Subject: IW Mailing List iw/951230
From: Walter Auch 
Subject: Re: IW Mailing List iw/951229

>>From: fc (Fred Cohen)
>>> From: Walter Auch 
>>> "Security through obscurity" is questionable, at best.  ...
>>1 - At some level, all technical info-sec depends on either physical
>>security or security through obscurity. [...]
>> [Holes] are found at a rate of about 10 a month. ...
>>3 - There's a lot more to info-sec than technology [and] a lot of it
>>depends on obscurity for its success.
>... Keeping the vulnerability obscure
>accomplishes nothing; keeping the countermeasure(s) obscure may. ...
>security does not
>depend upon the obscurity of the vulnerability, but in the countermeasures.

>Moderator's Note:
>...	- If a countermeasure is perfect, it doesn't have to be obscure.

I don't believe that there are ANY perfect countermeasures - except [shutdown]

>	- If a countermeasure is NOT perfect, it leaves some vulnerability
>	which had better be obscured or it will be easily exploited.

... We are now back to the begining.  Obscure the countermeasure for THAT
vulnerability, but not necessarily the vulnerability itself.

>Thus, obscuring countermeasures is, in essence, obscuring vulnerabilities.

Obscuring countermeasures is not obscuring vulnerabilites; does cryptography
obscure that communications exist?  "Traffic flow security" does provide a
measure of obscurity as to the quanity and/or length of the communications,
but it does not obscure the fact that communications has been established.

[Moderator's note: If you drill down another level, cryptography depends
on obscuring keys.  HOWEVER - this is now becoming a semantics issue
rather than an IW issue (or even a technical issue) - let's agree to
saying that effective non-physical information protection usually
depends, at some level, on something being kept obscure.]
Date: Sat, 30 Dec 95 04:36:40 0500
From: Vin McLellan 
Subject: Fundamentals Of Information Warfare - An Airman's View

AF Chief of Staff Fogleman on IW.  Interesting and unusually coherent.

[Moderator's note: I couldn't retrieve this document - perhaps someone else
on the list can provide us with a copy.]
Moderator's Note:

	The following is a bit strong - and a bit over the line.  (It is
copied from cypherpunks so what do you expect.) I thought it was a
little bit interesting - the use of the Internet as a vehical for
threats in the name of deterrence - assasination politics (as in
insighting homocide) - speculative hindsight about Nazi Germany being
stopped by the assasination of Hitler in 1932, and a call for immediate
action to kill a German prosecutor who is trying to enforce a law.  Is
this IW? Why and why not? Practiced by an individual? If this prosecutor
were shot dead tomorrow, would you have a different opinion?
Date: Fri, 29 Dec 1995 19:17:51 -0800
From: jim bell 
Subject: "Deterrence"

In the 1960's movie, "Dr.  Strangelove," the title character defined
"deterrence" as being "the art of making your enemies FEAR to attack

As has been well-publicized recently, pressure from a German prosecutor
had induced Compuserve to cease access to a number of sex-related
Internet groups.  Clearly, neither Compuserve nor its users nor the
Internet community in general has demonstrated adequate DETERRENCE to
him or people in his position. 

In my essay, "Assassination Politics," I pointed out that it would be
relatively easy to deter such official-type actions if enough of us
simply said, "NO!" and denominated it in terms of dollars and cents. 
After all, with four million Compuserve users, if they each were willing
to donate a penny to see this latter-day Fuhrer dead, that would be
$40,000.  (Pardon me if I don't translate this into marks and other

In practice, of course, if such a system were in place, it is highly
unlikely that he would have even dared try to put pressure on
Compuserve, and Compuserve wouldn't have dared respond cooperatively to
such outrageous influence. 

It is worth noting that if six million Jews had been willing to donate a
dime each in 1932 to see Hitler and his cronies dead, much of the late
thirties and forties would have ended up quite differently.  Some may
argue that today's situation isn't nearly as serious now as it was then,
but then again, the situation probably didn't really look very serious
in 1932, did it?!?

WHEN, exactly, would it be appropriate to act?