How anti-sec is Anti-sec?

Some person or organization, calling itself "Anti-sec", is waging war on full disclosure. What exactly does all this mean?

According to Wikipedia, as of 16 July 2009, full disclosure means:

to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.

The concept of security through obscurity is a policy whereby it is believed that keeping security practices and policies secret (or "obscure") strengthens security by denying information to security crackers that they might use to aid their attempts to crack security. Strident arguments are offered on both sides of the issue of full disclosure vs. security through obscurity.

Many security researchers practice a "full disclosure" policy to varying degrees, some discovering vulnerabilities and reporting them first to developers then, after a period of time, to the public -- in hopes that imminent disclosure of vulnerabilities will motivate the developers to produce patches for vulnerabilities sooner rather than later. Others simply report vulnerabilities to the world at large, including software vendors and developers, through mailing lists and other public venues, causing a mad scramble amongst developers to produce patches even faster (one hopes).

Anti-sec's ImageShack Message

In a very odd turn of events, some entity calling itself "Anti-sec" -- whether it is a single person or a group of them -- has taken to employing illegal security cracking as a means of combating the full disclosure policy, using disclosed vulnerabilities against those who use the vulnerable software as a means of spreading a message of fear. The intent is apparently to "scare" people away from supporting a full disclosure policy, bullying them into opposing the full disclosure philosophy. The oddest thing about this turn of events is that this entity appears to have sided with Microsoft and other large corporate software vendors, taking up their banner of security through obscurity.

Anti-sec's most well-known action so far was cracking security on ImageShack about a week ago, causing a single image to be displayed everywhere that any other ImageShack hosted image would otherwise appear. The image is text on a black background, and reads in part:

The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.

As one wit at reddit put it:

Someone introduce this poor soul to Free Software

Whoever is behind "Anti-sec" has clearly not gotten past the most basic, simplistic sense of what constitutes good security practice, and has predicated this whole idea of how security works on the policies of corporate software vendors more interested in protecting a revenue stream than in actually producing secure software. It might be a good idea for Anti-sec to pause a moment, and ponder Shannon's Maxim:

The enemy knows the system.

. . . or Kerckhoffs' principle:

a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

As Bruce Schneier explains it:

Kerckhoffs' principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility.

These are all very smart luminaries of the theory of security, particularly as it applies to IT security. My own take on it is that security through visibility is a far more effective approach to take than security through obscurity. The problems of security through obscurity, in fact, are the very reason why encryption that doesn't trust the user isn't trustworthy.
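To make the principle concrete, here is an added illustration that is not part of Perrin's article. It contrasts a constructed "secret algorithm" cipher, whose only secret is a pad hard-coded in the source, with a keyed construction whose algorithm is fully public and whose secrecy rests on the key alone. The pad value, the message and the hash-based keystream are all constructed for this example; a real system would use a vetted cipher such as AES-GCM or ChaCha20-Poly1305 rather than the SHA-256 keystream shown here.

```python
import hashlib
import secrets

# Constructed "security through obscurity" cipher: the pad lives in the
# source code, so anyone who reads the code (Shannon: "the enemy knows the
# system") holds everything needed to decrypt.
_OBSCURE_PAD = bytes.fromhex("5a3c9e17")  # constructed value, not from any real product


def obscure_encrypt(plaintext: bytes) -> bytes:
    """XOR with a fixed pad baked into the code. No key, only secrecy of the code."""
    return bytes(b ^ _OBSCURE_PAD[i % len(_OBSCURE_PAD)] for i, b in enumerate(plaintext))


def obscure_break(ciphertext: bytes) -> bytes:
    """What a reader of the source can do: apply the same pad (XOR is its own inverse)."""
    return obscure_encrypt(ciphertext)


# Keyed construction in the Kerckhoffs sense: the algorithm is public and the
# only secret is the key. Keystream blocks are SHA-256(key || counter); this is
# an illustration only, and the key must be fresh for every message because no
# nonce is used.
def keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def keyed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


def keyed_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # Same operation as encryption: XOR with the key-derived stream.
    return keyed_encrypt(key, ciphertext)


def demo() -> dict:
    """Run both ciphers against a constructed message and report what each protects."""
    msg = b"patch the server before Friday"  # constructed sample message

    # Obscurity-only cipher: knowing the system is knowing the secret.
    leaked = obscure_break(obscure_encrypt(msg))

    # Keyed cipher: full source plus a wrong key yields nothing useful.
    key = secrets.token_bytes(32)
    ct = keyed_encrypt(key, msg)
    recovered = keyed_decrypt(key, ct)
    with_wrong_key = keyed_decrypt(secrets.token_bytes(32), ct)

    return {
        "obscure_cipher_leaks_to_source_reader": leaked == msg,
        "keyed_cipher_decrypts_with_key": recovered == msg,
        "keyed_cipher_resists_wrong_key": with_wrong_key != msg,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the contrast is the failure mode Schneier describes: once the obscure cipher's source is disclosed, every deployment of it is broken at once, whereas disclosing the keyed cipher's source costs nothing, and a compromised key affects only the deployment that used it.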

Anti-sec says of its intentions:

It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits... "you are a target and you will be rm'd. Only a matter of time."

These are bold claims -- claims that, frankly, fail to convince me. They fail to convince me not only that keeping all vulnerabilities and exploits secret so that nobody can protect themselves and patches are not produced in a timely fashion will make the world a better place, but also that Anti-sec will have much success. It's possible that just about anyone or anything can be successfully targeted, but it takes a sustained campaign to actually permanently take down most sites, and there are far too many potential targets to reach them all -- especially before getting caught. I expect Anti-sec to get caught, or to simply fade away.

For such an anti-corporate sounding message, though, my mind boggles at the way Anti-sec's goals dovetail so nicely with some of the least security-effective software vendors and developers in the world. Anti-sec has named itself well; it certainly champions the elimination of some of the most effective tools in our arsenal in the fight against security cracking.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

17 comments
mikifinaz1

One of the clashes that happens here is that between personal and corporate privacy. The security of information is a multi-layered and multi-faceted process in both concept and practice. When and how does a person's right to keep their information secure conflict with a company's, and how is that handled? This gap between public and private is the chasm that has to be defined and dealt with. The government has been dealing with the Freedom of Information Act and its many unintended consequences for years.

pgit

I agree, Chad. They either get smart and stop it, or they get caught. Either way they'll make no dent, except maybe on the hood of some FBI agent's car some day.

csmith.kaze

Anti-Sec's argument doesn't really apply to FLOSS. Most of the time (not all, but most) security holes and exploitable bugs are found and fixed much faster than in the same-sized closed source project. I am of half a mind that this is a good thing. If a company fully discloses a bug and then doesn't fix that bug, they should be exploited. And if your vendor releases a patch and you don't apply it, it is your fault. Now, I do think that their attacks are childish and immature, but maybe something the closed source world needs.

Deadly Ernest

1. A very old adage, origin unknown, but I read it in an old book back in the 1960s: "When something is known by two people, it is no longer a secret." 2. If software companies wrote and tested their products properly, there would be next to no vulnerabilities to be advised about. 3. Anti-sec obviously doesn't want the vulnerabilities fixed. I also wonder if they're employed by Wintel.

apotheon

What do you think of this Anti-sec message? Is there anything to it, or is it just another lame image replacement Website attack?

EliSko

1. Ben Franklin wrote (as Poor Richard) "Three can keep a secret if two of them are dead." That may be the ultimate source of the adage you were quoting. 2. I disagree with you about the testing, though. The cost of "thoroughly" testing any serious product in contemporary IT under all possible circumstances would be ridiculously, impossibly high, and would spend huge amounts testing scenarios that probably would never occur in the field. I'm not defending boneheaded bugs and crappy QA, but there will always be room for "testing" under live, end-user conditions, meaning end-users encountering bugs. Trying to pretend otherwise is ignoring the halting problem and the limits of effective computability. Any CompSci major or symbolic mathematician can explain this to you if you don't believe me, but it is theoretically impossible to test all of the possible combinations of a system without actually putting it through all of those combinations. In other words, "complete" testing has to use the system in every conceivable way that end-users will use it, including any of their configurations of hardware and software and their data sets. For any operating system today, that would take until the universe burns out to run all of the permutations, and then some. It's like the Engineer's version of the Laws of Thermodynamics: "You can't win. You can't break even. You can't get out of the game." So, too, are bugs in software. They will always be there if the software is to do anything meaningful. Whoever tells you differently is smoking something.

Jaqui

Since Anti-Sec is promoting the Microsoft line so strongly, they have to be getting PAID to do so.

Screen Gems

If vulnerabilities are fixed, then those that exploit them for financial gain can't. So, if vulnerabilities are not made known, then they can't be fixed. While I agree that Anti-sec has some valid points about the security industry's advertising practices making people afraid, then selling a product to eliminate the fear, as hacks find out they can make a lot of safe $$ finding and disclosing vulnerabilities to the mfgs rather than the risky business of trying to steal it, those that like to steal it have a far more difficult time doing it. Usually those hacks don't get too worked up because they know the obscure vulnerabilities. It's when those obscure ones start drying up that they call foul.

TheChosen1

I have a feeling that all this is done by some sweaty teen that can't go out due to having extreme acne! Got bored and now wants to make a few headlines ... He/she/they won't get far, and will fade away ... as sooner or later "anti-sec" will get caught or his mummy will cut his broadband connection off.

Deadly Ernest

original attribution once and being shocked about how old it was, as the year figure was in only three digits, and I can't remember if it was AD or BC. testing, I agree you can't test an OS on every type of hardware possible, but you can get a few reasonably common systems and test ALL aspects of the OS itself against common usage things and known attack processes. An application can be tested for ALL its functions on the range of OSs you expect it to run on with a few different items of hardware. The problem with MS is they seem to do ALL their testing with users and none in house. You can work hard to make tight code and minimise the risk of bugs, and you can certainly ensure known vulnerabilities and bugs are fixed, an area where MS have failed miserably for many years, with the same buffer overflow problems being presented in Betas of new OSs and having to be fixed; again, sorry, patched I mean, not fixed.

sysop-dr

MS is not this dumb. And there is no way MS would be involved with someone doing anything this blatantly illegal. (Too many lawyers.) This sounds like someone who has been burnt by someone releasing an exploit; either their company released the software that was exploited or they were a user who got hit by an exploit. My money is on them being a user who got hit hard and possibly got bought into one of the malware that masquerade as anti-virus. A lot of people are fed up with security problems, and who blames them, but this guy or group is a little over the top.

SKDTech

I think it is a person or group of wanna-be black hats that want to scare the average consumer into not properly protecting themselves.

Neon Samurai

No more Winmodem-type hardware; use industry standards. They can't test all hardware combinations or usage paths, but with fewer Windows-only hardware interfaces, you should end up with fewer hardware combination anomalies since it's all using already tested industry standard calls. Of course, some hardware manufacturer will call foul about "releasing our secrets" rather than competing through product design and company creativity outside of the firmware-bound drivers.

csmith.kaze

I don't know very many users that could do this kind of attack and be hit hard with a security exploit. I think it's just a kid who can't actually hack, so they just find exploits that have been already released by others to make them feel better about their "1337 h4cking skills".

Sterling chip Camden

They seem to have this vague quest to defeat corporate exploitation of fear, but as Chad said they're only making themselves an incarnation of the very fear upon which Symantec, Microsoft, et al thrive.