
FraudRecord Public Dumps User / Customer Info

lbft

Active Member
If there can be databases for credit rating / credit score and such, why can't there be other similar databases? What makes this one different from the database of bad debtors?
Web hosting is small enough and the margins for many slim enough that there isn't the money to pay for the legal compliance costs or the money to fight in court people who got busted doing bad things. Even then, the credit report/cheque fraud/etc. databases tend to be limited to single countries, whereas web hosting/VPS/dedicated servers/colocation all require a single global database.

Which is probably partly why FraudRecord works for the most part - it's away from the legal and regulatory influence of the US, EU, China, etc. The only hiccup is the transfer of personal information from the country of the provider to another country, but the businesses using it are too small to attract government interest for the most part (look at how a certain Buffalo-based VPS provider still hasn't got spanked for three major data breaches).
 

Lee

Retired Staff
Verified Provider
Retired Staff
 



This is from a May 2014 EU opinion on anonymization techniques like hashes.  The determinant of whether the anonymized data (in the case of Fraud Record, the "hash" that is stored in the database) is considered personally identifiable information is the following:

........
I have raised these kinds of issues almost every time I see a post about FR.  EU providers continually claim how much they respect privacy and protect data, yet they hide their use of this service. I have yet to see a reference to FR in terms and conditions, or confirmation that your personal data may be transferred outside the EU.  Harzem simply point blank refuses to deal with any of these issues.

The appeal process is another thing.  Harzem constantly goes on about how there is no identifiable client information held and that he never sees personal data on anyone.  So what if I have to come to you to appeal an entry in the system?  The host refuses to remove it, and the only way I can prove to you that it's false is to give you a document or email that I can't censor but that reveals more of my personal data than I would want a real service to see, never mind FR?  

FraudRecord is something like 1k~ members; even at $20 per year = $20k income potential.
I am sure the intention was to provide a solid, reliable database for the hosting industry.  If, once that grew to a certain level, Harzem could have charged for it, and why not, if it's providing a decent service then it's offering value worth paying for.  The issue though is that you would be paying for a database top heavy with useless crud.  Harzem himself admits that FR is used in the main by LET type providers; the quality is just not worth paying for.  Not saying it's totally useless, as there is good info in there, but not enough.

The amount of unreliable information far exceeds the reliable.  When you realise that idiots like GVH and others use it as a revenge service how can you treat it as a useful tool?  Or consider paying for it? This is the kind of thing that will prevent the largest market players wanting to participate in this kind of service who would bring a serious amount of good data to the table.

I have seen lots of reports in FR that are there simply because MaxMind found an issue, so it's a duplication of information.  Who is that useful for?  People who are too lazy or cheap to use MaxMind and rely on FR only, or just in general too lazy to be bothered making an effort, full stop.

You can easily see the logic with providers where someone, for example, gets 3 reports for DDoS and chargeback.  Provider one reports the client for DDoS/chargeback; provider 2 gets a request from the client and sees the report by provider 1, but ignores the report in favour of the $2 he would otherwise lose, and within a month the client uses it for DDoS/chargeback.  And so the cycle continues!



If there can be databases for credit rating / credit score and such, why can't there be other similar databases? What makes this one different from the database of bad debtors?

That is a really bad comparison.  For one, credit rating and scoring is heavily regulated and audited.  Most importantly the information there is factual.

As a very rough example, I go to a bank and borrow $1,000 repaid at $100 per month over 10 months.

That bank will send data to the credit agency telling them whether I paid on time, paid late, stopped paying, was taken to court and so on.  They do this via factual information only, using codes.  Within the credit entry a 1 means I was 1 payment late, 3 means three payments late, D means I stopped paying and have since defaulted. You will never find an entry on a credit report that says "client is an asshole, do not lend".

In FR the reports use free text which can be emotive, aggressive and ultimately can rarely be relied upon as to whether they are factual.  The free text comments are very often emotive, badly written and read more like a rant by a child than a true report of a client having done something wrong and not to be considered for service elsewhere.

Now of course many will say that as it's only "bad" clients they report what is all the fuss?  But that is my point at least, where it's already been used several times as a revenge system then it's clearly not just a bad client reporting system.  Aside from this truly awful lapse in security it needs to burn in a fire generally, Harzem needs to stop acting like a spoiled child and it needs a complete rebuild to actually deal with the truly important elements.

/rant
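The question Lee's post turns on is whether a "one-way hashed" identifier is still personal data. The example below is added here to illustrate that point; it is not code from the thread or from FraudRecord, and the addresses and the candidate list are constructed for the demonstration. It runs the check a data-protection auditor would run: given only a stored token and a list of plausible inputs, can the token be re-linked to its input by recomputation? With a bare hash it can, which is why the May 2014 EU opinion classes hashing as pseudonymisation rather than anonymisation; a keyed hash (HMAC under a key held only by the database operator) stops an outsider, but the operator can still relink, so it is still pseudonymisation, not anonymisation.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample input: the address a reporting provider would submit.
REPORTED_EMAIL = "alice.example@example.org"

# Constructed candidate list: addresses an outsider already holds from some
# other source (prior customers, a leaked list). Invented for this example.
CANDIDATES = [
    "bob@example.net",
    "alice.example@example.org",
    "carol@example.com",
]


def normalise(value: str) -> bytes:
    """Canonical form so that case and whitespace differences do not break matching."""
    return value.strip().lower().encode()


def bare_hash(value: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone who can guess the input
    recomputes the same token. Shown as the weak form."""
    return hashlib.sha256(normalise(value)).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 under an operator-held secret: the token cannot be
    recomputed from a guessed input without the key."""
    return hmac.new(key, normalise(value), hashlib.sha256).hexdigest()


def relink(token: str, candidates: Iterable[str],
           tokenise: Callable[[str], str]) -> Optional[str]:
    """Audit check: does recomputing the token over a candidate list tie the
    stored token back to an input? Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Returns (bare-hash relink, keyed relink without the key,
    keyed relink by the key holder)."""
    stored_bare = bare_hash(REPORTED_EMAIL)

    operator_key = secrets.token_bytes(32)          # held only by the operator
    stored_keyed = keyed_hash(REPORTED_EMAIL, operator_key)

    # Outsider: has the token and the candidate list, not the key.
    bare_result = relink(stored_bare, CANDIDATES, bare_hash)
    outsider_result = relink(
        stored_keyed, CANDIDATES,
        lambda c: keyed_hash(c, b"a-guessed-key-not-the-real-one"))

    # Operator: holds the key, so a fresh query still matches the stored token.
    operator_result = relink(
        stored_keyed, CANDIDATES, lambda c: keyed_hash(c, operator_key))

    return bare_result, outsider_result, operator_result


if __name__ == "__main__":
    print(demo())
```

The keyed variant only moves the problem to key custody: if the key is stored beside the tokens, or leaks, the tokens are as linkable as bare hashes, and the operator can always relink by design, which is what the appeal-process point in the post above is about.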
 

drmike

100% Tier-1 Gogent
 




I have raised these kinds of issues almost every time I see a post about FR.  EU providers continually claim how much they respect privacy and protect data, yet they hide their use of this service. I have yet to see a reference to FR in terms and conditions, or confirmation that your personal data may be transferred outside the EU.  Harzem simply point blank refuses to deal with any of these issues.

...

Now of course many will say that as it's only "bad" clients they report what is all the fuss?  But that is my point at least, where it's already been used several times as a revenge system then it's clearly not just a bad client reporting system.  Aside from this truly awful lapse in security it needs to burn in a fire generally, Harzem needs to stop acting like a spoiled child and it needs a complete rebuild to actually deal with the truly important elements.

/rant
I couldn't have said it better and I shall not try. :)
 

AnthonySmith

New Member
Verified Provider
Human error, bad practice, call it what you will, and you are right, it is not good practice, etc. But posting it publicly first is another, separate matter. I think notifying them and giving them 24 - 48 hours to fix it before making it public would have been less of a 'dick move'.

just my 2c
 

northhosts

New Member
Verified Provider
Anybody who is handling data in the fashion they are should be super tight. We are registered with them ourselves and use them to double check suspect orders that get through MaxMind. It's worrying that they let that happen, to be honest.
 

drmike

100% Tier-1 Gogent
Human error, bad practice, call it what you will, and you are right, it is not good practice, etc. But posting it publicly first is another, separate matter. I think notifying them and giving them 24 - 48 hours to fix it before making it public would have been less of a 'dick move'.

just my 2c
This data was exposed for some chunk of time.  Unsure of the start date, whether multiple days, weeks, or months.

By the time I noticed this, many people were already through it.  Damage was already long done.  Data then already grabbed.
 

harzem

New Member
This data was exposed for some chunk of time.  Unsure of the start date, whether multiple days, weeks, or months.

By the time I noticed this, many people were already through it.  Damage was already long done.  Data then already grabbed.
No, it was uploaded about 2 hours before you exposed it, and it started getting server hits after you exposed it. Check the email dates. It was your "dick move" not to alert me.


Give yourself some credit, you found the bug first, right after it was uploaded. Congrats!
 

drmike

100% Tier-1 Gogent
No, it was uploaded about 2 hours before you exposed it, and it started getting server hits after you exposed it. Check the email dates. It was your "dick move" not to alert me.

Give yourself some credit, you found the bug first, right after it was uploaded. Congrats!
Definitely wasn't me that found it.  I can't say 2 hours or 2 years of exposure.  There are logs, you should see how many people and IPs hit those pages.
 

harzem

New Member
I take all the blame for lack of proper security and by relying only on "security through obscurity", as you can see I've never even tried to defend what I did.

But I uploaded the folder exactly 3.5 hours before you started this topic, as I determined now. Also, every hit to that email1.php file you linked, generated another set of emails. I was able to detect it and stop it at 23 hits. A few people received up to 23 emails, some people received less, and about 90% of people received only one email as they should. Because the email system doesn't send in bulk, it has delays after each email. The earlier I spotted the php file was being hit multiple times, the earlier I could stop further emails.

So, in short, the hits to that file started AFTER you found the email1.php file. Every run of that script would start an email, and I'm the first one to get the email.

I uploaded the folder/files and started sending the emails at Thu, Feb 12, 2015 at 10:44 PM, which is the first run of the script.

I received a second email, which indicates someone found the script, at Fri, Feb 13, 2015 at 2:24 AM (3.5 hours later)

I received several more emails in a few minutes, indicating the script was being run again and again.

You opened a thread at Fri, Feb 13, 2015 at 02:35 AM (11 minutes later) with your findings.

I kept receiving new emails, after people started clicking on the link. I was already aware and online, I logged in and disabled the script, and removed the exposed files.

5 days later you insist you aren't the one who found the script, but I do have access to a lot of data and those 11 minutes after 2.24 AM gives me all I need. I know that exactly at 2.24 AM, that email list was first clicked by anyone.

Now, if you aren't the one who found it at 2.24 AM, you sure had a good contact with whoever did it, since 11 minutes was all it took you to open a thread here after the script was run without my authorization or knowledge.

The unsecured files weren't even there before 10:44 PM; that's the upload date from my local machine to FTP. All dates/times are in my time zone here. It's Feb 17th, 10:38 PM here right now if you need to compare.
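The failure harzem describes above has two parts: the mailing script was reachable over the web, and every hit to it restarted the batch, so some recipients got the same message up to 23 times. The example below is added to show the idempotency half of that; it is not the thread's or FraudRecord's code, and the recipient addresses and run name are constructed. It keeps a ledger of addresses already mailed for a given run plus a non-blocking run lock, so re-invoking the entry point (whether by a duplicate cron fire or by someone hitting an exposed URL repeatedly) sends nothing a second time. The ledger and lock are in memory here so the example runs stand-alone; a deployment would persist the ledger, e.g. a table keyed by (run_id, address).

```python
import threading
from typing import Callable, Iterable, List, Set


class MailRun:
    """One announcement run. The sent-ledger and the run lock live outside the
    per-invocation scope so that calling invoke() again does not restart the
    batch. In-memory for the example; persist both in production."""

    def __init__(self, run_id: str, send: Callable[[str], None]):
        self.run_id = run_id
        self._send = send                  # transport: takes one address
        self._sent: Set[str] = set()       # ledger of addresses already mailed
        self._lock = threading.Lock()      # at most one batch in flight

    @staticmethod
    def _canonical(addr: str) -> str:
        # Same address in different case/whitespace counts as the same recipient.
        return addr.strip().lower()

    def invoke(self, recipients: Iterable[str]) -> int:
        """Entry point each hit of the script would call.
        Returns the number of messages this invocation actually sent."""
        if not self._lock.acquire(blocking=False):
            return 0                       # another invocation is mid-batch: do nothing
        try:
            sent_now = 0
            for raw in recipients:
                addr = self._canonical(raw)
                if addr in self._sent:
                    continue               # already mailed in this run: skip on re-run
                self._send(addr)
                self._sent.add(addr)       # record immediately so a crash cannot repeat it
                sent_now += 1
            return sent_now
        finally:
            self._lock.release()

    def sent_count(self) -> int:
        return len(self._sent)


def simulate(hits: int = 23) -> List[str]:
    """Drive one run through `hits` invocations and return the outbox."""
    # Constructed recipient list; the duplicate differs only in case.
    recipients = ["a@example.org", "b@example.org", "c@example.org", "A@example.org"]
    outbox: List[str] = []
    run = MailRun("constructed-announcement-run", outbox.append)
    for _ in range(hits):
        run.invoke(recipients)
    return outbox


if __name__ == "__main__":
    print(simulate(23))
```

The ledger does not address the other half of the incident: a script and recipient list that are only meant to run from cron or the command line should not sit under a web-served directory at all, and the entry point should refuse anonymous requests; the ledger just caps the damage when that control fails.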
 

drmike

100% Tier-1 Gogent
Yeah definitely not me that found them.  

Your friends and foes are in IRC.  That's likely the vector where it was spread from.

I don't partake in IRC, contrary to phobias out there.
 

harzem

New Member
Would you like to enlighten me as to how you got hold of it then, 11 minutes after it was first discovered?
 

drmike

100% Tier-1 Gogent
Read above up there.  Someone was dumping that URL/data on IRC.  

Now I didn't see the conversation, nor was I on IRC, nor do I have a log of such.

I was passed a message here (I think) about public exposure and noted it was being tossed around on IRC, so was public.

Which IRC channel?  I am unsure,  I think it was mentioned as being on the lowend channel though.
 

Lee

Retired Staff
Verified Provider
Retired Staff
Would you like to enlighten me as to how you got hold of it then, 11 minutes after it was first discovered?
Who, what, when.  Makes no difference.  You got caught with your pants down, accept it. Instead of now trying to turn this into a witch hunt and take the heat away from you, do a proper audit and make sure it does not happen again.
 

harzem

New Member
I accepted it (again) just 4 posts ago, the first sentence, if you bothered to read.
 

Lee

Retired Staff
Verified Provider
Retired Staff
I accepted it (again) just 4 posts ago, the first sentence, if you bothered to read.
Yes, I saw it, that one and only line before another 15ish focusing all on the hunt.  I get it, you are a sensitive soul, that has always been apparent.  You don't like your kid being called ugly, but it is.  And this now makes not only the consumer more nervous about your kid but hopefully providers as well.  That is where your attention is needed.  Not here trying to find out who was the cause for leaking your mistake.
 

harzem

New Member
I'm also a designer, I've had a lot of negative feedback from random people as well. I got good feedback and bad feedback about my designs. I keep it professional, I don't mind my kid being called ugly there.

It used to be the same for FraudRecord. I've dealt with you in the past, always being against everything FraudRecord has. I've fought against people who claim it's illegal, it's against EU regulations, etc. etc. People claimed to have reported me to the police. They reported me to Wiredtree, my hosting company, for spamming, only to find out I obey ALL spam regulations. I have my server active. People kept searching for legal flaws, mostly regarding sharing private info with 3rd parties.

They never seem to realize that FraudRecord requires that providers mention it in their Terms of Service:

https://fraudrecord.com/sign-up/

When you start using FraudRecord to submit reports or make queries, you will be sharing non-identifiable client information. You will need to reflect this in your Terms of Service. You may use the following example:

 

[Your Company Name] utilizes FraudRecord to screen new orders for previous fraudulent activity and report existing clients who violate our Terms of Service. In case of a violation, you may be reported to FraudRecord for misbehaviour using one-way hashed information.
 

Then people blame me for providers who don't mention it in their TOS.

 

I'm hosted at Wiredtree. Their contact information is on their website. If anyone feels I'm violating privacy laws or spam laws they are welcome to contact Wiredtree to get me suspended. The fact that FR is still online isn't because people haven't tried. It's because I obey the rules.

 

People blame me for sending spam emails. One guy here thinks he can get me into jail! Here are the facts:

 

I don't use false or misleading header information or deceptive subject lines. I identify the message as an advertisement. I only send to those who verified their email addresses, fully knowing that they may receive emails. I provide contact info on my website. I allow recipients to opt out of receiving future messages. I honor opt-out requests immediately; in fact they are automated.

 

Those who complain about my emails are those who never read the TOS on the website before they registered.

 

Also, you do remember all the fuss last time I sent emails? Do you know how many of ~1k members actually unsubscribed last time? Take a wild guess for me please. (Hint: the answer is 8 people). Then the others started complaining all over again this time. Some guy went crazy here (DomainBop) calling me a spammer again.

 

So yes, I'm sensitive, and I'm going to run FraudRecord as I see fit, that is abiding by rules and regulations, and not caring what people who don't like FraudRecord call me. 95% of the memberbase know what they are in. They know they can opt out of the emails that they opted in when they registered.

 

I already took the responsibility for the failure to secure the directory. But in all 55 responses in this thread, how many are about the security, how many are about the email advertisements, how many are about how FR is illegal in X countries or laws?

 

I'm sensitive because the same people, drmike, Lee, DomainBop, a few others, run around the same old issues of blaming me for running an illegal boat, or running spam campaigns. So I'm defending my "kid" as you delicately put. I'm not worried or afraid of what I'm doing, I stand by it. I failed to secure a directory, some guy posted that online instead of alerting me, because he is in the team that loves to hate FR.

 

So yes, I'm sensitive when it's about FraudRecord. You keep not liking FR, I keep running it. I guess we'll need to leave it at that.
 

Lee

Retired Staff
Verified Provider
Retired Staff
I have never accused you of spamming, that's a worldwide persistent nuisance that will never go away.  I have no time to complain about that.

I won't go over all my very valid points made about FraudRecord, because you know many of the points I have raised time and time again.  You ignore them every time, not because you have a defence.  

As I have always said, great idea, useful system but badly managed and executed.  You let anyone use it and abuse it.  If nothing else it will be confined to a limited market space with no strength or relevance, ignored by the sensible providers who are capable of spotting the crud.  It's a useful tool for the masses of the lowend market that is riddled with the type of clients that cause the bulk of the problems within that sector.  However when the spammers get wind of being on FR they adapt and evade.  Like I said above, a database top heavy with useless crud.

But yes you are probably right I do keep running around raising the same issues because I believe my concerns are valid whilst you exploit FR for your own gain whilst ignoring providers who use your system to get back at clients as revenge for a negative but truthful review.

Yes, you keep running FR your way and trying to convince people it is doing nothing wrong.  Every thread that pops up as you say always ends up about what FR is not doing, that should tell you something.
 

AnthonySmith

New Member
Verified Provider
sigh.... some people have a love hate relationship with this whole industry, they love to hate it, some people thrive on chaos.

2 issues:

1) That it was allowed to happen, clearly human error. Is it good enough? No, but it was done and it has been fixed and we can only hope lessons were learned. 

2) Posting it on a public forum, IRC channel etc before notifying FR, no real excuse for that, but that is human nature for you, some people love the chaos and probably have very empty lives and are beyond even understanding why this was a stupid way to let people know in the first place.

If people are going to pound Harzem in to the ground over it at least separate the 2 issues.

I know not everyone will agree but that is what I think.
 

drmike

100% Tier-1 Gogent
Constructive post there @harzem.

I point to things where they need addressed.   Believe me, if I had it in for you and FR, dumping public info would be the least I'd do.  Witch hunting me for posting it won't work.  Everyone knows I punt stuff fairly equally when deserved.   The deserving part went like this:

1. People complained about email ads prior (we had a thread here and such was said to be stopped / not again)

2. I am unsure if opt out functions and all are in place for providers before they get more of that.  Such wasn't at signup and auto opt-in per se I bet.  (could be wrong here).

3. It was another email ad blast about to happen.

4. In same directory as ad blast were plaintext details on users (yes only their emails and IDs)

Big picture FR does a bit, it's half baked though and like DomainBop did point out earlier, it's very similar to an earlier company (for profit) that was smacked down and out for the same deficiencies.  I may not agree with some finer points and see utility of such a service, but the lack of due process, rebuttals, policing screwballs who misuse the system (see: GVH vs. William for example).... yeah it's concerning.  Plus the name of the site is a violation of the English language and misleading by name.  People are shoe-horning non-FRAUD issues into the system and such is allowed :(

I don't have a competing product to promote and enrich my pocket, so no ill intent.  I know companies that use FR and big picture I disagree with said use and note their Terms lacking such disclosure.   I'll say I bet if I audit all the companies using FR that 15% or less disclose their use of the service in Terms and wrongly believe such is covered under their third-parties business operations umbrella style clause.

Similarly, these users, the ones with own IP allocations aren't rightly disclosing that they broadcast customer details to ARIN either.

Sadly, I don't think the deficiencies are related / exclusive to Lowend companies.  It's just business as usual and half assed at that.
 

harzem

New Member
Yes, you keep running FR your way and trying to convince people it is doing nothing wrong.  Every thread that pops up as you say always ends up about what FR is not doing, that should tell you something.
It's the same 3-4 people who keep trying to convince me regarding how I should run it.

I realize the need to properly verify providers, or even read/approve every report to make sure the text content is useful and informational.

FraudRecord receives about:

70 new registrations per month

600 new reports per month

50 removal requests per month, that requires investigation and discussion with both parties

Hundreds of DDoS attacks

$250 in donations

FraudRecord needs:

$125 to run including backup system

20+ admin hours per month for removal requests

50+ admin hours a month if I start approving all reports manually

10+ admin hours a month if I start verifying all providers by researching each one online for reputation?

That leaves me about $125/mo for all the admin hours people ask me to spend. I apologize to those who think getting one email every few months is annoying, but I need everything to run this for free.

But I will listen to one of your previous recommendations. I will monetize it more to make sure I can spend proper time to increase the quality of the memberbase and the individual reports. I will get a lot more hate for monetizing some parts of FR, but it's either that or no FraudRecord at all, if the current way isn't working for everyone.
 