The general demeanor of that person, some of the lingo used like "rooting" or "federal server hijacking", the fact that in the screenshot he's using some text editor with ads in it to browse the offending code combined with the fact that he doesn't know what Curl is (if he did he wouldn't have sent this e-mail) screams "script kiddie" to me.
I'm not sure whether this person is actually responsible for a multi-million dollar defense project, but if he really was, it's probably a good thing he lost the deal because I definitely don't want that kind of person managing such a project.
We are dealing with a person with mental illness, because nothing is coherent. It's all made up. That's why you don't answer that kind of mail, the goal is to trigger a reaction from you.
I am pretty sure they are not even a script kiddie... they are just a fairly immature troll.
Not sure what caused the original email, but the reply is just a copy/paste of various unrelated things and security incidents that the person Googled without even understanding enough about them to form a comprehensible narrative.
Which tells me they are simply trying to get a rise out of someone.
The way the grammar is constructed I would not be surprised if this came from a pre-teen.
I agree; this seems like someone with so little technical ability, that I wouldn't be surprised if he did manage to talk someone into buying a multi million dollar defense project he could not deliver...
> I lost my family, my country my friends, my home and 6 years of work trying to build a better place for posterity.
I get losing your family / home / friends, but a country? Where did that go?
My bet is on GPT-2 (GPT-3 would probably generate better text). This whole reply just isn't coherent (first it's a defence contract, then it's learning software for kids?).
So either AI generated or someone with some mental illness.
Some context: Daniel is the primary maintainer of curl (the ubiquitous utility and library for HTTP requests) [1]
His name often shows up in the licensing disclosures/attributions of applications that include curl.
The general opaqueness of modern software leads people to latch onto him and his email for all manner of things, and for non developers to attribute to him all sorts of bad motives ("You hacked me!").
This is especially unfortunate as Daniel has been such a genuinely positive and helpful face to a popular open source project. I feel awful that his generosity gets repaid with this kind of crap.
> This is especially unfortunate as Daniel has been such a genuinely positive and helpful face to a popular open source project.
I can't agree more, Daniel is one of the friendliest, most approachable maintainers out there. Several times he takes time to answer menial questions and is friendly about it. I recommend the curl mailing list if you work with it in any manner, as you will learn a lot from other people.
I wonder if Daniel would have received less unwanted correspondence if he had set up some kind of a foundation/shell for curl's IP from an early stage.
I'm sorry to hear that. libCurl is great and my life is better for it.
It's really best to not reply to the mentally ill people (and you can be pretty sure anyone sending something like the first is at least temporarily mentally ill).
It can sometimes be extremely tempting, I know-- especially when they've managed to say something almost perfectly constructed for a pithy comeback. But it will not help you and it will not help them. If it does anything it will just encourage the behavior.
If it is any consolation lots of other people receive nasty kookmail messages -- I know first hand, in addition to the ones I get directly some of the kooks like to send massive carbon copy blasts-- as a result I have a bunch of very strange mail rules, like discarding any email that copies both a whitehouse.gov email address and Jeff Bezos, or another if both George Soros and Noam Chomsky are copied.
I never got more hate mail than when I tried doing outreach for my physics group. It did include death threats (I think) it was hard to tell if I was being accused of being part of a modern inquisition that burned people at the stake or should be burned at the stake or both.
Another good time was when I was running a crypto meetup and we had to call the cops because someone came in naked, the CIA had put chips in their clothes and they had to burn their house down so they weren't homeless but on the run.
This is not directed at you specifically, but your comment got me wondering how many people contact individuals like Daniel who are behind Open Source projects like this to share positive feedback, or even just to say "Thank you." I know I've not done it anywhere near as much as I should, and I suspect that doing so would help take the edge off what can often feel like a thankless task.
I imagine it's a bit like reviews: people with a bad experience are more likely to leave a review. Perhaps the best way to help people like David is to stop once in a while and thank them for the things they've done.
> It's really best to not reply to the mentally ill people
This IMO is the best way to deal with a lot of emails. I have some public software that is literally innocuous, and yet occasionally I get some very angry emails. An example: a small game where people think the game/computer is cheating (it's not).
If someone fires off an angry, irrational email to you, they aren't looking for a rational response - they are looking for a debate, or a fight, or an outlet. It's best to let them move on.
