1997-07-02 - Jeff’s Side of the Story.

Header Data

From: tcmay@got.net (Tim May)
To: cypherpunks@Algebra.COM
Message Hash: 17c52979a1aecdc1d18ece6bbc7b8e705e0dc187f6c4453a2849b33f243e3d9a
Message ID: <199707020337.UAA17514@you.got.net>
Reply To: N/A
UTC Datetime: 1997-07-02 04:07:21 UTC
Raw Date: Wed, 2 Jul 1997 12:07:21 +0800

Raw message

From: tcmay@got.net (Tim May)
Date: Wed, 2 Jul 1997 12:07:21 +0800
To: cypherpunks@Algebra.COM
Subject: Jeff's Side of the Story.
Message-ID: <199707020337.UAA17514@you.got.net>
MIME-Version: 1.0
Content-Type: text/plain




There's been an ongoing discussion of the Huge Cojones remailer situation
on the related newsgroups.

This has a lot of relevance to our issues, and this is one of the more
illuminating articles.

--Tim


> From: toxic@hotwired.com (Jeff Burchell)
> Newsgroups:
alt.privacy.anon-server,alt.fan.steve-winter,alt.religion.scientology,alt.anonymous,misc.misc,alt.censorship,news.admin.censorship,alt.cypherpunks,comp.org.eff.talk,news.admin.net-abuse.misc
> Subject: Jeff's Side of the Story.
> Followup-To:
alt.privacy.anon-server,alt.fan.steve-winter,alt.religion.scientology,alt.anonymous,misc.misc,alt.censorship,news.admin.censorship,comp.org.eff.talk,news.admin.net-abuse.misc
> Date: 1 Jul 1997 20:02:22 GMT
> Organization: Content, Inc
...
> 
> Anonymous (nobody@REPLAY.COM) wrote:
> 
> : > Only Jeff knows the whole story.
> 
> Actually, not even I know the whole story.  If I truely knew who it was
> that was orchestrating this attack, it would have stopped, one way or
> another.  The problem is, I don't know all the players (I have some 
> suspicions, which I'll elaborate on further in a little bit) but I don't
> _really_ know who did it, and I really don't know why (other than a "I
> don't like remailers, I think I'll shut one down").  And I really don't
> know the background or what precipitated this.
> 
> : > But I have to ask. Could this
> : > just be an" I'm sick of this shit, f**k it, I quit, who needs this
> : > aggravation, I'll just pull the plug and go have a beer" reaction
> : > to what really seems like a fairly small problem.
> 
> It is not a small problem anymore when you're getting >200 complaint 
> messages a day, plus 5-10 phone calls to your employer (and your
> employer's legal department).  Fortunately, Wired is a very progressive
> company, and supported my efforts to provide anonymity, but our lawyers
> aren't paid to answer phone calls on my behalf.  Running a remailer is
> one thing... getting harassed at work is an entirely different matter, and
> getting a THIRD PARTY harassed at work is yet another one.
> 
> But yes, The ultimate "take this thing down" decision was one made 
> because I was sick of this bullshit.  But you know what?  I volunteer
> my time, my computer equipment, and bandwidth that is given to me
> as part of my salary.  I do (well did) all of this because I believe
> that anonymity is a right, and because I have the capabilities of
> helping to provide anonymity to the masses.  When the remailer was
> self-sufficient (before the attacks started), it took maybe 10 minutes
> of my time a day, and minimal resources on my machine.  Afterwards, 
> even after I put in the auto-blocking feature (send a blank message 
> to a particular address and get your address blocked) and the 
> autoresponder on the remailer-admin account, I was still getting >100
> messages a day reporting abuse... almost all of it spam-bait related.
> I receive no benefit from running the remailer (I don't even use it
> myself), and when it becomes a fairly major hassle without any 
> rewards, the decision is not a hard one to make.
> 
> And frankly, I already have enough to do, and get enough mail on a
> daily basis (at last check it was hovering around 600 messages/day).
> As soon as the remailer started taking up a lot of my time, it became
> time to rethink why I was running it.  The moment that the spam-baiter
> started alerting people who had been baited, and telling them to 
> contact me, it became personal.  And I don't have time to get into 
> personal pissing-contests.  Yes, I took the easy way out, but that
> was my choice to make.
> 
> Anyone who doesn't run a remailer has very little right questioning my
>  choice, because you have no idea what precipitated it.  Most people
> reading this group have the capabilities of running a remailer (it only
> takes a POP account and a Windows machine to run the Winsock remailer), 
> but very few of us actually do.  Why is that?  I've been running huge.
> cajones for just under 2 years, and it averaged just over 3000 messages
> a day, so my remailer was responsible for about 2 million anonymous 
> messages in its lifetime.  I think I've done my part (at least for now), 
> it's time for someone else to do theirs.  If we had 15 disposable remailers
> that operated for 2-3 months each before moving/going away, we'd have
> paths for millions more anonymous messages.  And isn't that what we're
> really trying to provide?
> 
> : The first was doing questionable things, like installing content-based
> : filtering in an attempt to placate the attacker.  Giving in to the demands
> 
> When I first put the filters in, I was entirely unaware of exactly what
> the hell was going on.  It seemed that someone had a bone to pick with
> databasix, and was using the remailer to get databasix harassed by
> third parties.  So, Burnore's complaint seemed reasonable at the time, and
