Yay for Death Threats
I guess there is a first time for everything. We have gotten our first legitimate death threat by way of blog comments. Last night at Wed, 15 Nov 2006 20:54:51 -0800 (PST) we got many threatening posts. Don’t worry, I’m not running for the hills, but I thought you should all know about it, as I do try to be full-disclosure about events like this. Here is a choice snippet for your enjoyment:
IP: 211.144.105.161
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
…non threatening babble snipped…
IM GONNA SET FIRE TO UR FUCKING HOUSE AND DANCE ON UR FUCKING CORPSE!!! ( IM NOT A MENTAL PATIENT!!)
If I had a house I might be more worried, I guess, but if I’m dead why would I care if someone was dancing on me? Clearly he is not a mental patient as he says, although perhaps that should change as a result of this post. No, but seriously, at first I thought it was a joke, a la fthe.net: “No death threats or poetry please. Just Kidding. No Poetry please.” But after looking at his traffic and seeing the huge volley of posts talking about what I should suck and where I should shove things, I kinda doubt it. Not that I think he would actually come after me and dance on my corpse, but I still don’t take things like this lightly.
This is a user who has been on the site off and on for quite some time, so it is not in regard to any of the near recent past events, and in fact found me through a link talking about the imagecrash script. So I’m not exactly sure what the impetus was other than perhaps there is some clue in the post he looked at immediately before going crazy - the click fraud post. I can’t really see why click fraud would burn this user up, but there you have it.
Look, whatever the reason is, I’m not online to make enemies. I don’t care about harming companies, or about posturing in general. I’m really just interested in security as a whole. That doesn’t make me malicious. In fact, if anything I am one of the most level-headed, business-oriented people you’ll ever meet. I’m a consumer advocate and a business advocate almost to a fault. The lab was built for me to test serious flaws that were affecting the company I worked for at the time. Why? Because I was trying to protect all of you. Yes, nearly every single one of you was being protected by me and the team I was on. That’s not a joke, and sooner or later it’ll come out about what I used to do.
My point being, I’m not sitting in a basement thinking of ways to destroy security companies or huge businesses. I’m very much a normal guy, who just has a passion for finding issues that would affect me or my family or good people like you all. I really love the Internet but it’s getting to be a scary place. I don’t feel safe on it (and it’s not just because of the death threat). By shutting people like us up all that will happen is that you end up with a more insecure Internet where only people in the shadows have any clue what’s going on.
I started the web application security lab because there was a huge void in the security space. There were a few good organizations like WASC and OWASP out there. Zeno had CGI Security but even he’ll admit that he wasn’t as free to talk about what he was working on as he would have liked. Frankly very few people were discussing web application security publicly while I was living the business end of it every day. I was dealing with all these issues for real, not as a game and I certainly wasn’t involved in the academics of security theory - at least not while I was on the clock. I had to protect millions of users while making half of it up as I went along, because there were no good resources out there for people like me.
Things have evolved in an odd way and I am sure some people think I am super malicious and out to destroy all that is good and holy. That could not be further from the truth. I have zero interest in vulnerabilities in particular companies. Yes, I like some companies better than others, but I don’t care about the issues in them. I’m a privacy advocate, but that doesn’t mean I live in shadows. I like for people to know what I’m thinking. Even if I’m dead wrong (and I have been wrong before) at least there is an avenue to discuss it, unlike two or three years ago when all we had was the webappsec mailing list, which had perhaps two or three posts a day on it if that. That’s just not enough for how serious an issue web application security actually is.
So I’m speaking both to our friend at the Chinese IP address as well as to any other people who think I am a self-servicing anarchist. I’m here protecting you. I’m a) keeping you people with jobs b) giving you an opportunity to see the issues before the bad guys use them against you and c) I’m attempting to find ways to fix those same holes. There are only a handful of people out there doing this sort of research and being public about it. Frankly, the more we do the closer we’ll get to figuring out the issues.
I’ve been out of the security industry for almost a year now but I think it’s about time to come back. This time on my own terms.
November 16th, 2006 at 11:04 am
Actually I’m free now to talk
Do expect much more in the upcoming months.
- zeno
November 16th, 2006 at 12:15 pm
Oh, I believe that. It’s good to see the gag is finally out of your mouth. I can’t wait.
November 16th, 2006 at 12:32 pm
Hey, if you are going to have people dancing on your grave, you should have a pole installed instead of a gravestone so at least you get some entertaining dancers.
November 16th, 2006 at 1:54 pm
Entertaining for you maybe! I’ll be dead! Fat lot of good that’s doing me. I want you all depressed and wallowing in misery over my loss, not hot and horny. Remind me to not let you plan my funeral. However, as a consolation prize remember to tell me to let you plan my bachelor party.
November 17th, 2006 at 9:46 am
I thought you’d like to see the face of your stalker:
http://www.youtube.com/watch?v=gi8LJt-8zqg
I’d be afraid. Very afraid.
November 17th, 2006 at 11:46 am
cb, if that were really him, I’d unplug the machines right now. That guy is seriously having a full blown hissy fit.
November 17th, 2006 at 6:02 pm
There’s a thin line between love and hate RSnake - Seems someone is courting your attention!
I wouldn’t worry too much unless you have cause for concern not revealed here - Most death threats in the real world come to nothing… much less on the net.
Having said that, if you do believe it’s credible, I know how you feel: One of my ex-bosses had a “contract” arranged for me - paid for ‘n’ everything. I was tipped-off before “anything” happened and I don’t mind admitting that during the week or so between finding out, and having the “contract” “un-arranged”, I was shitting myself.
I propped up bits of wood between the doors and wall and slept in my clothes with strategically placed weaponry dotted about the gaff. After 2 or 3 days I just stayed at my girlfriend’s until it was all sorted out - It just got so debilitating I couldn’t function properly.
I knew, with little doubt, it was credible; and I knew the “security guard” company “employed”, performed the odd unusual request… but it was the NOT knowing: who, where, when and how that was bad for my mental health.
I’m sure you know what to do if you believe this idiot is “for real”… conversely however; if you don’t know, don’t go burning braincells wondering.
November 18th, 2006 at 9:17 am
Quote:
I thought you’d like to see the face of your stalker:
http://www.youtube.com/watch?v=gi8LJt-8zqg
Damn… Yeah this is some freaky stuff.
November 20th, 2006 at 10:28 am
I got some encouraging words from Jeremiah. He reminded me that the Attrition.org guys had to deal with this kind of crap all the time: http://attrition.org/postal/
I had forgotten about that (I shouldn’t have as I used to have an email address there). Anyway, don’t worry, I’m not deterred.