Child Porn Accusation As Online Extortion Tactic

Glenn writes "There's a story on silicon.com about a new twist in the tactics used by online extortionists trying to blackmail ecommerce sites with denial of service attacks. Yesterday one blackmailer threatened to send out child pornography emails in UK gambling site Blue Square's name if it didn't pay up 7000 Euros." This sounds even worse than simple DoS threats.

It's all SMTP's fault!

[LostCluster]

Using SMTP as our default e-mail system has got to go...

SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with SMTP, sender spoofing has been done by spammers and phishers for years.

We need to retire this standard and find a better way to move e-mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

Re:It's all SMTP's fault!

[DaHat]

I'm all for the retirement of SMTP... but don't you think it would be wise to have a well known, well supported and well used standard already in place before throwing out SMTP? Such a plan would go something like...

Phase 1: Retire SMTP
Phase 2: Panic
Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

Personally, I fear Phase 2!

Re:It's all SMTP's fault!

[terraformer]

Actually, this could be done with the world's postal systems as well... Although it would cost more. The problem is not with SMTP itself, but people reliance on it for authentication, which it was never designed for. What needs to happen is the widespread adoption and use of technology like SMIME. A technology that was designed to be used for authentication.

Re:It's all SMTP's fault!

[YetAnotherName]

Mod parent up, certainly. But bear in mind also that SMTP was born in an environment that never foresaw such threats. DNS, TCP, UDP, and IP were also started in such an environment, and are also buckling under the abuses (address spoofing, SYN floods, etc.)

When do we have to replace the entire Internet? Or is IPv6 sufficiently robust?

Re:It's all SMTP's fault!

[isorox]

Digital signing would solve that problem, but of course it's the chicken and egg.

Re:It's all SMTP's fault!

[Albanach]

SMTP is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

But we have technology that works almost perfectly with existing SMTP servers that combats this very threat. SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

Why should we change every MUA & MTA, almost certainly handing control of email to big business in the process, when we hold a solution in our hands. If your ISP doesn't support SPF, point them to this and suggest they adopt it. If you don't publish SPF records, set some up. If you get a virus warning from another company where your email address was forged, email them and suggest they start SPF checking. There are alwyas going to be threats to internet protocols - this threat is one we can already deal with.

Re:It's all SMTP's fault!

[Kenja]

So a communications protocol made people collect child pornography to be used as an extortion tool? And how is removing anonymity and privacy from the Internet a good thing? I for one LIKE that I can send an email without the receiver getting my home address.

Re:It's all SMTP's fault!

[gl4ss]

it wouldn't really solve anything.

because basically the threat is that their name would get associated with child pornography.

you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

Re:It's all SMTP's fault!

[hitmark]

supposedly this is what sender id is supposed to fix but then the servers must allow for people hooked up by outside isps to hook up and send mail via the account connected to that isp. why? i more and more often get questions from people that have used a subscription-free isp to hook up via dialup but have now moved on to a isp that supply dsl or similar. then when they try to send a mail they get a error as the ip they are on are outside of the old isps range. usualy all it takes to fix the problem is to change the smtp to the one the new isp have set up. but if sender id comes online then this will no longer work. and email addresses have become connected to people just like cellphone numbers have in peoples minds...

Re:It's all SMTP's fault!

[terraformer]

And on a related topic, these sended id schemes bolted onto SMTP or attached in one way or another are horrible for people, such as myself, who have one or more user@alumni.almamata.edu addresses. I have two and both sender id schemes require the domain holder to bless the sending mail server to be considered not spam. That means people who send email through their ISP mail server (because the ISP shuts down 25) would be SOL and have to resort to using REPLY TO: headers again. There are good reasons for spoofing of the sender. It's an email system, not an authentication mechanism.

Re:It's all SMTP's fault!

[ajs]

There's nothing wrong with SMTP... The problem lies with the lack of consensus on authentication, authorization and reputation systems for electronic mail.

For example, using a combination of SPF and SMTP/AUTH you can easily prevent anyone who uses SPF from accepting invalid mail "from" your domain(s) while continuing to use the world's most pervasive mail transfer protocol.

Problem is that people aren't willing to apply the time and effort required to do this globally.

The next step is reputation, and as soon as you can be sure that the person claiming to be joe@example.com is in fact from example.com, you can begin assigning example.com a reputation. You'll see dozens of distributed reputation databases, just like IP-based blacklists, overnight.

Want to move the process along? Add an SPF record for your domain and add an SPF milter (or equivalent for your MTA technology) to your mail server. The sooner forgeries stop, the sooner we can start building reputation and end this.

Re:It's all SMTP's fault!

[miscGeek]

You're missing part of Phase 3.

Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit) (with possibly as bad or worse holes).

Re:It's all SMTP's fault!

[Zangief]

Phase 1: Retire SMTP
Phase 2: Panic
Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

Personally, I fear Phase 2!

But...your fear is developing according to your plan...so it is good, isn't it?

Re:It's all SMTP's fault!

This actually happened to my company a few months ago. They said that they would send out just pornographic material in my company's name. I asked to get on the list, but I got no reply. I just let the lawyer handle reporting it to authorities.

Seriously, who is going to fall for such ridiculous scams. Is someone really going to believe that a game company is going to email porn? Idiots.

Re:It's all SMTP's fault!

[DaHat]

Fear != Panic

I fear the panic that would be caused by SMTP being retired one day without a working replacement in place and a seamless transition between the two.

So long as we don't try to throw out SMTP all together... the panic can be avoided.

Re:It's all SMTP's fault!

[suso]

Really, there should never be panic before development. That is when bad implementations happen. Look at the panic that led to the Patriot Act.

Re:It's all SMTP's fault!

[nolife]

Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

On that note, all of the technical people already know this so the smear campaign will not work against them. I can not even make a guess about the percentage of "plain folks" that might be fooled but probably not as many as you think. I'm sure every person in the world with an email account has got and noticed email with a fake from field considering the amount of spam and worm artifacts flying around. Child porn is a different level when compared to a scam email, a virus, a security breach, a click me from your friend, m0Rtg4Ge L000an, or a phishing attempt. Child porn would stand out as something a business obviuosly would not send. I do not believe the impact would be that great, maybe some sour feelings by the business owners and employees but not much bottom line impact. Maybe I am wrong..

Re:It's all SMTP's fault!

[Have+Blue]

You just mentioned part of the reason this doesn't happen in your own argument: "SPF, Sender ID et al". If there was ONE plan with the backing of the entire Internet community and every service provider on it, the migration could get under way.

Re:It's all SMTP's fault!

[Dirk+Pitt]

Why not a caller-ID type model? - you can attach your authenticated mail address, or choose to be completely anonymous. As the receiver, I can choose to block all anonymous mail.

I don't think it's a basic right for anyone to *force* their communication on someone else without the sender revealing who they are. As long as the receiver has the ability to regulate anonymous data, you can maintain the sender's right to anonymity, as well as the receiver's need to protect him/herself.

Re:It's all SMTP's fault!

[sce2aux]

Why fear the "panic" of cessation of email traffic? It's so close to useless now that important communication happens other ways, and major (expensive) change requires a major spur.

Re:It's all SMTP's fault!

[cortana]

I'm afraid I have to call bullshit here.

No one can forge child porn spam from me, because they don't have my GPG key.

Your better way to move email can be described as, "delete all non-signed and verified email".

Re:It's all SMTP's fault!

[dgatwood]

SenderID isn't an acceptable solution. It relies on DNS, which is a fundamentally broken authentication mechanism. Remember a few years ago when all the rage was to require reverse DNS to be reasonable for SMTP requests? Remember why people stopped doing that? It wasn't because it didn't work. It was because:

1. Lots of sites never got their RDNS entries right.
2. DNS is unreliable.
3. DNS resolution is usually not parallelizable.

The result is that the spam we have now could be a denial of service attack in two ways:

1. By overloading DNS servers of small companies.
2. By using bogus domain names that cause 30 second stalls in your inbound traffic.

It also fails to solve the phishing problem by providing no real, legitimate means to track the email back to an actual person, as it is trivial to register a domain like ebay-secure.com....

To make a long story short, mechanisms like Sender-ID are impractical and aren't even a stop-gap solution because they don't solve the -real- problem, which is determining the source of a message. Instead, they solve an irrelevant side problem, that of being able to send a message with a faked source domain. That would have solved the spam problem five years ago (when this was the usual means for sending this stuff). Now, it's too little, too late.

We need a mechanism based on verifiable key signing with the public keys transferred as an attachment to the message itself. With such a mechanism, you'd be able to track your way back through a chain of a handful of certifying keys until you get back to the certifying agency key. At that point, you have a verifiable audit trail for determining who sent the email message, and spammers will be effectively shut out unless they're willing to send messages that can be traced back to their home postal address, real email address, and real telephone number.

Further, with a key-based mechanism, a list of legitimate IP numbers for the domain could also be sent along with the message, signed with the private key. This would give the (modest) added benefit of Sender-ID without the (potentially devastating) use of DNS to do it.

Just my $0.03 (price adjusted due to inflation).

Re:It's all SMTP's fault!

[Kenja]

"Why not a caller-ID type model? - you can attach your authenticated mail address, or choose to be completely anonymous. As the receiver, I can choose to block all anonymous mail."

Sure, no problem with that at all. If my buisness is important to you you'll take in all incomming mail. If not then I guess you dont need my money and I dont need your goods or services.

Re:It's all SMTP's fault!

[crownrai]

SMTP also contains post marks. Take a look at the Message-ID: and Received: tags in the header of your emails.

Re:It's all SMTP's fault!

[timster]

Of course, the systems currently being discussed do NOT require the domain administrator to "bless" a mail server; rather, they ALLOW a domain administrator to create restrictions.

If I'm Citigroup, I'd sure like to be able to place restrictions on mail coming from citigroup.com, because otherwise people might think a falsified communication is actually from their bank -- bad news. If I'm the owner of "alumni.almamata.edu" I probably don't care.

Spam has zero, zilch, zip to do with any of this since a spammer can easily own a DNS record. The only goal of systems like SPF is to prevent fraud. Sometimes spammers commit fraud but SPF does nothing to address those who do not.

Re:It's all SMTP's fault!

[iabervon]

You're wrong about SPF. It doesn't do anything with the RFC822 "From:" header. It verifies the SMTP "RCPT FROM" address, which appears (generally) as "Received: from " in the headers, and is not generally displayed. That is, it tells you about where you got the mail from, not who sent it. It's really more like a postmark than a sender, and lets you know that some guy with a red marker didn't draw some inaccurate postmark on the envelope.

For that matter, alumni.almamater.edu could check SPF records and let you relay outgoing mail through them as well, if it is authenticated as really coming from the address that your account forwards to. The only reason that forwarding services are asymmetrical this way is that there is no good way of having a relay which is not an open relay.

Re:It's all SMTP's fault!

[Megor1]

Except anyone can look at the header information of the E-mail and see what ip address it came from. And whover owns that address is the one responsible for the content of the message (Although in most cases its probably an open proxy or a hacked computer so then its a debate as to how responsible they are)

Re:It's all SMTP's fault!

[Zeriel]

I think random, short lived domain names would start clogging up the net then though for the purpose of sending spam for about 24 hours.

Speaking as a sometimes mail admin, THEY ALREADY HAVE. Seriously.

Re:It's all SMTP's fault!

[legirons]

Phase 1: Retire SMTP
Phase 2: Panic
Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

Phase 4: Learn to cope with all the spam on the new system
Phase 5: Wonder why you have to pay for every email
Phase 6: Develop, implement, and distribute something SMTP-like again, and start signing emails.

Re:It's all SMTP's fault!

[aldoman]

I agree. Slashdot is confused.

We expect everyone to be unable to make a simple choice that 'xyz company did NOT send this, because it's not usual for them to' but at the same time expect people to be able to setup PGP or some other insanely complex public/private key system (possibly the only real way to avoid this issue entirely).

Re:It's all SMTP's fault!

[garett_spencley]

you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

Scary thing about such threats is that even that doesn't work. I wonder how many people out there will never go see another "The Who" show as long as they live because of the Pete Townshend incident.

First it was "innocent until proven guilty", then it was "guilty until proven innocent" .. and now I'm inclined to believe that it's "just guilty because the public wants it to be that way".

If someone accuses you of being a pedofile it doesn't matter if you're guilty or not .. your life is over. And it doesn't matter what you say to defend yourself because you're a monster and a liar in the public's eye.

