Hacker group declares war on the security industry

Discussion in 'other security issues & news' started by ronjor, Jul 14, 2009.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,926
    Location:
    Texas
    The H Security
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    An earlier example:

    Full Disclosure: SSANZ - Server Systems Administration NZ.
    http://seclists.org/fulldisclosure/2009/Jul/0028.html
    ----
    rich
     
  3. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    In many ways, Anti-sec is right. Full disclosure is responsible for a lot of the spreading of malicious code. The security industry condemns botnets for spreading malicious code while full disclosure makes much of that code available to anyone.
    This is definitely true, but is not limited to scare tactics. By publishing the code, they're making the internet more dangerous for everyone while they create demand for their products.

    I don't completely agree with their methods but I can understand why they've chosen this tactic. The industry is wrong and is not listening. "Responsible disclosure" does nothing but force users to update. It's nothing more than another tool used by those profiting from planned obsolescence. The security industry isn't helping users. They're helping themselves by making the problem worse.
     
  4. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I agree with you.

    There was an example, not so long ago - Conficker. There was even a small interview with a Symantec spokesperson on one of the news channels here.

    Did they advise people on how to protect themselves, as in to patch their systems, prevent auto-run, etc? No. What did they do? Hurry-up! Go buy Norton!

    Security industry spreads fear. It's in their best interest to do so. Without this fear, people wouldn't buy their products. Would they?

    Why did they start to say that Microsoft Security Essentials only provides basic protection (as far as I know, it offers anti-virus, anti-spyware, anti-rootkit, etc. protection... so, it is not that basic, is it? ;))? Red alert on their side: People will be getting a full free anti-virus (anti-malware, since it covers all kinds of threats). MSE is a threat to their business (read profit).

    I could go on, but it all would resume to one simple word, which I already mentioned - FEAR. They have the need to spread it.
     
  5. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's not just the security-ware industry. All of the computer industry relies on that tactic. MS uses much the same tactic with operating systems. "This can't (or won't) be patched. You need to upgrade." That new OS needs new hardware to run it. That's followed by new software. When it's over, the whole industry profits at the users' expense. They're all creating demand for each other. Publishing vulnerabilities and spreading the code to exploit them is just one of their tools.
     
  6. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Not all successful attacks and botnets are the result of full disclosure. Both the Storm and Conficker attacks had no prior warning. The Storm attack code changed hourly during its initial release. Conficker code wasn't analyzed right away, and even it changed as different variants emerged.

    This is not to ignore or justify full disclosure, but just to keep it into perspective.

    As far as it being responsible for selling security software: That phenomenon has been present since the security industry began. Two preventative measures suggested in most articles on computer security are:

    • Keep patches up to date.

    • Keep AV up to date.

    Not much help for the 0-day, so-called, stuff.

    0-day, of course, implies no proactive prevention, rather, relying on reactive measures. This fits in with the marketing model: keep the consumer always having to catch up. But there is more involved here than just the full disclosure scenario. An ignorant (non-aware) consumer can't make informed decisions about security products.

    So, while it's fashionable to bash full disclosure, the real solution is consumer education, which begins with one-on-one: whenever someone with some knowledge of computer security helps another become aware of what is going on and helps them to understand the nature of malware exploits.

    "If you can keep your head when all about you Are losing theirs..."
    -- Kipling


    ----
    rich
     
    Last edited: Jul 15, 2009
  7. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I totally agree. In my case, I'm totally free from the vicious cycle of updates and upgrades which only increase surface areas for vectors of attacks and add complexities opening up more holes to be patched. I use old-version software like multimedia, office, web browsers and firewalls with published exploits and vulnerabilities and yet never had any malware or any attacks. Abandonware HIPS, buffer-overflow protections and old-version firewalls are all I need.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Didn't see your edit before answering.
    No proactive protection when the application's overly permissive settings aren't changed.
    That's basically what I said. Keep the user playing catch up. Always paying for something newer. The "market model" has taken priority over users' security. You and I both know that Windows can be secured very well for no cost. Remember this one regarding the WMF exploit?
    They used the threat of a zero day that won't be patched to coerce users to update. 98/ME wasn't vulnerable to start with.
     
