ICANNWatch
 
  Inside ICANNWatch  
Submit Story
Home
Lost Password
Preferences
Site Messages
Top 10 Lists
Latest Comments
Search by topic

Our Mission
ICANN for Beginners
About Us
How To Use This Site
ICANNWatch FAQ
Slash Tech Info
Link to Us
Write to Us

  Useful ICANN sites  
  • ICANN itself
  • Bret Fausett's ICANN Blog
  • Internet Governance Project
  • UN Working Group on Internet Governance
  • Karl Auerbach web site
  • Müller-Maguhn home
  • UDRPinfo.com;
  • UDRPlaw.net;
  • CircleID;
  • LatinoamerICANN Project
  • ICB Tollfree News

  •   At Large Membership and Civil Society Participation in ICANN  
  • icannatlarge.com;
  • Noncommercial Users Constituency of ICANN
  • NAIS Project
  • ICANN At Large Study Committee Final Report
  • ICANN (non)Members page
  • ICANN Membership Election site

  • ICANN-Related Reading
    Browse ICANNWatch by Subject

    Ted Byfied
    - ICANN: Defending Our Precious Bodily Fluids
    - Ushering in Banality
    - ICANN! No U CANN't!
    - roving_reporter
    - DNS: A Short History and a Short Future

    David Farber
    - Overcoming ICANN (PFIR statement)

    A. Michael Froomkin
    - When We Say US™, We Mean It!
    - ICANN 2.0: Meet The New Boss
    - Habermas@ discourse.net: Toward a Critical Theory of Cyberspace
    - ICANN and Anti-Trust (with Mark Lemley)
    - Wrong Turn in Cyberspace: Using ICANN to Route Around the APA & the Constitution (html)
    - Form and Substance in Cyberspace
    - ICANN's "Uniform Dispute Resolution Policy"-- Causes and (Partial) Cures

    Milton Mueller
    - Ruling the Root
    - Success by Default: A New Profile of Domain Name Trademark Disputes under ICANN's UDRP
    - Dancing the Quango: ICANN as International Regulatory Regime
    - Goverments and Country Names: ICANN's Transformation into an Intergovernmental Regime
    - Competing DNS Roots: Creative Destruction or Just Plain Destruction?
    - Rough Justice: A Statistical Assessment of the UDRP
    - ICANN and Internet Governance

    David Post
    - Governing Cyberspace, or Where is James Madison When We Need Him?
    - The 'Unsettled Paradox': The Internet, the State, and the Consent of the Governed

    Jonathan Weinberg
    - Sitefinder and Internet Governance
    - ICANN, Internet Stability, and New Top Level Domains
    - Geeks and Greeks
    - ICANN and the Problem of Legitimacy

    Highlights of the ICANNWatch Archive
    (June 1999 - March 2001)


     
    The Big Picture When Semantics Attack
    posted by tbyfield on Sunday October 21 2001, @03:42PM

    fnord writes "The recent report, apparently from CNN, of pop music star Britney Spears death seems to have been greatly exaggerated. Tim Fries, an online cartoonist, set out last week to conduct an experiment in how far and fast an internet rumor could spread. He sent a specially crafted URL to only three people via AOL's IM Chat pointing to an apparent CNN.com story that Ms. Spears had been killed in a car accident. Within twelve hours the bogus news had been read by at least 150,000 people and became CNN's Most Popular Story, quite an accomplishment given other news du jour, and given that the article wasn't even on the CNN site." [The rest: a long, thorough explanation of "semantic attacks" and how they bear on ICANN issues, the IP lobby, etc.--tb]"



    Fries pulled this off by using some little known internet addressing features (they're not bugs) that may have security implications. As an example, where does it look like this hyperlink will take you, either by clicking it or copying and pasting it in the URL line of your web browser?

    http://www.cnn.com&breaking-story=icannwatch-is-dead.html=@2155471987
    http://www.cnn.com&breaking-story=icannwatch-is-dead.html=@2155471987

    And Hey Presto! ICANNWatch lives again.

    This sleight of mousehand is done through a combination of two little known URL features (they're not bugs!). First, anything to the left of, and including, the @ ampersand is ignored unless one is logging onto a site that requires it for username authentication. Second, URLs can be obfuscated by converting them into dword, octal, or hex, and various permutations thereof, and they will often still resolve. See this excellent article from pc-help.org for more on how and why this works.

