Internet Based Attacks in a Physical World

scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Beyers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internetbased Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information:'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

That's an easy one:

If you don't want to be attacked on a large scale from the Internet, don't piss off Slashdot readers!
It should be a no-brainer by now, and we have shown the effectiveness!

Re:That's an easy one:

[captainclever]

Seriously, has anyone written a script to auto-signup the same address for lots of postal spam?

Perhaps there is a sourceforge project, or a module in CPAN?

Re:That's an easy one:

[BrokenHalo]

I, too, would be interested to hear about this. Junk email is easy to deal with by hitting the delete button, but if the bastards get so much dead-tree mail the post-office has to make special arrangements, the direct marketers are going to squeal.

Re:That's an easy one:

[Thud457]

United States : We'll kick the crap out of you for no good reason, and then maybe stop off in one or two countries we saw on the way over here.

Re:That's an easy one:

[rifter]

Then read the article. The source code for the script is even in there. Sheesh!

Re:That's an easy one:

[wljones]

Alan Ralsky is upset by excessive unsolicited mail. I did not participate, but what cooks his goose soothes my dander. Help him out. Unsolicited mail can be used to heat the home or bury it. Who cares about Alan's objections?

Re:That's an easy one:

[mrcurtain]

Or.... you just need to be very careful about keeping your real identity a secret.

Vernor Vinge's short story "True Names" is a classic and discusses this very topic.

Re:That's an easy one:

[DeputySpade]

LOL!

"Read the article... Sheesh." is modded up as "informative"? That's awesome.

Excellent ideas

[Luguber123]

or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

I've recently had a tumult with the local tax-office, so input like this is more than welcome, I'll be comming back to slasdot for more of this later when I know how my tax application turns out for this year.

Re:Excellent ideas

[jandersen]

Getting companies to mail you lots of rubbish may be an excellent way to ensure you never run out of things to burn to keep you warm.

Re:Excellent ideas

[Luguber123]

I've been trying this approch since the electricity prices tripled in the beginning of the year. It works except those companies that like to send crappy preprocessed paper, it doesn't burn that well and I don't like those flashy colors it produces. I even got a environment magazine that was made out of this crap, so ofcourse I had to burn it, most of all as a act of protest :)

Re:Excellent ideas

[Zeinfeld]

I've recently had a tumult with the local tax-office, so input like this is more than welcome, I'll be comming back to slasdot for more of this later when I know how my tax application turns out for this year.

That is not such a great idea. Any attempt to intimidate a federal official is likely to be a criminal offense. Tax officials in particular are protected by specific anti-harassment laws.

Second, most tax offices have addresses that are automatically blacklisted by the catalogue companies along with prisons and such. Signing up the tax office for junk is such an old game that the direct mail operations are onto it.

All we need

[OneArmedMan]

now, is a way for the internet to deliver a flaming bag of dog poo to the doorstep of your favourite enemy and life will be complete.

Re:All we need

[Libor+Vanek]

I wonder nobody didn't come out with this idea during .com boom :-) And I'd bet he'll be running a successful company now.

P.S.
Just imagine the load of shit at Microsoft HQ ;-)

Re:All we need

[WeirdKid]

Ask and ye shall receive. Actually, I'm surprised nobody's sent this to the spammers already.

Re:All we need

[Bonker]

I wish I had an option to mod this +1, Disgusting...

Re:All we need

[elementik]

:D

Re:All we need

[sporty]

You mean +1, Poop :)

Re:All we need

[CGP314]

I believe he asked for it to be flaming.

Re:All we need

[Fishstick]

like this? dogdoo.com

as discussed in this thread on DDOS'ing SCO

Mind you, the flaming part does not seem to be an option.

Re:All we need

[Aliencow]

Somebody did, I think it was www.dogdoo.com (Ain't checking from work...) . It wasn't on fire, but still!

Re:All we need

[drunk_as_in_beer]

+1, For me to poop on

Re:All we need

[rifter]

Obviously you have never been to this site. They had some troubles recently, and were selling the site before, but looks like they are still in business...

No flames, though. You can't mail flaming dogshit and it would be tough to convince the mailperson to set a package on fire on a doorstep. I suppose you could hire minions in various cities to do your bidding and they could deliver/ignite the dog shit.

Re:All we need

[JoshWurzel]

Actually, no. This is more up his alley. ;-)

Re:All we need

[gfim]

Their address can't be fair dinkum, can it?

22405 Box Butte Ave

Graham

Who trusts the US Mail anyway?

[efedora]

"A scenario could be imagined where an attacker would do this to delay the arrival of an important letter...."
I don't know about you but I haven't trusted an important letter the the USPS for many years. Tax returns etc. go Certified or Fedex only. The USPS is just not reliable any more when the mail item is important.

Re:Who trusts the US Mail anyway?

[HowlinMad]

I both agree and disagree. For $.37, if it is in fact important, then no, I would not use the standard option. But, the USPS does have other services available, i.e. Certified Mail, Registered Mail, Delivery Confirmation, Signature Required, etc. These all cost more money, but once again, if the package is important, it is well worht the small cost.

So basically I find the USPS to be reliable, if you pay for the proper service.

Re:Who trusts the US Mail anyway?

[jellomizer]

Like Spam can delay the arrival of an important email or even have it compleatly loss in the mass, filtering, or by accident. That is the real threat of Spam. The fact that an Import Message via E-mail gets cluttered with a bunch of spam. This makes the email difficult to find. It like those pieces of junk mail that look like they are bills so you have to open them up to make sure that they are not billinging you for something you didnt sign up for.
If Spam companies were really reptibual they would actually be working for their stuff to be easilly filtered like the ADD: to the subject line. Because there are some people who like Spam for some reason, and others who hate it, and the majority who dosent care. So by helping people filter out their own Spam give a less bitter taist in peoples mouth about the Spam. Also it helps controol their e-mail.

Re:Who trusts the US Mail anyway?

[Oswald]

This is wrong. The mail is not unreliable. In 25 years of paying my own bills, I cannot recall a single instance where somebody I owed money claimed not to have received the check I sent them. That's hundreds of pieces of important mail without a single loss or serious delay, going back to the late Seventies.

Mostly people bash the USPS because it's something they've heard others do, not because they've had bad experiences. Have you had trouble with your mail?

And what is Certified Mail if it isn't USPS?

Thirty-seven goddamn cents for three- or four-day delivery anywhere in the country. A couple bucks to send a book via Media Mail and have it arrive 5 days later (10 days sooner than the estimate). I don't know what you want.

Re:Who trusts the US Mail anyway?

[ComputerKarate]

I completely agree. At 39, I cannot remember the last time I lost anything in the mail.

DanH

Re:Who trusts the US Mail anyway?

I've never lost anything in the mail, and personally think the USPS is pretty reliable. However, it's never been exactly all that fast. I once sent some things at the media mail rate, a box, and it took about a month to arrive. This is shipping from one end of California (SF area) to the other (LA area), from myself to myself.

I mainly view certified mail and things as a way to make sure that the receiver doesn't shift the blame when he loses the letter in his system or something, not as a way to make the mail delivery more reliable. It's still the same system, after all. :)

Re:Who trusts the US Mail anyway?

[jridley]

I find the USPS to be extremely inexpensive and reliable. They have never lost a letter or package of mine.

UPS has. I have only used FedEx on a couple of occasions, so have no basis for comparison. Every damaged package I've ever gotten came via UPS; some was literally run over by a truck; they had tire tracks on the boxes. This has happened to me twice. UPS forklifted a telescope on me once. I've never seen anything that was properly packaged get damaged by USPS.

USPS is also amazingly fast. For reasonably local mail (within 200 miles or so) if I drop it in the mailbox today, the person will ALWAYS have it tomorrow. Long distance stuff can take a long time, up to a week or a little bit more, but that's to be expected; they MUST run hub/spoke distribution to be able to provide service for the piddling amount they charge.

I don't believe that a private company could do any better than USPS does. USPS is, after all, essentially a private company anyway. I believe that if you compare similar (and similarly priced) services from USPS and a private carrier, you'll see at least as good service from USPS.

Re:Who trusts the US Mail anyway?

[non-poster]

Mod that up! That's a very important point.

Re:Who trusts the US Mail anyway?

[Thuktun]

This is wrong. The mail is not unreliable. In 25 years of paying my own bills, I cannot recall a single instance where somebody I owed money claimed not to have received the check I sent them. That's hundreds of pieces of important mail without a single loss or serious delay, going back to the late Seventies.

Maybe you're just lucky. Admittedly it hasn't happened frequently, but it does happen. One particularly annoying instance was when we lost over a dozen outbound bill payments. We had even dropped them off in person at the Post Office. They were hand-cancelled and were tossed into a large tub-o-mail. No idea what happened to the rest of that mail, but all of ours disappeared without a trace.

In our current location, the Post Office seems to apply a random permutation to mail delivery, as we often get other people's mail and others seem to get ours. Not everyone seems to be as honest as we are, because we've had a significant number of inbound Netflix movies disappear, never to be seen again.

Not exactly 100% reliable for everyone, it would seem.

Re:Who trusts the US Mail anyway?

[duffbeer703]

All US Court Systems, the army, most all banks, etc.

You should tighten your tinfoil hat, the mind control beams are getting in!

Re:Who trusts the US Mail anyway?

[hazem]

I realize one case is only anecdotal, but here's one.

My dad was living in Salt Lake and I was in Portland, OR. He needed to send something quick, so he used the $3.00 "priority", and also sent a regular letter that wasn't urgent.

I got the regular letter the next day. The "priority" envelope didn't arrive for 5 days. Of course, the USPS doesn't guarantee "priority", and only suggests that it might get there within two days.

But, I find it ridiculous that the $0.34 letter arrived so much faster than the priority letter, especially when they were sent the same day, at the same post office, using the same technician.

Re:Who trusts the US Mail anyway?

[murdocj]

The USPS frequently gives me mail that was intended for my neighbors. Usually it's junk but on a few occasions it's been important (yes, I either tossed it back in my mailbox or hand-delivered it).

When I say "frequently" I mean currently about once every week or two, but in the past there have been periods where I got the wrong mail 3-4 times a week!

Of course, what bugs me isn't getting my neighbor's mail, but wondering where my mail is ending up.

Re:Who trusts the US Mail anyway?

[AhtirTano]

Have you had trouble with your mail?

Absolutely!

I have never had mail I sent out disappear, but I have had several instances of mail sent to me disappear. The very first month I was in my current appartment, none of my utility bills (except the phone bill arrived) until I got a missed-bill notice.

When my former roommate moved out last summer, he submitted all the mail forwarding forms, but about half his mail continued to arrive in our mailbox -- personal letters, not bulk mail.

I used to order books from Amazon regularly. They sent most the packages USPS, and they failed to arrive at a rate of once every two years: a roughly 1 in 10 failure rate.

That's not to mention the letters that have come ripped, bent, or water stained.

That said, they have done some very hard work to get me my mail at times as well. The last jury summons I received was addressed to an place I hadn't lived in for four years, and I had moved three times since then. (I wish the HAD lost that one, but I guess you gotta give credit where due.)

