Profitsiege Email - Was From Doc ( In Case some Wondered)

Michael S

Make Money Online
> No, there's three things you need to know.
>
> 1. ... installed address, username, email address, and SHA-1 HASHED password of everyone who has installed PPV Demon. This doesn't give away anything. It seems this information is used to make sure that someone isn't using a disable receipt or perhaps password recovery via email.

As you say yourself, it is nearly impossible to recover a clear-text password from the SHA1 hash. Hence, it cannot be used for password recovery via email.

Ask yourself why things like your:
  • admin user name
  • admin password (hash)
  • admin email
are transferred to "Steven's" server at all. What does he need this data for, if not for shady reasons? All he needs to verify that you're not using a fake/stolen/shared license key is said license key and the domain you're running it on. Nothing more.

> 2. Steven's right in claiming that it would take forever (almost literally) to crack your individual password hash. In fact, the information wouldn't do anyone any good, unless they cracked the hash (which can be hard or easy, depending on how you view it with either bruteforce or rainbow tables, but it's still a lengthy process).
>
> The hash sent to the API isn't the same hash used to login to PPV Demon. If you poke around in the code some, you'll see that there is some salting done to the password before it's verified, and this salting changes the hash (i.e. makes it even harder to crack), that the PPV Demon script requires before logging you or anyone else in. So, there is no way for this to happen.

That may technically all be true. But it's totally missing the point. There is no legitimate reason for him to have ANY info about your password at all! It is your own, private, local installation after all. And depending on how the software is written, the hash COULD actually very well be used to gain unauthorized access.

> 3. There are no backdoors into PPV Demon. I've traced all the off-server inputs and outputs of the code. There's only a few calls to the PPV Demon server and as such, it's very easy to see what it does. Updates, registration, and licence query. The last two are really only done when you change your password (for recovery and licence management, it seems) and when you setup the site. The first one is done all the time, but only queries the server about to see if there's available updates and then to download them.

Not true. It does a license/domain query at every login, not just during setup and password change.

And what about the updates? PPV Demon has an automatic update feature that does not let you examine what is being installed on your server (unless you take extra steps that are probably beyond most Profitsiege users). This capability to remotely install any arbitrary new code, coupled with "Steven's" knowledge of your configuration can open all sorts of exploit angles, even abuse of your server for criminal activity. I'm not saying "Steven" is going to do this, but it's really entirely a question of how much you trust him on that - trust a person with a fly-by-night Clickbank offer who already lied to you about his own background.
 

Catz

Make Money Online
Very Active Members
I have sent you my email that I signed up with at PPV Demon. I would like to see what info has been distributed.
 

Michael S

Make Money Online
Oops, I can't send PM:

"To be able to send PMs your post count must be 5 or greater."

How about this then: reply to my initial email you received and let me know that you're Catz from this forum. If you can't find the email, look in your spam filter.
 

Bama

Make Money Online
> As you say yourself, it is nearly impossible to recover a clear-text password from the SHA1 hash. Hence, it cannot be used for password recovery via email.
>
> Ask yourself why things like your:
>   • admin user name
>   • admin password (hash)
>   • admin email
> are transferred to "Steven's" server at all. What does he need this data for, if not for shady reasons? All he needs to verify that you're not using a fake/stolen/shared license key is said license key and the domain you're running it on. Nothing more.
>
> That may technically all be true. But it's totally missing the point. There is no legitimate reason for him to have ANY info about your password at all! It is your own, private, local installation after all. And depending on how the software is written, the hash COULD actually very well be used to gain unauthorized access.
>
> Not true. It does a license/domain query at every login, not just during setup and password change.
>
> And what about the updates? PPV Demon has an automatic update feature that does not let you examine what is being installed on your server (unless you take extra steps that are probably beyond most Profitsiege users). This capability to remotely install any arbitrary new code, coupled with "Steven's" knowledge of your configuration can open all sorts of exploit angles, even abuse of your server for criminal activity. I'm not saying "Steven" is going to do this, but it's really entirely a question of how much you trust him on that - trust a person with a fly-by-night Clickbank offer who already lied to you about his own background.

Again, post a password, or are you going to just continue fear mongering for your own agenda?

There is nothing that can be used for anything and if you know so much you know full well that there is no "backdoors" but you conveniently skip over facts and go for sensationalism.

You spouted your rhetoric.
You have been asked to reveal a password.
Now I ask you to find a "backdoor" or how it can be used.
You are slowly destroying all of your claims one by one.
You missed the mark on the people who actually created the end product also, but you know
that right?

You bank upon the masses not educating themselves.
Emails ? Who cares everyone's email is on so many lists it is not funny.
username? who cares again everyone uses the same username over and over
Hashed password? You admitted that is of no use to anyone.
You can not access anyone's script.
Can not do anything to anyone's campaign.
Nothing.
You want people to pm you so you can pass off that little bit of info I just outlined above and look
like a hero. You will not do it in public even AFTER you sent that email that listed it for people anyway?
Get real. You are starting to slip some there :)

Keep dodging and redirecting.

The code is not encoded at all..... that alone shows there is nothing to hide.
But hey don't let facts get in the way of messing with your agenda :)


How about naming some popular IM scripts that people use that actually store the database information on the script owner's server when installing via their automated installation. You know they exist right?
I mean you are all knowing right?
How about the ones that are encoded that pass way more information....
You know of those also right?

Anyone that wants to know the truth can ask the script owners and get a straight answer.
You on the other hand are someone that has an agenda against the creators.
License queries are a part of life.
I am starting to think you bought it, refunded and thought you could keep using it.
Fact or Fiction? I bet fact.

Again if you have nothing to hide or gain reveal your true identity.
We both know you will not and will ignore this post and prey on people who get caught up in the sensationalism.

You said yourself "technically true". That ends the discussion.
Might want to uninstall any software you run
any OS as they all send information. Packet scan the next time you connect to your isp email or
hosting server *gasp* at the information being relayed and stored and the list will go on and on.


However keep posting. It makes good reading and good copy
 

Catz

Make Money Online
Very Active Members
> No, there's three things you need to know.
>
> 1. It was simple to retrieve everyone's after I received the above email. I checked out the link and saw that it did disclose the installed address, username, email address, and SHA-1 HASHED password of everyone who has installed PPV Demon. This doesn't give away anything. It seems this information is used to make sure that someone isn't using a disable receipt or perhaps password recovery via email.
>
> 2. Steven's right in claiming that it would take forever (almost literally) to crack your individual password hash. In fact, the information wouldn't do anyone any good, unless they cracked the hash (which can be hard or easy, depending on how you view it with either bruteforce or rainbow tables, but it's still a lengthy process).
>
> The hash sent to the API isn't the same hash used to login to PPV Demon. If you poke around in the code some, you'll see that there is some salting done to the password before it's verified, and this salting changes the hash (i.e. makes it even harder to crack), that the PPV Demon script requires before logging you or anyone else in. So, there is no way for this to happen.
>
> 3. There are no backdoors into PPV Demon. I've traced all the off-server inputs and outputs of the code. There's only a few calls to the PPV Demon server and as such, it's very easy to see what it does. Updates, registration, and licence query. The last two are really only done when you change your password (for recovery and licence management, it seems) and when you setup the site. The first one is done all the time, but only queries the server about to see if there's available updates and then to download them. In plain-text.
>
> Those of you who are paranoid are gonna be paranoid. Those of you who can listen to reason won't be, and those of you who can read code should check it out. It's safe.

Thanks for taking the time to check this out for MMD's members. I'm going with "safe" as per Salvatore.
 

Michael S

Make Money Online
I appreciate you are a sceptical person, there are a lot of scams and shady things going on on the Internet and it's definitely good to have your head in the right place and not believe everything you read.

Of course you should apply this to me.
But not only to me.

In this light, let's look at a few things. First of all, you say I "bank upon the masses", I "have an agenda", I "prey on people". Well, as opposed to "Steven Rounds", I don't sell anything. I just put my warning out there because people should be aware. I get no benefit from anyone heeding it. It makes no difference to me and I have no ulterior motives. There is no banking, there is no preying.

In general, it's a good idea to follow the money trail. Ask yourself: Could this person gain by lying to me? Ask this question about "Steven Rounds", then ask it about me.


You are asking me to reveal my true identity. What proof would you like to see? Do you want me to post my ID? And what difference does it make? What I had to say does not depend on who I am. My name is Michael, but again - I'm not the one trying to sell you something. I'm not the one making my identity, including previous employers and work experience, the cornerstone of a marketing campaign.

It's good to be sceptical. So have you also asked "Steven Rounds" to reveal his true identity? Have you grilled him about his made-up story of working for Paypal?


You are asking me to post a password. It was never my claim that I would be able to post anyone's password. Actually, there is a chance that with some extra work I may be able to find the password of a good percentage of the PPV Demon users, but again - that was never my claim and I have better things to do.

The challenge I posted earlier about PM'ing me your email address was to counter "Steven Rounds'" response that only email addresses leaked from his system. That's simply not true and easy to disprove.

My main claim was that by installing PPV Demon, you are giving the keys to your server to an unknown individual who already lied to you. I stand by that. "Steven Rounds" never worked at Paypal. And another poster called his pitch "one of the most deceptive I have seen in a long time."

I've been in the IM field for a while and like many I've become blind to some of the hype, fake testimonials and exaggerated earning claims that are just par for the course in this space. But when I see a never-heard-of guy with a fly-by-night Clickbank offer blatantly lie about his own background and then pushing a product that does shady things under the hood that it's not supposed to do - that crosses a line for me.

If you're looking for my motivation to contact his users, that's where it is. I hate seeing people pull shit like that giving the entire IM space a bad name, and I hope that if someone else found problems that affect my business security they would contact me too.

Talk about "preying on people". You have no idea what replies I got to that email. From people who literally thought they could just install the software and it would fill their bank account (after all that's what the sales page promised!), an uber-religious ex-Marine who wrote incoherent ramblings about Jesus Christ and running for president, to some American dude who desperately needs money to save his campground that he opened in Kenya of all places. Without being asked, nearly all of them said they hadn't made any money with the software.

Are these people naive? Yes. Does that make them a free-for-all? What would you rather call "preying on people"? Me telling you about security issues with this software without any financial gain, or "Steven Rounds" exploiting such people with lies and deception to make a quick buck?


Now, let's go over the security issues one more time. As mentioned it's not that *I* am somehow able to tell your password. It's much more about what "Steven Rounds" could do.

So you have a commercial software that requires a license check. Fine. Does the license server need:
  • your license key? Yes.
  • the domain where you run the software? Yes.
  • your admin user name? No!
  • your admin email address? (this is not the Clickbank order email, it's an email address that is only used to set up admin access on YOUR OWN server) No!
  • your password? No!
  • your password SHA hash? No!
  • the length of your password? No!
  • how long it takes a blind guy to type your password with one finger? No!
Maybe you can help me with this, but I can think of NOT EVEN ONE legitimate reason why "Steven's" central server would collect this info. I CAN think of a whole handful of shady reasons.

Beyond that, the automatic update feature means that "Steven" could put anything he wants onto your server. From including a "feature" that allows him to log in to your system without needing a password at all to much more extreme things like using your server for spamming, phishing or malware distribution. As I said earlier, I'm not saying "Steven" is going to do this, but it would be trivial to do so.

Maybe this sounds paranoid to you. But remember, you're dealing with somebody who has no known history, no reputation other than for deceptive advertising and who lied to you to get your sale.


You are asking about other software with automated installation features. Of course it exists, of course I'm using some of it.
  • Do I trust Microsoft's or Apple's software update feature will not pull malicious shenanigans on my PC or Mac? Yes.
  • Do I trust WordPress auto-update will not pull malicious shenanigans on my web server? Yes.
Those products have a stellar reputation and a long, verifiable history. Even with some of the IM scripts, I may be more cautious, I may install them in a local sandbox at first, but if they've been around for a few years and have a solid userbase (not just a bunch of affiliates who all parrot the same made-up story), I'll probably trust it enough to use it live.
  • Do I trust that an unknown guy with a fly-by-night Clickbank offer, who was already caught lying, will not pull malicious shenanigans on my web server? No!


You are mentioning other software "as they all send information". I challenge you to find a reputable software that sends sensitive admin info to a central server. As shown above, they may check your license key, but they will NOT transmit login credentials, hashed or not, for an account that you set up on your own, local PC or server. I mean could you EVEN IMAGINE Windows sending your login name to Microsoft? Could you imagine self-hosted WordPress sending your login name to their central server?

I can't. What I can imagine is the outrage it would cause all over the press if something like this was discovered. They would tear MS to shreds. But somehow you seem to think if a shady Clickbank character does it, it's ok?


What about the email leak? "Who cares everyone's email is on so many lists it is not funny." Maybe for you that's no big deal. Many others beg to differ. Did you see the major commotion in the media just a few days ago about the Epsilon breach? How about you tell all those affected companies that it's not a big deal? You'd make a great PR director for Epsilon!

There is another aspect to it. When you set up your private server with PPV Demon and you enter your admin email address there so that your own server can send you alerts etc, you have a justified expectation that this email address will never leave your server. You may willingly enter a more real email address so that you receive such alerts right away, whereas you may be more cautious and use throw-away email addresses for any public services.

Well, PPV Demon just threw your expectation in the trash.

At the end of it all, as I said before, it comes down to trust. If you want to believe that "Steven Rounds" is a trustworthy person, if you believe that I somehow just want to take advantage of you by telling you all this, then by all means, keep using PPV Demon.
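
The field-by-field argument in the post above, turned into a check a site owner could run on a captured outbound license request. This is an added example, not part of the original post and not PPV Demon's code; the parameter names and sample request bodies are constructed, because the page does not give the real ones.

```python
import hashlib
import re
from urllib.parse import parse_qsl

# The two items the post says a license check needs. The parameter names are
# constructed for this example; the product's real names are not on the page.
ALLOWED_FIELDS = {"license_key", "domain"}

# Field names that suggest account or credential data.
SENSITIVE_NAME = re.compile(r"user|login|admin|pass|pwd|hash|mail", re.I)
# Hex strings with the length of an MD5, SHA-1 or SHA-256 digest.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_body(body):
    """Return [(field, [reasons])] for every field outside the allowlist."""
    findings = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in ALLOWED_FIELDS:
            continue
        reasons = []
        if SENSITIVE_NAME.search(name):
            reasons.append("credential-like field name")
        # Check the value too: a harmless-looking name can still carry a hash.
        if HEX_DIGEST.match(value):
            reasons.append("value looks like a %d-bit hex digest" % (len(value) * 4))
        if EMAIL.match(value):
            reasons.append("value is an email address")
        findings.append((name, reasons or ["field not on allowlist"]))
    return findings


# Constructed sample request bodies (not captured from the real product).
SAMPLE_MINIMAL = "license_key=DEMO-0000-0000&domain=example.com"
SAMPLE_OVERSHARING = (
    "license_key=DEMO-0000-0000&domain=example.com"
    "&admin_user=admin&admin_email=owner%40example.com"
    "&p=" + hashlib.sha1(b"constructed-sample").hexdigest() + "&ver=1.0"
)

if __name__ == "__main__":
    samples = (("minimal", SAMPLE_MINIMAL), ("oversharing", SAMPLE_OVERSHARING))
    for label, body in samples:
        findings = audit_body(body)
        print(label, "->", "OK" if not findings else "REVIEW")
        for name, reasons in findings:
            print("   %-12s %s" % (name, "; ".join(reasons)))
```

The body to audit can come from a local intercepting proxy or from logging the script's outbound HTTP calls on your own server.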
 

Michael S

Make Money Online
Follow-up as to my identity. I'll be at ad:tech SF all day tomorrow and Wednesday. This week that really is the place to be for all you Internet money makers. So if any of you guys happen to be there too, welcome to meet up with me at the Moscone Center or one of the after parties.
 

roundsoftz

Make Money Online
Very Active Members
> Follow-up as to my identity. I'll be at ad:tech SF all day tomorrow and Wednesday. This week that really is the place to be for all you Internet money makers. So if any of you guys happen to be there too, welcome to meet up with me at the Moscone Center or one of the after parties.

So how does this validate your identity?
Tell us what time you will be available.
 

Michael S

Make Money Online
> So how does this validate your identity?
> Tell us what time you will be available.

I figured if people can meet me in person it will show that I'm not hiding behind a website and it will give them a good enough idea of who I am. Will it be enough validation for you? Maybe, maybe not.

But, aren't you the guy who is selling dubious software based on the claim that you are an ex-Paypal programmer? Frankly, between the two of us, I don't think I am the one who needs to validate his identity.

I guess you can imagine what kind of person I think you are. Maybe I'm wrong. But that offer was really meant for your users who may have more questions. I'm not sure it would be wise of me to meet up with you. It's not clear who you refer to with "us" and I'm not exactly a frail person, but the last thing I need is a bunch of angry thugs following me around a city where I don't know anybody.

Call me sissy if you like, but I say better safe than sorry.

For anyone else: If you want to meet up, reply to that email you received from me using that same email address and we can arrange something today or tomorrow.
 

Bama

Make Money Online
"My main claim was that by installing PPV Demon, you are giving the keys to your server to an unknown individual who already lied to you"
Please expand upon the giving of keys please.

This intrigues me so tell me what you can do with that information..

Also just for kicks I will challenge you to take those keys you talk about and do something with them..

You can not :)

I waited for you to show your identity as I really looked forward to discussing your agenda and to really see someone who has nothing but 'goodness' in his heart in this field ;)

There really would not have been any "us" with me it would have just been me, but then again if you are "afraid" I understand that but that is a bit of a cop out.
I mean "thugs" seriously ... You would think some of these marketers crossed over from the 'dark' area of making money online where the game you are running right now would not be received as nicely as the principles here have received it..


I think it is more your pocketbook is afraid ;)

Ah the internet allowing you to pretend to be the man one game at a time, funny thing though about the internet you never just know who it is you are talking to in this big crazy internet world.
I remember one time talking with someone at the market and realized we had spent years online talking on a forum
sort of like this one.

Hope you enjoyed your time I know I did.
 

Doc

Make Money Online
ADMINISTRATOR
This thread is way off track here. You guys are talking serious nonsense and you evidently have no idea what you're talking about. I for one do and I'm sick of the idiosyncratic posts here. This isn't a hacking forum and you guys need to grow up. To Michael S, who do you think you are? To me you're a coward. Steven said he would meet you and you chumped out that just goes to prove half of what you have to say is just hot air. Furthermore I personally know Steven so the lies and things you're coercing here are pure lousy to anything from being the facts. I see you're only here to cause drama and offer absolutely no knowledge except what you're dreaming up in your head. I suggest this thread get back on track as I'm tired of babysitting it.

Doc
 
hey dudes... love the landingpage video, love the price, love the good things being said about the package.... but... paid like last week, got no download link... :( you know us internet dudes... we have come to expect instant delivery... so getting a mail saying "please wait 48 hours to get your product".... that really bums me out... we wanna get started man :)

ps. 7 days later I am still waiting to get the package, plimus download links = fail.

can you send me the package, thanks dude :)
 

roundsoftz

Make Money Online
Very Active Members
> hey dudes... love the landingpage video, love the price, love the good things being said about the package.... but... paid like last week, got no download link... :( you know us internet dudes... we have come to expect instant delivery... so getting a mail saying "please wait 48 hours to get your product".... that really bums me out... we wanna get started man :)
>
> ps. 7 days later I am still waiting to get the package, plimus download links = fail.
>
> can you send me the package, thanks dude :)

Yeah should have used Doc's link... It has never been sold on plimus... Our lawyers had to chase that one down too.
 

roundsoftz

Make Money Online
Very Active Members
> so how do I get the software that I paid for?

Presumably you would contact the guy you paid, however he can't give you what he doesn't own. Contact Plimus, get your refund (it might have happened already since our lawyers contacted them) and buy through approved channels.. then you will get your software instantly and won't have to wait.
 

Klout

Make Money Online
People are concerned about this software and are even discussing it on other forums. I got a link to this discussion from one of them.

Honestly I couldn't be arsed to read all the six pages here so maybe I'm like one of the proverbial blind men who had only seen part of the big picture. However still I'll shove in with the perceptions and opinions that I've formed so far.

@Doc - I respect your past track record and feel you are an all-right guy and have added tremendous value to this great community. However I disagree that this thread is going off track. People ARE concerned about what software does through the backdoor and Steven HAS to fix that perception to increase his sales and build his reputation. The only thing off track here is the discussion about Steven as a person or his background. That has nothing to do with nothing. I think Michael is out of line discussing that. He's entitled to his opinions, and freedom of speech, but it dilutes the purpose of this thread and also the otherwise excellent points he makes.

@Michael - I'm seriously glad you invested serious time into this. It's truly appreciated but you destroy the otherwise excellent signal-to-noise ratio by going into personalities. You don't trust him, fine. You don't like him, no hair off anyone's ass. But heck! It's NOT about Steven, it's about the product and the possibly good (or not) things it could do for us or the (potential) harm in the payload.

@Steven - Do you REALLY need to pull that PW info shit etc.? Could your software work effectively without it, while protecting your intellectual property at the same time? I intend to give your software a test run and am rooting for you to make bagfuls of money with this product so you can develop it further or create new ones but you GOTTA fix perceptions and remember, perceptions are more important than actual facts. For my 2 cents, Michael is perhaps going to turn out the best friend you ever had if he kicks your ass into turning a good product into a great product.

@Everyone reading this - Let's STOP talking about Steven for fuck's sake. I don't care if he worked at Paypal or not. I'm a businessman and I ONLY care if this software can add value to me or not. Does it give a good return on investment on the $ price and the time and PPV investment.

Questions -
What is the name of this product anyway? I was investigating Profit Siege and I don't know when it morphed into PPV Demon. Same thing? Different thing?

Where's Doc's offer link? Is it still open? Is it backed by Clickbank's refund guarantee? PM me someone, please.

Any product reviews backed by personal experience?

Peace! Love! Profits!