Subject: IP: Making something look hacked when it isn't: Risks Digest 21.16
> Date: Sat, 16 Dec 2000 15:03:27 -0500
> From: "Richard J. Barbalace" <rjbarbal@MIT.EDU>
> Subject: Making something look hacked when it isn't
>
> A brief e-mail has been getting forwarded around our campus which reads:
>
>     Check out breaking news at CNN:
>     http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm
>
> At first glance, this appears to be a genuine article on CNN, but a quick read reveals that it's a cute joke. Most people who have seen the fake article have immediately assumed that www.cnn.com has been hacked in some manner.
>
> Those more familiar with the HTTP specification, however, will notice that the URL is completely valid, and does not lead to or redirect from any cnn.com computers. No machines have been hacked. Instead, the e-mail just plays with your expectations of what a URL should look like. The risk here is not a computer one at all, but a social risk that even (or perhaps especially) knowledgeable people will assume something has been hacked when it hasn't been.
>
> An even sneakier URL might be:
>
>     http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm
>
> For those of you still pondering why that URL works, read the HTTP spec and try the equivalent:
>
>     http://username@18.69.0.44/evarady/www/top_story.htm
>
> Richard J. Barbalace <rjbarbal@mit.edu>
>
> ------------------------------
>
> Date: Mon, 18 Dec 2000 21:09:19 -0800 (PST)
> From: rpw3@rigden.engr.sgi.com (Rob Warnock)
> Subject: The risk of a seldom-used URL syntax
>
> Recently, a mailing list I'm on forwarded a report of a "hack" of the CNN.com site. Upon looking closely, I found that the CNN site hadn't been hacked at all -- it was the *minds* of readers of this hoax "report" that were being hacked! Rather cute, actually, but it exposes what is perhaps a larger RISK, so please bear with me while I set up the story...
>
> An MIT student named Eric Varady took a parody news article from The Onion <URL:http://www.theonion.com/onion3637/bush_horrified.html>, edited the layout to resemble CNN's format, and copied it to his own site <URL:http://salticus-peckhamae.mit.edu/evarady/www/top_story.htm>. (Note that multiple threatened legal actions have since forced him to remove the original content, but an explanation page is still there.)
>
> He then passed around a "report of a hack of the CNN site" with a URL [which I *do* hope makes it through the mail-to-HTML scripts at Catless!] of <URL:http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm>.
>
> If you look very closely, you'll see that the actual host named by this URL is not "www.cnn.com", but "18.69.0.44" (a.k.a. salticus-peckhamae.mit.edu). That is, for IP-based/Internet URL "schemes" such as HTTP or FTP, the general format defined in RFC 1738 is:
>
>     <scheme>://[<user>[:<password>]@]<host>[:<port>]/<url-path>
>
> The "user" field is very rarely used, and even then is more often seen with FTP than HTTP. But since it contained an at-sign before the first slash, the hoax URL was really <URL:http://18.69.0.44/evarady/www/top_story.htm> with the (ignored) user field of "www.cnn.com&story=breaking_news". Cute, eh?
>
> More serious scams of this sort are possible, given the number of users who (1) have *no* idea what the formal syntax of a URL is, and (2) routinely access the Web through "portals" which often create complicated indirection URLs to aid with logging or tracking to support advertising revenue, e.g.:
>
>     <URL:http://www.foo.bar.com/logger.cgi?http://www.other.place.com/some_article>
>
> The RISK is that users are being bombarded with these monstrosities so often that they've grown used to it, and that they'll fail to recognize when they're being sent someplace they might not really want to go!! (Perhaps when it's not a joke, such as being sent to a porn site while working at a company with a "no tolerance" policy.)
>
> ------------------------------

For archives see: http://www.interesting-people.org/
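Both posts above turn on the RFC 1738 authority syntax: everything before the `@` is the ignored user field, and the host can even be a bare decimal integer. The following is an added example, not part of either RISKS post, that splits a URL the way a browser does and reports the host it really names, decoding the decimal form (306511916 is 18.69.0.44) and flagging the userinfo and portal-indirection patterns the posts describe. The sample URLs are the ones quoted above plus one constructed benign CNN URL; the function names are the example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Sample inputs: the three URLs quoted in the posts above, plus a constructed benign one.
HOAX_URL = "http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm"
SNEAKY_URL = "http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm"
PORTAL_URL = "http://www.foo.bar.com/logger.cgi?http://www.other.place.com/some_article"
PLAIN_URL = "http://www.cnn.com/2000/US/12/16/top_story.htm"  # constructed, benign


def normalize_host(host):
    """Turn a bare decimal-integer host ('306511916') into dotted-quad text
    ('18.69.0.44'); any other host is returned unchanged."""
    if host is not None and host.isdigit():
        try:
            return str(ipaddress.IPv4Address(int(host)))
        except ipaddress.AddressValueError:  # integer too large for IPv4
            return host
    return host


def inspect_url(url):
    """Split a URL per <scheme>://[<user>[:<password>]@]<host>[:<port>]/<path>
    and report the host actually contacted plus why a reader might be misled."""
    parts = urlsplit(url)
    userinfo = parts.username          # text before '@' in the authority, if any
    real_host = normalize_host(parts.hostname)
    reasons = []
    # The hoax trick: a host-name-looking string parked in the user field.
    if userinfo and re.search(r"[A-Za-z0-9-]+\.[A-Za-z]{2,}", userinfo):
        reasons.append("host-like text in userinfo: " + userinfo)
    # The "sneakier" variant: the host written as one decimal integer.
    if parts.hostname and parts.hostname.isdigit():
        reasons.append("decimal-integer host decodes to " + real_host)
    # The portal style: a full URL carried inside the query string.
    if re.search(r"https?://", parts.query):
        reasons.append("embedded URL in query: " + parts.query)
    return {"real_host": real_host, "userinfo": userinfo, "reasons": reasons}


if __name__ == "__main__":
    for u in (HOAX_URL, SNEAKY_URL, PORTAL_URL, PLAIN_URL):
        print(u, "->", inspect_url(u))
```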