Re:It's all SMTP's fault!

[cortana]

But SPF and Sender-ID are different systems with different methods and goals. I'm sorry if you wanted a jack-of-all-trades, master-of-none solution served to you on a plate!

Re:It's all SMTP's fault!

[silverdr]

It's just pretty much the same like with regular (snail) mail. Isn't it? I can send anything in the name of someone else, so? Now as to the sender identification - there IS a solution for that. And it is known for a good time already. Digital signature is the magical word. This is significantly harder to fake than regular (ink) signature used for regular mail. No need for anything really special. No need for ditching SMTP. Just making good use of the well-known techniques is good enough. But this wouldn't give any extra gain/control/power/money to e.g. Microsoft. That's why they keep foaming about a true need for a new/revolutionary (patentable?) "technology", which would allow to identify the sender...

Re:It's all SMTP's fault!

[Dirk+Pitt]

you dont need my money and I dont need your goods

That's something I don't understand. I assume you're paying this person with a credit card, or a broker that's hooked up to (presumably) your credit card or checking account. The vendor is usually sending something to your corporal address - if you're trusting that to a vendor, and they're trusing your source of payment, what's the big deal with supplying your email address?

Re:It's all SMTP's fault!

[McDutchie]

Every time this topic comes up somebody posts the same tired old "SMTP is bad" blather and the mods keep modding it up. This is getting really tiresome.

It's perfectly possible to build authentication on top of SMTP without introducing needless compatibility problems. What's more, it already exists! All that's needed is for people to start using it.

Now if it takes this long for people to consider using authentication at all (and apparently even longer for the Slashdot mods to get a clue), what in the bleep are people thinking to suggest SMTP could realistically be replaced overnight?

Re:It's all SMTP's fault!

[Ryosen]

>>Of course, the systems currently being discussed do NOT require the domain administrator to "bless" a mail server

Isn't that usually the Rabbi's job?

Re:It's all SMTP's fault!

[Kenja]

I dont trust a vendor form the start, if I'm asking a pre-sales question you dont need to know who I am. Once I decide that I want whats being sold, things change.

Re:It's all SMTP's fault!

[jandrese]

I hate to tell you this, but nobody considers your livejournal rants "important communication". Email is still used for almost everything business related and that is not going to change any time soon.

Re:It's all SMTP's fault!

[cdrguru]

Why would you ever even ask a question from a vendor you don't trust?

See, that is the problem. If you don't trust the vendor, forget it - don't do business with them. Until we can assume that all vendors are trustworthy, we have a mess that looks like, ... well, it looks like the Internet does today.

Re:It's all SMTP's fault!

[rutledjw]

From fear comes pain, from pain comes anger, from anger comes suffering!

Or something like that

Re:It's all SMTP's fault!

[soft_guy]

The only thing there is to fear is ... panic itself!

Re:It's all SMTP's fault!

[jp10558]

Yeah, I mean - why has no one just integrated PGP or GunPG (like the Eudora Plugins) into many of the e-mail clients - and force signing of messages?

Then have ISP's sign the e-mail keys, and each ISP can get signed by some central authority (this ought to be able to be done like DNS is - so no charge to end users...) so if you are paranoid you can have a chain of trust.

I mean, it's in place - there are plugins for Eudora at the very least, these programs are OSS and FREE! What is the problem here?

Re:It's all SMTP's fault!

[Phil+Karn]

I wish I had a nickle for every person who's said this.

There's absolutely nothing wrong with SMTP. It's not end-to-end, so it's the wrong place to implement authentication anyway.

The right place to authenticate an email message is in the message itself. We already have two very good mechanisms that do this: PGP and S/MIME. They're even widely deployed; all we have to do is to get people to use them.

Re:It's all SMTP's fault!

The Patriot Act was hardly a panic development. They had much of it allready ready, they merely took advantage of the paniced public to get it passed.

Re:It's all SMTP's fault!

[AuMatar]

To try and determine if you can trust them?

As for assuming all vendors are trustworthy- lets try and do that in real life first. We can't trust all buisnesses on a give page of a phone book, much less the internet.

Re:It's all SMTP's fault!

[rainman_bc]

Okay, dumb question here, why can't we just stop allowing emails where the list of IP's for the domain aren't part of the email routing? I'm sure sysadmins can make that happen - where every SMTP server has the same domain as the email address that's sending out.

That way the sender is forced to send on their own domain's behalf.

Yeah, it's not perfect, and domain registration can get all screwy, but domain registration can be traced to a credit card.

Re:It's all SMTP's fault!

[AuMatar]

Reputation is a horribly flawed idea. It assumes that trust is transitive- if I trust A and A trusts B, I should trust B. Thats rarely true. Trust databases are an even worse idea- they set up small groups as gatekeepers to email. Piss off one or two admins of the db, and you're in trouble. Think it won't happen if its an open process? Think again- open process black hole lists have this problem all the time.

Re:It's all SMTP's fault!

[AuMatar]

You're half right. SPF isn't the answer. But neither is cryptology. The problem is that there IS no answer. Spam is not a technical problem- its a social one. The problem is that there's a subset of people who are willing to be assholes for money. The solution is to raise the cost of spam to levels where it isn't worth the risk. This means real world jail time and fines. This is the only way to curtail spam. Trying technical colutions is just a never ending game of "I got you last".

Re:It's all SMTP's fault!

[jp10558]

I think the reason PGP is difficult is because people think it is.

Now - for people using clients, at least a few have plugins for PGP/GnuPG than make this click and enter a password.

Webmail ought to be able to do the same (though this obvously would not be as secure, but for some reason it seems like 90% of the population can't deal with an e-mail client), and really - these people can enter a password - they had to to access the webmail in the first place!

Re:It's all SMTP's fault!

[triskaidekaphile]

Pehaps the Powers-That-Be do not want the unwashed masses to learn about encryption.

Or perhaps the People might learn how thin is their illusion of privacy.

Or perhaps -- just perhaps -- someone is afraid it would actually succeed! I wonder... who might that be?

Perhaps.

Re:It's all SMTP's fault!

[zogger]

--there is an easy way. Treat emails just like telephone numbers or street addresses. Don't recognize any emails that aren't connected to a verifiable human being. have them be registered exactly like domains, pay 10 or 20$ per email addy.

It's that, or put up with various schemes so that anyone can create as many email addys as they want to, which is what we have now. This is fish or cut bait time, we either like having access to unlimited email with as many names as we choose, or we do not. What we have now is cart before the horse action, though, and I'm not sure how many people want to give up anonymity and their ability to create as many email addys as they want to effortlessly on the net just to have verified email addresses.

I've read the various rube goldberg authentication schemes, none of them address the problem of tying a verifiable individual named human being to an individual email address in total. At best they would "verify" a still easy to be anonymous and thereby a gooberhead if you want to be "person" on the net. Even with domain registration the way it is now badguys can get them and still do bogus stuff and hide their identity. So even if all email addys were registered we would STILL have badguys getting them. Maybe not as many, but it would still be possible.

Now if there is some magical protocol that would allow you to be both anonymous but still identified, I'd like to see it, because you could write it up in physics journals, because in the past it was one or the other. If you mean some "authority" could identify you, then you have to deal with official corruption, which exists in every nation on the planet. Badguys would just buy off the appropriate person to do e-vile,to get into or around or through the new and improved "system", same as they do now with smuggling across borders for instance.

So, I don't see an easy answer to this, other than to just deal with things of this nature immediately and rationally, not make a huge deal out of it, if you get threatened with an extortion attempt, immediately make it as public as possible and turn the threat emails over to the authorities. Post the threats on your website so that any user could see that you are innocent, let them decide if a legit business would send them child porn or other malwares of any nature on purpose. If you hide the threat, then the badguy follows through, then you not only have to admit it happened, but play catch up and have a doubly hard time convincing your clientele that you are innocent.

Best bet to dry up slime is to expose it to sunlight.

Re:It's all SMTP's fault!

[syousef]

Phase 1: Retire SMTP
Phase 2: Panic
Phase 3: Develop, implement and distribute new e-mail sending system (maybe profit)

Phase 4: Realize that because you rushed the development the new standard is worse than SMTP and has more holes than 10kg of swiss cheese.

You definitely need a standard that can co-exist with SMTP for a long while, and a slow phased shutdown of SMTP. Ahhh how I've seen companies rush to replace one system with another, only to realize after spending a fortune that the new system is worse than the old. Lets do it on a global scale shall we? Just for fun?

Re:It's all SMTP's fault!

[dgatwood]

You are correct, to an extent. However, a technical solution (beyond Sender-ID/SPF/*) is required in order to make those social consequences possible. At present, it is impossible to definitively pin most spam on an actual live person. Proper use of crypto makes this possible.

You can raise the theoretical cost of spam to levels where it isn't worth the risk all you want to. Under California law, prior to CAN-SPAM, I had the right to sue the pants off of spammers. The problem was, I couldn't prove beyond a shadow of a doubt that it wasn't a frame job. Same thing for the child porn extortion that was the subject of this thread. Without an airtight mechanism for determining the actual source of an email message, there can be no accountability, and as such, threats of jail time and fines are just that---idle threats.

Re:It's all SMTP's fault!

[jcr]

domain registration can be traced to a credit card ...and nobody ever steals credit cards, right?

-jcr

Re:It's all SMTP's fault!

[geoffspear]

Umm, anyone can send child porn spam from your email address, to the 99.99% of the people on the Internet who have never heard of you, don't know you sign all of your messages, and wouldn't even care to have your public key if they knew about it. They probably can't ruin your reputation with anyone crypto-savvy who you regularly email, but so what?

Re:It's all SMTP's fault!

[Buran]

Where were blogs (specifically livejournal) mentioned here? (and businesses are starting to blog too, love it or hate it).

Re:It's all SMTP's fault!

[cortana]

My point is that there is no reason to waste lots of time and energy coming up with a new, 'secure' email system, when existing tools do the job perfectly well already.

Re:It's all SMTP's fault!

[myowntrueself]

I've even seen an ISP silently dropping any PGP signed or encrypted email.

In the case of the encrypted email, it wasn't even a mime attachment; just ASCII armored inline.

The ISP in question even tried to charge for 'fixing' it when we spotted what was happening, though at first they tried to totally deny it.

Re:It's all SMTP's fault!

[AuMatar]

No, you don't need technical solutions to trace the spam. Tracing the spam is useless, its too hard to do. Trace the MONEY. Buy one of the products, trace where the money goes. Arrest them. This is something law enforcement is trained for and good at. Tracing the sending computer is pointless, too may dodges they can put up.

Re:It's all SMTP's fault!

[PalmerEldritch42]

I dont trust a vendor form the start, if I'm asking a pre-sales question you dont need to know who I am.

So, you're argument- if I understand it correctly, is that you want the ability to send an anonymous email (without a return email address) so that you can ask a question? How, pray tell, would the recipient of this email supply you with an answer?

Re:It's all SMTP's fault!

[thogard]

Please research X.400 before you talk about trashing SMTP.

Also anything you replace sMTP with is going to have patent problems. The result is your going to have to pay per message and there isn't going to be any way around that.

Re:It's all SMTP's fault!

[Rocinante]

spammers will be effectively shut out unless they're willing to send messages that can be traced back to their home postal address, real email address, and real telephone number

I think you mean "willing to send messages that can be traced back to grandma's computer which got 0wned and is now a spammer's zombie".

Re:It's all SMTP's fault!

[crazyprogrammer]

Not everything gets a postmark. I work as a mail carrier and every day I see 5 or 10 letters that didn't get postmarked and canceled.

You only have about a 1 in 1000 chance of sending a letter and having it delivered without a postmark and a 0 in 1000 chance of having anything delivered without the stamp being canceled.

Re:It's all SMTP's fault!

[Psychotext]

Look for a show on the BBC called monkeydust. It has a character called the "pedofinder general" that aptly (and humorously) agrees with your viewpoint.

Re:It's all SMTP's fault!

[Tyreth]

If someone accuses you of being a pedofile it doesn't matter if you're guilty or not .. your life is over. And it doesn't matter what you say to defend yourself because you're a monster and a liar in the public's eye.

It's the same deal for someone who's accused of rape.

Re:It's all SMTP's fault!

