Since Gary Burnore has been making posts in the alt.privacy.anon-server NG about how remailers are supposedly being "abused" in order to "forge" articles in his name, I figure it's time to repost a Usenet article from Jeff Burchell, operator of the Huge Cajones Remailer, about Gary Burnore's harassment which ultimately convinced him to shut down the remailer, in order to document Mr. Burnore's modus operandi, in case he attempts a similar attack against another remailer: --- BEGIN INCLUDED MESSAGE --- Subject: Jeff's Side of the Story. From: toxic@hotwired.com (Jeff Burchell) Date: 1997/07/01 Message-ID: <5pbnoe$f29$1@re.hotwired.com> Followup-To: alt.privacy.anon-server,alt.fan.steve-winter, alt.religion.scientology,alt.anonymous,misc.misc, alt.censorship,news.admin.censorship,comp.org.eff.talk, news.admin.net-abuse.misc Organization: Content, Inc Newsgroups: alt.privacy.anon-server,alt.fan.steve-winter, alt.religion.scientology,alt.anonymous,misc.misc, alt.censorship,news.admin.censorship,alt.cypherpunks, comp.org.eff.talk,news.admin.net-abuse.misc Anonymous (nobody@REPLAY.COM) wrote: : > Only Jeff knows the whole story. Actually, not even I know the whole story. If I truely knew who it was that was orchestrating this attack, it would have stopped, one way or another. The problem is, I don't know all the players (I have some suspicions, which I'll elaborate on further in a little bit) but I don't _really_ know who did it, and I really don't know why (other than a "I don't like remailers, I think I'll shut one down"). And I really don't know the background or what precipitated this. : > But I have to ask. Could this : > just be an" I'm sick of this shit, f**k it, I quit, who needs this : > aggravation, I'll just pull the plug and go have a beer" reaction : > to what really seems like a fairly small problem. It is not a small problem anymore when you're getting >200 complaint messages a day, plus 5-10 phone calls to your employer (and your employer's legal department). Fortunately, Wired is a very progressive company, and supported my efforts to provide anonymity, but our lawyers aren't paid to answer phone calls on my behalf. Running a remailer is one thing... getting harassed at work is an entirely different matter, and getting a THIRD PARTY harassed at work is yet another one. But yes, The ultimate "take this thing down" decision was one made because I was sick of this bullshit. But you know what? I volunteer my time, my computer equipment, and bandwidth that is given to me as part of my salary. I do (well did) all of this because I believe that anonymity is a right, and because I have the capabilities of helping to provide anonymity to the masses. When the remailer was self-sufficient (before the attacks started), it took maybe 10 minutes of my time a day, and minimal resources on my machine. Afterwards, even after I put in the auto-blocking feature (send a blank message to a particular address and get your address blocked) and the autoresponder on the remailer-admin account, I was still getting >100 messages a day reporting abuse... almost all of it spam-bait related. I receive no benefit from running the remailer (I don't even use it myself), and when it becomes a fairly major hassle without any rewards, the decision is not a hard one to make. And frankly, I already have enough to do, and get enough mail on a daily basis (at last check it was hovering around 600 messages/day). As soon as the remailer started taking up a lot of my time, it became time to rethink why I was running it. The moment that the spam-baiter started alerting people who had been baited, and telling them to contact me, it became personal. And I don't have time to get into personal pissing-contests. Yes, I took the easy way out, but that was my choice to make. Anyone who doesn't run a remailer has very little right questioning my choice, because you have no idea what precipitated it. Most people reading this group have the capabilities of running a remailer (it only takes a POP account and a Windows machine to run the Winsock remailer), but very few of us actually do. Why is that? I've been running huge. cajones for just under 2 years, and it averaged just over 3000 messages a day, so my remailer was responsible for about 2 million anonymous messages in its lifetime. I think I've done my part (at least for now), it's time for someone else to do theirs. If we had 15 disposable remailers that operated for 2-3 months each before moving/going away, we'd have paths for millions more anonymous messages. And isn't that what we're really trying to provide? : The first was doing questionable things, like installing content-based : filtering in an attempt to placate the attacker. Giving in to the demands When I first put the filters in, I was entirely unaware of exactly what the hell was going on. It seemed that someone had a bone to pick with databasix, and was using the remailer to get databasix harassed by third parties. So, Burnore's complaint seemed reasonable at the time, and I tried to come