1996-08-29 - Re: In reference to comments made to me and to the Group

Header Data

From: “William H. Geiger III” <whgiii@amaranth.com>
To: “Barry C. Collin” <isi@hooked.net>
Message Hash: 56b2e911cf8013c35447b6ad025c30c427a91117863b16d9cc9bce52c035b45f
Message ID: <199608290528.AAA08702@mailhub.amaranth.com>
Reply To: <3224A412.D05@hooked.net>
UTC Datetime: 1996-08-29 08:50:21 UTC
Raw Date: Thu, 29 Aug 1996 16:50:21 +0800

Raw message

From: "William H. Geiger III" <whgiii@amaranth.com>
Date: Thu, 29 Aug 1996 16:50:21 +0800
To: "Barry C. Collin" <isi@hooked.net>
Subject: Re: In reference to comments made to me and to the Group
In-Reply-To: <3224A412.D05@hooked.net>
Message-ID: <199608290528.AAA08702@mailhub.amaranth.com>
MIME-Version: 1.0
Content-Type: text/plain


In <3224A412.D05@hooked.net>, on 08/28/96 at 12:54 PM,
   "Barry C. Collin" <isi@hooked.net> said:

Well folks,

I am not in the habit of jumping into flame wars, but......


>This message was in response to comments made by E. Allen Smith on my recent remarks on cyberterrorism.

>Dear Mr. Smith:

>Thank you for your perspectives.  Save for the irrelevant flaming, I appreciated your taking time.  
>Following are my comments.
>  
>>>Terrorism to CyberTerrorism
>>
>>>   The face of terrorism is changing. While the motivations remain the
>>>   same, we are now facing new and unfamiliar weapons. The intelligence
>>>   systems, tactics, security procedures and equipment that were once
>>>   expected to protect people, systems, and nations, are powerless
>>>   against this new, and very devastating weapon. Moreover, the methods
>>>   of counter-terrorism that our world's specialists have honed over the
>>>   years are ineffectual against this enemy. Because, this enemy does not
>>>   attack us with truckloads of explosives, nor with briefcases of Sarin
>>>   gas, nor with dynamite strapped to the bodies of fanatics. This enemy
>>>   attacks us with one's and zero's, at a place we are most vulnerable:
>>>   the point at which the _physical _and _virtual _worlds converge. Let
>>>   us first define theses two domains.
>>
>>	Ever since the dawn of technological civilization, we've been vulnerable
>>to terrorism inflicted by those with technological knowledge and intelligence.
>>Ever since someone discovered how to produce poisonous gases, we've been
>>vulnerable to attacks such as those in the Japanese subways. Ever since the
>>electrification of countries, we've been vulnerable to attacks on power
>>production and distribution systems. Ever since most vehicles became
>>petroleum-powered, we've been vulnerable to attacks on petroleum production and
>>distribution systems. Ever since we found out how to cultivate anthrax, we've
>>been vulnerable to any competent bacteriologist.

>These are all different tools.  Some are simple to create and deploy, some are not.  While the 
>definition of classical terrorism (and its motivations) remain the same, we must study each of 
>these tools separately if we are to understand how to detect, prevent, and respond to the 
>threats.

>>	All the above is is Information Super-Highway hype.

>Thank you for your opinion.

I beleive the concern of Mr. Smith and my others concerning myself is that the methods used to "protect" us from such events are more harmfull than the initial threat.

It is all too often that a minor threat receives massive publicity in the press. Then politions jump in with knee-jerk reactions to add "new and improved" restrictions to ones liberties & give law-enforcement sweeping new powers, Consitution be damed. If you paied any attention to the Senate hearing after Oklahoma and TWA 800 you could such behaviour of our polititions even though such laws will not help 1% to prevent such acts in the future.


>>[...]
>>
>>>Achieving CyberTerrorist Goals
>>
>>>   So how does a CyberTerrorist achieve his mission? Like any terrorist,
>>>   a CyberTerrorist actively exploits the goals of the target population
>>>   in areas in which they take for granted.
>>   
>>>   There are three potential acts in CyberTerrorism at the point of
>>>   convergence:
>>>     * 1.Destruction;
>>>     * 2.Alteration; and
>>>     * 3.Acquisition and retransmission (these are a unit).
>>       
>>   I would point out that many instances of the last (I would guess you refer to
>>the getting and distribution of, say, ITAR-restricted information - you do
>>accuse crackers of complicity in "CyberTerrorism" by breaking military
>>security) are not, properly speaking, terrorism; they are instead the
>>distribution of information that should not be restricted.

