From: iw@all.net
Subject: IW Mailing List iw/951220
---------------------------------------------
From: "Jesse A Whyte" 
Date:          Tue, 19 Dec 1995 20:34:04 +0000
Subject:       Re: IW Mailing List iw/951219

Mr. Schwarau said:
>IW is now wageable (to varying degrees) by just about anyone with a
>little technology and a little know-how and a very small amount of
>money.  Increase any of these variables significantly, add a healthy 
>dose of motivation, and suddenly you have an adversary to be reckoned 
>with guns, tanks or howitzers notwithstanding. 

Although I grant that IW is an upcoming weapon on the electronic
battlefield, I would hardly say that one individual, with even a
moderate amount of resources, could harness enough IT to potentially
come to bear against actual armed forces.  Even with the tremendous
influence of information assets exercised in the Persian Gulf arena, the
war would not have been won without the "guns, tanks or howitzers".  IW
is a weapon, but it is not strong enough to deal with the real bombs and
bullets of the battlefields.  Yet... 
---------------------------------------------
Date: Mon, 18 Dec 95 13:54:26 -0800
From: "Darrell D. E. Long"  (via the Risks forum)
Subject: Navy hacked by Air Force

http://www.telegraph.co.uk/et/

A few clicks and then the e-mail message entered the ship's control
system...

War of the microchips: the day a hacker seized control of a US battleship

BY SIMPLY dialing the Internet and entering some well-judged keystrokes,
a young US air force captain opened a potentially devastating new era in
warfare in a secret experiment conducted late last September.  His
target was no less than gaining unauthorised control of the US Navy's
Atlantic Fleet. 

Watching Pentagon VIPs were sceptical as the young officer attempted to
do something that the old Soviet Union had long tried to do and failed. 
He was going to enter the very heart of the United States Navy's
warships - their command and control systems. 

He was armed with nothing other than a shop-bought computer and modem. 
He had no special insider knowledge but was known to be a computer
whizzkid, just like the people the Pentagon most want to keep out. 

As he connected with the local node of the Internet provider, the
silence was tangible.  The next few seconds would be vital.  Would the
world's most powerful navy be in a position to stop him?

A few clicks and whirrs were the only signs of activity.  And then a
seemingly simple e-mail message entered the target ship's computer
system. 

First there was jubilation, then horror, back on dry land in the control
room at the Electronic Systems Centre at Hanscom Air Force Base in
Massachusetts.  Within a few seconds the computer screen announced
"Control is complete."

Out at sea, the Captain had no idea that command of his
multi-million-dollar warship had passed to another.  One by one, more
targeted ships surrendered control as the codes buried in the e-mail
message multiplied inside the ships' computers.  A whole naval battle
group was, in effect, being run down a phone-line.  Fortunately, this
invader was benevolent.  But if he could do it ... 

Only very senior naval commanders were in the know as the "Joint
Warrior" exercise, a number of experiments to test defence systems,
unfolded between September 18-25.  Taking over the warships was the
swiftest and most alarming of the electronic "raids" - and a true shock
for US military leaders.  "This shows we have a long way to go in
protecting our information systems," said a senior executive at the
airbase where the experiment was conducted. 

The exact method of entry remains a classified secret.  But the Pentagon
wanted to be the first to test the extent of their vulnerability to the new
"cyberwarriors" - and had the confidence to admit it. 

Now they believe they know what they are dealing with and the defences
are going up. 
---------------------------------------------
Date: Tue, 19 Dec 1995 21:05:31 -0500
From: mdevost@chelsea.ios.com (Matthew G. Devost)
Subject: Re: IW Mailing List iw/951219

>---------------------------------------------
>From: Potter B MSgt ACC/SCXX 
>Subject: French IW Attack
>Date: Tue, 19 Dec 95 07:28:00 EST
>...
>Perhaps I overreacted a bit concerning safety of flight :^}  However, I 
>firmly believe that this action will have impact far beyond the Web servers, 
>themselves.  I submit that thousands of international users attempting to 
>bombard these servers at once will also shut down domain gateways, DNSs, 
>routers, PSNs, and all other devices "in-line" or associated with these web 
>sites.  Locking these associated devices will effectively lock the 
>government.  Our moderator's warning to the targets may help, provided they 
>advise domain administrators to block international access.

Perhaps...but I still haven't seen any indication that this "offensive"
IW attack is going to be any worse than an unexpected server being
selected Cool Site of the Day.  Perhaps a tech person from the group can
give us a realistic estimate.  What are the effects of 10,000 people
trying to hit the same site at the same time?

