Fries pulled this off by using some little known internet addressing features (they're not bugs) that may have security implications. As an example, where does it look like this hyperlink will take you, either by clicking it or copying and pasting it in the URL line of your web browser? http://www.cnn.com&breaking-story=icannwatch-is-dead.html=@2155471987 http://www.cnn.com&breaking-story=icannwatch-is-dead.html=@2155471987
And Hey Presto! ICANNWatch lives again. This sleight of mousehand is done through a combination of two little known URL features (they're not bugs!). First, anything to the left of, and including, the @ ampersand is ignored unless one is logging onto a site that requires it for username authentication. Second, URLs can be obfuscated by converting them into dword, octal, or hex, and various permutations thereof, and they will often still resolve. See this excellent article from pc-help.org for more on how and why this works. Some spammers make use of this so that one cannot easily tell the name of their website and thus report it. For example, http://www.icannwatch.org/ is not only also accessible via its IP dotted decimal number of http://128.121.228.115/, but also by each of the following... (Notes: 1. I have provided them in both hyperlinked and in plaintext versions so that you can copy and paste the plain versions in your URL line to verify that the hyperlinked versions are what they appear to be, I am not using an inherent further level of obfuscation by having the link point to something other than what it appears to be, though that too is obviously possible. 2. While some browsers do not support all of these variants, they all work in Internet Explorer and many work in Netscape. 3. If you're on a LAN and using a proxy they may not work. 4. Your system may not recognize that it already has a cached copy of the page, perhaps increasing the reloading time. That said, here we go...):
http://2155471987/ http://2155471987/
http://%32%31%35%35%34%37%31%39%38%37/ http://%32%31%35%35%34%37%31%39%38%37/
http://%31%32%38%2E%31%32%31%2E%32%32%38%2E%31%31%35/ http://%31%32%38%2E%31%32%31%2E%32%32%38%2E%31%31%35/
http://%77%77%77%2E%69%63%61%6E%6E%77%61%74%63%68%2E%6F%72%67/ http://%77%77%77%2E%69%63%61%6E%6E%77%61%74%63%68%2E%6F%72%67/ I doubt most users would easily be able to decipher such gibberish, and why bother if it is also prefixed by what appears to be a valid address? Should you ever come across such an obfuscated URL and want to decipher it, SamSpade.org has a decipher tool which will translate each of these back to its DNS name or IP dotted decimal number. This recent Britney Spears hoax is only the latest in a long line. Indeed, Britney, who is best known for the hits Oops! I Did It Again and Hit Me Baby One More Time, was previously hit by a report that she was killed in a car accident as recently as four months ago. That incident may well have provided the genesis for this next generation hoax, in the earlier instance the rumor was started by two radio DJs. Someone then created and circulated a similarily bogus URL that appeared to point to a BBC news website report confirming the story. Tim Fries simply combined the two, though also making use of CNN's Recommend feature (that was a bug) did, as a bonus, yield some numbers that clearly point out the potential for exponential growth of such hoaxes.
In another example, Rapper Eminem was also pseudo-dispatched in a car accident last year, though the linked article is incorrect about the URL being clearly a homepage. While it no longer works, the original page had the CNN look and feel and the URL was:
www.cnn.com&story=breaking_news@1079066066/mathers.html While CNN seems the de facto site preferred by such hoaxes, their targets are not limited to killing musicians in cars. This apparent news article, regarding President Bush's anger at finding out his salary, looked like a CNN page last January and was pointed to via: http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm The link no longer works but an explanation and some history can be found here. While this latter example doesn't obfuscate the URL beyond using the IP number, as recently as a month ago some members in a politically oriented Usenet newsgroup were repeating it as though it was fact. After all, wasn't it on CNN? To finally get to my point, perhaps ICANN should deal with such semantic attacks at its upcoming meeting on security at MDR. Such hoaxes (and there are a number of others I haven't covered) aren't without cost. Some of them caused hundreds of phone calls to the police and other critical parts of the infrastructure. Some of them raised the general level of anxiety of a number of people, which in the current climate of fear is a Very Bad Thing. It isn't beyond the realm of possibility that such memetic virii (I still remember first hearing about the death of Princess Diana via a Usenet posting) could be used as a weapon at a critical time. I find it somewhat ironic that ICANN only has the power it does because just about everyone puts so much stock in a domain name. Speculators think they're worth a fortune, but you can have cnn.com right now for free. Corporations worry about their intellectual property being misused by some unrelated domain name registrant when again, cnn.com, or any alphanumeric string, is free at any time for the taking. Given that a majority of SLDs point nowhere or to for sale or just registered (up to years ago) pages, given that so many names that are in use are misleading, or the subject of UDRP or court action, or belong to defunct dotcoms, or have been hijacked by the online porn industry, or some combination thereof, why not just scrap the DNS and go back to numbers? Language is flawed, perhaps fatally so. -g
|