I use generated passes on my hosting, and my root pass is getting changed after I have the admins look at my server.

I was talking more about an outsourced admin person, someone who's not in the company's office, but different country

and I dont give out my SSN when signing up for porn sites but have to with some or most sponsors, and some of them don't even have HTTPS forms for that

It's only illegal if you sell it, or use it to benefit from.

That is what I am talking about, you can easily make a track.php of your own which loads our track.php 80% of the time and the other times just does the redirect to the tour. But unless you pass the reseller id along, it is NOT transparent is it? And once you do that, as long as you do not make other changes to the system, the sale is tracked.

I am not arrogant btw, and not naive. I'm proud of my programming, thats it really.

I know that one of the reasons of open source is auditing. That does not change the fact that the reason why we encoded it is to SECURE our property. If we did not do that we could not have licensed it and everyone could have stolen our ideas. Why would anyone let that happen in a commercial environment?

From how you talk, you must be some open-source-lover. Do you read through the source of every single program you want to use before actually using it?

BTW, if open-source is there to have apps run "flawless"... I wonder why the heck there are new security holes found in open source apps every day. Does not seem to help much that great open-source idea, huh?

Of course, you will now come and say "but non-open-source apps have even more holes".....

LOL. Great examples. You know what isn't open-source that we use? Zend Optimizer, Zend Licence Manager, Zend Encoder. You know why? Because it HAS to be closed source to secure its inner workings.

And you are correct, Linux is entirely open-source. And I am using ICQ apps which are open-source too (they can nolonger connect me to ICQ, but heck, ICQ 4 is just annoying). This is all great.

I have no idea if you did not read what I write here. Or if this is the first thread you read about this (doubt it since you are so extremely pissed at me)... I said MULTIPLE times that it is possible to add stuff to shave AROUND NATS. The only thing I have also said is that its NOT as easy as everyone thinks to do so transparently.

Can you do anything else than insult me? No idea why you react so extremely aggressive. What did I do to make you so pissed at me?

I have explained in the previous post why simply wrapping track.php does not help in transparency...

I did not attack you for saying its possible to write something for shaving aroudn NATS. I attacked you for saying it would take 5 minutes. Thats simply not true. There are more things you need to do than you might think... Do not pretend to be a know-it-all. I might be more intelligent than you think ;)

Like John said, we wrote other affiliate apps, for privat use only. Multiple ones over the years.

Me myself, I wrote a big number of statistical apps. I guess you would call it "counters" ... really more than that though: PornTrack, Counted!, SexTrail, PornGraph. I wrote log-analysers too.

I also wrote a web server (daemon) system, but it was never released due to lack of time. It works well though.

I wrote big parts of a WebCam-Network's backend and some of the frontend.

And then a bunch of smaller apps that I really forgot about already.

3 people own Too Much Media, I am one of them.

Nathan = Fabian. Btw, its _FABIAN_ and not Fabien. Why does everyone mess up my name? :(

PornTrack? I wrote it, did not sell it though. I got fucked by my ex partner (Preston) on it. Lost a bunch of $$. That was YEARS ago though.

You do not have to give us admin access to NATS. We do not HAVE to update your script if you think we have any interest in "lifting" any information from your database. We are the last to do that though, we have 0 interest in it.

We do understand the concern and thats why we let you lock us out. And when we want to update your scripts, we can walk you through doing that yourself.

If someone - user or programmer - wants to go the open source route, fair enough, but let's not start talking as if it is anywhere near the norm. I worked as a consultant project manager for several years with a lot of household name companies and I can count on my fingers the number of times I came across unencoded software in production use.

Never mind software intended for sale to multiple clients, contracts for custom-coded software often did not include intellectual ownership of the software and it was therefore encoded. Clients might have access to the plain code, but that was usually for specific reasons and in controlled circumstances. Even software developed in-house was commonly encoded before going into a production environment. None of which prevented auditing, custom coding on request, etc.

Unless a program is a relatively simple one, or you put far greater resources into understanding it than any honest person or business is likely to commit, you don't need to see the code and doing so won't benefit you in any way. So why expect the author to make analysis of his work easier than it need be?

