Notes on "Defending Against an Internet-based Attack on the Physical World"
Major Variola (ret)
mv at cdc.gov
Mon Apr 14 21:39:30 PDT 2003
http://www.avirubin.com/scripted.attacks.pdf
is an interesting, clueful paper that suggests that by exploiting
search engine APIs, one can find large numbers of dead-tree info request
forms, parse them, and submit a victim's info such that
said victim (or their deadtree post office) is overwhelmed
with physical mail.
Some small comments:
1. The "Turing Tests" (sec 5.3) which try to assure that
a human is doing the submission have two weaknesses.
First, visual tests (which OCR can't handle) discriminate
against the visually impaired, FWIW. Second, OCR
folks (and machine vision folks in general) are always
trying, for their own purposes, to make OCR as capable
as humans. The gaps, point-noise, odd fonts, and distractors
in "catpcha.net" like tests are all surmountable challenges for
machine vision. And once solved once, they are available for all, as
Schneier
once emphesized (the script kiddy / internet problem)
2. The deadtree postal system is tolerant (because of
humans in the loop) of small misspellings and other
errors. As a result, automated counter-systems (possibly
including honeynets) which attempt to detect
address flooding would have a harder time
recognizing semantically but not literally identical addresses..
3. The authors' claim that part of their motivation for publishing
(after sitting on this exploit for a while) is the availability
of search APIs (sec 2).
Frankly I don't see how Google (or other) APIs
gives an advantage over scripts which emulate
browsers paging through searches, except perhaps
being a bit more direct for programmers/scripters.
Doing a bit more parsing of HTML search results
eliminates the need for any special API -in fact,
it may be more general, and we do favor
nonproprietary open standards over someone's
beta API.
...
Additional case studies are needed, however, to determine which traits
of chemical and biological terrorists might help identify them
because charisma, paranoia, and grandiosity are alo found to varying
degreees among, for example, leaders of political parties, large
corporations, and academic depts. --John T Finn, _Science_ v 289 1
sept 2000
More information about the cypherpunks-legacy
mailing list