up with a way to block spam-bait abuse, without blocking anything else (like a reply to burnore in Usenet). See, if someone was doing to me what they appeared to be doing to Burnore, I would be pissed. I figured placating him would be the best thing to do. In hindsight, I was wrong, but at the time, it seemed like the correct decision. (Also at the same time, the SPA threatened Wired with a lawsuit because of The MailMasher, so things were a little tense between me and the legal department already, I didn't need to make them any worse.) The final content-based-filter (there was an interim one) looked for the following things: 1. Any address at databasix (Yes, at the request of Burnore) 2. Any address from my destination block list 3. More than 5 addresses in a row, one line each, without other content in-between. 4. Patterns of particular Usenet groups. 5. Particular subject lines. If any THREE of these items were spotted, the message got thrown into a reject bin. I periodically examined the reject bin, and can personally attest that it didn't block ANYTHING that it wasn't intended to. (The test posts reeked of spam-bait to me, and I believe were correctly blocked) FWIW, the filters were removed about a week ago. Because the filters were looking for a specific form of ABUSE, and not just doing basic pattern matches, I don't consider them to be "content filters". I would think that just about anyone would agree that posting lists of email addresses to mlm newsgroups would qualify as abuse, and _should_ be blocked. Blocking of this nature does NOT restrict free speech (or at least that is not the intentions of it), and it would keep the remailer out of lawsuit territory. See, the big problem with lawsuits is not the fact that _I_ don't want to be sued. The problem is that anyone with half a brain can determine that Wired is somehow related to any remailer that I am running on their bandwidth. Wired has deeper pockets than Mr. Burchell, so they are a much better group to sue... and they are a lot more willing to give in to a threat than I am. : What I *MIGHT* have done was to respond as follows: : : Your legal demands are unacceptable. I'd rather close the remailer than : compromise its integrity to suit your whims. But understand this -- unless : you withdraw your demands, I will not only close the remailer but also make : damn sure all of its users know exactly who forced me to take this action! I did respond in a fashion much like this, about a week before the attacks started coming. Mr. Burnore requested a copy of my (non-existant) logs. I told him to get me something in writing, signed by his lawyer that stipulated that the logs were confidential, and not to be revealed to anyone outside of the lawyer's office. I received a letter from Belinda Bryan. She is not registered with the State Bar of California, and is thus, not a California lawyer. I then ignored the request, and forwarded the correspondence to the State Attorney General's office (as impersonating a lawyer in CA is defined as fraud with extenuating circumstances). They have been working with me and the San Francisco DA's office. Look out DataBasix... I'm not done with you yet. : The second mistake I perceive is not fully disclosing the circumstances that : brought down Huge Cajones, and *NAMING NAMES*. That way, even if the remailer : shuts down, other remailer operators will learn about the tactics employed : against it, know *WHO* made the demands, etc. IOW, when you get an innocent : sounding, polite complaint from xxxx@yyy.com alleging "abuse", here's the : scenario that's likely to follow ... (It's not too late to make that : disclosure, Jeff.) In fact, now is the time to. Making a disclosure like this while I was still running the remailer would have probably been a bad move. Now that the remailer is closed, I'll name the names that I've got. Beware... all of this is speculation, because huge.cajones was an anonymous service, not even I can say with any authority that any of the people named below had anything to do with the shutdown of huge.cajones (or The MailMasher). However, there are a number of coincidences of timing. I still don't know what the hell is going on with DataBasix, Wells Fargo and Gary Burnore, but I suspect that someone used huge.cajones to say something extremely unflattering about Burnore (from what I can tell, he had it coming). Burnore then decided that he would make things difficult for me. First, he wanted the user who had posted something "inflammatory" about him revealed. When I told him that I couldn't do that, he carried on about mail logs and identifying the host that a message came from (the usual). I didn't explain to him that my machine keeps logs, but not anything involving a *@cajones.com address. He then requested the logs, which I denied (and told him to get his lawyer to send a request...) I'll admit, after my second or third contact with Mr. Burnore, I no longer was particularly civil with the guy. He's a kook, and really didn't deserve my courtesy. Between