[Noisebridge-discuss] I am really disappointed with certain members of noisebridge

Fri Oct 30 21:56:28 UTC 2009

In what world is voting ~9.7 times / second even an attempt at a DDOS? It
would need to be hundreds or thousands of times higher to even begin to
matter.

It was an attempt at making numbers in a pointless poll pointlessly high.
Being Abnormal != An Attack!

On Fri, Oct 30, 2009 at 2:51 PM, Ian <ian at slumbrparty.com> wrote:

> I'm sorry for categorizing it as a DDOS attack where n=2. I should
> have said attempted DDOS attack. Voting 35k times in an hour is
> abnormal behavior on most of our forums, especially one with a total
> of around 50 votes. i'm sure you have seen much better DDOS attacks
> taking down sites much larger than uservoice.
>
> When I talked about legal action, it wasnt a threat coming from me. I
> was relaying what other people were saying. I was trying to resolve
> this so it didnt escalate to anything else. I'm sorry you feel that I
> was trying to scare anyone.
>
> Maybe someone with more skill in computers such as yourself could have
> saw the difference between what happened and malicious intent, but
> unfortunately, i am not and had to make sure via other means. in the
> future, i will make sure not to apply for a computer related job at a
> company you owned.
>
> ian
>
> On Fri, Oct 30, 2009 at 2:44 PM, Crutcher Dunnavant <crutcher at gmail.com>
> wrote:
> > Ian, you're being an ass.
> > No matter how much you "appreciate" Leif coming forward, you walked into
> > this with the threat of Legal Action for something that was obviously not
> a
> > DDOS attack.
> > If you can't tell the difference between this and malicious intent, maybe
> > you shouldn't work with computers.
> >
> > On Fri, Oct 30, 2009 at 2:41 PM, Ian <ian at slumbrparty.com> wrote:
> >>
> >> Leif,
> >>
> >> Thanks for coming forward to say this. You are right in that it is
> >> possible to do the aforementioned curl voting anonymously. We made a
> >> design decision to allow anonymous voting to lower the barrier for
> >> participation. We have fraud detection counter measures to take care
> >> of those situations. You did not cause any damage, but we were more
> >> concerned with the intent. It was unclear to us whether it was people
> >> playing around or someone with malicious intent. if it was not the
> >> latter, then we are okay with people exploring the system.
> >>
> >> I really appreciate you talking about this on the list.
> >>
> >> Thanks,
> >>
> >> Ian
> >>
> >> On Fri, Oct 30, 2009 at 2:30 PM, Leif Ryge <leif at synthesize.us> wrote:
> >> > Ian,
> >> >
> >> > First and foremost, I offer you my sincere apology and my promise that
> I
> >> > personally will not (mis)use your company's service again.
> >> >
> >> > I was the one who pointed out last night that people could run
> >> > curl -d to=3 http://some-uservoice-url/votes
> >> > to vote for something, and that without cookies, they could keep
> voting.
> >> >
> >> > I would characterize this as harmless ballot-stuffing, rather than a
> >> > DDOS,
> >> > but I understand that if it got out of hand it could certainly have
> the
> >> > effect of a DOS. I am very glad to hear it didn't take the site down.
> >> > Taking
> >> > the site down was certainly nobody's intent; the intent was simply to
> >> > get a
> >> > lot of votes on a single item, to demonstrate why voting on things
> with
> >> > a
> >> > tool like this doesn't make any sense for a group like ours.
> >> >
> >> > I personally only sent a few hundred http requests, and in light of
> your
> >> > company's stated interest in legal action (which I think is entirely
> >> > unwarranted given that the whole thing was apparently a few thousand
> >> > http
> >> > requests from a single location) I will not help determine who else
> sent
> >> > more. Obviously, like most things at noisebridge, this was in no way
> an
> >> > action of the organization and was only the action of a few
> individuals.
> >> >
> >> > I regret the strife that this caused you, and hope you can accept my
> >> > apology.
> >> >
> >> > ~leif
> >> >
> >> > Ian wrote:
> >> >>
> >> >> last night, there was an attempted DDOS on the noisebridge forum from
> >> >> 75.101.62.89 and 75.101.62.88. yes. those are both noisebridge IPs.
> >> >> they submitted around 35,000 votes to the forum and could have taken
> >> >> the entire uservoice site down.
> >> >>
> >> >> i have no problem with people voicing their concerns on the mailing
> >> >> list, but to do something destructive and illegal using noisebridge
> >> >> equipment against a company that one of its members works for simply
> >> >> because you didnt agree with its usage is beyond pathetic. rubin, for
> >> >> future reference, even though you may not mean anything destructive
> or
> >> >> personal with your "abrasive" (as you put it in your personal apology
> >> >> to me) comments on the list, other, weaker people on the list who are
> >> >> followers will take them in a different way.
> >> >>
> >> >> i tried to not censor anyone on the feedback forum and accommodate
> >> >> everyone and tried to play the role of strictly the forum admin. one
> >> >> of our staff deleted the suggestion about trying to get root on our
> >> >> site because, well, they simply viewed it as a threat against
> >> >> uservoice. i assured them finding security flaws was legitimate and
> >> >> will even benefit us. then they pointed to the suggestions about
> >> >> disparaging uservoice and my comment facilitating that. then again i
> >> >> reassured them i was only being the site administrator and that we
> >> >> shouldnt censor people who use our product even if their suggestions
> >> >> could hurt our business. the bottom line is i put my neck out to try
> >> >> to provide noisebridge with something that i thought would be useful
> >> >> and this is the thanks i get.
> >> >>
> >> >> aside from my current situation with the company, uservoice is
> talking
> >> >> about taking legal action against noisebridge for the DDOS attack. i
> >> >> have begged them to allow me to solve this without legal
> intervention.
> >> >> i ask that the people who were responsible name themselves and
> >> >> separate them from the rest of noisebridge. if you identify yourself,
> >> >> explain and apologize for your actions, i think i can convince the
> >> >> rest of uservoice to move past this.
> >> >>
> >> >> ian
> >> >> _______________________________________________
> >> >> Noisebridge-discuss mailing list
> >> >> Noisebridge-discuss at lists.noisebridge.net
> >> >> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> >> >
> >> >
> >> _______________________________________________
> >> Noisebridge-discuss mailing list
> >> Noisebridge-discuss at lists.noisebridge.net
> >> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
> >
> >
> >
> > --
> > Crutcher Dunnavant <crutcher at gmail.com>
> >
>

-- 
Crutcher Dunnavant <crutcher at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.noisebridge.net/pipermail/noisebridge-discuss/attachments/20091030/6bb62673/attachment-0003.html>