Full Disclosure mailing list archives

Re: NiX API


From: Haxxor Security <h () xxor se>
Date: Thu, 9 Jun 2011 23:49:00 +0200

This must be a sales-person, since it took 3 emails to tell us it's a proxy
blacklist.
And to use a phrase as "NiX API is effectively blocking 85% of all open
proxies 24/7/365 fully automatically".
I would like to see a manually operated proxy-blacklist that only works 6 h a
day in July.


2011/6/9 Thor (Hammer of God) <thor () hammerofgod com>

Yes. That's the flipside of the coin. However though, any merchant that
accepts purchases from users behind proxies or other anonymizers is
taking a significant risk.

Says who other than you?  I use a proxy all the time and have never made a
fraudulent purchase attempt.  It is nobody's business where I am.  Just
because you think proxied connections are bad doesn't mean they are.  Your
"majority of fraud is committed from a proxy" is just some opinion.  How
about some proof of that?

Besides, you will *never* be able to find out where my proxies are or add
me to your database.  If I decided to commit fraud, your system would never
catch me.  You have no way of determining how much fraud is committed from
other sources, because you don't (and can't) know.

This happened to us about 50 times in a 2.5 month period. Needless to say,
I'm still mad as hell. We lost several hundreds of bucks to those PayPal
'reversal fees' + wasted a significant amount of our precious time while
answering those disputes.

Ah.  So, one attempt per day or so during that period is what you are
basing your opinions on?  Depending on what one is selling, all it would
take is one false positive to screw over the person using your API.  It just
isn't a good idea.

The API resolved all issues. There have been few legit customers who
wondered why they could not login using the proxy, I said, remove the
proxy and try again and then do purchase. They did. A fraudulent user
never bothers with this, they will leave your site alone.

Nor do you know if a legitimate user would do it.  If I went to buy
something from you and you assumed I was fraudulent and blocked the
transaction, I wouldn't even bother telling you - I'd go buy from someone
else.   The fact that you think the API resolved the issues doesn't prove
anything.  It just proves that you THINK it did, but you don't know.  I may
have stopped 1 bad transaction a day, but stopped 10 good ones.  You just
don't know.  Your main bitch seems to be about a company charging you to use
their risk management service.   If you don't like PayPal's agreement, then
don't use them.

You seem to be getting awfully wound up over a "free" tool.  It's free.
What do you care what people think?  Or is this just a "get my name in
links" so that you can try to sell it later?  All my tools are free, and
I've gotten plenty of "why should I use your tool" emails to which I reply
"I have absolutely no investment in you using it or not.  If it provides
value for someone, there it is.  Otherwise, go shit in your hat."

You should wait until you are selling it before you give your sales pitch.


--
Aaron Turner
http://synfin.net/         Twitter: @synfinatic
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
"carpe diem quam minimum credula postero"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