the time he first contacted me, and the time I received the letter from Belinda Bryan, is when the baiting of databasix addresses began (slowly, with just a few posts). After a while, I received requests from the other members of DataBasix (including William McLatchie (sp) (aka wotan) who actually seems to be a remailer supporter (?)). It was at this point that I realized something was completely amiss. I asked McLatchie to please tell me the story of DataBasix, and he said that he was going to, but never did. Anyone who can tell me the story is invited to do so. As a side note (and just because I am naming names). Peter Hartly (hartley@hartley.on.ca) yesterday spam-baited me. Fortunately, I've got good filters in place. As another side note, I've seen nothing to make me believe that Belinda Bryan is even a real person. Anyone? : > Given the importance of what Jeff was doing, I hope that he : > did all that he could, before declaring defeat. If that is the case, : > I commend him for a job well done. If not, why? I can't claim to have done _everything_ that I could have done, but I did certainly make an effort. I'm not willing to go to court to defend a practice like spam-baiting (and given the current public-opinion situation and impending anti-UCE legislation, this would be a terrible test-case). I am not new to threats of lawsuit, even ones that come from legitimate lawyers. About 8 months previous, I was threatened repeatedly by the legal wing of the "Church" of Scientology. I answered with a letter from my lawyer that explained the policies of the remailer, and threatened a harrassment lawsuit if the "Church" contacted me again asking for information (that they now knew I didn't have) about a remailer user. They complied, and went away (and haven't been too difficult with other remailer operators lately). : Agreed. Otherwise, these "asshole(s)" are simply going to do it all over : again against another remailer, eventually taking them all down one at a time. Except that right now, new remailers are springing up. If we could get three more online for every one shut down, it wouldn't much matter, would it? I may very well end up running a mailer again in the future, but if I do, it will probably be either a throwaway exit-man or a truely anonymous middleman (i.e. nobody will actually know who is running it). It also will probably be hosted outside of the United States (Floating in international waters with a sat feed would be nice). : It's time for them to stand up and say "Next time you come for one of us : he's : not going quietly as the others have. You'll have to face ALL of us at once, : instead." Aah, you imagine much more solidarity among remailer operators than actually exists. It doesn't work that way. It would be nice if it did, but many of us are running remailers on borrowed bandwidth (or have other "situations" to be concerned about). Being the squeaky wheel is not always a good idea for many of the operators (most of whom try to keep a low profile). The reality is, for all the good they do, remailers are tools that can very easily be abused. And, as the internet gets more and more commonplace, the average Joe and Joesphine, who don't have the strict Cyber-Libertarian viewpoints that are shared by most of us old-timers, will start to wonder just why anyone would want to run a service that allows anyone to speak their mind without fear of reprisal. When you get people with more extreme viewpoints (the ones who have a really legitimate need for anonymity) posting all kinds of stuff to all kinds of places, it will get the attention of Middle-America, which will then bring it to the attention of legislators. Any time a legislator can say "This is a blow to Child Pornographers and others who hide behind anonymity to commit crimes without fear of reprisal" you can guarantee that the bill will pass. When that happens, we're in trouble. America is scared of computers, and remailers are thought to be havens for the big 3 (Terrorists, Organized Crime and Child Pornographers). Now that the spammers are involved (spammers possibly being hated more than the big 3), most users are exposed to anonymous remailers in negative ways (Imagine what you would think if the first time you heard about the existance of remailers, it was because someone had spam-baited you, and then told you about it). The right to anonymity in the US will be legislated away within 18 months, partially because of spam. I do hope there's a _good_ test case waiting, and someone willing to fight it to the end, but I have my doubts. Ultimately the remailer network will be forced to move offshore, the way Crypto development currently has. Don't like the News? Go out and make some of your own. -Jeff |o| |o| |o| Jeff Burchell toxic@wired.com |o| |o|- - - - - - - - - - - - - - - - - - - - - - - - - -|o| |o| I am not speaking for anyone but myself. |o| |o| |o| --- END INCLUDED MESSAGE --- This article is archived in DejaNews under their "old" database if you wish to verify its authenticity. --