The Commons". Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer +-Internetworking------+---------+ RFC 2100 Ashworth & Associates | Best Practices Wiki | | '87 e24 St Petersburg FL USA +-http://bestpractices.wikia.com-+ +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
On Thu, 29 May 2008, Dorn Hetzel wrote:
There is a really huge difference in the ease with which payment from a credit card can be reversed if fraudulent, and the amount of effort necessary to reverse a wire transfer. A mere "court subpoena" wouldn't even be remotely sufficient. The person wanting their money back would pretty much have to sue for it and win.
So, yeah, there would be some customers for whom the couple of business hours it take their wire to go through would be longer than they would want to wait for their port 25 or other "risky" service to be enabled, but really, how many is that going to be.
In the end, all you've done with these "extra" AUP and risk charges is line YOUR (generally, not directed at you Dorn) pockets while the rest of us suffer under the deluge of spam sent from your systems. Which still sucks for the rest of the 'net.

I suspect that for Amazon, it is easier and cheaper for them to screw us and allow spam to flow out port 25 unhindered (which costs US money and time) than it is to implement something that makes them a good Internet citizen (which costs AMAZON money and time). Maybe they'll change their stance, but I suspect it is a business decision to not block port 25 and hang out on blacklists, not a good Internet citizen decision.

My position from the beginning of this thread is that you cannot AUP this problem away, nor can you just "charge more" and hope THAT will stop it, nor can you simply improve and perfect anti-fraud systems so spammers and fraudsters cannot gain access to your services. It's free to do nothing, and there is a cost of doing something. There are no laws that say what Amazon is doing is illegal, either.

You have choices: null route them, blacklist them, get a group together (NANOG?) and group null route Amazon's EC2 IP blocks until they bow to your demands. Being on the 'net means spam, DOS attacks, being slashdotted, dealing with bad Internet citizens, etc. Either you accept those facts, or you should give up and go unplug your connection. With a backhoe, preferably. Much more fun.

Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
On May 28, 2008 at 23:53 beckman@angryox.com (Peter Beckman) wrote:
Getting someone to fax their ID in takes extra time and resources, and means it might be hours before you get your account "approved," and for some service providers, part of the value of the service is the immediacy in which a customer can gain new service.
Right, which means they're monetizing the risk and cost of damages for the rest of the net. They're selling your resources also (e.g., need for firewalls, bandwidth, cleanup.) That monetization needs to be recognized. If I rented cars to people w/o checking creds to a reasonable standard and those cars were used in the commission of crimes or generated a lot of insurance claims and emergency personnel expenses what would the reaction be? I doubt it would be "...but fast turnaround is that car rental company's competitive advantage! what can they do???" -- -Barry Shein The World | bzs@TheWorld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Peter Beckman <beckman@angryox.com> writes:
If you are taking card-not-present credit card transactions over the ...snip "hard to charge fraudulent customers" and also "verifying customer identity annoys the customer"... points-
The goal here is to give abuse a negative expected return. One way to do this is to charge (and collect) a fee that is greater than what the spammer can earn between when they sign up and when you shut them down. There are two ways to do this: 1. raise (and collect) the abuse fee, or 2. lower the amount they can earn before you shut them down.

I am suggesting that we put some effort into 2. If we can reduce the amount of time between when a spammer signs up and when they are shut down, we raise the spammer's costs. I think there is low-hanging fruit in this area.

I believe that the 'strongly authenticate customer, then take legal action' model is dictated by the fact that most abuse incidents are not actually reported to your abuse desk; some abusive customers can go days or weeks before you receive a complaint. To give abuse a negative expected return, then, you need to make the consequence expensive. (To say nothing of covering the costs of trying to get good logs/evidence out of those who are complaining, or trying to figure out if your customer is a spammer or if your customer was owned by a spammer, and the costs of collecting the fee.)

I wanted to point out another option providers now have. IDS technology has matured. Snort is free and pretty standard. Personally, I find monitoring incoming traffic to be... of limited utility. However, I believe Snort is an excellent tool for lowering the cost of running an abuse desk, if you run it on the outgoing traffic. Snort is pretty good about alerting you to outgoing abuse before people complain. Heck, if you trust it, you can have it automatically shut down the abusive customers.
On Thu, 29 May 2008, Luke S Crawford wrote:
Peter Beckman <beckman@angryox.com> writes:
If you are taking card-not-present credit card transactions over the ...snip "hard to charge fraudulent customers" and also "verifying customer identity annoys the customer"... points-
The goal here is to give abuse a negative expected return. One way to do this is to charge (and collect) a fee that is greater than what the spammer can earn between when they sign up and when you shut them down. There are two ways to do this: 1. raise (and collect) the abuse fee, or 2. lower the amount they can earn before you shut them down.
All these charges do is line the coffers. Sure, a few might be prevented from doing it in the first place, but the rest will continue, and everyone else here, including Barry, will continue to get hit by spam and DOS and backscatter.
I wanted to point out another option providers now have. IDS technology has matured. Snort is free and pretty standard. Personally, I find monitoring incoming traffic to be... of limited utility. However, I believe snort is an excellent tool for lowering the cost of running an abuse desk, if you run it on the outgoing traffic. Snort is pretty good about alerting you to outgoing abuse before people complain. Heck, if you trust it, you can have it automatically shut down the abusive customers.
This is what I think we should ALL be doing -- monitoring our own network to make sure we aren't the source, via customers, of the spam or DOS attacks. All outbound email from your own network should be scanned by some sort of best-practice system before delivery to prevent or limit spam from originating on your network. IMO. But let's be realistic -- the reality is that not everyone does, due to financial or resource or management constraints, and that receiving spam and being hit by DOS attacks and being slashdotted is simply part of the cost of being on the 'net. Profiting MORE from those that proliferate these attacks may hurt you less in the bottom line, but it still hurts everyone else who is the target of the attacks enabled by high AUP abuse fees. I know I'd be just as ticked off about a spam attack from Amazon EC2, whether or not Amazon got paid extra to enable it. Beckman --------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com http://www.angryox.com/ ---------------------------------------------------------------------------
Peter Beckman <beckman@angryox.com> writes: ...snip "use snort" suggestion....
This is what I think we should ALL be doing -- monitoring our own network to make sure we aren't the source, via customers, of the spam or DOS attacks. All outbound email from your own network should be scanned by some sort of best-practice system before delivery to prevent or limit spam from originating on your network. IMO. But let's be realistic -- the reality is that not everyone does, due to financial or resource or management constraints
I believe that in the case of a VPS provider like ec2, monitoring outgoing traffic with an IDS is cheaper than not monitoring it. Abuse reports are expensive to process. You need people with both social and technical skills on your end, people with social and technical skills who are willing to do what amounts to technical support. Often the abuse reports are vague, requiring back-and-forth. Even if your IDS only catches a small percentage of the abuse-generating complaints (and I bet the IDS can get a large percentage of the complaint-generating abuse; it takes a lot of abuse to generate a complaint) you are saving a lot of money on abuse desk services. Heck, I bet just the ability to search IDS logs after an abuse report would pay for the IDS.
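Luke's two points above (run the IDS on outgoing traffic so abuse surfaces before complaints do, and keep the alert log searchable for when a report does arrive) as a small added example; this is not code from the thread, from Snort, or from any provider. It parses Snort alert_fast lines and reports customer source addresses that exceed a per-window count of outbound port-25 alerts; the alert lines, the rule SIDs and the 10.0.5.0/24 customer prefix are constructed for the example.

```python
"""Turn Snort 'fast' alert lines into a per-customer outbound-abuse report.

Added example: parse alert_fast output, keep only alerts whose source is in the
provider's customer space and whose destination is port 25, and flag sources
that raise several such alerts in a short window.  Everything below (alert
lines, SIDs, prefix) is constructed for illustration.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Snort alert_fast layout:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed: the provider's customer address space (RFC 1918 used here).
CUSTOMER_PREFIXES = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed alert lines; SIDs >= 1000000 are the local-rule range.
SAMPLE_ALERTS = [
    "05/29-10:15:23.104512  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.12:43012 -> 203.0.113.20:25",
    "05/29-10:15:30.220101  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.30:51000 -> 203.0.113.20:25",
    "05/29-10:15:31.000000  [**] [1:1000002:1] LOCAL outbound HTTP scan [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.30:51001 -> 203.0.113.50:80",
    "05/29-10:16:01.771000  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.12:43020 -> 203.0.113.21:25",
    "05/29-10:17:45.313000  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.12:43031 -> 198.51.100.7:25",
    "05/29-10:17:50.000000  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.9.4:40000 -> 203.0.113.20:25",
    "05/29-12:40:00.000000  [**] [1:1000001:1] LOCAL outbound SMTP to many MX [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.0.5.12:43100 -> 203.0.113.22:25",
    "this line is not a Snort alert and must be skipped",
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not fast-format."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    return {
        # alert_fast carries no year, so strptime fills in 1900; differences still work
        "ts": datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "proto": m["proto"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dst_port": int(m["dport"]),
    }


def flag_outbound_smtp(lines, prefixes, threshold=3, window=timedelta(minutes=5)):
    """Map customer source IP -> total outbound port-25 alerts, for sources that
    raised at least `threshold` such alerts inside some `window`-long interval.

    Only sources inside `prefixes` are counted, so alerts about inbound traffic
    or about addresses the provider does not own never reach the abuse queue.
    """
    per_src = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a is None or a["dst_port"] != 25:
            continue
        if not any(a["src"] in p for p in prefixes):
            continue
        per_src[a["src"]].append(a["ts"])

    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        # Sliding window: the threshold-th alert at or after stamps[i] must fit in window.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[str(src)] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for src, n in flag_outbound_smtp(SAMPLE_ALERTS, CUSTOMER_PREFIXES).items():
        print(f"{src}: {n} outbound SMTP alerts, candidate for abuse-desk review")
```

Only 10.0.5.12 is reported: three of its alerts fall inside one five-minute window, while 10.0.5.30's single SMTP alert, its port-80 alert and the non-customer 192.168.9.4 source are all left out.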
I strongly suggest that those heading to New York visit the great museums, architecture (Saint Patrick's Cathedral), and restaurants. You have the American Museum of Natural History, which includes an excellent Planetarium and just on the other side of Central Park, the Metropolitan Museum of Art and the Guggenheim. There are excellent Chinese and Indian restaurants in Lower Manhattan. Do not take taxis in New York. The subway is much faster and cheaper. Regards, Roderick.
On Sat, May 31, 2008 at 12:36 PM, Rod Beck <Rod.Beck@hiberniaatlantic.com> wrote:
Do not take taxis in New York. The subway is much faster and cheaper.
'you may consider that the NYC metro system is fairly cheap, fairly ubiquitous... Taxis are relatively expensive in the city, though nice for certain places which may be more of a gymnastics event on the metro' (the taxi system in nyc isn't too horrid, though it is pricey, which I think was Rod's main objection... plus if you taxi you miss out on the other famous NYC attraction, the giant metro rats! :) )
I miss those dancing rats on the Subway platform at Columbus Circle. Frisky Little Critters. Regards, Roderick S. Beck Director of European Sales Hibernia Atlantic 1, Passage du Chantier, 75012 Paris http://www.hiberniaatlantic.com Wireless: 1-212-444-8829. Landline: 33-1-4346-3209. French Wireless: 33-6-14-33-48-97. AOL Messenger: GlobalBandwidth rod.beck@hiberniaatlantic.com rodbeck@erols.com ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.
Christopher Morrow wrote:
On Sat, May 31, 2008 at 12:36 PM, Rod Beck <Rod.Beck@hiberniaatlantic.com> wrote:
Do not take taxis in New York. The subway is much faster and cheaper.
'you may consider that the NYC metro system is fairly cheap, fairly ubiquitous... Taxis are relatively expensive in the city, though nice for certain places which may be more of a gymnastics event on the metro'
(the taxi system in nyc isn't too horrid, though it is pricey, which I think was Rod's main objection... plus if you taxi you miss out on the other famous NYC attraction, the giant metro rats! :) )
If you're not from NYC and/or aren't familiar with certain places, be advised that taxi drivers can *mistakenly* get lost, resulting in you paying a high bill.

Tips on getting around:

* East and West start on 5th Avenue. When you're on a numbered STREET (not Avenue) the divider between East and West is Fifth Avenue. The numbers work themselves from there on. So for example, if you needed to get to say 12 E57th Street, this will be between 5th and Madison Avenue. 400 E57th will likely be down near 2nd and 3rd Avenue. Numbers head higher in opposite directions: 1 West Whatever Street will be on the West side of 5th Avenue and vice versa, 1 East will be across from 1 West ;)

* Good eating: Chinese is best (opinion) around Mott Street and Canal. I've always stayed away from places directly on Canal Street. Best method to get around here via subway: 4 or 5 train from Brooklyn to City Hall, transfer to the 6 train one stop. Italian: Anywhere in Little Italy is usually good. Mulberry Street has some pretty good restaurants. Dress is usually casual for most places.

Nightlife: Depending on your genre, see if you can pick up a copy of "Village Voice", usually free in the city (Manhattan for non NYers). Towards the end of the page, they usually post all sorts of clubs, dance spots, bars, etc..
Unsure of NANOG's dates (too lazy to read) - if it ends up going on through next Sunday or even begins then, some may want to keep away from the city or at least the midtown area as the Puerto Rican Day Parade is in the city. Usually crowded, and getting around the city via the train is a headache.

NY'er tips... After certain hours, say 11pm'ish, when taking any of the subways (if you do), you generally want to stay in the car nearest the conductor. You'll usually find the troublemakers near the end of the cars. Same goes for the platforms. If you have to take a train late at night, stay in a visible area (common sense).

Empire State Building... If you're going to visit, be aware they're doing a slew of security checks so expect delays. Any entrance you come in on, you'll end up getting in the line (tourist). Unsure about the visitors heading to the top, but you'll usually be asked for photo ID getting in the building (I was just there earlier this month).

Yankee Stadium: It's the B, D or 4 trains. 4 is generally fastest to 161st Street. Shea Stadium, Tennis Center, Worlds Fair: 7 train. If you see a 7 train in a diamond (not circle) jump on it. It's the express train and will get you there faster.

Lest I forget... Good good good steak: Peter Luger's (overrated a bit but some really good steaks).

Here is a link for bars, clubs, nightlife, etc., etc., for those who don't pick up the paper: http://www.villagevoice.com/bestof/2007/category/arts http://www.villagevoice.com/bestof/2007/category/bars http://www.villagevoice.com/bestof/2007/category/sports (browse through, not what you may think)

Hippest bars (noise, music, people factor) (opinion): Anywhere under 14th street (14-Delancey) on 2nd Avenue. You could head towards midtown but they end up becoming. Snootiest bars (snooty meaning stuck up, I make more money from my dad's trust fund than you): 40s-60s circa 2nd and 3rd Avenue.
Anything goes bars: Usually in the East Village (Bowery). Guess My Gender bars: Usually in the West Village. Cool place to get a bite to eat, be seen, hear some cool music, see some cool people (think noisy): Caliente Cab Company. Best place to throw away your money for lights, camera and crapaganda: Times Square. That's it for me. ;)
Speaking of food, I'll be going to the Big Apple BBQ fest next weekend: http://bigapplebbq.org/2008/ If you love to eat BBQ, this is a big MUST to cap off your stay in NYC. If you do decide to go, be sure to get the Fastpass: http://www.bigapplebbq.org/2008/index.php?s=fastpass You don't want to wait 30 mins online for food. Don't forget a bib and leave your belt at home. :-)

- ------------------------------------
Andrew Young
Webair Internet Development, Inc
Phone: 1 866 WEBAIR 1
FAX: 516.938.5100
http://www.webair.com
andrewy@webair.com
-------------------------------------

On Sat, 2008-05-31 at 18:17 -0400, Scott Brim wrote:
On 5/31/08 12:36 PM, Rod Beck allegedly wrote:
I strongly suggest that those heading to New York visit the great museums, architecture (Saint Patrick's Cathedral), and restaurants. You have the American Museum of Natural History, which includes an excellent Planetarium and just on the other side of Central Park, the Metropolitan Museum of Art and the Guggenheim. There are excellent Chinese and Indian restaurants in Lower Manhattan.
Don't forget about Brooklyn in all this Manhattan praise :-). Consider the Brooklyn Botanic Garden. It's too late for cherries but the rose collections will be great. And the best pizza in New York (if you can get in) is at http://menupages.com/restaurantdetails.asp?areaid=0&restaurantid=31402&neighborhoodid=114&cuisineid=0
Barry Shein <bzs@world.std.com> wrote on 05/28/2008 11:08:56 PM:
I'm still curious what a typical $ sale is on one of these cloud compute clusters, in orders of magnitude, $1, $10, $100, $1000, ...?
Not sure what a typical sale looks like, but:

Single virtual instance: ~ $72/month from AWS

Storage
- $0.15 per GB-Month of storage used

Data Transfer
- $0.100 per GB - all data transfer in
- $0.170 per GB - first 10 TB / month data transfer out
- $0.130 per GB - next 40 TB / month data transfer out
- $0.110 per GB - next 100 TB / month data transfer out
- $0.100 per GB - data transfer out / month over 150 TB

Requests
- $0.01 per 1,000 PUT, POST, or LIST requests
- $0.01 per 10,000 GET and all other requests*

* No charge for delete requests

Joe
On Wed, May 28, 2008 at 11:08 PM, Barry Shein <bzs@world.std.com> wrote:
I am a big, big fan of assessing charges for AUP abuse and making some realistic attempt to try to make sure it's collectible, and otherwise make some attempt to know who you're doing business with.
Just out of curiosity, what stats can you make available as far as:
- How often you assess this AUP abuse fee?
- How often it is successfully collected?
- How successful are chargebacks against that fee?

I've heard lots of anti-abuse folks opine that this helps with spam and other abuse prevention and cleanup, but I've never seen it in practice before. I've also heard multiple ISP folks talk about it being unenforceable. And from what I know from working for an e-commerce service provider in the past, it sounds like a chargeback magnet that could even endanger the merchant account of anybody who uses it more than once.

Regards,
Al Iverson

--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
On May 29, 2008 at 09:07 aiversonlists@spamresource.com (Al Iverson) wrote:
On Wed, May 28, 2008 at 11:08 PM, Barry Shein <bzs@world.std.com> wrote:
I am a big, big fan of assessing charges for AUP abuse and making some realistic attempt to try to make sure it's collectible, and otherwise make some attempt to know who you're doing business with.
Just out of curiosity, what stats can you make available as far as:
- How often you assess this AUP abuse fee?
- How often it is successfully collected?
- How successful are chargebacks against that fee?
I'll just say we have certainly assessed AUP abuse fees and in most cases collected those fees. The most common fee is a $50 per incident charge for spam complaints after a stern warning or two which depends on frequency, a few per day is very different than one or two per month, and what to do with those phony AOL TOS complaints which almost always mean "I asked to be on this list but I forgot how to get off so maybe if I keep clicking the spam button..."?

These are not generally for all-out spamming in our experience. I don't think that's even happened from here in this century. But I've had people who sold services and harvested addresses from, e.g., usenet groups or mailing lists they joined specific to those services (kinda like the router salesman you sometimes hear about on nanog) which generated complaints. They got a lecture and a warning. In a few cases their persistence got them billed, as warned, which usually put a stop to it.

One time very early on I remember someone did some more egregious spamming and I shut him down and added a $1500 clean-up fee and he paid it. I was a bit shocked. I've billed a few others like that and of course they just disappeared.

One advantage of AUP abuse fees, from a business point of view, is that if you've done your homework (in the AUP, customer clearly warned on first offense, response received) you can then shut them down pending a significant deposit or payment of abuse fees on your terms. You can, e.g., say this is too much for a credit card if you doubt their trustworthiness, credit cards aren't legal tender, and demand some more trustworthy payment method. Let's be frank, once you're pretty sure they're willful spammers you're not losing a lot of sleep over keeping them happy, you're mostly trying to get rid of them unless this is really something they're willing to give up entirely.

Should they try to come back at you legally this is a lot more understandable ("I never extended them a credit relationship of $1500 on a $20/mo account!") than just "we didn't like what they were doing with their account". Anyone can understand non-payment, even a court, so claims of "business damages" etc mostly go out the window ("but if it was so important to your business why didn't you just pay the fees??? it was in their AUP, didn't you read it?")

Obviously the fees have to be steep enough to discourage even someone who might otherwise be willing to pay the fees. And for the way spammers work that doesn't have to be very high, they mostly shoot for "free" as an overhead goal, even the semi-legitimate types who would claim they're just doing direct email marketing and sell products a little more credible than herbal body enlargement pills.

At any rate I'll admit all this begs the zombie bot spammers and others whose businesses are entirely built on crime and fraud but we were talking about computing clouds.

As to chargebacks, over almost 20 years we've punched millions of card charges and I'd say the number of chargebacks is small enough that it usually gets mentioned when it happens, "hmm, we had a couple of chargebacks this month", very few, certainly not one a month. We have what I'd call a normal number of "card invalid" (closed, over limit, expiration date wrong, etc.), you get a steady stream of those, but nothing I'd call serious and in most cases gets straightened out with the customer...before someone (as usually happens in these discussions) re-defines those as "chargebacks" and uses the redefinition to question my credibility/sanity. By chargebacks I mean a disputed charge, they're clearly distinguished in your merchant acct from just "bad" cards.

--
-Barry Shein
The World | bzs@TheWorld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD | Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
On Thu, May 29, 2008 at 10:03 PM, Barry Shein <bzs@world.std.com> wrote:
The most common fee is a $50 per incident charge for spam complaints after a stern warning or two which depends on frequency, a few per day is very different than one or two per month, and what to do with those phony AOL TOS complaints which almost always mean "I asked to be on this list but I forgot how to get off so maybe if I keep clicking the spam button..."?
You run a boutique provider of shells that - at least today - almost exclusively caters to geeks. You aren't as likely to pick up genuinely badhat spamming customers as the rest of us large ISPs are - and the large colo farms (he.net, softlayer etc) are even more vulnerable to this kind of thing. Feedback loops (such as those AOL provide, or we provide - and we were the second ISP after AOL to offer ARF'd feedback loops) are about the best tool any ISP has available to it, to get near real time spam reports. You're a corner case. And an opinionated corner case at that. That doesn't change just how useful FBLs are to the vast majority of consumer ISPs out there. --srs
On 5/28/08, Skywing <Skywing@valhallalegends.com> wrote:
That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place...
(I assume that you are not actually really advocating such a requirement for anyone wanting to run a mail server...)
- S
Many, many years ago, when I was working someplace that was just starting to dabble in shared hosting, the company would require a faxed copy of a driver's license to enable some hosting features (shell off the top of my head). In today's world, this simply will not do (customer sentiment, liability for loss of that data you're storing, and so on). I think the straightforward fix is for Amazon to put some practical mail guidelines together for their environment (time-based volume limitations, Amazon-provided smarthosts, etc) with an exception process for those who need larger amounts of legitimate outbound mail. I guess legitimate is subjective though. *sigh* -brandon
I think the straightforward fix is for Amazon to put some practical mail guidelines together for their environment
Has anyone making these suggestions ever thought to look at the Amazon Web Services agreement that governs these EC2 customers? <http://www.amazon.com/AWS-License-home-page-Money/b/ref=sc_fe_c_0_201590011_13?ie=UTF8&node=3440661&no=201590011&me=A36L942TSJ2AJA> --Michael Dillon
On Wed, May 28, 2008 at 12:01:30PM -0500, Skywing wrote:
That's somewhat ironic of a sentiment you referred to there, given that the conception that one should have to hand over one's SSN for "verification" to anyone who asks for it is the kind of thing that many of these spammers/phishers thrive on in the first place...
What... are people still using SSNs as authenticators instead of identifiers, 20 years on? Cheers, -- jra -- Jay R. Ashworth jra@baylink.com Designer +-Internetworking------+---------+ RFC 2100 Ashworth & Associates | Best Practices Wiki | | '87 e24 St Petersburg FL USA +-http://bestpractices.wikia.com-+ +1 727 647 1274 If you can read this... thank a system administrator. Or two. --me
On 28 May 2008, at 16:34, Sargun Dhillon wrote:
Well the thing that differentiates "the cloud" is that there is an infinite amount of resources, the ability to have anonymous access, and the infinite amount of identities.
That sounds great. Presumably in addition to the above the sun is always shining, cats never crap in the kitchen and those responsible for the American Idol franchise have been lined up against the wall and shot? Joe
On Wed, May 28, 2008 at 9:14 AM, Steve Atkins <steve@blighty.com> wrote:
On May 28, 2008, at 9:03 AM, Sargun Dhillon wrote:
Has Amazon given an official statement on this? It would be nice to get someone from within Amazon to give us their official view on this. It would be even more appropriate for the other cloud infrastructures to join in, and or have some sort of RFC to do with SMTP access within the "cloud." I forsee this as a major problem as the idea of "the cloud" is being pushed more and more. You are talking about a spammers dream. Low cost , powerful resources with no restrictions and complete anonymity.
Personally I'm going to block *.amazonaws.com from my mail server until Amazon gives us a statement on how they are planning on fighting spam from the cloud.
"The cloud" is just a marketing term for a bunch of virtual servers, at least in Amazons case. It's nothing particularly new, just a VPS farm with the same constraints and abuse issues as a VPS or managed server provider.\
These are highly dense service farms that are making efficient use of power, CPU, memory and network based on huge densities based on power and square footage. It's far more than a marketing term. Careful. Don't underestimate this trend. -M<
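The "block *.amazonaws.com from my mail server" idea in the quoted message is, on a receiving MTA, a client-hostname policy decision. The following is an added example (not code from the thread or from any of the posters) of how such a check is made safely: the client's reverse DNS is only trusted when it is forward-confirmed (the PTR name resolves back to the connecting address), and an unconfirmed name yields no decision rather than a reject, so the MTA's later restrictions handle it. All DNS data and the blocked-suffix list are constructed for the example; the action names DUNNO and REJECT are the ones a Postfix access policy returns.

```python
"""Added example: forward-confirmed rDNS policy check for an SMTP client.

Constructed lookup tables stand in for real PTR and A queries so that the
example runs offline; BLOCKED_SUFFIXES is a hypothetical local policy.
"""
import ipaddress

# Constructed PTR answers (IP -> reverse name). The .11 entry deliberately
# has a PTR whose forward lookup does not point back at it.
PTR_TABLE = {
    "203.0.113.10": "ec2-203-0-113-10.compute-1.amazonaws.com.",
    "203.0.113.11": "ec2-203-0-113-11.compute-1.amazonaws.com.",
    "198.51.100.5": "mail.example.net.",
}

# Constructed A answers (hostname -> set of addresses it resolves to).
A_TABLE = {
    "ec2-203-0-113-10.compute-1.amazonaws.com": {"203.0.113.10"},
    "ec2-203-0-113-11.compute-1.amazonaws.com": {"203.0.113.99"},
    "mail.example.net": {"198.51.100.5"},
}

# Hypothetical local policy: domains whose clients are refused outright.
BLOCKED_SUFFIXES = ("amazonaws.com",)


def fcrdns(ip, ptr_table=PTR_TABLE, a_table=A_TABLE):
    """Return the forward-confirmed reverse name for ip, or None.

    A PTR name is only accepted when the name's own A records include
    the connecting address; anything else is treated as unverified.
    """
    ipaddress.ip_address(ip)  # reject malformed input early
    name = ptr_table.get(ip)
    if name is None:
        return None
    name = name.rstrip(".").lower()
    if ip in a_table.get(name, set()):
        return name
    return None


def host_under(name, suffix):
    """True when name equals suffix or is a subdomain of it.

    Uses a label boundary so 'notamazonaws.com' does not match.
    """
    return name == suffix or name.endswith("." + suffix)


def policy(ip, ptr_table=PTR_TABLE, a_table=A_TABLE, blocked=BLOCKED_SUFFIXES):
    """Decide what to do with a connecting client address.

    Returns (action, reason). REJECT is only issued on a verified name;
    DUNNO means 'no opinion', leaving the decision to later restrictions
    (for example a rule that rejects clients without valid rDNS).
    """
    name = fcrdns(ip, ptr_table, a_table)
    if name is None:
        return ("DUNNO", "no forward-confirmed rDNS")
    for suffix in blocked:
        if host_under(name, suffix):
            return ("REJECT", f"client {name} is under blocked domain {suffix}")
    return ("DUNNO", f"client {name} not in blocklist")


if __name__ == "__main__":
    for client in ("203.0.113.10", "203.0.113.11", "198.51.100.5", "192.0.2.1"):
        action, reason = policy(client)
        print(f"{client:15} {action:7} {reason}")
```

Returning DUNNO for the unconfirmed PTR (203.0.113.11) is the deliberate design choice: a blocklist keyed on a name the client cannot prove it owns would be trivially evaded by anyone who controls their own PTR record, and an outright reject there would also punish misconfigured legitimate senders. Whether unverified rDNS is itself grounds for refusal is a separate policy decision.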
participants (26)
- Al Iverson
- andrew young
- Barry Shein
- Brandon Galbraith
- Christopher Morrow
- Colin Alston
- Dorn Hetzel
- J. Oquendo
- Jay R. Ashworth
- Joe Abley
- Joe Loiacono
- Joel Jaeggli
- Luke S Crawford
- Martin Hannigan
- Matthew Huff
- michael.dillon@bt.com
- Peter Beckman
- Robert Bonomi
- Robert E. Seastrom
- Rod Beck
- Sargun Dhillon
- Scott Brim
- Skywing
- Steve Atkins
- Suresh Ramasubramanian
- Tony Finch