[tftp]

IMO, PGP is difficult because of WOT (Web Of Trust). If you have just 10 people in the company, each has to generate his own key and to sign 9 other keys - in total it requires 100 signings. When another person gets the key, all 10 should sign his key... and so on. In a company with 10,000 employees WOT is not possible at all.

Of course, it is not necessary to have so many signatures on your key, but it all depends on who trusts who, and that you don't know. That's why it is valuable to collect signatures - you can't unfold the WOT for a given recipient and at a given time (past, present or future.)

PGP was designed as a grassroots tool which exists on its own and grows where needed. But businesses need some central authority who certifies that you are you and gives you the key. But then how much hassle (and money) that will take? Who will be managing these keys for 10,000 employees if many companies (MS) fail to even renew their domains once a year? That is one serious expense, with no apparent business gain.

So basically PGP is difficult because it requires more effort on part of the user than the user is willing to contribute. It is possible to force PGP on users, but some users will be very unhappy.

Re:It's all SMTP's fault!

[mikechant]

So you advertise your *competitor's* products in spam emails. They get arrested, jailed, fined, put out of business, and you...profit!

Re:It's all SMTP's fault!

[jp10558]

Well, people want authentication for mail, but don't want to work for it. TANSTAAFL. No one is going to do all the work for you. Personally, I trust the big companies/CA's less than most regular people.

I'm also not willing to pay for each e-mail, or pay for e-mail, and based on the number of people using Hotmail or GMail, I think most people will not pay for it.

So how is this central authority going to make money? Or at least afford to assure people that you are who you claim to be?

I honestly think that PGP is the best we've got for the forseeable future, the rest is vaporware as far as I can see in terms of ANYONE actually using it. And all these schemes are only as good as someone using them.

Re:It's all SMTP's fault!

[gl4ss]

... central authority.

dude, if there was one for email all this crap could be easily fixed.

if there was a central authority with on/off button it would be easy to switch to a new system.

Re:It's all SMTP's fault!

[ajs]

SenderID isn't an acceptable solution

SenderID isn't at issue here, so please drop it. I was discussing SPF. SenderID is an SPF/CallerID hybrid which was DOA.

It relies on DNS, which is a fundamentally broken authentication mechanism

Works for me and tens of thousands of others.

Lots of sites never got their RDNS entries right.

That's fine. They'll learn as more an more of their mail gets rejected. Sites that have no reverse mapping at all are already being rejected in droves anyway. Oh, and SPF doesn't require that your RDNS mapping is correct (though most implementations do check that it exists). It only requires that the domain that you claim to be coming from the envelope is one that lists your host as an authorized sender.

DNS is unreliable.

DNS is unreliable?! Where do you get this kind of thing? DNS Is one of the most reliable distributed databases (arguably THE MOST reliable distributed database) in the world. Are you refering to the fact that DNS is done over UDP? If so, you should know that the redundancy in the domain resolution protocol provides at least as many guarantees as TCP. That is, your answer will be the same regardless of duplication of packets, and packet loss will be detected and dealt with appropriately. DNS is quite reliable, though its guarantees do not include your question ever being answered, neither do the guarantees of ANY IP-based protocol. Obviously, they cannot.

DNS resolution is usually not parallelizable.

I do it all the time.

denial of service attack[...]By overloading DNS servers of small companies.

That's highly unlikely. There is a 1:1 ratio of outgoing requests via SMTP to SPF requests generated. Yes, you could use a network of zombies to issue those requests, but that network of zombies could just as easily send DNS requests directly to the small companies servers, causing the same problem. Dangerous denial of service conditions stem from many:1 relationships, and SPF has none that I'm aware of.

[...]By using bogus domain names that cause 30 second stalls in your inbound traffic.

I would far, far rather have incoming SMTP delayed 30 seconds waiting for a response (though I would probably trim that time anyway) then start recieving the message. I ALREADY do this, in fact, for reverse DNS and Spamhaus SBL/XBL checking, and it's not a problem.

Re:It's all SMTP's fault!

[isorox]

And of course the bitch that does the false accusation gets protection, while the bloke that has his life destryed has his name spread all over the papers.

Anonmity for both the man and the woman

Re:It's all SMTP's fault!

[crazyprogrammer]

The postmark is the circle thing that has the date and the city in which it was processed. when something is hand canceld(when it's too big for the machines), the postmark is put over the stamp(s) by a clerk. letters go through a machine that puts the postmark about 2 inches from the top right of the letter and from the postmark to the right side of the letter are the traditional wavy lines or sometimes Shrek and Donkey with the message "Greetings from far far away". The reason for the wavy lines is so that the postmark can be read easier and to cancel multiple stamps on one letter(ie a 34 and 3 cent stamp side by side might not be canceled by one postmark).

Same solution as always

Publicize that this is in fact a lie and the truth shall set you free.

In other words, once this scam is publicly known, it will be worthless for the scammers.

Re:Same solution as always

[93,000]

I disagree. Even though he was eventually cleared (but is still a dumbass), what comes to mind when you think of Pete Townshend? Sort of a different scenario, I know, but mud still sticks.

It's not so much about fear of actual jail/persacution as it is about fear of the shitstorm that arises in the time it inevitably takes for the truth to be found.

The charges were dropped against old Pete, but he still had his name mentioned in the same sentence as 'child porn' countless times in print and on the net.

Re:Same solution as always

[anon*127.0.0.1]

That might happen. I'd kind of hope that if the target contacted the authorities as soon as the recieved the threat, and cooperated with them completely, that the authorities would realize that the spam didn't originate from the victim without needing to shut them down and confiscate their computers for a few years.

On the other hand, doesn't trying this sort of thing make the blackmailer public enemy number one? DOS attacks are common and boring... I doubt the public knows much about them, and cares even less. Someone spams out a few thousand pieces of kiddie porn, on the other hand... there's going to be a lot of publicity, and a ton of respectable citizens screaming for someones head.

Re:Same solution as always

[anon*127.0.0.1]

So give them a better story. Granted, the company won't be able to disassociate themselves from the kiddie porn thing. So cooperate with the authorities, get a good PR person, and try to go from "the company that sent out all that kiddie porn" to "the company that helped the police catch that awful kiddie porn blackmailer person". Maybe if you point out to the media outlets that they could just as easily be targeted by the same scheme, they'll give you a positive spin on things.

That's really the only chance the company has. If they pay off the blackmailer, he'll be back again next week. Or someone else trying the same scam, who won't care that you're out of money because you paid it all to the last blackmailer.

Re:Same solution as always

[nanospook]

As I read your post, it occurred to me that with everyone knowing that the gambling firms are being blackmailed by hackers (Yes I know, not all hackers are evil, its just a tool), they will also wonder if their credit card information, transactions, personal data is secure. Just riding with the wave may be a bad idea from a financial credibility sense..

Whatever happened to "Laws" and "Rules"?

[Enigma_Man]

I thought they were supposed to prevent stuff like this... or is it a matter of "once the crime's been comitted, the damage is done permanently" so the law can't possibly compensate enough for the loss? Also, does it being probably international screw up the judicial process?

-Jesse

Re:Whatever happened to "Laws" and "Rules"?

[DrEldarion]

Wait... since when have laws always stopped people from doing things they shouldn't?

Re:Whatever happened to "Laws" and "Rules"?

[davesplace1]

If these people would spend half as much time thinking up ways to my a honest living as they do scams, they would be rich.

Re:Whatever happened to "Laws" and "Rules"?

[gorbachev]

Welcome to the world of international law enforcement on crimes committed over the Internet.

Perps: in Russia
Victims: UK and US

Victim contacts Scotland Yard or the FBI. If they have time, they'll investigate and figure out the perp is quite likely in Russia, but they can't be sure, because they used an anonymous proxy in South Korea. It's now about 3 months after the incident.

They contact the South Korean network with the open proxy. They answer after a month or two saying they didn't keep logs. Pass go, do not go to prison.

They then contact the Russian authorities. The Russians answer you have no proof this falls under Russian jurisdiction, and even if you did, you have failed to show how which Russian law was broken, and even if you did prove Russian law was broken, the punishment under Russian law is 5 months probation, and no, we will not extradite the criminal to the US or UK.

We're now at 5 - 6 months after the incident.

That's assuming it's not the Russian mafia, who really doesn't give a shit whether or not the Russian cops bust them for $7K extortion scam.

Re:Whatever happened to "Laws" and "Rules"?

[Tesral]

I thought they were supposed to prevent stuff like this... or is it a matter of "once the crime's been comitted, the damage is done permanently" so the law can't possibly compensate enough for the loss? Also, does it being probably international screw up the judicial process?

No "law" has ever protected anyone. The best a law can do is punish after the fact. The worse it can do is assume everyone is guilty and forbid an otherwise harmless or multi use technology or behavior to criminal and law-abider alike. This is assuming the public at large has no legit use for the forbidden thing, even if that is patently not the case, such as making DVD copying software illegal because "someone" might copy and sell movies. Which still will not keep this from happening. They are callled "criminals" becasue they break the law.

Therefore is is better to not have a law than to have a law. However even if there is a law, it cannot protect you. Laws have existed for thousands of years, and they have been willfully broken for thousands of years. I don't see a change in that trend.

Re:Whatever happened to "Laws" and "Rules"?

[killjoe]

Alas for some crimes the law is warped. Child pornography is one of them. You are pretty much presumed guilty and even if you are innocent nobody will believe you once you are charged.

Distribution of child pornodraphy for profit

[Scrameustache]

It should, however, get the attentio of the authorities much more readily though.
These guys admit to having illegal photographic material in their possession and are attempting to use it to make a buck. Catching these would be much better publicity for the enterprising copppers than some two-bit hackers.

Re:Distribution of child pornodraphy for profit

[GigsVT]

Actually, you can have the parts you need to make illegal child porn, without actually possessing it.

All you need is a picture of a kid, and a regular porno picture. Photoshop the kid's head onto the pic and instant child porn, just as illegal as the real stuff.

That's the insanity caused by this hysteria in the name of "protecting the children".

Re:Distribution of child pornodraphy for profit

[AK+Marc]

You don't even have to do that. Anything that presents the idea of child porn is illegal. That is, if you take a perfectly legal porn video involving 21+ participants (I can't bring myself to call them "actors") and name the file "illegal_child_porn_16_year_old_gets_nailed.mpg" it becomes illegal because you are representing them as under age.

Hell, all you have to do is draw a picture of two 12 year olds having sex, and you've just made illegal child porn. "Depiction" is just way too broad of a word for targeting what they are after.

Re:Distribution of child pornodraphy for profit

[Scrameustache]

Actually, you can have the parts you need to make illegal child porn, without actually possessing it.

All you need is a picture of a kid, and a regular porno picture. Photoshop the kid's head onto the pic and instant child porn, just as illegal as the real stuff.

As soon as you save it, you're in possession of it though.

But I wasn't going for a discussion of what is "child porn", since a lot of crap gets lumped into that nebulous category. But rather, I was making a point to upping the ante of online extortion from DDOS to kiddy porn means you can get the cops and the press on your side much easier. So its not really that good a move for the extortionists to do this, IMO.

Re:Distribution of child pornodraphy for profit

[GigsVT]

Actually, the supreme court of the US in 2002 ruled that simulated underage porn isn't illegal, and is, in fact protected speech, striking down the law you refer to.

http://www.freedomforum.org/templates/document.a sp ?documentID=16075

So, mere depictions that don't actually involve the underage aren't illegal in the US, no matter what any law says.

"The law [that was struck down by the Supreme Court] barred sexually explicit material that "appear(s) to be a minor" or that is advertised in a way that "conveys the impression" that a minor was involved in its creation."

The Supreme Court did say that if it really did involve someone under 18, even in an indirect sense such as my photoshop example, then it was not protected speech.

So, let the guy hurt himself

[Dejohn]

What, this extortionist thinks that people will honestly believe that a legitimate organization is now sending child porn? I think not. Let him send out all this child porn, thus not only proving that he has it, but also that he's willing to commit extortion and probably a number of other crimes. Good luck to him...

Re:So, let the guy hurt himself

[Juvenall]

That's the thing though. The same idiots who buy from spammers or open attachments titled "10_YEAR_OLD_SEX.jpg" will be the same to report the email to whatever authority in their country deals with this crap. It sucks, but it's an effective way to bring unwanted headlines like "Company XYZ under investigation for child porn mailing".

Re:So, let the guy hurt himself

[Spad]

What, someone thinks that people will honestly believe that Hotmail wants them to forward an email to 20 people or their account will be closed down.