I doesn't surprise me that most people have decent service, but some have terrible service; it all depends on the person working your route. The guy who delivered to my parents' place while I was in high school was very popular with the us teens. He never missed a basketball game in somebody's driveway. He'd always take the losing side, and he was a pretty good shot. He'd spend a good 5-10 minutes at each game. He'd also disappear into people's houses for 30 minutes (coffee breaks, affairs, who knows?), leaving the truck on the street.

Re:Who trusts the US Mail anyway?

[wass]

When my former roommate moved out last summer, he submitted all the mail forwarding forms, but about half his mail continued to arrive in our mailbox -- personal letters, not bulk mail.

I believe that mail forwarding (for reasons I do not understand) only automatically forwards 1st-class mail to the new address (and maybe some bulk 3rd class). Handwritten letters, IIRC, must explicitly state to be forwarded to sender.

Re:Who trusts the US Mail anyway?

[fishbowl]

Handwritten or not, if it has a 1st class stamp, it's 1st class mail.

Re:Who trusts the US Mail anyway?

[drunkenbatman]

Mostly people bash the USPS because it's something they've heard others do, not because they've had bad experiences. Have you had trouble with your mail?

Actually, yeah I have... a ton. Never had a problem with stuff getting out, but I had huge problems getting stuff in- almost all of it was foreign correspondance though. It was literally a crap-shoot... it got to the point where it was a joke, they'd pay for this super-duper type of mail that had to be signed, and it would just never get here... call the post office and they'd say you were able to get a refund for the costs. Lost some really important stuff that way- just wouldnt use them again for anything mildly important.

Re:Who trusts the US Mail anyway?

[Galvatron]

Yes, it is unreliable. I've had letters disappear, I've had packages delayed by over a month, I've had things delivered to the wrong address, delaying things by over 6 months, and on and on. I think you've been lucky. If all you use USPS for is paying bills (with printed return envelopes that get machine sorted), then yeah, you're probably alright. Anything else and it's not great.

Re:Who trusts the US Mail anyway?

[chimpo13]

Luckily, thanks to the spammers, there is no longer a majority who doesn't care about spam. It's no longer just a few messages. Of course, I get about 200-250 spams a day.

I'm still waiting for the crazy slashdotter who goes nuts and shoots a spammer to death. Who's it going to be? You?

dirty magazienes?

[corsec67]

Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale.

Heh, I gotta rember this excuse. "No, I didn't sign up for these dirty magazienes. It is some internet conspiracy..."

That, and why is he complaigning?

Re:dirty magazienes?

[jonnyfivealive]

are straight magazines embarassing to you? well, then perhaps you are the one that is gay. i would be much more embarassed to have something i didnt want than something i liked.

Re:The Economist

[mlush]

I think The Economist has the easiest and cheapest answer to the problem of spammers. Charge large emailers per send.. the economic disadvantage of sending out wasted emails would then help reduce the number and encourage targetted sending...

You missed the point here. The problem is not spam email, its a DOS attack using snail mail which damages both the target and the bulk mailers.

stop terrorism paranoia

[borgdows]

to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

This is NOT terrorism, it IS a crime!

Re:stop terrorism paranoia

[Luguber123]

This is NOT terrorism, it IS a crime!

I guess that depends more or less on what country it ends up in and who you send it to and most of all who sent it :)

Re:stop terrorism paranoia

That all depends on the intent of the letter. Terrorism is the use of force or threat of force for political or social objectives. So if the intent of sending a contaminated letter has either of those in mind, then it is terrorism.

Re:stop terrorism paranoia

[Larsing]

And if it's an Irishman? Or a Corsican..?

Re:stop terrorism paranoia

[tarogue]

If it's a rughead

So, if it is sent by William Shatner or Ted Danson it would be terrorism?

Re:stop terrorism paranoia

[Bartmoss]

One man's terrorist is another man's freedom fighter.

Re:stop terrorism paranoia

[Divide+By+Zero]

Depends on the perpetrator.

Depends more on the date.
Before 11 Sept 2001: a crime (harassment)
After 11 Sept 2001: a vicious terrorist act orchestrated by Osama bin Laden, and supported by Saddam Hussein's totalitarian regime to undermine the Homeland Security of the US (and justify the existence of Tom Ridge)

Bombing a building is terrorism. Gassing a subway is terrorism. Holding hostages is terrorism. These acts inspire terror.

Getting too much mail is just a pain in the butt. Maybe a crime, but mostly a pain in the butt. If getting too much mail is a crime, and mail is comparable to email, then getting too much email is a crime and we need to call out the feds on spammers. Maybe not a bad idea.

Re:stop terrorism paranoia

[kubrick]

William Shatner is...... already guilty of... acts of... terrorism...... against. TheEnglishLangauge.

Re:stop terrorism paranoia

[Larsing]

Depends on whether, with rughead, you refer to he hair-style of the person or that some cultures tend to wear "rug-like" head-wear. In my experience, it can be used both ways...

Either you have an even worse sense of humour than I have (which is very, very sad, indeed) or you honestly didn't get that joke... being a /.-er, I don't know which is worse!?

Re:stop terrorism paranoia

[CausticWindow]

I can only guess it haves something to do with the numbers used inside computers (binary, on the fsb or something), how that relates to Slashdot is beyond my comprehension.

Re:stop terrorism paranoia

[Larsing]

It all boils down to your definition of "nerd"...

Re:stop terrorism paranoia

[Joe+the+Lesser]

Did you see the movie 'Patriot' with Mel Gibson. Basically him running around sabotaging and murdering British troops during our revolution. I wonder why no one brings that up... hehe

Re:stop terrorism paranoia

To quote the estimable George Carlin, "If crime fighters fight crime and fire fighters fight fire, what do freedom fighters fight?"

Re:stop terrorism paranoia

[hoggoth]

> And btw, if there are 10 kinds of people in the world, why do you only list two?

I *think* you are pretending not to get it...
But just in case... try pronouncing it "there are one-zero kinds of people in this world..."

Re:stop terrorism paranoia

[SquirrelCrack]

Terrorism is *not* "the use of force or threat of force for political or social objectives".

It is the use of force, or threat of force against a civilian population for political or social objectives.

Re:stop terrorism paranoia

[Efreet]

In one snese that is true, but it also obsucres a lot of issues that shouldn't be obscured.

Most poeple would call anyone who uses violence against civilians to directly achieve their political objectives. Guerrillas might snipe at our soldiers form hiding, they might dress in civilian clothing, they might even blow themselves up next to our warships, but as long as they don't cross the line and go bombing civilians they can still be negitiated with, sympathized with, etc.

It really distrubs me to see the extent to which people are willing to call their enemies "terrorists" without proper justification. When someone in the Bush administration calls an Iraqi guerilla a terrorist, or someone on the Left accuses Nike of practicing "ecconomic terrorism" I can't help but feel that they are blurring a line that helps define what it mean to be civilized.

Re:stop terrorism paranoia

[Uri]

One man's cliché is another man's stereotype.

Re:stop terrorism paranoia

[Ozymandias_KoK]

My ass. Terrorists purposely attack civilian targets. It is their focus. Freedom fighters attack military targets. There is a difference, and it isn't related to whose side you are on. Ireland is a good example of this, much terrorism on both sides...

Trite phrases are no better an argument than analogies are.

Re:stop terrorism paranoia

[Bartmoss]

Your point being?

Re:stop terrorism paranoia

[Bartmoss]

Ah, and the US Military bombed Al Jazera (sp) in both Afghanistan and in Iraq. Coincidence? I think not. Military target? Uhm..... right.

I know perfectly well to distinguish between "real terrorists" and the propaganda ones. But that's the point - Propaganda works BOTH ways. For the US, the propaganda decries them as terrorists, for the other guys, the propaganda paints them as freedom fighters.

Note that I no where claimed that a "terrorist that is really freedom fighter" was one who attacked civilian targets. My point was that it's a broad label applied to everybody - case in point, Iraq and Al-Qaeda. Bush needed a reason to attack them, and when WMD didn't work, he tried the terrorist game.

Re:stop terrorism paranoia

[stanmann]

Troops /= civilians.

and if you recall, he went nuts because the British troops massacred civilians....

Re:stop terrorism paranoia

[be-fan]

So Hiroshima was terrorism? Makes sense. Also, in the long run, more Iraqi civilians died as a result of the Gulf War than did Iraqi troops. Another act of international terrorism? To be truthful, the definition of terrorism just depends on who you ask.

Re:stop terrorism paranoia

[Exantrius]

Does that mean we can arrest him without a trial, then execute him in a few years? If so, I heartily agree with this. After that Iron Chef USA fiasco, he deserves to... Go elsewhere. /ex

Re:stop terrorism paranoia

[stanmann]

And war is hell.
And the job of a soldier is to make the other guy die for his country, or else die trying.
IT is a line of work with certain known, quantifiable, accepted risks.

Re:stop terrorism paranoia

[SquirrelCrack]

I believe that Hiroshima would fall under the umbrella of terrorism as would any military campaign directed specifically at civilians.

check out this Book by Calib Carr.

It lays out the clearest definition "terrorism" that I've read yet. -T

Re:stop terrorism paranoia

[Fulcrum+of+Evil]

Did you see the movie 'Patriot' with Mel Gibson. Basically him running around sabotaging and murdering British troops during our revolution.

Well, it is a declared war, and that makes all the difference. I wonder if the US media will start using the Terrorism moniker for the up and coming mess in Iraq (when the Iraqis decide to evict us).

Re:stop terrorism paranoia

[kubrick]

Sure, we just have to be careful the Federation doesn't pull a Star Trek IV on us... time-travelling to "Save the Whale!" :)

Re:stop terrorism paranoia

[Exantrius]

I don't think there's anything to worry about. Noone will miss him in the future... Well, so much as us MST3k fan(atic)s will always pine over the MST-worthy crap that he puts out...

If anyone decides to do a MST4k, and does it well, I think you should look at http://us.imdb.com/Name?Shatner,+William for ideas on what to put in the premiere issues. Notice the "born in canada". I can see a whole season dealing with just his feces (maybe put it off a couple seasons, until you can take advantage of the cheap crap like netforce, "dude, where's my car" and anything with a pop musician in it. /ex

How to avoid an attack:

[akadruid]

This article doesn't really add anything new IMHO.
There is one sure way to keep yourself free of such an attack, which also helps to protect you against more common attacks such as burglary, car theft and mugging.
Keep a low profile.
It sounds blase but it is one of the simplest and most effective defenses.
In this case, the target has set himself up for attack, and IMHO deserved it.
For more common attacks, you can avoid notice by not flaunting stealable possessions, avoiding dangerous areas where possible, and not provoking other members of the public.
All of the above apply well to target in question.
Just my £0.02

Dupe attacks are similar

[worst_name_ever]

Tryint to get people to subscribe to Slashdot and making them read embarrassing dupes is an old trick. These attacks exploit the lazy properties of the editors as well as their unprofessionalism. All the pieces (that) are required for this attack to work. There's a real danger in this ploy, one that few people have likely thought about: "A scenario could be imagined where a story could be posted to Slashdot, and then the same story could be posted again a couple weeks later, to wreak havoc on the Internet for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the posting of a goatse link."

Re:Dupe attacks are similar

[Fallen_Knight]

well maybe to those who don't read ./ every single hour of every single day do not mind dupes as it gives them a chance to see stories on the frontpage again.

