(I would like to apologise in advance for this post – it’s full of ill-informed ranting. This is nothing unusual of course, but in this case it’s pretty bad. Hey, why don’t you go and read some other, more sensible post instead? Please?)
Apparently overnight the image hosting site ImageShack has been hacked by a group of people calling themselves “the Anti-Sec movement”. They’ve replaced (presumably) tens of thousands of images hosted on the site with a manifesto opposing the “full disclosure” method of publicising security flaws, and threatening “through mayhem and […] destruction” to force the abandonment of the same.
Well.
On the one hand I have to agree with some of their points. Full disclosure does have its share of problems – the main one being that the black-hat hackers and the software companies get the same information at the same time, starting a race to patch the issue before it can be exploited (a race that the black hats usually win). That said, I do have some issues with the Anti-Sec manifesto as it currently stands.
(Edit: As it turns out that’s actually wrong – full disclosure policies almost always have a delay built in so that the companies responsible are told first and get time to patch the hole before the black hats find out about it. So Anti-Sec are basically talking out of an orifice other than their mouths.)
The first is the problem of security through obscurity. Anti-Sec seem to be suggesting that if you discover a security hole you should shut up and sit on it so that no one can exploit it. This would work fine if it could be guaranteed that you’re the only person who would ever find it. This is, of course, ridiculous. Someone else will discover the same flaw, and they may not have the same upstanding community attitude that you do. The sensible thing would be to report the flaw to the company responsible so they can patch it before the knowledge becomes public. Anti-Sec may well support this method, but their manifesto says nothing about it.
(Edit: Actually they’re actively opposing it.)
The second problem I have is with their methodology. Let me quote…
It is our goal that, through mayhem and the destruction of all exploitative and detrimental communities, companies and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.
How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits… “you are a target and you will be rm’d. Only a matter of time.”
This isn’t like before. This time everyone and everything is getting owned.
Right. Well, opening a debate is one thing. Opening a debate and then forcibly silencing everyone with a dissenting viewpoint is quite another. And when that forcible silencing is achieved via threats and “unrelenting, unmerciful elimination”, it’s basically terrorism.
So, it’ll be interesting to see how this thing plays out, if indeed it does play out and Anti-Sec don’t just vanish back into the digital woods they suddenly emerged from, like so many other online ‘movements’.