“I will slaughter you”

You might know that I’ve posted funny emails I’ve received on my blog several times in the past. The kind of emails people send me when they experience problems with some device they own (like a car) and they contact me because my email address happens to be visible somewhere.

People sometimes say I should get a different email address or use another one in the curl license file, but I’ve truly never had a problem with these emails, as they mostly remind me about the tough challenges the modern technical life bring to people and it gives me insights about what things that run curl.

But not all of these emails are “funny”.

Category: not funny

Today I received the following email

From: Al Nocai <[redacted]@icloud.com>
Date: Fri, 19 Feb 2021 03:02:24 -0600
Subject: I will slaughter you

That subject.

As an open source maintainer since over twenty years, I know flame wars and personal attacks and I have a fairly thick skin and I don’t let words get to me easily. It took me a minute to absorb and realize it was actually meant as a direct physical threat. It found its ways through and got to me. This level of aggressiveness is not what I’m prepared for.

Attached in this email, there were seven images and no text at all. The images all look like screenshots from a phone and the first one is clearly showing source code I wrote and my copyright line:

The other images showed other source code and related build/software info of other components, but I couldn’t spot how they were associated with me in any way.

No explanation, just that subject and the seven images and I was left to draw my own conclusions.

I presume the name in the email is made up and the email account is probably a throw-away one. The time zone used in the Date: string might imply US central standard time but could of course easily be phony as well.

How I responded

Normally I don’t respond to these confused emails because the distance between me and the person writing them is usually almost interplanetary. This time though, it was so far beyond what’s acceptable to me and in any decent society I couldn’t just let it slide. After I took a little pause and walked around my house for a few minutes to cool off, I wrote a really angry reply and sent it off.

This was a totally and completely utterly unacceptable email and it hurt me deep in my soul. You should be ashamed and seriously reconsider your manners.

I have no idea what your screenshots are supposed to show, but clearly something somewhere is using code I wrote. Code I have written runs in virtually every Internet connected device on the planet and in most cases the users download and use it without even telling me, for free.

Clearly you don’t deserve my code.

I don’t expect that it will be read or make any difference.

Update below, added after my initial post.

Al Nocai’s response

Contrary to my expectations above, he responded. It’s not even worth commenting but for transparency I’ll include it here.

I do not care. Your bullshit software was an attack vector that cost me a multimillion dollar defense project.

Your bullshit software has been used to root me and multiple others. I lost over $15k in prototyping alone from bullshit rooting to the charge arbitrators.

I have now since October been sandboxed because of your bullshit software so dipshit google kids could grift me trying to get out of the sandbox because they are too piss poor to know shat they are doing.

You know what I did to deserve that? I tried to develop a trade route in tech and establish project based learning methodologies to make sure kids aren’t left behind. You know who is all over those god damn files? You are. Its sickening. I got breached in Oct 2020 through federal server hijacking, and I owe a great amount of that to you.

Ive had to sit and watch as i reported:

  1. fireeye Oct/2020
  2. Solarwinds Oct/2020
  3. Zyxel Modem Breach Oct/2020
  4. Multiple Sigover attack vectors utilizing favicon XML injection
  5. JS Stochastic templating utilizing comparison expressions to write to data registers
  6. Get strong armed by $50billion companies because i exposed bullshit malware

And i was rooted and had my important correspondence all rerouted as some sick fuck dismantled my life with the code you have your name plastered all over. I cant even leave the country because of the situation; qas you have so effectively built a code base to shit all over people, I dont give a shit how you feel about this.

You built a formula 1 race car and tossed the keys to kids with ego problems. Now i have to deal with Win10 0-days because this garbage.

I lost my family, my country my friends, my home and 6 years of work trying to build a better place for posterity. And it has beginnings in that code. That code is used to root and exploit people. That code is used to blackmail people.

So no, I don’t feel bad one bit. You knew exactly the utility of what you were building. And you thought it was all a big joke. Im not laughing. I am so far past that point now.

/- Al

Al continues

Nine hours after I first published this blog post , Al replied again with two additional emails. His third and forth emails to me.

Email 3:

https://davidkrider.com/i-will-slaughter-you-daniel-haxx-se/
Step up. You arent scaring me. What led me here? The 5th violent attempt on my life. Apple terms of service? gtfo, thanks for the platform.

Amusingly he has found a blog post about my blog post.