    Last edited: Jul 15, 2009
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Same here. I'm running an unsupported OS (98FE) protected by an unsupported firewall (Kerio 2.1.5), an unsupported HIPS (SSM free), and an unsupported web content filter (Proxomitron). They're all configured to enforce a very old and effective security policy, default-deny. Everything we need to secure Windows has been available for years, but their use damages the industry's planned obsolescence policy. They don't want the users to be secure. They want them to keep paying. Educating users works to an extent on a one-to-one basis, but the computer industry doesn't want educated users who might figure out that they don't need to stay on that treadmill. MS could really help with user education if they'd quit shipping systems with default-permit setups and make users learn how to do it correctly from the start.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Knowledge is Power but a little knowledge is a dangerous thing. This applies also to this "full disclosure".
    Considering the universal polarity rules of good and evil, active and passive, light and shadow, each knowledge can serve good as well as bad purposes. Let us take the example of a knife, an object that virtually ought to be used for cutting bread only, which, however, can become a dangerous weapon in the hands of a murderer. All depends on the character of the individual. Likewise for the knowledge of those exploits and vulnerabilities.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Knives, guns, etc. can be used for good or evil, but I can't think of any other uses for malicious code. It has one purpose for existing, compromising applications or operating systems. It's not useful to anyone except those who want to hack a computer. Full disclosure only makes it easier for those individuals to get that code.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, you're right.

    When I mentioned Conficker, I didn't have in mind the
    Truth is, security industry plays only 1 game, and that game is named Fear. Be it with full disclosure and the publication of exploits or not.

    I mentioned that a Symantec spokesperson gave an interview on one of the news channels here, back then. But, did he (and the news channel) take the chance to explain how people could avoid becoming infected, by telling them the simple things they could do to protect themselves, such as preventing auto-run, patching their systems, etc.? No, he didn't. All he said was to buy an anti-virus solution (theirs, most obviously) and keep it up to date. Otherwise, people would be in deep ****.

    That's playing the game Fear. People fall for it, because as you well say, people lack education.
     
  13. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    You are right that those codes would make it easier for a malicious individual to do his nasty deeds. What I meant was that knowledge of how the attack works would make you formulate your own tailored preventive measure as a form of self-defense.

    For example, an exploit showing how to bypass firewalls or HIPS would help me in choosing a HIPS that will not be bypassable and formulate courses of action like layered defenses etc. Greater understanding would allay any fears or paranoia.

    "There are always two sides of the same coin."
     
  14. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Here is an example showing discovery of a vulnerability -- Java in this case -- leading to an exploit in the wild:

    PUBLIC ADVISORY: 12.04.08
    http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=760
    Make sure you update that Java
    http://isc.sans.org/diary.html?storyid=6805
    ----
    rich
     
  15. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    For all of the excellent work that ISC does, I've complained to them over the years that they are short-sighted when it comes to recommending protection, which is usually: keep patches and AV up to date -- not much help in this case, which was easily prevented by at least 5 solutions (paid and free, including SRP) at the time, and I sent them a screenshot of the unionseek.com WMF exploit site which they were the first to alert to:


    In the java exploit Diary I referenced above, here is the complete quote:

    Translation: If your AV is missing this detection, you are just out of luck until an update or your AV signature comes along.

    Over the years, several ISC Handlers have indicated to me that White Listing (Default-Deny) is just too restrictive for most people, especially in Organizations.

    And so it goes...

    ----
    rich
     
  16. Airflow

    Airflow Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    39
    Agree nothing then deception.
     
  17. Beto

    Beto Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    47
    Hackers keep us on our toes.

    Every evil deed created hundreds of benefits.

    After 9/11 our military hardware got tested and it failed!!!

    Now we are shipping radios that actually work to our troops and Air Force One can communicate with the White House as it was supposed to do (but was unable).
     
  18. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,201
    I'm inclined to disagree with the majority of the posts in this thread.

    I do believe that full disclosure is a good idea. Possibly giving the vendor a chance to create a patch first. Arguing against full disclosure is a bit like being in favor of 'security through obscurity'.

    The 'bad guys' may find a vulnerability sooner or later. It's better to fix the problem than to stick your head in the sand.

    Technically, there would be less need for security software if people would have fully patched systems/software.
     