John Gilmore is what many of us consider a "hero". A longtime technical guy and a very strong lover of freedom, he was the subject of a cover feature in the August 2003 issue of Reason Magazine making the case for not requiring photo ID when traveling domestically. The man is my hero, really.
But for a guy with such a technical background, he doesn't get it when it comes to spam. He has long had a pissing contest about running an open relay, believing he has the right to operate his computers as he sees fit. This is a very nice sentiment, one that many of us share in theory, but in the real world he will be taken advantage of. He ended up getting booted by Verio for TOS violations.
Good for Verio.
Today my mailserver rejected mail from John's server, and it's a good bet it was spam (why else would an AOL user be sending mail to me from him?)
John, you're a hero for freedom, but you don't get to tell me what mail I can receive. And God Bless Verio for booting a customer who is not responsible for his own actions. This is very sad.

Nov 16 19:52:05 linux postfix/smtpd[7073]: 633894252: reject: RCPT from new.toad.com[209.237.225.253]: 554 Service unavailable; Client host [209.237.225.253] blocked using relays.ordb.org; This mail was handled by an open relay - please visit <http://ORDB.org/lookup/?host=209.237.225.253>; from=<406kbkow@aol.com> to=<steve@unixwiz.net> proto=ESMTP helo=<new.toad.com>
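For readers who want to see exactly what that rejection records, here is an added example (not from the original post) that parses a Postfix smtpd DNSBL reject line into its fields and rebuilds the reversed-octet query name the MTA would have looked up in the list's zone. The sample input is the log line quoted above; the regex and the `analyze` helper are my own, written for Postfix's "reject: RCPT from" format.

```python
"""Parse a Postfix smtpd DNSBL reject line and rebuild the DNSBL query name.
Added example; the sample log line is the one quoted in the post."""
import re

# Sample input (constructed from the rejection quoted above, verbatim).
LOG_LINE = (
    "Nov 16 19:52:05 linux postfix/smtpd[7073]: 633894252: reject: RCPT from "
    "new.toad.com[209.237.225.253]: 554 Service unavailable; Client host "
    "[209.237.225.253] blocked using relays.ordb.org; This mail was handled by "
    "an open relay - please visit <http://ORDB.org/lookup/?host=209.237.225.253>; "
    "from=<406kbkow@aol.com> to=<steve@unixwiz.net> proto=ESMTP helo=<new.toad.com>"
)

# Postfix "reject:" lines share this shape: client reverse-DNS name and IP,
# SMTP status code, then an optional "blocked using <zone>" clause when a
# DNSBL caused the rejection, then envelope sender and recipient.
_REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<qid>\w+): reject: RCPT from "
    r"(?P<client>[^\[]+)\[(?P<ip>[\d.]+)\]: (?P<code>\d{3}) [^;]*"
    r"(?:; Client host \[[\d.]+\] blocked using (?P<zone>[^;]+))?.*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def parse_reject(line):
    """Return a dict of the interesting fields, or None for non-reject lines."""
    m = _REJECT_RE.search(line)
    return m.groupdict() if m else None

def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the IPv4 octets under the list's zone
    (the RFC 5782 convention): 209.237.225.253 -> 253.225.237.209.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def analyze(line):
    """Parsed fields plus the DNSBL query name when a zone was logged."""
    rec = parse_reject(line)
    if rec and rec["zone"]:
        rec["dnsbl_query"] = dnsbl_query_name(rec["ip"], rec["zone"])
    return rec

if __name__ == "__main__":
    for key, value in analyze(LOG_LINE).items():
        print(f"{key:12} {value}")
```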
My local cable company (Comcast) runs ads every now and then against the stealing of cable service, and there are a couple of spots in rotation. I completely agree that stealing cable service is "theft", but they make one of their points in a pretty lame way.
They have one guy talking about how dealers of descramblers often keep lists of customers, which suggests that if you bought one, you're more likely to be a target. This part is still fair (and I hope effective). But then they have an onscreen graphic that shows the poverty of their argument:
On June 22, 1994, Kenneth Murdock of Hi-Tech Electronics (Taylor, Michigan) pleaded guilty to selling illegal cable decoders and may face up to 10 years in prison.
This was almost ten years ago, and even if this guy had been sentenced he'd probably be out by now. This is just a very lame argument.
Generally speaking, I presume that people lead with their best arguments, and if those fall, the junior varsity arguments probably won't fare much better. If these guys are sending the message that the best they can do is a 10-year-old case, they're not going to scare many people.
I'm a big fan of Nessus, the open-source vulnerability scanner, and I wrote about this excellent tool in Linux Magazine some time ago. There is an active developer community, and when a new vulnerability is announced, a plugin is usually built quickly and released.
Nessus competes with very expensive commercial scanners, such as Retina from eEye or FoundScan from FoundStone. It's not difficult to spend a couple of thousand dollars on these kinds of tools, and it's much more expensive if you're using these tools in a security consulting practice.
I dip a toe or two in Nessus development from time to time and am on the mailing list, and today we saw this doozy:
Date: Tue, 11 Nov 2003 11:07:23 -0800
From: Paul Weekley <pweekley@netxposed.com>
To: nessus@list.nessus.org
Subject: Nessus Reporting
Our company uses Nessus as its main engine for network audits of vulnerabilities. This is an awesome utility. While using Nessus, we have produced our own report which converts the xml output into both a standard report and a top level 'executive' report in both html and pdf formats.
Would others be interested in having their scans converted into these easy to read, graphical reports for a modest price? Also, we are considering producing other report styles based on feedback.
We thought that this would allow another way to 'stand above' other reports by providing an easier and more attractive presentation.
We are interested in your input.
Paul Weekley
pweekley@netxposed.com
http://www.netxposed.com
Those not really hip to the whole "Open Source" thing might need this translated a bit; here's my effort:
Hello everybody.
We make money selling security services using the free Nessus scanner, which is the fruit of the free labors of many on the mailing list. Like many of you, we've written some add-on software to work with Nessus, but unlike many of you who give it all back, we'd like to see if any of you want to pay us to use it.
Did we mention that we love your free scanner?
If one would speculate "Hmmm, this won't go over so well", one would be right, and it's best embodied by the response from Renaud Deraison, the author and main driving force behind this wonderful tool.
From: Renaud Deraison
To: nessus@list.nessus.org
Subject: Re: Nessus Reporting
Paul, could you remind us what your company does or did to help Nessus development before anyone even starts considering paying to get "better" reports?
Thanks,
-- Renaud
The old "think before you post" maxim comes to mind here.
For a long time I've periodically gotten these "survey" fax spams that pose a yes/no question on some public policy issue and ask you to fax back your marked "ballot" to a 1-900 number costing $4/minute. In the disclosure of the fee, they often note that it's a "small price to pay for liberty" (they claim to forward the results to the appropriate civil authorities). I always toss the silly things.
But the other day I got one that's utterly brazen: the survey asks whether I want to get more of their spam or not (!), and I'll pay $3.95/minute for the privilege. I'm sure I'd be shocked to find out how many idiots responded to this one way or the other, and of course the idiots are the enablers for the spammers in the first place.
Just amazing.