FxChiP ([info]fxchip) wrote,
@ 2009-07-11 20:24:00
Current mood: mreh

An open letter to the "anti-sec" movement.
Dear anti-sec,

I read your manifesto today, and can only feel irritation at your antics and your attacks on the practice of Full Disclosure. While some may be applauding the supposed altruism of your actions, I... question your motives, to say the least.

You claim that if white hats were truly about security, they wouldn't release the information they gained to the world. I say, if the white hats didn't, who would? This is the primary reason I question your motives here; if exploits were found and never disclosed -- no black hat would disclose them, and without full disclosure white hats wouldn't either -- then they would simply be left in the software, exposed for the maximum possible time until some independent party found and reported them.

And, without question, exploits left in software are extremely beneficial to criminals who would seek to use them to steal or vandalize. The less disclosure the exploit itself receives, the more a criminal can use it to their illicit ends, with the victims all the while having a false sense of immunity and security. Full disclosure, at least, lets those who might be on the receiving end know that there is a threat to their business and customers (or site and visitors, as the case may be). Obviously, a black hat would want as little of that as possible.

You further say that full disclosure is bad because it allows the security industry -- no doubt you mean Symantec et al. -- to profit off of its consequences, namely the script kiddies using the published exploits on any vulnerable site. Once again, though, common sense says otherwise; just because you don't talk about the gaping hole in the wall doesn't mean it isn't there. All the obliteration of full disclosure would do is make security companies (and software vendors and developers) work harder to find an exploit they know nothing about. This is a double-edged sword in itself; they may find and fix a slew of other bugs, but still miss the original exploit being used. Full disclosure allows them to find and fix the bug quickly and rush patches out to users before any more damage can be done. Whereas, again, without full disclosure, even the patch is at risk.

Your means of achieving this goal are also completely unnecessary. Rather than engage in discourse or do a thousand things more productive, you choose to seek the destruction of anyone who supports full disclosure and "the security industry in its present form." So, once again, what are your real motives? Because you're sounding very criminally black-hat to me, disguising your intent with altruism.

In short, I hope you guys get caught and your ridiculous anti-disclosure movement to keep the world insecure for your own unsavory ends fails miserably.

Sincerely,

FxChiP
