Security The Almighty Buck Your Rights Online

Child Porn Accusation As Online Extortion Tactic 321

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.
This discussion has been archived. No new comments can be posted.

  • by LostCluster ( 625375 ) * on Wednesday October 27, 2004 @12:09PM (#10643784)
    Using SMTP as our default e-mail system has got to go...

    SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

    The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with SMTP, sender spoofing has been done by spammers and phishers for years.

    We need to retire this standard and find a better way to move e-mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.
    • by DaHat ( 247651 ) on Wednesday October 27, 2004 @12:12PM (#10643847)
      I'm all for the retirement of SMTP... but don't you think it would be wise to have a well known, well supported and well used standard already in place before throwing out SMTP? Such a plan would go something like...

      Phase 1: Retire SMTP
      Phase 2: Panic
      Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

      Personally, I fear Phase 2!
    • by terraformer ( 617565 ) <tpb@pervici.com> on Wednesday October 27, 2004 @12:14PM (#10643880) Journal
      Actually, this could be done with the world's postal systems as well... Although it would cost more. The problem is not with SMTP itself, but people's reliance on it for authentication, which it was never designed for. What needs to happen is the widespread adoption and use of technology like SMIME. A technology that was designed to be used for authentication.
      • And on a related topic, these sender id schemes bolted onto SMTP or attached in one way or another are horrible for people, such as myself, who have one or more user@alumni.almamata.edu addresses. I have two and both sender id schemes require the domain holder to bless the sending mail server to be considered not spam. That means people who send email through their ISP mail server (because the ISP shuts down 25) would be SOL and have to resort to using REPLY TO: headers again. There are good reasons for spo
        • by timster ( 32400 ) on Wednesday October 27, 2004 @12:55PM (#10644467)
          Of course, the systems currently being discussed do NOT require the domain administrator to "bless" a mail server; rather, they ALLOW a domain administrator to create restrictions.

          If I'm Citigroup, I'd sure like to be able to place restrictions on mail coming from citigroup.com, because otherwise people might think a falsified communication is actually from their bank -- bad news. If I'm the owner of "alumni.almamata.edu" I probably don't care.

          Spam has zero, zilch, zip to do with any of this since a spammer can easily own a DNS record. The only goal of systems like SPF is to prevent fraud. Sometimes spammers commit fraud but SPF does nothing to address those who do not.
        • You're wrong about SPF. It doesn't do anything with the RFC822 "From:" header. It verifies the SMTP "RCPT FROM" address, which appears (generally) as "Received: from " in the headers, and is not generally displayed. That is, it tells you about where you got the mail from, not who sent it. It's really more like a postmark than a sender, and lets you know that some guy with a red marker didn't draw some inaccurate postmark on the envelope.

          For that matter, alumni.almamater.edu could check SPF records and let
    • by turnstyle ( 588788 ) on Wednesday October 27, 2004 @12:15PM (#10643889) Homepage
      It just makes me wonder sometimes if anonymity on the Internet protects way more scumbags and thugs than it does free speech.

      And, it scares me miserably that I would even think about that as a tradeoff.

      • Re: (Score:3, Insightful)

        Comment removed based on user account deletion
      • free speech should not need anonymity. the best filter for free speech is the requirement for name and face. just look at all the threats and other stuff that fly low over a system like slashdot. 99% of it comes from anonymous cowards. people are more likely to come out with weighted comments when they have to stand by it by name and face.
        • TRUE free speech requires anonymity, to prevent reprisals from the government or other parties that disagree with the speech. It's the same reason that we have anonymous voting. If you had to put your name and address on your ballot, then someone outside the voting area could use your past record against you to 'influence' you (usually with a heavy object or projectile weapon). They also have a list of people to deal with before they get the chance to vote in the next election.

          Yes, we may get a high noi
          • if a person needs anonymity to hide from its own government then the system has failed as the government is appointed by the people, it does only legitimately rule with the support of the people. anything other is a dictatorship or dark age monarchy. a government that has to turn its weapons on its own citizens is a government that has failed and should (but sadly seldom do) step down. a person should not have to protest free speech against its government, but against its fellow citizens as they are the ones th
      • I don't buy the "but SMTP protects free speech through anonymity" argument. If people want anonymous speech, post something anonymously to the internet in another format. There are various ways to do this. Why insist on holding progress back on SMTP when other mediums can fill the "anonymous free speech" gap, and do a much better job at that anonymity than SMTP?

        It's like saying, well we need a way to keep phone calls completely anonymous to protect free speech -- even though a person could carry out their
    • Mod parent up, certainly. But bear in mind also that SMTP was born in an environment that never foresaw such threats. DNS, TCP, UDP, and IP were also started in such an environment, and are also buckling under the abuses (address spoofing, SYN floods, etc.)

      When do we have to replace the entire Internet? Or is IPv6 sufficiently robust?
    • Digital signing would solve that problem, but of course it's the chicken and egg.
      • by gl4ss ( 559668 ) on Wednesday October 27, 2004 @12:18PM (#10643941) Homepage Journal
        it wouldn't really solve anything.

        because basically the threat is that their name would get associated with child pornography.

        you can't really fight against such threats any other way than making it national news that someone is extorting you that way...
        • if digital signing was mandatory and everybody had certs (chicken and egg problem the poster was alluding to) their name would *NOT* be associated to anything untoward, as it would be impossible to spoof an email from somebody else (yeah, you could munge the 'from:' but your mail client would alert you that the email has an invalid signature (and possibly if this is the case the mail wouldn't even get routed in the first place)).
        • by garett_spencley ( 193892 ) on Wednesday October 27, 2004 @01:19PM (#10644771) Journal
          you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

          Scary thing about such threats is that even that doesn't work. I wonder how many people out there will never go see another "The Who" show as long as they live because of the Pete Townshend incident.

          First it was "innocent until proven guilty", then it was "guilty until proven innocent" .. and now I'm inclined to believe that it's "just guilty because the public wants it to be that way".

          If someone accuses you of being a pedophile it doesn't matter if you're guilty or not .. your life is over. And it doesn't matter what you say to defend yourself because you're a monster and a liar in the public's eye.
    • by Albanach ( 527650 ) on Wednesday October 27, 2004 @12:16PM (#10643901) Homepage
      SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      But we have technology that works almost perfectly with existing SMTP servers that combats this very threat. SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

      Why should we change every MUA & MTA, almost certainly handing control of email to big business in the process, when we hold a solution in our hands. If your ISP doesn't support SPF, point them to this and suggest they adopt it. If you don't publish SPF records, set some up. If you get a virus warning from another company where your email address was forged, email them and suggest they start SPF checking. There are always going to be threats to internet protocols - this threat is one we can already deal with.

      • You just mentioned part of the reason this doesn't happen in your own argument: "SPF, Sender ID et al". If there was ONE plan with the backing of the entire Internet community and every service provider on it, the migration could get under way.
      • BULLSHIT (Score:3, Insightful)

        by schon ( 31600 )
        But we have technology that works almost perfectly with existing SMTP servers that combats this very threat.

        No, we most certainly don't.

        SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

        And how, exactly, does this "combat" anything?

        Assume a scammer wants to extort money from "UpstandingCo.com". What's to stop them from registering "UpstandingCo.cx", "Upstanding-Co.com", "UpstandingCompany.com", or any one of a zillion other domains, setting up the
    • So a communications protocol made people collect child pornography to be used as an extortion tool? And how is removing anonymity and privacy from the Internet a good thing? I for one LIKE that I can send an email without the receiver getting my home address.
      • Why not a caller-ID type model? - you can attach your authenticated mail address, or choose to be completely anonymous. As the receiver, I can choose to block all anonymous mail.

        I don't think it's a basic right for anyone to *force* their communication on someone else without the sender revealing who they are. As long as the receiver has the ability to regulate anonymous data, you can maintain the sender's right to anonymity, as well as the receiver's need to protect him/herself.

    • supposedly this is what sender id is supposed to fix but then the servers must allow for people hooked up by outside isps to hook up and send mail via the account connected to that isp. why? i more and more often get questions from people that have used a subscription-free isp to hook up via dialup but have now moved on to a isp that supplies dsl or similar. then when they try to send a mail they get an error as the ip they are on is outside of the old isps range. usually all it takes to fix the problem is to
    • by ajs ( 35943 ) <ajs.ajs@com> on Wednesday October 27, 2004 @12:21PM (#10643986) Homepage Journal
      There's nothing wrong with SMTP... The problem lies with the lack of consensus on authentication, authorization and reputation systems for electronic mail.

      For example, using a combination of SPF and SMTP/AUTH you can easily prevent anyone who uses SPF from accepting invalid mail "from" your domain(s) while continuing to use the world's most pervasive mail transfer protocol.

      Problem is that people aren't willing to apply the time and effort required to do this globally.

      The next step is reputation, and as soon as you can be sure that the person claiming to be joe@example.com is in fact from example.com, you can begin assigning example.com a reputation. You'll see dozens of distributed reputation databases, just like IP-based blacklists, overnight.

      Want to move the process along? Add an SPF record for your domain and add an SPF milter (or equivalent for your MTA technology) to your mail server. The sooner forgeries stop, the sooner we can start building reputation and end this.
      • Comment removed based on user account deletion
        • I think random, short lived domain names would start clogging up the net then though for the purpose of sending spam for about 24 hours.

          Speaking as a sometimes mail admin, THEY ALREADY HAVE. Seriously.
      • by dgatwood ( 11270 ) on Wednesday October 27, 2004 @12:45PM (#10644336) Homepage Journal
        SenderID isn't an acceptable solution. It relies on DNS, which is a fundamentally broken authentication mechanism. Remember a few years ago when all the rage was to require reverse DNS to be reasonable for SMTP requests? Remember why people stopped doing that? It wasn't because it didn't work. It was because:

        1. Lots of sites never got their RDNS entries right.
        2. DNS is unreliable.
        3. DNS resolution is usually not parallelizable.

        The result is that the spam we have now could be a denial of service attack in two ways:

        1. By overloading DNS servers of small companies.
        2. By using bogus domain names that cause 30 second stalls in your inbound traffic.

        It also fails to solve the phishing problem by providing no real, legitimate means to track the email back to an actual person, as it is trivial to register a domain like ebay-secure.com....

        To make a long story short, mechanisms like Sender-ID are impractical and aren't even a stop-gap solution because they don't solve the -real- problem, which is determining the source of a message. Instead, they solve an irrelevant side problem, that of being able to send a message with a faked source domain. That would have solved the spam problem five years ago (when this was the usual means for sending this stuff). Now, it's too little, too late.

        We need a mechanism based on verifiable key signing with the public keys transferred as an attachment to the message itself. With such a mechanism, you'd be able to track your way back through a chain of a handful of certifying keys until you get back to the certifying agency key. At that point, you have a verifiable audit trail for determining who sent the email message, and spammers will be effectively shut out unless they're willing to send messages that can be traced back to their home postal address, real email address, and real telephone number.

        Further, with a key-based mechanism, a list of legitimate IP numbers for the domain could also be sent along with the message, signed with the private key. This would give the (modest) added benefit of Sender-ID without the (potentially devastating) use of DNS to do it.

        Just my $0.03 (price adjusted due to inflation).

    • by thisissilly ( 676875 ) on Wednesday October 27, 2004 @12:25PM (#10644050)
      Using US Postal Service as our default mail system has got to go...

      USPS is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with USPS, sender spoofing has been done by spammers and phishers for years.

      We need to retire this standard and find a better way to move mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.
    • Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the designated victim, and can smear their reputation into being anything from a spammer to a pornographer.

      On that note, all of the technical people already know this so the smear campaign will not work against them. I can not even make a guess about the percentage of "plain folks" that might be fooled but probably not as many as you think. I'm sure every person in the world with an email account has
    • I'm afraid I have to call bullshit here.

      No one can forge child porn spam from me, because they don't have my GPG key.

      Your better way to move email can be described as, "delete all non-signed and verified email".
      • Umm, anyone can send child porn spam from your email address, to the 99.99% of the people on the Internet who have never heard of you, don't know you sign all of your messages, and wouldn't even care to have your public key if they knew about it. They probably can't ruin your reputation with anyone crypto-savvy who you regularly email, but so what?
    • Except anyone can look at the header information of the E-mail and see what ip address it came from. And whoever owns that address is the one responsible for the content of the message (Although in most cases it's probably an open proxy or a hacked computer so then it's a debate as to how responsible they are)

  • by Enigma_Man ( 756516 ) on Wednesday October 27, 2004 @12:10PM (#10643806) Homepage
    I thought they were supposed to prevent stuff like this... or is it a matter of "once the crime's been committed, the damage is done permanently" so the law can't possibly compensate enough for the loss? Also, does it being probably international screw up the judicial process?

    -Jesse
    • Comment removed based on user account deletion
    • For society to work, with freedom must come responsibility. As long as you can effectively send anonymous information via the Internet, there is no way to hold someone responsible for this sort of action. Even if the laws are there, without any effective way to enforce them, what does it matter?

    • Welcome to the world of international law enforcement on crimes committed over the Internet.

      Perps: in Russia
      Victims: UK and US

      Victim contacts Scotland Yard or the FBI. If they have time, they'll investigate and figure out the perp is quite likely in Russia, but they can't be sure, because they used an anonymous proxy in South Korea. It's now about 3 months after the incident.

      They contact the South Korean network with the open proxy. They answer after a month or two saying they didn't keep logs. Pass go,
  • by Scrameustache ( 459504 ) on Wednesday October 27, 2004 @12:11PM (#10643830) Homepage Journal
    It should, however, get the attention of the authorities much more readily though.
    These guys admit to having illegal photographic material in their possession and are attempting to use it to make a buck. Catching these would be much better publicity for the enterprising coppers than some two-bit hackers.
    • by poptones ( 653660 )
      since they're probably in some flea bit FSU state. and given what many (if not most) in the US call "pornography" (when it comes to children) it wouldn't be hard at all to fill that promise by sending out a few pictures of the local kids playing on the beach.

      You seem to have forgotten that the internet doesn't end at the coasts?

      This isn't about framing them legally - it's about smearing their reputation further. Any competent website op is going to have logs, and their tiering partners are going to have l
      • It would be almost trivial to prove to the FBI the "bad stuff" didn't come from them, but it would likely be a fair sight harder getting the luser recipients of said material to believe it.

        Unless there is a very public investigation of a child pornography ring using legitimate businesses' name to distribute. Have the cops and the company's PR rep on the news saying how horrible these people are...etc.
  • What, this extortionist thinks that people will honestly believe that a legitimate organization is now sending child porn? I think not. Let him send out all this child porn, thus not only proving that he has it, but also that he's willing to commit extortion and probably a number of other crimes. Good luck to him...
    • That's the thing though. The same idiots who buy from spammers or open attachments titled "10_YEAR_OLD_SEX.jpg" will be the same to report the email to whatever authority in their country deals with this crap. It sucks, but it's an effective way to bring unwanted headlines like "Company XYZ under investigation for child porn mailing".
    • Like Lyndon Johnson said, it doesn't have to be true; it's enough to make the poor bastard deny it.
    • What, someone thinks that people will honestly believe that Hotmail wants them to forward an email to 20 people or their account will be closed down.

      People will believe anything that they read on the internet - the fact that everyone is still falling for phishing scams and getting rooted via email trojans should be proof enough of that fact.
  • blackEmail (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Wednesday October 27, 2004 @12:14PM (#10643876) Homepage Journal
    Blackmailers like this provide the test cases that clean up Internet law by building case history. A judge's decision showing the blackmailer is liable protects other victims later, diluting the force of unfounded accusations with trivially contrived evidence.
  • heh (Score:5, Interesting)

    by JeanBaptiste ( 537955 ) on Wednesday October 27, 2004 @12:14PM (#10643879)
    sounds just like an idea i had for a virus about 5 years ago. (no, I didn't write it).

    The virus would load a couple of nastypics onto the victims machine, then send out an email to the FBI. The first virus that would get you arrested.

    It was just an idea, I have never written a virus that has been let loose into the wild...
  • by lukewarmfusion ( 726141 ) on Wednesday October 27, 2004 @12:15PM (#10643884) Homepage Journal
    People have been forging the From field for a long time, with varying reasons and consequences. In my university, a student sent a message to several thousand people pretending to be the head of the Student Affairs office. It was a very convincing text, but the user's AFS ID (not to mention his IP and room's port) were easily traced with the headers. He was picked up pretty quick.

    It might be bad publicity for the company, but it almost certainly will have no legal ramifications for them.

    Which brings me to the next question - is there an agency, organization, department, etc. that receives and processes these kinds of threats? If my company got something like this, to whom would I report it? And what would be done?

    If there's nobody out there handling these, I suggest a bounty hunter system. The kind with bows and arrows.
  • It's not all bad (Score:4, Interesting)

    by ObsessiveMathsFreak ( 773371 ) <obsessivemathsfreakNO@SPAMeircom.net> on Wednesday October 27, 2004 @12:15PM (#10643887) Homepage Journal
    The only major effect of this will be the mass blacklisting of emails from online gambling sites.

    How will that be a bad thing?
  • by www.sorehands.com ( 142825 ) on Wednesday October 27, 2004 @12:16PM (#10643903) Homepage
    People have told me that saying that spammers are one step above pedophiles is an exaggeration. This type of extortion shows that my statements are true. This shows that spammers are involved with child pornography.
  • ...to clear your cache. Just what I need is some cached email shit from some spammer on my machine when the FBI comes to take back all of my Mp3's! Hahaha FBI, they are all legal from iTunes! (and then converted to Mp3 of course)
  • I mean honestly... if you got an email with child porn, and it was from info@partypoker.com, is your first response going to be "Oh my gosh! What an awful company!!" Please... how stupid do you think people are? Well on second thought...
    • Where you laugh, I cry.
      Our director of IT got a virus on her laptop and started spreading it around the company. When I got one of the emails, I looked at the header, found the originating IP address and tracked it back to her machine. She proclaimed "It didn't come from me, it came from finance first."
  • by Juvenall ( 793526 ) on Wednesday October 27, 2004 @12:19PM (#10643963) Homepage
    ..really, I'm shocked. The company I worked for a few months back on a contract basis was getting threats like "If you don't ____________ we'll spam in your name/send people false rates for your service/send a virus from your accounts/send magic pixies to rearrange in your sock drawer". This really seems like the natural progression of things, as sad as that sounds. You can really only hope for one of two options. Either inform the media and hope if and when it goes down, enough people are "in the know" that you can avoid any backlash or keep your fingers crossed that one of the proposed email verification ideas takes off.
  • this reminds me... (Score:3, Interesting)

    by to be a troll ( 807210 ) on Wednesday October 27, 2004 @12:20PM (#10643969)
    ...of something i was thinking about the other day after a couple weeks of hunting spyware on my PC. what if someone comes along and designs some spyware that actually functions quietly (without the random popup windows and other tell-tale signs of infection). And they are able to open a port and upload any sort of incriminating evidence they would like into your own home... what is there to stop this sort of thing from happening? remember the /. article about north korea waging a cyber war on americans? ITS ONLY A MATTER OF TIME
    • what if someone comes along and designs some spyware that actually functions quietly (without the random popup windows and other tell-tale signs of infection). And they are able to open a port and upload any sort of incriminating evidence they would like into your own home.

      It's called a Trojan. And that has been used successfully as a defense in court cases. Yes, someone actually claimed they were trojaned and that's why the evidence was on their machine and was found not guilty. If they were actually gu
  • Interesting... (Score:4, Informative)

    by Saint Aardvark ( 159009 ) * on Wednesday October 27, 2004 @12:20PM (#10643980) Homepage Journal
    Compare and contrast with this editorial [guardian.co.uk] from The Guardian, which suggests a SETI@Home-like client to DDOS sites that host child porn.

    OT discussion follows: My first reaction was, what a stupid idea -- all it takes is one faked entry on the list to turn it into a great weapon against whoever you hate today. Then I remembered Artists Against 419 [aa419.com] and its many clones. Funny how I'm willing to trust one but not the other...

  • I predict that cops everywhere, including the extortionist's home countries, will be willing to cooperate (for once) to fix their wagons.

    The article says the message was signed 'Bohan Krascevic'. Most of the old Eastern Bloc countries are really protective of their kiddies. Bohan better hope he gets extradited fast, if they catch him.

    Getting your local cops angry is a really bad idea, and this sounds like a really bad idea. I don't think it'll catch on.

  • Will one brave company open Soldier Of Fortune and hire a mercenary already?

    A few spammers in an open field killed execution style will rein in this stuff faster than any legislation.

    There. Problem solved. You'd be surprised just how many problems violence CAN solve.

  • I swear... (Score:4, Funny)

    by indros13 ( 531405 ) * on Wednesday October 27, 2004 @12:23PM (#10644030) Homepage Journal
    that sort of thing ain't my bag, baby.

  • nothing new. (Score:4, Interesting)

    by Lumpy ( 12016 ) on Wednesday October 27, 2004 @12:24PM (#10644031) Homepage
    Mothers angry at their soon to be Ex-husbands use the "child porn or Molestation" card all the time to try and ensure that the father can not get custody or even visitation. This is usually used as a way for her to "punish" him for what he may have done and is typically found in divorce cases where the husband was fooling around.

    People have been using the boogymen like that for decades... Even when proven innocent it will haunt the accused for their life.

    It's too easy to accuse without proof and be sure it will cause huge damage.
    • Re:nothing new. (Score:3, Informative)

      by ahfoo ( 223186 )
      Well you also touch on the very real issue which is completely obfuscated in the fear mongering over child pornography which is the fact, and this is a very well documented fact, that the vast, vast majority of child molestation cases take place within the family and have absolutely nothing to do with this mythical image of the child predator.
      Sure, you can document the sick twisted case of the totally whacked out career child killer freak all you like, but those are the extreme exceptions to the rul
  • I could be wrong about this, but my guess is that the whole child pron thing is just a bluff. The extortionist already has enough zombie machines to do a DDoS attack, so there's no need to risk a more severe prosecution if caught when a lesser means will do the same job. The additional threat is likely just a kick in the seat of the pants of the target, to make sure the extortionist has their attention.

  • Joe Jobs. (Score:5, Interesting)

    by SeanDuggan ( 732224 ) on Wednesday October 27, 2004 @12:24PM (#10644049) Homepage Journal
    Sounds like a fairly standard Joe Job [snopes.com] such as has happened with DarkProfits [snopes.com]. Only difference being here, they're actually extorting on the threat rather than simply trying to damage someone's reputation. Thing is, this could be very damaging. When it comes to child pornography, people tend to get very irrational and seldom check for any form of proof or second opinion. It's kind of like being accused of being a child molester IRL. Even once you prove your innocence, no one will quite look at you the same again and some people will never truly believe your innocence. Heck, the more squeaky-clean of life you lead, the more guilty you may seem to them. After all, you must have something to hide.
  • but if a company, and granted i don't gamble so i don't know what their typical mailings are like, that i do business with sends me an e-mail with pornography in it my first thought is not going to be, "sick bastards! i'll never gamble there again!" it's going to be "one more victim, how sad." i think this type of thing gets blown out of proportion, which if i might add is what the spammers are really looking for (next to money). no i'm not proposing that if we ignore it the problem will go away, find the
  • Oh look (Score:3, Interesting)

    by Turn-X Alphonse ( 789240 ) on Wednesday October 27, 2004 @12:33PM (#10644169) Journal
    No officer I did not send that e-mail, it was spoofed.. I do not have any child porn no sir...

    Anyone seeing a problem here? If we start spoofing things like this it becomes much harder to prove person X did send e-mail Y..
  • SPF helps here (Score:4, Informative)

    by wayne ( 1579 ) <wayne@schlitt.net> on Wednesday October 27, 2004 @12:34PM (#10644193) Homepage Journal
    One of the things that publishing SPF records does is that it creates a public statement about which email servers are authorized by you to use your domain name and which aren't.

    This is somewhat like posting a "no trespassing" sign, and a chain link fence around your property. It doesn't prevent the people from cutting through the fence and getting hurt on your property, but it lets you show to the courts that you took reasonable steps to prevent it.

    This is also a good reason to check SPF records. If your company or ISP lets child porn email go through that the domain owner explicitly said should not be allowed, you may have to show why you aren't contributing to the libelling of the domain owner and why you didn't protect your employees/customers from preventable child porn.

    Yeah, at this instant, SPF is not enough of a standard to give you strong protection, but in 5-10 years, I think that will change.

  • This scumbag by e-mail thing has got to stop somehow. This has just gotten too far with child porn.

    This whole way of extracting money from people has just reached an unacceptable point here.

    There are many good techies in Slashdot, why not retaliate against those scumbags in an "open source retaliation scheme against scumbags". I am thinking of some sort of open source militia that would take down the systems from those criminals with the same kind of attacks (or more clever) that they do.

    AskSlashdot::How can I

  • by MillionthMonkey ( 240664 ) on Wednesday October 27, 2004 @12:41PM (#10644284)
    ... when you establish thought crimes.

    If times were different the threat might be to send Communist propaganda.
  • Risk vs Reward ? (Score:5, Interesting)

    by vhold ( 175219 ) on Wednesday October 27, 2004 @12:42PM (#10644291)
    The guy doing the extorting now has to actually have child porn and has to send it himself. The risk if he gets caught is -way- greater than if he were just coordinating simple DDOS attacks. He'll get all kinds of scrutiny from all kinds of groups that ordinarily wouldn't bother. If he's in some totally untouchable country, he's in the unique position that now if the locals find out they'll probably actually care.

    I think the extra risk this behavior exposes the perpetrator to will go a long way to self regulate this trend.
  • by DroopyStonx ( 683090 ) on Wednesday October 27, 2004 @12:46PM (#10644354)
    1. Don't give them money, if you do you're stupid.
    2. Let em do what they claim they're gonna do. It won't hurt your company.

    Anyone with a brain will be able to realize, "Hey, maybe it isn't them doing this nasty deed."

    Do you REALLY think if Best Buy spams some dog sex images that people would think, "Best Buy is sick! What are they doing?!" Nah.

    That's like getting those "Arnold Says 'Don't be a girlie man and vote for Bush'" spams and thinking Arnold actually approved it.

    C'mon... people know better. Extortion is outdated.
  • I see so many ppl here willing to give up anonymity and the ensuing free speech, to stop such harassments.

    But this is no different than Gun Rights. Many in the USA want to stop gun sales. But that will not stop criminals from obtaining and using guns. That has been shown in numerous cultures over the years.

    What I find sad about this, is that many of the same ppl who fight for the right to own guns (and even unregistered) are the same ones that would remove our rights to be anonymous.

    Instead of saying to

  • Crypto doesn't solve everything... but in this case its capability to create messages which can or cannot be repudiated would solve this flat. This is something that has been missing from our email systems for ages -- and until we can get something reliable in place by which a user can absolutely know that the sender is authentic, we'll continue to suffer from SPAM, scams, forgeries, and these attempts at extortion.

    Never a better time for email encryption.

  • by eno2001 ( 527078 ) on Wednesday October 27, 2004 @01:06PM (#10644609) Homepage Journal
    ...this is ever going to change. Someone will need to create a new protocol for sending mail that will provide the anti-spam features, but more importantly will provide some new, very desirable feature(s) that people will desperately want. This is the only way to get lazy asses to move to a new protocol. The problem lies in who that someone turns out to be. If Microsoft comes up with some whiz-bang new protocol for sending mail that does what I mentioned above, then all the folks who are Microsoft shops will move in that direction and the openness of the internet will have dissipated that much more. If Sun, or Novell do it (assuming they could manage to get an original idea out of their R&D at all. ;P ) the adoption of this new protocol would be slow. If the IETF come up with something, then we'll get the usual people joining in later in this order: *nix vendors first, ISPs with proprietary setups next, and finally Microsoft after their initial attempts at mimicking the IETF but in a backwards way fail. It happened with HTTP that way...

    So the real question isn't, "how do we stop spam by getting rid of SMTP" but it's, "what can a new protocol do that will up the ante in functionality so that everyone and his brother just HAS to have it"? Personally, I have a completely different solution that I've been using with friends and family using freely available open source tools. Think about your phone numbers (work, home, cell) and you'll get the idea... (Come on folks! I can't feed you everything ;P )
  • by Anonymous Coward on Wednesday October 27, 2004 @01:09PM (#10644636)

    Could we come up with a more motivated group of people, than gamblers? How about people who are often smart, with good memories? How about people with time and money on their hands? How about people, who are social, many of them, to some degree? How about their being *everywhere*?

    How about their not wanting to have their "vice" (gambling) even remotely connected to child pornography?

    Post a reward to catch the extortionist. Include benefits a high roller would love to get a chance at, say, travel, being able to access certain games or more access to them.

    Catching the extortionist, could make everyone involved, at the very least, a very happy gambler and very possibly a local hero with international renown. Worse for the extortionist, I'm sure there are local bookies and mafia sorts which would act, help, simply to keep their reputations from being mired with child pornography in the media.

    This doesn't even include all of the various policing agencies which are now going to cooperate to get the extortionist because they have reasonable grounds to suspect child abuse.

    If the extortionist keeps it up, they'll be caught & I can't imagine their making any money because really, what company wants to be seen as funding a child abuser?

  • by gmuslera ( 3436 ) on Wednesday October 27, 2004 @01:45PM (#10645096) Homepage Journal
    Some time ago (when terrorist attack/paranoia/etc was on rise) my explanation to people for trying to be secure when online, and try to avoid virus, open shares, being hacked, etc, or just what kind of damage could do to him an enemy, is that is not just bandwidth that could be consumed, but in their computers/servers could be put a child pornography site, a fake al-qaeda site or a credit card sharing site, something that almost ensures that will have severe legal problems.

    Now, threatening with sending child porn with their email is not very serious. A lot of spam was sent with my email address (some spammers send spam with real email addresses instead of totally fake ones to try to have more luck, and being hit with that a few times), but checking mail headers normally clean a bit what really happened (why i would travel to mexico just to send spam? :).

    Of course, if the mail server of this people is an open relay or is hacked, and is used to send child pornography, spam, 419 scams, Al-Qaeda advertisement or any kind of law-breaking stuff, well, there mail headers will not help a lot, and they will have a bit of responsibility on that.
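The header check mentioned in the comment above, as an added example that is not part of the original post: it walks the `Received:` chain of a message and marks which hops were stamped by the recipient's own servers, since every line below that boundary was supplied by the sender and can be forged. The message, host names and addresses are constructed, and `trace_hops` and `handoff_ip` are hypothetical names.

```python
import email
import re

# Constructed sample: forged From: and a lower Received line the recipient cannot verify.
RAW_MESSAGE = """\
Received: from mail.relay.example (unknown [203.0.113.50])
\tby mx.recipient.example with ESMTP id ABC123;
\tWed, 27 Oct 2004 12:00:05 +0000
Received: from mail.victim.example ([192.0.2.10])
\tby mail.relay.example with SMTP; Wed, 27 Oct 2004 12:00:01 +0000
From: offers@victim.example
To: user@recipient.example
Subject: constructed sample

body
"""

# "from <helo> (<rdns> [<ip>]) by <host>" as written by common MTAs.
HOP = re.compile(r"from\s+(\S+)\s+\([^\[\)]*\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)")


def trace_hops(raw, trusted_hosts):
    """Return hops newest-first; 'verified' is True only while every header
    so far was written by one of the recipient's own servers."""
    msg = email.message_from_string(raw)
    hops, inside = [], True
    for value in msg.get_all("Received", []):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            inside = False                        # unparsable line ends the trusted run
            hops.append({"helo": None, "ip": None, "by": None, "verified": False})
            continue
        helo, ip, by = m.groups()
        inside = inside and by.lower() in trusted_hosts
        hops.append({"helo": helo, "ip": ip, "by": by, "verified": inside})
    return hops


def handoff_ip(raw, trusted_hosts):
    """IP that connected to the recipient's infrastructure: the last verified hop."""
    verified = [h for h in trace_hops(raw, trusted_hosts) if h["verified"]]
    return verified[-1]["ip"] if verified else None


if __name__ == "__main__":
    for hop in trace_hops(RAW_MESSAGE, {"mx.recipient.example"}):
        print(hop)
```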

  • by johntromp ( 565732 ) on Wednesday October 27, 2004 @03:32PM (#10646490)
    Of course a smart company will realize that giving in to blackmail will do nothing except encourage more blackmailing, to the detriment of the whole industry. But in order for all companies to take this stance, it should be made an offense to pay off blackmailers, subject to heavy fines. That makes it much easier for a company to reply to scammers "i'm sorry, we'd love to pay you for your lack of services, but uncle sam won't let us." Such a law would be much more effective than a similar one for kidnappings and ransom, as it becomes more of a pure business decision rather than a moral and emotional dilemma.
