Bluesky Has an Extortion Problem

A cybersquatting scheme targeting prominent writers and entrepreneurs has exposed flaws in Bluesky's domain-based verification system, newsletter Tedium reports, citing users.

Bloomberg columnist Conor Sen reported receiving an extortion attempt this week when an anonymous user who had purchased his namesake domain demanded payment to transfer ownership. The episode has unraveled wider revelations of similar attacks targeting at least five other well-known users, including political blogger Matt Yglesias and The Hustle founder Sam Parr.

The platform's moderation team initially banned Parr's legitimate account while leaving the impersonator active, Sen told Tedium. The fake account was only removed after users escalated the issue to senior Bluesky staff.

Re:

[Pascoea]

You keep saying this like it's unexpected, or in some other way newsworthy. Bluesky is the current "new shiny thing" on the Internet, what do you expect? I'm not saying having kiddie porn on there is a good thing, I'm not saying it should be allowed/condoned/whatever, I'm just saying that it's a pretty "yawn" topic.

Re:

[GoTeam]

I'm just saying that it's a pretty "yawn" topic.

Despite your qualifications preceding this comment, your final statement is never true. If it ever becomes true we fail as a society.

Re:

[Pascoea]

If it ever becomes true we fail as a society.

That's a fair assessment. To further qualify the statement: It's "yawn" because dealing with it is a solved problem. There's perverts and trolls in the world, that's unfortunately not going to change. The only thing a service like Bluesky can do is delete the nonsense that they post, and from what I've read in the five minutes I spent "researching" the topic, they have a decent enough system in place to do so. [safer.io] But, again, you are right. Hand-waving it away as isn't the right way to put it. It should be de

Re:

[GoTeam]

Well said, however, with stuff like this involving children you should never stop stigmatizing it. It's a growing issue thanks in large part to the internet. So the current methods to fight it aren't good enough. Stricter penalties isn't the solution either since that hasn't helped so far. I'd have thought chemical castration would be a probable solution, but then I found out these sick fucks will get testosterone injections just to get that rush from offending again.

I got slightly off topic, but my point

Re:45000...

[dgatwood]

I'm just saying that it's a pretty "yawn" topic.

Despite your qualifications preceding this comment, your final statement is never true. If it ever becomes true we fail as a society.

Nope. The GP is absolutely right. Bad people exist, therefore bad people exist on the Internet. Child porn exists, therefore child porn exists on the Internet. And so on. So it should be a pretty "yawn" topic that it exists on a popular Internet site. The mere fact that it exists is entirely expected, because the site's contents are demographically representative of the people who use it and the people who advertise on it and the world in which it exists.

This is not the same thing as saying that it would be a "yawn" topic if it starts showing up unexpectedly for people who aren't intentionally trying to find it, of course, because that would be an epic algorithmic fail. It should be taken down when someone reports it, and if the site is big enough, they should be actively trying to prevent it, but expecting it to not exist is like expecting drivers not to speed or the wind not to blow.

Similarly, the number of reports is indicative of the number of users, not indicative of anything particularly problematic. 45,000 reports across 25 million users means that at *most* 0.18% of their users posted that sort of content, assuming that every one of those reported posts came from a different account, and the real number is probably a tiny fraction of that.

And this assumes that all the CSAM takedowns really were CSAM, too. Just because they took it down doesn't mean there was any abuse. Companies are likely to take down anything reported that even plausibly could be CSAM out of an abundance of caution, whereas some portion of that content could really be generative AI content that "looked too young", pictures of somebody's kid's rash sent to the doctor (probably not on that site, but you get the point), young people sending borderline images to their friends/girlfriends/boyfriends, and so on. So I wouldn't automatically assume that all of those 45,000 reports were legitimate CSAM.

Now if you said that there were 45,000 new burner accounts created every day that were all posting CSAM, that might be indicative of a real weakness in their new account validation, but otherwise, that's not a particularly alarmingly large number, IMO. Google had 5 million takedowns in 2023 (source [debuglies.com]), which is about 14k per day, and Google doesn't even run a social media site anymore. Meta had 24 million, which is ~66k per day.

So yeah, 45,000 really is not hopelessly outside the expected range for a social network. It's maybe 20x higher than Facebook based on the number of users, but that assumes that Facebook's user count actually matches reality, which it probably does not, so I wouldn't read too much into it.

In other words, it's not a yawn because CSAM isn't important to prevent. It's a yawn because given the number of users and how active they presumably are, that's not a surprisingly high number compared with other similar sites.

