Sextortion Should Be A Capital Offense

Recently someone came to me and asked for help after being a victim of sextortion. What is sextortion? Simply put, it is when someone coerces you into sending naked pictures of yourself and then tries to get you to pay money to keep from sending those pictures to your friends and family. Often times a bad actor will pose as a teenage girl and offer to exchange nude pictures with teenage boys. About the best advice I can give is just don't do it. That is often easier said than done though.

The unfortunate thing and why I think it should be a capital offense is that a large number of teenage boys have ended up committing suicide over sextortion schemes. Parents involved in these tragedies from different states have lobbied their legislatures to make the crime a felony, which it is as of today in Utah. Personally I don't think it is enough of a deterrent. Due to all of the lives that have been lost, I think we should be able to up the punishment so that a criminal that has caused a suicide should suffer the same punishment, death.

Now I know I am a bit harsh and many will point out that death-row inmates cost more than someone doing life in prison. I understand that. I also know that others will be upset at me for being so willing to take the life of another person. I only wish the criminals extorting money from teenage boys worried as much about the effects of their actions.

Unfortunately the reality is that with the ubiquity of the Internet, most bad actors dabbling in sextortion don't reside in the United States. When I wrote about this same subject half a decade ago, the e-mail started in Panama. I know there are other documented cases with criminals in various African countries. That means bad actors have some level of protection from prosecution in the United States.

So what can we do about sextortion? The first thing you can do is report it to the authorities. This includes local police and the FBI. The FBI's website where you can file a complaint is www.ic3.gov. You can also go to StopNCII.org to see about removing those images so they don't continue to propagate. Be forewarned that they have a 90% success rate. That is nowhere near the 100% we all hope for. Finally be prepared for all your friends and family to receive those embarrassing pictures. About the best you can do is respond with an apology when someone tells you they have been on the receiving end of those images.

To finish the story I started this post with, I advised the person not to pay the extortion fee. Once someone realizes you will pay, it only opens you up to more sextortion attempts later. A day later a number of friends and family received those compromising images. Everyone that received them reached out to the victim, showed support, and expressed concern. Nobody judged. We all have things in our lives we would like to keep private and don't want shared with the world which is why I never answer my phone in the bathroom. Friends and family understand that and won't rake you over the coals for a mistake you have made. 

My Time as an Expert Witness

Quite a few years ago I had my first experience as an expert witness. My grandfather had a law practice at the time and needed help with one of his criminal defenses. His client had been caught cheating on his wife and so naturally the wife kicked him out. Afterwards she went through his computer looking for any other activities that she might be able to use in a court of law to make his life miserable. She found a lot of pornography and some of it happened to be illegal. There were 7 images that could put my grandfather's client in jail.

I had the job of coming up with a plausible defense. Fortunately I had an idea of how to create reasonable doubt. The guy's soon-to-be former wife taught computer science at a major university. She had the knowledge of how to change the computer's clock, download an illegal image or two, and then change the clock back to the current time. All I needed to do was prove that the poor guy got framed. I never needed to look at any of the images which worked for me as I never wanted to see them. I just looked at the creation timestamps for each of the images in question. The 7 bad images all appeared on the computer within a 2-minute period and had creation dates that didn't match when the husband would have been at home. In fact, he would have been at work and that information could be verified through his employer.

Basically the wife had framed her husband but didn't do that great a job because she set the computer's clock to a time when he wasn't at home. I had my defense all prepared and was ready to go to court and help this poor guy. Then I learned that nobody ever wants to go to court and so my grandfather's client has struck a deal with the prosecutor and I was no longer needed.

Fast forward to a few weeks ago and my wife came to me with a similar case. My wife works for a local law firm and I need to be careful about privacy so I can't go into too many details. This time I would be working for the wife that discovered her husband cheating on her. This time the wife is pretty sure her soon-to-be ex-husband likes to view pornography and wanted someone to check if there might be any illegal images on his computer.

I have to be honest, I really dreaded this second case. I am not someone that views pornography and know how addictive it can be. I didn't want to have to spend my time going through movies or images and so I had a plan to simply identify questionable content and work with the wife to have her determine if it is legal or not.

The computer arrived at my house and I sat down with my wife to start going through it. I pulled out my video camera and directed it to the screen so that should I need to have anyone review the steps I took, I would have a visual record. I turned the computer on and it wouldn't boot. I ran through a few troubleshooting tips but ultimately couldn't get the computer to come up enough to do anything useful. Ultimately the wife will have to have someone get the computer in working order before anyone can search for illegal images.

I doubt I would have found anything of interest on this latest computer. For my first case, Internet speeds were slow and so people would collect images on their hard disks. Now those speeds have increased and it is easy to watch a streaming movies (clean or otherwise). About the best I could have hoped for is going through the browser history and seeing which websites have been visited. Of course, that assumes that the husband wasn't smart enough to use the incognito mode. Times certainly have changed.

Don't Hack a Hacker

This morning I got done skiing and had to work from my home office. I sat down at my desk and got an e-mail that began with the following:

   Hello!
   My nickname in darknet is HckD4*.

The poor grammar indicates that the person does not speak English as his/her native language. Already I am preparing for a SPAM e-mail, however I am intrigued. It goes on:

   I hacked this mailbox more than six 
   months ago, through it I infected your 
   operating system with a virus (trojan) 
   created by me and have been monitoring 
   you for a long time.