Thanks everyone for the positiveness and expression of appreciation I've sensed here. The threat has been reported to the police and I'll move on. I love you all. Now I'll go back and continue working on curl.
Thank you for your useful project and sorry you have to deal with this. Consider reporting to US authorities as well if you have not done so, (or wherever you think the threat may have originated from).
This feels to me like a person with some sort of mental illness or breakdown and delusions of grandeur and persecution. Their explanation doesn't make much sense. If I were Daniel, I wouldn't respond any further.
Although in that case the city was not actually hacked. It looks like this person actually got hacked by someone using curl and he is complaining that curl made it possible. I wonder if he knows anything about the people who wrote the actual exploit(s).
A bit like the time the scientology lawyers were desperate to find out who was running that server at 127.0.0.1 that had all their files on it, and really really wanted to find the person who was using the 'majordomo' login so that they could depose them.
Woah, that should have been reported to the FBI as extortion. Through the (interstate) threat to report a crime falsely to the FBI, the extortioner successfully extracted a valuable service, viz. tech support, from the victim.
Many comments rush to label this guy as "mentally ill". Being an entitled asshole with misdirected anger is not necessarily a medical condition. And there are plenty of people with actual mental health problems who are not aggressive at all (statistically, mentally ill people are more likely to be victims of violence).
Health issues are a thing that happens to people, and they don't have control over it, which absolves them from responsibility for it. OTOH if the guy making these threats is just pissed off due to his own failures, or even is just a troll making it all up, he should be held responsible for his actions.
You're drawing a brighter line between mental illness and being an asshole than I would. There may be more grey area between absolution and being held responsible than you're allowing.
I'm not implying we shouldn't hold trolls responsible when they know better. From an outside perspective it would suck to have a brain that releases dopamine when causing others to suffer.
This is the equivalent of sending death threats to the car company that manufactured the car that the robbers used to get away in after robbing your bank.
The problem is a common one, where someone reaches a conclusion after a sloppy investigation.
From the letter, it sounds like this guy had his life ruined, and upon investigating the hacker tools used to ruin his project and life, he jumped on the name that appeared the most in the source code.
The screenshots would have been an "I know it's you" message to him, which the sender would assume is more than enough to let him know the meaning of his email. And indeed, if Daniel had been writing haxx0r tools, the message and intent would have been crystal clear.
At this point the sender would be assuming that Daniel is just playing games with him and playing dumb, so he's pouring out his story to shame Daniel over the damage that his hacker tool has done.
If someone were to write tools specifically for evil purposes, and your life were ruined by use of said tools, you'd be screaming mad, too. And probably seeking revenge.
Except that his investigation was sloppy and incomplete; Daniel doesn't write hacker tools, he writes a HTTP client library. He's no more guilty of facilitating hacking than the writer of any runtime library's HTTP client code.
Normally, this would be a matter of setting the facts straight, but in this case a criminal investigation would probably be in order.
I think we all owe Daniel a certain amount of thanks for somehow, incidentally, maybe, preventing nutjob exhibit A from getting a multi million dollar defense project.
And anytime such unrealistic threats are made, this always makes it seem like maybe it's not so bad:
Let's get our facts straight here. Does the Perseverance rover contain libcurl? It has ffmpeg, so, ... "on the planet" could be changed to "two planets in this system."
Seems like a death threat from an icloud.com address. Chances are the real name and location of the sender is available to the authorities (with consent by a judge) from Apple.
Relatedly, someone on the blog posted a comment that it might be more effective to report him to Apple than to turn a credible death threat over to law enforcement! Comments here seem to acknowledge that he's delusional, but he may very well have lost a huge contract. He claims he's lost family, friends, house, and can't go back to his home country. What would Apple's move be? To lock him out without warning or due process of any sort. I don't know about any of you, but I KNOW how devastating it would be to suddenly be locked out of MY iCloud account. Do we really think that getting Apple to deplatform him will somehow assuage his stated murderous intent?! What kind of cyberpunk megacorp police state future are we advocating for here? No, the answer is to report this to local LEO and the FBI, let THEM deal with Apple to get his details, and handle whatever comes next.
I've seen the theme of "maintainer of popular open source product is threatened by person who doesn't understand it's just a component" show up a few times, but when I think about it most of those times have been related to curl specifically. Maybe it's because of the domain haxx.se? Or maybe Daniel just writes about it a lot? Does this kind of thing happen so regularly to others?
