*NIXEDBLOG 3.0

Thomas Holbrook II | *NIXEDBLOG 3.0

I was in the Boycott Novell chat room when Roy Schestowitz pointed out an article from Heise Online.  It turns out that a group calling themselves Anti-Sec is against full disclosure in regards to security vulnerabilities and exploits.  Their manifest can be read here.  An image was also made available on Image Shack, which shall be shown here as well:

First of all, I can personally understand animosity towards so called security vendors, such as Symantec, McAfee, and others.  They enable the likes of Microsoft to be so dominant over the majority of computer users in the United States and other areas.  In the #libervis channel on Freenode, Danijel Orsolic said that, "Anti-Sec are basically just arrogantly taking the matter in their own hands and essentially violently trying to change things to their way."  He also added that there was, "no persuasion, no peaceful campaigning, just acting like cyber gangsters."  The arguments being posed by Anti-Sec is also a blatant violation of The Hacker Ethic:

Access to computers—and anything which might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!

The Hands-On Imperative has been an important factor in developing software such as Linux, GNU, and others.  To not publicly disclose security vulnerabilities at all would be a violation of said imperative and also disrupt the free flow of information, another piece of The Hacker Ethic.  Even Anonymous learned to resort to legal tactics after being warned that the wrong people could be blamed for denial of service attacks on Scientology websites.

This response on the same mailing list linked to earlier perfectly illustrates the problem that this group (assuming it has more than one person) is going to face:

Dear Antisec,

We regret to inform you that your movement will be short lived. You see,
while you have stated that you would "rm everything", we can do much worse,
and have. You seem to think that all of us are corporate people, but the
security industry encompasses many, many fine folk, from the largest
corporations, to the blackest of the black operation. We have seen things
and done things in our careers that we can never say. We have used time on
supercomputers that you have never, ever seen, much less heard of. In some
of our worlds, the term "contractor" doesn’t mean what you think it means.
And we have subpoenas and guns.

Gone are the days of rehabilitating criminals to lead a productive life. In
the early days, we needed people like you. We needed talent, and we didn’t
care where we found it. Getting caught wasn’t a "game over" moment for many,
simply because those people taught us things. And we learned rapidly. The
Internet is no longer a pet project, but essential to many folk’s way of
life. And we use it for communication, for business, and yes, even to
protect little snots like yourselves.

We no longer need you. We now have the skills in our ranks to perform the
same magic that you do. We teach these skills to our military. The concepts
of electronic warfare forged by you in the 1990s are now our Standard
Operating Procedure, only 1000 times more in depth. We can exploit
vulnerabilities in the name of this country, and we do. We protect what we
were sworn to protect.

This is your notice, antisec. You thought that you could get away with your
little imagehack escapade. You think that hiding in a hushmail account will
save you… who do you think owns hushmail? You think your friends are
trustworthy. Look around you, and look again, and tell us who is now
missing. This was not an accident. And it is sad that such talent had to go
to waste, but you insisted.

Your encryption will not help you, and your little phone calls have not gone
unnoticed. Disposables don’t work. We don’t need warrants anymore, haven’t
you heard? Let’s not even talk about your harddisk… it’s not clean at
all.  Even secure wiping of your files is no longer viable because we can
get it all back now. We can prove your deeds, and we can put you where
wastes of talent belong. And don’t think that private TOR will save you, and
don’t think that stashing your toys works, we KNOW where they are. We KNOW
where you are.

And the best part? We didn’t need to bring the might of the Republic down on
you to know these things… one of your own told us all that we needed to
know. Heed the words, "Look! and Look again!".

Armed response teams are standing by. We will come get you when it’s
convienent for us. Some of us are early risers… and we get more done
before 6AM than you could ever understand.

One last thing… We can promise you won’t end up being dubbed a
"terrorist", because that is too easy for you. There is nothing more brutal
in this country than a nice American prison, especially for skinny
longhairs, and bookworms. We can promise that you live a nice long life in
there, because we spend the money to keep you healthy. In the name of your
debt to society, there is no way out.

Your days are over. Remove everything, it only adds to the mountain of
evidence we have already. And leave these folks alone, they are doing their
jobs… instead of robbing hardworking Americans.

The problem is that there is a shadow of sorts in the United States.  This shadow consists of people from many fields who are quite talented.  These people do play, and they play for keeps.  This isn’t a joke.  This is very serious.  We’re not just talking about businesses here.  We’re also talking military and intelligence agencies.  In a time when the Bill of Rights isn’t what it used to be, the decision to declare that sites and blogs who are all for full disclosure will be targeted is not a wise decision.

Would I be surprised if the group in question contained some very talented people?  Not really.  What if the group had some well known people?  I still wouldn’t be surprised.  However, I disagree with the message and the tactics to convey said message.  Defacing websites is not an effective way to argue the point of not releasing security vulnerabilities and exploits.  In terms of software that has source code openly available, it would defeat the purpose of the authors of said software to allow the source code and the software itself to be shared.  Thanks to a comment on Dan Fuhry’s blog, I ran across a more eloquent argument.  There is an inevitable problem though.

When a corporation knows about an exploit for a year, that’s pretty bad.  When they decide that in addition to not talking about it, they do nothing about it, that shows the problem that we face: Corporate apathy towards the individual and everyone else smaller than they.  Microsoft and other companies are notorious for such things.  It is also understandable that script kiddies create problems for unprepared administrators.  My solution: have said sysadmins step up their game.  I know being in IT can be brutal, but if preparation for security breaches is very poor, then the people who are sysadmins either need to improve their skill set or seek another career.  As for script kiddies, let me explain what happened to one I personally knew.

I went to a vocational technical school in addition to high school.  The first year I went, I chose computer programming.  I had little patience for it, but I didn’t want to be stuck at high school all day long.  The person I knew had even less patience.  Through a fellow student, he discovered a website that published exploits for Novell Netware.  Ah yes, wonderful Netware.  So easy to set up, yet so easy to crash into a brick wall.  One of the exploits sent messages to other computers that had nothing but gibberish in the message body.  It disrupted the computers briefly since we were all able to clear the messages and close the window.  They then ran the exploit at the local high school.  Bad move.

The school staff had to shut down one of their servers and cold boot it in order to get the message exploit to stop.  Rebooting machines wasn’t working since DOS versions of the exploit prevented the loading of Windows 98.  Not only did the person in question get in trouble at the high school in question, but people from the closest air force base wanted to "talk to him" as well.  I kept asking them all sorts of question, and they finally responded, "Did it ever occur to you that I didn’t know what I was doing?"  Script kiddies often have very little skill of their own, but know enough to do damage.  They are also easily caught.

As for disclosure of security holes, what about the holes that companies do not wish to address?  What about holes that project leaders refuse to address?  Disclosure can easily force said hole to be patched as quickly as possible.  What about those who feel that security holes are bugs that need to be fixed and a patch is submitted?  Isn’t that disclosure in a sense?  Now if a company or entity does not wish to disclose a vulnerability, especially if they don’t fully understand it themselves, that’s their business and their right.  Nobody has the right to tell anybody else what to do with the software they are working on.  To "own everyone" because of things being done that they disagree with is not only juvenile, but is utterly wrong.  Forcing a point of view onto other people by defacing websites is not the answer.

Aruging the point effectively is.  How so?  Create a blog or website explaining the points of view.  Write to the editors of news sites stating why you disagree with full disclosure.  Create pamphlets that explain why full disclosure is not always a good idea.  Those are just a few suggestions from a humble blogger.  Those are great alternatives to violating the freedom of speech of other people.