Internet Based Attacks in a Physical World
scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Byers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internet-based Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information: 'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"
If you don't want to be attacked on a large scale from the Internet, don't piss off Slashdot readers!
It should be a no-brainer by now, and we have shown the effectiveness!
now, is a way for the internet to deliver a flaming bag of dog poo to the doorstep of your favourite enemy and life will be complete.
"A scenario could be imagined where an attacker would do this to delay the arrival of an important letter...."
I don't know about you but I haven't trusted an important letter to the USPS for many years. Tax returns etc. go Certified or Fedex only. The USPS is just not reliable any more when the mail item is important.
Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale.
Heh, I gotta remember this excuse. "No, I didn't sign up for these dirty magazines. It is some internet conspiracy..."
That, and why is he complaining?
If I have nothing to hide, don't search me
I think The Economist has the easiest and cheapest answer to the problem of spammers. Charge large emailers per send.. the economic disadvantage of sending out wasted emails would then help reduce the number and encourage targeted sending...
You missed the point here. The problem is not spam email, it's a DOS attack using snail mail which damages both the target and the bulk mailers.
to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.
This is NOT terrorism, it IS a crime!
Trying to get people to subscribe to Slashdot and making them read embarrassing dupes is an old trick. These attacks exploit the lazy properties of the editors as well as their unprofessionalism. All the pieces (that) are required for this attack to work. There's a real danger in this ploy, one that few people have likely thought about: "A scenario could be imagined where a story could be posted to Slashdot, and then the same story could be posted again a couple weeks later, to wreak havoc on the Internet for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the posting of a goatse link."
In Soviet Rush, today's Tom Sawyer gets high on you.
"But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter."
You know, apparently *nobody* thinks up terrorist acts until the newsmedia lets them know everything they need to know to pull one off.
Basically, the individual is swamped with requests s/he has to answer, and using up large amounts of resources (lawyer fees).
Very similar to a DOS attack where a server has to answer loads of requests, eating away at its resources (CPU/network traffic).
This article is not about preventing spam. It's about how the postal services, and probably a few others, are vulnerable to malicious disruption via abuse of internet capabilities.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth.
What truth?
There is no dupe
"Let's hope anti-spam, anti-marketing guerrillas can keep their perspective and priorities in order."
When the spam and other ass-orted gorillas get their perspectives in order - then let's talk of anti-spam guerrillas.
"A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"
Pure FUD and crap. How many times has spam stopped important mail? How many times have anti-spam filters deleted the 'wrong' mails? Apparently spammers have exclusive abuse rights on the 'system' while lesser users don't! Intriguing.
If you keep throwing chairs, one day you'll break windows....
I always liked the idea of placing a classified ad for a mint 1978 Camaro for $750 (b/c you're getting a divorce yadda yadda) and then listing your bud's phone number as the contact info. Best to use Auto Trader or the like because the ads run longer than newspapers and can't be cancelled in a day. Never done it, but sure have been tempted on occasion...
take for example the post office -- you'd think that one of their aims would be to promote less junk mail for all of us. But that's not how it works in a society where the bottom line is how much money you can rake in. And god forbid the government take an "anti-business" stance.
So what is their pricing scheme? It costs 37c to mail a single letter, but if you're a physical spammer, you can get huge bulk discounts, effectively making it more attractive to spam. I say, why not make junk mail *more* expensive?
Will email, if charged per-piece, be any different?
I think that when a large number of people are willing to spend their time physically DoS attacking someone then maybe that person deserves it. I don't think that if an individual just had a grudge against the spam king that person would have been able to really do much damage, but obviously enough people felt the same way.
I see it kind of like picketing, one person doesn't really do that much harm, but if enough people are pissed off....
"Not knowing when the dawn will come, I open every door." - Emily Dickinson
or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'
God damn. This just makes me want to punch him in the face. Why the fuck does everyone always have to bring terrorism into everything? Ever since 9/11 we have had idiots, making comments like this about EVERYTHING. I am so sick of it.
This guy's statement requires ridiculous stretches of the imagination for one to even think of a way it might benefit a terrorist. I mean, seriously, use some common sense here. If you're trying to send someone a letter full of anthrax, you want it to actually get there.
Yes, terrorists could use cars too. Maybe we should ban cars! That way a terrorist can't get his hands on a car and start running people over. Just imagine how many people he could kill by driving down a busy sidewalk! We better hurry!
Then we'll have to ban chair-lifts too. Imagine how many people would be injured or killed if someone cut the cable! We can't have that, now can we?
Ya know, they used fertilizer to make that there Oklahoma City bomb. We better get rid of fertilizer too.
But wait! That still leaves arson! We better make matches a restricted item. Can't have a terrorist going around burning down houses, now can we?
This kind of moronic reasoning makes me want to get this guy alone and "exploit the automation properties" of a few choice power tools.
See! Power tools can be used for evil! Better get rid of those too. Never mind that the benefit they provide to society far outweighs the cost. Never mind that this is supposed to be a "free" society. Won't someone please think of the terrorists?
Life is too short to proofread.
Apparently, he started getting calls from several states away from irate bikers who were pissed at HIM when he told them he wasn't selling one (he never owned a motorcycle).
science is a religion
What a load of self serving crap. Which of course is completely shocking coming from such a community oriented guy such as a Spammer.
When I read this, I expected it to be about something a bit more substantial, such as using the internet to have someone's electricity turned off, or altering a satellite trajectory to include someone's house in its path; or maybe even taking over Dr Evil's Moon Laser to burn nasty messages in someone's lawn.
But really, taking out the postal service with a series of mass mailings? What kind of fool thinks that an attack that works on one person will scale large enough to take out the post office, or hinder any sort of criminal investigation?
You are in a maze of twisted little posts, all alike.
You have again missed the point. Snail mail DOS can be targeted against people who aren't spammers!!! (Gasp!) The article (if you care to read it) mentions that a fairly trivial script would automate the signup process to some 250,000 sources of junk mail. The fallout from such an attack would affect everyone in the area causing lost and delayed mail as well as exploiting many legitimate companies sending the mail.
I believe that this "slash-period" is a haven for terrorists, and I believe that they have weapons of mass destruction. It is therefore my duty, as the president of the great nation, to eliminate this threat to our freedom. In the next 12 hours, a campaign of "shock and awe" will be undertaken, the likes of which have never been seen. Nasty emails will be sent in unprecedented numbers. Trolls will abound, and will overcome the enemy.
The pentagon has recently developed a new weapon, a kind of super-goatse, and this new weapon will be used to great effect.
But, remember that this war is not against the people of "slash-period," but is against their terrible regime. CowboyNeal and his associate, Commander Taco, are the enemies here. Our targeted trolling will not be directed at the innocent and oppressed ACs of "slash-period." We are liberators, not conquerors.
Thank you, and goodnight.
(I'm not sure if I was trying to be funny, or if I'm just bored at work..)
GeekNights!
Late Night Radio for Geeks!
Spam and Periodicals actually use more efficient methods to deliver mail, those fancy bar codes make their mail easily routable, your scribblings on the envelope require human eyes to sort to the correct address, humans cost money...and postal workers are some of the most expensive, the added inefficiency of union workers and gov't workers makes for very little work.
09f911029d74e35bd84156c5635688c0
Newsflash: the evil spammers are fighting back and hitting slashdot where it hurts, by submitting stories to the slashdot site that have already been posted and discussed.
...and probably again a few days after that, if a new newspaper article is written about it).
These stories are known in the slashdot community as "dupes", and the practice (now becoming well-celebrated in the spammer community) is called "duping the nerds".
Stay tuned for more details in the next posted article, (and again next week,
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
The best way to defend from internet attack also works in the real world. It's called "Don't make large groups of people angry."
This seems like complaining that the internet allows collaboration of large numbers of like minded people. Yeah, that's the point. The failure of this article is to understand that it is not organized. That's like saying that all the death threats the Dixie Chicks got all came from one organized structure.
Hundreds of thousands of people are not going to conspire to commit a single crime (Anthrax letter example). That's ridiculous.
To suggest that just because a large number of people are equally angry and respond in a similar way (through mailing etc), that the response is organized is stupid. People who want control set up straw man organization because they can't compete against 100,000 individuals. How many times have we heard "Those protests are completely organized by organization XYZ, they have buses that bring people in". Or in labor problems: "It's XYZ union that is causing the strike, most of the workers don't care". By using the tactic of combining the perception of voice down to a single entity, detractors can be more persuasive in gaining mindshare.
Spam exists purely because the time spent by the spammer is of less value than the reward he gets. We don't need to completely eradicate spammers, just slow them down until it's no longer worth the effort and they quit. Try imposing limits on the amount of email that can be sent per ISP user. If it's set high enough then it'll very rarely bother a legitimate user, but make it stop being cost effective for spamming. Say 500 emails per 7 days from one user on an SMTP or 1000 from a mailserver running on an ADSL. If you're having to send 1 million mails then signing up for/hijacking 2000 accounts is going to slow you down a bit. This would hopefully stop spamming from 'friendly' services.
Rogue ISPs are trickier to deal with, perhaps the throttling could be used? e.g. AOL trusts MSN, therefore anything originating from MSN would be allowed straight through. AOL is slightly more wary of rogueisp.cn so throttles the acceptance of messages from them to say 50,000 a day before it starts bouncing them. If rogueisp.cn behaves then everything will work perfectly, if they allow their network to hammer AOL then AOL will start chucking the emails back at rogueisp.cn clogging up their system. A perceived problem with this is that legitimate email gets bounced - tough. Rogueisp.cn gets to explain to their customers why "AOL has returned this message because of flood of crap sanctioned by your ISP" is attached to the message that's just been returned unsent. RogueISP can now decide to enforce sendmail throttling as mentioned at the top, or lose its customers.
Tweak the quotas so the better an ISP behaves, the higher its quota goes and vice versa and we can polarise connected ISPs, and it's then not too hard just to blanket ban the bad guys.
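The receiving-side throttle proposed in the comment above, as an added example that is not part of the original post. The 50,000/day starting quota is the comment's figure; the growth and penalty factors, the floor, the "hit the limit today" test for bad behaviour and the name msn.example are assumptions made for illustration.

```python
from dataclasses import dataclass

START_QUOTA = 50_000   # per-day figure taken from the comment
GROWTH = 1.25          # assumed: quota multiplier after a clean day
PENALTY = 0.5          # assumed: quota multiplier after a day with bounces
FLOOR = 1_000          # assumed: lowest quota before an outright ban decision


@dataclass
class Peer:
    quota: int = START_QUOTA
    accepted: int = 0
    bounced: int = 0


class InboundThrottle:
    """Per-peer daily acceptance quota kept by the receiving ISP."""

    def __init__(self, trusted=()):
        self.trusted = set(trusted)   # peers allowed straight through
        self.peers = {}               # peer domain -> Peer

    def receive(self, peer_domain, count=1):
        """Offer `count` messages; return (accepted, bounced)."""
        if peer_domain in self.trusted:
            return count, 0
        peer = self.peers.setdefault(peer_domain, Peer())
        room = max(peer.quota - peer.accepted, 0)
        ok = min(room, count)
        peer.accepted += ok
        peer.bounced += count - ok
        return ok, count - ok

    def end_of_day(self):
        """Reward peers that stayed under quota, shrink those that did not."""
        for peer in self.peers.values():
            factor = PENALTY if peer.bounced else GROWTH
            peer.quota = max(int(peer.quota * factor), FLOOR)
            peer.accepted = peer.bounced = 0

    def quota(self, peer_domain):
        return self.peers[peer_domain].quota


def demo():
    """Constructed two-day run: one trusted peer, one peer that floods."""
    t = InboundThrottle(trusted={"msn.example"})
    day1 = [t.receive("msn.example", 1_000_000), t.receive("rogueisp.cn", 80_000)]
    t.end_of_day()
    after_flood = t.quota("rogueisp.cn")
    day2 = t.receive("rogueisp.cn", 10_000)
    t.end_of_day()
    return day1, after_flood, day2, t.quota("rogueisp.cn")
```

Peers whose quota sits at the floor for several days running are the candidates for the blanket ban the comment ends on.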
Imagine though, that instead of signing up just any plain individual with an ego problem, that you signed up a business for all of this junkmail.
Think about a company sabotaging its upstart competitor by saturating their mailbox with junk. The competitor starts missing bills, notices from vendors, etc.
Or even worse, imagine someone who has been screwed by the phone company one too many times decides to mailing list bomb their bill payment center. The cost of processing payments shoots up while mail peons have to separate the payments from the junk.
Congresspeople start getting cut off from their constituency.
etc...
And the worst part is that this is so hard to undo. Even if you take the effort to unsubscribe from every single mailing list you're on, it would take the attacker mere seconds to re-add you to all of them.
This is probably one of the most devastating non-violent denial of service attacks you can utilize today.
Moral of the story: don't piss people off.
It would be very simple for a company to defend against being used in a scripted mail DOS attack.
With a bit of imagination the authentication could be turned into a competition...
I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:
Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997. I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.
If someone shot him would you be asking about the abolition of guns?
;)
Actually I think that's precisely why we should have guns.
This is my sig. There are many like it, but this one is mine.
Weren't there a couple of "mail dumping" incidents a couple of years ago?
IIRC, they found one postal worker with a whole basement/attic/whatever filled with undelivered mail, and another worker was found to be dumping it under an overpass or something.
The residents had complained for years about poor mail service, lost mail, etc and when they finally found out what was going on it looked like the whole postal zone was a fscking disaster (bad management, etc etc etc).
Overall, this seems like a rare exception. I've never had a bill not get paid or not gotten something due to the post office.
In fact, I've had more problems with UPS trashing packages.
A sending list.
Instead of buying a CD with a million email addresses, you buy a CD with the location of 100,000 catalogue/political/newsletter mailing list signup forms and a program to fill them out with your victim's information.
paintball
Um, if you can get Aunt Martha's cookie recipe confused with a hot naked teen email, I'd like to eat those cookies! :)
Someone should write a white paper detailing ways to get Slashdot to post dupes, and how it could potentially be used to do malicious things, like delaying the posting of real news.
Manipulate the moderator system! Mod someone as "overrated" today.
One way to prevent a scripted catalog-signup attack would be to centralize the processing of the signup forms. If all signup requests were routed through a single source, that source could easily detect a spike in signups. At that time, a confirmation phone call or letter could be sent to the recipient to determine whether they actually want all the junk, much in the same way that email list signups often generate an email that requests confirmation.
Of course, there are privacy concerns, centralization vulnerability concerns, and the issue of getting people to use the system. There is a collective action problem because normal members of the public don't have much of a reason (or way) to pay for this, and the catalog companies don't have much incentive to pay for it either since it's probably cheaper to send the occasional unwanted catalog than it is to restructure and pay more for their signup system.
-Mason
You're a real ass. The postal workers union is about as useless as tits on a bull, and the government exempts itself from all sorts of labor laws.
Postal workers, particularly those in the sorting centers work very hard -- they don't have a choice or a teamsters union to lighten the load.
Conformity is the jailer of freedom and enemy of growth. -JFK
Of course, none of this takes into account what happens when an overexcited script kiddie targets the wrong address for attack. This happened in the Ralsky case--if you go back, you'll see that people mistakenly posted his old address, the wrong phone number, etc. So some poor innocent sap (who could just as well be you) gets a dozen subscriptions to Hot Wet Naked Shaved Teenage Catholic Schoolgirls and Buff Biker Bears that he has to explain to his wife.
I guess that's just "collateral damage," right?
when the local LUG, gaming club, and anime association all stormed krispy kreme at the same time.
It's a little dated, but it's a straight definition. Terrorists strike at targets of opportunity in urban areas. The goal of their attacks is usually not to go after military targets--in most cases they're too well defended (although see Beirut, Khyber Towers, Pentagon and, if you're willing to split hairs, the King David Hotel) but to inspire confidence in those who would support them ("We can win this struggle!") and inspire fear in their enemies ("They came out of nowhere. How could we let this happen?").
Many terrorist organizations don't have a sufficient grasp of political reality to transform their terrorist activities into an effective opposition. Al Qaeda's goal was something along the lines of "worldwide Islamic Revolution"-- something that can probably be characterized as "pure fantasy." Although bin Laden's "simultaneous, multiple target" signature may have won him respect from other terrorist organizations, his tactics did little, if anything, to secure his stated political goals, and have instead (deservedly so) marked him as a mass murderer.
Christopher Hitchens defined terrorism as the tactic of demanding the impossible, and demanding it at gunpoint. It's an interesting definition, but, of course it all depends on what one views as impossible.
That doesn't let you catch every spammer that spams you, but it's enough that it can theoretically be very annoying to small spammers, who have to show up personally, and are more likely to be receptive to the message that "everybody hates you, and we'll make you lose money and spend lots of time being told that everybody hates you." (And if not, then hey, it's a $200 check for an evening's trip to Small Claims - busting spammers can be profitable if you're in a state with that kind of law.) Big spammers are likely to annoy more people, and usually incorporate to protect their owners, so they probably have to send a lawyer to the courts rather than the owner, but that's fine too. On the other hand, they're much more likely to locate to states that don't have such laws, so they're only subject to Federal laws.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
[An open letter to the paper authors:]
Your paper "Defending against an Internet-Based Attack on the Physical World" describes a number of countermeasures, almost all of which are focused on the Internet level of the attack.
Since most of the actual bad consequences of the attack come due to the "mail implosion" at the target address, it seems to me that there are other defensive possibilities based on detecting and averting the mail implosion before it happens.
The only entity in a position to do this is the post office itself. But the post office is already in the business of knowing the destination address of every piece of mail in its system. If the post office were able to mine the addressing data in its system to such an extent as to be able to detect sudden service-threatening implosions targeted at a particular address, the post office itself would be able to flag such mail as "nondeliverable due to system abuse" (perhaps with a notification to the target address that their mail was too voluminous to be delivered).
This would of course require exceptional investment in real-time tracking systems by the post office, although since all that is really required is a count of "number of mailings addressed to target" (and not an actual index of what the mailings themselves *are*), it is possible to avoid the overheads of constructing a full per-package tracking system.
This defense, it seems to me, would be performed by the actual victim of the attack -- the post office itself. Moreover, it is hard to see what countermeasures an attacker could employ to circumvent the post office's own monitoring of its traffic.
(I would imagine similar techniques at the email level are likely already used by ISPs to protect users against email implosion attacks...?)
What would you consider the strengths and weaknesses of this defense?
Thank you for a thought-provoking paper.
Sincerely,
Rob Jellinghaus
rob@helium.com
http://www.helium.co
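The per-destination counting defence raised twice in this thread (the central signup clearinghouse with a confirmation step, and the open letter's post-office count of mailings per target address), sketched as one added example that is not code from the paper or from any commenter. The window length, the limit of 50 distinct mailers, the address normalisation table and all names and addresses are assumptions or constructed sample data.

```python
import re
from collections import defaultdict, deque

WINDOW_DAYS = 7      # assumed look-back window
DEFAULT_LIMIT = 50   # assumed: distinct mailers per window before a hold

# Small constructed table so trivially varied spellings of one address
# land in the same counter.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt"}


def normalize(address):
    words = re.sub(r"[^a-z0-9 ]", " ", address.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


class ImplosionMonitor:
    """Counts distinct mailers per destination; stores no mail contents."""

    def __init__(self):
        self.window = defaultdict(deque)                 # addr -> (day, mailer)
        self.limit = defaultdict(lambda: DEFAULT_LIMIT)  # addr -> allowed mailers
        self.pending = defaultdict(list)                 # addr -> held mailers

    def observe(self, day, mailer, address):
        """Record one signup or mail piece; return 'deliver' or 'hold'."""
        key = normalize(address)
        events = self.window[key]
        events.append((day, mailer))
        while events[0][0] <= day - WINDOW_DAYS:         # expire old events
            events.popleft()
        distinct = len({m for _, m in events})
        if self.pending[key] or distinct > self.limit[key]:
            self.pending[key].append(mailer)             # await confirmation
            return "hold"
        return "deliver"

    def confirm(self, address, wanted):
        """Apply the recipient's answer; return the mailers that were held."""
        key = normalize(address)
        held = self.pending.pop(key, [])
        if wanted:
            # A genuinely high-volume recipient (a business, say) gets headroom.
            distinct = len({m for _, m in self.window[key]})
            self.limit[key] = max(self.limit[key], 2 * distinct)
        else:
            self.window[key].clear()   # cancelled requests no longer count
        return held


def demo():
    """Constructed sample: 60 signups in one day against one address."""
    mon = ImplosionMonitor()
    spellings = ["12 Elm Street, Apt 4", "12 ELM ST. APT 4", "12 elm st apartment 4"]
    verdicts = [mon.observe(3, f"catalog-{i}", spellings[i % 3]) for i in range(60)]
    quiet = [mon.observe(d, f"shop-{d}", "9 Oak Road") for d in range(1, 4)]
    cancelled = mon.confirm("12 Elm Street Apt 4", wanted=False)
    after = mon.observe(4, "bank", "12 Elm St Apt 4")
    return verdicts.count("hold"), quiet, len(cancelled), after
```

Counting distinct mailers rather than pieces keeps one legitimate bulk sender from tripping the hold, and the confirmation step is what separates a busy recipient from a targeted one.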