Child Porn Accusation As Online Extortion Tactic

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.

Interesting...

[Saint Aardvark]

Compare and contrast with this editorial [guardian.co.uk] from The Guardian, which suggests a SETI@Home-like client to DDOS sites that host child porn.

OT discussion follows: My first reaction was, what a stupid idea -- all it takes is one faked entry on the list to turn it into a great weapon against whoever you hate today. Then I remembered Artists Against 419 [aa419.com] and its many clones. Funny how I'm willing to trust one but not the other...

Re:It's all SMTP's fault!

[ajs]

There's nothing wrong with SMTP... The problem lies with the lack of consensus on authentication, authorization and reputation systems for electronic mail.

For example, using a combination of SPF and SMTP/AUTH you can easily prevent anyone who uses SPF from accepting invalid mail "from" your domain(s) while continuing to use the world's most pervasive mail transfer protocol.

Problem is that people aren't willing to apply the time and effort required to do this globally.

The next step is reputation, and as soon as you can be sure that the person claiming to be joe@example.com is in fact from example.com, you can begin assigning example.com a reputation. You'll see dozens of distributed reputation databases, just like IP-based blacklists, overnight.

Want to move the process along? Add an SPF record for your domain and add an SPF milter (or equivalent for your MTA technology) to your mail server. The sooner forgeries stop, the sooner we can start building reputation and end this.

SPF helps here

[wayne]

One of the things that publishing SPF records does is that it creates a public statement about which email servers are authorized by you to use your domain name and which aren't.

This is somewhat like posting a "no trespassing" sign, and a chain link fence around your property. It doesn't prevent the people from cutting through the fence and getting hurt on your property, but it lets you show to the courts that you took reasonable steps to prevent it.

This is also a good reason to check SPF records. If your company or ISP lets child porn email go through that the domain owner explicitly said should not be allowed, you may have to show why you aren't contributing to the libelling of the domain owner and why you didn't protect your employees/customers from preventable child porn.

Yeah, at this instant, SPF is not enough of a standard to give you strong protection, but in 5-10 years, I think that will change.

Extortion is outdated... do people fall for this?

[DroopyStonx]

1. Don't give them money, if you do you're stupid.
2. Let em do what they claim they're gonna do. It won't hurt your company.

Anyone with a brain will be able to realize, "Hey, maybe it isn't them doing this nasty deed."

Do you REALLY think if Best Buy spams some dog sex images that people would think, "Best Buy is sick! What are they doing?!" Nah.

That's like getting those "Arnold Says 'Don't be a girlie man and vote for Bush'" spams and thinking Arnold actually approved it.

C'mon... people know better. Extortion is outdated.

Re:nothing new.

[ahfoo]

Well you also touch on the very real issue which is completely obfuscated in the fear mongering over child pornography which is the fact, and this is a very well documented fact, that the vast, vast majority of child molestation cases take place within the family and have absolutely nothing to do with this mythical image of the child predator.
Sure, you can document the sick twisted case of the totally whacked out career child killer freak all you like, but those are the extreme exceptions to the rule. The rule is that child molestation occurs within the home at the hands of an offender who is either a member or the family or close associate.
But the hype over child pornography literally pays thousands of people's salaries and forms the backbone of political careers and so you won't see it going away soon depite the fact that it has little to do with the real situation regarding the crime that it supposedly is targeting --child molestation.

Re:Huh?

[Anonymous Coward]

I don't think that's entirely true. It wasn't that the Catholic church had a specific policy to simply shuffle the criminal priests around. One thing you find in the organization of the Catholic church is that there tends to be one man in charge at any given time on any given level. And, since shit doesn't tend to roll uphill, things like this rarely made it past a single level of authority up the chain. So, aside from the same rumors that everyone heard, the Catholic church as a whole wasn't aware of specific cases. Priests get shuffled around regularly anyway, so putting in for one of your subordinate priests to be transferred elsewhere is a common occurrance and not questioned.

Other major religions don't fall into that trap so easily because of their structure. For example, any Jewish synagogue that I've seen (which isn't very many, I admit, so I could be mistaken here) has been run by a board of clergymen, with meetings and whatnot. It's harder to keep things quiet when more ears are turned your way. But in Catholicism things happen behind more tightly closed doors (good things as well as bad things) where some of the primary concerns are the privacy of the people involved and the sovereign authority of the one man in charge (priest, bishop, etc.) of that particular setting.

Re:It's all SMTP's fault!

[iabervon]

You're wrong about SPF. It doesn't do anything with the RFC822 "From:" header. It verifies the SMTP "RCPT FROM" address, which appears (generally) as "Received: from " in the headers, and is not generally displayed. That is, it tells you about where you got the mail from, not who sent it. It's really more like a postmark than a sender, and lets you know that some guy with a red marker didn't draw some inaccurate postmark on the envelope.

For that matter, alumni.almamater.edu could check SPF records and let you relay outgoing mail through them as well, if it is authenticated as really coming from the address that your account forwards to. The only reason that forwarding services are asymmetrical this way is that there is no good way of having a relay which is not an open relay.

Re:It's all SMTP's fault!

[Zeriel]

I think random, short lived domain names would start clogging up the net then though for the purpose of sending spam for about 24 hours.

Speaking as a sometimes mail admin, THEY ALREADY HAVE. Seriously.

Re:Distribution of child pornodraphy for profit

[GigsVT]

Actually, the supreme court of the US in 2002 ruled that simulated underage porn isn't illegal, and is, in fact protected speech, striking down the law you refer to.

http://www.freedomforum.org/templates/document.a sp ?documentID=16075

So, mere depictions that don't actually involve the underage aren't illegal in the US, no matter what any law says.

"The law [that was struck down by the Supreme Court] barred sexually explicit material that "appear(s) to be a minor" or that is advertised in a way that "conveys the impression" that a minor was involved in its creation."

The Supreme Court did say that if it really did involve someone under 18, even in an indirect sense such as my photoshop example, then it was not protected speech.

Re:This is what happens...

[MillionthMonkey]

It involves posession of a material which, to be produced, requires that a crime be committed which is frequently harmful to the children involved, and therefore implicitly condones the fact that that crime took place.

Yeah that would be a reasonable definition. You'd think the law ended there. There was a case in 2001 where a law (the Child Pornography Prevention Act of 1996) banning "virtual child porn"- i.e. cartoons- was struck down by the Supreme Court in a 6-3 decision on First Amendment grounds. That went close to defining a thought crime. The Child Obscenity and Pornography Prevention Act of 2002 amended the law by adding the words "virtually indistinguishable from" to the statute- creating an exemption for obvious things like cartoons- but still covers "generated images" and "computer generated images" if they're "virtually indistinguishable from" real child porn with real children. That one passed the House but was never considered in the Senate. The Child Obscenity and Pornography Prevention Act of 2003 was included as an amendment to the PROTECT Act (outlawing digitally morphed images, where you paste the kid's head on a naked body). That one doesn't care about whether it's real or fake. It simply outlaws any solicitation to buy or sell child porn advertised as such. See here for details. [washingtonpost.com]

It's a lot like flag burning- where constitutional amendments often sit squarely in the way of a desire to be seen as "doing something".