People will believe anything that they read on the internet - the fact that everyone is still falling for phishing scams and getting rooted via email tojans should be proof enough of that fact.

Re:So, let the guy hurt himself

[JuggleGeek]

What, this extortionist thinks that people will honestly believe that a legitimate organization is now sending child porn?

The "legitimate organization" is an off shore casino. In many peoples minds, that makes them somewhat less than legitimate. It also lowers the interest the feds are going to have in chasing them down. If the same thing happened to, say, Ebay, or Google, then I think that various governments would be much more concerned about it.

This is a new twist on an age old tactic. Rob an honest citizen, they can certainly report you. Rob a drug dealer, he can't exactly call the cops saying "Hey, dat bum Joe done stole my coke!".

blackEmail

[Doc+Ruby]

Blackmailers like this provide the test cases that clean up Internet law by building case history. A judge's decision showing the blackmailer is liable protects other victims later, diluting the force of unfounded accusations with trivially contrived evidence.

Re:blackEmail

[Not_Wiggins]

I agree with you completely.

But, I think everyone is interested in trying to implement change without it costing thousands of people their honor and reputation first.

Because, honestly, it doesn't always matter if you were innocent or guilty, just being accused is often enough to ruin you.

Although dated, it is similar to the case of Dr. Mudd.

Re:blackEmail

[Doc+Ruby]

It's too late to stop the blackmail letters, or even the spoofed email. So we have to play the hand we're dealt, and the potential gain is that once tested in court, these accusations will be disarmed of their legal threats, the costs in defending from them, the business risk of their uncertain punishment. Removing all that removes much of their threat, so removes much of their value to the blackmailers. Given the threat environment, it's useful to bring these threats to a head, to end them and reduce their perpetuation.

heh

[JeanBaptiste]

sounds just like an idea i had for a virus about 5 years ago. (no, I didn't write it).

The virus would load a couple of nastypics onto the victims machine, then send out an email to the FBI. The first virus that would get you arrested.

It was just an idea, I have never written a virus that has been let loose into the wild...

Re:heh

[Mononoke]

It was just an idea, I have never written a virus that has been let loose into the wild...

You just did.

Re:heh

[JeanBaptiste]

really? wow. I didn't even write a single line of code!

I'm going to have to use slashdot as a programming interface more often.

Re:heh

[mdielmann]

I think you're underestimating the FBI, which is something coming from me. What you would actually do is create a virus that would make it nearly impossible to convict someone of child porn. Imagine multile emails, with the pics of your choice. You could make a collection, and if the feds came, you could honestly say you didn't know where those files came from.

Re:heh

[flonker]

Hrmmm, here's a better(?) idea. A virus that copies pictures from one computer to another. If anyone with the virus has kitty porn, then it can be transmitted to anyone else with the virus.

You could do tricks like copying the directory structure, copying entire directories instead of just one picture, etc. Very hard to prove intention. Also, the virus could erase itself afterwards. No evidence would remain that it wasn't you.

Existing problem, of course...

[lukewarmfusion]

People have been forging the From field for a long time, with varying reasons and consequences. In my university, a student sent a message to several thousand people pretending to be the head of the Student Affairs office. It was a very convincing text, but the user's AFS ID (not to mention his IP and room's port) were easily traced with the headers. He was picked up pretty quick.

It might be bad publicity for the company, but it almost certainly will have no legal ramifications for them.

Which brings me to the next question - is there an agency, organization, department, etc. that receives and processes these kinds of threats? If my company got something like this, to whom would I report it? And what would be done?

If there's nobody out there handling these, I suggest a bounty hunter system. The kind with bows and arrows.

Re:Existing problem, of course...

[aldoman]

It's very easy just to set up a script on some hacked webserver and use an open proxy and you are totally untraceable.

Re:Existing problem, of course...

[Rocky1138]

It might be bad publicity for the company, but it almost certainly will have no legal ramifications for them. Hmm.. I'm no expert, but aren't they liable by, after being warned about impending child porn mails, neglecting to unplug their mail server until the sickos have been found? If you do nothing to avert a crime, aren't you part of the problem?

Re:Existing problem, of course...

[lukewarmfusion]

Of course not -

You can send an email from your own mail server and convince 90% (I made that up) of the world that you're someone else. Your enemy, your competitor, your victim, whatever...

As for doing "nothing to avert a crime" - reporting them to an authority or whatever is all they should do. They can't shut themselves down until the problem blows over... that could cost thousands, millions, etc. Just because other people threaten you doesn't make you responsible for their actions.

It's not all bad

[ObsessiveMathsFreak]

The only major effect of this will be the mass blacklisting of emails from online gambling sites.

How will that be a bad thing?

Re:It's not all bad

[julesh]

Would you say the same thing if you'd missed the email from the gambling site telling you that you'd won GBP 500 on the bet that you placed the night before while you were too drunk to remember it? ;)

Sigh, so many scumbags and thugs.

[turnstyle]

It just makes me wonder sometimes if anonymity on the Internet protects way more scumbags and thugs than it does free speech.

And, it scares me miserably that I would even think about that as a tradeoff.

Re:Sigh, so many scumbags and thugs.

[bconway]

It scares me that you think scumbags and thugs are less worthy of free speech than you or I. Perhaps we should put them in a free speech cage like at the DNC.

Re:Sigh, so many scumbags and thugs.

[hitmark]

free speech should not need anonymity. the best filter for free speech is the requirement for name and face. just look at all the threats and other stuff that fly low over a system like slashdot. 99% of it comes from anonymous cowards. people are more likely to come out with weighted comments when they have to stand by it by name and face.

Re:Sigh, so many scumbags and thugs.

[That's+Unpossible!]

I don't buy the "but SMTP protects free speech through anonymity" argument. If people want anonymous speech, post something anonymously to the internet in another format. There are various ways to do this. Why insist on holding progress back on SMTP when other mediums can fill the "anonymous free speech" gap, and do a much better job at that anonymity then SMTP?

It's like saying, well we need a way to keep phone calls completely anonymous to protect free speech -- even though a person could carry out their anonymous free speech in many other ways than a telephone. Thus the police and people with 800 numbers can always see who is calling (ignoring, for the moment, the flaws that star38.com exposes in this idea).

Personally, I am ready for something like SenderID + SPF.

Re:Sigh, so many scumbags and thugs.

[TrentTheWiseA]

TRUE free speech requires anonymity, to prevent reprisals from the government or other parties that disagree with the speech. It's the same reason that we have anonymous voting. If you had to put your name and address on your ballot, then someone outside the voting area could use your past record against you to 'influence' you (usually with a heavy object or projectile weapon). They also have a list of people to deal with before they get the chance to vote in the next election.

Yes, we may get a high noise-to-signal ratio by allowing ANYONE to say things and be anonymous, but otherwise we would end up with only those people speaking the party propaganda actually safe from harm. (Think PRAVDA, or other Soviet-era news outlets).

And 'filtering' free speech, by definition, makes it non-free.

Re:Sigh, so many scumbags and thugs.

[Ironsides]

Perhaps we should put them in a free speech cage like at the DNC.

Could you expand on what you mean by this? Or at least a google search or knews article? This is not a Troll and I am honestly curious.

Re:Sigh, so many scumbags and thugs.

[cowscows]

That's not what he said, jackass. He wasn't saying we should just take free speech away from people we don't like. Laws tend to take away rights in exchange for safety/order/efficiency/whatever. And hopefully the trade-off is worth it. Your parent post was implying dismay that a similar trade-off is almost looking appealing as people find more destructive ways to utilize the anonymity that the internet can provide.

Re:Sigh, so many scumbags and thugs.

[hitmark]

if a person needs anonymity to hide from its own goverment then the system have failed as the goverment is apointet by the people, it does only legitimatly rule with the support of the people. anything other is a dictatorship or dark age monarchy. a goverment that have to turn its weapons on its own citizens is a goverment that have failed and should (but sadly seldom do) step down. a person should not have to protest free speech against its goverment, but against its fellow citizens as they are the ones that get offended by a persons statement.

in a truley free contry you should be able to make any statment against your goverment without haveing to cover behind the cover of anonymity.

and the problem of pravda is the removal of speech compleatly. this can allso be done today by the goverment (or for that matter any single person or group) owning all the newspapers, tv and radio stations.

if your affraid of your goverment then you do not live in a democrasy...

Re:Sigh, so many scumbags and thugs.

[hitmark]

you can go back and look at any post done under that "name" and know that its the same person that have made them all. this makes you able to form an oppinion about me or for that matter filter me out. its not perfect but its better then to filter anyone that makes a statement under no name as often there is the odd gem.

Re:Sigh, so many scumbags and thugs.

[TrentTheWiseA]

Reprisals don't necessarily come from the government. Just because the government doesn't crack down on dissenting opinions, doesn't mean other groups or individuals don't. The call for anonymity protects the speaker from ALL sources of reprisals. The witness protection program, from organized crime reprisals. The whistleblower program (government protection for those uncovering corruption and/or misdeeds in the government processes) protect the person coming forward. News reporters protecting their sources is an old and honored practice, to prevent these sources from being endangered by 'forcing' them public. All of these are non-governmental persecution on free speech.

Free speech is more than complaining about the government, it's the ability to say dissenting opinions about any subject. Individuals and groups unfortunately, respond with violence against these people that are publicly identified with their speech and/or policies. (Think presidental assassinations, the assassination of Martin Luthor King, Bobby Kennedy, many Equal Rights speakers during the 60's, church burnings, random killing of openly gay individuals, bombings of Planned Parenthood clinics, the list goes on.) Unpopular opinions can get one killed. Without anonymity, most of these people afraid for their safety would simply shut up.

Re:Sigh, so many scumbags and thugs.

[cortana]

Google for "free speech zone".

Re:Sigh, so many scumbags and thugs.

[NoMoreNicksLeft]

His username is an identity of sorts, easily subpoenaed. His sentiments are ok, his logic faulty. Free speech *shouldn't* require anonymity. But I live in the real world. If he wants a taste of that world, he oughtta paste scientology texts here as non-AC, and see just how long his free speech rights last...

Re:Sigh, so many scumbags and thugs.

[Rev+Wally]

How does the ability to verify the real sender of an e-mail limmit free speech? If you are retaliated against for something you say, yes, that deos limit free speech, but its the retaliation, not the ability to trace, that would be the offending action. As far as I'm concerned, say what you want, but don't pretend you're someone else while you say it.

Re:Sigh, so many scumbags and thugs.

[jjoyce]

Why didn't you say, "like the DNC and RNC"?

Re:Sigh, so many scumbags and thugs.

[dprust]

Isn't it interesting that, to build a protocol like SMTP that is open and trustful, that the makers are considered naive for being open and trustful? How does a person have a positive, trusting attitude without being a naive moron because people are so evil? This is one of the many behavior paradoxes that make me want to kick every human I see [kick, kick, thump].

Re:Sigh, so many scumbags and thugs.

[david+duncan+scott]

Well, some of us aren't very imaginative when it comes to nicks...

Re:Sigh, so many scumbags and thugs.

[hitmark]

being killed for your opinions may well make you a martyr. and i can see the benefits of anonymity when it comes to things like telling the legal system about criminal acts.

but it should not be a requirement for just speaking up against actions you dont like (stuff that isnt illegal or coverd by law). but you should be be protected against physical retribution based on your opinions. basicly the first that uses physical ractions against verbal attacks have in my book lost the fight as they have shown themselfs as less of a person. and history will shown that im sadly that kind of person.

free speech says that you should be allowed to air your opinion without fear of retribution, this means that the goverment must protect your right to free speech even if they dont like what your saying against anyone that would like to shut you up on the basis that they dont like your statements.

i didnt say that anonymity dont have its place, but it should not be required for simple things like a unpopular webpage or similar. if the system cant protect you against that then the system have failed to fullfill its promise.

anonymity have its place in the system but it should not be the base requirement for free speech.

and martin luther king would not have force behind his protests if he didnt stand up on that podium and basicly taunting the opposision to react. basicly he stated by standing there that he was not affraid. his words would not have the same impact if he hid behind a cover of some sort.

the fact that people become violent about an idea makes me question humanitys ability to exist. and if one covers behind anonymity then the other side may as well have won. atleast they managed to scare you into hideing.

Re:Sigh, so many scumbags and thugs.