That aspect of this thread apart, I have to wonder at the motivation behind some of the posts knocking NATS. So what if their software is as vulnerable to cheating sponsors as any other? That doesn't make them guilty of anything worse than maybe over-hyping that it hasn't got any shave features built in and their promise to go after anyone who adds their own. Maybe they will do that, maybe not, but no-one has suggested they have already turned a blind eye to such abuse.

Which all makes it a bit odd that in this thread anyway, they have come in for more flack than Mansion, who actually were caught supporting sponsors with features intended to cheat their affiliates.

But the click is not tracked. So we wrap signup.php as well. Very difficult =P

Please tell me you're not that naive. Fair enough you want to protect your property - but there are laws for that. I'm sure there's nothing amazing about your PHP that is so revolutionary that it will be stolen.

Moreover, I do love open-source and there's definitely nothing wrong with that. I'm sure your servers are running Linux/FreeBSD, which is open-source. You use PHP, which is open-source. You use MySQL, which is open-source. I'm not required to read through the source of every application I run because I am confident that it has been audited correctly by the open-source community several times over. But it certainly helps when I am curious as to how a certain application is working.

It's also rather useful when developing FOR a certain application. For example, developing an Apache module - the source is essential.

And finally, you've proved you have NO clue about security. Go subscribe to bugtraq and see the spread of vulnerabilities. Linux/FreeBSD/OpenBSD .. hell ANY of the Unixes haven't had a major remote vulnerability in yonks. Lets see about Windows - two DCOM vulnerabilities in the last year? More IIS vulnerabilities. The list goes on.

You'd have to be absolutely out of your mind to try to tell me, that closed-source applications are somehow more secure. The reason bugs are often found in open-source applications, is because they are much more easily audited. So while the open-source applications have the non-critical bugs ironed out of them, people are stumbling across MAJOR vulnerabilities in things like Windows all the time.

How about the fundamental flaw in the Windows messaging system that allows anyone to escalate privileges? Shatter?

Clearly, you have no idea what I'm talking about because you haven't researched that much into security. But trust me, I have. I'm not going to sit here and argue what OS is more secure or something stupid like that. I'm just going to say, that open-source makes me feel much safer on the boxes I use.

Why does it have to be closed-source? Some pretty major companies run entirely open-source software. Major encryption algorithms are open-source. SHA/MD5/etc. So really, unless it is using a very weak method of encryption, Zend Optimizer doesn't need to be closed-source. This is what we in the industry call "security by obscurity" which is generally shunned upon as it is, evidently, not secure.

I am not "pissed" - more attacking your arrogance. The fact that you are trying to promote your program is the best out there and everybody loves it is just way too over the top. I have absolutely nothing against NATS - but when you start directly saying you'd "sue" me if I did this, "no this definitely isn't possible!" It's ridiculous and unprofessional. Being humble is often a wise idea.

Oh, and my explanation in my previous posts as to how to get around that is there as well. Wrap track.php to shave the clicks; wrap signup.php to shave the sales. Of course, you'd have to write something to add a member to the database into the wrapped signup.php but that's not difficult.

The fact is, it could easily be done. And it's far from a huge job. I could do it in 5 minutes I'm sure; others may take longer.

Yes, so now you have to at the same time you wrap track.php also wrap signup.php ... to achive anything effective. Means, to make it transparent you also have to implement your own cascading system that works like NATS does or a webmaster (or us btw) could see you messing with the system at that end.

So now you have 2, no 3 points of failure of your great shaving wrapper around NATS, which are all prone for us to detect you doing something weird with the traffic.

The signup.php could simply modify the "nats" variable with the new campaignid and then include() the old signup.php. Transparent to the user, and the signup can go as planned.

Simple enough. 10 lines of code?

If there is nothing revolutionary in our system, I wonder why all our features are more advanced than any of the competition. It has nothing to do with me scripting some amazing PHP, its the features and how we make them work which is the thing we protect.


It was obvious you love open-source. And I have never said there is anything wrong with it. And yes, we use FreeBSD, PHP, MySQL. All open-source. Whats your point? Because we use those we have to understand that its essential to use the open-source system for anything we do? You do not need to know how NATS works. If a client of ours has a specific question about the inner workings we TELL them. We do not have to give them the whole source of NATS. The is intellectual property and any way we can we will protect it.