    Some spammers make use of this so that one cannot easily tell the name of their website and thus report it. For example, http://www.icannwatch.org/ is not only also accessible via its IP dotted decimal number of http://128.121.228.115/, but also by each of the following...
    (Notes: 1. I have provided them in both hyperlinked and in plaintext versions so that you can copy and paste the plain versions in your URL line to verify that the hyperlinked versions are what they appear to be, I am not using an inherent further level of obfuscation by having the link point to something other than what it appears to be, though that too is obviously possible. 2. While some browsers do not support all of these variants, they all work in Internet Explorer and many work in Netscape. 3. If you're on a LAN and using a proxy they may not work. 4. Your system may not recognize that it already has a cached copy of the page, perhaps increasing the reloading time. That said, here we go...):

    http://2155471987/
    http://2155471987/

    http://%32%31%35%35%34%37%31%39%38%37/
    http://%32%31%35%35%34%37%31%39%38%37/

    http://%31%32%38%2E%31%32%31%2E%32%32%38%2E%31%31%35/
    http://%31%32%38%2E%31%32%31%2E%32%32%38%2E%31%31%35/

    http://%77%77%77%2E%69%63%61%6E%6E%77%61%74%63%68%2E%6F%72%67/
    http://%77%77%77%2E%69%63%61%6E%6E%77%61%74%63%68%2E%6F%72%67/

    I doubt most users would easily be able to decipher such gibberish, and why bother if it is also prefixed by what appears to be a valid address? Should you ever come across such an obfuscated URL and want to decipher it, SamSpade.org has a decipher tool which will translate each of these back to its DNS name or IP dotted decimal number.

    This recent Britney Spears hoax is only the latest in a long line. Indeed, Britney, who is best known for the hits Oops! I Did It Again and Hit Me Baby One More Time, was previously hit by a report that she was killed in a car accident as recently as four months ago. That incident may well have provided the genesis for this next generation hoax, in the earlier instance the rumor was started by two radio DJs. Someone then created and circulated a similarily bogus URL that appeared to point to a BBC news website report confirming the story. Tim Fries simply combined the two, though also making use of CNN's Recommend feature (that was a bug) did, as a bonus, yield some numbers that clearly point out the potential for exponential growth of such hoaxes.

    In another example, Rapper Eminem was also pseudo-dispatched in a car accident last year, though the linked article is incorrect about the URL being clearly a homepage. While it no longer works, the original page had the CNN look and feel and the URL was:
    www.cnn.com&story=breaking_news@1079066066/mathers.html

    While CNN seems the de facto site preferred by such hoaxes, their targets are not limited to killing musicians in cars. This apparent news article, regarding President Bush's anger at finding out his salary, looked like a CNN page last January and was pointed to via:
    http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm
    The link no longer works but an explanation and some history can be found here. While this latter example doesn't obfuscate the URL beyond using the IP number, as recently as a month ago some members in a politically oriented Usenet newsgroup were repeating it as though it was fact. After all, wasn't it on CNN?

    To finally get to my point, perhaps ICANN should deal with such semantic attacks at its upcoming meeting on security at MDR. Such hoaxes (and there are a number of others I haven't covered) aren't without cost. Some of them caused hundreds of phone calls to the police and other critical parts of the infrastructure. Some of them raised the general level of anxiety of a number of people, which in the current climate of fear is a Very Bad Thing. It isn't beyond the realm of possibility that such memetic virii (I still remember first hearing about the death of Princess Diana via a Usenet posting) could be used as a weapon at a critical time.

    I find it somewhat ironic that ICANN only has the power it does because just about everyone puts so much stock in a domain name. Speculators think they're worth a fortune, but you can have cnn.com right now for free. Corporations worry about their intellectual property being misused by some unrelated domain name registrant when again, cnn.com, or any alphanumeric string, is free at any time for the taking. Given that a majority of SLDs point nowhere or to for sale or just registered (up to years ago) pages, given that so many names that are in use are misleading, or the subject of UDRP or court action, or belong to defunct dotcoms, or have been hijacked by the online porn industry, or some combination thereof, why not just scrap the DNS and go back to numbers? Language is flawed, perhaps fatally so. -g

     
      ICANNWatch Login  
    Nickname:

    Password:

    [ Don't have an account yet? Please create one. It's not required, but as a registered user you can customize the site, post comments with your name, and accumulate reputation points ("karma") that will make your comments more visible. ]