>From: "Marcus J. Ranum" 
>Subject: Re: IW Mailing List iw/951218
>Date: Tue, 19 Dec 1995 08:46:17 -0500 (EST)

>	Why do "IW?" at all? Conventional terrorist and guerilla war
>tactics would be more effective.  This is why I continue to maintain
>that "IW" is bogus and only attractive to those with large cold war
>budgets at stake, that they are still trying to protect.

I'll agree that conventional terrorism would be very effective.  A
blood flows thicker than bits approach.  But...what if the target group
did not want to shed blood? Let's clarify the original post and say that
the group involved is similar to the SDS of the 60s (the mainstream section). 
Same objectives, they just want to approach their objective without the
loss of public support and without causing direct harm to the troops.  I
realize that we are getting really hypothetical here, but I want to maintain
the IW edge to the scenario and not discard it because IW would be the
least effective approach. 

"Tonight on news 5...Electronic intruders disrupted military computers
today delaying the deployment of troops in the Washington area for two
days.  As a result, the troops will be forced to spend Christmas with
their families.  The group claiming responsibility for the attack issued
a press release stating that ...."

>	Conventional terrorist tactics work better than "IW" for most of
>the situations where "IW" is touted.  Conventional terrorist tactics are
>lower-tech, cheaper, easier, more visible, more demoralizing, and
>require less skill to employ.  "IW" is bogus, but it sure sounds cool
>and sexy.

So we should ignore advances in offensive IW and thus expose our troops
to greater risk than is necessary? I hope your statement wasn't meant to
be a blanket statement for all IW and only applied to the hypothetical
situation. 
---------------------------------------------
Date: Tue, 19 Dec 1995 23:35:26 -0500
From: gooddent@pa.net (Tom Goodden)
Subject: Re: IW Mailing List iw/951219

>I would like to hear some discussion at a finer level of granularity, ...

Now we are getting somewhere.  I propose that issue one is U.S. 
telecommunications law.  Why is issue one not the threat?

The threat has not yet shown itself in an orchestrated mode that would
provoke official policy reaction.  It will.  When it does, it will
demonstrate that for all that is 'old' about IW, the key 'new' feature
is the depth and breadth possible in a well synchronized attack. 

And before it does, a clear understanding of U.S.  law and precedence is
indispensable to crafting policy solutions.  I say this because my entrée
into discussion of policy options shows me that there is at once: a
painful ignorance of law in some quarters, a plethora of agendas that
each seem to be agency turf related, and a painful unwillingness to work
within existing law. 

If I understand the law, the NII is and will ever be the province of
civilians.  I propose we start there. 
---------------------------------------------
Date: Wed, 20 Dec 95 11:23:15 -0500
From: padgett@tccslr.dnet.mmc.com (A. Padgett Peterson, P.E. Information Security)
Subject: RE: IW Mailing List iw/951219

Ah, people are thinking.  That is good.  Actually IW is more and less
(and if you consider that IW is about distorting perceptions then I
learned a lot from my sister at a very young age - "she would never do
anything like that so it must have been..."). 

Now let's lose some words.  The purpose of war is destabilization. 
Information Warfare is causing destabilization through the use of, or of
information.  Though it may be used by itself, it is just one element of
destabilization. 

It has the appeal of being very inexpensive to mount and can be launched
from almost anywhere - for many other attacks proximity is important and
logistics must be considered (the alternative view is that for IW
anywhere is proximate to everywhere else).  My comment about amateurs vs
professionals holds but the cost of the professional is bound in their
self-worth, not in any real differences in ability or even equipment,
rather in dependability (anyone know the source of "every man has a
price, just the honest ones are free." ?)

All that is really necessary are thought control and some "random acts
of unkindness". 
---------------------------------------------
From: "G.Adamopoulos" 
Subject: Re: IW Mailing List iw/951219
Date: Wed, 20 Dec 1995 20:27:19 +0200 (EET)
> [...]
> ---------------------------------------------
> Moderator's Note:
> 	Without true exploit code, how do you test a defense?
> ---------------------------------------------

You can be warned only of a ghost.  I believe that full disclosure should be
established if those releasing exploit code know *exactly* to whom they are
releasing it and are certain that it reaches the right person as far as
they are concerned.

Maybe a courier service with ID authentication should be a good way for 
releasing exploit code and make sure that as far as you are concerned, you
have sent info to the right place.  Just a thought...
---------------------------------------------
From: fc (Dr. Frederick B. Cohen)
Subject: Re: IW Mailing List iw/951219
Date: Wed, 20 Dec 1995 13:28:24 -0500 (EST)

> Moderator's Note:
> 	Without true exploit code, how do you test a defense?

At our site, we have taken the position that trusted testing services
can perform tests remotely without giving out the exploit code.  This is
not problem-free, but it reduces the number of people with exploit code
while providing a means for effective testing.  We have found this to be
a good compromise, except in that it forms an elitist group of testers.
---------------------------------------------