1/2 of the "dupes" are not "dupes" to me because i missed the orignal "dupe"

thou the ones where its 2 on the front page are bad... i will admit that.

But either way, why can't people just IGNORE dupes. THEY DO THEIR BEST!! IF IT IS A DUPE IGNORE IT!!

This always sneaks in...

[Kirin3]

"But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter."

You know, aparently *nobody* thinks up terrorist acts until the newsmedia lets them know everything they need to know to pull one off.

DOS by lawsuits?

[joostje]

I've always thought that in a way, a lawsuit often serves like a DOS attack, especially if it's a big company filing against an individual.

Basically, the individual is swamped with requests s/he has to answer, and using up larges amount of resources (lawyer fees).

Very similar to a DOS attack where a server has to answer loads of requests, eating away in its resources (CPU/netwerk traffic).

Re:DOS by lawsuits?

[Redking]

You're forgetting about the lawyer fees associated with launching such an attack. Yeah the big company has deeper pockets but it's not like companies are swimming in cash to launch a physical DDoS at their whim. There are significant "overhead" costs such as bad publicity and loss of reputation. And the company has to have some legal basis to file a lawsuit otherwise it's libel/slander city. However, if the company has a case against an individual, I would think ONE lawsuit is enough to cause the loss of the individual's resources (time, money, lack of stress).

Besides, launching an DDoS attack on the internet is relatively cheap in comparison. Once you have a large group of zombied computers on broadband you can control them to do your bidding with relatively no cost to yourself, unless you count the time used to conceal your activities.

rk

Re:DOS by lawsuits?

[joostje]

You're forgetting about the lawyer fees associated with launching such an attack. Yeah the big company has deeper pockets but it's not like companies are swimming in cash to launch a physical DDoS at their whim. There are significant "overhead" costs such as bad publicity and loss of reputation

True. That does make a real difference. On the other hand, $BIGCOMPANY has big pockets to spend on laywers, whereas I don't. Also, $BIGCOMPAN can send out thousands of cease and desist letters, at virtually no cost per letter.
But if I get one, that's gonna cost me dearly.

Simmilarly, in most DOS attacs, the atacking server also uses bandwidth (the money from the laywer DOS), but it eighter is on a bigger network (bigger pockets), or it is sending special small requests that use a lot of resources at the atacked site.

Re:DOS by lawsuits?

[Efreet]

The big company doesn't have to launch them on a whim, it just has to do so occasionaly, and with sufficient randomness to keep everybody intimidated.

Re:The Economist

[Timesprout]

Ths article is not about preventing spam. Its about how the postal serices, and probably a few others are vunerable to malicious disruption via abuse of internet capabilities

It's a way people express themselves

[shadowtramp]

All other ways being stripped from them on behalf of the terrorism fighting.

Oh! Wait!

to serve as a diversion for a terrorist act

Here i smell terrorism fighting again!

It'll be in the news soon: spam retailation prohibited because if you don't like spam you're helping terrorists!

Give me a break.

All credibility was lost with this scare tactic:

"to serve as a diversion for a terrorist act"

Re:Give me a break.

[Schezar]

I believe that this "slash-period" is a haven for terrorists, and I believe that they have weapons of mass destruction. It is therefore my duty, as the president of the great nation, to eliminate this threat to our freedom. In the next 12 hours, a campaign of "shock and awe" will be undertaken, the likes of which have never been seen. Nasty emails will be sent in unprecedented numbers. Trolls will abound, and will overcome the enemy.

The pentagon has recently developed a new weapon, a kind of super-goatse, and this new weapon will be used to great effect.

But, remember that this war is not against the people of "slash-period," but is against their terribly regime. CowbowNeal and his associate, Commander Taco. are the enemies here. Our targetted trolling will not be directed at the innocent and oppressed ACs of "slash-period" We are liberators, not conquerors.

Thank you, and goodnight.

(I'm not sure if I was trying to be funny, or if I'm just bored at work..)

Re:Give me a break.

[bhsx]

They say they are here; buy clearly you (boom!) see that they (boom!) are not. They are (boom!) liars and we shall choke them with their small intestes sending (pow!) them to hell (bang!), of all them to (krutch! [krutch?]) hell. I talk English better than you.
Mohamed Sayed Al-saCowboyNeil* (...boom!)

*or something like that, leave me alone I'M DRUNK

Guerrillas and gorillas...

[jkrise]

"Let's hope anti-spam, anti-marketing guerrillas can keep their perspective and priorities in order."

When the spam and other ass-orted gorillas get their perspectives in order - then let's talk of anti-spam guerrillas.

"A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"

Pure FUD and crap. How many times has spam stopped important mail? How many times anti-spam filters have deleted the 'wrong' mails? Apparently spammers have exclusive abuse rights on the 'system' while lesser users don't! Intriguing.

Re:Guerrillas and gorillas...

[irving47]

I'd submit there's a little difference between guerillas and vigilantes. I suspect that with these guys, if this stuff shows up on their doorstep, chances are, they did something to bring it there.

Re:Guerrillas and gorillas...

[dave_mcmillen]

"A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"

Pure FUD and crap.

Oops, I'm sorry . . . They've invoked the T-word ("terrorist"), so you are no longer allowed to express any doubts, reservations, or hesitation. Your Patriotic Duty(TM) is to wave a flag and go along with whatever they say. If you're not one of Us, you're one of Them.

Re:Guerrillas and gorillas...

[mdfst13]

I don't think that FUD is the right phrase, maybe scare tactics instead. Someone could use that kind of attack to do those things. However, as you note, they could also do the same thing with email (replace contaminated letter with virus). That's the whole point. I've already faced the problem of someone accidentally deleting an email from me because they thought it was spam (didn't recognize the account from which I sent it after I changed accounts).

Spam does me real damage five ways: I pay added costs to support delivery of the spam to me (not a cost of postal junk mail, which is sender paid; in fact, postal junk mail actually helps keep my postage down due to economies of scale); my time recognizing and deleting spam; the opportunity cost of missing a legitimate email because it looks like spam; the opportunity cost of my email not being read because someone thinks it's spam; the opportunity cost of not being able to post an email address on the web for fear of spam. Not to mention the fact that spam drowns out the possibility of legitimate use of email for lists and marketing purposes (opt-in lists, etc.).

Re:The Economist

[locarecords.com]

You feel there is no causal link in this attack?

Thats like saying how do we solve the problem of cluster bomb removal without looking at the cause being the fact that they get dropped!

Spammers are a social ill, and an attempt at revenge is simply sending lots of post to them. If anything we should be asking about the issue of revenge and not the problem of individual attempts at revenge.

If someone shot him would you be asking about the abolition of guns? Or would you be trying to draw a causal link of what drives people to do these things?

Technologists look at things from funny angles....

the point of preventing an important mail getting through is banal in the most extreme...

The question is surely that this man has caused this social disturbance by his actions, and he should be hit where it hurts in his wallet...

They forgot a key tactic

I always liked the idea of placing a classified ad for a mint 1978 Camero for $750 (b/c you're getting a divorce yadda yadda) and then listing your bud's phone number as the contact info. Best to use Auto Trader or the like because the ads run longer than newspapers and can't be cancelled in a day. Never done it, but sure have been tempted on occasion...

Re:They forgot a key tactic

[beacher]

The next best thing is to place an ad in the sunday paper for a yard sale for the mark's place, make sure you mention that a lot of collectibles/antiques are up for sale, and that early birds are welcome.

I'm not sure which collectibles/antiques have the most rabid followers, but I'm sure some research will maximize your fun.

-B

usps doesn't help things, but that's the way it go

[supernova87a]

take for example the post office -- you'd think that one of their aims would be to promote less junk mail for all of us. But that's not how it works in a society where the bottom line is how much money you can rake in. And god forbid the government take an "anti-business" stance.

So what is their pricing scheme? It costs 37c to mail a single letter, but if you're a physical spammer, you can get huge bulk discounts, effectively making it more attractive to spam. I say, why not make junk mail *more* expensive?

Will email, if charged per-piece, be any different?

What about me?

[the_Bionic_lemming]

'A scenario could be imagined where an attacker Sending Spam would do this to delay the arrival of an important letter, to wreak havoc on the Internet Infrastructure for Selfish Profit reasons, or even worse, to serve as a diversion for a Virus, such as the mailing of a Trojan.'"

Easy!

[WetCat]

New BMWs have windows as their main computer.
If they are connected to Internet via wireless connection, and are hacked...
For example you can turn off engine, block doors and lock windows. Slow death...

important letter scenario

[wjvdt]

'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter...'

What about the important e-mail that is delayed/deleted when we run SPAM filters on our e-mail?

Real life damage

[termos]

This one guy I know were loosing over someone in Quake3, and came to the other guys door to beat him up.
I can only imagine his frustration.

Mass Showing

[Flamesplash]

I think that when a large number of people are willing to spend their time physically DoS attacking someone then maybe that person deserves it. I don't think that if an individual just had a grudge against the spam king that person would have been able to really do much damage, but obviously enough people felt the same way.

I see it kind of like picketing, one person doesn't really do that much harm, but if enough people are pissed off....

Re:Mass Showing

[Eimi+Metamorphoumai]

Obviously you didn't read the article. The whole point is that instead of being limited by the free time of the people you piss off, the attack can be automated. That is, I could (were I that sort of person) whip up a quick perl script, search google, and sign the target up for literally thousands of different mailings all by myself. So where the attack on Ralsky came from a cadre of attack geeks, the attack against YOU could come from that one script kiddie who has nothing better to do with those ten minutes.

Re:Mass Showing

[Eimi+Metamorphoumai]

Ok, so it's a bit harder than that, but I'm not convinced it's much harder. Randomly check and don't check boxes, a little logic based on "Please" or "Please don't", if there's a required field you don't have information for put in 12345, else leave it blank. There will always be a few that slip through the cracks, but the idea is the spammer approach, that if you can only get half of them to work you've still launched a bewildering attack. It might take more than ten minutes, but I bet it wouldn't take a good hacker more than a day or two to get one that could successfully work for more than half of the forms out there. The lesson of script kiddies is it only takes one person with the knowledge to write it and the perverse nature to make it widely available before anyone with a grudge starts using it. Really, the hardest part of the whole thing is getting the information.

The easy way to avoid tons of junkmail...

[WegianWarrior]

...as well as deathtreats, flaming dog-do on your front door and drive-by TPing of your home; don't spam or otherwise piss off a lot of geeks.

Or, if you live in Norway (and I recon several other places offer this as well), tell the postal service that you don't want the junkmail... It still won't stop the rest of the nasties, but your postbox won't fill up as you stomp out the burning poo.

Idiot

[theLOUDroom]

or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'

God damn. This just makes me want to punch him in the face. Why the fuck does everyone always have to bring terrorism into everything? Ever since 9/11 we have had idiots, making comments like this about EVERYTHING. I am so sick of it.

This guy's statement require ridiculous stretches of the imagination of one to even think of a way it might benefit a terrorist. I mean, seriously, use some common sense here. If you're trying to send someone a letter full of anthrax, you want it to actually get there.

Yes, terrorists could use cars too. Maybe we should ban cars! That way a terrorist can't get his hands on a car and start running people over. Just imagine how many people he could kill by driving down a busy sidewalk! We better hurry!

