Most experts on computer crime focus on attacks against Web servers, bank account tampering and other mischief confined to the digital world. But by using little more than a Web search engine and some simple software, a computer-savvy criminal or terrorist could easily leap beyond the boundaries of cyberspace to wreak havoc in the physical world, a team of Internet security researchers has concluded.

At a recent Association for Computing Machinery conference on privacy in an electronic society, the researchers -- including a Johns Hopkins faculty member -- described how automated order forms on the Web could be exploited to send tens of thousands of unwanted catalogs to a business or an individual. Such an onslaught would not only pose problems for the victim, but it could also paralyze the local post office charged with making such deliveries, the researchers suggested. After explaining how such attacks could take place, the researchers proposed several technological "fixes" that could help prevent them.

The rapid growth of the World Wide Web has enabled many merchants, government agencies and non-profit organizations to make sales catalogs and information packets available to anyone who can fill out a simple on-line form. But these forms, the researchers say, have also opened a gateway that could allow disruptive activity to spill out of cyberspace. "People have not considered how easily someone could leverage the scale and automation of the Internet to inflict damage on real-world processes," said Avi Rubin, technical director of the Information Security Institute at The Johns Hopkins University and one of the authors of the paper.

Rubin and two other researchers first determined that a popular search engine such as Google could be used to locate online order forms. They also discovered that simple software could be launched to automatically recognize and fill in fields such as "name," "address" and "city," and then submit the catalog request online. "It could be set up to send 30,000 different catalogs to one person or 30,000 copies of one catalog to 30,000 different recipients," said Rubin. "This could create a great expense for the sender, a huge burden for local postal facilities and chaos in the mail room of a business targeted to receive this flood of materials."

The technique could also be used to exploit the increasingly common Web-based forms used to request repair service, deliveries or parcel pickups, said Rubin, who also is an associate professor in the Department of Computer Science at Johns Hopkins. Tracking down the attacker could be difficult, he added. The offender could easily escape detection by loading the program onto a floppy disk or a small USB hard disk and paying cash for a few minutes of time at an Internet cafe. By the time the damage was discovered, the culprit would have vanished, Rubin said.

Because of the confusion and costs such attacks could inflict, Rubin and his fellow researchers wondered whether they should make public the technological weakness they'd uncovered