Bruce Schneier's newsletter comes out today. I have a guilty conscience because last month there were a couple of things worth commenting on and, by putting it off, it slipped my mind. I'll make up for it today.
Good old Bruce talks about security, and not just computer security. This month, for example, he deals with receipts:
Store owners want their salespeople to ring up a sale and provide a receipt, because that practice also generates an internal register receipt and makes it harder for salespeople to steal from the register: It produces an accurate audit trail. Honest salespeople don't care one way or another, and in stores where returns are not common -- such as fast-food restaurants or convenience stores -- neither do the customers. A common security practice is to put a sign on the register that says: "Your purchase free if I fail to give a receipt." What that sign does is give the customer an interest in paying attention to whether or not she gets a receipt and immediately reporting an employee who doesn't give her one (by demanding her purchase free). It enlists her as a security agent to defend against employee theft. The customer has the capability to perform this security function, and the sign gives her the incentive.
He also talks about spam and about the fact that the American police have no trouble decoding encrypted phone calls. Last month, as I was saying, the newsletter was more interesting. It dealt, with the usual intelligence, with the story of the spammer buried under paper mail:
In December 2002, the notorious "spam king" Alan Ralsky gave an interview. Aside from his usual comments that antagonized spam-hating e-mail users, he mentioned his new home in West Bloomfield, Michigan. The interview was posted on Slashdot, and some enterprising reader found his address in some database. Egging each other on, the Slashdot readership subscribed him to thousands of catalogs, mailing lists, information requests, etc. The results were devastating: within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.
The story is known to everyone. Less well known, perhaps, is how the attack is replicated:
If you type the following search string into Google -- "request catalog name address city state zip" -- you'll get links to over 250,000 (the exact number varies) Web forms where you can type in your information and receive a catalog in the mail. Or, if you follow where this is going, you can type in the information of anyone you want. If you're a little bit clever with Perl (or any other scripting language), you can write a script that will automatically harvest the pages and fill in someone's information on all 250,000 forms.
The moral (there always has to be a moral) is that hard times await us:
What's interesting about this attack is that it exploits the boundary between cyberspace and the real world. The reason spamming normally doesn't work with physical mail is that sending a piece of mail costs money, and it's just too expensive to bury someone's house in mail. Subscribing someone to magazines and signing them up for embarrassing catalogs is an old trick, but it has limitations because it's physically difficult to do it on a large scale. But this attack exploits the automation properties of the Internet, the Web availability of catalog request forms, and the paper world of the Post Office and catalog mailings. All the pieces are required for the attack to work.
OK. We have Perl, the program doesn't seem very difficult; all that's missing are the addresses of the people we want to bury in guano. Any suggestions?
Disclaimer: I love everybody, I don't have time to write the program, I don't know Perl, I never wrote this post, I don't know what the internet is, etc.
10:13:50 PM