DOS Attack Via US Postal Service
Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
What if people started doing this to political parties' donation mailing addresses? They would not be able to sort it out to get their money, effectively shutting them down.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
So instead of 600 magazines in my mailbox next month, I get 600 letters asking me if I want to subscribe? Sure, it's only a one time hassle instead of a monthly hassle, but it's still annoying. And calling to confirm is no less of a pain.
do not read this line twice.
If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms.
What's the chance of setting up a Perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!
Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!
What about possible collateral damage: did any of SpamKing's neighbors' mail delivery get slowed down (or otherwise affected)? (Is there any way to tell?)
Fun little story...
I recently was out of town for a few days. The tiny little mailbox that my apartment complex provides probably filled up on the second day, so the postal carrier took all of it back to the post office, and left me a lovely note that if I didn't pick it up in a few days, they'd send it all back. Luckily I got back in time to pick up my mail, but it was definitely an inconvenience tracking down which post office outlet had my mail and then taking the time to go get it.
So for a few days my postbox was shut down (mini DOS), because the postal carrier wouldn't leave me any new mail until I found the time to pick up what had already been taken away.
If the mail volume to Ralsky (the spam king) was great enough, I imagine the post office would have begun separating his mail before it got to him (as I imagine they already do) and sending it in a separate bin/bag to him. The post office is able to handle the volume... they have the technology... they can re-sort it, make it better..
Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
He suggests that you type "request catalog name address city state zip" into Google whereupon Google will kick back some 250,000 pages with online web forms to fill out.
Google now kicks back one hit - the article itself...
You really have to strip your search down before it starts returning anything.
I wonder, how does the USPS deal with a person who gets that much mail? Obviously they have to deliver it since that's their whole purpose, but I know the little mail truck that comes to my house probably couldn't fit a few extra hundred pounds of mail. And the poor mailman, and the mailbox itself.
I mean, logistically, how do they cope with it?
I work for a scummy direct marketing company, and can tell you that when people mail back dog shit, dead cats, bricks, etc. it really does slow business down because that mail is not sorted from the legitimate mail. From time to time the bomb squad is even called in to check an unexpected parcel and that can gum up the whole works.
I agree that you shouldn't piss off too many people. Believe me, I haven't shed any tears over Ralsky's fate. But the power of DOS attacks is that they can be initiated easily by motivated *individuals*. As I said in another post, it would be easy to automate what happened to Ralsky such that a single person could initiate a flood of junk mail to any specified postal address. Or maybe you could flood a town's post office with junk mail to create a diversion and then send a real nasty letter (e.g. anthrax) to the same place in an attempt to hide it. That is the real danger.
Geez! I'm becoming such a conspiracy theorist!
Four fifths of all our troubles in this life would disappear if we would just sit down and keep still. -C. Coolidge
Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law we've been moving away from for the past few thousand years, thankfully.
Wrong. Lex Talionis was the principle that you take NO MORE than an eye for an eye - promulgated as an "improvement" in an era where the response to losing an eye (or a purse) might be to do in the alleged perpetrator and confiscate all his worldly goods.
It's morally bankrupt, all right. But only to the extent that if the thief only loses what he stole, and has a nonzero chance of getting away with it, theft remains a profit-making enterprise despite full enforcement of the law. So it becomes an endorsement of theft as a lifestyle. This is why there are "punitive damages" - extra penalties to punish the perpetrator (thus making continued misbehavior a losing proposition even with imperfect law enforcement).
None of which applies here. Applying "Lex Talionis" to the spammer would mean spamming him, rather than seeking compensatory and punitive damages.
===
Which is what they did, isn't it? B-)
===
Lex Talionis also recognizes a moral principle of equivalency, to wit: In an egalitarian society, regardless of what actions you think are fair, you have NO moral gripe if someone does to YOU what YOU did to them. If it was wrong for them to do in retaliation, it was AT LEAST as wrong for YOU to do without provocation.
===
I note, by the way, that your posting is IDENTICAL to one you made several times previously - including in the slashdot article credited with inspiring the USPS DDoS attack in the first place. (And that last one I cited was under your own slashdot ID of Chuck Flynn.) Given that, I felt free to repeat, almost verbatim, my response to your most recent previous missive.
The posts that receive your canned response seem to be any suggestion about spamming the spammers. You wouldn't happen to be a spammer, would you?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
Theoretically they may have lowered the value of his house upon resale. Like murders or other infamous events in a house, it's the seller's responsibility to inform the buyer or the deal can be busted at a later date. So the spammer must inform the next buyer that they may receive a monthly flood of "For Alan Ralsky or current occupant" mail. I know I would think twice about moving into a cursed address.
I've hit Karma 50 and gotten a Score:5, Troll... I win!
If we could get any of these, we could have some serious fun!
... i.e. "ring ring - 'hello, Ralsky here' - *beep* *beep* - hang up - repeat 5 minutes later"
... we should at least be able to get this douchebag's fax number for his company - yes?
First - get his fax number into some key marketing/questionnaire databases and blamo! - Fax Spam Ahoy!
Second - Set up a couple of "Faxback" server attacks on those numbers. Faxback servers are fantastic because they're realllly dumb. Call them up on a toll-free number and order up a mess of documents to be faxed to wherever you want. The best part is that they're relentless - they will just keep on calling (up to 10 times) to try to make a connection.
It's mega-annoying - especially if you get a couple of them going at once - and at 3AM.
But heck
---- "Logoff! That cookie shit makes me nervous!" - A. Soprano
to determine the business addresses that those who actually respond to his spam would be sending their checks to and swamp those? Spammers depend on a very low operational cost model to make money. If they have to sort through 100s of items of mail for every one that has a check in it, you've just increased their cost of doing business.
If they're doing most of their business electronically, publishing a list of their SSL sites could be interesting. If we all ran something to walk the list once an hour and just make a connection to the SSL sites and leave it, they'd be effectively down. Negotiating the SSL connections has a high computing cost on their side.
If someone were to design a virus that does that and continuously checks into sites for new lists, I might actually try to get the virus.
In other words, if you want to have a real effect, go for cutting off the money.
When I scrolled through the posts, I was really looking to see if anyone here had been sued, or even contacted, about this potential suit.
So, has anyone heard anything yet? Personally, I think they'll have a hell of a time proving that anyone did anything. It might be a false threat to try to get the postal DDOS attack to stop.
IAAL