“Anti-Security” | Save a Bug, Save a Life :)

I could not start this category except with the old and wise anti.security.is home page statement and some Q&A.

This is what it was writ-ed once upon a time….

The purpose of this movement is to encourage a new policy of anti-disclosure among the computer and network security communities. The goal is not to ultimately discourage the publication of all security-related news and developments, but rather, to stop the disclosure of all unknown or non-public exploits and vulnerabilities. In essence, this would put a stop to the publication of all private materials that could allow script kiddies from compromising systems via unknown methods.

The open-source movement has been an invaluable tool in the computer world, and we are all indebted to it. Open-source is a wonderful concept which should and will exist forever, as educational, scientific, and end-user software should be free and available to everybody.

Exploits, on the other hand, do not fall into this broad category. Just like munitions, which span from cryptographic algorithms to hand guns to missiles, and may not be spread without the control of export restrictions, exploits should not be released to a mass public of millions of Internet users. A digital holocaust occurs each time an exploit appears on Bugtraq, and kids across the world download it and target unprepared system administrators. Quite frankly, the integrity of systems world wide will be ensured to a much greater extent when exploits are kept private, and not published.

A common misconception is that if groups or individuals keep exploits and security secrets to themselves, they will become the dominators of the “illegal scene”, as countless insecure systems will be solely at their mercy. This is far from the truth. Forums for information trade, such as Bugtraq, Packetstorm, www.hack.co.za, and vuln-dev have done much more to harm the underground and net than they have done to help them.

What casual browsers of these sites and mailing lists fail to realize is that some of the more prominent groups do not publish their findings immediately, but only as a last resort in the case that their code is leaked or has become obsolete. This is why production dates in header files often precede release dates by a matter of months or even years.

Another false conclusion by the same manner is that if these groups haven’t released anything in a matter of months, it must be because they haven’t found anything new. The regular reader must be made aware of these things.

We are not trying to discourage exploit development or source auditing. We are merely trying to stop the results of these efforts from seeing the light. Please join us if you would like to see a stop to the commercialization, media, and general abuse of infosec.

Thank you.

Quoting from some Q&A :


 (this is free-speach copyright, mean like i told that to you freely in personal/public talk, so you can do anything to it)
Q: Why security is bad thing?
A: In short – hell is totally secure. Do we want live in hell?.. If people follow security at first everywhere – probably we will still live in den.

Q: What is nature of security?
A: Nature of security is restriction, destruction and antagonism to freedom. That thing is balance freedom. Wrong is – in current situation – process of security – grow much faster then freedom. And that speed is not accident – that is artifically stimulated by technology of war. We are now stand on fork and choosing between totalitarism or freedom. And governemt always glad to help us choose first.

Q: Technology of war in security? What do you mean?
A: When people improve weapon to beat other people. Other people, of course, improving own weapon too. Keyword is “people vs. people”.

Q: Who profits from the infosec war?
A: Security companies do (this is their line of employment). They need to use scare tactics to motivate more people and companies into thinking their services are not only desirable, but necessary. It’s simple Capitalism. These corporations make security popular and fashionable, and turn it into a consumer pastime. Why can’t they carry out their jobs with less glamour?

Q: How do scriptkiddies help security?
A: This is an easy answer. The term was coined as a whip fashioned by various “security experts” with which to flog the public. They show us depictions of these lawless, rabid, savage kids who are out of control, so they can impress upon us the demographic from which they defend us.

Q: Can I sleep safely at night while Bugtraq is around?
A: Absolutely not.

Q: How does Bugtraq help security?
A: Bugtraq serves as a front for an underground cabal through which electronic weapons of mass destruction disseminate amongst scriptkiddies. It is also an addictive substance which has hooked admins trying to preserve their systems’ security without getting owned by the “early bird” defacer who grabs the exploit before their local ISP has been notified of the vulnerability. However, even Bugtraq publicizes a false concept of “full disclosure,” since information about competitors or friends (like @stake) is tossed in the trash. Full disclosure simply serves to sate the scriptkid’s addiction to power, and this addiction is very hard to break. antiSecurity aims to help stop that addiction.

Q: What’s wrong with full disclosure?
A: Full disclosure attempts to contradict the saying “two wrongs don’t make a right” in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example:
An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn’t end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure!

Q: We should fix all bugs! How could it be otherwise?
A: Imagine terrorist control nuclear bomb from box on internet, and nobody can terminate bomb controlling process to stop countdown. Or your house is absolutely secure but you lost key by accident – how you will return in your own home? In real world security is always limited – nobody make safe doors everywhere and lock them. In case of emergency you will need access w/o keys. Absolute security is nonsense. People forgot about that for computers and trying to reach it..

