From: “Barry C. Collin” <isi@hooked.net>
To: EALLENSMITH@ocelot.Rutgers.EDU
Message Hash: b702c12e04431d455b1f56e90fd2d5654eb0ef54db0e9005daa8022dc7852168
Message ID: <3224A412.D05@hooked.net>
Reply To: N/A
UTC Datetime: 1996-08-29 00:31:06 UTC
Raw Date: Thu, 29 Aug 1996 08:31:06 +0800
From: "Barry C. Collin" <isi@hooked.net>
Date: Thu, 29 Aug 1996 08:31:06 +0800
To: EALLENSMITH@ocelot.Rutgers.EDU
Subject: In reference to comments made to me and to the Group
Message-ID: <3224A412.D05@hooked.net>
MIME-Version: 1.0
Content-Type: text/plain
This message was in response to comments made by E. Allen Smith on my recent remarks on cyberterrorism.
Dear Mr. Smith:
Thank you for your perspectives. Save for the irrelevant flaming, I appreciated your taking time.
Following are my comments.
>>Terrorism to CyberTerrorism
>
>> The face of terrorism is changing. While the motivations remain the
>> same, we are now facing new and unfamiliar weapons. The intelligence
>> systems, tactics, security procedures and equipment that were once
>> expected to protect people, systems, and nations, are powerless
>> against this new, and very devastating weapon. Moreover, the methods
>> of counter-terrorism that our world's specialists have honed over the
>> years are ineffectual against this enemy. Because, this enemy does not
>> attack us with truckloads of explosives, nor with briefcases of Sarin
>> gas, nor with dynamite strapped to the bodies of fanatics. This enemy
>> attacks us with ones and zeros, at a place we are most vulnerable:
>> the point at which the _physical_ and _virtual_ worlds converge. Let
>> us first define these two domains.
>
> Ever since the dawn of technological civilization, we've been vulnerable
>to terrorism inflicted by those with technological knowledge and intelligence.
>Ever since someone discovered how to produce poisonous gases, we've been
>vulnerable to attacks such as those in the Japanese subways. Ever since the
>electrification of countries, we've been vulnerable to attacks on power
>production and distribution systems. Ever since most vehicles became
>petroleum-powered, we've been vulnerable to attacks on petroleum production and
>distribution systems. Ever since we found out how to cultivate anthrax, we've
>been vulnerable to any competent bacteriologist.
These are all different tools. Some are simple to create and deploy, some are not. While the definition
of classical terrorism (and its motivations) remain the same, we must study each of these tools separately
if we are to understand how to detect, prevent, and respond to the threats.
> All the above is Information Super-Highway hype.
Thank you for your opinion.
>[...]
>
>>Achieving CyberTerrorist Goals
>
>> So how does a CyberTerrorist achieve his mission? Like any terrorist,
>> a CyberTerrorist actively exploits the goals of the target population
>> in areas in which they take for granted.
>
>> There are three potential acts in CyberTerrorism at the point of
>> convergence:
>> * 1.Destruction;
>> * 2.Alteration; and
>> * 3.Acquisition and retransmission (these are a unit).
>
> I would point out that many instances of the last (I would guess you refer to
>the getting and distribution of, say, ITAR-restricted information - you do
>accuse crackers of complicity in "CyberTerrorism" by breaking military
>security) are not, properly speaking, terrorism; they are instead the
>distribution of information that should not be restricted.
You guessed incorrectly; I'm not talking ITAR. Test yourself: Can you think of any sensitive or personal
information, that if exposed or utilized, could cause terror -- or destabilization? If you can't, you are
not trying; you should know more than most the value of privacy, whether it be military, corporate, or
personal.
>One person's
>terrorist is another person's freedom fighter (I'd call both sides in
>Nicaragua's Sandinista-Contra conflict terrorists).
This nifty statement frequently comes from people who've never seen a child blown up, seen people
disfigured, seen property damaged beyond all recognition. Perhaps it is a safe place in your office, Mr.
Smith, behind your terminal judging others' thoughts. I don't have that luxury. I've spent more than
anyone's fair share of time going through rubble, identifying pieces of what were once people, and telling
their families.
Freedom fighters who kill random and innocent victims are terrorists and cowards. If you feel otherwise,
Mr. Smith, perhaps it is time to step out into harm's way, and then perhaps you too will waken in the
night with the images that haunt me. *Then* you can talk to me about such matters. Until then, stick to
coding.
>
>[...]
>
>>Potential CyberTerrorist Acts
>
>[...]
>
>> * A CyberTerrorist will attack the next generation of air traffic
>> control systems, and collide two large civilian aircraft. This is
>> a realistic scenario, since the CyberTerrorist will also crack the
>> aircraft's in-cockpit sensors. Much of the same can be done to the
>> rail lines.
>
> Only a bloody utter idiot would build such systems without enough
>backups to avoid these problems; they could come about through computer bugs
>or component failures as well. Networked systems are notorious for going down
>(see the recent happenings with AOL, for instance); they're _going_ to have
>backups if anyone intelligent is running them. Of course, you may have a point
>with government-controlled air traffic controller systems.
