From: iw@all.net
Subject: IW Mailing List iw/951229
---------------------------------------------
From: rjones@wicker.com (Ry Jones)
Subject: Navy Hacking Clarification
Date: Thu, 28 Dec 1995 20:43:19 -0800 (PST)

I have gotten 3 emails from people defending Hanscom as a fine
upstanding place.  No slight was intended on my part! The moderator
removed the quote marks from the letter, and the line being attributed
to me was not written by me.  Sorry for the confusion!

[Moderator's Note: I too am sorry for any confusion - rjones was only
being helpful in providing an anonymous conduit for information.  I
probably moderated out one too many lines.]
---------------------------------------------
Date: Thu, 28 Dec 1995 21:46:56 -0600
From: Walter Auch 
Subject: Re: IW Mailing List iw/951228

>From: fc (Fred Cohen)
>> From: Walter Auch 
>> "Security through obscurity" is questionable, at best.  ...
>1 - At some level, all technical info-sec depends on either physical
>security or security through obscurity. [...]
>
> [Holes] are found at a rate of about 10 a month. ...
>
>3 - There's a lot more to info-sec than technology [and] a lot of it
>depends on obscurity for its success.

My meaning of "Security through obscurity" must be slightly different
than yours.  I am speaking of the "Oh yeah, this could happen, if that
happened, but don't tell anyone, and it won't" - an all too common
attitude within the commercial sector.  This, I believe, is what was
meant by an attacker having to learn "unique methods" and therefore
making an attack difficult.  Keeping the vulnerability obscure
accomplishes nothing; keeping the countermeasure(s) obscure may.  If
that was NOT what was meant, I have somewhere lost the thread. 

There IS a lot more to info-sec than technology, and a lot of it depends
on some level of obscurity for its success - but security does not
depend upon the obscurity of the vulnerability, but in the countermeasures.
---------------------------------------------
Moderator's Note:

	This last statement seems very astute in that it differentiates
the "security through obscurity" issue into two areas - vulnerabilities
and countermeasures - and yet I am a bit puzzled about whether it really
differentiates anything.  How do we deal with this analysis:

	- If a countermeasure is perfect, it doesn't have to be obscure.

	- If a countermeasure is NOT perfect, it leaves some vulnerability
	which had better be obscured or it will be easily exploited.

Thus, obscuring countermeasures is, in essence, obscuring vulnerabilities.
---------------------------------------------
Date: Fri, 29 Dec 1995 12:45:09 -0500 (EST)
From: Sick Puppy 

> >From: Tad Cook 
> Subject: Stalking Cellular Bandits
...
> If you can learn the "fingerprints" of all the different transmitters
> ... you'll know a lot, such as
> whether a given transmission is from the massive aircraft carrier
> Admiral Kuznetsov or the lowly supply ship Ivan Kucherenko. 

Yup, that's why we had special hardware and software to randomly change
our transmitter signatures.  I have not seen this kind of hardware and 
software offered for sale anywhere, even among "educational" electronic
suppliers so it seems that cloned cellular phones will swiftly become a 
historic problem.
---------------------------------------------