Then we'll have to ban chair-lifts too. Imagine how many people would be injured or killed if someone cut the cable! We can't have that, now can we?

Ya know, they used fertilizer to make that there Oklahoma City bomb. We better get rid of fertilizer too.

But wait! That still leaves arson! We better make matches a restricted item. Can't have a terrorist going around burning down houses, no can we?

This kind of moronic reasoning makes me want to get this guy alone and "exploit the automation properties" of a few choice power tools.

See! Power tools can be used for evil! Better get rid of those too. Never mind that the benefit they provide to society far outweighs the cost. Never mind that this is supposed to be a "free" society. Won't someone please think of the terrorists?

Re:Idiot

[brettlbecker]

I completely agree.

The culture of fear is just sickening, and the fact that the government and state agencies are exacerbating the 'terrorist' buzzword is repulsive. As if it wasn't bad enough, the major media outlets are constantly trying to one-up each other with hysterical reporting.

All of this serves to show how gullible, how willing most people are to accept all of this as fact. It brings out the frightened-herd metaphor in all of its glory. And it makes one wonder what happens when the world's greatest superpower is also the world's most terrified nation. What happens when animals are backed into corners?

This is not likely to end soon. Things are going to get worse before they get better... that is, if there is a chance for things to get better.

B

Re:Idiot

[curtisk]

This is not likely to end soon. Things are going to get worse before they get better... that is, if there is a chance for things to get better.

....elections are coming up before you know it....make 2004 count!

I'm a severe cynic as far as the election process goes, but if you don't even vote thats even more useless.

Good post and parent post BTW

Re:Idiot

[swordgeek]

Well since you're already modded up to 5 (i.e. I can't moderate it up anymore), I might as well post.

Agreed 100%. I keep hearing about the potential for "Terrorist attacks," mostly coming from US government officials or Concerned Citizens(tm). Do they forget that the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen? Or that they killed less people in total than are killed in the US by handguns every single day?

Give it a rest folks! There will always be some way for psychopaths to kill people, possibly en masse. All that regulating every aspect of life does is annoy people, and make it impossible to live normally anymore.

Re:Idiot

[/dev/trash]

Do they forget that the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen?

They were? And what was this person's name?

Re:Idiot

[Seraphim_72]

Let us not forget that the current mantra actually dates from a book published in 1949. That mantra is of course - "War Is Peace" the book of course is 1984 by George Orwell. A perpetual war state is need to keep the masses in line and so whipped up into a frezny so they dont think about the rest of thier "prole" lives.

Re:Idiot

[datawar]

Rubin isn't proposing that we ban anything. He's simply pointing out that such possibilities exist. Security experts are paid to think up of unlikely, yet problematic scenarios, and he's doing exactly that. His statement WAS insightful, and doesn't all have to do with terrorism, but rather with disruption of service (which is one of the subheaders of terrorism).

And yes, cars and power tools can be used for evil too (see Oklahoma City bombing), and so can pencils and scissors. However no one is rushing out there to ban any of those things! In fact, as far as I understand, signing people up for junk mail is mail fraud and is already illegal.

The guy simply made a statement that has real value (it's not trivial, and I bet you didn't think of the possiblity) and may have scholarly reprecussions within security circles, or somehow factor into decisions of policy-makers.

Anyway, point being the man was simply making a true statement. If you see his statement being spun out of control by politicians or enforcement agencies or something, then you can get angry at them.

Re:Idiot

[chriso11]

I was reading your post until the "t" word. Then I got so scared, I pissed in my pants and put plastic wrap around my cube!

Re:Idiot

[theLOUDroom]

Rubin isn't proposing that we ban anything.

Way to miss the point.

He's simply pointing out that such possibilities exist. Security experts are paid to think up of unlikely, yet problematic scenarios, and he's doing exactly that. His statement WAS insightful, and doesn't all have to do with terrorism, but rather with disruption of service (which is one of the subheaders of terrorism).

I don't think his statement was insightful. As I said, it reqires extreme strteches of the imagination just to even come up with a scenario where this could become a real problem. Using bulk mail to clog the USPS is not likely to happen. It's not as if the companies have infinate resources and are going to send out an infinate number of catalogs, with no checking. The whole idea is just silly fear-mongering.

This reeks of an "Oh, well maybe if I can figure out a way to associate this with terrorism people will pay attention." line of thinking.

Anyway, point being the man was simply making a true statement.

Yeah, because the USPS is clogged by terrorist junk mail as we speak.

Security experts are paid to think or scenarios that could actually happen. They aren't paid to think of things like: "Wait...I got one! What if the terrorists start calling everyone up on the phone, every time they try and get some work done! It could bring our nation's economy to a standstill."

Re:Idiot

[Fulcrum+of+Evil]

,i>They aren't paid to think of things like: "Wait...I got one! What if the terrorists start calling everyone up on the phone, every time they try and get some work done! It could bring our nation's economy to a standstill."

Oh My GOD! Telemarketers are in league with Al queda!

Re:Idiot

[datawar]

Security experts are paid to think or scenarios that could actually happen.

Until 9/11, you would've said the same thing about airplanes flying into buildings.

I'm also rather skeptical of the statement that it will take infinite resources to clog the Post Office (and it definitely would not take an infinite amount of resources to clog the internal post offices of corporations or government offices).

Just as its a good idea for sys admins to think about their networks' response to [D]DoS attacks, it's probably a good idea for corporations/government offices to think about how to respond to physical DoS attacks (whether it be from terrorists or kids). If inserting the word 'terrorism' is the only way things get done these days, so be it. Note that I'm not supporting that mind set, I'm simply saying that the word 'terrorism' carries a big stick behind it, and often the only way to get policy makers to do something/anything is to somehow tie it up to terrorism...

If only there existed a tie between the RIAA and terrorism...

Re:Idiot

[theLOUDroom]

Until 9/11, you would've said the same thing about airplanes flying into buildings.

Nope, not really. It's not like 9/11 was the first time a plane was ever hijacked. Know what I have?
A poster with the WTC bombing on one side and the Air France hijacking on the other side. It was produced by the US government prior to 9/11.
9/11 exploited a flaw in policy. It doesn't require much of a stretch of the imagination that someone who hijacks a plane could be suicidal, yet our policy was not to resist the hijacker. It's not like 100 people couldn't have kicked the ass of a few guys with box cutters.

I'm also rather skeptical of the statement that it will take infinite resources to clog the Post Office

You should be. But I never said that. I said all those companies that send out free catalogs don't have infinate resources. Big difference. The point is that an attack of this type can only be of very limited proportions. It won't take long before AOL notices that it is sending 2/3 of it's CDs to Somewhere, Somestate. It does cost them money to procude them.

If inserting the word 'terrorism' is the only way things get done these days, so be it.

Not for me. When someone tries to tie terroism to something silly, they look like an idiot. If you really think fear-mongering is a valid way of getting things done, that's a real shame.

Folks, this is a good thing

[hafidhahullah]

Support your local post office! Business junk mail helps subsidize the government's insatiable need for tax revenues. Less taxes for you. The end product of a mailstorm is lots of paper for your local recycle centers. Everybody benefits.

Re:Folks, this is a good thing

[maxume]

The post office is required by mandate to be self sufficient.

Try it with a Harley

[maddogsparky]

A few years ago, some of my dad's coworkers posted an add for a brand new Harley-Davidson motorcycle in one of those trader magazines. They listed their plant manager's number and stated that he worked evenings, so the best time to call was between 1-4 AM.

Apparently, he started getting calls from several states away from irate bikers who were pissed at HIM when he told them he wasn't selling one (he never owned a motorcycle).

Utter Nonsense

[ePhil_One]

A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.

What a load of self serving crap. Which of course is completely shocking coming from such a community oriented guy such as a Spammer.

When I read this, I expected it to be about something a bit more substantial, such as using the internet to have someones electricity turned off, or altering a sattelite tragectory to include someones house in its path; or maybe even taking over Dr Evil's Moon Laser to burn nasty messages in someones lawn.

But really, taking out the postal service with a series of mass mailings? What kind of fool thinks that an attack that works on one person will scale large enough to take out the post office, or hinder any sort of criminal investigation?

Re:usps doesn't help things, but that's the way it

[andkaha]

(slightly offtopic, sorry)

Will email, if charged per-piece, be any different?

How would that be implemented in a secure and reliable way? In the MUA or in the MTA? How would mailing lists be treated? How would you get everyone to use it (and not start using e-mail by ftp, http, or some other tunnel)? Would there be a threshold that you had to pass before the charge was applied? Where to place that threshold and would it be in bytes or in number of e-mails?

Re:The Economist

[mlush]

You feel there is no causal link in this attack?

You have again missed the point. Smail mail DOS can be targed against people who arn't spammers!!! (Gasp!) The article (if you care to read it) mentions it is a farily trivial script would automate the signup process to some 250,000 sources of junk mail. The fallout from such an attack would affect everyone in the area causing lost and delayed mail as well as exploiting many legitamate companys sending the mail.

Re:usps doesn't help things, but that's the way it

[bofkentucky]

Spam and Periodicals actually use more efficent methods to deliver mail, those fancy bar codes make their mail easily routable, your scriblings on the envelope require human eyes to sort to the correct address, human's cost money...and postal workers are some of the most expensive, the added inefficency of union workers and gov't workers makes for very little work.

Another Reason For Online ID

[lysurgon]

This whole mess (spam, snail-mail attacks, etc etc etc) is just one more reason to salivate over the day when a legal and user-friendly online indentification system is in place (e.g. ping id or some further derivation). This will drastically reduce spam as well as making it very difficult to sign other people up for things. It will also kick start the next .com boom (as individuals and businesses worldwide will be able to easily form binding agreements instantly across the globe).

GPG isn't enough. Don't wait for passport. Get your company/family/self started on federated ID today.

Executable script-kiddies?

[Potor]

It's their view that a small program could be written, such as an easy-to-execute "script kiddie," that could effortlessly scan millions of sites on the Internet, detect which ones have free online subscription or information request forms, and fill out the forms with a victim's name and address.

what's your favourite way to execute a script-kiddy?

Re:Executable script-kiddies?

[zhrike]

what's your favourite way to execute a script-kiddy?

Drawn-and-quartered. It's still too good for em.

Re:Executable script-kiddies?

[Surak]

Apparently, anthrax, disuised in a sea of junk mail and magazine subscriptions so that the victim script kiddie never opens it. ;)

Re:Executable script-kiddies?

[msouth]

I think the answer to that was already given in Slaughterhouse Five.

Coordinated?

[zhrike]

In a co-ordinated effort, anti-spam activists dug up Ralsky's home address, his telephone number, even pictures of his extravagant home, and the information was posted online.

Coordinated my ass. I know that there were calls in the discussion to do some of this stuff, but someone I know very well decided to do that as soon as this person (who shall remain nameless) read the article where this arrogant ass bragged about making a fortune by disregarding all sense of decency.

Fuck him, and fuck this author. People will act and react to certain behaviors. They're called "informal sanctions" in anthropological terms.
Ralsky got a taste of his own medicine based upon the fact that a lot of people were very pissed off at his actions, and there was no "co-ordination"(sic) necessary. Calling it coordinated lessens the impact of the largely spontaneous reaction.

Re:Coordinated?

