Cyberattacks With Offline Damage

R. A. Hettinga rah at
Mon Apr 14 12:30:34 EDT 2003


New York Times

April 14, 2003 

Cyberattacks With Offline Damage 

WHAT'S virtual is virtual, and what's real is real. Right?

Maybe not. 

Most experts think of cyberattack as something that will
happen in the virtual world, with effects on, say, computer networks or
access to bank accounts. Cyberattacks involving the use of online tools
against the offline world would be much harder. 

But a recent paper by a
computer security researcher at Johns Hopkins University suggests that
there are plenty of gateways that connect the cyberworld with the more
familiar terrain that some call "meatspace." And, since he is a security
researcher, he does it by showing the potential for a cunning attack that
crosses that gateway. 

Aviel D. Rubin, the technical director of the
Information Security Institute at Johns Hopkins University, describes in
the paper with two co-authors a real-world attack that uses computers to
automate tasks and the power of the Internet to disseminate information.

Using tools that have been published by search engines like Google that
allow programmers to automate searches on a large scale, Mr. Rubin and his
colleagues described a relatively simple program that could set the victim
up to receive catalogs from hundreds of thousands of Web sites that have
sign-up forms. 

In fact, something like what Mr. Rubin describes has
already happened. Last year, Alan Ralsky, a spam-sending entrepreneur known
as the "spam king," gave an interview to The Detroit Free Press boasting
about his 8,000-square-foot house and all the money he made from sending
unwanted e-mail to hundreds of millions of people at a time. Shortly after
that article appeared on, a major online news source for
technophiles, its readers signed Mr. Ralsky up for thousands of catalogs,
brochures and more. Soon he was getting hundreds of pounds of mail every

That was a spontaneous effort by a large community. But Mr. Rubin's
paper suggests that anyone can get a computer to stand in for the
Slashdotters and bury someone in junk. And Google shows hundreds of
thousands of Web pages from which anyone could request a catalog. 

sounds like a new version of the oldest prank in the book ‹ the cyberspace
equivalent of the old order-50-pizzas-for-your-enemies trick. But it's much
bigger than that. Mr. Rubin's attack could be enormously disruptive to the
target, and could paralyze the local post office that has to deal with the
onslaught. As the report notes, the exploit could be used as a diversion to
accompany a deadly terrorist act, like mailing an envelope containing
anthrax spores. 

Some experts have talked about hypothetical,
sophisticated cyberattacks on real-world facilities that are connected to
the Internet, like the power grid and dams. But the situation described by
Mr. Rubin suggests that a far more low-technology approach could cross the
barrier between virtual and real realms. 

Other automated attacks could
easily follow, he said in an interview, including automated orders for
hundreds of maintenance requests, package pick-ups and service calls. 

risk unleashing such mischief by writing about it? That's always the
question security researchers face, and Mr. Rubin said that he would never
have released the paper if he thought that the attack would not emerge
otherwise, or if there were no way to stop it. But the programming tools
are out there, he said, and sites are vulnerable. It's only a matter of
time before the "script kiddies" who start cyberattacks from code that
others develop and share start trying to bury people in paper. "If we knew
about it and did nothing, and then the attack was launched, we would be
guilty of negligence," he wrote. "It is our judgment that the time has come
to reveal this threat." 

In the report, he also describes ways that Web
sites can make the process of filling out forms hard for automated programs
to do, in some cases simply by asking the user to answer an unexpected
question or to solve a simple puzzle before proceeding. One of the fathers
of computer science, Alan Turing, once suggested that artificial
intelligence could be tested by seeing if a program could be good enough to
fool a human being into thinking he was communicating with another person.

A "reverse Turing Test" ‹ already in wide use in computer security to
foil automated attacks ‹ would stump a silicon brain while letting people
get the information they need without much fuss, he said. 

The paper,
which can be found at, has impressed
Bruce Schneier, a security expert who has been looking at these issues. He
is writing about it for the latest edition of his widely read newsletter,
Crypto-Gram. "This interstitial area where cyberspace meets the real world
is a ripe area of attack," he said in an interview. He sees this problem as
being the real-world equivalent of a distributed "denial of service"
attack, in which the attacker gets computers around the world to inundate a
target machine with data, messages and other electronic detritus that make
it impossible for legitimate users to get through to it. 

A spokeswoman
for the Postal Service, Sue Brennan, said the attack described by Mr. Rubin
might not work in practice. "The concepts in the document, while
compelling, appear to be systematically flawed with regard to the controls
our major mailers would have in place to prevent such an event from
occurring," she said. 

"That's good," Mr. Rubin said, but he argued that
an attack that ordered only one catalog from thousands of sources might
have serious effects before it could be detected. "I hope she's right," he
said. But he did not sound optimistic. 

Copyright 2003  The New York Times
Company |Privacy Policy 

R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list