What's especially troubling is that this is spilling over to other countries now. I always felt that despite having relatively lax laws in regards to the internet, Russia is starting to turn into a seriously unfriendly place for the internet. Being an expat in Moscow makes it especially awkward as I have tasted the Kool-Aid on the 'free' side.
Worth noting is that this was essentially number one on product hunt, above all other items.
Meaning, the Product Hunt results shown are the absolute best result you could hope for and most users will receive a far smaller amount of visits. PH gets a bit of hype because it's invite-only and people assume it has a big impact, but for most folk it would be much more impactful for their launch to even be on a smaller tech blog like Read/Write or Recode.
For the average person who gets on PH and gets the normal amount of upvotes (around 10-20) you can expect a blistering 250-500 visits. You would get more traction just posting a comment in a HN article. PH seems more powerful because it's invite-only and has tons of hype around it, but it does not deliver on results yet.
Surprised that HN numbers were so high, but not surprised that Techcrunch was number one. They still have a great share of the market when it comes to initial exposure.
A good rule of thumb with Hacker News is that you get 90-100 unique visitors for every upvote on a post given that it hits the front page. (as someone whose blog has hit the top of HN multiple times, I can attest to this)
The app received 6100 hits with 76 HN points, so that's a good estimate.
I'm not a fan of Product Hunt because it's an echo chamber personified. It's what happened to Quora, and I don't think that strategy will work twice.
Hear, hear. I think Product Hunt is interesting to look at once in a while to see what others think is hot, but I hate the closed nature of it. There's no obvious way to get selected to make submissions or comments.
In fact, when I read Carlos Bueno's post on QZ, the first thing I thought of was Product Hunt--an echo chamber of like-minded folks with their own exclusive club on who gets to submit which startup; and not only just submit, but even comment! It's a fantastic article worth reading:
The next thing Silicon Valley needs to disrupt big time: its own culture
Someone's created a "product hunt-like" subreddit (http://www.reddit.com/r/producthunt) that I think is actually a better idea: Anyone can up-vote a submission, anyone can comment, and moderators can separate the wheat from the chaff. Too bad it's not more popular.
The way to get selected to submit or comment appears to be Ryan's buddy or that buddy's buddy. It's a really misogynistic way to do it and minorities and women seem to be underrepresented.
I am sure if he chimed in here, he would say something along the lines of "We are super excited to open it up to everyone but want to do things correctly and not hurt the quality! With that in mind we are only letting a few people in at a time!"
Which of course means a huge amount of straight white dudes on the site and no transparency about what is submitted or chosen to be on the site.
Product Hunt started with my startup friends -- mostly guys, not dissimilar from Silicon Valley in general.
You're absolutely right that Product Hunt needs more gender diversity and it's something we're working on. This topic has been on my mind well before it came up in a recent thread on PH (http://www.producthunt.com/posts/made-with-code). Erik and I spent the last few weeks emailing dozens of women in the community to (1) get their thoughts on the product and (2) ask for recommendations of other women they know that might be interested in contributing. We have a long way to go but it has helped.
We're working on a recommendation system to give people in the community the opportunity to invite new contributors. Additionally, we will soon have a new posting flow to allow anyone to submit products to be curated by the community. These won't solve the diversity problem but will help make things more transparent.
If you have suggestions or ideas on how we can make it more inclusive and welcoming to a broader audience, please share.
Open it up to everyone, that's how you can make it more inclusive.
edit: The invite-only thing is incredibly lame. I signed up a few minutes ago to see what product hunt was all about because it was being discussed in this thread (never heard of it before). I doubt I'll lose any sleep over forgetting its existence.
That's a great point. So many sites - including TC/VB - are the same folks all the time. And they might be keeping up with startup news, but they aren't potential end users.
"The way to get selected to submit or comment appears to be ryans buddy or that buddies buddy. Its a really misogynistic way to do it and minoritys and women seem to be under represented."
Quick anecdote to rebut this, I was 'selected' to submit.
I don't know Ryan, other than I know who he is. I don't know anyone that knows Ryan (I don't think). Like pretty much everyone reading this comment, I am pretty sure he has no idea who I am. I follow him on Twitter, he doesn't follow me.
I was 'selected' because I hit Ryan up on Twitter with a quick link to our product, he took a look and decided it was interesting enough for PH, so gave me permission to submit. It was that simple.
Granted, I certainly don't tick any diversity boxes, but I think it would be a stretch to suggest that my ethnicity, gender, or sexuality had anything to do with my selection.
> to be ryans buddy or that buddies buddy. Its a really misogynistic way to do it
That's an odd way to say that; are you trying to say that nepotism in general is inherently misogynistic in some way? I mean, sure, Ryan's buddies are straight white dudes because Ryan is a straight white dude, and people tend to make friends with people they share culture with. But if Ryan was a gay black lady, nepotism wouldn't somehow cause her to want to hire straight white dudes nonetheless, would it?
That would be prejudice or sexism anyway. I'm with derefr; please explain how PH's processes are characterized by the hatred of women. That's a rather strong claim to be tossing around flippantly.
I mod /r/SideProject, which is a subreddit similar to Product Hunt. Do you have any recommendations on how to prevent the subreddit from turning into an echo chamber?
Based on my relatively small sample size (a couple of times on HN frontpage and TC), a feature about a utility like this that sits on the Lifehacker homepage for any significant amount of time will demolish the sources mentioned here in terms of actual resulting usage.
I think Lifehacker editors read a variety of blogs, so if you appear in one of those, you probably have a better chance of getting noticed. It's been a while, but probably smaller blogs that are focused on new companies - KillerStartups, MakeUseOf, ProgrammableWeb, that sort of thing. You can also try emailing them (tips@lifehacker), but I imagine that they don't read all of those.
It's also worth noting that these services do not live in a vacuum. People seeing the story on Hacker News may well have later seen the story on Techcrunch but skipped over it. I read all three websites daily so I would be counted where I simply saw the story first.
In all 3 links this is the only relevant part I've been able to find regarding them being malicious:
> Heck, if the DDoS for hire services protect themselves against DDoS attacks by using CloudFlare then CloudFlare must be damn good!
So they protect their customers from DDoS attacks. All of them. I see nothing bad in this. Saying they shouldn't is like saying a government should put all criminals together in a village and then have them perform criminal activity on each other.
The link to Krebs' is basically the same: people protecting themselves. Should CloudFlare play judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks". Like I said before, that person A kills another person doesn't mean that another person may kill person A, at least not within our current laws. Even if it did, is CloudFlare the one who should be calling the shots?
Finally, your first link is someone complaining to CloudFlare about LOIC (or related Perl scripts launched from VPSes) and CloudFlare responds that they see no harmful traffic and that logs or other details should be attached. Merely saying "hey I'm having trouble" has never gotten anyone further in resolving issues. That's why we have logs, so that CloudFlare can check their own logs to see what happened. Perfectly reasonable.
So yeah, elaboration is necessary. I do not see why CloudFlare is harmful.
The point being made above is that Cloudflare charges users to protect them from attacks, but they're also providing protection (from attacks and identification) to the people performing the attacks. To many, it appears that they're helping to allow malicious activity because it benefits the sale of their services.
> Should CloudFlare play for judge and ban people that do not violate their terms? Because I'm sure they boot people that perform illegal activities on their network or otherwise harm their network from within, but I can see why they don't proactively take down any website mentioning "we offer DDoS attacks".
DDoS attacks are illegal in most countries, including the US where CloudFlare operates. It would be reasonable for them to include something in their terms about not allowing illegal activities. Then, if it's brought to their attention via a verifiable abuse complaint, yes, they should cease providing service to that user. They are a private company and do not have the obligation to provide service to any particular person; there is no "rights" issue here.
Proactively, as in proactively monitoring and reviewing each site they provide service to, would no doubt be a huge burden and difficult or impossible, but I don't think anyone has suggested that. The only thing they need to be doing is the same as any responsible ISP, have an abuse@ mailbox (which they do), review and take the appropriate action on complaints.
If it's illegal and you're harmed I'm sure you can sue the people who did it and CloudFlare will have to hand over IP addresses. But is it CloudFlare's duty to police the Internet? Like ISPs, I think they should be content neutral unless illegal content like child porn is being hosted. Merely talking about services is not illegal as far as I know; only performing the DDoS attacks is.
1. Websites hosting services that have no other purpose but to DDoS other computers are absolutely illegal. Many such sites have been taken down by the FBI before, and both users and owners of the sites have been arrested. The problem is that there are many hundreds of such sites and tens of thousands of users, and law enforcement simply can't take down each and every one. Cloudflare is relying on the fact that most people won't be able to get a subpoena or file a lawsuit.
2. You could apply that same argument to any hosting provider. They're just letting people see content that you yourself have uploaded; why should they act as Internet police? And yet every hosting provider has a legal responsibility to take action if someone is using their services to spread malware, launch DDoS attacks, or hack other websites.
Cloudflare is able to weasel itself out of it because it is not actually a hosting provider. However, they won't even let you discover the real hosting provider after showing proof of extremely blatant criminal activity. This is why many criminals flock to them: they know they will be harbored and their botnet command & control / DDoS service / malware distribution network can stay up for longer than it would normally.
I work in the information security field and we're definitely seeing more and more malicious network operators moving to Cloudflare and staying there for a long time.
The legal system simply cannot process every single civil or criminal complaint everyone in the US may have. If a security researcher had to go through a court, and/or law enforcement, every single time they wanted a malicious domain taken down then their work would be nigh impossible.
Legal due process should be required when there are legal penalties or punishments. In this case, the bot herders and malware distributors are not subject to any criminal or civil penalties in response to abuse complaints: they do not go to jail and are not fined. Some of them will be fined or imprisoned, many years later, but everyone's better off if their botnets are shut down immediately instead of in 2-5 years.
It's a dealing between private entities: private entity X agrees to stop providing server or domain hosting for the bot herder after seeing a good faith report. A provider has every right to stop offering you service.
Without this sort of cooperation between entities, the Internet would be even more of a mess right now.
I agree they should not be policing. Instead they should allow you to contact the people who are hosting the actual content. Which is where DMCA notices have to go to, for example. Since they do not host the content, they claim the DMCA should not be sent to them, but they won't tell you who to contact instead.
So what? It's not their job to help copyright holders, their job is to protect their clients' privacy. Even the cops have to get a court order to find someone's private data from a business, but since it's copyright every man and his dog claiming to be the copyright holder should be handed private information willy nilly?
So, would you consider a site where you can click a button and have a DDOS attack launched for you to be illegal? Because that's exactly what's being referred to here, "DDOS-as-a-service".
Have fun filing lawsuits and sending out subpoenas when you're just trying to host a game server as a hobby and not making money off it. Cross-jurisdictional issues will also make this very difficult, even if you know who the attacker is.
From what I have read, Cloudflare takes considerable flak because they willingly provide services to the websites that let you buy and sell DDoS-for-hire services.
Also, I believe their defense is "we are a proxy, not the host, go elsewhere to complain". So, yes: they appear to allow these booters to exist and thrive in a world where they were unable to (at this level) before.
If Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing, that's a big bunch of bullshit right there.
Just because a company temporarily relocates behind Cloudflare doesn't mean CF is guilty, though. They can't vet every website before it goes up and each time it updates.
If they aren't kicking these guys off their network for performing the same activities they defend against, though . . . well, "racket" is kind of the term for it.
If Cloudflare kicked accused DDOS-for-hires, the first step in any DDOS campaign would become "accuse target of being DDOS-for-hire". That wouldn't actually be a step forward for DDOS victims who use Cloudflare, because then they would have to provide human input to some sort of appeal process ASAP, rather than Cloudflare just working automatically to thwart an attack.
An accusation should not be sufficient, obviously. Why can't CloudFlare take abuse complaints, verify and take action based on that?
In fact, this is precisely what they've done in the past, though they'd only provide the host details rather than stopping service to a site. (I don't think they'll even go this far anymore, rather they'll give you the abuse email for the host and tell you to have the host contact them, which is ridiculous.) I've filed a few such complaints myself. In one instance, the booter site didn't provide any info about its services without registration, so I linked to the hackforums thread where it was being offered. CloudFlare declined this as sufficient proof. Luckily, I could register an account without payment, and that gave me the options to pay to launch attacks, so I sent the login details to CloudFlare and they accepted that.
Your experience seems to contradict the insinuation that "Cloudflare is knowingly providing cover to the DDOS-for-hire companies after being informed of what they are doing", to which I responded. So I guess there's no problem after all?
I don't think it contradicts that. CloudFlare is indeed knowingly providing cover to them. The fact that they'll give you an abuse email to the actual host doesn't change them continuing to provide service to such sites, even when they acknowledge a site is a booter.
I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting". Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.
I wonder, however, if even the latter policy would solve the booter problem. Accessible websites are convenient for commerce, but they aren't required.
> I think we agree, that any defensible policy would lie somewhere between "ignore all accusations of booting" and "credulously believe all accusations of booting".
I agree with this.
> Re-reading your comment, I'm not sure, but are you saying that CF are at the former end of the policy spectrum? That's regrettable.
Somewhat. As of my last experience with them (which was like a year ago), they will accept abuse complaints for booters. If you can prove to them the site is a booter, by providing documentation on the site itself (not hackforums or anywhere else where it's being advertised, which is understandable as it's basically hearsay, though a bit difficult) indicating the site offers a DDoS service, they will provide the abuse@ email of the hosting company. They will tell you to have the abuse@ people contact them directly for further details. This is the only action they will take.
But my opinion is they should, upon confirming the site is a booter, terminate their service to the site. It would also be nice if they would continue to provide the host details, in addition, so the reporter can contact the actual host and have the site taken down from there as well.
The difference I see is that CloudFlare actively provides a service to them, while Google is merely maintaining a keyword-based search listing for them. That being said, I can see both sides of this one.
My views on the legitimacy (rather, lack thereof) of booters: they are a service that serves absolutely no legitimate purpose. The sole purpose is to perform an illegal act against another person. I know a bunch of them are sold on hackforums as "stressers," i.e. "stress test your own server," but that also isn't a legitimate purpose - I can see no case where one would want to stress test their own services with some UDP or SYN flood over the Internet. Such a thing would only be done over a private network using your own packet generator.
I may not have been clear where I made that comment, so let me explicitly say that I do not know the history or state of CF's abuse policies. CF may, in fact, be doing everything right. I was merely stating a condition that, if CF is doing what you quoted, then it would be a "big bunch of bullshit."
Help them thrive, how? I don't understand. Because they prevent DDOS-for-hire services from attacking each other? Surely "other DDOS-for-hire operators" are not the people charged with stopping DDOS-for-hire services.
DDOS-for-hire websites are naturally unstable - if not for the protection CloudFlare provides, they would all knock one another offline and there would be no DDOS-for-hire websites (or only a single, expensive winner).
Depending on your point of view, cloudflare providing the protection that makes DDOS-for-hire possible is either (a) them being fair and website-content-neutral, anything else would be censorship or (b) the glazier giving baseballs to the child who carelessly breaks windows with them, to generate demand for his services that would not otherwise exist.
The DDOS-for-hire company doesn't need a significant or even continuous web presence, does it? Seems ineffective to DDOS them.
EDIT Surely many of these DDOS-for-hire companies cross into illegal territory. CF can maintain a content-neutral stance by kicking illegal activity off.
The DDoS-for-hire being discussed here are called booters. Access to them can be bought for a few dollars (~$10), and then one is able to log into the site and click a button to attack someone for a few minutes (the exact time depending on the booter itself and sometimes how much you pay).
Which is kind of ironic, seeing as Conway is a major Airbnb investor and Airbnb is arguably one of the largest contributors to the housing shortage in the Bay Area.
People Ellis Act buildings and then Airbnb them as a way around the law.
Sorry to hear that. You must have known that this day was coming though? Basically you were living on borrowed time from Google. If the revenue was that much of a priority to you, you should have laid much lower than you did and certainly not make threats to people who have no issue with doing fraudulent things.
If you lay down with pigs, you are gonna get dirty
If you play with fire you will eventually get burned
That trusting income from Google is a bad bet?
Or that he should not have threatened the spammer?
With regards to the threat - he did have a valid claim against the guy - he could have complained to the registrar and eventually had the spam domain confiscated.
As to relying on Google, Amazon, Paypal and friends to stand by you when things get tough... plenty of other people have made that mistake in the past.
Often they trust them because they have no other real choice. I'd watch this with more of a sense of 'there but for the grace of god go I'
Being moral isn't the same as being naïve, no matter how much harsh people tell you it is. It is a sign of moral strength to not immediately bite back.
Ok, some good news. It might be untrue about them having passport scans. Reason I say that is the following:
We know from the leaked mtgox crisis plan doc that they have 550,000 verified accounts.
Each user who wanted to be verified had to scan at least 2 documents: a passport+license and an electric bill of sorts.
Assuming both documents alone were only 100KB combined (and it's likely way more than that since scans are usually 500KB+ per document) then we can estimate the file size:
550,000 x 100KB = 52.45GB
That's more than double the claimed 20GB.
In fact, even if we believe that every person's doc is in the DB, and assuming nothing else but passports is in there, you are only allowing for 20KB per document.
My guess is any passport scans would just be any recent web uploads made by users trying to verify their accounts and thus copied off the web server filesystem, not their customer database. Once verified these documents would be moved somewhere else, one would hope.
In any case, regardless of what was found or how, it's completely inexcusable that such sensitive data isn't encrypted asymmetrically the moment they receive it.
It is possible for them to extract the MRZ data of the passport (the Machine Readable Zone), it contains the passport ID, issuer state, DOB and DOE.
I don't know if the regulatory requirements state that you must keep a photocopy, but in case you do not it would be foolish to store more data than you need.
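The two comments above make a concrete point: the MRZ already carries the passport number, issuing state, date of birth and date of expiry, so a verification system can keep those fields and discard the scan. As an added illustration (not code from either commenter or from any exchange), here is a parser for the TD3 passport MRZ that verifies every ICAO Doc 9303 check digit before trusting a field, plus a `minimal_record()` helper that keeps only the four fields the comment names. The sample MRZ is the ICAO specimen for the fictional state "Utopia" (UTO); the choice of which fields to retain is an assumption for illustration, not a statement of any regulator's requirement.

```python
# Added example: parse a passport's Machine Readable Zone (TD3, two 44-character
# lines as specified in ICAO Doc 9303) and keep only the fields named in the
# comments above. The field selection in minimal_record() is an assumption for
# illustration, not a regulatory requirement.


# ICAO character values: digits keep their value, A-Z map to 10-35, filler '<' is 0.
def _char_value(ch):
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")


def check_digit(field):
    """Weighted mod-10 check digit with the ICAO weights 7, 3, 1 repeating."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def _verify(label, field, cd_char):
    # An all-filler optional field may carry '<' instead of a digit as its check digit.
    if cd_char == "<" and set(field) == {"<"}:
        return
    if not cd_char.isdigit() or check_digit(field) != int(cd_char):
        raise ValueError(f"{label} check digit mismatch")


def parse_td3(line1, line2):
    """Parse both MRZ lines, verifying every check digit before trusting any field."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    if line1[0] != "P":
        raise ValueError("not a passport (TD3) MRZ")
    _verify("document number", line2[0:9], line2[9])
    _verify("date of birth", line2[13:19], line2[19])
    _verify("date of expiry", line2[21:27], line2[27])
    _verify("optional data", line2[28:42], line2[42])
    # The composite check digit covers document number, DOB and expiry (each with
    # its own check digit) plus the optional data and its check digit.
    _verify("composite", line2[0:10] + line2[13:20] + line2[21:43], line2[43])
    surname, _, given = line1[5:44].partition("<<")
    return {
        "document_type": line1[0:2].rstrip("<"),
        "issuing_state": line1[2:5].rstrip("<"),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "passport_number": line2[0:9].rstrip("<"),
        "nationality": line2[10:13].rstrip("<"),
        "date_of_birth": line2[13:19],   # YYMMDD as printed; the century is not encoded
        "sex": line2[20],
        "date_of_expiry": line2[21:27],  # YYMMDD
    }


# Assumed minimal field set, taken from the comment above: enough to identify the
# document and check its validity window, without keeping the scan or the name.
MINIMAL_FIELDS = ("passport_number", "issuing_state", "date_of_birth", "date_of_expiry")


def minimal_record(line1, line2):
    """Return only MINIMAL_FIELDS, so nothing else from the scan is persisted."""
    full = parse_td3(line1, line2)
    return {k: full[k] for k in MINIMAL_FIELDS}


# Sample MRZ: the ICAO Doc 9303 specimen for the fictional state "Utopia" (UTO).
SAMPLE_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
SAMPLE_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    print(minimal_record(SAMPLE_LINE1, SAMPLE_LINE2))
```

Rejecting a line on any check-digit failure matters for the storage argument: a record that fails validation is the case where a human has to look at the scan, so the scan only needs to live as long as that review, not in the customer database.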
I suspect that most people who commit copyright infringement are not credit card thieves.
However, I don't like drawing conclusions without evidence, and I don't think it should be considered naive to ask for evidence before making up one's mind. In fact, I'd consider it extremely foolish to do otherwise.
I don't have any evidence I can point to. However, I can reference the hundreds of millions of dollars processed through various payment systems I oversaw to state that if you were trying to pay through a VPN, it would be classified as extremely high risk, and outside of a few extenuating circumstances, we'd simply deny the transaction.
When researching the various scoring mechanisms, we generally find that the VPN was generally just used for masking purposes, so we'd see multiple attempts go through using multiple names and addresses.
Also, the chances of getting a stolen card response back from the bank was much higher.
This isn't to say that a VPN means you are a thief. What it does mean, however, is that the risk far outweighs the potential benefits.
Isn't paying through a VPN a rather different matter to paying for a VPN? I mean, there's no point to using a privacy VPN to hide your identity only to then give out your credit card details, so it sounds like an inherently biased scenario.
If you are going to use a VPN to charge stolen credit cards, you sure aren't going to use a real credit card to purchase the VPN service, which could then be linked back to you.
I agree that some users use VPNs for credit card fraud. What I find hard to believe is that the majority of VPN users are committing credit card fraud. If nothing else, it would be difficult for VPNs to make a profit if they had that many chargebacks.
> What I find hard to believe is that the majority of VPN users are committing credit card fraud.
The problem isn't the majority. The problem is just a significant amount. Keep in mind how low the chargeback rates need to be to avoid serious penalties. Also, keep in mind the number of people isn't the issue, but it's the number of fraudulent transactions that occur. One person can attempt many.
It's an attack vector, and one person can cause problems for many, many customers.
Additionally, while a legitimate VPN user most likely will only need one VPN, someone interested in committing fraud may want many. The relevant metric is not the number of users, but the number of accounts.
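The payments-side comments above describe two signals rather than one: a VPN exit as an input to a risk score, and velocity, meaning one source trying many cards and many names in a short time, which is why the relevant count is attempts and accounts rather than people. As an added illustration (not any commenter's code and not a real processor's rules), the snippet below scores constructed card-not-present attempts in arrival order: a known VPN exit pushes an attempt into manual review on its own, and each additional distinct card or billing identity seen from the same IP inside a ten-minute window raises the score toward a decline. The weights, thresholds, window and sample attempts are all assumptions.

```python
# Added example: velocity-style risk scoring for card-not-present attempts, in the
# spirit of the comments above. Weights, thresholds and the sample attempts are
# all constructed for illustration, not any real processor's rules.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample attempts: (timestamp, source IP, card token, cardholder name,
# billing ZIP, whether the source IP is a known VPN exit). Card data is tokenised,
# so no primary account number appears here.
SAMPLE_ATTEMPTS = [
    ("2014-06-01T10:00:00", "203.0.113.7",  "tok_a1", "A. Smith", "94110", True),
    ("2014-06-01T10:01:30", "203.0.113.7",  "tok_b2", "B. Jones", "10001", True),
    ("2014-06-01T10:02:10", "203.0.113.7",  "tok_c3", "C. Brown", "60601", True),
    ("2014-06-01T10:03:05", "203.0.113.7",  "tok_d4", "D. White", "33101", True),
    ("2014-06-01T11:00:00", "198.51.100.9", "tok_e5", "E. Green", "02101", True),
    ("2014-06-01T12:00:00", "192.0.2.44",   "tok_f6", "F. Black", "98101", False),
]

VPN_EXIT_WEIGHT = 45        # a VPN exit alone lands the attempt in manual review
EXTRA_CARD_WEIGHT = 25      # each additional distinct card seen from the same IP
EXTRA_IDENTITY_WEIGHT = 20  # each additional distinct name/ZIP pair from the same IP
REVIEW_AT, DECLINE_AT = 40, 70


def decide(score):
    """Map a numeric risk score onto the three outcomes a gateway can return."""
    if score >= DECLINE_AT:
        return "decline"
    if score >= REVIEW_AT:
        return "review"
    return "allow"


def score_attempts(attempts, window=timedelta(minutes=10)):
    """Score attempts in arrival order; each sees only earlier ones inside the window."""
    history = defaultdict(list)  # source IP -> [(timestamp, card token, identity)]
    results = []
    for ts_str, ip, card, name, zip_code, vpn_exit in attempts:
        ts = datetime.fromisoformat(ts_str)
        identity = (name, zip_code)
        recent = [(t, c, i) for t, c, i in history[ip] if ts - t <= window]
        # Count distinct cards and identities this IP has presented, including now.
        cards = {c for _, c, _ in recent} | {card}
        identities = {i for _, _, i in recent} | {identity}
        score = VPN_EXIT_WEIGHT if vpn_exit else 0
        score += EXTRA_CARD_WEIGHT * (len(cards) - 1)
        score += EXTRA_IDENTITY_WEIGHT * (len(identities) - 1)
        results.append({"ip": ip, "card": card, "score": score, "decision": decide(score)})
        history[ip].append((ts, card, identity))
    return results


if __name__ == "__main__":
    for r in score_attempts(SAMPLE_ATTEMPTS):
        print(r)
```

On the constructed data the first attempt from 203.0.113.7 is only reviewed, but the second, third and fourth are declined as the card and identity counts climb; the single attempt from the other VPN exit stays at review and the non-VPN attempt is allowed. The cost model behind the thresholds is the one in the comments: a chargeback rate has to stay very low, so a handful of declined legitimate VPN users is cheaper than one source running through a list of cards.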
You seem to be reading more into my comment than I put into it. I'm not saying anything more than I find the original assertion that the majority of VPN users use stolen credit cards to be unlikely.
Claiming that VPNs have more people signing up with stolen credit cards than their own credit cards seems rather unlikely to me. The penalty fees on the resulting chargebacks would make it difficult to make a profit, particularly on a service that competes on price in an increasingly crowded marketplace.
As I see it there are three main customer groups for VPNs; people using it to circumvent copyright protections (either location based or outright theft), tech savvy people who want privacy, and bad guys.
The original said more bad guys than tech savvy people, I assumed that excluded copyright circumventors (the largest group) and you assumed they were included.
I would say that any claim is bold if it is surprising or apparently important, and is not covered by multiple mainstream sources.
Examples are claims of majority (a majority of people are suffering from sickness A, B, or C), or claims of superiority (my car is the fastest in the world).