Slashdot Mirror
DOS Attack Via US Postal Service
Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree,
a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
It's like an executive summary of all the above links.
here
http://starboard.flowtheory.net/
Take:
Empirically, 1000 pagers (at 3-4 dial sequences per minute) equals about 4 days of constant calls to the vicitim's phone. How I know this is another discussion...
Of course, this was more effective when digital pagers were much, much more popular. Today, it probably wouldn't go over as well, but back in the late 80s and early 90s, it worked flawlessly. Essentially, it was distributed crank calling before the "DDOS" term was coined.
The most interesting part was that the pager companies explicitly refused to do anything about it. No tracing of calls, no attempts to halt sequential dialing, etc. Not their problem.
"the companies that are sending these items are directly bearing the cost of your DoS."
Costs passed on to the consumer.
"Sure, Sears can probably afford to send out one more letter, but catalogs are more expensive to print and mail."
No, they're cheaper. Instead of sending at Standard Mail rates, they're either mailed at Periodicals or Bound Printerd Matter. And the printing is also cheaper because there's no envelope stuffing or card folding involved. And the lighter-stock paper is cheaper.
"All these companies are getting screwed out of real money"
Measured in cents or franctions of cents per recipient. And depending on how much they're shipping and where, it may actually be cheaper for them to add in a few extra addresses to bump the mailing into the next rate (we're not talking bandwidth here). The more mail they have going to a three, five or nine-digit ZIP code, the finer level of presortation they can do and the cheaper the postage for everything in that particular sack of mail.
And don't forget these mailers are interested in addresses whether you're really interested or not. If you're not giving them Ralsky's address, rest assured that they're probably interested in buying his address from his bank, credit card company, car dealer, etc. The whole philosophy of bulk mail is that you're sending this information to people who may not know they're interested in something the mailer is selling.
The worst money loss comes from paying $0.37 + fee for the Business Reply Mail card you send in. If you feel guilty, don't use the BRM card and pay for the postage yourself. (Just putting a stamp on a BRM card/envelope doesn't work unless you remember to cover/obscure the "Business Reply Mail" box above the address, the five vertical bars to the left of the "stamp" area, and all those horizontal bars along the right-hand side.)
Alan Ralsky aliases and addresses.
Seems like his "real" address is:
Alan Murray Ralsky
6747 Minnow Pond Dr,
West Bloomfield,
MI 48322
Telephone: 248-926-0688
Current email address: amr777@comcast.net