How anti-sec is Anti-sec?

Some person or organization, calling itself "Anti-sec", is waging war on full disclosure. What exactly does all this mean?

According to Wikipedia, as of 16 July 2009, full disclosure means:

to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity. The concept of full disclosure is controversial, but not new; it has been an issue for locksmiths since the 19th century.

The concept of security through obscurity is a policy whereby it is believed that keeping security practices and policies secret (or "obscure") strengthens security by denying information to security crackers that they might use to aid their attempts to crack security. Strident arguments are offered on both sides of the issue of full disclosure vs. security through obscurity.

Many security researchers practice a "full disclosure" policy to varying degrees, some discovering vulnerabilities and reporting them first to developers then, after a period of time, to the public -- in hopes that imminent disclosure of vulnerabilities will motivate the developers to produce patches for vulnerabilities sooner rather than later. Others simply report vulnerabilities to the world at large, including software vendors and developers, through mailing lists and other public venues, causing a mad scramble amongst developers to produce patches even faster (one hopes).

Anti-sec's ImageShack Message

In a very odd turn of events, some entity calling itself "Anti-sec" -- whether it is a single person or a group of them -- has taken to employing illegal security cracking as a means of combating the full disclosure policy, using disclosed vulnerabilities against those who use the vulnerable software as a means of spreading a message of fear. The intent is apparently to "scare" people away from supporting a full disclosure policy, bullying them into opposing the full disclosure philosophy. The oddest thing about this turn of events is that this entity appears to have sided with Microsoft and other large corporate software vendors, taking up their banner of security through obscurity.

Anti-sec's most well-known action so far was cracking security on ImageShack about a week ago, causing a single image to be displayed everywhere that any other ImageShack hosted image would otherwise appear. The image is text on a black background, and reads in part:

The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.

As one wit at reddit put it:

Someone introduce this poor soul to Free Software

Whoever is behind "Anti-sec" has clearly not gotten past the most basic, simplistic sense of what constitutes good security practice, and has predicated this whole idea of how security works on the policies of corporate software vendors more interested in protecting a revenue stream than in actually producing secure software. It might be a good idea for Anti-sec to pause a moment, and ponder Shannon's Maxim:

The enemy knows the system.

. . . or Kerckhoffs' principle:

a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

As Bruce Schneier explains it:

Kerckhoffs' principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility.

These are all very smart luminaries of the theory of security, particularly as it applies to IT security. My own take on it is that security through visibility is a far more effective approach to take than security through obscurity. The problems of security through obscurity, in fact, are the very reason why encryption that doesn't trust the user isn't trustworthy.

Anti-sec says of its intentions:

It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits... "you are a target and you will be rm'd. Only a matter of time."

These are bold claims -- claims that, frankly, fail to convince me. They fail to convince me not only that keeping all vulnerabilities and exploits secret so that nobody can protect themselves and patches are not produced in a timely fashion will make the world a better place, but also that Anti-sec will have much success. It's possible that just about anyone or anything can be successfully targeted, but it takes a sustained campaign to actually permanently take down most sites, and there are far too many potential targets to reach them all -- especially before getting caught. I expect Anti-sec to get caught, or to simply fade away.

For such an anti-corporate sounding message, though, my mind boggles at the way Anti-sec's goals dovetail so nicely with some of the least security-effective software vendors and developers in the world. Anti-sec has named itself well; it certainly champions the elimination of some of the most effective tools in our arsenal in the fight against security cracking.