[redheaded_stepchild]

Ok, so let's get coordinated!
We'll call the past posting a retaliatory action.
Next up- the pre-emptive strike!
1. Get the names of spam-king wannabes (doesn't really matter if their have weapons of mass mailing NOW, does it? We'll just pick some names out of the business listings, specifically the section entitled "Mail Order")
2. Post their info
3. ....
4. Anti-spammer joy!

Info: related attacks

[jtheory]

Newsflash: the evil spammers are fighting back and hitting slashdot where it hurts, by submitting stories to the slashdot site that have already been posted and discussed.

These stories are known in the slashdot community as "dupes", and the practice (now becoming well-celebrated in the spammer community) is called "duping the nerds".

Stay tuned for more details in the next posted article, (and again next week, ...and probably again a few days after that, if a new newspaper article is written about it).

Don't make the mob mad.

[Ironpoint]

The best way to defend from internet attack also works in the real world. Its called "Don't make large groups of people angry."

This seems like complaining that the internet allows collaboration of large numbers of like minded people. Yeah, thats the point. The failure of this article is to understand that it is not organized. Thats like saying that all the death threats the Dixie Chicks got all came from one organized structure.

Hundreds of thousands of people are not going to conspire to commit a single crime (Anthrax letter example). That's ridiculous.

To suggest that just because a large number of people are equally angry and respond in a similar way (through mailing etc), that the response is organized is stupid. People who want control set up straw man organization because they can't compete against 100,000 individuals. How many times have we heard "Those protests are completely organized by organization XYZ, they have buses that bring people in". Or in labor problems: "Its XYZ union that is causing the strike, most of the workers don't care" By using the tactic of combining the perception of voice down to a single entity, detractors can be more persuasive in gaining mindshare.

My solution

[goldcd]

Spam exists purely because the time spent by the spammer is of less value than the reward he gets. We don't need to completely eradicate spammers, just slow then down until it's no longer worth the effort and they quit. Try mposing limits on the amount of email that can be sent per ISP user. If it's set high emough then it'll very rarely bother a legitimate user, but make it stop it being cost effective for spamming. Say 500 emails per 7 days from one user on an SMTP or 1000 from a mailserver running on an ADSL. If you're having to send 1 million mails then signing up for/hijacking 2000 accounts is going to slow you down a bit. This would hopefully stop spamming from 'friendly' services.
Rogue ISPs are trickier to deal with, perhaps the throttling could be used? e.g. AOL trusts MSN, therefore anything originating from MSN would be allowed straight through. AOL is slightly more warey of rogueisp.cn so throttles the acceptance of messages from them to say 50,000 a day before it starts bouncing them. If rogueisp.cn behaves then everything will work perfectly, if they allow their network to hammer AOL then AOL will start chucking the emails back at rogueisp.cn clogging up their system. A perceived problem with this is that legitimate email gets bounced - tough. Rogueisp.cn gets to explain to their customers why "AOL has returned this message because of flood of crap sanctioned by your ISP" is attached to the message that's just been returned unsent. RogueISP can now decide to enforce sendmail throttling as mentioned at the top, or lose its customers.
Tweak the quotas so the better an ISP behaves, the higher it's quota goes and vica-versa and we can polarise connected ISPs, and it's then not to hard just to blanket ban the bad guys.

Think about what this can do to companies..

[defile]

Imagine though, that instead of signing up just any plain individual with an ego problem, that you signed up a business for all of this junkmail.

Think about a company sabotaging its upstart competitor by saturating their mailbox with junk. The competitor starts missing bills, notices from vendors, etc.

Or even worse, imagine someone who has been screwed by the phone company one too many times decides to mailing list bomb their bill payment center. The costs of processing payments shoots up while mail peons have to separate the payments from the junk.

Congresspeople start getting cut off from their constituency.

etc...

And the worst part is that this is so hard to undo. Even if you take the effort to unsubscribe from every single mailing list you're on, it would take the attacker mere seconds to re-add you to all of them.

This is probably one of the most devastating non-violent denial of service attacks you can utilize today.

Moral of the story: don't piss people off.

Re:Think about what this can do to companies..

[stephenbooth]

Congresspeople start getting cut off from their constituency.

If politics in the US is anything like it is in the UK then junk mail bombing is not required, it's already happened. Politicians are already cut off from the electorate; isolated behind walls of secretaries, PAs and special interest group contributions.

Maybe things are better in the states? But here in the UK it's rare to find someone who can name their MP or local councillor, let alone remember any of their election promises. I've been eligable to vote for 15 years now, I've written to my MP about once every 18 months on average (5 different MPs) about various local and national issues. So far I've received only one reply, and that tried to dodge my questions.

Stephen

Re:Think about what this can do to companies..

[Efreet]

I think that it would be a lot harder for a large company to get away with something like this than a large mob.

In the company, you have one person who gives an order to start, and then a lot of other poeple who are supposed to help, but not all of them will agree with a tactic like this. Its almost graranteed that someone will blab to the press, and then the damage to the attacker will probably suffer even more than their intended victim.

With a mob, on the other hand, nobody knows the identities of any substantial portion of the other people initiating the attack. Also, since nobody has ordered anyone else to do it, everybody is morally culpable to the same extent, and you can only rat out yourself and maybe a few friends.

Re:Think about what this can do to companies..

[bluesangria]

Moral of the story: don't piss people off.

How about Moral of the story: get rid of companies and spammers who mass mail un/solicited junk.

It's not like they can claim "targeted mailings" when every piece of junk mail you get is addressed to you or "Current Resident".

Fscking spam....

blue

Re:Think about what this can do to companies..

[krysith]

I wonder if someone mailing-list-bombed the home address of every congresscritter, federal judge and cabinet member, how long it would take for spam to rise to number 1 on the govt's priority list?
Not that I'm gonna be the dude stupid enough to try such a thing. Hello, Guantanamo!
(what do you think the chances are of this post showing up on an Echelon-type scan? "someone...bomb...home address of every...federal judge...cabinet member..." I'm guessing the Men in Black are already on their way. ;)

Re:Think about what this can do to companies..

[dnahelix]

Congresspeople start getting cut off from their constituency.

In Washington State, I just heard that legislators will start ignoring emails for constituents because there are just too many to read. I think this is awfully lame. I guess when there's too much snail-mail, they'll just ignore the constituents altogether! However, don't hesitate to try to contact your representative!

Re:Think about what this can do to companies..

[Jouster]

(Except in the D.C.,) every American has three Congressional representatives. Most (barely over 50%, but it is over 50%) can name at least one of these.

I have sent correspondance to my congresspeople about every six months. I send emails, and get postal mail back in reply; it's usually a three-page form letter that touches on all the issues important to my congressperson and thanks me for writing to them. I get the feeling that there's a short and a long representation of their views on each issue; the letter has the form of:
<Long representation of feelings on the issue about which I wrote>
<Short representation of all other issues>
<Thanks for writing>

I don't know about the U.K., but in the U.S., members of Congress can send postal mail by signing the envelope. No postage required. Perhaps that's why they're so quick to respond? After all, the first three or so times I wrote the members of Congress from my district, I wasn't even eligible to vote yet; the response was just as quick as my more recent letters (in which I cited my voter registration number, to make sure I got their attention. ;>).

Jouster

Re:Think about what this can do to companies..

[WNight]

When you receive a *lot* of mail the post office starts to sort it for you. If nothing else, you can get it bagged by envelope dimensions (catalogs seperated from letters, seperated from 9x12 envelopes, etc) and by payment class (bulk mail, first class, etc).

Which means, if you want to cause the most problems you need to get envelopes that look like bills and business mail sent to the victim. Catalogs and such will probably be caught at the post office, at least once you notify them that they're unwanted.

Re:usps doesn't help things, but that's the way it

[bert33]

As was pointed out by another poster, pre-sorted mailings actually consume much less USPS resources than private mailings. Often the sending company actually delivers the mailing to the regional post office of their destination. Additionaly, the bulk mailers actually (in effect) subsidise private use of the post office. In other words, without junk mail you're be paiying considerably more for a stamp as mail-people would be walking around delivering one or two peices of paid mail to each household instead of 1 or 2 pieces of private mail and 4 or 5 pieces of paid bulk mailings.

The solution is with the mailers

[mlush]

It would be very simple for a company to defend against being used in a scripted mail DOS attack.

• Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
• Some simple question/answer system to demonstrate the user is human
  • What is this a picture of? (multiple choice)
  • Enter the word in this picture
  • Could you type the company name in backwards (for lynx users)
  • etc
• Use obscure names for the CGI paramaters
• Perhaps some sort of tripwire paramater called 'postcode' that actually holds the phone number, if a postcode is entered it causes the submission to fail

With a bit of imagination the authentication could be turned into a compatition...

Oh really?

[inaneboy]

Merge an online directory lookup with your junk mail script. Now junk mail bomb a single zip code. Sounds to me like it scales.... I doubt the whole USPS, but for one or two post offices? Easy!

Re:Oh really?

[stray]

i guess that would be blocked right at the dead-tree-spam-outlets, as i doubt that any company would send out 20'000 copies of their catalogue to 20'000 people from the same neighbourhood who allegedly signed up for them within just a couple of minutes - unless the process there is highly automated too.

Re:Oh really?

[WNight]

The USPS is pretty hard to DoS. They get paid for every piece of mail they deliver and they can bring in off-duty mailmen, then temps (the people who work the christmas season) and so on. DoS them, they'll love it. They'll make a ton of money and all the workers who get the opportunity for 2.5x overtime pay will love it.

Besides, I remember watching a program (similar to "How'd they do that?") that talked about the USPS and their procedures for sudden unexpected loads of up to twenty times normal. This happens when companies offer mail rebates for popular products, when radio stations have contests, when a rock star gets fan mail, etc.

It basically ammounts to telling the automated sorting machines to pull out the mail to the specific receiver that's being mass-mailed and they send it in seperate bags. It doesn't usually need extra sorting so the branches that collect the mail can send it, ready for delivery, to the delivering branch. The spam-a-neighborhood thing is a bit different but they could probably cope.

Physical Attacks in an Internet Based World

[Col.+Klink+(retired)]

From the headline, I thought this article was going to be about that shooting at Case Western. The apparent motive was that the victim left a nasty message on the shooter's guest book: Biswanath Halder vs. Shawn Miller, et al.

OMG, the sky is falling

[g4dget]

'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter,

Letters that are that important should be sent by registered mail.

to wreak havoc on the postal system for political reasons,

Provided the US government isn't subsidizing junk mail (if they are, they should stop), every piece of junk mail that is sent makes the USPS a small profit. Well, then let them "wreak" away.

or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'

I somehow have a hard time seeing how this is a serious risk, over and above the general risk of "contaminated letters".

Remember that security consultants and "experts", like politicians, have a tendency to create unnecessary fear in order to hype up their own importance.

Word of the Day

[CGP314]

Germans, who evidently have a hate-on for AOL

A new word finds its way into my lexicon.

Sorry, but

[tacocat]

I hate to sounds callouse, but anything it takes to shut down the spammers, short of death or injury, is an acceptable cost in the long run.

The problem of spam has not received any reasonable consideration by The Powers That Be in the Political engine until it starts to cause real, tangible, measureable harm.