Interesting. I wonder if HckD4* is as tired of all the SPAM I get or if he/she thinks I get a lot of important e-mails? The message goes on:

   If you don't belive me please check 
  'from address' in your header, you will 
   see that I sent you an email from your 
   mailbox.

Well that's not that hard to do. If you know anything about Simple Mail Transport Protocol or SMTP, then you know that is a fairly simple task. Any hacker with about an hour of experience can fake a message to look like it came from your own server. The trick is to look at the headers for the e-mail to see if that is actually the case. In my e-mail client, I selected the box to show all of the header information and see that the message came from a server named z3.hck7.pro, which is located in the country of Panama. Needless to say that is not even remotely close to where my e-mail server is located. My original hunch is correct and this is just a SPAM e-mail.

For your enjoyment and mine, the message continues:

   I have access to all your accounts, 
   social networks, email, browsing 
   history. Accordingly, I have the data 
   of all your contacts, files from your 
   computer, photos and videos.

Even if I believed this person, there is nothing of value there. I don't do a lot of social networking. I don't visit questionable or incriminating websites. All of my photos on my computer are tasteful and probably boring to most people besides me. So at this point, there is nothing compelling me to be to afraid. Now we get to the point of the message:

   I was most struck by the intimate 
   content sites that you occasionally 
   visit. You have a very wild imagination, 
   I tell you!

Wow! If I didn't know this was a fake before now, I do now. Sure I visit a lot of video game sites but that shouldn't be embarrassing. What else would make me embarrassed?

   During your pastime and entertainment 
   there, I took screenshot through the 
   camera of your device, synchronizing 
   with what you are watching. Oh my god! 
   You are so funny and excited!

Oh if this was real, he/she must have a picture of me picking my nose or something. That really isn't that embarrassing. Furthermore my e-mail computer doesn't have a camera connected. My laptop does, but it is from work and so locked down with security software, there is not a chance in the world that someone has hacked into it. Trust me, our IT department takes a lot of crap because we have so much anti-virus software. For once I am glad it is there. Oh, my laptop is also a Mac and there are significantly fewer virus programs written for the Mac.

Finally, the hacker tells me what he/she is really after:

   I think that you do not want all your 
   contacts to get these files, right? If 
   you are of the same opinion, then I 
   think that $1000 is quite a fair price 
   to destroy the dirt I created.

The message then goes on to give me a bitcoin wallet and where to send the money.

Messages like this really make me angry. I have been using computers for a long time and know how to verify if the message is real or not. What about other people that don't? Hopefully you don't fall for such an obvious fake. How can you tell if it is a fake message? Well think about legitimate e-mails from people like your credit card company. An extortion e-mail should include some of the following:

1. Your actual name - This e-mail did not contain my name at all. It had my e-mail but that is necessary to contact me in the first place. If the hacker had really been spying on me, he/she would at least know my real name.
2. Some other information about you - Credit card companies always tell you the message is from your account ending in 4 specific digits. If those digits don't match any of your credit cards, you know it is a fake, unless someone has opened a credit card in your name without you knowing about it (but that is a topic for another time). This e-mail had nothing like that.
3. Some sort of proof - If you are going to try and extort $1000 from me, you better have some sort of proof that I have done something worth hiding from all of my contacts. How hard is it to send an image with proof? If you have the images claimed in the e-mail, it isn't. If you don't, it is impossible.

The more I thought about this e-mail, the more I realized how fake it actually is. Let's assume I have spent some of my computer time doing something I want to hide from my wife or contacts. Is it actually worth $1000 to keep hidden? Most of the people I know that cruise the Internet for pornography don't try to hide it. They may not brag about it in mixed company, but they are also not ashamed of it. Sure some people will be embarrassed but it might start a conversation that needed to take place anyways.

Hopefully none of you fall for such a scam. If you would like another source talking about this same e-mail in more detail, here is a good article.

OpenDNS

Last Friday I briefly mentioned some of the dangers of the Internet. While most know that they exist, a large number of people are not quite sure what to do about them. When there was only one computer in the house, it was easy to install filtering software and make sure it stayed updated. Now it is not uncommon to have a number of computers and devices like iPhones, iTouches, and iPads using a common Internet connection. Trying to maintain all of those filtering software installations can be a chore.

Recently I had a friend explain OpenDNS and so I set myself up an account. Once you have an account, you can modify the router settings for your home Internet connection so that it goes through their servers. You can then control how much of the Internet all of the computers on your network can see. If you are only concerned about pornography, you can choose to filter out only those websites. While they still exist on the Internet, the domain name service or DNS system that is used to look up the offending site's computer address is redirected to a message saying the site is blocked.

There are a few other settings that I found particularly helpful. I really hate websites that try to install a bunch of junk on my computer and so there is a setting to filter out adware. When I first set up OpenDNS for my home network, I was only concerned about a few things. Since then I have set up a number of new filters, not because I feel they are bad for my kids, but because they are annoying. It is like being able to turn off all of the commercials on your TV. Now who wouldn't want that? I highly recommend OpenDNS even if it is just so you don't infect your computer with junk.