Subject: IW Mailing List iw/951207
From: iw (Information Warfare Mailing List)
Subject: War Games
Date: Wed, 6 Dec 1995 22:36:24 -0500 (EST)

Would you like to play a game?

	I have just about worked out the technology for running an
on-line strategic wargame.  If I get support for the idea, I will reach
into my bit-bucket of old wargame scenarios and try to initiate the
first game next week.  Please mail to the list and let me know if you
would like to participate.  If you want to be a team leader, let me know
so I can enlist you.

Date: Wed, 6 Dec 1995 22:30:17 -0500 (EST)
From: Sick Puppy 
Subject: Data Integrity in Information Warfare

With experience as both a cracker and a defender of systems, it seems to 
me that the most effective way I personally could wage IW would be to crack
a system with stealth techniques and modify critical data that my target 
was depending upon for some kind of planning or decision making.

Consequently I think that assuring data integrity is vital in any kind of
IW.  Many modern systems apply some kind of data integrity checking in 
the front end or data input process.  If the system is cracked, those 
front end checks can be subverted.  However, some databases, like Sybase, 
also apply data integrity rules on the backend, by applying a rule which 
imposes some kind of constraint on the content of a column.  The database 
security is usually a damn sight harder to crack than the system security 
and in my opinion beyond the skills of most crackers.  (Watch out for 
ProKappa though, it is really easy to crack.)  So the data is easy to 
modify as it enters the system, but hard to change once it is stored in 
the database.

Do any of the readers on this list know of any formal studies on the 
subject of data integrity in the context of Information Warfare?

Moderator's note:

	There was a DISA study completed in late 1993 titled:
	"Planning Considerations for Defensive Information Warfare -
	Information Assurance" that looked into this issue at a
	top level.  An on-line copy is available at
	under browse -> books (according to the November "What's New"
	column).  This study also points to many other references.

	You might also look at the 1994 DSB Summer Study on Information
	Architecture for the Battlefield (October, 1994) which looks into
	many of the same issues.
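
The backend column rule described in the "Data Integrity in Information Warfare" post above, as an added example that is not part of the original digest: a write that skips the front end check is still bounded by a constraint the database itself enforces. SQLite's CHECK clause stands in for a Sybase rule here, and the table, column names and value range are hypothetical.

```python
import sqlite3

# Hypothetical planning table. The CHECK clauses play the role of the backend
# column rule: the database enforces them no matter which program writes.
SCHEMA = """
CREATE TABLE supply_plan (
    unit      TEXT    NOT NULL CHECK (length(unit) BETWEEN 1 AND 32),
    fuel_tons INTEGER NOT NULL CHECK (fuel_tons BETWEEN 0 AND 5000)
)
"""

def open_db():
    """Create an in-memory database carrying the constrained table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db

def frontend_insert(db, unit, fuel_tons):
    """Normal input path: application-level validation, then the write."""
    if not (isinstance(fuel_tons, int) and 0 <= fuel_tons <= 5000):
        raise ValueError("front end rejected fuel_tons=%r" % (fuel_tons,))
    with db:  # commit on success
        db.execute("INSERT INTO supply_plan VALUES (?, ?)", (unit, fuel_tons))

def direct_write(db, unit, fuel_tons):
    """A write that never passes through frontend_insert, as happens when the
    host or the input program is subverted. Returns 'stored' or the backend's
    rejection message."""
    try:
        with db:  # commit on success, roll back on error
            db.execute(
                "UPDATE supply_plan SET fuel_tons = ? WHERE unit = ?",
                (fuel_tons, unit),
            )
        return "stored"
    except sqlite3.IntegrityError as exc:
        return "rejected: %s" % exc

def current_value(db, unit):
    row = db.execute(
        "SELECT fuel_tons FROM supply_plan WHERE unit = ?", (unit,)
    ).fetchone()
    return row[0]

def demo():
    """Run the three cases on constructed sample data and return the outcomes."""
    db = open_db()
    frontend_insert(db, "alpha", 1200)
    results = {}
    # Out-of-range value, front end bypassed: the column rule still refuses it.
    results["bypass_out_of_range"] = direct_write(db, "alpha", -40)
    results["after_rejected_write"] = current_value(db, "alpha")
    # In-range value, front end bypassed: the rule accepts it. A column rule
    # bounds what can be stored; it does not show that a stored value is the
    # one that was originally entered.
    results["bypass_in_range"] = direct_write(db, "alpha", 4900)
    results["final_value"] = current_value(db, "alpha")
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```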

Date: Wed Dec  6 23:45:16 1995
From: (Whyte Jesse CDT)
Subject: Let's take a leap ahead...

Let's jump ahead a little into the future - not too far, but far enough
to "possibly" look at the future of the network and telecommunications
perhaps five years from now.  (Please, no flames, just a personal
prediction...if you disagree --- then POST! and I'll gladly argue!)
  [Moderator's note: no flames allowed on this list - discuss politely]

From a personal standpoint, I think that networking and internetworking
is perhaps the computer science that will be most applicable to everyday
life.  We can all see it easily - imagine watching a five minute block
of commercials and comparing it to the same experience today.  In only a
two hour segment of television, I rapidly lost count of the number of
World Wide Web URLs that I saw flash across the TV screen.  AT&T and MCI
have been working on interactive TV for quite some time and the WWW,
along with rest of the Internet, would provide quite a good stepping
stone into the future. 

What will this step bring - most importantly and within the confines of
this list - what will this mean for the information pirates and bandits
of the early-twenty-first century? Only three and a half years ago Ross
Perot was discussing the possibility of direct democracy through
interactive television, does this lead to better democracy, or another
era of eighteenth century Tammany Hall style politics? Obviously, we
make risks when we adopt new untested technologies, but how much risk
are we willing to take? How much risk can we afford to take?

Moderator's Forwarded message: (LONG)
Date: Wed, 6 Dec 1995 20:22:43 -0800
Subject: Re: [FYI] FBI Training Eastern European Police

Working relationships.

Anyone that a firm would expect to have a contract with, isn't
probably someone you should be sharing a bed with -- as they say -- in
the first place.

>   Some teachings do not translate for the European
>   students. For example, there is no Russian RICO - the Racketeer
>   Influenced and Corrupt Organizations Act that is one of the strongest
>   American legal tools against organized crime.

Some teachings also probably don't translate well for the American
instructors.  Cultural differences and expectations, as an example,
which are born out of history.

While the idea of a Russian RICO is interesting, it's not overly
realistic.  RICO is meant for a region that has established rules of
engagement -- the breach of which calls for quick "rubber-hose"
justice to ensure the system continues to function.  RICO is best
reserved, in that sense for a litigious America, to make sure that
everyone remembers where their allegiance should lie.

It has very little applicability in a chaotic system.  Not only is
there nothing to "preserve" -- but it truly begs the question of who'd
administer a Russian RICO?  

You can't expect someone who's earning the equivalent of $50/month
not to supplement their official "pay".

>   Eastern European crime syndicates tend not to be based in crime
>   families, instructors said. And organized crime in Russia and Ukraine
>   is so much a part of the society, that it's hard to stop it, said Amy
>   O'Neil, a State Department official not involved in the ILEA.

Yep.  This is a very serious problem.  

Some circles have suggested that the Russian nationalist Zhirinovsky is
involved in some fashion in these syndicates; they've drawn a parallel
to Sinn Fein. 

Others think that there is a utilization of KGB remnants (including
those former communists which have now been _absorbed_ into the
"unified" Germany, and continue to hold positions of power there).  They
believe that these sympathizers wish to restore and rebuild Mother
Russia and the old social state. 

Some believe that these elements -- those that have a political /
nationalistic allegiance -- are very friendly with the Eastern European
crime syndicates.  A reciprocal arrangement, if you will. 

One thing is clear.  Whether or not any of the foregoing hold, or
whether or not this syndicate's motivations are capitalistic or
nationalistic -- their tentacles extend worldwide.  Not only through a
Moscow - St. Petersburg - Frankfurt - Brussels backbone, but even into
the heartland of the United States. 

Hard to believe??

The FBI (I think) has identified about 220 "Eurasian" (mostly Russian)
gangs operating in 17 U.S.  cities in 14 states.  And I believe they've
identified 5,700 crime gangs in the former Soviet Union (which is up
_significantly_ from the 785 identified in 1991). 

The Russian Ministry of Internal Affairs has estimated that gangs in the
former USSR employ about 100,000 _full-time_ members and an estimated
3,000,000 part-timers. 

These gangs' tentacles even by FBI estimates extend worldwide. 

The FBI (again) said that Russian gangs are entrenched in 29 foreign
countries and maintain contacts with nearly 100,000 criminal enterprises
worldwide ranging from illegal alien smuggling rings, and drug gangs,
through the child prostitution trade in China and Southeast Asia. 

If these enterprises are even somewhat loosely organized -- as Sinn Fein
was -- then they probably have access to good crypto.  Very good crypto. 
There can be no question of that. 

The belief that this syndicate is composed solely of thugs is actually

The ISSA (Information Systems Security Association) has suggested that
these transnational gangs employ out of work or underemployed Russian
scientists, mathematicians and computer experts, who earn as _little_ as
$50 to $100 a month in their legitimate jobs because of inflation of
Russia's currency. 

The ISSA has written that these specialist scientists penetrate the
Internet's global web of more than 60,000 computer networks.  Radicals
even suggest that this group is unique in having access to their own
constellations and communications systems -- but I personally think that
could only be civilian speculation. 

This group is well organized, well financed and has a breadth and depth
of manpower that has never before been confronted. 

The idea that those Russians who now winter at St.  Tropez and who have
joined Monte Carlo cafe society must simply be very effective
"capitalists" doesn't float.  They are true natural talents who
understand the financial system and its networks -- personal networks,
financial networks, and silicon networks. 

The former Russian bankers who managed the country's Gold & Oil Sales,
the ones who achieved understandings with De Beers, the ones who
managed Soviet international FOREX operations, and the ones who visited
with Armand Hammer, and learned from him personally, probably had some
sophistication in these matters. 

They've "dirtied" their hands with matters of Western finance, before. 

If they or their lieutenants have donated their talents to these
enterprises, then Burwitz truly has his work cut out for him in
educating and training at the new FBI School. 

He's not just facing some Caspian caviar smugglers.  He's up against
some of the finest talent available. 

>   Both students and teachers said there was a remarkable similarity,
>   however, in the use of evidence and investigatory tools among the
>   countries. Eastern Europeans are very familiar with the use of DNA
>   testing, for example, to identify suspects, although they don't
>   always have the money to do it, Burwitz said. "There are different
>   orders of laws between the U.S. and here," said a Czech student who
>   would identify himself only as Milan. "But essentially, we have the
>   same methods of investigation."

A far worse scenario can come forward than Milan's. 

Let's suppose that the other side not only has complete familiarity with
your arsenal of investigatory and evidentiary tools, but also has a
superior knowledge of your own systems and their vulnerabilities, -- a
knowledge that is superior to that you yourself possess. 

Let's assume that while you were building your systems, hard and soft
systems, the other side has been studying them -- looking for holes and
vulnerabilities, and quietly documenting them. 

Taking an action, no different than your very own study of their
systems, actually. 

Now let's suppose that you destroy the other side's system, and cause
economic collapse, social chaos, and national humiliation, while
preserving your own system.  An attempt at supremacy through "other
means".  Have you not invited a retaliatory attack?

Some might suggest that you have ... 

Not that Eastern syndicate elements might wish to see the disease which
has affected post-Soviet Russia propagate.  A share in the taste of it. 
They're too busy tasting what was promised to them by the Voice of
America and living the life of a model capitalist -- one of the
characters from Dynasty. 

Groups such as the Congress of Russian Communities, and the decorated
Afghan war hero, Gen.  Alexander Lebed -- who Yeltsin asked to resign as
commander of the 14th Russian Army following Lebed's criticism of the
Kremlin -- certainly would have nothing to gain by retaliating in kind
to the disease introduced into the Motherland. 

Striking at the state's head, clearly didn't solve this problem.  The
essential "talent" has simply re-organized into a new structure, one
which is not under any central command or control hierarchy or
authority.  Simple chaotic self-interests organizing and emerging. 

Certainly upcoming Presidential Elections in June and November won't
play a part in this. 

"I treat the word democracy with respect," forty-five-year-old Lebed
told the newspaper Segodnya recently.  "But I am sure democracy will not
be established within my lifetime.  Our country is such that democracy
will have to be built by authoritarian methods."

Luckily, for all of us, President Boris Yeltsin is firmly in control. 

He has little to fear.  Some people might be looking for a parallel to
MacArthur / Truman, in this instance.  But I personally wouldn't hang my
hat on that hope. 

Lebed certainly wouldn't subscribe to Douglas MacArthur's statement
after he was relieved of command in the Far East, in 1951, when he said,
"I find in existence a new and heretofore unknown and dangerous concept
that the members of our armed forces owe primary allegiance or loyalty
to those who temporarily exercise the authority of the Executive Branch
of the Government rather than to the country and its constitution which
they swore to defend.  No proposition could be more dangerous."

The April/May ISSA Password had this to say. 

     "Unless something is done by law enforcement and private security
     agencies on a global scale to deter these Russian criminals, they
     will be looting banks, corporations, and government agencies of
     billions of dollars -- without using guns or the traditional
     methods.  Their modus operandi will be to rely solely on computer
     keyboards and the Internet.

     In an article published in the February 6, 1995, issue of the
     "Washington Times," international security expert and former
     Times editor-in-chief Arnaud de Borchgrave said: (sic)
     "Cyberspace detectives" report that financial thefts by Russian
     organized crime hackers on the Internet last year exceeded an
     estimated $5 Billion in the United States alone.

     Furthermore, he reports that about $300 million in untraceable
     computer transfers have vanished during the past two months
     (Jan/Feb 95) from banks and securities firms based on the East
     and West coasts of the U.S.

I think in February (1995), the CIA and the National Security Agency
(NSA) warned in a joint security report that, "The security of
information systems and networks is the major security challenge of this
decade and possibly the next century."

Burwitz faces a challenge.  If you face talent, information, money, and
organization, while you can't even get your ducks lined up, if you can't
maintain team discipline, then you might pretty well surrender. 

You've already ceded much of the high ground, as Burwitz can probably

To prevent the accusation of being a "red-baiter" perhaps, I might say
that Mao Tse Tung, himself once noted:

   "Some people are intelligent in knowing themselves but stupid in
   knowing their opponents, and others the other way round; neither
   kind can solve the problem of learning and applying the laws of war."

And to close, a return to de Borchgrave, who according to ISSA Password,

     "And it's not juvenile hackers who are committing these crimes.
     "Those doing it for the sheer pleasure of causing chaos on the
     net -- usually very young super-hackers -- have rapidly become
     the minority," one cyber detective told de Borchgrave.
     "Transnational crime gangs operating on several continents at
     almost the speed of light are now the main problems."

From: "Donald E. Elam" 
Date: Thu, 7 Dec 1995 12:36:06 -0800

If asked for a definition of IW, my initial response would be: what do
you want it to be? It can be anything and everything depending on how
you define it.  This is perhaps the greatest challenge facing us right
now.  Only by agreeing on a common view of IW can the various endeavors
effectively be coordinated.  The thesis chapter that I am currently
working on is focused on definition.  I have collected the party-line
definitions of IW from various government and commercial entities.  I am
trying to make sense of the mess and perhaps add to it by offering my
own spin.  Once I make my final decision, I will forward it to the
newsgroup for critique. 

I look forward to interacting with others that share my fascination with the
truly interesting subject of IW.

From: fc (Dr. Frederick B. Cohen)
Subject: PM in Bosnia
Date: Thu, 7 Dec 1995 17:13:48 -0500 (EST)

Today, Serbs stamped on an American flag for CNN cameras as part of
their IW campaign relating to the Bosnians getting control of Sarajevo. 

The Serbs thought the city should be split, but since the Serbs couldn't
win it in the negotiations, they decided to try to win it via IW. 

Now, if CNN would only report it properly (and if I could only spell properly):

	"In Bosnia today, Serb information warfare troops raised the ante
	in their campaign to retake Sarajevo.  They are seen here posing
	for CNN cameras with a shreaded American flag underfoot.  Their
	use of children in this campaign is seen by many as a violation of
	international law, and according to Amnesty International, it's
	against the Geneva convention.  Dispite the winter temperatures,
	Serb propaganda troops here in Sarajevo are in full bloom today."

-> See: Info-Sec Heaven at URL
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236

Date: Thu, 7 Dec 95 20:40 EST
From: Michael Wilson <>
Subject: RE: IW Mailing List history/951206

Mr. Watson raises a few points that I think worthwhile to address.

> Like Sun Tzu said, "while you're studying warfare I'll be snacking on
> your crops." Well, maybe he didn't really say that.  But you can't
> prove it. 
> It is my hope that we'll focus on how to keep the bad guys out of my crops.

If you are up to your knees in mud with someone firing rounds at your
head, you don't need your mates expounding on the philosophies of
warfare; this implies, however, that you are a grunt who has no need of
understanding such concepts beyond the minimal amount necessary to
achieve your objective.  Farther along in the military command
structure, or informational value chain, you had certainly better be
concerned with the philosophies of war, otherwise a wily opponent who is
more versed than you will be grinding your men down until you lose the
battle and the war. 

There are many places on the net that are geared towards the specifics
of fighting hacker intrusions; newsgroups, mailing lists, manuals, tools
all wait for your willing hand and eager mind to take them up.  Lacking
on the net, however, is any forum designed for discussion of the greater
issues at hand (barring RISKS); there are those whose interest is
'firefighting' and those whose interest is the nature of fire.  Note
that most of what we know about firefighting comes from understanding
the nature of fire; note similarly how design of secure information
systems comes from understanding the attacks of aggressors and
integrating such understanding -into- the basic system design.

This is why professionals in the information warfare business
contemplate philosophies; the details of hacking a system may change,
but the higher level understanding of what makes flawed systems
vulnerable will serve you well over time.  For specific case studies,
see the stories of John Draper; attend a 2600 meeting (be careful not to
attend the NAMBLA meeting on the night after) where the hottest
properties are internal manuals of targets; or pull apart the internals
of AOHell to see how they took advantage of design flaws in the system,
and the credit card clearing mechanism. 

Richard Feynman once commented that the reason that individuals aren't
susceptible to statistical prediction of their movements is that they
aren't a body of data.  Predictive sciences need scale to have any

Like it or not, you are trapped by your dependency infrastructure, and
you have your place in the value chain.  Most likely you would have a
very difficult time weathering a hacker attack that hit you, personally,
one-on-one along such lines.  Your phone bill comes delivered by UPS. 
Your credit cards are being used by people not yourself.  Your utilities
get shut off.  Your name shows up in a police database stating that you
are a cop killer.  The IRS gets a fake tax return where you declare your
drug profits.  Loans are taken out in your name, and not repaid.  Your
close connections (anyone you called on your phone, showing in the
Message Unit Detail) have the same done to them.  Look at the case
history of a journalist named Richard Sanza if you want to see how an
individual can be hung by his dependency-infrastructure short-and-curlies. 

I think you fail to understand how large scale societal pressures can
act in the small.  What created the flash-crowd riots post-King verdict
in Los Angeles? Why will any prosecuting attorney tell you that a case
is decided in the jury selection process? Larger groups are in no way
immune to hysterical crowd action (see the classic _Popular Delusions
and the Madness of Crowds_ [damn, lent it out, hope the title is
correct]); witness fads such as the Pet Rock or any New Age religion. 

You also mention the 'Seven Samurai' example of the classic attrition
warfare model: give me your crops or we'll hurt/maim/kill you.  Or until
you hire some ronin to protect you.  You're rebuilding the basis of the
value chain.  An understanding of the infosphere and physical
environment, the material and informational value chains, gives you a
tool to understand what form of conflict works at what level.  That is
the point of building such a cognitive model. 

By the way, how do you handle the concept of nuclear war, where nobody
gets the crop in a lovely lose-lose mutually assured destruction game?

Dependency infrastructure attacks work just as well in the small as the
large--is there really much difference between the OPEC use of the oil
weapon as making certain that your competitors' suppliers don't sell to
them anymore (particularly effective in kanban/just-in-time supply
systems)? Is having satellite coverage of Iraq in the Gulf War terribly
different than having sniffers placed in all the routers that move net
traffic in your direction?

I vote for macro level discussions, punctuated with concrete, micro
level examples for clarity.  An understanding of the
motive/method/opportunity triad is critical for robust thought;
misunderstanding or discounting of 'fuzzier' concepts leads down a
twisty path, to places such as Viet Nam, or even the family argument.