Re: CIA Fears UmpTeen InfoNukes

Mike McNally <m5@vail.tivoli.com> queried the List:
By the way, there was a thing in the Yahoo/Reuters feed about "attacks" on DoD computers; apparently British police arrested a "hacker" the other day. Anyway, the article included a claim that there have been 250,000 attempted break-ins on DoD computers over the past year.
Does anybody know how they count that?
I don't know if they go so far as to count pings, but it seems they do try to count ISS/Satan/Pingware scans -- and then they project off what numbers they have to come up with the estimates. But no one is particularly careful about these numbers... certainly not the politicians nor the press.

The estimates come from the Defense Information Systems Agency (DISA) and refer to "attacks" on the 2.1 million computers, 10,000 LANs, and 100 long-distance networks. (It is unclear whether DISA also includes the defense contractors' machines and networks -- another 2 million, as I recall -- but, by US law, those are also considered Defense systems.)

According to the May 22 GAO report: "DISA estimates indicate that Defense may have been attacked as many as 250,000 times last year. However, the exact number is not known because, according to DISA, only about 1 in 150 attacks is actually detected and reported. In addition, in testing its systems, DISA attacks and successfully penetrates Defense systems 65 percent of the time." (It is unclear whether this estimate process is circular, with DISA -- all in all, a generally capable crew, which normally doesn't bother with this sound-bite silliness -- "projecting" the total number of attacks by taking the number of reported attacks and then enhancing that number by multiplying it by the percentage of their own attacks on DoD systems which go unremarked.)

Jack Brooks, the director of the GAO's Defense Information and Financial Management Systems, who presented the GAO's formal report ("Computer Attacks at Department of Defense Pose Increasing Risks") gave some further explication: "Not all hacker attacks result in actual intrusions into computer systems; some are attempts to obtain information on systems in preparation for future attacks, while others are made by the curious or those who wish to challenge the Department's computer defenses."
Some numbers seem slightly less puffy: officials at Wright-Patterson Air Force Base reported that, on average, they receive 3,000 to 4,000 "attempts to access information each month from countries all around the world."

There are real problems effectively securing DoD's unclassified computers -- both the military's own systems and the defense contractors' -- but it's sad how completely the real problems are being overlooked (or, at least, overshadowed) by the obsession with the InfoWar threat and teen cyberdemons being manipulated by Iraqi secret agents.

Historically and at this moment, the vulnerability of the DoD computers -- as illustrated by hacker attacks and (almost certainly) by DISA itself -- lies in untrained and poorly managed system administrators who simply do not bother to apply even the CERT-labelled patches to their systems. There are brilliant hackers about (some in DISA; maybe even a few on this list) but they would but rarely need that brilliance to penetrate the typical DoD system. I'd bet cold cash that DISA's own tiger-team attacks on DoD systems are almost always successful with nothing more innovative than an ISS or SATAN scan and/or a list of CERT-announced security problems from the previous six months.

The real threat is incompetent, poorly trained DoD system administrators -- and a class of computer-illiterate senior managers who define "system security" and routine administration as marginal expenses and scorn readily available options like one-time passwords as too complex for the military mind. Much, much easier to rail at the terrorist threat exemplified by the 16-year-old Brit who called himself "Datastream Cowboy" and to hint darkly that his unidentified cohort "Kuji" may have been a Russian or an Iraqi. The hell with security, let's wiretap the phones of all 16-year-olds!
Cliff Stoll and Peter Neumann of SRI are supposed to testify, and they might bring some common sense to bear -- but I for one desperately wish to hear the likes of acid-tongued Bob Courtney, IBM's former director of Info Security, chew this fluff up.

The Datastream attack, btw, didn't occur "the other day," as Mike McNally suggested -- this whole media flurry is built around a retelling of Datastream's 1994 attack and arrest. It's just that the Air Force CERT did a nice job of documenting the good guys' effort to identify and track him down -- although Lord! the kid was dumb, no Morris Jr. there! -- and writing up a report. Makes you realize how desperate some folks are for cyberterror stories, doesn't it? Wonder why?????

Suerte,
_Vin

Vin McLellan +The Privacy Guild+ <vin@shore.net>
53 Nichols St., Chelsea, Ma. 02150 USA Tel: (617) 884-5548
<*><*><*><*><*><*><*><*><*>