Subject: IW Mailing List iw/960105
Subject: Appology
Date: Fri, 5 Jan 1996 05:22:25 -0500 (EST)
From: (Fred Cohen)

Sorry for the length of that last IW email.  Several people asked that
the whole history of the game be sent out.  A few people might have also
gotten more than one copy (the disk that stores pending outbound mail
got rather overfull and the normal process had to be circumvented).

We hope to run another game soon - but this time, with very different
rules and goals.  Perhaps IW readers could suggest what they would most
like to get out of the next game.  Also, anyone interested in playing the
next game should send mail to letting the IW moderator know
to add you to the game list.
Date: Thu, 4 Jan 96 10:34:24 -0500
From: (A. Padgett Peterson, P.E. Information Security)
Subject: RE: IW Mailing List iw/960103

Highlights from the user agreement:
Section 2.7(b)
>   Member further agrees not to upload to the PCIX services any data or
>   software that cannot be exported without the prior written
>   government authorization, including, but not limited to, certain
>   types of encryption software.
Section 4.1
>   PCIX may elect to electronically monitor any and all traffic
>   which passes over our Wide Area Network. This monitoring may include
>   public as well as private communications and data transfers from our
>   Members and to our Members as well as any and all communications and
>   data transfers to and from any other internet sites. PCIX will
>   monitor our Members and those who use or transmit communications or
>   other data over our network to try and ensure adherence to
>   international, federal, state and local laws as well as the PCIX
>   Terms of Service Agreement.

Nothing unusual here or is it the fact that they are admitting it? Do
not see any prohibition to the use of crypto, just the posting of
anything ITAR covered.  Heck, we do more monitoring than that internally
(and tell employees that we do).  Just a modern CYA and indicates that
PCIX has at least studied the issues. 

[Moderator's Note: How about the PM implications if the posting?  Is this
disinformation?  Ignorance by the person making the post?]
From: (Fred Cohen)
Subject: Obscurity and Deceipt
Date: Fri, 5 Jan 1996 06:02:18 -0500 (EST)

I have been reading "Victory and Deceipt" and thinking about the security
through obscurity issue, and I would like to get other peoples opinions
of some thoughts I had on obscurity and decipt as an effective defense.

I'll start with the assumption that we are resource limited against
having really effective protection across the board.  I am certain that
this is true today based on my personal experience with clients.  A good
example is the $80 million being spent by the Air Force on defensive IW
(see General Fogleman's paper).  Please don't get me wrong.  I think
that $80M is a significant investment.  But considering the cost of a
single lost fighter and the likelihood that more than one fighter could
be lost as a result of a failure in defensive IW, I would think that a
larger investment would be called for.  I am certain that $80M per year
is hopelessly inadequate for effective defensive IW for the U.S.  Air

So given that we are resource limited, and given the choice between
security through obscurity (which comes with many systems today for
free) and no security, it would seem that security through obscurity is
a pretty good choice.  But in order for such a program to be effective,
it must be accompanied by an appropriate program of deception.

Deception has been categorized (in the referenced book) as consisting of:

	Concealment, Camoflage, False and Planted Information, Ruses,
	Displays, Demonstrations, Feints, Lies, and Insight

Here are some examples of offensive IW (info-sec) technique using deception:

	Concealment: Most computer viruses
	Camoflage: Stealth viruses
	False and Planted Information: Social engineering attacks
	Ruses: Social engineering attacks
	Displays: Phoney Hacker BBS systems to catch attackers
	Demonstrations: Satan is essentially this
	Feints: I know of no good examples
	Lies: Social engineering attacks
	Insight: Any attack against security through obscurity

And some defensive examples:

	Concealment: Obscurity is normally this
	Camoflage: Firewalls do this
	False and Planted Information: Application gateways do this
	Ruses: Honey Pots
	Displays: Warning banners on many systems
	Demonstrations: Auto-response to known threats
	Feints: Honey Pots
	Lies: "You will be prosecuted..."
	Insight: Any sound defense

Without taking too much space, I have two inquiries:

	1 - Does anyone have a good history of these sorts of deceipt in
	offensive and defensive IW (and also in info-sec) and could we
	see some other examples sent to the list?

	2 - Is this way of classifying deceipt useful in understanding
	this aspect of IW - to wit - the role of deceipt in security through
	obscurity in information systems - and more broadly to IW as opposed
	to other forms of war?

I look forward to your insights.
Forwarded from Fri Jan  5 18:38:54 1996
From: (Roger D. Thrasher)
Date: Fri, 5 Jan 1996 09:13:16 -0800
Subject: [C4I-Pro] Navy Symposium C4I & IW Realignments (Roger D. Thrasher)
<< start of forwarded material >>

Date: 4 Jan 1996 16:47:17 -0500
From: "Robbins Greg" 
Subject: Navy Symposium C4I & IW Realignments

Jan 23, 1996

Navy Symposium Focuses On Major

C4I and IW Realignments

"The Navy and the New Military Industrial Relationship"

  Dr. Marvin J. Langston ,  Deputy Assistant Secretary of the Navy (C4I/IW),
with the support of the Navy C4I Sub-Committee of the National Security
Industrial Association, will announce major changes in Navy organization and
acquisition-- as well as a new multi-million dollar program-- on Jan 23, 1996
in San Diego, California.  Held in cooperation with AFCEA West `96, Dr.
Langston will lead a team of Navy flag and other senior officers to announce
and discuss:

o SPAWAR's new organizational structure and new mission expansions with
respect to Copernicus and Information Warfare, including new "Protect"

o Role of streamlined acquisition approaches, including commercial leasing,
in future Copernicus C4I procurements;

o The expansion and alignment of Copernicus to new programs, including a new
multi-million dollar commercial and military SATCOM program called "JMCOMS"
(Joint Maritime Communications Systems);

o The relationship of JMCOMS to JMCIS.


Tuesday - 23 January 1996

0730:  Registration and Coffee

0830:   (Room 8/9 Upper level San Diego Convention Center)

0830: Keynote Speaker.

 Dr. Marvin J. Langston: "The New Military-Industrial Relationship"

0915: Navy Panel Presentations.

 "Buying INFOTECH in the Navy... The COTS Market in the next Decade" (How
Navy acquisition of INFOTECH will change...)

1145: Lunch.

  Speaker: Mr. Jim Clark:  President/CEO, NETSCAPE, Inc.    "Commercial
Initiatives Shaping Up for the 21st Century."

1330: Industry Panel Presentations.

"Selling INFOTECH to Navy in the next Decade."

1630: Closing Speaker.

  VADM Jerry O. Tuttle, USN (ret.) "Our Future Together as a
Technology-Industry Team"

Registration: Symposium will be at the unclassified level.  Fax or mail
requests to register to: NSIA, 1025 Connecticut Ave., NW, Suite 300, Dept
DNA-C3I, Washington DC 20036.  (Fax: 202-466-9080; Phone 202-775-1440 ext

Requests must be received no later than 17 January 1996.  No refunds after
1700 EST 12 January 1996.   Requests must include the following data:
Name, Title, Telephone Number, Company/Organization, Street Address, City and
State.   Visa, MC, Diner's Club and AMEX accepted.  Account No., expiration
date, and signature must accompany fax or letter.

Fees: Fees for the symposium are $125 per person for representatives of NSIA
member companies; $150 for non-members; and $95 for government employees and
active duty personnel.   Fee covers registration fee, lunch, refreshments and
administrative expenses.

Hotel Accommodations: Hotel accommodations are available under the same rates
as provided to AFCEA West `96 while they last.

<< end of forwarded material >>