Slashdot Mirror


Internet Based Attacks in a Physical World

scubacuda writes "In light of the /. backlash against Spam King, Alan Ralsky, (in which /.ers published his info online--including an overhead shot of his house--and signed him up for junk) Simon Byers, Aviel Rubin, and David Kormann have written a report entitled Defending Against an Internet-based Attack on the Physical World. Bruce Schneier notes that there's no easy defence against such an attack, largely because companies want to make it easy for consumers to get their promotional information: 'Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the post office and catalog mailings. All the pieces (that) are required for the attack to work.' But as Rubin and his colleagues point out, there's a real danger in this ploy, one that few people have likely thought about. 'A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'"

23 of 290 comments

  1. That's an easy one: by Anonymous Coward · · Score: 5, Funny

    If you don't want to be attacked on a large scale from the Internet, don't piss off Slashdot readers!
    It should be a no-brainer by now, and we have shown the effectiveness!

  2. All we need by OneArmedMan · · Score: 5, Funny

    now, is a way for the internet to deliver a flaming bag of dog poo to the doorstep of your favourite enemy and life will be complete.

    1. Re:All we need by WeirdKid · · Score: 5, Funny

      Ask and ye shall receive. Actually, I'm surprised nobody's sent this to the spammers already.

  3. dirty magazines? by corsec67 · · Score: 5, Funny

    Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale.

    Heh, I gotta remember this excuse. "No, I didn't sign up for these dirty magazines. It is some internet conspiracy..."

    That, and why is he complaining?

    --
    If I have nothing to hide, don't search me
  4. Re:The Economist by mlush · · Score: 4, Informative

    I think The Economist has the easiest and cheapest answer to the problem of spammers. Charge large emailers per send.. the economic disadvantage of sending out wasted emails would then help reduce the number and encourage targeted sending...

    You missed the point here. The problem is not spam email, it's a DOS attack using snail mail which damages both the target and the bulk mailers.

  5. Dupe attacks are similar by worst_name_ever · · Score: 5, Funny

    Trying to get people to subscribe to Slashdot and making them read embarrassing dupes is an old trick. These attacks exploit the lazy properties of the editors as well as their unprofessionalism. All the pieces (that) are required for this attack to work. There's a real danger in this ploy, one that few people have likely thought about: "A scenario could be imagined where a story could be posted to Slashdot, and then the same story could be posted again a couple weeks later, to wreak havoc on the Internet for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the posting of a goatse link."

    --

    In Soviet Rush, today's Tom Sawyer gets high on you.
  6. DOS by lawsuits? by joostje · · Score: 5, Insightful
    I've always thought that in a way, a lawsuit often serves like a DOS attack, especially if it's a big company filing against an individual.

    Basically, the individual is swamped with requests s/he has to answer, and using up large amounts of resources (lawyer fees).

    Very similar to a DOS attack where a server has to answer loads of requests, eating away at its resources (CPU/network traffic).

  7. They forgot a key tactic by Anonymous Coward · · Score: 4, Funny

    I always liked the idea of placing a classified ad for a mint 1978 Camaro for $750 (b/c you're getting a divorce yadda yadda) and then listing your bud's phone number as the contact info. Best to use Auto Trader or the like because the ads run longer than newspapers and can't be cancelled in a day. Never done it, but sure have been tempted on occasion...

  8. Re:Who trusts the US Mail anyway? by HowlinMad · · Score: 5, Insightful

    I both agree and disagree. For $.37, if it is in fact important, then no, I would not use the standard option. But, the USPS does have other services available, i.e. Certified Mail, Registered Mail, Delivery Confirmation, Signature Required, etc. These all cost more money, but once again, if the package is important, it is well worth the small cost.

    So basically I find the USPS to be reliable, if you pay for the proper service.

  9. Re:stop terrorism paranoia by tarogue · · Score: 5, Funny

    If it's a rughead

    So, if it is sent by William Shatner or Ted Danson it would be terrorism?

    --
    Life sucks, but death doesn't put out at all. -- Thomas J. Kopp
  10. Idiot by theLOUDroom · · Score: 5, Insightful

    or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter.'

    God damn. This just makes me want to punch him in the face. Why the fuck does everyone always have to bring terrorism into everything? Ever since 9/11 we have had idiots, making comments like this about EVERYTHING. I am so sick of it.

    This guy's statement requires ridiculous stretches of the imagination for one to even think of a way it might benefit a terrorist. I mean, seriously, use some common sense here. If you're trying to send someone a letter full of anthrax, you want it to actually get there.

    Yes, terrorists could use cars too. Maybe we should ban cars! That way a terrorist can't get his hands on a car and start running people over. Just imagine how many people he could kill by driving down a busy sidewalk! We better hurry!

    Then we'll have to ban chair-lifts too. Imagine how many people would be injured or killed if someone cut the cable! We can't have that, now can we?

    Ya know, they used fertilizer to make that there Oklahoma City bomb. We better get rid of fertilizer too.

    But wait! That still leaves arson! We better make matches a restricted item. Can't have a terrorist going around burning down houses, now can we?

    This kind of moronic reasoning makes me want to get this guy alone and "exploit the automation properties" of a few choice power tools.

    See! Power tools can be used for evil! Better get rid of those too. Never mind that the benefit they provide to society far outweighs the cost. Never mind that this is supposed to be a "free" society. Won't someone please think of the terrorists?

    --
    Life is too short to proofread.
    1. Re:Idiot by brettlbecker · · Score: 5, Insightful
      I completely agree.

      The culture of fear is just sickening, and the fact that the government and state agencies are exacerbating the 'terrorist' buzzword is repulsive. As if it wasn't bad enough, the major media outlets are constantly trying to one-up each other with hysterical reporting.

      All of this serves to show how gullible, how willing most people are to accept all of this as fact. It brings out the frightened-herd metaphor in all of its glory. And it makes one wonder what happens when the world's greatest superpower is also the world's most terrified nation. What happens when animals are backed into corners?

      This is not likely to end soon. Things are going to get worse before they get better... that is, if there is a chance for things to get better.

      B

      --
      "We must still have chaos within in order to be able to give birth to a dancing star." --Friedrich Nietzsche
    2. Re:Idiot by swordgeek · · Score: 4, Insightful

      Well since you're already modded up to 5 (i.e. I can't moderate it up anymore), I might as well post.

      Agreed 100%. I keep hearing about the potential for "Terrorist attacks," mostly coming from US government officials or Concerned Citizens(tm). Do they forget that the anthrax attacks in the US, terrible as they were, were initiated by a born-and-raised American citizen? Or that they killed less people in total than are killed in the US by handguns every single day?

      Give it a rest folks! There will always be some way for psychopaths to kill people, possibly en masse. All that regulating every aspect of life does is annoy people, and make it impossible to live normally anymore.

      --

      "People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
  11. Try it with a Harley by maddogsparky · · Score: 4, Funny
    A few years ago, some of my dad's coworkers posted an ad for a brand new Harley-Davidson motorcycle in one of those trader magazines. They listed their plant manager's number and stated that he worked evenings, so the best time to call was between 1-4 AM.

    Apparently, he started getting calls from several states away from irate bikers who were pissed at HIM when he told them he wasn't selling one (he never owned a motorcycle).

    --
    science is a religion
  12. Re:stop terrorism paranoia by kubrick · · Score: 5, Funny

    William Shatner is...... already guilty of... acts of... terrorism...... against. TheEnglishLanguage.

    --
    deus does not exist but if he does
  13. Executable script-kiddies? by Potor · · Score: 5, Funny
    It's their view that a small program could be written, such as an easy-to-execute "script kiddie," that could effortlessly scan millions of sites on the Internet, detect which ones have free online subscription or information request forms, and fill out the forms with a victim's name and address.
    what's your favourite way to execute a script-kiddy?
  14. Info: related attacks by jtheory · · Score: 4, Funny

    Newsflash: the evil spammers are fighting back and hitting slashdot where it hurts, by submitting stories to the slashdot site that have already been posted and discussed.

    These stories are known in the slashdot community as "dupes", and the practice (now becoming well-celebrated in the spammer community) is called "duping the nerds".

    Stay tuned for more details in the next posted article, (and again next week, ...and probably again a few days after that, if a new newspaper article is written about it).

    --
    There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
  15. Don't make the mob mad. by Ironpoint · · Score: 5, Insightful

    The best way to defend from internet attack also works in the real world. It's called "Don't make large groups of people angry."

    This seems like complaining that the internet allows collaboration of large numbers of like-minded people. Yeah, that's the point. The failure of this article is to understand that it is not organized. That's like saying that all the death threats the Dixie Chicks got all came from one organized structure.

    Hundreds of thousands of people are not going to conspire to commit a single crime (Anthrax letter example). That's ridiculous.

    To suggest that just because a large number of people are equally angry and respond in a similar way (through mailing etc), that the response is organized is stupid. People who want control set up straw man organizations because they can't compete against 100,000 individuals. How many times have we heard "Those protests are completely organized by organization XYZ, they have buses that bring people in". Or in labor problems: "It's XYZ union that is causing the strike, most of the workers don't care". By using the tactic of combining the perception of voice down to a single entity, detractors can be more persuasive in gaining mindshare.

  16. Think about what this can do to companies.. by defile · · Score: 5, Insightful

    Imagine though, that instead of signing up just any plain individual with an ego problem, that you signed up a business for all of this junkmail.

    Think about a company sabotaging its upstart competitor by saturating their mailbox with junk. The competitor starts missing bills, notices from vendors, etc.

    Or even worse, imagine someone who has been screwed by the phone company one too many times decides to mailing list bomb their bill payment center. The costs of processing payments shoot up while mail peons have to separate the payments from the junk.

    Congresspeople start getting cut off from their constituency.

    etc...

    And the worst part is that this is so hard to undo. Even if you take the effort to unsubscribe from every single mailing list you're on, it would take the attacker mere seconds to re-add you to all of them.

    This is probably one of the most devastating non-violent denial of service attacks you can utilize today.

    Moral of the story: don't piss people off.

  17. The solution is with the mailers by mlush · · Score: 4, Interesting

    It would be very simple for a company to defend against being used in a scripted mail DOS attack.

    • Move the order forms to another location and slap a robots.txt on them to try and keep them out of Google et al
    • Some simple question/answer system to demonstrate the user is human
      • What is this a picture of? (multiple choice)
      • Enter the word in this picture
      • Could you type the company name in backwards (for lynx users)
      • etc
    • Use obscure names for the CGI parameters
    • Perhaps some sort of tripwire parameter called 'postcode' that actually holds the phone number, if a postcode is entered it causes the submission to fail

    With a bit of imagination the authentication could be turned into a competition...
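
The tripwire field, obscure parameter names and type-it-backwards challenge listed in the comment above, sketched as a server-side check. This is an added example, not code from the thread; the wire names such as `f_q7`, the company name and both sample submissions are constructed.

```python
import re

COMPANY = "Acme Seeds"  # constructed company name used by the text challenge

# Obscure wire names -> real meaning. "postcode" is the tripwire: on this
# form it carries the phone number; the real ZIP travels as "f_z9".
FIELD_MAP = {"f_q7": "name", "f_k2": "street", "f_z9": "zip",
             "postcode": "phone", "f_c4": "challenge"}

ZIP_RE = re.compile(r"\d{5}(-\d{4})?")                          # US ZIP / ZIP+4
UK_RE = re.compile(r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}", re.I)   # UK postcode
PHONE_RE = re.compile(r"\+?[\d\s().-]{7,20}")


def check_request(form):
    """Return (accepted, reasons, record) for one submitted form dict."""
    reasons = []
    # Conventional names a generic form-filler guesses but this form never serves.
    extra = sorted(set(form) - set(FIELD_MAP))
    if extra:
        reasons.append("unexpected fields: " + ", ".join(extra))
    missing = sorted(set(FIELD_MAP) - set(form))
    if missing:
        reasons.append("missing fields: " + ", ".join(missing))

    trap = form.get("postcode", "").strip()
    if ZIP_RE.fullmatch(trap) or UK_RE.fullmatch(trap):
        reasons.append("tripwire: postcode entered in phone field")
    elif trap and not PHONE_RE.fullmatch(trap):
        reasons.append("phone field is not a phone number")

    answer = form.get("f_c4", "").strip().lower()
    if answer != COMPANY[::-1].lower():
        reasons.append("challenge failed")

    record = {FIELD_MAP[k]: v.strip() for k, v in form.items() if k in FIELD_MAP}
    return (not reasons, reasons, record)


# Constructed sample submissions: a person reading the labels, and a script
# that fills fields by their apparent names.
HUMAN = {"f_q7": "Pat Example", "f_k2": "1 Main St", "f_z9": "48322",
         "postcode": "248-555-0100", "f_c4": "sdeeS emcA"}
SCRIPT = {"f_q7": "Victim Name", "f_k2": "1 Main St", "f_z9": "48322",
          "postcode": "48322", "f_c4": "", "zip": "48322"}

if __name__ == "__main__":
    for label, form in (("human", HUMAN), ("script", SCRIPT)):
        print(label, check_request(form)[:2])
```

Rejected submissions are best logged with their reasons rather than silently dropped, so repeated tripwire hits for one postal address show up as a pattern.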

  18. Re:Who trusts the US Mail anyway? by Oswald · · Score: 4, Insightful
    This is wrong. The mail is not unreliable. In 25 years of paying my own bills, I cannot recall a single instance where somebody I owed money claimed not to have received the check I sent them. That's hundreds of pieces of important mail without a single loss or serious delay, going back to the late Seventies.

    Mostly people bash the USPS because it's something they've heard others do, not because they've had bad experiences. Have you had trouble with your mail?

    And what is Certified Mail if it isn't USPS?

    Thirty-seven goddamn cents for three- or four-day delivery anywhere in the country. A couple bucks to send a book via Media Mail and have it arrive 5 days later (10 days sooner than the estimate). I don't know what you want.

  19. 250,000+ catalog forms? Try 839. by rednox · · Score: 5, Interesting

    I don't think this invalidates their conclusions, but there is one "fact" that is not actually true. The Star article states:

    Schneier discovered that by typing "request catalog name address city state zip" into Google, a person gets links to more than 250,000 sites containing subscription and request Web forms.
    Sure, Google says that it found "about 259,000" search results. However, paging through the results themselves reveals that it only found 839. Including the omitted, very similar pages, there are still only 997.

    I think that the web has a huge number of automated forms that could be used for this kind of attack, but you would have to do a little more digging for them than the article implies.

  20. Re:Guerrillas and gorillas... by dave_mcmillen · · Score: 5, Insightful

    "A scenario could be imagined where an attacker would do this to delay the arrival of an important letter, to wreak havoc on the postal system for political reasons, or even worse, to serve as a diversion for a terrorist act, such as the mailing of a contaminated letter,"

    Pure FUD and crap.


    Oops, I'm sorry . . . They've invoked the T-word ("terrorist"), so you are no longer allowed to express any doubts, reservations, or hesitation. Your Patriotic Duty(TM) is to wave a flag and go along with whatever they say. If you're not one of Us, you're one of Them.