>You guessed incorrectly; I'm not talking ITAR.  Test yourself:  Can you think of any sensitive or personal 
>information, that if exposed or utilized, could cause terror -- or destabilization?  If you can't, you are 
>not trying; you should know more than most the value of privacy, whether it be military, corporate, or 
>personal.

I think what we have here is the all to common practice of grouping all criminal activities under the heading of "terrorism".While this may be advantagious for the Federal Government to do so placing what was once the juristiction of the States into the hand of the Feds. It does make nice splashy headlines for the newsmedia so they can sell more newspapers. It has no place in a rational disscusion of the security issues of Computers, Networks, and the Internet.

If someone aquires personal information about myself and at worst steels all the money out of my bank account. That is a crime, it is theft, and their are plenty of laws on the books to handle such a crime. It is NOT terrorism. 

While I agree that there is potential for harm being caused by a sofisticated, well orginised, state sponcered terrorist orginization, I for one am not going to lose any sleep over it. Yes there is a "threat" but No the sky is not falling.


>>One person's
>>terrorist is another person's freedom fighter (I'd call both sides in
>>Nicaragua's Sandanista-Contra conflict terrorists).

>This nifty statement frequently comes from people who've never seen a child blown up, seen people 
>disfigured, seen property damaged beyond all recognition.  Perhaps it is a safe place in your office, Mr. 
>Smith, behind your terminal judging other's thoughts.  I don't have that luxury.  I've spent more than 
>anyone's fair share of time going through rubble, identifying pieces of what were once people, and telling 
>their families.

>Freedom fighters who kill random and innocent victims are terrorists and cowards.  If you feel otherwise, 
>Mr. Smith, perhaps it is time to step out into harm's way, and then perhaps you too will waken in the 
>night with the images that haunt me.  *Then* you can talk to me about such matters.  Until then, stick to 
>coding.


<SIGH> Pulling at ones hartstrings in such a debate only shows the wekness and emptyness of your argument. I am unaware of you location but between growing up in the MiddleEast & my service in the military I have seen my fair share of the "better" side of Man. You by no means have a monopoly on this.

Mr. Smith bring up a vailid point. It is one of perspective. Who you consider terrorist and who you consider heros depends on what side of an issue you stand. The American saw no problem with the 10's of thousands who died in the fire bombing of Dresdin or the Atomic Blasts over Japan. The populations Germany & Japan were supportive of their leadership in the murder of millions durring their campaines of expantion. Look at Ireland; if you are Prodistant or British the IRA are the terrorist while
if you are Catholic then it is the British & Prodistant that are the "terrorist". The Jews in Israel had no problem with blowing up the British but don't like it too much now that the Palisinians are doing the same thing to them.

The whole issue of "Terrorist" vs. "Freedom-Fighter" is one of perspective.

>>   
>>[...]
>>   
>>>Potential CyberTerrorist Acts
>>
>>[...]
>>
>>>     * A CyberTerrorist will attack the next generation of air traffic
>>>       control systems, and collide two large civilian aircraft. This is
>>>       a realistic scenario, since the CyberTerrorist will also crack the
>>>       aircraft's in-cockpit sensors. Much of the same can be done to the
>>>       rail lines.
>>
>>	Only a bloody utter idiot would build such systems without enough
>>backups to avoid these problems; they could come about through computer bugs
>>or component failures as well. Networked systems are notorious for going down
>>(see the recent happenings with AOL, for instance); they're _going_ to have
>>backups if anyone intelligent is running them. Of course, you may have a point
>>with a government-controlled air traffic controller systems.
>>	The same can be said of most of your other scenarios.

>These require more than once person be involved.  Do not kid yourself, we are not dealing with stupid 
>people here.  And bloody utter idiots we have a-plenty -- too many administrators more concerned with 
>their balance sheets to provide the tools people like you need to build safe systems.  You'd be surprised 
>of the amount of criminally-inadequate systems out there.  That's why it _is_ important that folks like 
>you push the envelope to better the systems.  The goal here, Mr. Smith, is to put me out of business, not 
>by flames, but by helping to build better systems.  I think we share that goal.


>>
>>>CyberTerrorists: Who, Where, and Why?
>>
>>>   The purpose of this paper is to help you understand the threats that
>>>   exist, and hopefully, to help you prevent these types of atrocities.
>>>   But know this - there are people out there with very different goals,
>>>   who are our real threats, and who are, or will be, attacking us. Make
>>>   no mistake, _the threats are real, today___.__
>>
>>	Most people with technical knowledge have a pretty large motivation to
>>keep the technical society going. One, the loss of it would make our knowledge
>>useless. Two, we have enough contact with technology and science to want it to
>>continue - how many neo-Luddite engineers do you know? The Unabomber is the
>>main exception... and even he didn't use his main area of knowledge in his
>>bombings.

