Slashdot Mirror


Internet Based Attacks in a Physical World

scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Byers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internet-based Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information: 'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

4 of 290 comments

  1. Utter Nonsense by ePhil_One · Score: 3, Interesting
    A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

    What a load of self-serving crap. Which of course is completely shocking coming from such a community-oriented guy as a spammer.

    When I read this, I expected it to be about something a bit more substantial, such as using the internet to have someone's electricity turned off, or altering a satellite trajectory to include someone's house in its path; or maybe even taking over Dr Evil's Moon Laser to burn nasty messages in someone's lawn.

    But really, taking out the postal service with a series of mass mailings? What kind of fool thinks that an attack that works on one person will scale large enough to take out the post office, or hinder any sort of criminal investigation?

    --
    You are in a maze of twisted little posts, all alike.
  2. The solution is with the mailers by mlush · Score: 4, Interesting

    It would be very simple for a company to defend against being used in a scripted mail DOS attack.

    • Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
    • Some simple question/answer system to demonstrate the user is human
      • What is this a picture of? (multiple choice)
      • Enter the word in this picture
      • Could you type the company name in backwards (for lynx users)
      • etc
    • Use obscure names for the CGI parameters
    • Perhaps some sort of tripwire parameter called 'postcode' that actually holds the phone number, if a postcode is entered it causes the submission to fail

    With a bit of imagination the authentication could be turned into a competition...
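One way to implement the tripwire, obscured-parameter and human-check ideas from this post on the server side, as an added example (not code from the post or from the paper); the field names, ZIP pattern and company name are assumptions, and the two submissions are constructed samples:

```python
import re

# Assumed form layout (not from the post): the input labelled "Phone" on the
# page is named 'postcode' (the tripwire); the real ZIP code travels under the
# obscure name 'f7'. A script that fills fields by parameter name will drop a
# ZIP code into 'postcode' and trip the wire. robots.txt is out of scope here.
FIELDS = {"f1": "name", "f2": "address", "f3": "city", "f4": "state", "f7": "zip"}
TRIPWIRE = "postcode"
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")
COMPANY = "acme"  # assumed company name shown on the form page

def check_submission(form: dict) -> tuple:
    """Return (accepted, reason) for one catalog-request submission."""
    # Tripwire: a postcode-shaped value in the field that should hold a phone number
    if ZIP_RE.match(form.get(TRIPWIRE, "").strip()):
        return False, "tripwire: postcode-shaped value in phone field"
    # Human check from the post: the company name typed backwards (works in lynx)
    if form.get("hc", "").strip().lower() != COMPANY[::-1]:
        return False, "human check failed"
    missing = [label for key, label in FIELDS.items() if not form.get(key, "").strip()]
    if missing:
        return False, "missing " + ", ".join(missing)
    if not ZIP_RE.match(form["f7"].strip()):
        return False, "zip malformed"
    return True, "accepted"

# Constructed sample: a person filling in the form as labelled on the page
HUMAN = {"f1": "Jane Doe", "f2": "1 Main St", "f3": "Springfield", "f4": "IL",
         "f7": "62701", "postcode": "217-555-0100", "hc": "emca"}
# Constructed sample: a script filling fields by parameter name, no human check
SCRIPTED = {"f1": "Jane Doe", "f2": "1 Main St", "f3": "Springfield", "f4": "IL",
            "f7": "", "postcode": "62701", "hc": ""}

if __name__ == "__main__":
    for label, sub in (("human", HUMAN), ("scripted", SCRIPTED)):
        print(label, check_submission(sub))  # human accepted, scripted rejected
```

Logging the rejection reason alongside the source address gives a simple signal for spotting the kind of scripted mass submission the post is worried about.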

  3. 250,000+ catalog forms? Try 839. by rednox · Score: 5, Interesting

    I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

    Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.

    Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997.

    I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.

  4. Chris Crawford and Terrorism by Jeremy+Erwin · Score: 3, Interesting
    In his book Balance of Power (1986), the game designer Chris Crawford describes Terrorism thusly:

    Terrorism: The first step [in the development of an insurgency] comes when some hothead carries out an act of violence against the government. It is necessarily rather puny; after all we can't expect every hothead to have much military power at his disposal (thank heaven!). This act serves to galvanize opposition. Once people realize that there are others willing to fight back, they gravitate towards each other, and the insurgency begins to take shape. During this early stage, the insurgents will lack any real military power. They operate as part-time rebels, living during the day as regular citizens, but plotting their revolution in secrecy and making occasional strikes.

    It's a little dated, but it's a straight definition. Terrorists strike at targets of opportunity in urban areas. The goal of their attacks is usually not to go after military targets--in most cases they're too well defended (although see Beirut, Khobar Towers, Pentagon and, if you're willing to split hairs, the King David Hotel) but to inspire confidence in those who would support them ("We can win this struggle!") and inspire fear in their enemies ("They came out of nowhere. How could we let this happen?").

    Many terrorist organizations don't have a sufficient grasp of political reality to transform their terrorist activities into an effective opposition. Al Qaeda's goal was something along the lines of "worldwide Islamic Revolution"--something that can probably be characterized as "pure fantasy." Although bin Laden's "simultaneous, multiple-target" signature may have won him respect from other terrorist organizations, his tactics did little, if anything, to secure his stated political goals, and have instead (deservedly so) marked him as a mass murderer.

    Christopher Hitchens defined terrorism as the tactic of demanding the impossible, and demanding it at gunpoint. It's an interesting definition, but, of course, it all depends on what one views as impossible.