> The same can be said of most of your other scenarios.
These require more than one person be involved. Do not kid yourself, we are not dealing with stupid
people here. And bloody utter idiots we have a-plenty -- too many administrators more concerned with
their balance sheets to provide the tools people like you need to build safe systems. You'd be surprised
at the amount of criminally-inadequate systems out there. That's why it _is_ important that folks like
you push the envelope to better the systems. The goal here, Mr. Smith, is to put me out of business, not
by flames, but by helping to build better systems. I think we share that goal.
>
>>CyberTerrorists: Who, Where, and Why?
>
>> The purpose of this paper is to help you understand the threats that
>> exist, and hopefully, to help you prevent these types of atrocities.
>> But know this - there are people out there with very different goals,
>> who are our real threats, and who are, or will be, attacking us. Make
>> no mistake, _the threats are real, today_.
>
> Most people with technical knowledge have a pretty large motivation to
>keep the technical society going. One, the loss of it would make our knowledge
>useless. Two, we have enough contact with technology and science to want it to
>continue - how many neo-Luddite engineers do you know? The Unabomber is the
>main exception... and even he didn't use his main area of knowledge in his
>bombings.
We are not concerned with engineers. We are concerned with fanatics, and fanatics are fanatics whether
they are engineers or gardeners. Do not be so naive as to believe that everyone shares the morals you have.
Mr. Smith, there are people out there who want you dead, and will use all the techniques you pointed out
above to accomplish their goal. As I said before, technology is just another tool.
>> Who are the CyberTerrorists? There are a great many poor movies and too
>> many works of fiction about the hacker and cracker communities. In the
>> popular media, there recently was the Kevin Mitnick incident, where
>> one cracker broke into another cracker's systems. This spawned endless
>> press and at least two best selling books. While this incident
>> received much attention, the events amounted to meaningless children's
>> games.
>
> I'd agree with that, from what I know of the Mitnick incident(s). I'm
>not sure if Shinomura (sp?) should be called a cracker; others with more
>knowledge can comment on this.
Agreed.
>> By and large, the cracker community, based primarily in the United
>> States, Europe, the Middle East, Asia, and in the nations of the
>> former Soviet Union, is composed of individuals who see the cracking
>> process merely as a challenge, a brain teaser, a puzzle. They view
>> themselves as not only being innocent of any crime, but perhaps even
>> doing something righteous, something to counter the dark monoliths of
>> the corporate and government worlds. They believe they are being
>> persecuted. These individuals believe that what they are doing is not
>> doing any true damage. At its least harmful, these crackers just look
>> at information. However, privacy issues and military secrecy can
>> render such infiltrations acts of terror.
>
> Often, military secrecy is just an excuse to not allow information
>damaging to governments, etcetera from getting out. With NSC involvement, how
>deeply do you think the Iran-Contra dealings were classified? I would, however,
>agree with you about privacy issues... but governments are far greater threats
>in this regard than all the crackers in the world. Much of the information in
>question would not be around in so many places (such as notoriously accessible
>government databanks) except for governments gathering information they
>shouldn't have in the first place.
Whether you are right or wrong about what governments have locked away is not in my work area. As I've
said, my work is in fanatics, the disenfranchised, etc. People are people, and some turn rogue. It
happens. And people are purchased. My work keeps me entrenched in such mire regularly.
>
>[...]
>
>>Crackers as Facilitators
>
>[...]
>
>> Historically, individuals engaged in the practice of terror tended not
>> to be people working upon a computer 20 hours per day. Terrorists have
>> not been in the business of tracking the latest holes found in UNIX or
>> an obscure government telnet opportunity. There _are_ people, however,
>> who are in that business - for illicit as well as good cause. As
>> stated, just as indigenous people may be turned into soldiers, so can
>> crackers be turned into CyberTerrorists. Sometimes such a transition
>> may be motivated by money or prestige. Usually, this transition will
>> occur without the cracker's cognizance. The potential threat from such
>> transitions is mind boggling, considering the damage even one
>> mis-directed cracker can cause.
>
> The first statement is correct... and is likely to continue to be the
>case. We would appreciate some evidence for such transitions occurring without
>cognizance, or indeed being at all likely
Let me know what you do for a living, and then we can share more. Not trying to be "spooky", but
understand that my piece of the world rests in the violent world, and I need to watch my own back.
>
>> Further, as young, educated people are brought into the folds of
>> terrorist groups, this new generation will have the talent to execute
>> the acts of CyberTerrorism of which we have spoken.
>
> Unlikely. For state-sponsored terrorism, for instance, countries with
>the motivation for such are also ones that tend to block people from computer
>experience. Getting on the Internet is rather likely to expose the people in
>such countries to information that will destabilize them... including programs
>such as PGP that are restricted by ITAR in the name of (among other things)
>decreasing terrorism.
You might be interested in the number of "students" attending our universities that have solid terrorism
backgrounds. The ones I spoke to made their purpose very clear.
