The XXX-piring Namespace - More Semantic Attacks
Date: Sunday October 28 2001, @05:40PM
Topic: The Big Picture

fnord writes "For a year or so I've noticed a pattern of news stories, both online and off, about domain name owners who have had their registrations expire, intentionally or otherwise. They (or others) then find out to their surprise that these names have been re-registered and are being used to host or point to pornography sites, even though the original site, including in most cases its domain name, had absolutely nothing to do with pornography. Why would porn sites do this?"

The most charitable explanation is that many such porn sites earn money by pageviews, they are simply intended to waylay eyeballs, even if only for a second. A more troubling explanation is that, as a considerable percentage of these sites were originally aimed at children, changing the ownership and content does not change that aimed at audience, it exploits it. While I haven't kept or can't link to more than a few of these stories, the following are typical, including the ratio of children's sites hijacked in such fashion, which seems at least 50/50 compared to sites which wouldn't be considered primarily children's sites. I doubt anywhere near half of all current sites online are intended for children, so that ratio of hijacked sites implies that this targetting of children by the porn industry isn't entirely random.

The most recent example comes from this week's NY Times (free registration required), concerning a financial site for children that was taken over by a porn site when the name expired. And I seem to be damned to making Britney Spears references on ICANNWatch. Parents, or others, going to what had been a home schooling site, could instead apparently see her naked.

What can be done about this? Like the proir owner of the "Catylaine" site, perhaps one could complain to ICANN, except it is well known ICANN pays its message boards little attention so they can claim plausible deniability. Or perhaps one could complain to the Police, unless one is in Flint, Michigan (or to the federal government, but not via whitehouse.com, which was not such a re-registration SFAIK, but has the similar intended effect).

In one of the most egregious examples I've heard of, the heidisearchcenter.org site for missing children, named after an 11 year old girl who was abducted and murdered in 1990, wound up as a porn site. The linked article is somewhat outdated. Within a few days of its publication, the site was back to its original function, though the homepage rather strangely uses a redirect to a Geocities site so I am not convinced without further checking that the domain name has yet been properly returned, the WHOIS is inconclusive. The Heidi article gets closest to giving an idea of the extent of this misuse (it seems to be standard operating procedure for some porn purveyors), as well as the possible intent, and lack of care.

A bit (too much) of history here. This appears to be an improvement on a previous technique, a semantic attack if you will, used by some in the online porn industry a few years ago. Some search engines were targetted by what was somewhat misleadingly called the meta-tag exploit. Many search engines allow repeated submissions of pages to be listed in their index (though with some restrictions ranging from days to months between submissions). The submissions could also come from anywhere, including various anonymous free and for-pay services, there was no check done that the submitter was the site owner, or acting on their behalf. In fact it wasn't unknown for a business to submit their competition's site more often than allowed (called spamdexing), thus getting the competitor's listing removed entirely from that search engine for apparently spamming their index. Many sites, even some belonging to large corps, are rarely submitted more than once by their owners, who are often unaware that one can resubmit so they have no reason to suspect others are doing so. The online porn industry took this loophole a step further and would simply copy another site's page, change the URL to their own, sometimes adding a line or two of redirect script that the search engines spiders ignored, and resubmit the listing. Because the content appeared identical the original listing and new listing often appeared one after the other when searching on a given term.

I had personal experience with this when doing a search for the term cheat+codes to help (?) a pre-teen neighbor with a computer game. A listing came up for the site avault.com, a games site, with an apparently identical listing immediately following. Without paying too much attention I clicked on the second link and was immediately mousetrapped and deluged with multiple pop-up porn windows, A rapid CTRL-ALT-DEL and subsequent browser shut down minimized the damage, but how many others, including children, wound up in a similar situation without knowing an easy way out? I did some research and wrote avault about this (I wasn't the only one, I did figure out they weren't to blame, others weren't so forgiving) and it was largely as a result of avault's complaints to the USG that such sites were cleaned up (avault were then negotiating to be bought out so really didn't appreciate being misused, and this was back in the free-flowing big money internet days).

Estimates at the time were as many as a million pages had been similarily hijacked, including religious sites and children's sites and, because of the nature of the exploit, most any indexed site was used as a target including otherwise normally assumed safe sites in .edu, .gov and .mil. It is impossible to imagine a million or so such submissions were done by hand, it had to have been done by automated scripts. If nothing else, the estimated billion dollar per year online porn industry can afford the best coders (and now, apparently, expiring domain names). As I recall there were a half-dozen or so people in Australia found to be responsible for at least some of this at the time and taken in by the police. I don't know if there were subsequent charges or convictions.

