DOS Attack Via US Postal Service
Phronesis writes "Bruce Schneier reports in Crypto-Gram about the slashdot-inspired Post-office DOS attack on SPAM-king Alan Ralsky. More interesting, Schneier writes, is a recent paper on Defending against an internet-based attack on the physical world, which generalizes this attack and discusses how it could be automated and how one might defend against it (you can't stop it, but you could make it harder to effect). From the abstract of the article: 'The attack is, to some degree, a consequence of the availability of private information on the Web, and the increase in the amount of personal information that users must reveal to obtain Web services.'"
Politics that hard way (Score:2, Interesting)
Re:Lack of authentication (Score:5, Interesting)
Automated Spam attacks... (Score:5, Interesting)
If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms.
What's the chance of setting up a Perl script to automatically find Junk Mail Kings and sign them up for the service? I'm sure many of these 250,000 would be junk mail kings. Just set them on each other!
Though environmentally bad in the short term, if it shuts them down in the long term, it would save a heck of a lot of trees!
Re:Hardly DOS is it (Score:4, Interesting)
Re:Hardly DOS is it (Score:5, Interesting)
I recently was out of town for a few days. The tiny little mailbox that my apartment complex provides probably filled up on the second day, so the postal carrier took all of it back to the post office, and left me a lovely note that if I didn't pick it up in a few days, they'd send it all back. Luckily I got back in time to pick up my mail, but it was definitely an inconvenience tracking down which post office outlet had my mail and then taking the time to go get it.
So for a few days my postbox was shut down (mini DOS), because the postal carrier wouldn't leave me any new mail until I found the time to pick up what had already been taken away.
Re:Hardly DOS is it (Score:2, Interesting)
Re:Lawsuit Result (Score:5, Interesting)
Anti-spam crusader wins court battle Last Updated Tue, 15 Apr 2003 15:31:49
ELLICOTT CITY, MARYLAND - A Maryland court has ruled in favour of an anti-spam activist who was sued by an Internet marketing executive for harassment. Spam is the common name given to junk e-mail.
Francis Uy posts the names and addresses of spammers. This enables network operators to block junk e-mail or sue them.
But George Allen Moore of Maryland Internet Marketing Inc. said Uy's site posting such information is harassment and wanted it pulled off the Web.
Judge Robert Wilcox says there's no evidence Uy had harassed Moore directly, as Moore had alleged.
Moore says he has received about 70 packages and 200 magazines at his house because of Uy's site. Moore also says he's received threatening phone calls, including one person who he says threatened to kill him.
Moore is the owner of Maryland Internet Marketing. He's also listed as a prolific spammer by Spamhaus.org, which maintains a world directory of bulk e-mailers.
His company hawks everything from software to diet drugs.
"Every time you try to mess with me, I will post it and more people will learn about you," Uy warned other spammers. "I don't need to encourage harassment against you, and I don't need to. Your best option is to crawl back under a rock."
Moore says he's considering further legal action.
Lex Talionis is a morally bankrupt code (Score:-1, Interesting)
Lex Talionis, the principle of an eye for an eye, is a morally bankrupt code of law we've been moving away from for the past few thousand years, thankfully. It can't deal with the complexities of the modern legal order, and it ignores all proper justifications for systems of punishment: rehabilitation, prophylaxis, etc. It makes an assertion of rigid judgment in an attempt to avoid judgment itself. We can't live in a world without judgment.
Ask yourself this: should we rape the rapist? If not, why not? (Ignore for a moment that we essentially do rape rapists by committing them to so-called "maximum security" prisons where they get systematically brutalized and raped by guards and other inmates.) It's not a morally tenable position to lower ourselves to the level of brutes just so we can vindicate some idea of retribution.
Therefore, ask yourself why we should be happy when the spammer gets spammed? No one should have to endure the pain and annoyance of spam: it's the scourge of the online world. Not even the spammer, who may be in his business because of factors outside his control like debt or bills for an illness in the family, etc. We should be outraged when anyone is spammed, and we should put the full force of the state and the law against the perpetrator no matter who the victim! Picking and choosing among which victims to protect is something the legal order of former barbaric times did. I'd be disgusted if our government returned to those days.
Spam == bad. Victimization == bad. Why do people conflate the two? What kind of giddy moral superiority do you get from seeing anyone hurt?