BTW, there are books about writing Apache modules. The source is actually not essential. ;)

Did I _EVER_ say windows was more secure or had less bugs? Stop interpreting what I write. _YOU_ said that the reason you like open-source is that people know the app is FLAWLESS. FreeBSD and/or Linux has been open-source for a long time, who cares if there were no major security holes in the OS itself for over a year. Does that mean its flawless?? Far from it. Also, you come here and compare flaws in FreeBSD/Linux with IIS for Windows?!? There is more to unix system than the OS itself. SSH, APACHE, MySQL, sendmail (oh god sendmail), and what not. Did you forget about those? They all have had security problems in the past, and plenty of them.

My point was that open-source software is FAR FROM flawless like YOU claimed the whole point of open-source would be.

Of course, yet again, I am stupid, have no clue, you know it better, I have never heard of security, and am in general a stupid idiot which does not have a brain.

So sorry I pissed you off so much... LOL

Firstly - how are your features oh so much better? Because honestly I don't see anything so incredible. It's a well put together system, but it's not rocket science.

The fact is, you're talking about me as an "open-source lover" as if there's something horribly wrong about that. And you're arguing that open-source software has FAR more bugs (you actually said that). And yet, you're running that. So why didn't you develop in Windows, with ASP.Net and SQL Server?

Oh, and when was the last time you wrote an Apache module? I'm sorry, never? I've written quite a number of them and trust me, the source is essential. No book could replace being able to actually see how things are working. Talk from experience, not your time at the local bookstore.

No, you didn't say that. You said that open-source software has a lot more security flaws. Which is false.

What is also false, is that Apache, MySQL, sendmail, etc. is part of a Unix system. No, it's not. Apache, MySQL, sendmail and the like are applications that run most often on Unix systems. Apache and MySQL both have Win32 ports.

Now, compare Apache to IIS over the last three years and honestly tell me Apache has had more flaws. Do the same with any two open-source vs. closed-source applications.

I only say you have no clue, because you simply don't. Go visit bugtraq, read it for a few months. There are security companies who just constantly audit the open-source code. So let's think logically. The open-source code is getting audited by numerous, separate people ALL the time. The closed-source code is audited by the developers and that's it.

Logically, what is going to have more bugs? Seriously, you'd have to be extremely naive to think open-source is going to be buggier. That is one of the many advantages of open-source software.

The Zend suite of software is an attempt to push PHP commercial. The Zend engine in PHP is completely open-source and if the encoder was half decent, there would be no problem pushing it open-source.

The reason Zend optimizer is closed-source is because it works with encoded php scripts and they do not plan to make it easier for anyone to write similar encoding apps. At least thats what I am guessing.

This arguing back and forth about open or closed source is useless. You obviously have a fundamental difference in thinking in this area. We prefer to encode our source code to protect it against tampering with and steeling by our competition. If you do not agree with that... thats not my problem. I have good reasons and all our clients and a LOT of other people agree.

Why in gods name would we not promote our program as the best out there? You want us to say "We are great, but program XYZ is really better."???? Are you totally losing your mind now? We WOULD sue you if you went, got nats from us, then put a shaving system around it, and then used NATS and shaved around it. Of course we would friggin sue you. You just caused major harm to OUR business and ALL of our clients! Why in gods name would we NOT sue you!?

If have not said its impossible. I have said its not as easy as you think ;) Read what I write.

5 Minutes, good. :) You kick ass. I still do not agree that it is that easy though.

LOL... 10 lines of code to do that? Dude, you are not as good as you think you are...

Also, great system, just shitty when a reseller checks your cascade with his reseller code and somehow notices that, hmmm... why the fuck does NATS send the resellerid 0 or at least one that is not me to the friggin biller. Now that is weird huh?

Saying your program is the best is one thing. Telling people you'll sue them is another. You're over the top.

Sue this, sue that. Americans. That's one grand thing that we have here. If you even dreamt about sueing me for something like that, it'd get thrown out of court here so fast your lawyers would still be getting into their suits.