> I tried to come up with a way to block spam-bait abuse, without blocking
> anything else (like a reply to burnore in Usenet).
> 
> See, if someone was doing to me what they appeared to be doing to Burnore, 
> I would be pissed.  I figured placating him would be the best thing to
> do.  In hindsight, I was wrong, but at the time, it seemed like the correct
> decision.  (Also at the same time, the SPA threatened Wired with a 
> lawsuit because of The MailMasher, so things were a little tense between
> me and the legal department already, I didn't need to make them any worse.)
> 
> The final content-based-filter (there was an interim one) looked for the
>  following things:
> 
> 1. Any address at databasix (Yes, at the request of Burnore)
> 2. Any address from my destination block list
> 3. More than 5 addresses in a row, one line each, without other content
>    in-between.
> 4. Patterns of particular Usenet groups.
> 5. Particular subject lines.
> 
> If any THREE of these items were spotted, the message got thrown into a
> reject bin.  I periodically examined the reject bin, and can personally
> attest that it didn't block ANYTHING that it wasn't intended to.  (The
> test posts reeked of spam-bait to me, and I believe were correctly 
> blocked)
> 
> FWIW, the filters were removed about a week ago.
> 
> Because the filters were looking for a specific form of ABUSE, and not
> just doing basic pattern matches, I don't consider them to be "content
> filters".  I would think that just about anyone would agree that 
> posting lists of email addresses to mlm newsgroups would qualify 
> as abuse, and _should_ be blocked.   Blocking of this nature does NOT
> restrict free speech (or at least that is not the intentions of it), and
> it would keep the remailer out of lawsuit territory.
> 
> See, the big problem with lawsuits is not the fact that _I_ don't want
> to be sued.  The problem is that anyone with half a brain can determine
> that Wired is somehow related to any remailer that I am running on their
> bandwidth.  Wired has deeper pockets than Mr. Burchell, so they are a
> much better group to sue... and they are a lot more willing to give
> in to a threat than I am.
> 
> : What I *MIGHT* have done was to respond as follows:
> : 
> :    Your legal demands are unacceptable.  I'd rather close the remailer than
> :    compromise its integrity to suit your whims.  But understand this
-- unless
> :    you withdraw your demands, I will not only close the remailer but
also make
> :    damn sure all of its users know exactly who forced me to take this
action!
> 
> I did respond in a fashion much like this, about a week before the attacks
> started coming.  Mr. Burnore requested a copy of my (non-existant) logs.
> I told him to get me something in writing, signed by his lawyer that 
> stipulated that the logs were confidential, and not to be revealed to 
> anyone outside of the lawyer's office.
> 
> I received a letter from Belinda Bryan.  She is not registered with the
> State Bar of California, and is thus, not a California lawyer.  I then
> ignored the request, and forwarded the correspondence to the State 
> Attorney General's office (as impersonating a lawyer in CA is defined
> as fraud with extenuating circumstances).  They have been working with
> me and the San Francisco DA's office.  Look out DataBasix... I'm not done
> with you yet.
> 
> : The second mistake I perceive is not fully disclosing the circumstances that
> : brought down Huge Cajones, and *NAMING NAMES*.  That way, even if the
remailer
> : shuts down, other remailer operators will learn about the tactics employed
> : against it, know *WHO* made the demands, etc.  IOW, when you get an innocent
> : sounding, polite complaint from xxxx@yyy.com alleging "abuse", here's the
> : scenario that's likely to follow ...  (It's not too late to make that
> : disclosure, Jeff.)
> 
> In fact, now is the time to.  Making a disclosure like this while I 
> was still running the remailer would have probably been a bad move.
> Now that the remailer is closed, I'll name the names that I've got.
> 
> Beware... all of this is speculation, because huge.cajones was an 
> anonymous service, not even I can say with any authority that any
> of the people named below had anything to do with the shutdown of
> huge.cajones (or The MailMasher).  However, there are a number of
> coincidences of timing.
> 
> I still don't know what the hell is going on with DataBasix, Wells Fargo
> and Gary Burnore, but I suspect that someone used huge.cajones to say
> something extremely unflattering about Burnore (from what I can tell,
> he had it coming).  Burnore then decided that he would make things 
> difficult for me.  First, he wanted the user who had posted something
> "inflammatory" about him revealed.  When I told him that I couldn't 
> do that, he carried on about mail logs and identifying the host that
> a message came from (the usual).  I didn't explain to him that my 
> machine keeps logs, but not anything involving a *@cajones.com 
> address.  He then requested the logs, which I denied (and told him
> to get his lawyer to send a request...)
> 
> I'll admit, after my second or third contact with Mr. Burnore, I
> no longer was particularly civil with the guy.  He's a kook, and
> really didn't deserve my courtesy.
> 
> Between the time he first contacted me, and the time I received the
