Full Disclosure (the concept, not just the mailing list): apparently, it's all the fault of the security industry. Well, most things are. Still, this is a bizarre little story. (Tip of the hat to the entirely normal Rob Slade for calling my attention to it.)
Apparently an individual or group calling itself The Anti-sec Movement replaced every image it could get hold of on ImageShack with one of its own, apparently representing its own manifesto "dedicated to the eradication of full-disclosure." I say apparently because I can't get proper access to the ImageShack site at the moment, and the bits I can reach don't mention the incident at all. However, Pete Cashmore's blog at mashable.com does have a copy of the image. (That's one of the slowest-loading web pages I've seen in my life, by the way, guys. I eventually downloaded the image to my desktop so that I could read it in realtime..)
I hear you ask: "Anti-sec: isn't that something to do with 1984?" :-D
Well, it's interesting that there are so many echoes of Orwell's novel in this incident. In the novel, Winston Smith, the protagonist, works in the "Ministry of Truth", revising official documents (including the retouching of images) so that they are in accordance with current propaganda: in particular, removing all trace of "unpersons" whose existence is no longer to be recognized. So the replacement of images by a manifesto has a resonance that may not be accidental. And indeed, one of the pivotal plotlines in the book concerns Winston's affair with Julia, despite the fact that she's a member of the "Junior Anti-Sex League". The really interesting aspect, though, is that "The Anti-sec Movement" seems to have a command of doublethink, thoughtcrime and general propaganda that could have come straight out of Orwell's Oceania superstate.
According to the "manifesto", full disclosure is the "disclosure of exploits publicly - anywhere" and we use it scare people into buying security software. In the real world, though, the software industry, security vendors included, tend to favour "responsible disclosure". What's the difference?
Full disclosure is generally seen as the opposite to "security through obscurity" (STO). STO basically means that where a vulnerability might exist, you live in hope that no-one will notice or mention it. Full disclosure means that when you happen across a vulnerability (or, more likely, find one after pulling an application to pieces in the hope of find such a vulnerability), you publish it immediately, with the intention of scaring the vendors responsible into fixing it right away (and getting kudos for the discovery). Responsible disclosure means notifying the vendor and perhaps other parties such as CERTs (Computer Emergency Response Teams) or AV vendors, in order to give the vendor time to fix it properly (which can be a time-consuming job) and give them, and other parties, the chance to put together advisories and information on workarounds. Full, unlimited disclosure works more to the advantage of the discloser than it does to the vendor or the security industry.
Still, let's leave that aside for the moment and assume that Full Disclosure is Evil, Security Through Obscurity is Good, and there is no such thing as Responsible Disclosure. Has the Anti-sec Movement acted in accordance with its own declared principles?
Well, it may want to abandon full-disclosure, but Anti-sec have disrupted a legitimate service and denied the rights of legitimate users of that service, in order to publicise their own poorly-thought-out manifesto. That seem to me indistinguishable from the actions of the "script kiddies" who "copy and paste these exploits...to strike..vulnerable servers". Still, it appears that the Anti-sec group intends to reform the security industry through "maygem [sic] and the destruction of all exploitative and detrimental communities", so that's all right then.
I'm not sure that the security industry and the vulnerability research community are the same thing (which doesn't mean there isn't a place for vulnerability research), but I guess someone who's against security hates us all equally.
So anyway, what's going to happen when Anti-sec has eliminated "all supporters of full-disclosure and the security industry in its present form?" Apparently "It's about money." I'm not sure if this is a hit at those vulnerability researchers who complain that the security industry should be paying them some sort of bounty, or whether it's aimed at all of us who think that money is"very important" because we can't rely on our mummies and daddies to give us pocket money, and actually have to earn our living.
I'm looking forward to seeing how this Brave New World (did you see what I did there? :-)) will work, when no-one needs to think about money. In fact, given the number of Internet users who take for granted the morality of stealing practically anything from intellectual property to bank card information, perhaps it's already here, and I just need to work out how to get my food parcels from the collective. On the other hand, it could just be that this is yet another rant by someone who cares passionately about his own rights and views but has no respect whatsoever for the rights of others. But I may not be able to pursue that thought. Apparently security bloggers, like exploit publication sites and exploit distributors, are targeted for deletion. (Right: no wonder other posters to the full disclosure list are so impressed.)
Still, if I disappear from the official records in the near future, would the last one out please turn off the lights?
David Harley
Director of Malware Intelligence
