Slashdot Mirror
Child Porn Accusation As Online Extortion Tactic
Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.
OT discussion follows: My first reaction was, what a stupid idea -- all it takes is one faked entry on the list to turn it into a great weapon against whoever you hate today. Then I remembered Artists Against 419 and its many clones. Funny how I'm willing to trust one but not the other...
Carousel is a lie!
There's nothing wrong with SMTP... The problem lies with the lack of consensus on authentication, authorization and reputation systems for electronic mail.
For example, using a combination of SPF and SMTP/AUTH you can easily prevent anyone who uses SPF from accepting invalid mail "from" your domain(s) while continuing to use the world's most pervasive mail transfer protocol.
Problem is that people aren't willing to apply the time and effort required to do this globally.
The next step is reputation, and as soon as you can be sure that the person claiming to be joe@example.com is in fact from example.com, you can begin assigning example.com a reputation. You'll see dozens of distributed reputation databases, just like IP-based blacklists, overnight.
Want to move the process along? Add an SPF record for your domain and add an SPF milter (or equivalent for your MTA technology) to your mail server. The sooner forgeries stop, the sooner we can start building reputation and end this.
This is somewhat like posting a "no trespassing" sign, and a chain link fence around your property. It doesn't prevent the people from cutting through the fence and getting hurt on your property, but it lets you show to the courts that you took reasonable steps to prevent it.
This is also a good reason to check SPF records. If your company or ISP lets child porn email go through that the domain owner explicitly said should not be allowed, you may have to show why you aren't contributing to the libelling of the domain owner and why you didn't protect your employees/customers from preventable child porn.
Yeah, at this instant, SPF is not enough of a standard to give you strong protection, but in 5-10 years, I think that will change.
SPF support for most open source mail servers can be found at libspf2.
It involves posession of a material which, to be produced, requires that a crime be committed which is frequently harmful to the children involved, and therefore implicitly condones the fact that that crime took place.
Yeah that would be a reasonable definition. You'd think the law ended there. There was a case in 2001 where a law (the Child Pornography Prevention Act of 1996) banning "virtual child porn"- i.e. cartoons- was struck down by the Supreme Court in a 6-3 decision on First Amendment grounds. That went close to defining a thought crime. The Child Obscenity and Pornography Prevention Act of 2002 amended the law by adding the words "virtually indistinguishable from" to the statute- creating an exemption for obvious things like cartoons- but still covers "generated images" and "computer generated images" if they're "virtually indistinguishable from" real child porn with real children. That one passed the House but was never considered in the Senate. The Child Obscenity and Pornography Prevention Act of 2003 was included as an amendment to the PROTECT Act (outlawing digitally morphed images, where you paste the kid's head on a naked body). That one doesn't care about whether it's real or fake. It simply outlaws any solicitation to buy or sell child porn advertised as such. See here for details.
It's a lot like flag burning- where constitutional amendments often sit squarely in the way of a desire to be seen as "doing something".