> letter from Belinda Bryan, is when the baiting of databasix addresses
> began (slowly, with just a few posts).  After a while, I received
> requests from the other members of DataBasix (including William McLatchie
> (sp) (aka wotan) who actually seems to be a remailer supporter (?)).
> 
> It was at this point that I realized something was completely amiss.
> I asked McLatchie to please tell me the story of DataBasix, and he
> said that he was going to, but never did.  Anyone who can tell me 
> the story is invited to do so.
> 
> As a side note (and just because I am naming names).  Peter Hartly 
> (hartley@hartley.on.ca) yesterday spam-baited me.  Fortunately, 
> I've got good filters in place.  
> 
> As another side note, I've seen nothing to make me believe that Belinda
> Bryan is even a real person.  Anyone?
> 
> : > Given the importance of what Jeff was doing, I hope that he
> : > did all that he could, before declaring defeat. If that is the case,
> : > I commend him for a job well done. If not, why?
> 
> I can't claim to have done _everything_ that I could have done, but I 
> did certainly make an effort.  I'm not willing to go to court to defend
> a practice like spam-baiting (and given the current public-opinion situation
> and impending anti-UCE legislation, this would be a terrible test-case).
> 
> I am not new to threats of lawsuit, even ones that come from legitimate
> lawyers.  About 8 months previous, I was threatened repeatedly by the 
> legal wing of the "Church" of Scientology.  I answered with a letter
> from my lawyer that explained the policies of the remailer, and 
> threatened a harrassment lawsuit if the "Church" contacted me again asking
> for information (that they now knew I didn't have) about a remailer user.
> They complied, and went away (and haven't been too difficult with 
> other remailer operators lately).  
> 
> : Agreed.  Otherwise, these "asshole(s)" are simply going to do it all over 
> : again against another remailer, eventually taking them all down one at
a time.  
> Except that right now, new remailers are springing up.  If we could get
> three more online for every one shut down, it wouldn't much matter, would
> it?  I may very well end up running a mailer again in the future, but if
> I do, it will probably be either a throwaway exit-man or a truely anonymous
> middleman (i.e. nobody will actually know who is running it).  It also
> will probably be hosted outside of the United States (Floating in 
> international waters with a sat feed would be nice).
> 
> : It's time for them to stand up and say "Next time you come for one of us
> : he's 
> : not going quietly as the others have.  You'll have to face ALL of us
at once, 
> : instead." 
> 
> Aah, you imagine much more solidarity among remailer operators than actually
> exists.  It doesn't work that way.  It would be nice if it did, but many of
> us are running remailers on borrowed bandwidth (or have other "situations"
> to be concerned about).  Being the squeaky wheel is not always a good idea
> for many of the operators (most of whom try to keep a low profile).  
> 
> The reality is, for all the good they do, remailers are tools that can 
> very easily be abused.  And, as the internet gets more and more commonplace,
> the average Joe and Joesphine, who don't have the strict Cyber-Libertarian
> viewpoints that are shared by most of us old-timers, will start to wonder
> just why anyone would want to run a service that allows anyone to speak their
> mind without fear of reprisal.  When you get people with more extreme
> viewpoints (the ones who have a really legitimate need for anonymity) posting
> all kinds of stuff to all kinds of places, it will get the attention of
> Middle-America, which will then bring it to the attention of legislators.
> Any time a legislator can say "This is a blow to Child Pornographers and 
> others who hide behind anonymity to commit crimes without fear of reprisal"
> you can guarantee that the bill will pass.
> 
> When that happens, we're in trouble.  America is scared of computers, and
> remailers are thought to be havens for the big 3 (Terrorists, Organized
> Crime and Child Pornographers).  Now that the spammers are involved 
> (spammers possibly being hated more than the big 3), most users are 
> exposed to anonymous remailers in negative ways (Imagine what you would
> think if the first time you heard about the existance of remailers, it
> was because someone had spam-baited you, and then told you about it).
> 
> The right to anonymity in the US will be legislated away within 18 months, 
> partially because of spam.  I do hope there's a _good_ test case waiting,
> and someone willing to fight it to the end, but I have my doubts.  Ultimately
> the remailer network will be forced to move offshore, the way Crypto 
> development currently has.
> 
> Don't like the News?  Go out and make some of your own.
> 
> -Jeff
> 
> |o|                                                   |o|
> |o| Jeff Burchell                     toxic@wired.com |o|
> |o|- - - - - - - - - - - - - - - - - - - - - - - - - -|o|
> |o|     I am not speaking for anyone but myself.      |o|
> |o|                                                   |o|

-- 
There's something wrong when I'm a felon under an increasing number of laws.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1398269     | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."






Thread