The great thing here is we have no DMCA copyright laws. I could legally decompile your source code, modify it with shaving and use it. And you wouldn't be able to do sweet fuck all to stop me. =)

Read what I wrote. You still haven't replied to my "10 line source code" post. Why is that not possible hey? It's just as easy as I think and you know it.

Still, you can go on and on saying how difficult it is, how near impossible it is. If you want to see if it really can be done, then let me. I'll prove to you that I can successfully create a transparent NATS shaver in under 5 minutes. Oh wait, shit I'm sorry, you'd sue me! Ah well, I guess we should all go back and lull in our false sense of security.

I agree, it is not rocket science. Still funny that somehow our cascade system is more advanced, our programs system is more advanced, our resellers system is more advanced, our stats system is more advanced, than anything I have seen out there. Configurability is the key here.


Because almost noone on this friggin planet uses IIS or windows servers in general. If 99% of the web would run on IIS, would you only code for Apache? No of course you would not.
I am not saying I love windows, I hate the bugs it has, I hate how unstable it once was (it isn't anymore in my oppinion). It really is bad sometimes.
WHERE have I said open-source apps have MORE bugs than closed-source ones? If I did say that, I appologize, I did not mean it that way. I can not find me saying that in this thread though.

LOL. You crack me up man. You do not even know who I am dude. Why are you judging me like this? Who are you to know if I ever wrote an apache module or not?!



I actually did not say that either. I said that open-source software has a lot of security flaws. NOT a lot MORE security flaws.

Of course Apache and so not part of the unix system itself. But _YOU_ put IIS in the same line as windows yourself. So do not do that either.

Yet again, I have not said closed-source apps are more secure! I said open-source apps are FAR FROM FLAWLESS. _READ_ what I write damnit.

Again, I have not said closed-source has less bugs than open-source. READ damnit. READ.

You do not want to get it right? Its about interlectual property. The second you push something open-source people can easily copy what you do. Why in gods name would anyone want to do that if they sell the app for a lot of money?!?!

There might be people that think its intelligent. I am not one of them.

I'm german. ;)

I would not be so sure about this. Is it legal in Australia to defraud someone that sells you something? (Traffic) I doubt it is.

Again, it might not be illegal to decompile source, change and use it in your fine Australia. I do doubt that taking away money from someone that sells you traffic is legal in Australia though.

I actually did reply to that great 10 line source code post ;)

Dragon, (or do I call you Curve? or Dragen Curve?) our goal is to keep our clients from even trying to defraud anyone. How in gods name is this a BAD thing? Whats your problem with that? Read jeyeff's post in this thread again, its a very wise one. (He is not a client btw, at least I do not know him.)

So we insert the member into the members table in our wrapper with the 0 campaign ID. Then we continue to pass the normal campaign ID to signup.php and we wrap process_epoch.php etc. We could even write an .htaccess which would do that automatically so anything hitting process_* would have that replaced. Then we could catch where it's redirecting to, and simply change the member ID being passed along. We could even clean up the member signup.php would create, if it did any.

Simple.

Nobody runs IIS? HAHAHAHA. This is too much.

How would I know if you've never written an Apache module? The way you talk about it. Go on - am I right?

I get your intellectual property speech. And like I said, if you'd read, that's fair enough. But my argument is that it's not as secure, which is very valid.

We do not consider decompiling source code and reusing it elsewhere as fraud. You can not legally protect any kind of source code here. I know the laws, thanks.

And I don't think shaving is illegal anywhere. You have no actual contracts. You have not priced anything. So no, you could shave like crazy and be well within the laws.

If you'd read my posts, I actually COMMENDED NATS for making it difficult for people to shave. You talk to me about reading, where's your comprehension skills? What I find amusing is that people think that because this isn't written into NATS, it'll never happen, and therefore NATS is a better program. It CAN be written.

Ok, now you also have to wrap all poll_ scripts because they will pickup the sales that did not correctly register with process_ or which somehow got the reseller dropped.

Of course wrapping that tends to get more and more complicated since those scripts pull data from another URL and uses it directly. So you would really have to rewrite those scripts instead.

