http://www.cotse.com/runningcotse.htmlWhat it is like behind Cotse?
--------------------------------------------------------------------------------
General
Running Cotse is no picnic. It is a very large site and service, administration is a 24x7 job. It means dealing with DoS attacks, hacking attempts, complaints, and visits from the FBI. It means dealing with harassment, threats, and personal attacks. It means 24x7 monitoring of security lists and issues to fend off cracking attempts. It means not spending time with my family, going on vacations, or away for the weekend. No, it is definitely no picnic.
Why is it so difficult? Besides being a large reference site with a lot of traffic and operating on a shoe-string (we like to call it boot-strapping)? It is difficult only because we gave people the ability to post to Usenet. Usenet is a battleground. It is global unmoderated anarchy at it's finest where law is attempted through intimidation and cyber attacks. If those don't work, the ante is raised to include real life attacks.
We created the ability to post to help protect individuals from these types of attacks. We shielded their IP address so they could not be attacked for what they said. We have been very successful in this with a user base of over 10,000 on our webmail service. Our service was utilized during the Malaysian elections and the Yugoslavian conflict to enable people to speak, and it has protected thousands of individuals from real life attacks due to a disagreement in an on-line discussion.
We've let others shield themselves behind us so they could lawfully participate in on-line discussions without fear of becoming a target. We did this by identifying real abuse and adopting very strict policies regarding it. All forms of abuse were covered. Everything but saying something unpopular or participating in flamefests. What we didn't do was adopt a policy that said you could not disagree with anyone when posting to Usenet.
We operate under the principle of Freedom of Speech. Because of this we didn't make it so that you couldn't post an unpopular opinion. This often places us in the position of supporting something we do not believe in personally, but freedom of speech grants the person the right to express that opinion. The lack of a policy on unpopular opinions has brought us nothing but trouble and attacks. We found out that if you allow someone to speak an unpopular opinion, you will become the focus of malicious attacks. We have also found that every opinion is an unpopular one to someone.
The Cause
The cause is Usenet turf battles. Someone sets up shop in a newsgroup. They say people can only talk about X. They are opinionated and and try to impose rule by force in an unmoderated public discussion forum. Anyone who crosses them is attacked. If anyone disagrees they will attack their ISP to get them to term the account. If that does not work, they will also launch into real life attacks on the individual. They will do everything possible to try to rid that user's presence from Usenet.
Common attacks are: forging mail to employers, neighbors, and acquaintances; forging posts in on-line discussion forums trying to get others to attack the individual; signing the user up to every spam list; denial of service attempts and hack attempts; credit card fraud and identity theft; harassing phone calls and mail; attempts to set the individual up for crimes; and more.
This is where we come in. We shield an individual's identity to protect them from these attacks for what they say. The only way we will give it out is by legal subpoena. This protects our users from those that would attack them for a differing opinion while still allowing legal issues to be addressed. It is a form of anonymity with accountability.
What is left are issues that are not net abuse and are not illegal. That means disagreements and unpopular opinions. The Internet is filled with zealots and kooks of one flavor or another and they always manage to meet each other. Often the one attacking us over the postings of another is doing the exact same thing our user is doing.
What they are complaining about is not abuse, nor is it illegal. It is a flamefest or an unpopular belief. They view their only recourse being intimidation. Because they cannot identify the individual to intimidate them, they focus on us, and they will do anything to try to get us to act in their favor. They are attempting to shut us down by any means possible.
The FBI
I deal with the FBI almost weekly. I am under two federal gag orders and expecting a third. I obviously cannot speak about any details and only mention this because it was mentioned prior to receiving the order. They have visited my humble abode in the god awful hours of the morning and I'm fairly certain that they have me on speed dial. The last call was at least to tell me they'd be visiting again. Nice guys, actually. They've been very pleasant every time we've spoken or met. But all the same, I'd rather not have to go through it at all.
The problem is that those that attack do so in a very vindictive manner. They sign up for accounts to send bomb threats and death threats with the intention of bringing heat upon us. These threats are a serious breech of our policies and we do not even require a subpoena to turn over that information. (I've got news for those doing this, not only do we not require a subpoena to turn over information as per our policies, but we will not notify you, and we will help them trace you). They do this as a method of harassment designed to get us to terminate someone else's account or get the government to shut us down.
