Subject: IW Mailing List iw/951219
Date: Mon, 18 Dec 95 21:19:27 -0500
From: (A. Padgett Peterson, P.E. Information Security)
Subject: RE: IW Mailing List iw/951218

>Does this group pose a threat? What targets are they likely to hit? Who
>are they going to get funding from? What do you do to counter the threat
>or disperse the focus of the group? Any thoughts?

a) yes
b) logistics (food, fuel, & firepower)
c) amateurs rarely need funding, just aiming  (professionals now...8*) 
d) feedback mechanisms & redundancy
e) give the oppo a target they can't refuse & mine it

From: Potter B MSgt ACC/SCXX 
Subject: French IW Attack
Date: Tue, 19 Dec 95 07:28:00 EST

Perhaps I overreacted a bit concerning safety of flight :^}  However, I 
firmly believe that this action will have impact far beyond the Web servers, 
themselves.  I submit that thousands of international users attempting to 
bombard these servers at once will also shut down domain gateways, DNSs, 
routers, PSNs, and all other devices "in-line" or associated with these web 
sites.  Locking these associated devices will effectively lock the 
government.  Our moderator's warning to the targets may help, provided they 
advise domain administrators to block international access.

From: "Marcus J. Ranum" 
Subject: Re: IW Mailing List iw/951218
Date: Tue, 19 Dec 1995 08:46:17 -0500 (EST)

>Let's take a hypothetical situation in which a group tries to delay or
>stop the deployment of NATO troops in Bosnia.  We'll make a few
>They are well organized.  They have global membership.  They are
>technologically savvy.  They have limited funding.  Extremism is an
>attractive option to some group members. 

[Moderator's note: political satire to follow]

	First off, I'll assume you're NOT talking about Congress. 
Except for the global membership and technologically savvy part, you
could have been describing them to a 'T'.  :)

[Moderator's note: political satire completed]

	Why do "IW?" at all? Conventional terrorist and guerilla war
tactics would be more effective.  This is why I continue to maintain
that "IW" is bogus and only attractive to those with large cold war
budgets at stake, that they are still trying to protect. 

	Periodic handheld missile launches against troop aircraft low to
the ground (those cluttered German cities are great for that, and there
is a nice civilian population to blend into) would mire operations and
raise casualty levels.  Grenade and conventional sniping attacks against
troops on the move would raise casualties and further impact morale. 
The occasional mortar bomb lobbed into a supply pool would delay
movement of material, increase costs, and further aggravate the
situation.  Terrorist troops in US equipment beating up a few civilians
while "arresting" or "questioning" them about terrorist activity would
raise tensions.  Lastly, since this is a long-range supply operation,
the supply line can be attacked anyplace between Bosnia and the U.S.  --
it's so large it is impossible to defend.  The basic problem is moving
goods in the face of anonymous hit-and-run attacks designed to slow the
movement of those goods. 

	Since you used the example of delaying deployment into Bosnia,
specifically, I will give you the terrorist answer: ramp up casualties
associated with the project until Congress has a belly-full and pulls
the US out.  The Somalis proved how easily that can be implemented, and
they were already localized and pinned (roughly) by troops. 

	Conventional terrorist tactics work better than "IW" for most of
the situations where "IW" is touted.  Conventional terrorist tactics are
lower-tech, cheaper, easier, more visible, more demoralizing, and
require less skill to employ.  "IW" is bogus, but it sure sounds cool
and sexy. 

Date: Tue, 19 Dec 95 11:02:57 EST
From: (Bob Bowes)
Subject: Re: CERT Advisory CA-95:18

Since the rpc.ypupdated vulnerability was recently discussed on [a
widely read mailing list], it seems that some less desirables have taken
it upon themselves to "try it." This brings up the age old question of
releasability.  CERT's position has always been to never release
information unless there was a "fix" for it.  Others advocate full
disclosure of everything.  IMO, information should be published as
widely as possible, but actual working (exploit) programs should not. 
Security programs should be released.  Now, what's the difference
between an exploit program and a security program? SATAN seems to be a
good example of a security program because it searches for
vulnerabilities, but does not take advantage of them to gain
unauthorized access to the host. 

