Earlier today, the popular image hosting site ImageShack appears to have been compromised by a group calling itself Anti-Sec. The exploit was also posted to the Full Disclosure mailing list, eliciting some interesting responses. This is the same group that attacked the website of astalavista.com in June of this year.
The effect of the attack was to replace many of the hosted images with a single (amusingly titled) image containing the Anti-Sec manifesto. ImageShack was a particularly effective site to target as so many third-party sites use images that are actually hosted on ImageShack.
It is Anti-Sec’s belief, it seems, that the security industry supports full disclosure (of things like vulnerabilities that lead to zero-day exploits, for example) because it allows the industry in general to “develop scare tactics” aimed at generating profits. No mention then of the security industry designing proactive protection mechanisms to help people and businesses avoid serious financial and personal damage? No mention of full-disclosure allowing security organisations to mitigate against attacks before they are exploited in the wild? No mention of organised crime profiting from undisclosed vulnerabilities?
Supporting Anti-Sec’s stated aim of “eliminating the security industry in its present form”, they have declared all security blogs, exploit publications and security websites fair game and promise that “everyone and everything is getting pwned”.
This event looks like it is closely related to this page containing blog articles published back in 2006. In the article “Stop aiding an industry which just hurts humanity”, this text in particular stood out:
“It is time for the last stand. Our mission is to retain the right to freely think, code, and communicate. Stop helping the industry, stop publishing your 0day, start working to make a real difference. Save your arms for the time very soon in which we will need them. Have faith in your self and your God and good works will come. We need not be slaves to a master that despises us!
Non-disclosure is a heroic endeavor. Be a hero.”
Even though I’m usually a sucker for a manifesto, this just made me think of the wacky end of the survivalist spectrum, heading for the hills with their tins of beans and their AK-47s (and now SQLi).
I realise this blog entry is affording someone the oxygen of publicity they obviously crave, and personally I don’t feel I should dignify their stance with a response, but equally I am keen to open the issue up for wider discussion. What do you think?