Email 4:

There is the project: MOUT Ops Risk Analysis through Wide Band Em Spectrum analysis through different fourier transforms.
You and whoever the fuck david dick rider is, you are a part of this.
Federal server breaches-
Accomplice to attempted murder-
Fraud-
just a few.

I have talked to now: FBI FBI Regional, VA, VA OIG, FCC, SEC, NSA, DOH, GSA, DOI, CIA, CFPB, HUD, MS, Convercent, as of today 22 separate local law enforcement agencies calling my ass up and wasting my time.

You and dick ridin’ dave are respinsible. I dont give a shit, call the cops. I cuss them out wheb they call and they all go silent.

I’ve kept his peculiar formatting and typos. In email 4 there was also a PDF file attached named BustyBabes 4.pdf. It is apparently a 13 page document about the “NERVEBUS NERVOUS SYSTEM” described in the first paragraph as “NerveBus Nervous System aims to be a general utility platform that provides comprehensive and complex analysis to provide the end user with cohesive, coherent and “real-time” information about the environment it monitors.”. There’s no mention of curl or my name in the document.

Since I don’t know the status of this document I will not share it publicly, but here’s a screenshot of the front page:

Related

This topic on hacker news and reddit.

I have reported the threat to the Swedish police (where I live).

77 thoughts on ““I will slaughter you””

  1. They need some therapy if they blame curl for being exploited… they have some bigger issues. Here’s at tip: secure you systems first.

  2. I’m sorry you have to put up with this. The response, as ill-informed as it is, also causes some serious feels. Clearly, the person isn’t doing well either.

    Hope things will getter for both of you.
    Thank you for working on curl.

  3. What the actual f*ck? That sense of entitlement is unbelievable. I hope this went straight to the police?

    Wish you the best

  4. Poor guy whose life is ruined looking for someone to blame. I feel sorry for him, but threatening a random developer whose code happens to be open source is far beyond unacceptable.

    Do you know if any of the breaches he mentions actually involved vulnerabilities in code you wrote? Or does Al just not understand that software is composed of many parts, and that a vulnerability in one part has nothing to do with the developer who wrote another part?

    I’m sorry you got this hate mail. You don’t deserve that at all. You have no responsibility over someone losing his family etc. Such a thing is not caused just by a work project going bad. Al needs professional counseling to deal with his issues.

    1. @Sander: I’m fairly sure that curl was not exploited in any way in any of the attacks mentioned in that email. Maybe it was used as a tool or somehow involved to perform one or more of the attacks, I don’t know, but it I believe it is likely since curl is the world’s Swiss army knife for HTTP fiddling and transfers.

      1. The emails look like the ranting of someone suffering from a mental illness. There are delusions of grandeur and over-valuing curl as some cause for all of his problems. There is also a reference to Terry Davis, so it might have been shared.

  5. Kind regards, I hope you’ll manage to forget it and consider it just as another deeply dumb people on the Internet trying to blame someone else for his failure. Wish you the best (and big THANKS for your code).

  6. It occurs to me that you would not be experiencing any of this had you simply chosen to NOT “plaster your name all over” the software involved. Sorry, but I have little sympathy for anyone who seeks “fame”. Or is there some valid reason for attaching your name to that which you do?

    1. Karl, do you do all of your work anonymously? Do you seek no recognition or recompense for your work? Surely you must, you put your name to this comment after all.

    2. His name is in the license for curl. As part of the license terms (as will almost all other OSS licences), you must include a copy of said license in any software you distribute that includes curl.

      Daniel has not included his name for fun, fame or profit — he’s included it to protect curl as a free and open-souce tool that millions of people benefit from every day.

    3. Kindly suggest you do your homework on software licensing first before you start posting immature comments.

    4. It’s called a license header, it’s pretty much a legal necessity in order to keep software libre. I can’t honestly believe you’re trying to justify this absolutely unhinged idiotic behaviour.

    5. How could he defend the copyright without using his own name?

      And how could he make the living he does without building up his great reputation?

      He got a physical threat for something he’s innocent of. I don’t think you can blame this on him.

    6. I’m sorry, WHAT?
      Are you aware that Daniel wrote cURL, and the licenses almost always require someone to attribute the copyright to (yes, even the free/open/libre ones) and even if they didn’t, it should not matter to you or anyone else if Daniel “plastered his name all over the place” it’s Daniel right an that’s not enough argument to direct stupid emails to anyone.
      We should be grateful for all the good work Daniel has put over the years and the great library and tools he’s given us.