>We are not concerned with engineers.  We are concerned with fanatics, and fanatics are fanatics whether 
>they are engineers or gardeners.  Do not be so naive to believe that everyone shares the morals you have. 
>Mr. Smith, there are people out there who want you dead, and will use all the techniques you pointed out 
>above to accomplish their goal.  As I said before, technology is just another tool.


>>>   Who are the CyberTerrorists? There a great many poor movies and too
>>>   many works of fiction about the hacker and cracker communities. In the
>>>   popular media, there recently was the Kevin Mitnick incident, where
>>>   one cracker broke into another cracker's systems. This spawned endless
>>>   press and at least two best selling books. While this incident
>>>   received much attention, the events amounted to meaningless children's
>>>   games.
>>
>>	I'd agree with that, from what I know of the Mitnick incident(s). I'm
>>not sure if Shinomura (sp?) should be called a cracker; others with more
>>knowledge can comment on this.

>Agreed.

>   
>>>   By and large, the cracker community, based primarily in the United
>>>   States, Europe, the Middle East, Asia, and in the nations of the
>>>   former Soviet Union, is composed of individuals who see the cracking
>>>   process merely as a challenge, a brain teaser, a puzzle. They view
>>>   themselves as not only being innocent of any crime, but perhaps even
>>>   doing something righteous, something to counter the dark monoliths of
>>>   the corporate and government worlds. They believe they are being
>>>   persecuted. These individuals believe that what they are doing is not
>>>   doing any true damage. At its least harmful, these crackers just look
>>>   at information. However, privacy issues and military secrecy can
>>>   render such infiltrations acts of terror.
>>
>>	Often, military secrecy is just an excuse to not allow information
>>damaging to governments, etcetera from getting out. With NSC involvement, how
>>deeply do you think the Iran-Contra dealings were classified? I would, however,
>>agree with you about privacy issues... but governments are far greater threats
>>in this regard than all the crackers in the world. Much of the information in
>>question would not be around in so many places (such as notoriously accessible 
>>government databanks) except for governments gathering information they
>>shouldn't have in the first place.

>Whether you are right or wrong about what governments have locked away is not in my work area.  As I've 
>said, my work is in fanatics, the disenfranchised, etc.  People are people, and some turn rogue.  It 
>happens.  And people are purchased.  My work keeps me entrenched in such mire regularly.



<SIGH> More unwarrented use of "acts of terror" and "terrorism". Unauthorised access to information is not an act of terror. PEROID. Someone looked at somthing they shouldn't have. that's it. Put that at the criminal level of a mistamener <sp?>. Could someone use that information for a more serious criminal act at some later point in time. Yes. Is this likely, eh mabye, mabye not. If it is illegal for me to carry a knife then I am only guilty of carring a knife I am not guilty of commiting
murder even though it is possiable for me to commit murder with a knife.


>> 
>>[...]
>>  
>>>Crackers as Facilitators
>>
>>[...]
>>
>>>   Historically, individuals engaged in the practice of terror tended not
>>>   to be people working upon a computer 20 hours per day. Terrorists have
>>>   not been in the business of tracking the latest holes found in UNIX or
>>>   an obscure government telnet opportunity. There _are _people, however,
>>>   who are in that business - for illicit as well as good cause. As
>>>   stated, just as indigenous people may be turned into soldiers, so can
>>>   crackers be turned into CyberTerrorists. Sometimes such a transition
>>>   may be motivated by money or prestige. Usually, this transition will
>>>   occur without the cracker's cognizance. The potential threat from such
>>>   transitions is mind boggling, considering the damage even one
>>>   mis-directed cracker can cause.
>>
>>	The first statement is correct... and is likely to continue to be the
>>case. We would appreciate some evidence for such transitions occurring without
>>cognizance, or indeed being at all likelyLet me know what you do for a living, and then we can share more.  

>Not trying to be "spooky", but understand that my piece of the world rests in the violent 
>world, and I need to watch my own back.

We all live in a "violent" world. Alway have and alway will. Just the nature of the beast.

>>   
>>>   Further, as young, educated people are brought into the folds of
>>>   terrorist groups, this new generation will have the talent to execute
>>>   the acts of CyberTerrorism of which we have spoken.
>>
>>	Unlikely. For state-sponsored terrorism, for instance, countries with
>>the motivation for such are also ones that tend to block people from computer
>>experience. Getting on the Internet is rather likely to expose the people in
>>such countries to information that will destabilize them... including programs
>>such as PGP that are restricted by ITAR in the name of (among other things)
>>decreasing terrorism.