It’s because curl and libcurl are used virtually everywhere, and clearly identified. This means in any problematic or malicious device or software, odds are good the first clearly identifiable thing you’ll find are references to curl.
Though the domain probably doesn’t help with the association. If you got hacked and the first clear string you find is “haxx.se” it’s not a big leap to interpret it as a taunt.
I'm guessing it is because people who create these hacking tools often need to do HTTP requests, so they just copy in libcurl source and before you know it Daniel's name is associated with all these tools and attacks.
'man curl' lists Daniel. I think morons that don't know what curl is only see the 'haxx.se' domain and think it's some hacker. It's sad a person who's written a tool used by so many people and systems every day has to deal with nonsense like this.
Unfortunately this is what a mental health problem looks like. Our society is ill trained to identify and deal with this category of heart breaking disease.
I'm not a psychiatrist, but it seems that this person has some severe psychotic disorder. The whole thing reads like a cheap knockoff of "A Beautiful Mind".
[+] [-] Nextgrid|5 years ago|reply
[+] [-] shin_lao|5 years ago|reply
[+] [-] brunes|5 years ago|reply
[+] [-] bryanrasmussen|5 years ago|reply
[+] [-] bjarneh|5 years ago|reply
[+] [-] growt|5 years ago|reply
[+] [-] uh_uh|5 years ago|reply
[+] [-] michaelbuckbee|5 years ago|reply
1 - https://github.com/sponsors/bagder
[+] [-] oblio|5 years ago|reply
[+] [-] ProAm|5 years ago|reply
[+] [-] dharmab|5 years ago|reply
[+] [-] robin_reala|5 years ago|reply
[+] [-] nullc|5 years ago|reply
[+] [-] konjin|5 years ago|reply
It was pretty close to: https://web.archive.org/web/20150506055228/http://www.timecu...
Then there was the time I was on the board of a hacker space: https://shitnoisebridgesays.tumblr.com/page/3 it wasn't noise bridge but it had the same vibe.
[+] [-] cmsefton|5 years ago|reply
[+] [-] david422|5 years ago|reply
[+] [-] notthegov2|5 years ago|reply
[+] [-] bagder|5 years ago|reply
[+] [-] sagebird|5 years ago|reply
[+] [-] mchusma|5 years ago|reply
[+] [-] richer6605|5 years ago|reply
[+] [-] ToniCipriani|5 years ago|reply
[+] [-] kstrauser|5 years ago|reply
[+] [-] Rovanion|5 years ago|reply
[+] [-] Ndymium|5 years ago|reply
[+] [-] blinkingled|5 years ago|reply
[+] [-] Taniwha|5 years ago|reply
[+] [-] unanswered|5 years ago|reply
[+] [-] pornel|5 years ago|reply
[+] [-] joombaga|5 years ago|reply
[+] [-] m12k|5 years ago|reply
[+] [-] Tepix|5 years ago|reply
[+] [-] kstenerud|5 years ago|reply
[+] [-] BLKNSLVR|5 years ago|reply
And anytime such unrealistic threats are made, this always makes it seem like maybe it's not so bad:
https://youtu.be/Nw1643T0RD0
(One of these days I'm going to cut you into little pieces, by Pink Floyd)
[+] [-] ChrisRR|5 years ago|reply
[+] [-] _pvfr|5 years ago|reply
[1] https://twitter.com/FFmpeg/status/1362509273029353472
[+] [-] Tepix|5 years ago|reply
[+] [-] TheRealDunkirk|5 years ago|reply
[+] [-] oldkn|5 years ago|reply
[+] [-] masklinn|5 years ago|reply
[+] [-] sime2009|5 years ago|reply
[+] [-] dmingod666|5 years ago|reply
[+] [-] extropic-engine|5 years ago|reply
[+] [-] FriedrichN|5 years ago|reply
[+] [-] carlsborg|5 years ago|reply
[+] [-] mkl95|5 years ago|reply
[+] [-] corobo|5 years ago|reply
Either it's scary and get law enforcement involved or it's not and we're gawking and laughing at someone at their worst moment.
In an attempt to take this post at its most charitable I agree, it fucking sucks there's not enough focus on mental health in the world.