    7. You have to put your name in your software for legal reasons, such as if you want to ensure that others remain able to copy derivatives of your software, as is the case with his software

    8. You might want to read up a little bit on how open source licenses, like the GPL, work.

      GPL: “You should maintain a proper copyright notice and a license notice in each nontrivial file in the package.”

      https://www.gnu.org/licenses/gpl-howto.en.html
      https://www.gnu.org/prep/maintain/html_node/Copyright-Notices.html

      MIT: “The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.”

      https://opensource.org/licenses/MIT

    9. His name is in the files because of the copyright notice stating who the author is. IANAL, but my understanding is that a clear statement of authorship is required for the copyright notice to be valid.

      1. Eh, you don’t need a notice to have copyright on something you wrote, but it certainly makes it easier to show that you are the one who wrote it.

    10. it’s shorter and kinder to just say “i don’t understand the concept of software licensing” and then not post

    11. There is a very clear valid reason: Copyright law.

      If Daniel wouldn’t put his name in the license, how would people know who owns the copyright on this work?

      It’s standard practice throughout the whole software industry. And hell, throughout EVERY industry. You will be hard pressed to find any piece of software, music, video, etc. without author info.

    12. Wait, what? So, you actually think that some ways of providing contact details mean threats are ok. Wow.

      Secondly, it is not ok to stand for what you have created? Or is it simply that you feel people should hide from what they have created?

      Either way, I think that how you decide to provide your contact details does not mean it is ok to send threats. My opinion.

  7. Mr Nocai appears to be violating the terms of use of Apple’s iCloud service. Apple may be a more productive route than trying to find a law enforcement authority to route this to.

  8. Delusion, to put it in one word. Wasteful on so many levels. There does not seem to be a real person on the other side of that email. Just a big blob of anger. Misguided and lost, in a dire need of attention and proper help.

    It’s kind of you that you replied. But just equally, this may be a piece of elaborate SPAM, an unsolicited anger kind of it, polar opposite to “Sir, you won teh prize”. Either way should’ve been filtered to make this world a better place.

    Sorry you had to deal with this. Hope whoever that may be will find peace in life.

    Thanks for your efforts and the great product! Lots of real people and good projects depend on it.

  9. If I read right, the man is upset because a project he was working on got hacked. He’s looking for someone to blame, and your email address happened to be ‘@haxx.se’ so he probably assumed your tool was some hacking and exploitation tool.

    I know what curl is, I love it, I use it all the time, and I thank you for your service.

    1. lol
      If he thinks someone with such an email address must be a black hat hacker, it doesn’t surprise me that he got hacked.

  10. Am I missing anything here? Reading his response without knowing this was directed at the maintainer of curl, I would think it was instead directed at someone who curates an exploit kit or something like that. Maybe he just got info about the tool used (or one of them that was open source) and he had a quick look in the code and by chance he stumbled upon your name several times, he then immediately stopped what he was doing and sent you an aggressive email. But that would be a dangerously sloppy work ethic on his part.

    The fact that he is so misinformed about who you are and how undiscriminatingly widespread curl is in the world, makes me believe that maybe his confusion about what’s actually going on is pathological and may have been a more contributing factor in his misfortune than curl ever was. Just perhaps.

    This is speculation, but he sure seems odd and it goes to show that the display of anger is often a bad advocate.

    1. > But that would be a dangerously sloppy work ethic on his part.

      > The fact that he is so misinformed about who you are and how undiscriminatingly widespread curl is in the world, makes me believe that maybe his confusion about what’s actually going on is pathological and may have been a more contributing factor in his misfortune than curl ever was. Just perhaps.

      Hear hear. My immediate thoughts were some inscrutable mixture of paranoia, delusion, and Dunning-Krueger. I am sure he isn’t being honest, but the yeah it’s very difficult to understand how a sane and competent (engineer?) (Engineering manager?) would come to the conclusion that Daniel would somehow be even remotely responsible for his difficulties.

      Unfortunately I have had much more initimate interactions with people who exhibit paranoia, delusion, and Dunning-Krueger. It often doesn’t end well.

      I strongly suspect that this is the type of guy who cannot accept responsibility for his own problems, and admit the ways he contribute to them, and is creating a fantasy world where he can blame it all on someone else.

