From: Mixmaster <mixmaster@remail.obscura.com>
To: cypherpunks@toad.com
Message Hash: 97ddbf4cb72bdfb07b03a6805c656e9d5c8876996f6debb7e65064170643fa52
Message ID: <199711171711.JAA24770@sirius.infonex.com>
Reply To: N/A
UTC Datetime: 1997-11-17 17:44:12 UTC
Raw Date: Tue, 18 Nov 1997 01:44:12 +0800
From: Mixmaster <mixmaster@remail.obscura.com>
Date: Tue, 18 Nov 1997 01:44:12 +0800
To: cypherpunks@toad.com
Subject: [REPOST] Gary Burnore's Harassment of the Huge Cajones Remailer
Message-ID: <199711171711.JAA24770@sirius.infonex.com>
MIME-Version: 1.0
Content-Type: text/plain
Since Gary Burnore has been making posts in the alt.privacy.anon-server NG
about how remailers are supposedly being "abused" in order to "forge"
articles in his name, I figure it's time to repost a Usenet article from
Jeff Burchell, operator of the Huge Cajones Remailer, about Gary Burnore's
harassment which ultimately convinced him to shut down the remailer, in
order to document Mr. Burnore's modus operandi, in case he attempts a
similar attack against another remailer:
--- BEGIN INCLUDED MESSAGE ---
Subject: Jeff's Side of the Story.
From: toxic@hotwired.com (Jeff Burchell)
Date: 1997/07/01
Message-ID: <5pbnoe$f29$1@re.hotwired.com>
Followup-To: alt.privacy.anon-server,alt.fan.steve-winter,
alt.religion.scientology,alt.anonymous,misc.misc,
alt.censorship,news.admin.censorship,comp.org.eff.talk,
news.admin.net-abuse.misc
Organization: Content, Inc
Newsgroups: alt.privacy.anon-server,alt.fan.steve-winter,
alt.religion.scientology,alt.anonymous,misc.misc,
alt.censorship,news.admin.censorship,alt.cypherpunks,
comp.org.eff.talk,news.admin.net-abuse.misc
Anonymous (nobody@REPLAY.COM) wrote:
: > Only Jeff knows the whole story.
Actually, not even I know the whole story. If I truely knew who it was
that was orchestrating this attack, it would have stopped, one way or
another. The problem is, I don't know all the players (I have some
suspicions, which I'll elaborate on further in a little bit) but I don't
_really_ know who did it, and I really don't know why (other than a "I
don't like remailers, I think I'll shut one down"). And I really don't
know the background or what precipitated this.
: > But I have to ask. Could this
: > just be an" I'm sick of this shit, f**k it, I quit, who needs this
: > aggravation, I'll just pull the plug and go have a beer" reaction
: > to what really seems like a fairly small problem.
It is not a small problem anymore when you're getting >200 complaint
messages a day, plus 5-10 phone calls to your employer (and your
employer's legal department). Fortunately, Wired is a very progressive
company, and supported my efforts to provide anonymity, but our lawyers
aren't paid to answer phone calls on my behalf. Running a remailer is
one thing... getting harassed at work is an entirely different matter, and
getting a THIRD PARTY harassed at work is yet another one.
But yes, The ultimate "take this thing down" decision was one made
because I was sick of this bullshit. But you know what? I volunteer
my time, my computer equipment, and bandwidth that is given to me
as part of my salary. I do (well did) all of this because I believe
that anonymity is a right, and because I have the capabilities of
helping to provide anonymity to the masses. When the remailer was
self-sufficient (before the attacks started), it took maybe 10 minutes
of my time a day, and minimal resources on my machine. Afterwards,
even after I put in the auto-blocking feature (send a blank message
to a particular address and get your address blocked) and the
autoresponder on the remailer-admin account, I was still getting >100
messages a day reporting abuse... almost all of it spam-bait related.
I receive no benefit from running the remailer (I don't even use it
myself), and when it becomes a fairly major hassle without any
rewards, the decision is not a hard one to make.
And frankly, I already have enough to do, and get enough mail on a
daily basis (at last check it was hovering around 600 messages/day).
As soon as the remailer started taking up a lot of my time, it became
time to rethink why I was running it. The moment that the spam-baiter
started alerting people who had been baited, and telling them to
contact me, it became personal. And I don't have time to get into
personal pissing-contests. Yes, I took the easy way out, but that
was my choice to make.
Anyone who doesn't run a remailer has very little right questioning my
choice, because you have no idea what precipitated it. Most people
reading this group have the capabilities of running a remailer (it only
takes a POP account and a Windows machine to run the Winsock remailer),
but very few of us actually do. Why is that? I've been running huge.
cajones for just under 2 years, and it averaged just over 3000 messages
a day, so my remailer was responsible for about 2 million anonymous
messages in its lifetime. I think I've done my part (at least for now),
it's time for someone else to do theirs. If we had 15 disposable remailers
that operated for 2-3 months each before moving/going away, we'd have
paths for millions more anonymous messages. And isn't that what we're
really trying to provide?