Q: Isn’t all hackers is a bad people?
A: No! People are different, but probabilty of bad person in 10 or in 1000000 is different… (hint about script-kids). And i tell you if compare hard working person who know cost of own work and idling kid or newbie – who will do shit very likely?

Q: All admins are good/bad people?
A: No! Think! So don’t attack EVERYBODY, and don’t protect EVERYBODY! If you pretect bastards you are on bastard’s side. Do you know BOFH admins are exists?

Q: Why worry about security? Vulnerabilities will always exist and there is no absolute protection against them.
A: Exactly correct. But if problem can’t besolved in dumb way, this is don’t mean it is can’t be solved indirect. This is why many of us have safeguarded ourselves with security measures such as encrypted or steganographized filesystems in the case that our sensitive information is accessed in an unauthorized manner. Security will never be absolute, but technological developments will continue to be made to push possible system security as close to absolute system security as possible.

I can’t disallow people come to my computer, but I can make another restriction so even if them come they can’t access data. I put encrypted disk. Side efect is i need always enter password myself and id slower disk operation.
We can fight spam. But we can disable relaying email thru our system for unknown.
Can’t stop DDOS attack but can make global tracking system over internet.
We can’t restrict access for one, so we restrict for everybody. This is cost of security. More and more progressive restrictions.
Q: I just love finding bugs, though. What’s wrong with that?
A: Air Force pilots loving flying planes, too. Sometimes they even find themselves flying missions over Hiroshima and Nagasaki.

Q: What are “grayhats” and how are they different from whitehats and blackhats?
A: Grayhats are indecisive people who consider themselves to be neither blackhats nor whitehats, or both blackhat and whitehat. However, being a grayhat, is not synonymous to existing in a “healthy medium.” Rather, these individuals do not pledge allegiance to either side of the controversy, and in not doing so, commit blunders that hurt supporters of both viewpoints.

Q: Is antiSecurity motivated in any part by personal profit?
A: Can true freedom be reduced to the sole notion of economy? What seems odd in all of this is that many of Bugtraq and Packetstorm’s followers are aficionados of free, open-sourced operating systems which have been provided as efficient and stable alternatives to highly commercialized and unduly popular OS’es such as Windows. But when it comes to security, they can’t understand that measures they take towards “freeing information”, such as full disclosure actually serves to fuel commercialism in the security market. How can we bring this to popular attention?

Q: Is antiSecurity trying to change the world? Isn’t that a bit radical?
A: Everything is going to sound a bit ambitious at first. But it’s got to start somewhere. So far, we have had manifestos published on the net concerning the ethics of hacking, defacement, and the definition of a “hacker”, but we have yet to see a comprehensive document or set of documents that defines the parameters of anti-disclosure policies. The discussion has, up until this point, been an imbalanced one. Generally, disclosure is discussed on forums such as Bugtraq, which obviously have a predominant pro-disclosure following. Supporters of non-disclosure very rarely make similar postings for obvious reasons: they avoid the glare of the public limelight. The antiSecurity site is the perfect non-threatening environment in which open intellectual discussion relevant to this topic can take place. (So in answering the question, yes, we are :)

Q: What does antiSecurity suggest we do about people who siphon their reputations off the hard work and creativity of others (ie Aleph1, route) ?
A: This is probably the simplest answer of them all: don’t support them. Don’t subscribe to their mailing lists, don’t read their ‘zines, don’t use their software. Who said boycotts won’t work on the Internet?

Q: Is there anything I can do to help?
A: Yes! We would greatly appreciate any assistance. Please email any proposals or suggestions you might have, including essays or rants to (mail-down). Whatever happens, don’t post to Bugtraq! If you still can’t stop yourself from doing this, try posting fake exploits and advisories, or trojaned code :) Remember that anybody who consciously decides to fire a loaded gun at somebody has already decided to accept the consequences.

Q: Give me your root password, or i don’t believe you!
A: Obviously, you have failed to either read or comprehend any of the contents of this document. You might want to read this FAQ again, but there’s a chance that won’t do you much good.

End,

now the main concept of this movement, as you (I hope) understand is stop publishing exploit, this could be mis-understead as “don’t find exploits” but this is not the message.
In deed finding exploits, help security, helps quality code writing and improve the technology.
The problem is that with publishing this exploits and make them available online for all with an mini how-to DESTROY attached to the exploit we are just selling weapons of mass-destruction at the corner.

WHY? , lol I’m just asking my self when milw0rm whent down how many web-sites and servers where saved from the rutine defacement, and how many admins was saved?

Until the programmer are humans, in the code will be always a bug, trying to find them improve security and improve technology, publishing them helps destruction and help the Security Industry make his money.

PS, I’m not a hacker, I’m only interested in publishing this information so many people should understand what’s right and what’s wrong.
What is in reality security and what is understood this days with “security”.

Revisions

Tags: ,

No comments yet.

Leave a Reply