If it's a Corsican

[BigBadBri]

then it is defined as

resistance against cheese-eating surrender monkey imperialism

If it's an Irishman, then it depends which way the wind is blowing - at the moment, it'd be terrorism, but in the good old days when Noraid had the ear of the presidency, it was freedom fighting.

250,000+ catalog forms? Try 839.

[rednox]

I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.

Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997.

I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.

Re:The Economist

[cHiphead]

If someone shot him would you be asking about the abolition of guns

actually i think thats precisely why we should have guns. ;)

Re:The Economist

[theLOUDroom]

You missed the point here. The problem is not spam email, its a DOS attack using snail mail which damages both the target and the bulk mailers.

Nope. The problems is spammers. The "target" of that DOS attack you're talking about is a spammer. Do you think this is a coincidence or something?

What you see as a problem, I don't really see as one. Replace "target" with "spammer" and you get:

The problem is not spam email, its a DOS attack using snail mail which damages both the spammer and the bulk mailers.

Sounds like killing two birds with one stone to me. What's the problem again?

Those "mail dumping" incidents a few years back

[swb]

Weren't there a couple of "mail dumping" incidents a couple of years ago?

IIRC, they found one postal worker with a whole basement/attic/whatever filled with undelivered mail, and other worker was found to be dumping it under an overpass or something.

The residents had complained for years about poor mail service, lost mail, etc and when they finally found out what was going on it looked like the whole postal zone was a fscking disaster (bad management, etc etc etc).

Overall, this seems like a rare exception. I've never had a bill not get paid or not gotten something due to the post office.

In fact, I've had more problems with UPS trashing packages.

Re:Those "mail dumping" incidents a few years back

[Warlover]

Considering what the USPS is actually tasked to do, the service is actually pretty reliable. And unlike most publicly run institutions, it does *not* hemorrhage money year after year.

Now if you want to talk about criminally inept public services, don't even get me started on the entire public school system.

Re:Those "mail dumping" incidents a few years back

[Jaysyn]

U.S.P.O. was privatized a few years back, and they've been raising the price of postage stamps ever since. That being said, they still do a pretty damn job a such a enormous task.

Jaysyn

Re:Those "mail dumping" incidents a few years back

[nelsonal]

They are semi private, its still a government institution, and protected monopoly. It's not as privatized as GinneMae, the mortgage bank, but its more privatized than the Department of State. Also in reply to the grand parent, they are hemmoraging buckets of cash, due to large unionized workforce, and significant reduction in first class mail volume due to email. I think they lost 2-3 billion last year, they get congressional subsides to continue operations. Hence the postage stamp price increases. Also realize that UPS and Fedex are barred from doing first class delivery, but USPS could use profits in first class mail to reduce prices in overnight mail, but the others can't do the reverse.

Re:Those "mail dumping" incidents a few years back

[duckpoopy]

IIRC it was all bulk-rate junk mail that had been dumped. Of course, this is still despicable because the advertisers were not receiving the service which they paid for.

What's the inverse of a mailing list?

[raehl]

A sending list.

Instead of buying a CD with a million email addresses, you buy a CD with the location of 100,000 catalgue/political/newsletter mailing list signup forms and a program to fill them out with your victim's information.

Make sure to Panic!

[BCW2]

Face any form of technology can probably be exploited for terorist purposes. Plan on how to counter it but don't knee jerk any more idiotic laws.

An evil person can use anything for evil. Outlaw everything!

Re:The Economist

[Acidic_Diarrhea]

But don't you see that the target of the current attack isn't always going to be the same. There is no reason that this DoS attack must be directed at spammers and spammers only. And the reason the spammer has brought this attack on himself is by upsetting a great number of people. Now, as the article mentions, a script which would simulate the large number of people could be written so that one person could launch the attack and sign a single person up for a huge amount of junk mail. So, basically - if you, as a non-spammer, upset someone with a modest amount of technical saavy, it could lead to the same type of DoS attack that this spammer is enduring.

There is no reason that only a spammer could be attacked in such a manner.

What about my important email?

[alanjstr]

What about all the important email that gets buried under a deluge of electronic spam? Aunt Martha's prize winning cookie recipe, for example, might get lost among the hot naked teens emails. At least with email we can try to put a filter on it. But what is the government's policy about XXX regular mail coming to a 10 year old? Does that child really need his penis enlarged? An email from a teacher or college professor could easily be buried.

Re:What about my important email?

[pbemfun]

Um, if you can get Aunt Martha's cookie recipe confused with a hot naked teen email, I'd like to eat those cookies! :)

Time-Delayed Dupe

[t0ny]

wow, this is the exact same subject that was posted a few weeks ago, but it has more links.

Someone should write a white paper detailing ways to get Slashdot to post dupes, and how it could potentially be used to do malicious things, like delaying the posting of real news.

Re:Time-Delayed Dupe

[dodobh]

No, the dupe was delayed due to being DOSsed by slashdot readers annoyed with dupes.

Re:Time-Delayed Dupe

[qbwiz]

..white paper detailing ways to get Slashdot to post dupes...
That's about as useless as writing a paper teaching people how to beat their heart.

Re:Time-Delayed Dupe

[the+endless]

Someone should write a white paper detailing ways to get Slashdot to post dupes

Fifty smackeroos says they'll post it twice.

Re:Time-Delayed Dupe

[ErikZ]

feh. You know what the smackeroos to dollar exchange rate is?!

Re:The Economist

[theLOUDroom]

First the script you mention does not exist. The reason this attack actually worked on the spammer is bacuse of a HUGE number of people who signed this guy up for crap BY HAND.
Second, creating such a script would be incerdibly time comsuming. Each site that lets you submit catalog requests, etc does it in a different way.
Third, all those requests would be coming from one IP address.


Even if such a script were to be created, it would be possible to sue anyone using it. Right now its saftey in numbers. He can't possibly go after everyone, and even if he did, a judge is going to wonder if maybe he did do something to deserve it. This won't be the same for a single person attack.

Re:usps doesn't help things, but that's the way it

[ojQj]

I know it's offtopic but:
Even scriblings on an envelope can be automatically read these days. Only about 1-5% which the machine can't manage get sent to humans for decyphering. Which means that hand-scribbling should only be marginally more expensive than the bar codes.

I had the privilege of seeing one of those machines in action here in Aachen Germany. They sort so fast, you can't follow the letters with your eyes! Pretty cool stuff.

A slightly unrealistic way to prevent mail attack

[Speequinox]

One way to prevent a scripted catalog-signup attack would be to centralize the processing of the signup forms. If all signup requests were routed through a single source, that source could easily detect a spike in signups. At that time, a confirmation phone call or letter could be sent to the recipient to determine whether they actually want all the junk, much in the same way that email list signups often generate an email that requests confirmation.

Of course, there are privacy concerns, centralization vulnerability concerns, and the issue of getting people to use the system. There is a collective action problem because normal members of the public don't have much of a reason (or way) to pay for this, and the catalog companies don't have much incentive to pay for it either since it's probably cheaper to send the occasional unwanted catalog than it is to restructure and pay more for their signup system.

-Mason

Re:The Economist

[JMS-Web]

Spam will not go away until the legislators put some real teeth into the laws preventing spam. We get innundated with junk regularly and have to resort to program like MailWasher just to keep the clutter down.

Really sux and is quite a drain on resources especially for a non-profit such as our small CT one.

I agree with the comments on/by The Economist though. Good point.

physical v logical

[genzil]

I find it hard to see how he is going to find a person to take to court in the physical attack. When you sign up for some thing they don't take many details. But the internet keeps records and so it could be easier to trace.

Re:physical v logical

[DeputySpade]

The internet keeps records?

USPS bulk mail impedes delivery of important mail

[kobotronic]

Americans : Ever been away on vacation only to find your mailbox stuffed full of mail? Likely one or two important letters was in that big heaping wad of damp and compressed paper and coupons and shit.

So now you must sit and spend an hour or more sorting through this mess, time wasted on a menial dumb stupid sorting task for which you receive no pay. Is this fair? Is this freedom? From what? It feels like slavery to a dumb system.

At least in some enlightened European countries you can magically block bulk mail delivery using nothing more than a free sticker applied to your mailbox, which the postal service is then obligated to respect. Why don't USPS offer this?

Peel, apply, press, presto! No more bulk mail!

SHUT UP! !! !!!! !!!

[twitter]

If you folks don't be quite, the post office might detect the thermo nuclear bomb I mailed Alan Ralsky, the FBI and Elanor Roosevelt. If we are all very very quiet, these packages will quietly make their way through the masses of mail the targets recieve.

Yes, I know old Elanor is dead, but others still talk to her and I just want to make my point to them. I would have mailed Santa Clause at North Pole, but that's where the nukes will go off in event of accedental firing. To take care of that, I'm emailing a nice computer called Wopper about a few games.

Back to my evil plans, such as a distributed timed arson attack using nothing more than an old truck, soda pop bottles, gasoline and a few hundred stollen watches. Oh wait, that plan could be implemented and does not have any place in the nuke/anthrax/killer ant fantasy presented above. I'll be quiet now before some moron gets ideas about the destructive uses of simple tools. No, I know that anyone with a modicrum of research and desire will continue making and executing such plans, I just don't want some moron thinking that I might and messing with me in unAmerican unconstitutional ways.

compute charges

[mikeee]

The STMP protocol should be extended; the receiver can require the sender to factor a large prime number before the message will be accepted. A few seconds CPU time per legitimate message is no biggie, but...

Re:compute charges

[Suidae]

There are too many installations to change.

Besides, the receiver can force the sender to wait simply by responding slowly, no need to change the protocol.

I think that instead we should all just run programs that scan all incoming mail for URLs and then load the referenced page, and spider the website, including all linked images, etc. So when spammer sends out 1,000,000 messages, and the 1% of people running this spider receive the message, spammers website, his host gets hit by 100,000 download request over and over. Not enough to be considered a DOS when considering a single user, but enough to destroy the server when everybody does it. Bandwidth costs will force spammers out of business.

Re:compute charges

[mikeee]

Waiting doesn't help much; the spammer can just multiplex with multiple connections (maybe you can counter this, but it gets to be a real PITA).

Conversion doesn't have to be all-or-nothing; mail for which compute tax wasn't paid can just be flagged with an X-Might-Be-Spam header.

Re:The Economist

[Efreet]

It would also be in the economic interest of service providers to do this, since they are currently having their no-cost-per-email policy exploited.

The obvious answer...

[KC7GR]

...is "Don't Spam."

Ralsky has no one to blame but himself. If he didn't make a career out of abusing other people's private property, none of the crap that's happening to him would ever have happened.

No matter if it's 'right' or 'wrong' to take someone's personal info and feed it to catalog houses, it still comes back to one simple idea; You Reap What You Sow, or 'Do Unto Others,' etc. Ralsky has been heaping abuse on other people's in-boxes, servers, etc. for years, and now he's reaping the fruits of his labors. If they're inedible, it's his own fault.

People are the problem!

[FatalTourist]

Anthrax doesn't kill people. People kill people. The solution? Ban people! Let's nip terrorism right in the bud! The majority of terrorists are people, not so much dogs, or robots (until maybe Judgement Day). I'm going to get a people detector installed in my house, with an automated gun turret! Hasta la vista, people!

Plutos Kiss?

[pjh3000]

Is that like Pluto's Kiss? Or am I thinking of .hack?