The hack attempts
Fifteen hundred attacks a day, more if you count idiots trying IIS exploits. Add to that ping floods, DoS attacks, ddos attacks, mailbombs, and the like and it makes this a constant challenge to keep running. If it is out there on the net, someone will run it on us.
This means constantly being on top of new exploits and security issues. It means monitoring and detection. I've learned more about system and network security running this than any years spent doing it in a consulting role for big business. No one I've consulted for has had a network and setup that goes through what we do daily.
Every service, form, or anything we offer has to be crawled through for abuse issues. If there is a way to abuse something we offer, someone will do it to try to stir trouble up for us. Running Cotse is being forced to stay on top of things 24x7. It has to be or we'd get blind-sided, but it's only a matter of time. We can't stay ahead forever, the law of averages says that someday a new security issue will reach them before it reaches us. Nothing is 100% secure.
Real Life
I've been threatened, attacked, and harassed. We've had to change our phone number due to 47 untraceable calls in a 24 hour period just to call my wife nasty names. We've lost advertisers due to forged e-mail. We've had attempted mails to our employers (fortunately we are our employers and it's actually kind of amusing to get a message sent from you to you to try to get you fired). Our family has gotten calls. This is just what I know about, what I don't know is probably twice as much.
I've been forged all over usenet, been called every name in the book, and have had my name forged to some of the bomb and death threats sent. People have done everything they can to make my name mud. Recent postings to alt.prisons have been made in an attempt to stir up attacks on me and my family. Why? Because one of our users called someone posting racist messages a racist name. The one who started the entire racism stuff is now angry that he got called a name.
Why?
Why do I still do it? Everyone I know asks me that question. People think I am nuts for putting up with everything. People think I should just close it down. After all, it makes us no money, why bother?
These attacks we get are not because of illegal activity from our services, that can be addressed legally. They are not from harassment from our service, if they were we would be working with law enforcement. These attacks are not from net abuse from our service, we worked hard developing strict policies regarding abuse. Our policies were discussed and adopted with help from the net-abuse groups and we continue to be an active member in those groups.
No, these attacks are because someone said something unpopular or got involved in a flamefest. They are because the attacker has no valid legal recourse and no valid complaints of real abuse. These attacks exist only to squelch an opposing viewpoint or to win a flamewar by account term in an attempt to effect banishment from the Internet for that opposing view. Everyone has a right to express their view, even if it is found distasteful by others.
Freedom of Speech is the foundation of a free society. Our country (USA) was founded upon it. But it is under attack now. The problem is that the only speech that needs protecting is unpopular speech. In order to protect freedom of speech for all you must protect unpopular speech. If you give away that freedom and censor, you'll have no recourse later if someday it is your own speech that has become unpopular. But if you support unpopular speech you will get attacked, and attacked viciously.
We believe in it enough to offer these services free with no revenue return at all. It is our way of taking a stand. This may only be a tiny stand, but freedom is being taken away in tiny pieces in the name of protecting against unpopular speech. What is popular today will change tomorrow, but the restrictions passed will stay. Freedom of speech must not be forced out because someone does not like what someone else says. This has been our stand against the eating away of that freedom.
But I'm battle scarred and shell shocked. It hasn't been an easy fight. Those against us are not the governments, they are not the corporations, they are not the legal system. They are individuals self-righteous in their views. They are the very people who's freedom of speech we are trying to protect. They have a right to be heard. But at the same time they work hard to squelch any opposing opinions or speech, those others also have a right to be heard. If they succeed, they will only have given away their own freedom.
They don't seem to understand this, or if they do, they don't seem to care. They forge our headers and commit net abuse to get support in their war against us. They sign up for accounts and skirt the edges of our policies to irritate others and build support against us. They have one goal, shut us down or get me to shut it down because we shield someone they want to attack. All because that person said something unpopular or disagreed with their views.
So on to the main question: Is it worth it? They are hoping that I eventually decide no. I don't think I am going to do that.
/steve