>You might be interested in the number of "students" attending our universities that have solid 
>terrorism backgrounds.  The ones I spoke to made their purpose very clear.

And what did you do after speaking the these "students"? As a concerned citizen did you bother to report this information to the State Department, FBI, Immigration? Or did you just walk away with all kinds of warm fuzzies because you got dirty talking to potential "terrorist".

[more bloated rehash of media-catch phrases]  


>>>Ex Post Facto
>>   
>>>   An effective auditing system will only inform the target manager that
>>>   they have taken a hit; perhaps a fatal hit. By that point, it is too
>>>   late. _Now _is the time to take action. Unfortunately, due to this
>>>   open nature of this document, specific counter-CyberTerrorism measures
>>>   cannot be discussed. Those discussions must be reserved for secured
>>>   facilities.
>>

>>	Nobody disagrees with that auditing isn't the _only_ method needed;
>> _everyone_ uses other methods.

>Watch your generalizations.  You'd better tune in to how bad things really are.

>Remember that old saying about prevention and cure?

>>	Your claim that you can't discuss security in the open is laughable.
>>Quite simply, security by obscurity doesn't work; in cryptography, it's one of
>>the signs of "silicon snake-oil" - which is what this document looks like in
>>any event. First, making a system obscure motivates a lot of people to try to
>>find out how it works; intelligent people are curious, and don't like
>>unnecessary secrets unless they're authoritarians. Second, the less people
>>know about a system, the less people can spot bugs to be _fixed_ in that
>>system. I prefer a system that has been tested by as many people as possible,
>>thank you, particularly if my life may depend on it.

>Again, I'm not worried about you at your keyboard clicking away and offering opinions.
>There's more to this than encryption.  Take off the blinders, Mr. Smith: encyrption is just one 
>little piece of this puzzle.  It comes down to psychology, far more than technology.  I 
>appreciate your curiousity, your wish for totally open systems.  In a perfect world, or even a 
>sane world, that would be ideal.  I would love society to be filled with people like you who 
>believe in improving the state of the art, the pushing of the envelope, etc.

>But you are not who I deal with every day.  Unfortunately, just because you don't see these 
>folks, doesn't mean they are not there.  They are not the ones with cutesy handles and who send 
>messages to usenets and such.  It's the people off the radar screen, the one's that know better 
>than to go public.  I've spent way too much time with these nutcases, and I assure you, Mr. 
>Smith, they are very real.

>>	In other words, go back to the drawing board and find something else to
>>try to sound a tocsin over.
>>	-Allen

>Open up your world, Mr. Smith.  There is a whole parallel universe of garbage that exists with
>yours. Whether or not you believe or understand that is frankly irrelevant to me or my work.
>But hopefully this will open your eyes to the fact that this is not about evil governments, nor 
>military spookery, nor commercialization, nor fear of crackers.  The next time I have to travel 
>to a bomb site, and as I try and figure out what cause could justify the death of someone who 
>just happens to be in the wrong place at the wrong time, I will not be thinking of you in your 
>office lecturing me on the computer world.

>Barry C. Collin


Well you have artfully side-steped the issue with a rather self-indulgend tear jerker. The issue presented was that security by obsecurity DOES NOT WORK! If you are that conserned about stoping the dreaded "Cyberterrorest" then you should present your solutions in a open forum for peer review. Ofcource sense we are not part of your elite "counter-cyberterrorest" force I imagine that you do not consider anyone else your peer. Or could it be you inability to debate and defend your ideas in a
public forum with those who have more experiance and better comprehention of the security issues we face at the dawn of the 21st century.

Hiding away is closed groups disscussing solutions to "THE THREAT" where you are the only voice on security may be a big bost to your ego but does little to improve security on a significant scale.


--
-----------------------------------------------------------
William H. Geiger III  http://www.amaranth.com/~whgiii
Geiger Consulting    WebExplorer & Java Enhanced!!!
Merlin Beta Test Site - WarpServer SMP Test Site

Author of PGPMR2 - PGP Front End for MR/2 Ice

Look for MR/2 Tips & Rexx Scripts
Get Work Place Shell for Windows!!
PGP & MR/2 the only way for secure e-mail.
                            
Finger whgiii@amaranth.com for PGP Key and other info
-----------------------------------------------------------
 
MR/2 Tag->You're throwing it all out the Windows!






Thread