Re:The Economist

[cK-Gunslinger]

I think that the script would be pretty easy to create. Just set up a web-page with some standard specs (variable names, etc) and have all the visitors submit a single script that fills out a single request (creating a list of sites.) Then, when you have enough scripts, open your web page for business.

Paypal the owner $5, send him a name & address, he batch-executes the scripts. Easy, fun and profitable. Excuse me, I, uh, have something to go do...

Re:The Economist

[StealthBadger]

I think the connection you're missing is this, partially taken from the article itself:

In the commercial environment we have on the Internet, companies have made it incredibly easy for the average person to trigger a flood of mail into your inboxes, physical and e-mail.

By making spam less profitable (and in fact subject to legal penalties for any company indulging in it), the mechanisms by which someone could do the equivalent of a DDOS on someone's snailmail box will become less available.

What would be wonderful is if the e-mail breed of spam was legislated against, and there was some kind of spill-over to paper spam which placed restrictions on it as well....

A Bad Experience

[krysith]

Well, I had a rather important letter go missing in the mail...
During my senior year of high school, I visited a college that I was interested in attending. They were very interested in me, and offered me a full scholarship. They gave me some papers to fill out while I was there. I filled those out, but apparently there were some papers they forgot to have me fill out while I was there, so they mailed them to me. They didn't call to say they had sent anything. Those papers never arrived. Later, when I called the financial aid office to check on my status, they said that I hadn't sent back the papers in time ("papers? what papers?") and the scholarship was awarded to another student. I don't know for certain that the US mail was at fault (it could have been the college just screwing me over, but I can't see their incentive to do so), but we lost an awful lot of bills when we had that particular mailman. Eventually they gave my mom a new mailman, and she stopped losing mail, but I was already going to a college I couldn't afford. Oh, well, $60,000 down the hole. Thanks US Postal Service!

Re:A Bad Experience

[Oswald]

You win the prize; that absolutely sucks. I'll bet you learned not only not to trust the Post Office, but to ride close herd on processes that are:
a) important, and
b) out of your hands.

(Here's where you mutter, "fuck you very much, old man." ;)

Re:A Bad Experience

[krysith]

Yes, it was a very good learning experience in the importance of "follow-up". It was also a good learning experience in "living cheaply". I learned many important things in college, such as: 1) Ramen is cheap, but spaghetti with butter is cheaper. 2) All-you-can-eat buffets are best utilized from 9am to closing time. Bring your homework. 3) Your friends will feed you if you do their mundane chores (dishes, laundry, etc.). Make lots of friends.

Who trusts the mail? The INS!

[Kphrak]

The US Immigration and Naturalization Service (now the BCIS as part of their re-org into Homeland Security) trusts the mail implicitly, unless they're sending you a notice that your application was denied (then they send it certified). A notice to come to a fingerprinting was not sent certified, got lost in the mail (although I have serious doubts on whether it was ever sent in the first place), and resulted in a $110 charge for me to reopen the case. Thanks a lot, guys.

I'm sure that plenty of important mail gets lost because some agency or another was too cheap to use a reliable mail service -- after all, if they send it reliably, it costs them a little extra. If, on the other hand, you lose it, they get a hundred bucks for refiling. No disrespect to the post office intended; it's the fault of the system design. Think of mail like you do UDP: Fast, simple, cheap, and unreliable.

Re:Who trusts the mail? The INS!

[rifter]

The INS was created to reduce immigration. It's not so much that they trust the mail service as that they don't care if you get something unless it is a notice to leave the country. They are also, as you observed, cheap bastards.

Re:USPS bulk mail impedes delivery of important ma

[Natestradamus]

Americans: Ever gotten so sick and tired of supercillious European assholes that you felt like writing off the whole damn continent?

Seriously though, if you need an hour to separate junk mail from real mail, you might want to review that superior attitude of yours.

Our Lovely Governmental Officials

[thechao]

Perhaps we should sign up some of our gov't officials to recieve massive-anonymous-mailings (MAMs) so that they might enforce some reasonable rules about snail-mail.

I recently went through a letter-war with my postman when I recieved a bit of junkmail sent to "occupant". The result was a much-mangled envelope with the word "occupant" scribbled multiple times in green (that was the Postman, did that). I finally fed it to my neighbors dog.

Re:usps doesn't help things, but that's the way it

[duffbeer703]

You're a real ass. The postal workers union is about as useless as tits on a bull, and the government exempts itself from all sorts of labor laws.

Postal workers, particularly those in the sorting centers work very hard -- they don't have a choice or a teamsters union to lighten the load.

Dare I dream it?

[clambake]

or even worse, to serve as a diversion for a terrorist act

Finally.. and answer to junk mail! In our society of banning the tool, not the act (a la Napster), this translates into banning all forms of junk mailings! WOOOOOOOT!

Re:The Economist

[nolife]

Replace "snail mail" with "email" in your comment and you have summed up what millions and millions of people with an email account have been dealing with for years on a daily basis and the problem is getting worse. I rely and use email much more then I use snail mail which componds the problem even more.

What about mistakes?

[leighton]

Of course, none of this takes into account what happens when an overexcited script kiddie targets the wrong address for attack. This happened in the Ralsky case--if you go back, you'll see that people mistakenly posted his old address, the wrong phone number, etc. So some poor innocent sap (who could just as well be you) gets a dozen subscriptions to Hot Wet Naked Shaved Teenage Catholic Schoolgirls and Buff Biker Bears that he has to explain to his wife.

I guess that's just "collateral damage," right?

I saw a live version of the /. effect llast week

[Savatte]

when the local LUG, gaming club, and anime association all stormed krispy kreme at the same time.

Argh NO MORE TERRORIST RHETORIC

[JebusTheImpaler]

argh, why must everyone in the government/news agencies/popular media/academy relate EVERY issue to terrorism? I'm sorry, but the idea that this has ANYTHING to do with terrorism is like saying that petitioning could be used for terrorism. Pretty soon anything that goes against businesses/government/assholes will be a "terrorist act". Wake UP America, there are other things to worry about (e.g. The increasing nat'l debt, growing inequalities between rich and poor, shitty public schools, RIAA, pissing off the world community, deregulation of the media, NO FRIGGIN' JOBS, tanking economony). Damn man, talk about WEAPONS OF MASS DISTRACTION!

Silly Linux geeks!

[Thud457]

Nobody said you couldn't use MS Passport or Gator. (Of course, you may want a sacrificial machine to run this on.) Heck, use the tools of the devil to attack his disciples!

Re:USPS bulk mail impedes delivery of important ma

[Thud457]

"if you need an hour to separate junk mail"

They get six weeks vacation over there, and hence, have a correspondingly bigger pile of mail when they get back from Spain.

Re:usps doesn't help things, but that's the way it

[bofkentucky]

The only postal workers I've run into are A) the morons working the counters at every post office in the US B) USPS logistics drivers, the lowest form of trucker on the planet, and C) Postal inspectors, say no more, and D) My rural route carrier who does a fantastic job BTW.

I've worked in high volume mail processing (check my resume, RR Donnelley and Son's Kentucky Magazine division), yeah its shitty work, but someone has to route your issue of Maxim or mother's day card. Pay is reasonable at the local mail sort facility, in line with the pay scale at the local factories for someone with a GED or High School diploma with the exception of the Corvette plant (UAW takes care of their people)

Re:The Economist

[BuckaBooBob]

Well This also happends with Email... You waiting for that important Email from a friend telling you that he needs a ride from the Air port and his email is lost amist Spam or gets filtered and they are completely unaware.. There is alot of important Email that is just as critical as Snail mail... There is No Difference other than Its somewhat easier to change your email address compared to changing your physical address.. Funny thing is you can submit a change of address form as all that Snail Spam will follow you with a Change of address...

All I can say is "Waaaa Waaaa Poor Spammers.. Waaa! Go Cry to your mom! or someone who really cares!" After all thats thier attitude when they send out all thier Spam.

If all Spammers were Reputable and didn't use underhanded tactics their business model wouldn't work.. Who in thier right mind wants to see all that UCE in thier mailbox?!? I am sure the few people that do wouldn't support them enough to actually make a living.

Re:The Economist

[rifter]

here is a certain amount of ironic justice in sending spam to a spammer but any figure that becomes infamous has a large number of people upset with him or her and thus, could bring this type of attack upon him.

You are thinking too small. If it is possible to send thousands (or hundreds of thousands) of snail mails trivially to one person and therefore DOS them, just think what would happen if you did it to thousands (or hundreds of thousands) of people. There are more than enough publicly available addresses to do that fairly trivially. They don't even have to be people you are upset with; they could be random. (After all, what if the person executing the attack is pissed at the Post Office? Or the government?)

Imagine even if someone did this to, say, all the people/government offices in DC (the whole congress, then all the aides and such, etc.)

Do script kiddies only dos people they know who have made them mad? Don't they very often, in the spirit of anarchy/random maliciousness attack random targets?

Inspire regulation against junk mail?

[lamontg]

Maybe some enterprising scriptkiddie could automate this attack and hook it into a worm. Worm spreads over the internet affecting millions of IP addreses. Catalog companies are inundated with requests and overload the Postal Service. US government steps in and actually starts regulating junk mail.

Nah, probably wouldn't work... The virus would produce enough publicity that the Catalog companies would know about it and it would be in their interest to eliminate bogus mails from going out. Someone would reverse engineer the virus and use that information so that catalog companies could protect their online forms.
Impact would be minimal.

Damn, I'd really like a way to stop junk mail though...

Chris Crawford and Terrorism

[Jeremy+Erwin]

In his book Balance of Power (1986, the game designer Chris Crawford describes Terrorism thusly:

Terrorism: The first step [in the development of an insurgency] comes when some hothead carries out an act of violence against the government. It is neccesarily rather puny; after all we can't expect every hothead to have much military power at his disposal (thank heaven!). This act serves to galvanize opposition. Once people realize that there are others willing to fight back, they gravitate towards each other, and the insurgency begins to take shape, During this early stage, the insurgents will lack any real military power. They operate as part-time rebels, living during the day as regular citizens, but plotting their revolution in secrecy and making occasional strikes.

It's a little dated, but it's a straight definitiom. Terrorists strike at target of opportunities in urban areas. The goal of their attacks is usually not to go after military targets--in most cases the're too well defended (although see Beirut, Khyber Towers, Pentagon and if you're willing to split hairs. the King David Hotel) but to inspire confidence in those who would support them ("We can win this struggle!") and inspire fear in their enemies ("They came out of nowhere. How could we let this happen?").

Many terrorist organizations don't have a sufficiant grasp of political reality to transform their terrorist activities into an effective opposition. Al Quada's goal was something along the lines of "worldwide Islamic Revolution"-- something that can probably be characterized as "pure fantasy." Although bin Laden's "simultaneous , multiple target" signature may have won him respect from other terrorist organizations, his tactics did little, if anything, to secure his stated political goals, and have instead (deservedly so) marked him as a mass murderer.

Christopher Hitchens defined terrorism as the tactic of demanding the impossible, and demanding it at gunpoint. It's a interesting definition, but, of course it all depends on what one views as impossible.

If you think unions are inefficient...

[No+Such+Agency]

... try not having them. Without the labour movement we'd all be working 14 hour days for $3.50 an hour (with no benefits of course). Try being efficient for $3.50 an hour, at 7 pm on a Sunday, with an untreated infection.