     
      Related Links  
  • ICANNWatch.org
  • http://www.cnn.com&breaking-st ory=icannwatch-is-dead.html=@2 155471987
  • URL
  • this
  • http://2155471987/
  • http://%32%31%35%35%34%37%31%3 9%38%37/
  • http://%31%32%38%2E%31%32%31%2 E%32%32%38%2E%31%31%35/
  • http://%77%77%77%2E%69%63%61%6 E%6E%77%61%74%63%68%2E%6F%72%6 7/
  • decipher
  • This
  • report
  • was
  • This
  • here
  • semantic attacks
  • possibility
  • flawed
  • cartoonist
  •  
    This discussion has been archived. No new comments can be posted.
    When Semantics Attack | Log in/Create an Account | Top | 19 comments | Search Discussion
    Click this button to post a comment to this story
    The options below will change how the comments display
    Threshold:
    Check box to change your default comment view
    The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
    Re: When Semantics Attack
    by Anonymous on Monday October 22 2001, @04:35AM (#3069)
    FWIW, none of the examples worked for me under Netscape 4.77. They do tend to work under MSIE. So I wonder if this is a standards problem, or a failure-to-follow-standards problem?
    [ Reply to This | Parent ]
    Re: When Semantics Attack
    by dtobias (dan@tobias.name) on Monday October 22 2001, @08:09AM (#3074)
    User #2967 Info | http://domains.dan.info/
    But if it weren't, you could still figure out something else to register, like cnntoday.com or cnntomorrow.com or cnnthismorning.com or cnnnexttuesday.com or cnnlastcentury.com or whatever...

    This highlights why it's so stupid of big companies to use all sorts of marketing-gimmick domains instead of logical subdomains of their main domain... it leads to a public attitude where they expect domains with the company name as a substring to be official sites, when they could well be registered by cybersquatters or con artists instead. If all official CNN sites were subdomains of cnn.com, they'd be harder to fake or spoof.
    [ Reply to This | Parent ]
      Re: When Semantics Attack
      by ldg on Monday October 22 2001, @01:30PM (#3082)
      User #2935 Info | http://example.com/
      There is a portal in Hampton Roads, VA called hrtide.com. Wonder if they will be sued. If so, wonder which side would win? Tide is not just soap. It is the ebb and flow of the ocean.
      [ Reply to This | Parent ]
        Re: When Semantics Attack
        by fnord (groy2kNO@SPAMyahoo.com) on Tuesday October 23 2001, @03:16AM (#3089)
        User #2810 Info
        Anon writes:
        would it not perhaps be fairer to criticize the architects of the DNS for their disregard and/or apparent ignorance of intellectual property rights when they devised the system?
        No. Paul Mockapetris et al set out to map semantically meaningful alphanumeric strings to IP numbers. They succeeded spectacularily. That trademark owners would try to map their own semantics to this probably wasn't foreseen because it is so completely wrongheaded. My submission attempts to point out that it is also completely futile. -g
        [ Reply to This | Parent ]
      • 1 reply beneath your current threshold.
      Procter and Gamble domains
      by dtobias (dan@tobias.name) on Monday October 22 2001, @05:48PM (#3086)
      User #2967 Info | http://domains.dan.info/
      OK, you win... it's obviously quite essential that P & G register diarrhea.com
      to protect their vital trademark! :)
      [ Reply to This | Parent ]
        Re: Procter and Gamble domains
        by fnord (groy2kNO@SPAMyahoo.com) on Tuesday October 23 2001, @03:24AM (#3090)
        User #2810 Info
        Proctor and Gamble? I guess they'd logically be found at proctorandgamble.com. -g
        [ Reply to This | Parent ]
          Re: Procter and Gamble domains
          by fnord (groy2kNO@SPAMyahoo.com) on Tuesday October 23 2001, @11:37AM (#3105)
          User #2810 Info
          I suspect P&G will get around to attempting to take away proctorandgamble.com. I think they should as it is clearly intended to mislead.

          As for chevrolet.com, it does in fact lead to the auto maker. Likewise ford.com does in fact lead to the auto maker of that name. So all's right with the world?

          Well, no. That isn't the whole POINT of the DNS. If it was then those looking for the Ford (the link bypasses the Flash intro) model company would be lost. Even doing a search on Ford models is imprecise. :)

          Or perhaps they wanted the Ford Foundation, which is quite properly at .org, though not at Ford.org, or fordfoundation.org.

          Or perhaps they wanted the Ford Theatre, is that .commercial or an .organization? And which Ford Theatre do they want? And is the latter a theatre or should it be in the new .museum along with this Ford Museum and this Ford Museum?