      1. I think every time you suggest Dunning-Krueger is in effect, you should add that you aren’t quite certain about what it is. Otherwise you would be the victim of Dunning-Krueger yourself.

        Yes. I’m pretty positive that is exactly how it works.

  11. Hey there. This is clearly a person suffering from mental issues including delusion. Looks like they don’t receive help currently. There are millions of people like this in North America. Just make sure your address or other contact info is not easily traceable or public. Also, inform the authorities.

    Most of the time, people in such conditions cannot harm others because they physically cannot be dedicated enough to show up on your doorstep. But better be safe.

    Most likely, this person made up most of the things they lost and imagined you as their scapegoat in their mind.

    Stay safe.

  12. Next they’ll be holding Tim Berners-Lee accountable for their own failures. Displacement: it can’t possibly be their own fault, they did everything right and the first name they find they blame.

    They will blame the wind for blowing, the sun for shining and the river for flowing, they will never take responsibility.

  13. Fascinating that this guy assumes cUrl was created as a black hat tool. Who does he go after next, Postman? Your security issues are your own. cUrl is not the only tool you can use to exploit then, nor does any of this make it an illegitimate tool in any way.

  14. “I have now since October been sandboxed because of your bullshit software” hmmmmm

    “I got breached in Oct 2020 through federal server hijacking” this proper english for american good time

    “JS Stochastic templating utilizing comparison expressions to write to data registers” hE iS a CrYpTaNaLySiS eXpErT

    “I cant even leave the country because of the situation;” oh;no

    “So no, I don’t feel bad one bit.” probably the one true part besides the sandbox

  15. since you’ve made a gigantic change to the timeline, it’s natural (human nature, that is) that you be pilloried for it. stay safe please; the world needs you and needs those you will yet inspire.

  16. He probably doesn’t understand what curl does, and is triggered by your domain name: haxx.se

    He probably thinks you make hacking tools…

  17. I’m glad you posted this. It’s enlightening how some people think, and how wrong they can be. I’m glad it’s been reported, as I know this is not the only time. Open source can be such a thankless task, and that’s fine – but it’s never fine to be threatened. Never.

  18. cURL: an amazing piece of general-purpose networking software, small and beautful

    I use it heavily, daily. I’m always grateful for it.

    I just figured you deserve a thoroughly, 100% purely positive comment. Thank you for helping make this software a beloved part of my computing life. Please keep up the good work.

    (I linked to a reference to cURL in my “website” link for this message.)

    1. Agreed. Commercial software I wrote links to libcurl and uses it to do all the hard lifting on the communications side, just as it is designed to do. Saved me a lot of work. I don’t work for that software company any more but the company I now work for relies on it and that software still relies on your software. I have also used your command line curl program a lot and found it to be a very valuable tool. You deserve all the recognition for it you get and I hope that recognition also helps you with any commercial endeavours and/or work you do to make a living.

  19. Thank you for your work. I really like your library. It is super easy to use. I made a program that uses your library. It got accepted in Debian repository. The experience of writing that program really helped me with my job interview. I am now working for a big tech company. Your work really helped me.

  20. I love cURL. I hope this doesn’t deter you. I wish I could help.

    Thanks for all that you’ve done. Such a gratitude maybe doesn’t too the scales much, but I offer it nonetheless.

    Fuck this guy. Honestly. Open source is not about open responsibility. If you manufacture a wrench and someone beats someone’s ass with it, you don’t owe anybody anything because of it. if anything, you made one hell of a wrench.

    Never stop! ??

  21. I’m sorry, but why is he using the world “sandboxed” like this:
    “[…] I’ve been sandboxed since October.”

    To “sandbox a server” is similar to “pwn a server”? Or am I missing something here?

    Btw Daniel, keep up with the splendid work… cURL rocks!
    (Sorry for my English and kudos from Brazil!)

  22. I am a Cuban developer who has never set foot in Sweden. You are a Swedish developer who as far as I know has never visited Cuba. I have used curl and libcurl in countless projects both professional and personal. You, a complete stranger, have made my life (and many others) easier thanks to your work, regardless of race, culture and geography. Be proud, be happy, keep up the good work.

  23. Secure your own networks and applications – this is what threat models and pen tests are for you fucking scrub.

    Don’t blame people for utilizing their code in your projects unless you know how to use it.

