Security

ImageShack Hacked, Security Groups Threatened

revjtanton writes "Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
  • by Anonymous Coward on Saturday July 11, 2009 @11:30AM (#28660353)

    These are the same people who say they've found an exploit in some versions of openssh. Any connection?

    http://seclists.org/fulldisclosure/2009/Jul/0028.html

    http://news.ycombinator.com/item?id=692036

    http://lwn.net/Articles/340483/

  • by trybywrench ( 584843 ) on Saturday July 11, 2009 @11:41AM (#28660469)
    What an effective way to distribute a message, hack one of the world's most popular image hosting sites and replace all the images with your manifesto! Every site with an image linked back to imageshack would be displaying your message. Instant.global.audience. I'm not justifying what they did and I'm all for the feds handing out a beat down, after all, the law is the law but man, what a good idea.
  • Re:Astalavista (Score:3, Interesting)

    by Threni ( 635302 ) on Saturday July 11, 2009 @11:46AM (#28660517)

    Hardly, given that they're anti-disclosure.

  • by klui ( 457783 ) on Saturday July 11, 2009 @11:57AM (#28660627)
    It doesn't show the details but their website gives a summary. http://romeo.copyandpaste.info/txt/imageshack-pwned.txt How accurate, who knows.
  • by fictionpuss ( 1136565 ) on Saturday July 11, 2009 @03:08PM (#28662229)

    If you discover another zero-day root exploit in the Linux kernel on your own, and you have the means to sell it to the highest bidder for a nice pile of cash, then neither you nor the winner have a motivation to pass on that secret to the underground.

    If there are fewer active vulnerabilities floating in the underground - accounting for accidental or the occasional intentional leak - then how is that more chaotic than what we have now?

    I'm curious - I'm not an expert in this stuff by any means.

    Oh wait, this reminds me a little of the Linux-development policy change with regard to no longer enumerating the fixes and vulnerabilities which comprise each release version -- do you similarly believe that policy will lead to more chaos?

  • Re:Wow (Score:1, Interesting)

    by Anonymous Coward on Saturday July 11, 2009 @04:12PM (#28662783)

    If their message is clear, concise and not disagreeable, why can't they convince us with a logical argument?

    Silly rabbit, their trix aren't for you. Their plan is to help grease the path for the fuckers in Congress trying to get this POS Cybersecurity Act of 2009 bill passed. Once a good portion of the Internet structure becomes nationalized, any full disclosure of vulnerabilities could be considered as posing a national security threat and thus would have to be kept secret. What this means, of course, is that any software vendor providing a product that constitutes a major portion of the federal government information infrastructure as well as the internet commerce and banking, will be protected from full disclosure of vulnerabilities in their product by the federal government based on national security policy.

    As this relates to "anti-sec", they want to build the impression that will be amplified by a scaremongering media that the Internet is being besieged by warring factions of evil hackers. There will even be some useful idiots pointing to the ramblings of these assholes as proof that even the sec community is divided on the issue of FD. Which it is, but mostly debate revolves around the timing of disclosure and not whether to disclose at all. This is a sham war designed to put pressure on Congress members to pass a really, really, bad bill.

    I think the timing of this incident, along with recent botnet attacks and other media grabbing "cyber" events within the few months just before this bill was introduced, couldn't be more perfect to create a campaign to justify the takeover of the Internet infrastructure by the federal government. http://www.eff.org/deeplinks/2009/04/cybersecurity-act

  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Saturday July 11, 2009 @04:37PM (#28662937) Homepage

    What would happen, is that the prevalence of unskilled script kiddies would massively decrease, and the background scans taking place constantly would decrease... Because the perceived threats would have abated, people wouldn't bother installing updates or taking any measures to protect themselves. Also without public disclosure and/or active exploitation, software vendors would downplay the seriousness of their vulnerabilities and delay providing patches for them.

    The end result of this, is that the smaller number of people who can acquire exploits, and this includes paid criminal gangs, would have a lot more power because they would no longer have to compete against the script kiddies for control of drone systems.

    Incidentally, I am also against the *free* disclosure of vulnerabilities in non-free software... Commercial vendors charge you a lot of money for their software, and can often be hostile or uncommunicative towards people who find bugs in their software... These people finding bugs are effectively doing their jobs for them and get nothing but grief in return, so it's no wonder that so many bug hunters are now working for criminal gangs.
    A lot of these vendors want you to do their beta testing for them for free, and then report the bugs privately to them so they can silently fix them not even giving you credit for the find and often not disclosing any details to the public other than perhaps providing a black box patch.

  • by gr8dude ( 832945 ) on Saturday July 11, 2009 @06:05PM (#28663671) Homepage

    I think they are pro full-disclosure, and this action is just a pun.

    The message they are trying to get across is: "If you close your eyes, the world doesn't disappear. Here's an example of a hack, just to show you that vulnerabilities will continue to exist even if you don't make them public. Not only that, but there will also be people who will find them and use them, regardless of your will to make them public or not".

    The message is worded well, others noticed it too; I think the author is too intelligent to be so ignorant of the truth.