Re:If you think unions are inefficient...

[bofkentucky]

The unions had a purpose back in the day, now they are pyramid schemes for taking money from the workers for decreased benefits and political contributions, ie the American Airlines labor situation a couple of weeks ago, where the union was all set to take a garbage contract that kept their funds flowing. Unions destroyed the factory that my Mother and Grandmother worked in, all becuase they wouldn't join up, they earned my wrath, and until they demonstrate a desire to correct their behavior, I'll oppose them.

Re:If you think unions are inefficient...

[Fulcrum+of+Evil]

The unions had a purpose back in the day, now they are pyramid schemes for taking money from the workers for decreased benefits and political contributions[...]

I'll remember that as I watch my industry sail off to India, China, and Vietnam.

Re:If you think unions are inefficient...

[bofkentucky]

That's where the teamsters sent my mother's and grandmother's jobs.

Snailspam washington!

[inaneboy]

Of course its automated.

OOooo.... SNAILSPAM Washington! There has to a be a list of all the congressmen's address....I think they'll 'get' it after that! (Crap...I'm gonna get blamed for this aren't I..)

Small-penalty Spam-suit State Laws

[billstewart]

Several states have anti-spam laws designed to make this easy. They're tort laws (person-sues-spammer-for-damages) rather than state-vs-spammer laws, and the damages are small (mostly $200-500) so you can sue in small claims court with minimal legal costs if you can catch the spammer (and if the spammer's in your state.)

That doesn't let you catch every spammer that spams you, but it's enough that it can theoretically be very annoying to small spammers, who have to show up personally, and are more likely to be receptive to the message that "everybody hates you, and we'll make you lose money and spend lots of time being told that everybody hates you." (And if not, then hey, it's an $200 check for an evening's trip to Small Claims - busting spammers can be profitable if you 're in a state with that kind of law.) Big spammers are likely to annoy more people, and usually incorporate to protect their owners, so they probably have to send a lawyer to the courts rather than the owner, but that's fine too. On the other hand, they're much more likely to locate to states that don't have such laws, so they're only subject to Federal laws.

Oh for fucks sake.

[CrazyJim0]

I can think of a million ways to use the internet to cause more havoc than just stuffing someone's mailbox with porn.

Probably the coolest thing you can do with the internet is to cause a revolution. And if you don't see it, you're the one who's losing.

Motel of the Mysteries - if you overdo it

[billstewart]

Motel of the Mysteries ISBN: 0395284252 Author: Macaulay, David Publisher: Walter Lorraine Books

It is the year 4022; all of the ancient country of Usa has been buried under many feet of detritus from an accident with a computer and a junk-mail system back in 1985. Amateur archeologist Howard Carson, crossing the perimeter of an abandoned excavation site, felt the ground give way beneath him and found himself at the bottom of a shaft, which, judging from the DO NOT DISTURB sign hanging from an archaic doorknob, was clearly the entrance to a still-sealed burial chamber.

And he goes on to describe the items in the Toot'n'C'mon Motel and speculate about what they must have been used for by the ancient inhabitants...

Email takes longer than calling...

[Kaki+Nix+Sain]

Seriously. I have been personallizing issue letters and emailing congress-critters for a couple of years (never more than a couple every few months). This past week I wanted to communicate something to them, but I didn't have the time to do all that work. So I looked up their office numbers, called, gave my opinion to the phone answering intern, and got back to my life quick. Hell, it has taken me as long to write and proof this post as it did to call.

Am I the only one

[Flavius+Stilicho]

Am I the only person that doesn't mind junk mail all that much? I mean the paper stuff. Anything addressed "Resident" (of course I screen it) goes to my 4 year old daughter. She loves getting 'mail'.

If the marketing companies want to waste their postage to provide my kid with entertainment, that's on them.

Re:A slightly unrealistic way to prevent mail atta

[DeputySpade]

Getting people to use the service would not be all that difficult.

Sending gobs of bulk mail to uninterested parties costs them money. This would be a valuable service for the bulk mailer to take advantage of.

Re:usps doesn't help things, but that's the way it

[bofkentucky]

I didn't realize that the systems had become that accurate, the last time we were working with auto-sorters it was about 25-30% kick rate, helpful, but you still needed a lot of human eyes.

anthrax initiated by who?

[sacrilicious]

the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen

As far as I know the anthrax attacks are as yet unsolved, and there is no evidence that they were or were not perpetrated by an American. Perhaps I missed something in the news; if so, would anyone care to enlighten me?

Re:The Economist

[DeputySpade]

Oh, come on??? Not one moderator thought this was funny?

The USPS must defend itself

[robj]

[An open letter to the paper authors:]

Your paper "Defending against an Internet-Based Attack on the Physical World" describes a number of coutnermeasures, almost all of which are focused on the Internet level of the attack.

Since most of the actual bad consequences of the attack come due to the "mail implosion" at the target address, it seems to me that there are other defensive possibilities based on detecting and averting the mail implosion before it happens.

The only entity in a position to do this is the post office itself. But the post office is already in the business of knowing the destination address of every piece of mail in its system. If the post office were able to mine the addressing data in its system to such an extent as to be able to detect sudden service-threatening implosions targeted at a particular address, the post office itself would be able to flag such mail as "nondeliverable due to system abuse" (perhaps with a notification to the target address that their mail was too voluminous to be delivered).

This would of course require exceptional investment in real-time tracking systems by the post office, although since all that is really required is a count of "number of mailings addressed to target" (and not an actual index of what the mailings themselves *are*), it is possible to avoid the overheads of constructing a full per-package tracking system.

This defense, it seems to me, would be performed by the actual victim of the attack -- the post office itself. Moreover, it is hard to see what countermeasures an attacker could employ to circumvent the post office's own monitoring of its traffic.

(I would imagine similar techniques at the email level are likely already used by ISPs to protect users against email implosion attacks...?)

What would you consider the strengths and weaknesses of this defense?

Thank you for a thought-provoking paper.
Sincerely,
Rob Jellinghaus
rob@helium.com
http://www.helium.com

Re:USPS bulk mail impedes delivery of important ma

[cant_get_a_good_nick]

I can think of two reasons just off the top of my head:

1) The Postal system is quasi-government, but they're in the business to make money (well not lose a lot anyway). Bulk mail postage helps keep the wheels moving.

2) A lot of junk mail now is tagged to look important. Makes it harder for a mail carrier to make that judgment call on the letter. Just easier to chuck the whole wad into your box.

An aside on 2 above:
When you get credit cards/ATM cards, they come in nondescript envelopes, to make it less likely to get stolen. I usually check all plain envelopes now, feel them for a plastic card to see if Citibank has sent me a new card, or if some bank sent me a credit card I didn't ask for (has happened). I'm starting to see junk mail taking advantage of that behavior, a plain envelope with a hard card in there someplace, to make me open the thing and look at the contents. The bastards.

Or respond to all spam!!!!

[xluap]

We need a script that sends email back to all email adresses in spam. If 99% of all answers to spam are bogus, they will stop spamming.

Re:Or respond to all spam!!!!

[Suidae]

Most of the spam I get doesn't contain any email addresses, presumably to avoid mail bombing and complaints. Usually its just a web address where you can place an order for the product.

Re:The Economist

[BuckaBooBob]

Blah Blah.... No your missing it actually... Its all about exploitation. Spammers Exploit email to send thier UCE with virtually no cost to them when looking at returns gained.. They have Ablosutlely no reguard for the service providers they spam... at 650,000 emails a hour how much time and bandwidth and computer resources are tied up at the reciving end? Especially when its it unwanted so anti-spam measures are put into place which the spammers do everything they can to get around so even more resources are needed at the reciving end of the spam.. I love to see it when spammers get it back in the face..

Why has SMTP remained broken for so damn long?!? While spending millions and millions of dollars fighting Spammers (Hotmail/AOL/Earthlink and the like) Why don't they fund a OS project to fix whats wrong with SMTP and make it the defacto stanard protocol... After if they team up to do this and offer a good portable free open source product that defeats spammers who in thier right mind wouldn't move to it and eliminate spam. When you look at how many ISP's would jump at the new stanard to eliminate spam from thier networks due the simple fact.. Its cheap.. and reduces overall overhead of managing a email service.. Its a brain dead decision.. Just looking at the number of email addresses that would be covered by the top 15 or 20 email providers would mostlikely add up to be 70% or more of active email addresses.. That right there would suddenly Break Spammers business models... Not to mention including AOL would encompass 90% of the guliable public thats on the internet... so that right there would send spammers into chaos as return on investment plummets to numbers aproaching Zero.

Getting rid of spam simply makes sence... You provide a better service to your customers.. Reduces overhead of offering email service.. Reduces Support costs as well.. you don't have so many customers having problems involved in people changing email addresses cause they are getting spammed to much (Try working for a ISP in the support depart ment talking to people complaining they can't mail people in thier contact list anymore cause they changed thier email address... or people having problems because they have changed thier email address because it was getting flooded.)

They could even build into the Licencing agreement factors that prohibit underhanded tactics used to Send UCE and suspend licencing to those that do not follow the terms and be prevented from sending email at all..

Otp-out doesn't work.. Its plain and simple.. optin is a way better aproach.. People will learn to make sure they don't opt-in.. and if they do by accedent or under handed hidden agreements they you click past to just get what you want. to easily and quickly get back off thier list... Poting out could consume many hours a day of new spammers that found your address any way they could... which is simply wrong... Once its in writing in licencing spammers can easily be charged under the DMCA wide spread umbrella.. (whoo! Imagine that! something good comming from the DMCA!)...

The solution isn't that hard to see at all... All it needs is some of the big players to step up to the plate and start the ball rolling and reap its long term benefits... Wel spammers don't get any benefits from this but they are internet Parasites that need to be exterminated as they are today.

Sorry got off on a bit of a rant... But still.. this would all be moot if a couple VP's at a few big email providers had a few brain cells to rub together.. Its just simply costing them money not to do this! Legislation wont make spam go away! People can setup spam souces off shores ect.. US law can't govern them... But protocol licencing is the only way it will work... as they can set the rules and require people adhere to the rules inorder for thier email to be accepted by servers that are authenticated as protocol compliant and no-Spam complient.

If for some unseen reason there are many ISP that lag and don't join the protocol group.. Hotmail an

Bruce Sterling already told in 1993

[Pseudonymus+Bosch]

Opening Statement to the House Subcommittee on Telecommunications and Finance, Washington DC, April 29, 1993

(...)These 15,000 users were enraged by what they considered the wanton destruction of their electronic community. They pooled their resources and took a terrible vengeance on the small town of North Zulch, which, by contrast, had only 2,000 residents, none of them wealthy or technologically sophisticated. Through a combination of harassing lawsuits and sharp real-estate deals, the vengeful board users bankrupted the town. Eventually the entire township was bulldozed flat and purchased for parkland by the Nature Conservancy.

"Thanks in part to the advances that you
yourselves set in motion, violent conflicts between virtual and actual communities have become a permanent feature of the cultural landscape in 2015."

Nope.

[jotaeleemeese]

Terrorism is whatever the far right in power in the US says it is.

And since you have raised objections you look actually quite suspect.

Welcome to the magical world of the PATRIOT act!