From: iw@all.net
Subject: IW Mailing List iw/951227
---------------------------------------------
Date: Tue, 26 Dec 1995 19:43:11 -0600
From: Walter Auch 
Subject: Re: IW Mailing List iw/951226


>Date: Tue, 26 Dec 1995 14:29:39 -0500
>>From: kenpyle@annap.infi.net (kenpyle)
>...
>The military is not known to follow many civilian approaches to problems
>and often, this situation included, adopts its own unique approach to
>its problem.  The importance of this is that it would take any group of
>cyber terrorists a significant amount of prior planning and espionage to
>learn the intricacies of the DoD internal network.  
>...

"Security through obscurity" is questionable, at best.  In the case of IW,
one would have to assume that significant amounts of research (from open
source documents, amoung other sources) will have been done.  To depend upon
a "unique approach" to provide any level of security is not, IMHO, reasonable.
---------------------------------------------
Date: Wed, 27 Dec 1995 15:45:48 -0500
From: cobbjw@ornl.gov (John W. Cobb)
Subject: Re: IW Mailing List iw/951225

Robert Steele wrote:
>	I would just like to note that while I am one of those warning
>of the possibilities of "Net Strikes", ...
>
>	While the law may be unclear in some areas, "reason" can always
>overrule the law, and I for one would suggest that the French government
>would be well within its rights as a sovereign state to seek out and
>execute anyone foolish enough to wage piracy, information terrorism, or
>quasi-war against French infrastructure and French electronic property.

Well, IMO execution seems quite extreme. Robert must be joking somewhat (or
else lets hope he does not have access to the levers of power. :> )

However, the line of reasoning is a very interesting one to pursue here. 
IW, in its broadest sense is "Devilment" by one net-entity that does
harm to another, whether it is PW sniffing, phone phreaking, French
Net-strikes, or access to command codes of (mythical) U.S.  Atlantic
battleships.  The most usual response to these types of attacks is not
retaliation, but insulation from and attempts to prevent repetition of
these attacks.  The prosecution of the perpetrator seems to be the
exception rather than the rule.  Why as a society, doesn't the networld
take more active efforts at punishment?

Three reasons come to my mind:

1) The perpetrator is often unknown and it takes a great deal of effort
to identify him/her. 

2) The actual damage is usually minimal.  Loss of computer-time,
computer-access, etc.  This may change as more real-time systems become
net-work available.  It's one thing to start an e-mail chain letter, but
quite another to bring down a air-traffic control center. 

3) The perpetrator is often not motivated by greed, but by adventurism. 

I know that everyone can cite cases that are exceptions to this picture
(the Morris worm, corporate espionage, etc.), but one must agree that
this picture of reality is what is often portrayed in news accounts and
water-cooler conversations.  It is part of the mythology and lore of the
net. 

My questions to spark discussion are:

1) To what extent is the previous characterization accurate? Are most
intruders caught or not? Are they pursued under various state and
federal (and laws of other nations)? Are most intruders adventures or
are they maliciously looking for data to steal or destroy? Your
thoughts?

2) Would there be a better response than the current "kids-will-be-kids"
attitude? Considering the interests of those persons who subscribe to
this mailing list, I would suppose that the response would be pretty
hard-edged (such as Steele's "Shoot-zem, shoot-zem all" sentiments.)
Would it be advisable for the net as a whole to change its attitude in
this regard? What do we loose by doing so?

I certainly have my own opinions but my purpose here is to spark
discussion, not dominate it. 
---------------------------------------------
Moderator's Note:
	I want to limit this particular discussion to the issue of IW and
	not get overly broad.  The general issue of crime and punishment,
	whether it be on the Internet or not, is outside of this realm.
	A few additional guiding questions may be of interest:

	What is an "act of war"?  What is an act of IW?
	If someone commits an act of war (IW or just plain W)
		how do we react?
	Is there some reason that an act of IW is any different?
---------------------------------------------