: The first was doing questionable things, like installing content-based
: filtering in an attempt to placate the attacker. Giving in to the demands
When I first put the filters in, I was entirely unaware of exactly what
the hell was going on. It seemed that someone had a bone to pick with
databasix, and was using the remailer to get databasix harassed by
third parties. So, Burnore's complaint seemed reasonable at the time, and
I tried to come up with a way to block spam-bait abuse, without blocking
anything else (like a reply to burnore in Usenet).
See, if someone was doing to me what they appeared to be doing to Burnore,
I would be pissed. I figured placating him would be the best thing to
do. In hindsight, I was wrong, but at the time, it seemed like the correct
decision. (Also at the same time, the SPA threatened Wired with a
lawsuit because of The MailMasher, so things were a little tense between
me and the legal department already, I didn't need to make them any worse.)
The final content-based-filter (there was an interim one) looked for the
following things:
1. Any address at databasix (Yes, at the request of Burnore)
2. Any address from my destination block list
3. More than 5 addresses in a row, one line each, without other content
in-between.
4. Patterns of particular Usenet groups.
5. Particular subject lines.
If any THREE of these items were spotted, the message got thrown into a
reject bin. I periodically examined the reject bin, and can personally
attest that it didn't block ANYTHING that it wasn't intended to. (The
test posts reeked of spam-bait to me, and I believe were correctly
blocked)
FWIW, the filters were removed about a week ago.
Because the filters were looking for a specific form of ABUSE, and not
just doing basic pattern matches, I don't consider them to be "content
filters". I would think that just about anyone would agree that
posting lists of email addresses to mlm newsgroups would qualify
as abuse, and _should_ be blocked. Blocking of this nature does NOT
restrict free speech (or at least that is not the intentions of it), and
it would keep the remailer out of lawsuit territory.
See, the big problem with lawsuits is not the fact that _I_ don't want
to be sued. The problem is that anyone with half a brain can determine
that Wired is somehow related to any remailer that I am running on their
bandwidth. Wired has deeper pockets than Mr. Burchell, so they are a
much better group to sue... and they are a lot more willing to give
in to a threat than I am.
: What I *MIGHT* have done was to respond as follows:
:
: Your legal demands are unacceptable. I'd rather close the remailer than
: compromise its integrity to suit your whims. But understand this -- unless
: you withdraw your demands, I will not only close the remailer but also make
: damn sure all of its users know exactly who forced me to take this action!
I did respond in a fashion much like this, about a week before the attacks
started coming. Mr. Burnore requested a copy of my (non-existant) logs.
I told him to get me something in writing, signed by his lawyer that
stipulated that the logs were confidential, and not to be revealed to
anyone outside of the lawyer's office.
I received a letter from Belinda Bryan. She is not registered with the
State Bar of California, and is thus, not a California lawyer. I then
ignored the request, and forwarded the correspondence to the State
Attorney General's office (as impersonating a lawyer in CA is defined
as fraud with extenuating circumstances). They have been working with
me and the San Francisco DA's office. Look out DataBasix... I'm not done
with you yet.
: The second mistake I perceive is not fully disclosing the circumstances that
: brought down Huge Cajones, and *NAMING NAMES*. That way, even if the remailer
: shuts down, other remailer operators will learn about the tactics employed
: against it, know *WHO* made the demands, etc. IOW, when you get an innocent
: sounding, polite complaint from xxxx@yyy.com alleging "abuse", here's the
: scenario that's likely to follow ... (It's not too late to make that
: disclosure, Jeff.)
In fact, now is the time to. Making a disclosure like this while I
was still running the remailer would have probably been a bad move.
Now that the remailer is closed, I'll name the names that I've got.
Beware... all of this is speculation, because huge.cajones was an
anonymous service, not even I can say with any authority that any
of the people named below had anything to do with the shutdown of
huge.cajones (or The MailMasher). However, there are a number of
coincidences of timing.
I still don't know what the hell is going on with DataBasix, Wells Fargo
and Gary Burnore, but I suspect that someone used huge.cajones to say
something extremely unflattering about Burnore (from what I can tell,
he had it coming). Burnore then decided that he would make things
difficult for me. First, he wanted the user who had posted something
"inflammatory" about him revealed. When I told him that I couldn't
do that, he carried on about mail logs and identifying the host that
a message came from (the usual). I didn't explain to him that my
machine keeps logs, but not anything involving a *@cajones.com
address. He then requested the logs, which I denied (and told him
to get his lawyer to send a request...)
