Abusive Customer - Notification to Other Hosts - Page 6

  • Spirit Member
    edited April 2013

    @BlackoutIsHere said: I don't understand what @Spirit 's issue is.

    Which part of this you don't understand:

    @Spirit said: You're maybe a more responsible host who doesn't feel butthurt every time someone disagrees or complains regarding service. But should I, as a client of plenty of hosts and at the same time a vocal member of some community where I express positive and negative experiences with my hosts, expect the same level of tolerance and professionalism from every host? Anything can be entered into such a blacklist. Without the knowledge of the person in question. But with his real name, home address, etc...

    --

    @Damian said: I wonder what kind of country he lives in that does not have the concept of credit.

    I think that this is more a thing of the internet than of a country. Just look at the LEB example. How many people cheated, scammed, etc...
    In 4 - 5 years of being here at LET/LEB we have seen everything possible. From both sides (clients and hosts).

  • @Spirit, those "abusive entries" that "disappeared after I posted links - miracle..." have simply expired. Those report IDs are generated on the fly, and expire after some months when there are tens of thousands of queries. Every query generates a report. If you re-run any of those queries, you can get the same report again, which will expire after a certain amount of time.

    You really need to stop assuming and start understanding.

    Also, about the query form on the website. That's just a convenience tool. Regular way of reporting is through the module or open source API, where no client info can ever be submitted because they are all hashed before reaching FraudRecord.

  • superpilesos Member
    edited April 2013

    By the way: why is it such a big deal that it's a "Turkish guy"? I would personally feel safer giving information to someone in Turkey than in USA. Not that I would give information to anyone anyway.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Spirit said: In fact I said "but that's your personal perspective. Clients may be lucky with you but that's not a general rule in the industry"

    It's not though. I know what I submit and I know how I use FraudReport. There's no perspective here about what I do with FraudReport, only fact and trust. If you do not trust me, you shouldn't be providing me with information that you do not want shared to begin with. If you do trust me and I abuse that trust, I deserve to be put on display for it so that others may know. Until then, my use of FraudRecord cannot be considered a potential tool for me to abuse.

    @Spirit said: I proved in one of the previous threads, and I linked it also above, that hosts can and some of them will use the database in an improper, we can say abusive, manner toward their clients.

    You did, however you need to think about the context of this. You can open up WHMCS and show that e-mail addresses are in plain text and then PROVE without ANY doubt that it is possible for a host to abuse this information and sell e-mail addresses. In fact, you can go find a host who does. Then, you can tell everyone about the abuse potential of WHMCS. You can tell people WHMCS is a potential point for abuse of private information. But isn't this implied? Why does it need stating unless you just have a bone to pick with WHMCS? So do you have a bone to pick with FraudRecord or do you have a bone to pick with an individual host? I am not responsible for what that host did. Neither is FraudRecord.

    @Spirit said: I am not sure where you found yourself in the middle of that...

    When you started what appeared to me to be a small campaign against FraudRecord and the supposed privacy violation committed by hosts that use it. To me you were implying that this is a malicious tool that hosts should not be using. Now, however, we are down to the truth which is that you have seen a host use it in a way that was not proper. If that was your original message in this thread, I assume you wouldn't have said anything at all. I have seen people misuse Apache but I don't post about it in Apache threads.

  • Spirit Member
    edited April 2013

    @Harzem said: Also, about the query form on the website. That's just a convenience tool.

    Ah, yes... I feel relieved now! Because no one uses it and I know you enough to believe you, correct? (because here is only you, some guy on the internet with his hobby site).

    @jarland you still ignore this part. Because you personally use the whmcs module, I guess.

  • @Damian said: He keeps making the point that any provider could write something terrible about any client, despite it being true or not.

    This is a valid point, however, that's not a system issue whatsoever, that's a provider being a bad human being.

    Ah I see

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Spirit said: you still ignore this part. Because you personally use whmcs module.

    The search form? Of course I'm ignoring it. I don't enter information in plain text, and if the API can query against the hashed information then the search form doesn't bother me. You either already know the information or you don't. Even abuse of the API will return a bunch of data that means absolutely nothing to you or anyone who doesn't already have the information. In that way, it's the perfect system. There's nothing juicy to be had here, the work in maliciously obtaining the data would be the most unfruitful and pointless act.

  • Spirit Member
    edited April 2013

    @jarland said: I don't enter information in plain text

    Oh, you see, I am relieved again. Because you personally use the more convenient whmcs api, so you don't give our buddy Harzem clients' personal data through his webform in plain text.

  • jar Patron Provider, Top Host, Veteran

    @Spirit said: Because you personally use whmcs api so you don't give to our buddy Harzem clients personal data through his webform in plain text.

    What more are you looking for? If you don't trust me to not send your details around in plain text to a fraud database, why are you trusting me with the information to begin with? Even if I tell you that I don't use it at all, how do you still know that I don't? All that you are communicating is that you can never trust anyone, ever, at any time. Technically that's true. It's not going to get you far though. At some point you've gotta put a little faith in someone if you want to get things done.

  • I fail to see the point @Spirit, you can only use data you already know to search, what's the point in arguing?

  • Harzem Member
    edited April 2013

    Almost all those companies or individuals that you accuse of leaking private info use the WHMCS module (or custom modules that use the API), which is open source and has all the hashing functions written inside. They can't send private data to FraudRecord with that module even if they wanted it badly.

    And since some people may choose to make manual reports on the website, there needs to be a page for it. Collecting that information would fill what percentage of a secret database, something like 2%?

    There is an open source module, there is a long page of API information to create your own module, all of those use the hashing mechanism that guarantees there can be no private data that reaches FraudRecord. And you insist that FraudRecord is villainous because there is a report page on the website as well?

    About the "some guy who isn't even a company" issue. What if FraudRecord was a registered business in Turkey? Would you start complaining about how it is not registered in US, but in Turkey? How it is an LLC but not a Corp?

    I understand that you don't like the idea, or you don't trust random guys. But the front-end of the system is so obviously open source that you need to be able to understand that there can be no villainous intent. Can the system be abused by hosts that submit wrong info? Yes, certainly. Is the system to be blamed? I don't think so. I've never heard US government try to ban cell phones because terrorists use them to blow up remote controlled bombs.

    Currently about 260 companies have registered a reporter profile on FraudRecord, and total reports are getting close to two thousand. There are some bad apples. But the WHMCS module doesn't block signups if there is a report. It provides a guideline, any host should read the reports and check the reporting providers before deciding to act on a report.

    But the module, the API, the hashing, the privacy protection that SHA-1 hashing provides are so open-source and bulletproof that you can't blame the FraudRecord backend for being malicious. There is mathematically no way of being malicious if you are capable of reading some PHP code.

  • Spirit Member
    edited April 2013

    @jarland said: why are you trusting me with the information to begin with? Even if I tell you that I don't use it at all, how do you still know that I don't?

    @jarland said: At some point you've gotta put a little faith in someone if you want to get things done.

    Yes, of course. But luckily people have the choice to select whom to trust and whom not. After all, where did I say that I trust YOU with the information. Fair point?

    (just generally speaking I don't have anything against you)

  • @Bogdacutuu said: I fail to see the point @Spirit, you can only use data you already know to search, what's the point in arguing?

    +1 Same thought here

  • @Spirit said: where did I say that I trust YOU with the information.

    When you gave it to him by signing up

  • Spirit Member
    edited April 2013

    @BlackoutIsHere said: When you gave it to him by signing up

    You should take some time and effort to also read the sentence before the one you quoted. It's not a lot of text after all...

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Spirit said: (just generally speaking I don't have anything against you)

    I know, no worries. This is just conversation.

    @Spirit said: Yes, of course. But luckily people have the choice to select whom to trust and whom not. After all, where did I say that I trust YOU with the information. Fair point?

    Right. You should choose a provider that you trust. I'm telling you that you can trust me not to add a report to FraudRecord unless I am very certain that other hosts need to be warned that someone with this e-mail address is about to sign up and wreck their systems. Can you know that I'm not lying? Sadly, no you cannot. You cannot know that I'm not lying about a lot of things about how I do business, and many of them I won't help you find out because that is private. You won't know how secure my keys/passwords are because I'm not going to tell you, you have to trust that they're secure or decide that I'm not to be trusted, but I'll never give you proof as to which is true because the proof in itself changes the truth.

    This is just how life works. You have to make decisions, and you won't always know without a shadow of a doubt what is true.

  • @Spirit said: You should take some time and also read the sentence before the one you quoted.

    @Spirit said: But luckily people have the choice to select whom to trust and whom not.

    So choose wisely.

  • @jarland said: Right. You should choose a provider that you trust.

    Yep, not just VPS providers either

  • Spirit Member
    edited April 2013

    @BlackoutIsHere said: So choose wisely.

    I hope I do. Most of the time :)

    @Harzem said: Almost all those companies or individuals that you accuse of leaking private info use the WHMCS module (or custom modules that use the API)

    @Harzem said: And since some people may choose to make manual reports on the website, there needs to be a page for it. Collecting those information would fill what percentage of a secret database, something like 2% ?

    You see... now you're talking. Before this post any possibility was categorically denied. And no, I am not saying that you're a villain. I don't even know you. But I also wouldn't use your website to enter my clients' database. But those 2%, for some strange reason, believe you with their clients' database. Strange way to run a business.

  • DomainBop Member
    edited April 2013

    He keeps making the point that any provider could write something terrible about any client, despite it being true or not.

    This is a valid point, however, that's not a system issue whatsoever,

    Actually it is a system issue because there isn't any vetting in place to prevent the "bad apples" of the hosting industry from registering a reporter file (verifying ownership via WHOIS or other documents of profile reporters only verifies ownership, it doesn't weed out the bad apples of the industry and prevent them from accessing the database).

    About the "some guy who isn't even a company" issue.

    ...who controls a database that credit card info, passwords, and other personally identifiable info can be submitted to (spare me your spiel about hashes). Credit report agencies are subject to strict regulations...you operate without any such supervision. The country you're from is irrelevant, it's the fact that you are a private individual not a company and are operating without any supervision or government regulations or oversight to prevent misuse of the info submitted to your database that is the primary concern.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @DomainBop said: Actually it is a system issue because there isn't any vetting in place to prevent the "bad apples" of the hosting industry from registering a reporter file (verifying ownership via WHOIS or other documents of profile reporters only verifies ownership, it doesn't weed out the bad apples of the industry and prevent them from accessing the database).

    Well then this is actually a problem with the internet because blogger, twitter, facebook, myspace, none of these prevent it either. No one forces a provider to take the reports seriously. No one even asks a provider to use it maliciously. If you find someone submitting false reports in the name of Catalyst Host please notify me and I will notify FraudRecord.

    Should we also implement these checks in e-mail services so that providers cannot report privately to other providers? This is, by your logic, a flaw in e-mail.

    Now, should users be banned for abuse of it? Certainly. I recommend contacting FraudRecord and pleading your case.

  • @DomainBop, "spiel about hashes" is the core of online security. SSL certificates use the same hashing algorithm. US government uses the SHA-1 algorithm. The spiel about hashes is the definitive proof that credit card info or anything else cannot be submitted. Personally identifiable information doesn't exist in the database, it can never exist as long as the module or API are used. That's not spiel, that's science.
    http://en.wikipedia.org/wiki/SHA-1

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Harzem said: credit card info

    These hashes can be cracked by someone with enough intent. Therefore storing credit card numbers with an unsalted hash can technically be dangerous. Someone correct me if I'm wrong here, I'm no expert on cracking things but rainbow tables attack this very kind of thing do they not?

    However, none of the other information is worth such a procedure as the data would only be valuable to you if you already had it. Credit cards, however...

  • Harzem regurgitated his "spiel about hashes"

    Care to address the other issues I raised about the complete lack of regulation/oversight of you and your database

  • Spirit Member
    edited April 2013

    @jarland said: Well then this is actually a problem with the internet because blogger, twitter, facebook, myspace, none of these prevent it either. No one forces a provider to take the reports seriously.

    May I answer this with a fraudrecord related WHT post (just because it's better written than I would write it)

    My details get on Facebook because I provide them to Facebook, they don't appear on Facebook because I signup with Google for a mail account. In this case, the details are going to a third party to be read by other third parties without my specific consent in a lot of cases.
    You really need to make the distinction here between sharing data between you and the client and sharing data between you, the client and a third party who then makes it available publicly to others.

    And yes, even as hashed they are still available to

    "anyone just by knowing a few details about me can search for details and get results, which also gives them more details about me and what I did."

    quoted from: http://www.webhostingtalk.com/showpost.php?p=8453857&postcount=72

    So much about your own "Information collected on this site is strictly for our use, NO OTHER OUTSIDE PERSONS MAY VIEW YOUR PERSONAL INFORMATION SUCH AS BILLING INFORMATION, ETC." privacy policy @jarland

  • @jarland, the hashes are indeed salted. Also iterated, so rainbow tables are out of question.

    @DomainBop, I'm not even sure people have understood the very simple and widely documented security of sha-1, and how FraudRecord doesn't receive private data. I'm not going to try to explain to those people how FR can't be regulated by privacy laws like credit agencies.
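
Added example, not part of the thread and not FraudRecord's code: a sketch of the salted, iterated lookup hashing discussed in the posts above, showing why it defeats precomputed tables but not enumeration of a small input space. The salt value, round count and sample values are assumptions made up for the illustration.

```python
import hashlib
from typing import Iterable, Optional

# Assumed parameters, NOT FraudRecord's real values. A lookup service needs
# one salt shared by every reporter, or two hosts could never match a record.
SHARED_SALT = b"example-shared-salt"  # hypothetical
ROUNDS = 100                          # hypothetical iteration count


def lookup_token(value: str, salt: bytes = SHARED_SALT, rounds: int = ROUNDS) -> str:
    """Salted, iterated SHA-1 of a normalised field value."""
    digest = value.strip().lower().encode()
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def plain_sha1(value: str) -> str:
    """Unsalted single-pass SHA-1, the case precomputed tables target."""
    return hashlib.sha1(value.encode()).hexdigest()


def find_by_enumeration(target: str, candidates: Iterable[str]) -> Optional[str]:
    """Hash every candidate with the public scheme; return the match, if any."""
    for candidate in candidates:
        if lookup_token(candidate) == target:
            return candidate
    return None


def worst_case_hashes(space_size: int, rounds: int = ROUNDS) -> int:
    """SHA-1 invocations needed to cover an entire input space."""
    return space_size * rounds


if __name__ == "__main__":
    email = "alice@example.com"  # constructed sample value
    # Same input, same token: this is what makes the query form work.
    print(lookup_token(email) == lookup_token(" Alice@Example.com"))
    # The salt and iterations make tables built for plain SHA-1 useless.
    print(lookup_token(email) != plain_sha1(email))

    # Constructed low-entropy field: a 4-digit value has only 10,000 options,
    # so anyone who knows the scheme can test them all.
    token = lookup_token("4821")
    print(find_by_enumeration(token, (f"{i:04d}" for i in range(10_000))))

    # Work estimates: salting does not enlarge the input space.
    print(worst_case_hashes(10_000))   # the 4-digit field
    print(worst_case_hashes(10 ** 9))  # any field with nine free digits
```

Iteration multiplies the cost of each guess by a constant; only the size of the input space decides whether covering it is practical.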

  • Spirit Member
    edited April 2013

    @Harzem said: and how FraudRecord doesn't receive private data.

    Of course it does. Even hashed they are still stored with you. Or that's incorrect: "anyone just by knowing a few details about me can search for details and get results, which also gives them more details about me and what I did."

  • @Harzem US Government switched to SHA-2 in 2010 when NIST felt that SHA-1 was insecure.

  • jar Patron Provider, Top Host, Veteran
    edited April 2013

    @Spirit said: So much about your own

    Nope. What information have I shared and about whom? Was the policy relevant in this or these case(s)? You can't know that. If you intentionally send an outgoing DDOS from my services and I do not feel that the issue is resolved from our communication, and you are a US citizen, you can either accept the nullification of my privacy policy (just as you nullified our agreement via our AUP) or you can meet me in court. Do you have a problem with how I handle a US citizen who violates US federal law under my care?

    Let's go ahead and get this specific, because this is what I'm talking about. Someone want to stand up for this client?

  • DomainBop Member
    edited April 2013

    Harzem said (once again ignoring the questions of lack of government regulations/oversight of his database) "I'm not even sure people have understood the very simple and widely documented security of sha-1, ..."

    Your refusal to address the complete lack of oversight/regulations regarding you and your database speaks a 1000 words :) and until you address the issue and prove otherwise I'm going to have to lump you in with the same type of scammers as people like badcustomer.com who set up a similar "fraud prevention" database a few years ago for nefarious purposes.
