Interesting People mailing list archives
IP: Making something look hacked when it isn't: Risks Digest 21.16
From: Dave Farber <farber () cis upenn edu>
Date: Tue, 26 Dec 2000 20:35:15 -0500
Date: Sat, 16 Dec 2000 15:03:27 -0500
From: "Richard J. Barbalace" <rjbarbal () MIT EDU>
Subject: Making something look hacked when it isn't

A brief e-mail has been getting forwarded around our campus which reads:

Check out breaking news at CNN: http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm

At first glance, this appears to be a genuine article on CNN, but a quick read reveals that it is a cute joke. Most people who have seen the fake article have immediately assumed that www.cnn.com has been hacked in some manner. Those more familiar with the HTTP specification, however, will notice that the URL is completely valid, and does not lead to or redirect from any cnn.com computers. No machines have been hacked. Instead, the e-mail just plays with your expectations of what a URL should look like. The risk here is not a computer one at all, but a social risk that even (or perhaps especially) knowledgeable people will assume something has been hacked when it hasn't been.

An even sneakier URL might be:

http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm

For those of you still pondering why that URL works, read the HTTP spec and try the equivalent:

http://username@18.69.0.44/evarady/www/top_story.htm

Richard J. Barbalace <rjbarbal () mit edu>

------------------------------

Date: Mon, 18 Dec 2000 21:09:19 -0800 (PST)
From: rpw3 () rigden engr sgi com (Rob Warnock)
Subject: The risk of a seldom-used URL syntax

Recently, a mailing list I'm on forwarded a report of a "hack" of the CNN.com site. Upon looking closely, I found that the CNN site hadn't been hacked at all -- it was the *minds* of readers of this hoax "report" that were being hacked! Rather cute, actually, but it exposes what is perhaps a larger RISK, so please bear with me while I set up the story...
An MIT student named Eric Varady took a parody news article from The Onion <URL:http://www.theonion.com/onion3637/bush_horrified.html>, edited the layout to resemble CNN's format, and copied it to his own site <URL:http://salticus-peckhamae.mit.edu/evarady/www/top_story.htm>. (Note that multiple threatened legal actions have since forced him to remove the original content, but an explanation page is still there.)

He then passed around a "report of a hack of the CNN site" with a URL [which I *do* hope makes it through the mail-to-HTML scripts at Catless!] of <URL:http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm>. If you look very closely, you'll see that the actual host named by this URL is not "www.cnn.com", but "18.69.0.44" (a.k.a. salticus-peckhamae.mit.edu).

That is, for IP-based/Internet URL "schemes" such as HTTP or FTP, the general format defined in RFC 1738 is:

    <scheme>://[<user>[:<password>]@]<host>[:<port>]/<url-path>

The "user" field is very rarely used, and even then is more often seen with FTP than HTTP. But since it contained an at-sign before the first slash, the hoax URL was really <URL:http://18.69.0.44/evarady/www/top_story.htm> with the (ignored) user field of "www.cnn.com&story=breaking_news". Cute, eh?

More serious scams of this sort are possible, given the number of users who (1) have *no* idea what the formal syntax of a URL is, and (2) routinely access the Web through "portals" which often create complicated indirection URLs to aid with logging or tracking to support advertising revenue, e.g.:

    <URL:http://www.foo.bar.com/logger.cgi?http://www.other.place.com/some_article>

The RISK is that users are being bombarded with these monstrosities so often that they've grown used to it, and that they'll fail to recognize when they're being sent someplace they might not really want to go!!
(Perhaps when it's not a joke, such as being sent to a porn site while working at a company with a "no tolerance" policy.) ------------------------------
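Both messages above hinge on the same two parsing rules: everything between "//" and the first "@" before the first "/" is userinfo, not the host, and a host may be written as a single decimal integer (306511916 is 18.69.0.44). The script below is an added example, not code from either Risks contributor or from the Interesting People list; it dissects the two hoax URLs quoted in the messages (plus one constructed, benign cnn.com URL for comparison) the way a browser would, and applies the kind of heuristic a mail gateway or link scanner could use to flag them. The function names dissect, canonical_host and warnings_for are this example's own.

```python
"""Show which host a URL really names, and flag the tricks used by the
CNN hoax URL: a userinfo field that looks like a hostname, and a host
written as a bare decimal integer.

Added example; not part of the original Risks Digest messages.
"""
import ipaddress
from urllib.parse import urlsplit

# The two URLs quoted in the messages above.
HOAX_URL = "http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm"
SNEAKIER_URL = "http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm"
# Constructed benign URL for comparison (path invented for this example).
BENIGN_URL = "http://www.cnn.com/US/12/18/top_story.htm"


def canonical_host(host):
    """Return the host in dotted-quad form when it is written as a bare
    decimal integer (306511916 -> 18.69.0.44); otherwise return it as-is.
    Integers too large for IPv4 are returned unchanged.
    """
    if host is None:
        return None
    if host.isdigit():
        try:
            return str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:
            return host
    return host


def dissect(url):
    """Split url per the RFC 1738 / RFC 3986 grammar and report what a
    browser actually does with it: 'host' is the machine that will be
    contacted; 'userinfo' is the text before '@' that the hoax relies on
    readers mistaking for the host.
    """
    parts = urlsplit(url)
    userinfo = parts.username
    if parts.password is not None:
        userinfo = f"{userinfo}:{parts.password}"
    return {
        "scheme": parts.scheme,
        "userinfo": userinfo,
        "host": canonical_host(parts.hostname),
        "port": parts.port,
        "path": parts.path,
    }


def warnings_for(url):
    """Heuristic checks a link scanner could apply.  Each string is one
    reason to distrust what the URL appears to say.
    """
    parts = urlsplit(url)
    found = []
    if parts.username is not None:
        found.append("userinfo present: text before '@' is not the host")
        if "." in parts.username:
            found.append("userinfo contains a dotted name that could pass for a host")
    if parts.hostname and parts.hostname.isdigit():
        found.append(f"host is a bare integer ({canonical_host(parts.hostname)})")
    return found


if __name__ == "__main__":
    for u in (HOAX_URL, SNEAKIER_URL, BENIGN_URL):
        print(u)
        for key, value in dissect(u).items():
            print(f"  {key:9} {value}")
        for w in warnings_for(u):
            print(f"  WARNING: {w}")
```

The dissection is deliberately done with the standard library parser rather than a hand-written regex, because the whole point of the hoax is that the browser's parser, not the reader's eye, decides where the request goes; a scanner that splits the URL differently from the browser would be fooled the same way the readers were.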
For archives see: http://www.interesting-people.org/