ImageShack Hacking Brings Full Disclosure Debate into Focus

Article by George Norman (Cybersecurity Editor)

on 14 Jul 2009

ImageShack, one of the best-known image hosting sites, was hacked over the weekend. The people responsible for the attack, who call themselves the “Anti-sec Movement,” managed to compromise the ImageShack website; as a result, all visitors to the site were redirected to an image explaining why the group did it.

It seems that the Anti-sec Movement is not a big fan of the full disclosure practice that goes on in the IT security world. Basically this means that when a security vulnerability is uncovered, its existence and all other details about it are made public (hence the full disclosure term). The Anti-sec Movement does not believe this practice to be beneficial and is an avid supporter of nondisclosure – so avid that it has threatened to hack other sites that publish full details about security exploits.

“We learned that the group had gained control of how images were being displayed. Before 9 p.m. PST, normal functionality had been restored to user images. No user data or content was damaged or lost,” explained ImageShack.

Here is the full text contained in the image ImageShack visitors were redirected to:

Anti-sec. We are a movement dedicated to the eradication of full-disclosure. We wanted to give everyone an image of what we are all about.

Full-disclosure is the disclosure of exploits publicly - anywhere. The security industry uses full-disclosure to profit and develop scare-tactics to convince people into buying their firewalls, anti-virus software, and auditing services.

Meanwhile, script kiddies copy and paste these exploits and compile them, ready to strike any and all vulnerable servers they can get a hold of. If whitehats were truly about security this stuff would not be published, not even exploits with silly edits to make them slightly unusable.

As an added bonus, if publication wasn’t enough, these exploits are mirrored and distributed widely across the internet with a nice little advertisement embedded in them for the crew or website which first exposed the vulnerability to the public.

It’s about money. While the world is difficult to change, and money will certainly continue to be very important in the eyes of many, our battle is that of the removal of full-disclosure for the purpose of making it harder for the security industry to exploit its consequences.

It is our goal that, through mayhem and the destruction of all exploitive and detrimental communities, companies, and individuals, full-disclosure will be abandoned and the security industry will be forced to reform.

How do we plan to achieve this? Through the full and unrelenting, unmerciful elimination of all supporters of full-disclosure and the security industry in its present form. If you own a security blog, an exploit publication website or you distribute any exploits… “you are a target and you will be rm’d. Only a matter of time.”

This isn’t like before. This time everyone and everything is getting owned.

Signed: The Anti-sec Movement


While I do agree that full-disclosure can be detrimental security-wise, there are times when sharing details about a security hole with the rest of the world needs to be done. Like when you report the vulnerability to the developer and the developer takes forever to patch it. I’m talking about the Java vulnerability in Mac OS X that Landon Fuller uncovered, a vulnerability that Apple knew about for 6 months but rushed to patch only after Fuller publicly disclosed it.