[bleckywelcky]

I have a simple solution:

1. Find out who is sending the extortion threats.
2. Break their legs.
3. Shoot them in the knee caps.
4. Profit.

Re:Sigh, so many scumbags and thugs.

[TrentTheWiseA]

I don't remember saying that anonymity was REQUIRED for free speech. What I meant is that the AVAILABILITY of anonymity, if desired, is necessary for free speech. There are a number of people/organizations that are quite proud of the message they put out. There are others with less power, political clout, or money that choose to say unpopular things anonymously so that they don't get 'squashed' by those not liking their position.

You SHOULD be protected by the government, as we are in the U.S. but that doesn't completely prevent reprisals. Being right and dead, still means being dead. And history is written by those that win/survive. If you're going to be a martyr for the cause, make DAMN sure it's the right cause, you only get to be a martyr once.

Not everyone has the moral fortitude to risk themselves, or more importantly, their family, friends, or other significant people in their lives to express their dissenting opinions. That doesn't mean that those opinions shouldn't be expressed, but are better expressed anonymously 'to protect the innocent' as the old Dragnet motto goes.

Re:Sigh, so many scumbags and thugs.

[hitmark]

ah, now we are on the same page. i dont recall the use of availability was ever used before now so it seems that we have been talking about the same thing but putting diffrent meanings into the others mounth. yes anonymity should be available if you so need, but dont be surprised if your words gets passed by as rambleing. atleast unless you help the goverment put someone in jail...

but many times, anonymity may well be seen as the same as not speaking at all as it means your "opponent" can control you by the use of terror or threats.

im sorry for this discussion, if i had read the original post correctly it would have been avoided. beer on me?

so the question is, how can we filter what is on the net without putting free speach at risk? or can we do so at all? maybe if we had a framework for signing mails? basicly makeing pgp or its equivalent a official function of the net? that way you could sign or even encrypt the mail. basicly build pgp into every mail client out there and make it easy for even technophobe grandma to use. maybe have a system for public key lookups buildt into the mail servers so that you dont have to rely on seperate servers for that. your public key is stored where you have your mailbox so that any person can have his client send a request to the mailserver for foobar.com (or whatever your domain may be) and request the public key of any of its users. maybe this is what sender id is about only that it puts the burden on the server rather then the client.

Re:Sigh, so many scumbags and thugs.

[Bachus9000]

Obviously because he's biased against the Democrats. :)

If these guys were smart

[SallyMac]

They'd send the emails first, and -then- blackmail.

This way they leave the victims with proof. Dumbasses.

But honestly, I agree with the getting rid of SMTP comment. But something better would have to be developed and become a proven technology before it even started to go anywhere, and I don't see that happening anytime soon.

People have said that.

[www.sorehands.com]

Peopla have told me that me that saying that spammers are one step above pedophiles is in exageration. This type of extortion shows that my statements are true. This shows that spammers are involved with child pornography.

Re:People have said that.

[sn0wflake]

What a load of crap. Spammers are in the game for profit.

Re:People have said that.

[Have+Blue]

It is most definitely a huge exaggeration. Annoying people over the Internet and wasting network resources is about as far from abusing children as you can get. You might as well claim that that jerk at the bar who made a pass at you earlier is "one step above" a serial rapist.

Re:People have said that.

[handslikesnakes]

Oh, come on. Spamming is about as morally bankrupt as stealing pennies from the "Leave a penny, take a penny" tin at the grocery store; not something that's going to make you popular, but nowhere near as wrong as murder or rape.

One more reason...

[jmcmunn]

...to clear your cache. Just what I need is some cached email shit from some spammer on my machine when the FBI comes to take back all of my Mp3's! Hahaha FBI, they are all legal from iTunes! (and then converted to Mp3 of course)

Dumbest Idea Ever.

[ntxb229]

I mean honestly... if you got an email with child porn, and it was from info@partypoker.com, is your first response going to be "Oh my gosh! What an awful company!!" Please... how stupid do you think people are? Well on second thought...

Re:Dumbest Idea Ever.

[freeze128]

Where you laugh, I cry.
Our director of IT got a virus on her laptop and started spreading it around the company. When I got one of the emails, I looked at the header, found the originating IP address and tracked it back to her machine. She proclaimed "It didn't come from me, it came from finance first."

Re:Oh the irony

[NotQuiteReal]

one form of scum preying on another form of scum with threats to turn them into scum

Hey don't knock it - that's how we all got here, what with primordial soup, evolution, and all that ;-)

Anonymity did

[Anonymous+Brave+Guy]

For society to work, with freedom must come responsibility. As long as you can effectively send anonymous information via the Internet, there is no way to hold someone responsible for this sort of action. Even if the laws are there, without any effective way to enforce them, what does it matter?

It really took this long?

[Juvenall]

..really, I'm shocked. The company I worked for a few months back on a contract basis was getting threats like "If you don't ____________ we'll spam in your name/send people fales rates for your service/send a virus from your accounts/send magic pixies to rearrange in your sock drawer". This really seems like the natural progression of things, as sad as that sounds. You can really only hope for one of two options. Either inform the media and hope if and when it goes down, enough people are "in the know" that you can avoid any backlash or keep your fingers crossed that one of the proposed email verification ideas takes off.

this reminds me...

[to+be+a+troll]

...of something i was thinking about the other day after a couple weeks of hunting spyware on my PC. what if someone comes along and designs some spyware that actually functions quietly (without the random popup windows and other tell-tale signs of infection). And they are able to open a port and upload any sort of incriminating evidence they would like into your own home... what is there to stop this sort of thing from happening? remember the /. article about north korea waging a cyber war on americans? ITS ONLY A MATTER OF TIME

Re:this reminds me...

[sokoban]

You mean, someone may write a trojan/virus that allows access to the hard drive? That will never happen. At least certainly not on Windows.

Re:this reminds me...

[Ironsides]

what if someone comes along and designs some spyware that actually functions quietly (without the random popup windows and other tell-tale signs of infection). And they are able to open a port and upload any sort of incriminating evidence they would like into your own home.

It's called a Trojan. And that has been used succesfully as a defense in court cases. Yes, someone actually claimed they were trojaned and thats why the evidence was on their machine and was found not guilty. If they were actually guilty or not, I don't know.

Interesting...

[Saint+Aardvark]

Compare and contrast with this editorial from The Guardian, which suggests a SETI@Home-like client to DDOS sites that host child porn.

OT discussion follows: My first reaction was, what a stupid idea -- all it takes is one faked entry on the list to turn it into a great weapon against whoever you hate today. Then I remembered Artists Against 419 and its many clones. Funny how I'm willing to trust one but not the other...

Re:Interesting...

[Saint+Aardvark]

I'd argue that "saturating the connection" is a red herring; the real purpose of either action: to make the website unavailable to others. (The motive behind that purpose is, of course, very different.)

In any case, it doesn't change the implicit question: who d'you trust when it comes to this sort of thing, and why? Why do I feel more comfortable with AA419, and less comfortable with the editorialist's suggestion?

good luck with that

[poptones]

since they're probably in some flea bit FSU state. and given what many (if not most) in the US call "pornography" (when it comes to children) it wouldn't be hard at all to fill that promise by sending out a few pictures of the local kids playing on the beach.

You seem to have forgotten that the internet doesn't end at the coasts?

This isn't about framing them legally - it's about smearing their reputation further. Any competent website op is going to have logs, and their tiering partners are going to have logs as well. It would be almost trivial to prove to the FBI the "bad stuff" didn't come from them, but it would likely be a fair sight harder getting the luser recipients of said material to believe it.

Re:good luck with that

[Scrameustache]

It would be almost trivial to prove to the FBI the "bad stuff" didn't come from them, but it would likely be a fair sight harder getting the luser recipients of said material to believe it.

Unless there is a very public investigation of a child pornography ring using legitimate businesses' name to distribute. Have the cops and the company's PR rep on the news saying how horrible these people are...etc.

Re:Man...

[crimethinker]

Couldnt they just find this suckers IP and track him down and get him fined or arrested?

RTFA. These are online gambling sites. Most gambling has a large amount of organized crime involved. I think that getting fined/arrested should be the least of these scumbags' worries. And whatever the mob would do to them, they would deserve it.

-paul

This sounds really stupid.

[RealAlaskan]

I predict that cops everywhere, including the extortionist's home countries, will be willing to cooperate (for once) to fix their wagons.

The article says the message was signed 'Bohan Krascevic'. Most of the old Eastern Block countries are really protective of their kiddies. Bohan better hope he gets extradited fast, if they catch him.

Getting your local cops angry is a really bad idea, and this sounds like a really bad idea. I don't think it'll catch on.

Sheesh

[HarveyBirdman]

Will one brave company open Soldier Of Fortune and hire a mercenary already?

A few spammers in an open field killed execution style will rein in this stuff faster than any legislation.

There. Problem solved. You'd be suprised just how many problems violence CAN solve.

Re:Sheesh

[stratjakt]

The dude is pretty much threatening the mafia for 7000 bucks. I'd say his chances of winding up killed execution-style are higher than average.

Oh, and anyone who doesn't think organized crime is balls deep in online gambling is a complete dope.

Re:Sheesh

[HarveyBirdman]

What did the soldiers killed execution style in Iraq last weekend solve? Did anything change? Was there a huge outcry? Will it change the political situation of this country?

Wow! You might just be completely and perfectly stupid! :-)

Re:Sheesh

[Demonspawn]

"There is no problem that cannot be solved through sufficent ammounts of brute-force and ignorance." --Me?

If someone else said this first, correct me and I'll update my funny quotes file.

--Demonspawn

I swear...

[indros13]

that sort of thing ain't my bag, baby.

nothing new.

[Lumpy]

Mothers angry at their soon to be Ex-husbands use the "child porn or Molestation" card all the time to try and ensure that the father can not get custody or even visitation. This is usually used as a way for her to "punish" him for what he may have done and is typically found in divorce cases where the husband was fooling around.

People have been using the boogymen like that for decades... Even when proven innocent it will haunt the accused for their life.

It's too easy to accuse without proof and be sure it will cause huge damage.

Re:nothing new.

[ahfoo]

Well you also touch on the very real issue which is completely obfuscated in the fear mongering over child pornography which is the fact, and this is a very well documented fact, that the vast, vast majority of child molestation cases take place within the family and have absolutely nothing to do with this mythical image of the child predator.
Sure, you can document the sick twisted case of the totally whacked out career child killer freak all you like, but those are the extreme exceptions to the rule. The rule is that child molestation occurs within the home at the hands of an offender who is either a member or the family or close associate.
But the hype over child pornography literally pays thousands of people's salaries and forms the backbone of political careers and so you won't see it going away soon depite the fact that it has little to do with the real situation regarding the crime that it supposedly is targeting --child molestation.

Re:nothing new.

actually in my city there is a team of lawyers that are making a nice profit out of suing the crap out of people that wrongly accuse this and the media and others that run with the story before it was proven.

there were 7 cases last year that this group won against women accusing others and men in their life over the "molestation" card... and they sued them HARD as well as a localTV station.

Now the local TV will not touch any of those stories until it is decided in court.

Re:nothing new.

[bani]

which city? which team? which tv station? names please

Could be wrong, but

[Dachannien]

I could be wrong about this, but my guess is that the whole child pron thing is just a bluff. The extortionist already has enough zombie machines to do a DDoS attack, so there's no need to risk a more severe prosecution if caught when a lesser means will do the same job. The additional threat is likely just a kick in the seat of the pants of the target, to make sure the extortionist has their attention.

Joe Jobs.

[SeanDuggan]

Sounds like a fairly standard Joe Job such as has happened with DarkProfits. Only difference being here, they're actually extorting on the threat rather than simply trying to damage someone's reputation. Thing is, this could be very damaging. When it comes to child pornography, people tend to get very irrational and seldom check for any form of proof or second opinion. It's kind of like being accused of being a child molester IRL. Even once you prove your innocence, no one will quite look at you the same again and some people will never truly believe your innocence. Heck, the more squeaky-clean of life you lead, the more guilty you may seem to them. After all, you must have something to hide.

Re:Joe Jobs.

[allankim]

I remember a similar but even more explicit "Joe Job" e-mail to a journalism mailing list back in the mid-'90s, complete with name, RL street address and phone number. List subscribers (mostly working journalists or academics) called every law enforcement agency in sight, and IIRC at least one person claimed to have gone to the address. (!)