So much for history. Now we have a nextgen exploit that works even better and doesn't in any way appear to be against any ICANN policy, let alone illegal. By re-registering an expired name one doesn't mirror a previous search engine submission, one becomes it. And unlike the duplicate search engine technique, one also becomes the site, along with any description of it, on any other site which links to it, not just search engines. One also becomes the site that users have previously bookmarked, or that users time in their URL line, or that users send email to. Isn't this that situation M. Stuart Lynn spoke of in his anti-alternative root paper where one won't know where a given address goes? Well, this isn't an alternate root Mr. Lynn, it's yours, and it's targetting children with porn on your watch. Is it any wonder that the hammering of servers with requests for expiring names are being done by scripts? Where have we seen that before? And is it any wonder that it is sometimes difficult to re-register one's domain name? Why should a registrar re-sell you the name for a similar price when they can let it expire and then re-sell it, perhaps to the porn industry, perhaps at a markup?

This should hardly come as a surprise when ICANN Accredited Registrar register.com, using the name DiscountBin, auctions off childrenporno.com for $66. Discountbin is a register.com username (used on afternic, which it owns) for selling off names for which it wasn't originally paid. The sale has apparently gone through as that site now resolves with multiple pop-up porn windows and register.com makes more money than if it was a regular registration or re-registration, and supports childporn at the same time. Charming.

And BTW, while it seems to me of less potential damage, at least to children, it might get more of ICANN's attention (seeing as ICANN are almost entirely policy driven by the intellectual property folks). I'd like to ask why register.com is the putative owner of so many domains containing the string aol, for example, including many variations on aol and billing. Did America Online not pay their bill for these, or were they intended to be used for semantic attacks by others? Many ISP's including AOL, have been hit by the semantic attack in my previous submission on this topic, often tricking users into giving up passwords or even credit card info. As others asked, why use an obfuscated URL when you can use a real one? Indeed, get on over to afternic where they can be had for $12 to $56. If I was the first registrant, or a re-registrant of one of those names and attempted to sell it on afternic, I imagine I'd have some trouble. Interesting that register.com seems immune to the UDRP. Then again, ICANN registrars, once accredited, seem to have total immunity.

Seeing as register.com is not just auctioning names that were registered but never paid for, but they are now also auctioning off expired names, and seeing as the porn industry seems to have the most reason to register expired names, perhaps ICANN should become aware (assuming they aren't) to what extent the online porn industry, even the child porn industry, has become an ICANN source of funds. Oh well, not to worry, it seems even parents aren't above making ends meet through virtual pimping of children, though it is sad that father of the internet Vint Cerf has let his offspring fall so far from grace and into the gutter.

Given that ICANN's mandate is (apparently now) DNS security and (apparently now) the security of not going to alternate root URLs, and not the security of children to not be deluged by porn through alterated (I would say hijacked) second level domains for which ICANN has responsibility, and through its registrars which it seems entirely loath to police, no matter how loathsome their actions, perhaps this latest exploit should more properly be handled by the real government.

First time registrations in the legacy root are way down, first time registrations in the new TLDs are tepid and full of problems, re-registrations are also way down except (to some yet to be determined extent) for those taken by the porn industry. ICANN has a dirty little secret, a financial interest in the online porn industry, as they seem one of the few sources still willing and able to buy names in quantity. ICANN is not much closer to coming up with policies on expired names than they ever were, and that becomes less surprising when one sees the financial incentive to maintain the status quo. Clearly this semantic attack needs to be dealt with, and clearly it should be taken out of ICANN's hands, the sooner the better. -g

This discussion has been archived. No new comments can be posted.
The XXX-piring Namespace - More Semantic Attacks | Log in/Create an Account | Top | 15 comments | Search Discussion
Click this button to post a comment to this story
The options below will change how the comments display
Threshold:
Check box to change your default comment view
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Re: The XXX-piring Namespace - More Semantic Attac
by fnord (groy2kNO@SPAMyahoo.com) on Sunday October 28 2001, @07:30PM (#3226)
User #2810 Info
A bit of follow-up. Perhaps being pressed for time, I mistakenly typed:
that users time in their URL line
which should read:
that users type in their URL line
I also neglected to point out another angle. At least as far back as last February Declan McCullagh and USA Today were reporting that Osama bin Laden and other terrorist organizations were using steganograpy, which is a method for hiding files within other files, for example a text file within a picture, perhaps on a porn site. Such a choice would make good sense, even with access to the server logs it would be difficult to decipher which hits on such high trafficked sites might be more meaningful. And just to bring my two recent submissions into some kind of closure, Bruce Shneier, from whom I borrowed the phrase semantic attacks, isn't very optimistic about the ability to stop such traffic. -g
[ Reply to This | Parent ]
  • 1 reply beneath your current threshold.
Re: The XXX-piring Namespace - More Semantic Attac
by Ron_Bennett on Sunday October 28 2001, @08:31PM (#3227)
User #3011 Info | http://www.wyomissing.com/bennett/
Relax...the adult industry has been using similar tactics with toll-free phone numbers for years...this is nothing new.