IW is not only about attacking other systems; more importantly, it's
about protecting your own information systems.  Information about how to
protect your site is vitally important.  And I think this includes
knowing what attacks are being used, and which one CAN be used.  Of
course, whoever is trying to attack systems would like that information
close held so their potential targets are left unawares.  Personally, I
think it's more important to teach people how to protect their systems. 

Moderator's Note:
	Without true exploit code, how do you test a defense?

Date: Tue, 19 Dec 1995 11:59:55 -0500
Subject: IW = The Weapons

IW is NOT making bombs and bullets more efficient killing machines, it
is a new dimension in conflict altogether. 

I do not believe that Fred's definition is overly broad at all: he says
that IW is:

	"Conflict where IT is the weapon, the target, the objective, 
	or the method."

I would only add/change it to read "IT or Information is the weapon ..."

[Moderator's Note - Cohen defines IT in this context as information or
information technology, so these definitions agree exactly.  Also, Cohen
has suggested several definitions and he only claims that this one covers
everything people on the list have given as examples, not that he embraces
it as his own.]

When one includes all 3 classes of IW into one's thinking, it becomes
clear that any individual can wage at least limited forms of IW and
that's the whole point. 

IW is now wageable (to varying degrees) by just about anyone with a
little technology and a little know-how and a very small amount of
money.  Increase any of these variables significantly, add a healthy dose
of motivation, and suddenly you have an adversary to be reckoned with -
guns, tanks or howitzers notwithstanding. 

The military is still trying to come to grips with the fact that IW is a
new dimension.  I agree with the Pentagon that we need to make smarter
bombs and smarter soldiers who are better wired to an instantly
iterative information-rich decision making cycle. 

But that still ain't information warfare. 

From: fc (Dr. Frederick B. Cohen)
Subject: Forged email to sway Congress
Date: Tue, 19 Dec 1995 16:01:45 -0500 (EST)

It seems like a trivial thing to do, but if email to Congress works to
sway opinion (as it apparently did in a recent email campaign), it
should be fairly easy to create thousands of pseudo-randomly generated
email messages from different apparent sources each hour, all supporting
a point of view.  Supplement this effort with a small telephone room
full of people to fill congressional switchboards with supportive phone
calls, and you have an interesting PM attack on Congressional decision

Moderator's Note:

In a discussion yesterday with a real one-time information warrior, the
subject matter swayed into one of our mutual pet peeves about how open
source people discuss IW - the lack of understanding about how to use
controlled force (as opposed to the 'stick a thousand viruses on the
net' tactic so widely used in non-military examples).  Just look at
today's postings:

	rightly points out that there may be
	many unpredictable side effects of the French attack - and in
	war - this creates major problems - especially for the US which
	strives to limit collateral damage.

	points out that "amateurs rarely
	need funding, just aiming" but of course aiming amateurs rarely
	produces the sort of predictable effect on an enemy's dependency
	structure desired in a military situation.

	rightly points out that many of the IW attacks
	discussed to date on this list are little more than random acts
	of violence.  As he says, in this context: "Conventional
	terrorist and guerilla war tactics would be more effective."

	tells us that: "IW is now wageable (to varying
	degrees) by just about anyone with a little technology and a
	little know-how and a very small amount of money." but I don't
	think that random cyber-violence is manageable at all.

If we are to understand IW at a level beyond that of random acts of
violence, we must presumably understand a great deal more about the
weapons, their effects, their strategic, operational, and tactical value
in conflicts of different intensities, and their ability to achieve
specific goals in support of a specific greater effort.

Even if we are to embrace the view of IW as covering non-violent
conflict between personal rivals for a third person's affection, in
order for the field to move ahead, we must move toward a deeper
understanding of these issues.

I would like to hear some discussion at a finer level of granularity,
perhaps starting with a list of the issues that are important to
getting a real deep understanding of IW and then proceeding to deal
with these issues in a significant way.