I'll admit, after my second or third contact with Mr. Burnore, I
no longer was particularly civil with the guy. He's a kook, and
really didn't deserve my courtesy.
Between the time he first contacted me, and the time I received the
letter from Belinda Bryan, is when the baiting of databasix addresses
began (slowly, with just a few posts). After a while, I received
requests from the other members of DataBasix (including William McLatchie
(sp) (aka wotan) who actually seems to be a remailer supporter (?)).
It was at this point that I realized something was completely amiss.
I asked McLatchie to please tell me the story of DataBasix, and he
said that he was going to, but never did. Anyone who can tell me
the story is invited to do so.
As a side note (and just because I am naming names). Peter Hartly
(hartley@hartley.on.ca) yesterday spam-baited me. Fortunately,
I've got good filters in place.
As another side note, I've seen nothing to make me believe that Belinda
Bryan is even a real person. Anyone?
: > Given the importance of what Jeff was doing, I hope that he
: > did all that he could, before declaring defeat. If that is the case,
: > I commend him for a job well done. If not, why?
I can't claim to have done _everything_ that I could have done, but I
did certainly make an effort. I'm not willing to go to court to defend
a practice like spam-baiting (and given the current public-opinion situation
and impending anti-UCE legislation, this would be a terrible test-case).
I am not new to threats of lawsuit, even ones that come from legitimate
lawyers. About 8 months previous, I was threatened repeatedly by the
legal wing of the "Church" of Scientology. I answered with a letter
from my lawyer that explained the policies of the remailer, and
threatened a harrassment lawsuit if the "Church" contacted me again asking
for information (that they now knew I didn't have) about a remailer user.
They complied, and went away (and haven't been too difficult with
other remailer operators lately).
: Agreed. Otherwise, these "asshole(s)" are simply going to do it all over
: again against another remailer, eventually taking them all down one at a time.
Except that right now, new remailers are springing up. If we could get
three more online for every one shut down, it wouldn't much matter, would
it? I may very well end up running a mailer again in the future, but if
I do, it will probably be either a throwaway exit-man or a truely anonymous
middleman (i.e. nobody will actually know who is running it). It also
will probably be hosted outside of the United States (Floating in
international waters with a sat feed would be nice).
: It's time for them to stand up and say "Next time you come for one of us
: he's
: not going quietly as the others have. You'll have to face ALL of us at once,
: instead."
Aah, you imagine much more solidarity among remailer operators than actually
exists. It doesn't work that way. It would be nice if it did, but many of
us are running remailers on borrowed bandwidth (or have other "situations"
to be concerned about). Being the squeaky wheel is not always a good idea
for many of the operators (most of whom try to keep a low profile).
The reality is, for all the good they do, remailers are tools that can
very easily be abused. And, as the internet gets more and more commonplace,
the average Joe and Joesphine, who don't have the strict Cyber-Libertarian
viewpoints that are shared by most of us old-timers, will start to wonder
just why anyone would want to run a service that allows anyone to speak their
mind without fear of reprisal. When you get people with more extreme
viewpoints (the ones who have a really legitimate need for anonymity) posting
all kinds of stuff to all kinds of places, it will get the attention of
Middle-America, which will then bring it to the attention of legislators.
Any time a legislator can say "This is a blow to Child Pornographers and
others who hide behind anonymity to commit crimes without fear of reprisal"
you can guarantee that the bill will pass.
When that happens, we're in trouble. America is scared of computers, and
remailers are thought to be havens for the big 3 (Terrorists, Organized
Crime and Child Pornographers). Now that the spammers are involved
(spammers possibly being hated more than the big 3), most users are
exposed to anonymous remailers in negative ways (Imagine what you would
think if the first time you heard about the existance of remailers, it
was because someone had spam-baited you, and then told you about it).
The right to anonymity in the US will be legislated away within 18 months,
partially because of spam. I do hope there's a _good_ test case waiting,
and someone willing to fight it to the end, but I have my doubts. Ultimately
the remailer network will be forced to move offshore, the way Crypto
development currently has.
Don't like the News? Go out and make some of your own.
-Jeff
|o| |o|
|o| Jeff Burchell toxic@wired.com |o|
|o|- - - - - - - - - - - - - - - - - - - - - - - - - -|o|
|o| I am not speaking for anyone but myself. |o|
|o| |o|
--- END INCLUDED MESSAGE ---
This article is archived in DejaNews under their "old" database if you
wish to verify its authenticity.
--
Return to November 1997
Return to “Mixmaster <mixmaster@remail.obscura.com>”
1997-11-17 (Tue, 18 Nov 1997 01:44:12 +0800) - [REPOST] Gary Burnore’s Harassment of the Huge Cajones Remailer - Mixmaster <mixmaster@remail.obscura.com>