Re:

[jhoegl]

And I honestly doubt it, since Twitter has such lax policies now. Why would people who are doing their weird shit without restriction, move from it?

Re:

[Pascoea]

Because trolls will troll.

White lists to the rescue

[shanen]

[Feeding the trolls never helps, but Slashdot makes it too easy to propagate vacuous Subjects.]

The bad guys will keep looking for ways to break any nice thing. The economic models need to be carefully designed. On one side that means to benefit ALL of the people using the system (or company or technology) and on another side that means to block the bad economic models. (But in the case of Slashdot the economic model can't support fixing ANY of the problems and annoyances.)

But I do have a constructive sugges

Re:

[PPH]

The person (or company) that is actually famous can prove their identity,

Assuming that the white list maintainer can properly verify their claim. It doesn't seem to have worked out well for Google/GMail. I could be wrong. Perhaps there are really that many deposed Nigerian finance ministers.

If Google can't handle it (given their resources), who can? Perhaps Google just doesn't want to (for free, that is). Want to get on the white list? How much money do you have?

Re:

[Anonymous Coward]

Sounds like you're intimately familiar with (other) pedos.

Re:

[Anonymous Coward]

I know a guy that keeps popping up in photos with Epstein https://www.theguardian.com/us... [theguardian.com]

Re:45000...

[smooth wombat]

He shows up 67 times in pictures with Epstein, more than any other person. He also gave Epstein 14 different phone numbers he could be reached at.

Re:45000...

[ArchieBunker]

https://mynbc15.com/news/natio... [mynbc15.com]

The former president continued, saying the release of the documents could pose a hazard to major figures such as former independent presidential candidate Robert F. Kennedy Jr., who openly admitted to having traveled with Epstein on his jet.

To quote Elon Musk "concerning"

Re:

[smooth wombat]

How many of those reports are duplicates? Is this any different than the 200,000 children abused by the Catholic Church [bbc.com] in Spain?

What an appropriate name

[Rosco P. Coltrane]

exposed flaws in Bluesky's domain-based verification system, newsletter Tedium reports

Indeed...

Re:

[fleeped]

They take self-deprecation seriously! At the end, the author blurb starts with "Your time was just wasted by Ernie Smith"

Re:

[PPH]

Interesting reading on tedium.co

I'll have to hop over and read the retorts on tedium.com, tedium.c0m, tedium.con, ....

DNS based auth has DNS problems.

[MachineShedFred]

Why would anyone be surprised that DNS-based authentication might suffer from the same problems that DNS has been facing since the 1990s?

Domain squatting is a thing. It's always been a thing. And it will always be a thing until something is done to actually prevent it.

Re:

[Megane]

This.

Re:

[redback]

who hurt you?

Domain registrar problem

[Comboman]

Sounds more like a domain registrar problem than a Bluesky problem. Though in fairness, they are piggybacking their verification process onto a system was designed with brand names/trademarks in mind rather than personal names.

Re:Domain registrar problem

[pjt33]

Why would anyone expect people to treat their usernames as brands for which they should own the .com? Especially when most people have different usernames on different sites. It's absolutely a Bluesky problem.

Re:

[alvinrod]

In the age of the Internet influencer, the person has become the brand. In the past this was limited to celebrities, but the Internet has democratized this to the extent that it's now possible for the average Joe and Jane at home. Some of these people (including some who aren't even legally adults yet) are making hundreds of thousands or even millions of dollars. For any individuals this isn't a problem because they're largely limited to one platform (YouTube, Twitch, Instagram, etc.) and don't have as much

Bluesky Has an Extortion Problem?

[PhunkySchtuff]

Bluesky Has an Extortion Problem? No, DNS has an extortion problem.

Bluesky uses domains as a way to verify people who want a handle that doesn't end in *.bsky.social.

If I registered phunkyschtuff.com then I could use that as my handle on Bluesky.

Cybersquatters are buying domain names in the names of famous bloggers and other online personalities. When a domain name costs $20, it beats me why these people have not protected their own brand and registered their own domain names.

Bluesky is behaving exactly as intended - if you buy a domain name, you can use it, or a subdomain thereof, as your handle.

The problem is cybersquatters buying domain names to impersonate other people which, iirc, is already illegal – but good luck getting anything restitution on this, it's a notoriously difficult area to litigate and unless you're a company with lawyers on your payroll looking for something to do, it's simply not going to be worth taking it to court.
Look up the ACPA: https://en.wikipedia.org/wiki/... [wikipedia.org]