Eventually someone figured out that it was a hoax. (Eventually.) I can only imagine that the average person would be almost as credulous as a crowd of professional journalists.

Re:Joe Jobs.

[pommiekiwifruit]

e.g. in the UK a while back the harrassment of people who look vaguely like or have similar names to people who were "named and shamed" by a national newspaper.

Re:Joe Jobs.

[Lost+Race]

Pedophilia is sexual attraction to people under puberty and is clearly a mental illness, as people under the age of puberty cannot reproduce.

Doesn't this imply that homosexuality is also clearly a mental illness?

Re:Joe Jobs.

[myowntrueself]

Good point. Maybe it is.

Re:Joe Jobs.

[pipingguy]

As it was stated, sort of (the implication, not the reality).

Sexual attraction to children implies a projection of power towards the innocent on the part of the offender.

I'm no expert on the subject but it just seem to me that people that are turned-on by kids are brain-wired improperly.

Re:Joe Jobs.

[ynotds]

There's another "just so" evolutionary explanation that suggests that young males stay small and soft longer so that dominant males will not see them as threatening while the youngsters learn what they might need to survive as adults.

If that were true, attraction to prepubescent males might only be slightly displaced from attraction to reproductive age females.

Attraction to prepubescent females may have more problems and be are hard to separate from traditional notions of females as property to be protected.

Re:Joe Jobs.

[pipingguy]

Evolutionary explanations tend to leave out the existing "natural" mind-state of adults wanting to care for the littler people. Some might say that this is just silly modern conditioning of a few thousands years' worth of parenting.

I am not a religious person.

I like kids because they are neat intellectually, and yes, vulnerable (that's why silly jokes can be played on them). As a father myself, of course I am biased.

Anyone that can look at a child and think of personal, selfish "opportunity" instead of "wow, pretty nifty creation" probably has the wrong outlook. If I may be so bold as to define a "proper" outlook.

Re:Joe Jobs.

[ynotds]

Yeah, adults tend to react badly when they get caught out by a silly joke, though they are mostly just as easy to trick, maybe moreso if they have come to take life too seriously.

But I have great difficulty thinking of any human being as an "opportunity" for anything more than voluntary collaboration. Likewise for most living critters. Guess that's why my wealth isn't measured in dollars.

It's all USPS's fault!

[thisissilly]

Using US Postal Service as our default mail system has got to go...

USPS is wide open to the kind of attack that is being discussed here. Since there's no authentication of the sender, anybody can send out messages with the "From:" address of the desigated victim, and can smear their reputation into being anything from a spammer to a pornographer.

The only surprise to me is that it took the bad guys this long to make the connection into this being something to make extortion threats over. It's not like this was a well-hidden problem with USPS, sender spoofing has been done by spammers and phishers for years.

We need to retire this standard and find a better way to move mail with the ability to authenticate that the claimed sender is the real sender. It'd solve this problem and a whole bunch of other ones at the same time.

Re:It's all USPS's fault!

[quantum+bit]

Thank you!

That is the same analogy I like to use when my users complain about spoofed bounces/virus messages and ask why I don't stop them.

Setting up SPF records only does any good if other people are actually checking for them, which few are so far.

Re:It's all USPS's fault!

[hopemafia]

An interesting analogy....

But walking into a Post Office and sending child porn pics to 10,000,000 people from a forged address, would be sure to draw some attention. Not to mention how expensive it would be, the enormous time involved, the fact that there are video cameras at most PO's, and you're sure to leave some type of physical evidence on the envelopes.

Anonymous mass snail-mailing is just not feasible at the scale it is possible via e-mail.

Re:It's all USPS's fault!

[AuMatar]

There's this thing called junk mail. You can easily send a letter to everyone in New York that way if you're willing to pay. Its more expensive, but no more difficult.

Solution is painful.

[tomstdenis]

Don't pay under any circumstances and do your best to track down the people responsible. Paying or otherwise giving them the ego-stroking they want is just counterproductive.

This is also a good reason why companies should have gotten into the habit of using PGP/GPG to sign their emails as policy... But I guess they get what they pay for now...

Tom

Comment removed

[account_deleted]

Comment removed based on user account deletion

huh?

[MarcoAtWork]

if digital signing was mandatory and everybody had certs (chicken and egg problem the poster was alluding to) their name would *NOT* be associated to anything untowards, as it would be impossible to spoof an email from somebody else (yeah, you could munge the 'from:' but your mail client would alert you that the email has an invalid signature (and possibly if this is the case the mail wouldn't even get routed in the first place)).

maybe it's just me.....

[to_kallon]

but if a company, and granted i don't gamble so i don't know what their typical mailings are like, that i do business with sends me an e-mail with pornography in it my first thought is not going to be, "sick bastards! i'll never gamble there again!" it's going to be "one more victim, how sad." i think this type of thing get's blown out of preportion, which if i might add is what the spammers are really looking for (next to money). no i'm not proposing that if we ignore it the problem will go away, find the useless scum and string them up, but i think people in general are smart enough to figure out that the companies they do business with aren't involved in the child pornography industry. i see this as a hollow threat because even if it is followed through with it's an annoyance at best (spoken as someone who has an effective spam filter). the worst part about this is the precedent it sets because i can garauntee this is not the last we've heard about this.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Oh look

[Turn-X+Alphonse]

No officer I did not send that e-mail, it was spoofed.. I do not have any child porn no sir...

Anyone seeing a problem here? If we start spoofing things like this is becomes much harder ro prove person X did send e-mail Y..

Re:Oh look

[bwcbwc]

It's even harder if the email isn't spoofed, but the extortionist actually has control of a machine in the victim's domain from which they can send the CP. At that point the victim actually does have the material on their machine. And under US law, they could be charged at that point. The law here is posession of CP is illegal regardless of intent. The victim is screwed either way at this point: They have to admit that the computers were compromised in order to prove the CP isn't theirs.

"from the sounds-like-an-fbi-method dept"

[stratjakt]

When has the FBI extorted anyone under the threat of spamming kiddy porn in their name?

WTF was that little comment supposed to mean? Anything deeper than "I hate the gummint"? Explain please.

In the absence of an explanation, then you, timothy, are now officially a bigger asshat moron than michael (albeit, not by much).

Re:"from the sounds-like-an-fbi-method dept"

[stratjakt]

Alright then, I'll write it off as a reference to one of the biggest piles of crap that ever plopped out of America's asshole (Hollywood, CA).

It's still seems more like a stupid way to insert a "Bush is teh suck" comment into a completely unrelated story to me.

Re:"from the sounds-like-an-fbi-method dept"

[ed__]

well now that you bring up the whole bush-is-teh-suck thing. bush is indeed teh suck.

but i dunno, your comment seems a bit off topic for this article since it has nothing to do with bush at all.

Re:"from the sounds-like-an-fbi-method dept"

[geoffspear]

Oh please. J Edgar Hoover become the director of the FBI a month before W's father was born. I hardly think comments about the FBI being evil can be taken as anti-Bush rhetoric.

Re:Oh the irony

[Jeremy+Erwin]

Bookmaking is perfectly legal in Britain.

Wonder sometimes?

[glrotate]

I'd say that the scammer/pervert/pirate to free speech soldier is about 5000:1.

SPF helps here

[wayne]

One of the things that publishing SPF records does is that it creates a public statement about which email servers are authorized by you to use your domain name and which aren't.

This is somewhat like posting a "no trespassing" sign, and a chain link fence around your property. It doesn't prevent the people from cutting through the fence and getting hurt on your property, but it lets you show to the courts that you took reasonable steps to prevent it.

This is also a good reason to check SPF records. If your company or ISP lets child porn email go through that the domain owner explicitly said should not be allowed, you may have to show why you aren't contributing to the libelling of the domain owner and why you didn't protect your employees/customers from preventable child porn.

Yeah, at this instant, SPF is not enough of a standard to give you strong protection, but in 5-10 years, I think that will change.

Slander hurts, even if your reputation is good.

[adb]

Like Lyndon Johnson said, it's doesn't have to be true; it's enough to make the poor bastard deny it.

War

[flibuste]

This scumbag by e-mail thing has got to stop somehow. This has just gotten too far with child porn.

This whole way of extracting money from people just reach an unacceptable point here.

There are many good techies in Slashdot, why not retaliate against those scumbags in an "open source retaliation scheme against scumbags". I am thinking of some sort of open source militia that would take down the systems from those criminals with the same kind of attacks (or more clever) that they do.

AskSlashdot::How can I contribute in stopping this electronic non-sense?

Re:War

[MarkByers]

This whole way of extracting money from people just reach an unacceptable point here.

And other forms of blackmail are acceptable?

Re:War

[flibuste]

Did I say such a thing or are you just trying to troll undercover?

Do these sites get phished?

[Jonny+Royale]

Given the recent spate of attention given to these offshore gambling sites, I'm suprised these criminals haven't resorted to phishing for user ID's and passwords yet.

Think about it: These are sites with heavy online use, lots of cash transactions, and, unlike a bank, users (and supposedly some of the operators) are unable or unwilling to go to authourities for help tracking down the perpetrators.

So, how long will it be until my daily fake citibank account request is replaced with a fake request for my offshore gambling account number? And how many people will happily go to the phishing site, drop off their account name and password, and next thing you know, they're account is empty?

Re:Do these sites get phished?

[stratjakt]

Of course they do. The only phishing email I've ever recieved was "from" some online gambling site.

Citibank or Bank of America, etc, phishes are more popular because chances are much higher that the recipient has a bank account at one of the worlds largest banks, than they have a gambling account on an online casino.

That and people who run online Casinos are waist-deep in spamming schemes too.

Whoever sent that extortion email was a complete idiot. He's literally threatening the mafia. Maybe he really just wants to wake up with a severed horse head in his bed.

Hmmm...

[temojen]

On reading the headline I thought the extortionists were threatening to upload child pornography to their servers then call the authorities.

This would likely get their servers seized at least long enough to figure out that they'd been hacked. To an on-line business, that may just be long enough to put them out of business.

With just emailing in their name, all the extortionists are doing is causing a breif blip of bad publicity before they get the word out that they're being framed.

Re:Hmmm...

[YrWrstNtmr]

That brief blip may be enough to get their name on several lists.

[newpaper headline]
"XYZ.com implicated in child porn ring! Here is an example of an email sent from their coroprate office."
Various religious groups, web filtering db's (i.e. WebSense or NetNanny), and the like seize on this. Online traffic and sales plummmet.

[a few days/weeks later, buried on page 8]
"XYZ.com was the victim of an extortion ring. However, the child porn connection has not been totally ruled out. FBI and local police are still investigating."

How much work do you think it would take to their name removed from all those lists and db's?

This is what happens...

[MillionthMonkey]

... when you establish thought crimes.

If times were different the threat might be to send Communist propaganda.

Re:This is what happens...

[julesh]

I wouldn't describe child pornography as a 'thought crime'. It involves posession of a material which, to be produced, requires that a crime be committed which is frequently harmful to the children involved, and therefore implicitly condones the fact that that crime took place.

Re:This is what happens...

[MillionthMonkey]

It involves posession of a material which, to be produced, requires that a crime be committed which is frequently harmful to the children involved, and therefore implicitly condones the fact that that crime took place.

Yeah that would be a reasonable definition. You'd think the law ended there. There was a case in 2001 where a law (the Child Pornography Prevention Act of 1996) banning "virtual child porn"- i.e. cartoons- was struck down by the Supreme Court in a 6-3 decision on First Amendment grounds. That went close to defining a thought crime. The Child Obscenity and Pornography Prevention Act of 2002 amended the law by adding the words "virtually indistinguishable from" to the statute- creating an exemption for obvious things like cartoons- but still covers "generated images" and "computer generated images" if they're "virtually indistinguishable from" real child porn with real children. That one passed the House but was never considered in the Senate. The Child Obscenity and Pornography Prevention Act of 2003 was included as an amendment to the PROTECT Act (outlawing digitally morphed images, where you paste the kid's head on a naked body). That one doesn't care about whether it's real or fake. It simply outlaws any solicitation to buy or sell child porn advertised as such. See here for details.

It's a lot like flag burning- where constitutional amendments often sit squarely in the way of a desire to be seen as "doing something".

Re:This is what happens...

CNN owns footage of the WTC falling. A crime (or at the least a very bad thing) had to be committed for the WTC to fall. ... Connecting dots ... CNN condones the Sept. 11 attacks?