          The relevant original POINT of the DNS was to allow one Ford commercial entity at .com, one Ford network at .net, one Ford organization (or other entity) at .org, first come, first served, and a ton of Fords at com.au, org.uk et cetera with varying levels of control. If you weren't the first Ford in your space you might have to get only slightly creative. That worked quite well for quite a long time. When it was clear that it wouldn't scale (about a decade ago), we could have gone to ford.auto and ford.agency and ford.theatre and ford.museum. Well, not that last one, but as a matter of fact the registry for .museum won't allow such collisions, and that too is part of the solution. I didn't consider it sufficiently newsworthy to submit it separately, but new.net's announcement of yesterday is interesting in this regard.

          Regardless, all this only deals with the artificial scarcity which is used by insiders as a cash cow. It still doesn't solve the problem of:

          http://icann.theatre&=sendintheclowns=@128.121.228.115/
          http://icann.theatre&=sendintheclowns=@128.121.228.115/

          which was my original point. As Dan and others have pointed out, one needn't even use this exploit, a hoaxer could simply register a confusingly similar .com domain name for less than $10, perhaps giving bogus WHOIS info, perhaps using an untraceable credit card number, and use it for the hoax. I guess the answer is to not take domain names, or hyperlinks, or search engine results, as authoritative, at least until Veri$ign and/or Micro$oft come out with something that provides absolute verification. We all trust them, right? -g

          [ Reply to This | Parent ]
            Re: Procter and Gamble domains
            by dtobias (dan@tobias.name) on Tuesday October 23 2001, @02:11PM (#3118)
            User #2967 Info | http://domains.dan.info/
            So, if you founded the Fnord Motor Company and started making cars, would you get sued?
            [ Reply to This | Parent ]
              Re: Procter and Gamble domains
              by fnord (groy2kNO@SPAMyahoo.com) on Tuesday October 23 2001, @05:36PM (#3121)
              User #2810 Info
              Of course. Then I'd be a typo-squatter (and BTW, Procter is spelt wrong). No new carmaker in their right mind would choose something confusingly similar to an existing carmaker and attempt to get away with it in the real world. Cyberspace is different, but it's not that different. Some of us have a nose for smelling a scam, the rest of us either rely on government departments to do our thinking for us or we get taken in. I'm beginning to think that is as it should be. One can only deal with so many morons peeing in the gene pool. The US Government has chosen to let ICANN do its cyberspace thinking via ICANN and that is demonstrably a Very Bad Thing, the morons have assumed control of the asylum. My handle actually has absolutely nothing to do with automobiles, it comes from the Illuminatus trilogy (if icannwatch has an amazon affiliate account I would gladly credit it), by the late Robert Shea and Robert Anton Wilson. I've used it as a moniker on Usenet since the '80's, but so have others. This one at least isn't related in any way to any domain name containing that alphanumeric string SFAIK. Of course without some form of authentication YMMV. -g
              [ Reply to This | Parent ]
                Re: Procter and Gamble domains
                by dtobias (dan@tobias.name) on Wednesday October 24 2001, @05:49AM (#3125)
                User #2967 Info | http://domains.dan.info/
                As I once said in a Mensa newsletter, if Mensa administered its entrance examination in a casino, they could proctor and gamble...
                [ Reply to This | Parent ]
                  Re: Procter and Gamble domains
                  by fnord (groy2kNO@SPAMyahoo.com) on Saturday October 27 2001, @04:30AM (#3192)
                  User #2810 Info
                  Perhaps the .iq TLD should be redelegated to Mensa for vanity domains. They could use subdomains like johndoe.154.iq. Meanwhile, fnord.info is registered to Fnord Datacenter Systems of Bellingham WA USA, ford.info seems to be owned by someone other than the automaker, and in the latest twist on the Afilias abomination, it seems that registrant information of supposedly locked sunrise registrations can be changed. Afilias is an unmitigated disaster and the ICANN staff should be hung out to dry for their incredible mismanagement. -g
                  [ Reply to This | Parent ]
                • 1 reply beneath your current threshold.
        • 1 reply beneath your current threshold.
    • 1 reply beneath your current threshold.
  • 2 replies beneath your current threshold.

  • Search ICANNWatch.org:


    Privacy Policy: We will not knowingly give out your personal data -- other than identifying your postings in the way you direct by setting your configuration options -- without a court order. All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 by ICANNWatch.Org. This web site was made with Slashcode, a web portal system written in perl. Slashcode is Free Software released under the GNU/GPL license.
    You can syndicate our headlines in .rdf, .rss, or .xml. Domain registration services donated by DomainRegistry.com