BlueFrog back, sort of.

Winning the award for one of the odder names I’ve heard in a while, Okopipi promises to carry the BlueSecurity flag onward (Cnet article here).

Security expert Gadi Evron has serious doubts. From an IRC session with one Okopipi person (it’s worth noting that the person Gadi was talking to does not represent the core organizers of Okopipi):

“what you do, in simple terms... and without trying to hurt you, as you guys are trying to also fight the good fight... is stupid and proven wrong”

And he continues in a blog posting:

Thing is, a P2P network is just as easy to DDoS. It has centralized points.

It is, indeed, a botnet.

Gadi also discusses what I consider the major glaring problem with this system: it will use an opt-out registry (a “Do Not Email” registry). I asked someone with the Okopipi project about this and got this answer:

The answer is yes, we currently believe the best solution would be to have a way for spammers to cleanse their list with an opt-out registry. Yes, it will be possible for spammers to compare a cleaned and non-cleaned list to find out which e-mails were on the list, but remember this will only give the spammer a list of addresses he already had. The encryption of the list would prevent them from using it to add previously unknown addresses to their list.

Remember, the idea is to get spammers to remove those people from their lists who do not wish to receive spam. We have no intention of stopping anyone who sends bulk e-mail from sending to people who wish to receive it, or of putting them out of business.

Look, I really respect this group for the effort, time and attention required to launch such a project. I think their heart is in the right place. But I think it’s an awful idea to have this registry.

The logic that a spammer comparing a list he has against Okopipi “will only give the spammer a list of addresses he already had” is flawed. It assumes spammers only hold the lists they already have. Whatever “encryption” is applied to the registry, a spammer has to be able to test his own addresses against it in order to wash his list, so he can test any address he cares to guess against it too. It’s not hard for a spammer to generate or buy a massive list of candidate addresses, compare it against the Okopipi database, and treat every match as a confirmed, attended mailbox belonging to someone who objects to spam. At that point the registry has handed him exactly the target list he needs to start the war... again.
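To make the point concrete, here is an added example (not code from the original post or from the Okopipi project) of the list-washing attack just described. It assumes the registry is distributed as a one-way hash of each address, since the post only says “encryption”; the registry format, the hash choice and the sample addresses are all constructed for illustration. The honest use of the registry and the attack are the same operation: the spammer feeds in a list and learns which entries the registry contains.

```python
"""Added example (not from the original post or the Okopipi project).

Models list washing against an opt-out registry. Assumption: the registry
is published as an unsalted SHA-256 digest of each normalized address so
that senders can check their lists offline. All addresses below are
constructed sample data.
"""
import hashlib
import itertools


def normalize(addr: str) -> str:
    """Case-fold and trim so the same mailbox always hashes the same way."""
    return addr.strip().lower()


def registry_digest(addr: str) -> str:
    """One-way transform applied to registry entries and to lookups.

    A secret salt would not help: anyone allowed to wash a list must be
    given the salt, and the spammer is the intended user of the registry.
    """
    return hashlib.sha256(normalize(addr).encode()).hexdigest()


def build_registry(addresses):
    """The published 'Do Not Email' registry: a set of digests."""
    return frozenset(registry_digest(a) for a in addresses)


def wash_list(candidates, registry):
    """What a cooperating spammer is supposed to do with the registry.

    Returns (kept, removed): 'removed' is every candidate that appears in
    the registry. Comparing 'kept' to the input reveals the same thing.
    """
    kept, removed = [], []
    for c in candidates:
        (removed if registry_digest(c) in registry else kept).append(c)
    return kept, removed


def dictionary_candidates(local_parts, domains):
    """Cheap candidate list the spammer never 'had': names x domains."""
    return [f"{lp}@{d}" for lp, d in itertools.product(local_parts, domains)]


def harvest_opted_out(local_parts, domains, registry):
    """The attack: wash a guessed list and keep only what the registry
    removed. Every returned address is a real, attended mailbox whose
    owner asked not to be mailed, and none of them was previously known."""
    _, removed = wash_list(dictionary_candidates(local_parts, domains), registry)
    return sorted(removed)


# Constructed sample registry contents (not real people).
OPTED_OUT = ["alice@example.com", "Bob@example.net", "carol@example.org"]
REGISTRY = build_registry(OPTED_OUT)


if __name__ == "__main__":
    # Legitimate washing of a list the spammer already holds.
    known = ["alice@example.com", "dave@example.com"]
    print("washed:", wash_list(known, REGISTRY))

    # Same API, guessed input: the registry confirms addresses it was
    # supposed to protect.
    guesses = ["alice", "bob", "carol", "dave", "erin"]
    domains = ["example.com", "example.net", "example.org"]
    print("harvested:", harvest_opted_out(guesses, domains, REGISTRY))
```

The only thing the digest buys is that a spammer cannot read the registry directly; he has to guess. Email addresses are low-entropy (common first names and a handful of large providers cover a lot of ground), so guessing at scale is the normal way such lists are built anyway, and the registry turns each guess into a verified hit.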

One thing I can guarantee: I won’t be giving them my email address.

However, to their credit, they are open to new ideas and changes and have invited others in the security community to join the discussion. If you feel strongly about the issue, go to their website and start yacking on their forums.