Risk vs Reward ?

[vhold]

The guy doing the extorting now has to actually have child porn and has to send it himself. The risk if he gets caught is -way- greater then if he were just cooridinating simple DDOS attacks. He'll get all kinds of scrutiny from all kinds of groups that oridinally wouldn't bother. If he's in some totally untouchable country, he's in the unique position that now if the locals find out they'll probably actually care.

I think the extra risk this behavior exposes the perpetrator to will go a long way to self regulate this trend.

Re:Risk vs Reward ?

[stratjakt]

He's threatening a type of online business that's well known to have deep ties to organized crime. Online Casino's are what Vegas was before the mob was driven out.

Either his nuts are made of steel, or his head is. Either way, his chances of turning up dead far exceed his chances of making 7000 pounds.

Which makes me wonder. Maybe it's a reverse Joe Job. Send an extortion threat to the mafia and sign it CmdrTaco, hmmmmm...

Re:Risk vs Reward ?

[vhold]

"Which makes me wonder. Maybe it's a reverse Joe Job. Send an extortion threat to the mafia and sign it CmdrTaco, hmmmmm..."

I'm kinda amazed I've never heard or thought of that entire concept... Are there any famous examples of it ?

Re:Risk vs Reward ?

[t_allardyce]

What if he's bluffing? It would be pretty easy to send out mass emails to all sorts of people (ie spam) and just see who sends you the money, if its a small enough amount some people are going to pay. Its a pretty low form of blackmail, i guess it really comes down to how the general public treat pedophilia, the general feeling at the moment is total witch-burning, so if someone threatens you with that you're more like to want to just make it go away - even if you are totally innocent, if you get charged for child porn people will just think you're guilty anyway.

Re:Risk vs Reward ?

[vhold]

I donno, that's interesting, but I think the risk factor still plays an important role. Just by threatening something like child porn, you've greatly increased your risk of being caught and punished.

If I threatened that you better give me $50 or I'll shine your shoe while you wait, I don't think I'd face very significant punishment relatively. So the level of the threat, even if it's a bluff, matters I think.

Re:Risk vs Reward ?

[advocate_one]

he doesn't actually have to have child porn on his machine... he can quite easily send an html mail containing a link to a picture located online... less capable email clients will nethertheless go online and fetch the image when the email is viewed... try explaining that away...

Re:Risk vs Reward ?

[vhold]

Good point, but I think the overall impact would be way lower then actually sending the real material. But yea, it'd still be bad.

The site would most likely immediately go down. How many of those sites do you think sit unpassword protected? Seems like it'd be next to nil. Lots of people would get the email after the site went down, having almost no impact on them at all.

Also, the process of discovering such a site would pretty much mean one way or another you're now entangled with child porn, which is the main thing. You are right though that he could mitigate the risk of storing the material with the trade off of diluting the actual attack.

Re:Huh?

[NarrMaster]

One thing you're not understanding: it was Catholic policy to move the priests to different locations which led to more children in danger instead of getting them help. That is just one notch below endorsement. Its sick.

Extortion is outdated... do people fall for this?

[DroopyStonx]

1. Don't give them money, if you do you're stupid.
2. Let em do what they claim they're gonna do. It won't hurt your company.

Anyone with a brain will be able to realize, "Hey, maybe it isn't them doing this nasty deed."

Do you REALLY think if Best Buy spams some dog sex images that people would think, "Best Buy is sick! What are they doing?!" Nah.

That's like getting those "Arnold Says 'Don't be a girlie man and vote for Bush'" spams and thinking Arnold actually approved it.

C'mon... people know better. Extortion is outdated.

I didn't say

[www.sorehands.com]

I didn't say that they were not in it for profit. But to get that profit they will steal, lie, and kill. Here, in this case they blackmail for profit. Why wouldn't a spammer profit by producing child porn and running child prostitution rings?

Re:I didn't say

[sn0wflake]

A spammer would certainly profit by producing child porn and running child prostitution rings. Your idea is just far out. It's like saying that people who drive too fast are killers because people get killed every second due to traffic accidents.

Re:Huh?

I don't think that's entirely true. It wasn't that the Catholic church had a specific policy to simply shuffle the criminal priests around. One thing you find in the organization of the Catholic church is that there tends to be one man in charge at any given time on any given level. And, since shit doesn't tend to roll uphill, things like this rarely made it past a single level of authority up the chain. So, aside from the same rumors that everyone heard, the Catholic church as a whole wasn't aware of specific cases. Priests get shuffled around regularly anyway, so putting in for one of your subordinate priests to be transferred elsewhere is a common occurrance and not questioned.

Other major religions don't fall into that trap so easily because of their structure. For example, any Jewish synagogue that I've seen (which isn't very many, I admit, so I could be mistaken here) has been run by a board of clergymen, with meetings and whatnot. It's harder to keep things quiet when more ears are turned your way. But in Catholicism things happen behind more tightly closed doors (good things as well as bad things) where some of the primary concerns are the privacy of the people involved and the sovereign authority of the one man in charge (priest, bishop, etc.) of that particular setting.

These posts are sad.

[WindBourne]

I see so many ppl here willing to give up animinity and the ensuing free speech, to stop such harassments.

But this is no different than Gun Rights. Many in the USA want to stop gun sales. But that will not stop crimanals from obtaining and using guns. That has been shown in numerous cultures over the years.

What I find sad about this, is that many of the same ppl who fight for the right to own guns (and even unregistered) are the same ones that would remove our rights to be anonomous.

Instead of saying to remove SMTP, it would be better to suppliment it with new controls (sender-id) that will allow users to decide if the want anonymous senders.

What is happening is that you have some ppl who have figure it out how to use the system to hurt others. So many here are now proposing to element the advantage of the system to try and stop the problem.

Re:These posts are sad.

[julesh]

I see so many ppl here willing to give up animinity and the ensuing free speech, to stop such harassments.

Assuming you mean anonymity, I disagree that it is a requirement for free speech. Free speech is being able to say what you want (within reason) without fear of recrimination. Only if you were afraid of recrimination would you want to do so anonymously. So the need for anonymity is actually evidence that free speech does not exist.

Ooopps, wrong link.

[www.sorehands.com]

The correct link.

never a better case for encryption

[path_man]

Crypto doesn't solve everything... but in this case its capability to create messages which can or cannot be repudiated would solve this flat. This is something that has been missing from our email systems for ages -- and until we can get something reliable in place by which a user can absolutely know that the sender is authentic, we'll continue to suffer from SPAM, scams, forgeries, and these attempts at extorsion.

Never a better time for email encryption.

There is only one way...

[eno2001]

...this is ever going to change. Someone will need to create a new protocol for sending mail that will provide the anti-spam features, but more importantly will provide some new, very desirable feature(s) that people will desperately want. This is the only way to get lazy asses to move to a new protocol. The problem lies in who that someone turns out to be. If Microsoft comes up with some whiz-bang new protocol for sending mail that does what I mentioned above, then all the folks who are Microsoft shops will move in that direction and the openess of the internet will have dissipated that much more. If Sun, or Novell do it (assuming they could manage to get an original idea out of their R&D at all. ;P ) the adoption of this new protocol would be slow. If the IETF come up with something, then we'll get the usual people joining in later in this order: *nix vendors first, ISPs with proprietary setups next, and finally Microsoft after their initial attempts at mimicking the IETF but in a backwards way fail. It happened with HTTP that way...

So the real question isn't, "how do we stop spam by getting rid of SMTP" but it's, "what can a new protocol do that will up the ante in functionality so that everyone and his brother just HAS to have it"? Personally, I have a completely different solution that I've been using with friends and family using freely available open source tools. Think about your phone numbers (work, home, cell) and you'll get the idea... (Come on folks! I can't feed you everything ;P )

BULLSHIT

[schon]

But we have technology that works almost perfectly with existing SMTP servers that combats this very threat.

No, we most certainly don't.

SPF, Sender ID et al are designed to confirm that the sender or sending domain is reflected accurately.

And how, exactly, does this "combat" anything?

Assume a scammer wants to extort money from "UpstandingCo.com". What's to stop them from registering "UpstandingCo.cx", "Upstanding-Co.com", "UpstandingCompany.com", or any one of a zillion other domains, setting up the appropriate SPF/SenderID record, and using that to send out their hoax emails?

Anyone who would believe that "UpstandingCo.com" would send kiddie porn in the first place isn't going to be smart enough to realize that "Upstanding-Co.com" isn't the same outfit.

*THAT* is the problem here. It's not a technical problem, it's a social one - and you can't solve a social problem with a technical solution.

Re:BULLSHIT

[Zork+the+Almighty]

*THAT* is the problem here. It's not a technical problem, it's a social one - and you can't solve a social problem with a technical solution.

Then I guess there's no point in changing SMTP... :p

Couple of Things

[Undefined+Parameter]

First off, it seems to me that the weak link in this extortion scheme would be the money transfer. The extortionist (not to be confused with "contortionist" or "exorcist", or some combination thereof) would have to be very clever not to be caught by the transfer. If it's something as simple as a wire or drop-off, catching the person or persons responsible would be a snap.

Second, there is no reason to believe that the person(s) making the threat actually has child pornography (not that I'm defending him/her/them). The posession of the material is not required to make the threat. The extortionist could be like a bank robber without a firearm, either claiming to have one but not, or having a toy pistol (having "barely 18" pornography that looks like child pornography).

In short, in order to actually pull something like this off without getting caught, one has to either be very smart or have a very stupid target.

~UP

Asking for all the trouble in the world

Could we come up with a more motivated group of people, than gamblers? How about people who are often smart, with good memories? How about people with time and money on their hands? How about people, who are social, many of them, to some degree? How about their being *everywhere*?

How about their not wanting to have their "vice" (gambling) even remotely connected to child pornography?

Post a reward to catch the extortionist. Include benefits a high roller would love to get a chance at, say, travel, being able to access certain games or more access to them.

Catching the extortionist, could make everyone involved, at the very least,a very happy gambler and very possibly a local hero with international renown. Worse for the extortionist, I'm sure there are local bookies and mafia sorts which would act, help, simply to keep their reputations from being mired with child pornography in the media.

This doesn't even include all of the various policing agencies which are now going to cooperate to get the extortionist because they have reasonable grounds to suspect child abuse.

If the extortionist keeps it up, they'll be caught & I can't imagine their making any money because really, what company wants to be seen as funding a child abuser?

So ....

[gstoddart]

because basically the threat is that their name would get associated with child pornography.

you can't really fight against such threats any other way than making it national news that someone is extorting you that way...

... anyone who was actually dealing in such stuff would just have to announce to the world that someone was going to claim they had kiddie-porn and not to believe it?

What about people putting out claims on behalf of you that there really is no kiddie porn and you're being extorted? Your solution becomes as unverifiable as the claims you had it in the first place.

I'm not dissing your solution, but if nothing in the chain is authenticated, then it just becomes an annoying problem.

Re:So ....

[geoffspear]

Yes, because the first thing child pornographers want is a bunch of police around investigating to try to find the made-up person who's extorting them. "Look, officer... the extortionist broke in and left this camera full of pictures of naked kids taken in my home. Now you can investigate him for breaking & entering, too!"

Even worse for the recipients?

[thesandtiger]

Aside from the utter fucking nastiness of getting this stuff, it is just as bad to get busted receiving this shit as it is to be busted for sending it, in a frame-up such as this.

I may be completely off here, but I seem to recall a case where a guy was persecuted/prosecuted based on some email he'd gotten via some group but hadn't requested. At least, that's what he claimed.

Even if it were true that he requested it, the problem is with the ambiguity in the law but the complete lack of ambiguity in public opinion. Even if he were eventually found completely innocent and publically touted as a model citizen, there are still going to be all kinds of people who now know way more about his masturbation habits than he'd like, and probably quite a few who refuse to believe that he didn't do it - where there's smoke there's fire.

I can't be certain, but I bet there are some people who have emailed child porn to people and then called the police to turn in the recipient, banking on exactly this kind of thing.

What we need is one of 2 things:

1: A system where we have some reasonable definition of what a person's intent is. Just because Joe Schmo signs up to recieve Hot Anal Action pictures from a Yahoo! group does not mean he is culpable when some asshole spams that group with child porn.

2: A way to absolutely verify where an email came from and then ruthlessly bitchslap the person or people responsible for this kind of shit.

