TELECOM Digest OnLine - Sorted: Re: Ethics of Deterrence

Re: Ethics of Deterrence

Robert Bonomi (
Sat, 23 Jul 2005 02:17:54 -0000

In article <>, Steve Sobol
<> wrote:

> Eren Reshef wrote:

>> Some bloggers have recently claimed our fight is morally flawed.

> I'll go further and tell you you're a criminal.

> It's trivially easy for someone to put an URL of a website I own into
> a spam.

> And if you attack my website in response, and I had nothing to do with
> the original spam, you will have law enforcement knocking on your
> door.

> You're in California, I'm in California, should be as easy as a phone
> call.

> Did you mention something about the US Constitution? God, I *hate*
> when ignorant people claim that the Constitution gives them rights
> with no restriction -- you are welcome to certain rights as long you
> don't infringe on others' rights in the process of exercising
> yours. People who whine about their First Amendment rights being
> impugned often forget that.

> Steve Sobol, Professional Geek 888-480-4638 PGP: 0xE3AE35ED
> Company website:
> Personal blog, resume, portfolio:
> E: Snail: 22674 Motnocab Road, Apple Valley, CA 92307

> [TELECOM Digest Editor's Note: Well Steve, you are forgetting a couple
> of important factors: although yes, it is 'trivially easy' to put
> someone else's URL (for a web page) into spam a third party wants to
> send out, if you have a web page, your web page would have to have
> one or more 'forms' on it for people to use to fill in their credit
> card numbers in order for other folks to come along and deface your
> web site, wouldn't it? Wouldn't it be quite a coincidence if you,
> the innocent web site owner happened to have forms all over your
> web page which related to the product or service being spammed by
> some other person, _and_ through some 'human error' your web site
> got chosen?

Would it surprise you to learn that an unscrupulous operator might
DELIBERATELY spam "on behalf of" a competitor, for the express purpose
of getting that competitor knocked off the 'net?

Would it surprise you to learn that that _has_ happened?

Would it surprise you to learn that business *have* gone under, as a
result of such actions?

If so, you are *unaware* of events on the Internet, more recent than

The prototypical such actions (from which the name "joe job" for
describing such things is derived) occurred in late 1996. Google for
"joe job" (with the quotes, for lots of history -- or see (among many
others) the page at: <>
for the "jargon files" definition.

Such things are a "not infrequent" event, to this day.

> I really have to wonder if you read any of the FAQ on
> how the system works ... let's say for example, I
> am offended by a piece of spam I recieve; I forward it to BlueSecurity;
> someone there who has a modicum of intelligence (about as much
> intelligence as the people who write up filtering software) looks at
> it, quickly finds mid the HTML crap on the source page an IP address
> which _appears to be_ the offender. He (the investigator) goes to
> the URL; is it in fact the product or service being spammed? If not,
> then he junks it. If it is the product being spammed, and it has
> 'forms' around the page for things like credit card numbers, comments
> or names/addresses, etc then it gets put somewhere. Now the investi-
> gtor finds a thousand more pieces from the same spammer, referring
> to the same URL, then acts on it. It is not a willy-nilly process
> where 'you' sent me spam so I 'crash your system'. They only release
> the 'do not spam me further' notices (which simply goes to that URL
> and fills in the aforementioned, already located 'forms') once they
> have discovered the _actual offender_, not some innocent bystander.

That is a lie. They *cannot* tell who "really sent" the e-mail

All they can tell is that the material on the web-site, and material
in the message are 'consistent' with each other.

Which can be explained in _at_least_ two ways:
1) the web-site operator actually sent the message(s).
2) "somebody else" -- *deliberately*and*maliciously* -- posing as the
web-site operator sent the message(s) for the express purpose of
discrediting the actual web-site operator.

There is *no*way* to tell which of those scenarios is the "real"
explanation. Those who act, based on assumption #1, when the reality
is assumption #2, can find themselves in legal hot water.

