Subject: IW Mailing List iw/960306
Date: Wed, 6 Mar 1996 13:10:01 -0500
From: (John W. Cobb)
Subject: Mail Bomb terrorism and its derivatives (Re: iw/960305)

Bob Bowes ask in iw/960305:
>The question for the group is: Could someone effectively use this method
>to "terrorize" a company, or government (or individual) into meeting the
>"terrorist's" demands? I don't think so.  I believe it is a means of
>communicating displeasure, but I do not believe it can "force" a change.

There is is related phenomena that has already been widely occurring. 
Often a user of a hardware or software vendor's product will find a bug
that they feel needs immediate attention.  After they have become
dis-satisfied with some vendor's lack opf customer support, some often
post directly to relevant usenet newsgroups what there problem is and
how they have not received satisfaction.  In fact this was the genesis
of the famous Intel Pentium flap where a researcher discovered the
problem but Intel refused to acknowledge it so he went to a newsgroup. 
Later Andy Grove went online to the newsgroup with remarks trying to
paper over the problem and got his self-serving PR shoved back down his
throat.  Now THERE is a case history in how NOT to handle a product
defect in the information-age!

This sort of "threat of public humiliation" tactic also happens with
frequency when it comes to spotting OS security flaws.  The rationale is
that OS security flaws are software problems of such importance that
vendors should feel compelled to respond quickly by making patches
available.  Publizing the flaws on the net is not seen as disclosing
unknown information since hacker information circles are often much more
effective at disseminating info.  than any other developed lines of
communication.  Often some more nettlesome bug-reporters will submit
their reports with wording to the effect of "I have isolated problem XXX
(specifically stated).  If I do not receive notification of a fix and
location of a patch I will post the text of this problem to newsgroup
#### after 48 hours." I'd be interested in hearing what opinions IW's
think about such tactics.  One thing to be said for it is that many
vendors are a LOT more attentive to developing and posting security
patches in near real time and I am sure that has prevented some systems
from being compromised because of OS software errors. 

At a much lower intensity level, using mailing list and newsgorups as a
feedback mechanism often gets a lot of vendor response.  Comments like
"I like to use compiler XXX from vendor YYY for my new Power PC computer
because compiler ZZZ from vendor WWW doesn't optimize my code well/
takes longer to compile/ has a bug when I use such-n-such template class
library/ etc." get noticed and responded to.  I don't know how many
times I have seen vendor DEVELOPMENT staff followup to such gripes. 

As the system evolves further, one can know also see some vendor's
competitors use their personal accounts (which have addresses like instead of to smear competitors'
products while disguuised as a simple user experiencing a problem. 

As I have said before, some of the most interesting aspects of what I
consider IW in its broadest definition (which I prefer) is directed at
targets which have no connection with military objectives and which is
not particularly war-like.  Many others have commented on the close
connections between what military types call PsyOps (Us common folk just
tend to call it press spinning and media manipulation :>).  I guess
really it is a broad spectrum of activity that spans from both ends of
the scale.  In some portions of the spectrum these types of activities
seem to provide clear social benefit.