This does nolonger take 5 minutes, do you agree? Now you have to do all kinds of things to modify and wrap and whatnot scripts in NATS. The effort is growing and growing and growing. And you never know, maybe we have more scripts that do checks of the posted data compared to the data we pull from the billers.. Hmm.... you wanna risk being cought shaving and lose your face? Or might you want to prefer to maybe just not shave and put all this effort in another place and actually try to make a good affiliate program?

At some point, Dragon, the effort gets too big to actually make it interesting to try to circumvent every little thing in NATS. Why not just write your own app instead? Sounds way easier to me than to risk us finding you shave and losing your integrity in this biz forever.

Thanks for proving my points ;)

I still stand by that I could achieve this in less than 5 minutes. Complete transparency. I'm serious - take me up on the offer and I'll prove it to you. Until then, your points will never be proven.

I'm not condoning shaving in any way. I'm merely saying I could EASILY do it.

Moreover, you overestimate the attention to detail of most people. I'd be willing to bet my left nut that you could do something as simple as wrapping just the track.php and signup.php and nobody would be any the wiser - even if the reseller ID of 0 was being sent through.

I could create complete transparency in under 5 minutes, with very few lines of code - and I'm more than happy to do so if you'd like. The only real way you can prove it's not transparent, is to have me do it.

But since it's clear that's not what you want, we can only speculate. Any decent programmer could write shaving around NATS. It's a fact.

Compared to other servers, it virtually is nobody. Ok, maybe what, 10-20% on the whole net? Thats not a lot though. Only 2 clients of ours used IIS till now. I was talking about this industry mainly.

No, you are not. ;) I actually wrote quite a few for myself and modified a few others to my liking. I do have a book btw, did not have to read through source to learn how to do it. ;)

Yes, you are correct, some closed-source apps are not as secure as other open-source apps. Statistically speaking, closed-source apps probably are less secure, you are right. But there now and then are closed-source apps which have not had any security problems yet. MS software is not really a great example for closed-source apps ;)

Oh and one more thing - how many of those poll scripts are actually pulling the campaign from the biller? gxb and tel2_helper? No need to use those billers then.

Which client of ours do you work for? You have never told me that.

The point also is not that RESELLERS might not see you shaving. Its _US_ you have to worry about the most here. ;)

Your ideas are good. Wrapping stuff might help, but EVENTUALLY, if you make it TRANSAPRENT and I see the usual stuff in all URLS, we _WILL_ catch the sale and assign it to the reseller. UNLESS you take NATS, totally write a copy of it yourself, and then claim you still use NATS but you really do not.

This totally defeats the purpose. We _WILL_ catch you.

Who knows... ;)

20% of the internet is virtually nobody? Uhhh..

Oh really, I'm intrigued. What did your Apache modules actually do? Out of pure curiousity of course =)

And you stand by that NATS is 100% secure?

Let me just say one thing. You can see how proud Nathan is of his programming and his stance on NO-SHAVING PERIOD. No webmaster is going to build a program and try to shave when Nathan finds out he can just push a button and turn off your program.

So that in itself is enough to show that all programs using NATS are honest and proud to use a software that opening stands against shaving.

Ah so you check every reseller on every single client you have. You must have a huge team to do that.

Dragon Curve - you seem to have some personal vendetta agaisn't NATS umhhhhh

I wrote one auth module which could use any number of password files instead of just one.

I wrote a module for one of my other sites to handle and display my directory of sites and searches. That was a few years ago though. Have not done much module work since then, started again just a week or so ago because we are working on a new auth/anti-password-trading/fraud module... But thats all still hush hush so *psssst*

We check every reseller? Why would we have to check every reseller? We will catch you ;)

BTW, you keep evading the question: which client of ours do you work for?

Missed that one, sorry...

I have never claimed NATS is 100% secure. There might be security holes in it we have not found yet, but we have people that actively search for them. If you know of a security hole, feel free to tell me on AIM: fthylmann about it so we can fix it and make this whole thing a safer place... Of course, people helping us protect our clients and fix bugs they find will get something back from us... We won't sue you btw ;)

So, if you know of a problem, make sure to contact me on AIM. I am all ears.