A brief e-mail has been getting forwarded around our campus which reads:
Check out breaking news at CNN:
http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm
At first glance, this appears to be a genuine article on CNN, but a quick
read reveals that it is a cute joke. Most people who have seen the fake article
have immediately assumed that www.cnn.com has been hacked in some manner.
Those more familiar with the HTTP specification, however, will notice that the
URL is completely valid, and does not lead to or redirect from any cnn.com
computers. No machines have been hacked. Instead, the e-mail just plays
with your expectations of what a URL should look like. The risk here is not
a computer one at all, but a social risk that even (or perhaps especially)
knowledgeable people will assume something has been hacked when it hasn't
been.
An even sneakier URL might be:
http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm
For those of you still pondering why that URL works, read the HTTP
spec and try the equivalent:
http://username@18.69.0.44/evarady/www/top_story.htm
Richard J. Barbalace ["Richard J. Barbalace" via risks-digest Volume 21, Issue 16]
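Added example, not part of the original post: a small Python check that splits each URL quoted above the way an HTTP client does, separating the userinfo before the "@" from the host that is actually contacted, and rewriting an all-digit host as a dotted quad. The function names and the "userinfo contains a dot" heuristic are assumptions made for this illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def real_destination(url):
    """Return (userinfo, host) as an HTTP client would interpret the URL.

    Everything in the authority before the last '@' is userinfo and is
    never used to pick the server; only what follows it is the host.
    """
    parts = urlsplit(url)
    userinfo, at, _ = parts.netloc.rpartition("@")
    host = parts.hostname or ""
    # An all-digit host is a 32-bit IPv4 address written as one integer
    # (the post's "even sneakier" form); show it as a dotted quad.
    if host.isdigit() and int(host) < 2 ** 32:
        host = str(ipaddress.IPv4Address(int(host)))
    return (userinfo if at else None), host


def looks_deceptive(url):
    """Heuristic (assumption): userinfo that reads like a host name."""
    userinfo, host = real_destination(url)
    return userinfo is not None and "." in userinfo and userinfo != host


# The three URLs from the post, plus one ordinary URL for contrast.
SAMPLES = [
    "http://www.cnn.com&story=breaking_news@18.69.0.44/evarady/www/top_story.htm",
    "http://www.cnn.com&story=breaking_news@306511916/evarady/www/top_story.htm",
    "http://username@18.69.0.44/evarady/www/top_story.htm",
    "http://www.cnn.com/index.html",
]

if __name__ == "__main__":
    for url in SAMPLES:
        userinfo, host = real_destination(url)
        flag = "DECEPTIVE" if looks_deceptive(url) else "ok"
        print(f"{flag:9} host={host:12} userinfo={userinfo!r}")
```

A mail gateway or link-preview tool can apply the same split to display the real host next to the link text before the user clicks.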