In a reasonable world, I'd hope for 1, but who can say what'll happen.

DNS, not SMTP

[gp310ad]

While zombies seem to be a big problem for DDOS and SPAM, what about...

I send your DNS a IP address on my network.

Your DNS looks it up and sticks the name-address pair in it's cache.

That name happens to be canonically valid in your domain.

I send a batch of spam with that domain name in the 'from' field. The receiving MTA does a reverse lookup on my IP address and I verify it as from your domain.

This is not a SMTP problem and proposed user authentication will not solve it.

You live in Texas don't you?

[hsoft]

"Vote Bush in november" is the next thing you'll say I guess.

Re:You live in Texas don't you?

[HarveyBirdman]

"Vote Bush in november" is the next thing you'll say I guess.

Wow! Another complete dumbass! They are legion on /. these days. It's a dumbass marathon! Wheeee!

Have a sense of humor surgically installed, lackwit, if they can fit one inside your junk cluttered brain.

And smile. :-) A smile makes a cloudy day go- no, wait... a smile only takes... a smile is better than a... um... ah fuck it.

And for the record, I'm voting Kerry. I like the idea of an orange Frankenstein's monster in da House.

Yes they will

[nuggz]

Yes people fall for this all the time.
They would be offended and blame that company.

Look how many people will blindly send their banking details to ANYONE claiming to be a representative of a financial company.

The masses are dumb and believe whatever crap they're shoveled. If you don't believe me, look up numbers on how many think Iraq was behind 9/11. It is really mindblowing considering the CIA has clearly stated there is no link.

Why security matters

[gmuslera]

Some time ago (when terrorist attack/paranoia/etc was on rise) my explanation to people for trying to be secure when online, and try to avoid virus, open shares, being hacked, etc, or just what kind of damage could do to him an enemy, is that is not just bandwidth that could be consumed, but in their computers/servers could be put an child pornography site, a fake al-qaeda site or a credit card sharing site, something that almost ensures that will have severe legal problems.

Now, threatening with sending child porn with their email is not very serious. A lot of spam was sent with my email address (some spammers send spam with real email addresses instead of totally fake ones to try to have more luck, and being hit with that a few times), but checking mail headers normally clean a bit what really happened (why i would travel to mexico just to send spam? :).

Of course, if the mail server of this people is an open relay or is hacked, and is used to send child pornography, spam, 419 scams, Al-Qaeda advertisement or any kind of law-breaking stuff, well, there mail headers will not help a lot, and they will have a bit of responsibility on that.

I'M NOT GIVING YOU MONEY

[AvantLegion]

So you may begin sending me porn now!

Ridiculous

[hoggoth]

The child-porn spams would have a trail of servers that clearly did NOT come from the company's mail server.

By the way, SPF checking on mail servers would stop this kind of garbage.

Re:Ridiculous

[geoffspear]

Do you read all of the Received: headers on every piece of email that you get?

Do you think the average email user has ever even seen a Received: header?

Re:Ridiculous

[hoggoth]

> Do you read all of the Received: headers on every piece of email that you get?

I absolutely DO read the headers before accusing an otherwise reputable company of sending child pornography, yes.

Re:These days I get a good laugh

[symbolic]

... every time I fetch my mail from one of my accounts with a well-known service provider. According to these phishing schemes, my account with my provider has been cancelled for failing to "update my credit card information" at least five times now. In this case, all it takes is just a second or two to THINK before acting. Admittedly this is a far cry from the extortion mentioned in the article, but people need to start taking some responsibility.

big brother

[apollo_tsg]

You bet extortion is alive and well. The meatheads who keep saying "how could anyone fall for this" are the same meatheads who fear the government is after them wrongly and watching every step they take. Let me be the first to let you know that I can't believe you fell for all the big brother syndrome bullshit. People are stupid, the stupid ones get caught most times, and there is so much fraud going on that it has got to make you sad - but I am sure you have never been swindled, you have mad wizard like puter skilz - but your mom doesn't, neither does your uncle and your sister. When the bad guys figure out a way to scam someone, and it works - it gets worse. It is very similar to supply and demand - you supply your dumbass sister's bank account and they demand the money. In the spirit of this particular thread, image is everything, why would I be associated with or continue doing business with someone who is fucked up and sending out child porn? The fact that I get spam from any company is good enough reason to stop business with them. On the technical side, it is not going to get fixed because the corporate world does not see a way to make a buck on it.

It's called "The Internet"

[cdrguru]

It is provable that the Internet is a consequences-free zone. Even if there is a law against it, it probably isn't going to be enforced. If it is enforced, I can always say they aren't going to catch me. If I am caught, wow, I get a fine. Maybe.

Laws don't carry any weight at all on the Internet.

police are wising up

[davidwr]

At least one alleged pedophile in England got off (no pun intended) by claiming "the virus did it."

Police are learning how to tell virus-borne nastypics from those people manually download.

Of course, that too could become an arms race of sorts.

expert witnesses and police integrity

[davidwr]

If the police's experts say "this guy DEFINATELY has a virus that dropped the KP, and there's no evidence that the person we arrested downloaded it manually or deliberately infected himself" the charge will be dismissed.

If the police's experts say "this PC has no known viruses, etc. at all" or "this PC has viruses, etc., but we ananlyzed them and they did not drop this KP" then the jury will hear about it. This will short-circuit defense claims to the contrary, unless of course the defense has equally-credible expert witnesses to claim "there definately was a virus at fault, and here it is and here's how it works...."

Basically, good cops like making good busts, they don't like railroading innocent people.

Good point about getting arrested being worse than convicted. However, if the police issue a statement saying "this guy was the victim of a computer virus" I think the general public will not hold it against the victim. They realize it could just as easily happen to them too.

Re:expert witnesses and police integrity

[Psychotext]

Of course, this defence worked on the basis that the guy wouldn't have known the virus was on his machine. Had he been a sysadmin or employed in IT in any way, shape or form they would have nailed him , no doubt.

Ever since then I've been really, really careful about keeping an eye on my virus protection / firewall.

Make it an offense to give in to blackmailers

[johntromp]

Of course a smart company will realize that giving in to blackmail will do nothing except encourage more blackmailing, to the detriment of the whole industry. But in order for all companies to take this stance, it should be made an offense to pay off blackmailers, subject to heavy fines. That makes it much easier for a company to reply to scammers "i'm sorry, we'd love to pay you for your lack of services, but uncle sam won't let us." Such a law would be much more effective than a similar one for kidnappings and ransom, as it becomes more of a pure business decision rather than a moral and emotional dillema.

Re:Extortion is outdated... do people fall for thi

[zygote]

People "with brains" fall for all sorts of dumb things. (Point of reference: the a political campaign.)
How about the various credit card phishing scams going around?

Unfortunately, plenty of people see "The Internets" as this mysterious place. Who knows what the computers can do? They're ALIVE!!!

But seriously, at $7,000 a pop, it only takes a few frightened, technologically-challenged small to medium-sized business owners to pay and this scam becomes pretty profitable.

Dell, Apple, Gateway, even Micro$oft, would do well to include a "Here's How the Internet Works" seminar with every PC or Mac that they sell. At least let people know the difference between things that are truly scary and things that are not.

"Ve vants za MONEY Lebowski!!"

[d474]

The irony of this story is that the blackmailers are making a big gamble by blackmailing a gambling company.

They want $7000? And they think sending a bunch of Kpr0n emails to gambling junkies is going to ruin the gambling companies reputation?!? IF the intended recipients even open the email, they'll probably think it's some sick under-world membership bonus prize and either get off on it or delete it and just go gamble some more. Like they've never seen spoofed pr0n email before. C'mon...

These blackmailers seem about as intelligent as the Nihlists that tried to get the ransom money in the Big Lebowski.

"YAA... Ve takes za MONey!!"

Re:It's all SMTP's fault!-a rebuttal of sorts.

[iamcf13]

The key is to read the SMTP headers and the underlying HTML (if any).

The phishers/extortionists are counting on people not being savvy enough to do that--thus, they 'win'.

LostCluster wants to scrap SMTP.

What other scheme with the reliability of SMTP is around now to take its place?

Then there is all the time, effort, and infrastructure invested in SMTP--no one is going to throw all that away if there isn't something better to take it's place.

All SMTP is is a transport medium--neither good nor evil.

The simple (but time consuming and resource draining) quick fix would be for all email to be publicly encrypted with public key cryptology [the Feds'll love that! >:) ]. Business sites publish their public key out in the open and use their private key to encrypt their email before sending it out. Authenticity problem solved except for two problems:

1) The bad guys correctly guess or generate the private key of bigsite.example.com This is laughably unlikely but possible which leads to the more likely possibility:

2) Someone at bigsite.example.com accidentally or deliberately divulges (under duress?) the secret key to the bad guys.

If 1 or 2 happens, the bad guys can now send email appearing to come from bigsite.example.com even though the email is transmitted from elbonia.example.com If TCP/IP spoofing or a compromised mailserver at bigsite.example.com is used, the desception apparently becomes perfect. Of course, should bigsite.example.com disavow their compromised key and issue a new one, everybody who does business with them have to change their keys and otherwise muck around with public key encryption which will be a stumbling block to the non-crypto savvy.

In the end I say, using crypto or replacing SMTP is not the answer. Just use a bit of detective work on the underlying SMTP headers and any imbeded HTML A HREF links to expose the fraud with the help of a whois service. If it still looks legitimate, you can:

1) Stop doing business with them.
2) Alert them to the situation so they can do something about it.
3) Contact the authorities and let them handle it.

What more can one do in this situation?

Re:Extortion is outdated... do people fall for thi

[MagicDude]

People ARE stupid, that's what this country works on. You can convince people to buy almost anything by showing some hot women holding your product on prime time TV, because that automatically makes it awesome. Politicians have known this for years. Is it any coincidence that one of Kerry's biggest problems is that Bush is considered more handsome and more likeable than Kerry (Even though you or I will never ever meet either of the two, and thus shouldn't matter in the election)? No, 90% of america will believe whatever they're told, and their emotions are easily swayed by the mass media. Also, if from this extortion, Best Buy lost as little as one quarter of one percent of their nationwide sales, I'd wager it'd still be considered a major hit on their bottom line.

The six phases of any project

[pipingguy]

1. Enthusiasm (widespread use of email)
2. Disillusionment (spam and UL transmission)
3. Panic and hysteria (scams, phishing, extortion)
4. Searching for the Guilty (ongoing)
5. Punishment of the innocent (Joe Jobs)
6. Praise and honor for the non-participants [...]

Re:huh?

[gl4ss]

ah.. but that would depend on the public believing such things.

it wouldn't really MATTER if it was provable that they didn't _necessarely_ send the mail, the damage would already be done if they saw images in their mailbox that were kiddie porn and had the name of the extortion victim painted on the pic.

it wouldn't really matter what was in the "from" field(the people extorting could just get a similar domain name anyways or whatever..).

Re:Extortion is outdated... do people fall for thi

[gl4ss]

you know, their business is gambling.

so their customers ARE people with NO brain cells.

Please don't call it the "Patriot" Act

[some+guy+I+know]

Look at the panic that led to the Patriot Act.

It's not the "Patriot" Act; it's the "USAPATRIOT" Act.
Please use the full acronym, or its full name: "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism".
The "USAPATRIOT" Act has nothing to do with patriotism, so calling it the "Patriot Act" is misleading.
(Considering how the Act is being misused these days, even using its full name is somewhat misleading. (How is copyright infringement "terrorism"?))
Personally, I pronounce it "the you sap at riot act" to avoid confusion.
Other pronunciations are "the US ap uh TRY ot act" and (as Jar-Jar) "the YOUsa pah TR-R-RE-E-E at act".

IDIOT

[Ensign+Trolltalk]

1. The Supreme Court ruled that non-photographic "child pornography" (i.e. "these amazing things called paper, ink, paint, etc") is not child pornography at all. So, you fail it.

2. Using phrases like "the existance of Christ" makes you look like an idiot because not only do you fail to spell "existence" right, you also admit that you believe in fictional fairy-tale characters. How can there be a time "before Christ" when Christ never existed? That's twice you fail it in that phrase alone, bringing your total failures to three.

3. Do you have any evidence for your assertion that childhood sexuality was stigmatized in the past? The concept of childhood sexuality being bad is a fairly recent invention (not counting puritanical philosophies where pretty much all sexuality is bad). So, for the fourth time today you fail it.