Re: [iwar] Arab/Israeli "CyberWar" of our own making

From: Fred Cohen (
Date: 2001-06-11 21:40:57

Return-Path: <>
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Mon, 11 Jun 2001 21:42:07 -0700 (PDT)
Received: (qmail 24847 invoked by uid 510); 12 Jun 2001 03:42:02 -0000
Received: from (HELO ( by with SMTP; 12 Jun 2001 03:42:02 -0000
Received: from [] by with NNFMP; 12 Jun 2001 04:40:59 -0000
Received: (EGP: mail-7_1_3); 12 Jun 2001 04:40:58 -0000
Received: (qmail 80704 invoked from network); 12 Jun 2001 04:40:58 -0000
Received: from unknown ( by with QMQP; 12 Jun 2001 04:40:58 -0000
Received: from unknown (HELO ( by mta2 with SMTP; 12 Jun 2001 04:40:57 -0000
Received: (from fc@localhost) by (8.9.3/8.7.3) id VAA02802 for; Mon, 11 Jun 2001 21:40:57 -0700
Message-Id: <>
In-Reply-To: <> from "B.K. DeLong" at Jun 11, 2001 11:27:34 PM
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <>
Mailing-List: list; contact
Delivered-To: mailing list
Precedence: bulk
List-Unsubscribe: <>
Date: Mon, 11 Jun 2001 21:40:57 -0700 (PDT)
Subject: Re: [iwar] Arab/Israeli "CyberWar" of our own making
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Per the message sent by B.K. DeLong:

> At 07:17 PM 06/11/2001 -0700, you wrote:
> >The Israeli attackers are quite vocal.  They appear in newspaper
> >interviews.  They use real names in many cases.  Israel has a far more
> >closely controlled and smaller infrastructure and for more suerveillance
> >capability per user than the US does.

> I guess what bothers me most about your claims is that you don't give any 
> proof. If you've read articles where attackers appear in newspaper 

I may as well put up the whole sequence from last fall...

So much for my online disk quota at the ISP...

> interviews and use real names then post the URL or cut and paste the 

Several of these are included in the web site just referred to.  In one
of them there were photographs and discussions with one of theIsraeli's
using his real name. 

> article. I should note that a lot of the US defacers (including pr0phet - 
>,1283,43134,00.html) have appeared in 
> articles and as far as we know, they're still at-large.

When you say "still at large" - I assume you mean to imply that someone
is actually trying to hunt them down? In these cases the governments are
not really trying very hard to hunt them down.  That's what I mean when
I say they are tollerated if not supported.

> But I will agree that there is no incentive to going after kids defacing 
> Web sites of nations that have an unfriendly or hostile status with your 
> country.

> >The US can indeed exert control over connections to Chinese sites should
> >it choose to do so.  In addition, many of those launching these attacks
> >are quite open about it and are not hard to track, meet, and chat with.
> >They are not exactly trying to hide.

> Agreed. See previous comment.

> >Indeed, some of the attacks came from Chinese government computers.

> Again, the proof? Where was this publicly stated?

As far as I am aware it has not been publicly stated before - but that
doesn't make it any the less true.  The people who tell me these things
don't always want their names in the newspapers - but are often willing
to provide the information they have to law enforcement.

> >  The
> >Chinese have arrested cyber criminals and have a demonstrated
> >surveillance capability for their Internet systems.  They could stop it
> >if they chose to.  Indeed I think that they did.  Once attribution to
> >the Chinese government started to be asserted, the attacks cooled
> >rapidly.

> um....this April 11th Wired article tied the attacks to the Chinese government:

> And while US hackers were actively defacing Chinese, Taiwanese and Korean 
> sites from as far back as March, the heavy activity from China didn't start 
> until around April 29th - May 1st and petered out around May 10th.

This was planned well ahead of time - a one week 'protest' hack.  The
reasons changed over time - depending on the source - but it was planned
well ahead of time and well coordinated.

> >I agree that the Us attackers have a relationship with the media that I
> >do not like.  But I disagree about the notion that these are not related
> >to government policy.

> That last sentence confused me. You disagree with my notion that Chinese 
> attacks on US servers are not government sanctioned? I would say it's 
> almost definitely not government policy HOWEVER I don't think the Chinese 
> government would lift a finger to stop the kids....but I wouldn't expect 
> public encouragement either.

The Chinese would not lift a finger to stop it and the US would not lift
a finger to stop it in the other direction.  Tollerated if not sanctioned.

When international attacks on systems are made and governments
intentionally permit them to continue, this is an act of policy.  It is
a policy just as the PLO has a policy of cyber attacks against Israeli
targets and the Israelis have a policy of cyber attacks against the PLO.

They all play the media game of using different names and hiding behind
different excuses, but they are all engaged in harrassment at one end of
the conflict spectrum, and on up through racial slurs, religious slurs,
open hostility, putting lives at risk, and occasionally death of
participants and innocents.  The level of all these things increases
under higher tension and decreases when they decide to play nice.  Their
rhetoric and direct involvement or lack of involvement are intentional
and directed toward controlling the intensities of these conflicts with
political and national interest as their goals.

Perhaps I am wrong about all of this, but I don't think so.  You can
call it varying intensity conflict of you like, and I will not argue
that it is lower intensity than many 'wars' we have seen - but then the
"Cold War" was of a similar intensity in many ways and few would really
call it anything less.

So now that I have provided gobs of additional information, I want you
to tell me what you think a cyber war might look like.  Remember that we
are talking about real capabilities available to the wafighters of each
side here - not about fantasy capabilities or classified capabilities of
superpowers - or even weapons demonstrated during the Gulf War.  Do you
really think th\at the PLO is holding back some more advanced weapons
that it would use in a 'real' cyber war? I think they have come with all
they had and it worked pretty well for a while.  Then they backed down a
bit under the control of Arafat and continued development.  The quesiton
I originally asked was weather the members of this forum thought they
would come back out with their new and improved capabilities this time.

Fred Cohen at Sandia National Laboratories at tel:925-294-2087 fax:925-294-1225
  Fred Cohen & Associates: - - tel/fax:925-454-0171
      Fred Cohen - Practitioner in Residence - The University of New Haven
   This communication is confidential to the parties it is intended to serve.
	PGP keys: - Have a great day!!!


Your use of Yahoo! Groups is subject to 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:17 PDT