> They got a lot of money from somewhere to put investigators to work
> tracking down _good_ URLs of spammers. Admittedly they cannot get
> anywhere with much of the crap which comes to them, but they do find
> some of them. And it is _not_ DDOS since the spammer is first given
> ample warning, and assistance as needed in cleaning his list.

You know. There's something really "funny" about their ENTIRE
operation. "Blue Security, Inc." according to their website, is
located in Menlo Park, California. With a claimed telephone number,
at that address, of "972-9-9577736", per the whois entry for the

Yet, according to the California Secretary of State, the *legal*owner*
of that _Corporation_Name_, is a locksmith in La Jolla, California,
who has had that name since 1997. (That information, and the info in
the following 3 paragraphs, *can* be verified by anyone who cares to,
on the State of California web-site.)

They can't legally have some other name, and be using "Blue Security,
Inc." as a "doing business as" (DBA) -- what California calls a
"fictitious name" -- because California *expressly* forbids the use of
a corporate ("Inc.", "Corp.", "Corporation", etc.) or LLC indicator as
part of a fictitious name.

One *cannot* legally register a corporate name (whether an in-state
corporation, or an out-of-state one doing business in California) that
is the same name as an existing Calif. corporation. One can register
a name that is "similar" only with the *written*consent* of the
presently- registered corporation, _and_ the agreement from the
Secretary of State that the naming would _not_ be unduly confusing to
potential customers.

Operating an unregistered business *is* a violation of California law.

Based on that, alone, Blue Security *does* appear to be a criminal

Blue Security's published INTENT regarding the co-ordinated
complaint-bombing of the targeted web-site is to make it 'unusable' by
people attempting to do legitimate business with that company.

One doesn't have to assume anything about how they work. One doesn't
have to do any interpretation. All one has to do is look at WHAT THEY

Their intent, per their own words, *is* to inflict a "denial of
service" on the "guilty" web-site owner.

That *is* a criminal action, under the law.

That isn't the only issue. If they're *not* doing what they say they
do, then there are issues of false advertising, and/or wire-fraud. If
they _do_ do what they proclaim (a crime, per the above analysis),
there are additional possible charges of:

soliciting for participation in a criminal enterprise
accessory before the fact
just to name a few.

Those 'co-conspirators' that get sucked into their scheme could get
names on any/all of the latter 3 counts named above.

Incidentally, *IF* the mail-senders must pay for the 'list-washing'
service that Blue Security offers, then one can probably add
"extortion" to the possible charges. Blue Security _has_ issued a
public 'threat' to attempt DDoS on the web-sites of people who send
them e-mail without going through the list-washing process. Avoidance
of that 'threat' by the payment of money (whether or not a service is
provided for that money) is the essence of extortion.

Note: somewhat deeper digging into "Blue Security" indicates that the
_actual_ ownership is apparently with a company in Israel. One that
many people belive as having a lot of business dealings with the

One might speculate that "Blue Security" is a 'front' for testing some
actual "information warfare" tools. Emphasis on "warfare".

> Oh, and by the way, if 'suddenly stops
> working' sometime soon, well ... its just ICANN doing their thing,
> trying to silence anyone who tells you how naked they and their merry
> band of choristers are. Anytime you cannot get through on
>, remember that is still
> a good address and points to the very same place. PAT]

REALLY??? My web browsers (4 different ones, on 3 different
platforms) insist that "" is not a valid

[TELECOM Digest Editor's Note: As I tried to explain to Robert Bonomi
in private email, these two URLS are _identical_ in where they go: (and)

These two emails are identical in where they go: (and)

I tried to explain to Robert Bonomi that a 'valid URL' (as in web
site) does not have an 'at sign' @ in the middle of it. PAT]

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: mc: "Re: Ethics of Deterrence"
Go to Previous message: Barry Margolin: "Re: Ethics of Deterrence"
May be in reply to: Eren Reshef: "Ethics of Deterrence"
Next in thread: mc: "Re: Ethics of Deterrence"
TELECOM Digest: Home Page