    ——————————-
    I love using curl as a callback tool to see if an exploit was successful – keep on rocking, Daniel.

  24. Wait, it wasnt even an exploit in curl? It was simply malware utilizing it? If so this guy is a moron ignorant of basic utilities who doesnt deserve a project of that magnitude.

    This is as stupid for blaming the authors of internet protocol for anything bad on the internet.

  25. Sorry to read this. You are one the people I always recommend people to follow. Great personality, great code, great vision. Keep the greatness rolling 🙂

  26. I feel like you ought to leave this one alone for now. Al almost certainly is suffering from mental illness and lashing out. So although this post started out as a needed discussion about toxic online rhetoric, these new updates just feel voyeuristic. What Al needs is some medical intervention, not a public excoriation. Psychosis is a terrible affliction and leads to long-term brain damage. I am sorry you were subjected to these emails but people with mental illness *rarely* become violent and the best thing to do is to hope Al is able to find some help.

  27. The author of these emails shows clear signs of suffering from a psychotic illness of some kind (maybe schizophrenia). It can be distressing to deal with someone like that, but it might be helpful to remember that these threats are the illness talking, and the (likely seriously) mentally ill author doesn’t possess the same ability to control their behaviour (and consider its impact upon others) that most people do.

  28. About six years ago I was walking past the Gates Foundation in Seattle when a woman asked me to take a picture of her in front of the building. I did, and I quickly found myself in a conversation between her and an employee who was trying to enter the building. The woman was trying to deliver a book to Bill Gates. She said he owed her billions of dollars and then went on to explain that the Apple logo was based on her own image and that Mark Zuckerberg also owed her money. I was able to figure out her name and learned that some other tech CEOs have restraining orders against her.

    The weirdest thing was that she seemed so normal. She had an accent and was well spoken and well dressed. But the longer I listened to her the more crazy the words coming from her mouth became. It was truly a strange experience. She was able to logically explain her problems and her arguments, but it was all just so absurd. She truly believed these fantastical thoughts. When I have described this encounter to other people the one word they say is “schizophrenia.”

    This post story reminds me a lot of the woman I ran into. In general humans like to blame other people for their problems, but coupled with severe mental illness that tendency can really take a dark and twisted turn.

    I hope nothing comes of these emails, and I hope this person gets mental health treatment.

  29. As others have said this person is clearly dealing with mental issues. I used to work in mental health (before my tech days) and this sounds like the ramblings of something dealing with schizophrenia.

    Thank you for your work! I’ve now been in tech for over 10 years and use curl in so many scripts and libcurl in so many applications I can’t count!

  30. It’s possible he found a reference to an exploit for some of the shitty software he was using and he never updated, and that this exploit involved a command line starting with “curl”, and that he concluded that “curl” was an attack tool. You can never know what stupid people think, they’re often way more complex than rational people, it’s a waste of time to try to explain anything to them. You can just hope that Charles Darwin does his job.

  31. Thank you for all your work on CURL, I am very grateful for your contribution. This person is damaged and abusive and they are transferring blame for their problems to you.

  32. Curl is a well-written versatile tool which is widely accepted. Also in curl/COPYING it is clearly stated that therehs no warranty in curl. The same sentence appeared in the first image. I can’t image who would let a moron who never checks the license files handle federal projects.

  33. This reminds me of emails my physics department would regularly get from crack pots that had “solved the issues with Einstein’s theory of relativity”. Have a look at http://www.vixra.net (backward spelling of arxiv, which is a proper preprint archive: http://www.arxiv.org) and you will recognize the deranged way of writing in the “articles” on that site.

  34. YOU invented the pen.
    Someone used a pen to con me.
    So YOU are responsible for all my problems and losses !

    This reasoning raises stupidity to such a level we should a new word for it.

    Trying to make a dumb guy understand that he’s dumb is assuming he’s smart enough to understand you. A bold assumption, to say the least…

    You are a f…ing benefactor of mankind, and the number of occurrences of your name in IT project files is proof of it.

  35. After read the emails that you public. I still don’t know anything about the “attack vector” about curl… Too bad, really.

    Thank you for your work of curl and any other opensource projects.

  36. Hi Daniel,

    This person is mentally disturbed. You did the right thing by reporting him to the police.

    Also, in case you are feeling bad: We ALL LOVE you and cURL!

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.