Re:This is a serious issue (Score:3, Interesting)
Maybe, but it wouldn't even take a group of people. All you'd need is one motivated person with a search engine and a Web manipulation module like Perl's LWP. You could easily write a script to flood a person with junk mail all by yourself. A little easier to trace maybe, but still damn hard to stop.
re: Google and DOS Attack Via US Postal Service (Score:4, Interesting)
Google now kicks back one hit - the article itself...
You really have to strip your search down before it starts returning anything.
What about the USPS? (Score:2, Interesting)
I mean, logistically, how do they cope with it?
retaliatory postal spamming works (Score:5, Interesting)
Re:no, it is not (Score:3, Interesting)
I agree that you shouldn't piss off too many people. Believe me, I haven't shed any tears over Ralsky's fate. But the power of DOS attacks is that they can be initiated easily by motivated *individuals*. As I said on another post, it would be easy to automate what happened to Ralsky such that a single person could initiate a flood of junk mail to any specified postal address. Or maybe you could flood a town's post office with junk mail to create a diversion and then send a real nasty letter (e.g. Anthrax) to the same place in an attempt to hide it. That is the real danger.
Gees! I'm becoming such a conspiracy theorist!
Re:Lex Talionis is a morally bankrupt code (Score:5, Interesting)
Wrong. Lex Talionis was the principle that you take NO MORE than an eye for an eye - promulgated as an "improvement" in an era where the response to losing an eye (or a purse) might be to do in the alleged perpetrator and confiscate all his worldly goods.
It's morally bankrupt, all right. But only to the extent that if the thief only loses what he stole, and has a nonzero chance of getting away with it, theft remains a profitmaking enterprise despite full enforcement of the law. So it becomes an endorsement of theft as a lifestyle. This is why there are "punitive damages" - extra penalties to punish the perpetrator (thus making continued misbehavior a losing proposition even with imperfect law enforcement).
None of which applies here. Applying "Lex Talionis" to the spammer would mean spamming him, rather than seeking compensatory and punitive damages.
===
Which is what they did, isn't it? B-)
===
Lex Talionis also recognizes a moral principle of equivalency, to wit: In an egalitarian society, regardless of what actions you think are fair, you have NO moral gripe if someone does to YOU what YOU did to them. If it was wrong for them to do in retaliation, it was AT LEAST as wrong for YOU to do without provocation.
===
I note, by the way, that your posting is IDENTICAL to one you made several [slashdot.org] times [slashdot.org] previously [slashdot.org] - including in the slashdot article credited with inspiring the USPS DDoS attack in the first place. (And that last one I cited was under your own slashdot ID of Chuck Flynn [slashdot.org].) Given that, I felt free to repeat, almost verbatim, my response to your most recent previous missive.
The posts that receive your canned response seem to be any suggestion about spamming the spammers. You wouldn't happen to be a spammer, would you?
Property value (Score:3, Interesting)
Got Ralsky's Home Number? or Fax Number? (Score:4, Interesting)
First - get his fax number into some key marketing/questionnaire databases and blamo! - Fax Spam Ahoy!
Second - Setup a couple of "Faxback" server attacks on those numbers. Faxback servers are fantastic because they're realllly dumb. Call them up on a toll-free number and order up a mess of documents to be faxed to wherever you want. The best part is that they're relentless - they will just keep on calling (up to 10 times) to try to make a connection.
It's mega-annoying - especially if you get a couple of them going at once - and at 3AM.
But heck
Wouldn't it be more effective... (Score:4, Interesting)
to determine the business addresses that those who actually respond to his spam would be sending their checks to and swamp those? Spammers depend on a very low operational cost model to make money. If they have to sort through 100s of items of mail for every one that has a check in it, you've just increased their cost of doing business.
If they're doing most of their business electronically, publishing a list of their SSL sites could be interesting. If we all ran something to walk the list once an hour and just make a connection to the SSL sites and leave it, they'd be effectively down. Negotiating the SSL connections has a high computing cost on their side.
If someone were to design a virus that does that and continuously checks into sites for new lists, I might actually try to get the virus.
In other words, if you want to have a real effect, go for cutting off the money.
If you read the article... (Score:2, Interesting)
When I scrolled through the posts, I was really looking to see if anyone here had been sued, or even contacted, about this potential suit.
So, has anyone heard anything yet? Personally, I think they'll have a hell of a time proving that anyone did anything. It might be a false threat to try to get the postal DDOS attack to stop.