If companies would pay their bills ONTIME they wouldn't lose their domains and thus wouldn't have such problems...Right?

And the most important aspect being missed here is the fact that adult oriented companies actually make money using such tactics...NOW WHY IS THAT?? Think about it for a second...if one intends to reach website "company.com" and they somehow are redirected to "nudepixs.com" instead, one would expect they would LEAVE and correct their mistake...right? But it turns out that some people when misdirected for whatever reason, instead of leaving, they will actually whip out their credit card and SPEND MONEY on a website they didn't even intend to reach...and NO ONE FORCED them to do that. Right?

I think it's high time for people to assume responsibility for their own actions - namely, renewing their domains on time...and lastly, why let expired domains go unused anyways...the adult industry helps maximize economy by recycling domains which helps registrars stay in business and in turn reduces the need to add more TLDs. A win win situation :-)
[ Reply to This | Parent ]
Re: The XXX-piring Namespace - More Semantic Attac
by fnord (groy2kNO@SPAMyahoo.com) on Thursday November 01 2001, @08:20PM (#3346)
User #2810 Info
At least one more expiring domain becomes a porn site, and as the prior owner let numerous desirable names expire, it might not be the only one. Quite an interesting article on that and other namespace sillyness here. -g
[ Reply to This | Parent ]
Re: The XXX-piring Namespace - More Semantic Attac
by fnord (groy2kNO@SPAMyahoo.com) on Friday November 02 2001, @06:07AM (#3356)
User #2810 Info
An article and user comments on this from Afternic. -g
[ Reply to This | Parent ]
Re: I'm not too concerned about this -- and here's
by fnord (groy2kNO@SPAMyahoo.com) on Monday October 29 2001, @04:47AM (#3235)
User #2810 Info
Anon writes:
Why is it the public's responsibility to protect other people's children from porn?
Why is it the public's responsibility to provide schooling, crossing guards, crosswalks, stop signs, or for that matter to protect children from predators? Is that all a waste of your tax dollars?
I say it is the parent's responsibility to monitor this stuff.
I couldn't agree more that parents need to be involved. My own then pre-teen children were writing code and hacking back when there were almost no other children to be found online. They still needed to be monitored and made cyberstreetwise as there were already pedophiles online who pretended to be children. But leaving it entirely up to parents just doesn't work, we're dealing with non-tech savvy parents monitoring non-tech savvy children to protect them from tech-savvy predators.
Buy filtering software and use it! There are many pieces of software that can filter URLS, eliminate pop-up ads, and ad banners
And there is counter-software to defeat that. I don't care for filtering software, for a number of reasons, here's a few. And as my submission dealt in part with porn sites buying up and using previously childfriendly URLs (did you even read it?) filtering based on URLs isn't just exceedingly dumb, it is now actually counter-productive, perhaps that is one reason such names are being bought.
If you are a religious fanatic and don't want your kids exposed to ANYTHING -- take away their computer. It is a safe bet that the Amish don't have problems like this in their house.
Actually you'd lose that bet, there are Amish online. Perhaps the Taliban would be a better example, perhaps not. FWIW, my opposition to this use of expired names has nothing to do with religion.
I have yet to see evidence that pornography in general is "harmful" to anyone. When I was a young kid I stumbled on my dad's Playboys
There is considerable research about the effects of pornography on children, much of it negative, much of it available online. Playboy style porn is far from the worst, though I don't think Playboy should market to children either, any more than the tobacco companies. But I guess that should be left to the parents too, every image on TV, movies, video games, comic books, billboards, is the sole responsibility of the parent to monitor? Guess your father's monitoring left a bit to be desired.

There are certain images that transcend my ability to properly process them, a horror is left etched on my mind. Examples include the Nazi death camps, the Zapruder freeze frames, the WTC on September 11. Another is a porn site, apparently from an orphanage in what used to be the Soviet Union, of emaciated children, many of them pre-teen, engaged in posed, though real and explicit, sexual acts. If this can sear the mind of an adult one cannot imagine what it might do to a child. Sorry, the internet is not your father's Playboy. -g

[ Reply to This | Parent ]
  • 2 replies beneath your current threshold.




  • This article comes from ICANNWatch
    http://www.icannwatch.org/

    The URL for this story is:
    http://www.icannwatch.org/article.pl?sid=01/10/28/214046