>
>> We are going to see increasing levels of in-house expertise, and
>> concomitant exponential increases in CyberTerrorism. Unlike other methods
>> of terrorism, CyberTerrorism is safe and profitable, and difficult to
>> counter without the right expertise and understanding of the
>> CyberTerrorist's mind. Combine our increasing vulnerability, with the
>> explosive increases in the level of violence, and increasing expertise
>> available inside terrorist organizations through new blood popular
>> media, there recently was the Kevin Mitnick incident, where one
>> cracker broke into another cracker's systems. This spawned endless
>> press and at least two best selling books. While this incident
>> received much attention, the events amounted to meaningless children's
>> games.
>
> You appear not to be making much sense here, but I'll put it down to
>misformatting.
Yes, there is a block of text missing. If you have any interest, I can resend.
> Exactly how is CyberTerrorism profitable? Certainly, it's
>_possible_ for people to be _hired_ to do things that may enable some form of
>terrorism... but that doesn't make the _terrorism_ any more profitable than
>before.
It's more profitable since the cost of entry, and continued operations, are less. In addition, access to
financial resources (computer crime) is readily available. And you don't lose someone after they've been
blown up.
>
>[...]
>
>> If a computer security advisor states that you, your organization, and
>> your country are safe behind firewalls, behind a system put into place
>> by people who have never fought cyberbattles, behind audit trails,
>> passwords, and encryption, then a great and dangerous fallacy (or
>> fantasy) is being perpetrated upon you. The only solution is the quick
>> deployment of a counter-CyberTerrorist - someone who knows what you
>> are up against today, someone who lives in the world of the people who
>> are, and will be, attacking - someone who can train the people who
>> must fight the battles.
>
> Passwords and encryption can do a very good job of stopping crackers,
>thank you - that's one major concern for which they're developed.
It's all in the implementation, Mr. Smith. You know that.
>Economic and
>other espionage are very much already on the minds of those suggesting using
>firewalls, passwords, and encryption; they're a lot more experienced, when
>the computer community's expertise is summed up, than you are.
Again, just because the tools for protection are there, doesn't mean they are properly implemented. You
could not possibly be telling me that everything is locked down safely at this point. Bottom line, if you
can make it, someone can break it. Always has been, always will be.
> In other words, the above just translates into "give us money."
Have some idea of what you speak before you speak, Mr. Smith. We do not accept funding from the private
or public sector. We are all volunteers who research high-intensity crime and low-intensity conflict.
When I am not volunteering, my job is to make sure you can safely send out your emails without getting
blown away or blown up.
>
>>Ex Post Facto
>
>> An effective auditing system will only inform the target manager that
>> they have taken a hit; perhaps a fatal hit. By that point, it is too
>> late. _Now_ is the time to take action. Unfortunately, due to this
>> open nature of this document, specific counter-CyberTerrorism measures
>> cannot be discussed. Those discussions must be reserved for secured
>> facilities.
>
> Nobody disagrees with that auditing isn't the _only_ method needed;
>_everyone_ uses other methods.
Watch your generalizations. You'd better tune in to how bad things really are.
> Remember that old saying about prevention and
>cure?
> Your claim that you can't discuss security in the open is laughable.
>Quite simply, security by obscurity doesn't work; in cryptography, it's one of
>the signs of "silicon snake-oil" - which is what this document looks like in
>any event. First, making a system obscure motivates a lot of people to try to
>find out how it works; intelligent people are curious, and don't like
>unnecessary secrets unless they're authoritarians. Second, the less people
>know about a system, the less people can spot bugs to be _fixed_ in that
>system. I prefer a system that has been tested by as many people as possible,
>thank you, particularly if my life may depend on it.
Again, I'm not worried about you at your keyboard clicking away and offering opinions. There's more to
this than encryption. Take off the blinders, Mr. Smith: encryption is just one little piece of this
puzzle. It comes down to psychology, far more than technology. I appreciate your curiosity, your wish
for totally open systems. In a perfect world, or even a sane world, that would be ideal. I would love
society to be filled with people like you who believe in improving the state of the art, the pushing of
the envelope, etc.
But you are not who I deal with every day. Unfortunately, just because you don't see these folks, doesn't
mean they are not there. They are not the ones with cutesy handles and who send messages to usenets and
such. It's the people off the radar screen, the ones that know better than to go public. I've spent way
too much time with these nutcases, and I assure you, Mr. Smith, they are very real.
> In other words, go back to the drawing board and find something else to
>try to sound a tocsin over.
> -Allen
Open up your world, Mr. Smith. There is a whole parallel universe of garbage that exists with yours.
Whether or not you believe or understand that is frankly irrelevant to me or my work. But hopefully this
will open your eyes to the fact that this is not about evil governments, nor military spookery, nor
commercialization, nor fear of crackers. The next time I have to travel to a bomb site, and as I try and
figure out what cause could justify the death of someone who just happens to be in the wrong place at the
wrong time, I will not be thinking of you in your office lecturing me on the computer world.
Barry C. Collin
--
Institute for Security and Intelligence
A Non-Profit Research Institution
P.O. Box 9877
Stanford, California 94309-9877 USA