(This is public domain, meaning you can do anything to it)
Q: Why is security a bad thing?
A: In short - hell is totally secure. Do we want to live in hell? If people had put security first everywhere, we would probably still be living in a den.
Q: What is the nature of security?
A: The nature of security is restriction, destruction and antagonism to freedom. The right thing is to balance freedom. The wrong, how it currently is, is for the process of security to grow much faster than freedom. That speed is not accidental. It is artificially stimulated by the technology of war. We are now standing at a fork in the road and choosing between totalitarianism and freedom. Government is always glad to help us choose the first.
Q: Technology of war in security? What do you mean?
A: When people improve weapons to destroy other people. Other people improve their own weapons too. The key word here is "people vs. people".
Q: Who profits from the infosec war?
A: Security companies do (this is their line of employment). They need to use scare tactics to motivate more people and companies into thinking their services are not only desirable, but necessary. It's simple Capitalism. These corporations make security popular and fashionable, and turn it into a consumer pastime. Why can't they carry out their jobs with less glamour?
Q: How do script-kiddies help security?
A: This is an easy answer. The term was used as a whip fashioned by various "security experts" with which to flog the public. They show us depictions of these lawless, rabid, savage kids who are out of control so that they can impress upon us the demographic from which they defend us.
Q: Can I sleep safely at night while Bugtraq is around?
A: Absolutely not.
Q: How does Bugtraq help security?
A: Bugtraq serves as a front for an underground cabal through which electronic weapons of mass destruction disseminate amongst script-kiddies. It is also an addictive substance which has hooked admins trying to preserve their systems' security without getting owned by the "early bird" defacer who grabs the exploit before their local ISP has been notified of the vulnerability. However, even Bugtraq publicizes a false concept of "full disclosure," since information about competitors or friends (like @stake) is tossed in the trash. Full disclosure simply serves to sate the scriptkid's addiction to power, and this addiction is very hard to break. antiSecurity aims to help stop that addiction.
Q: What's wrong with full disclosure?
A: Full disclosure attempts to contradict the saying "two wrongs don't make a right" in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example: An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn't end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure!
Q: We should fix all bugs! How could it be otherwise?
A: Imagine that terrorists control a nuclear bomb from a box on the Internet, and that nobody can terminate the bomb control process to stop the countdown. Or that your house is absolutely secure, and you lose the key by accident. How will you return to your own home? In the real world security is always limited - nobody makes safe doors everywhere and nobody always locks them. In case of an emergency you will need access without keys. Absolute security is nonsense. People forget this when it comes to computers and try to reach it.
Q: Aren't all hackers bad people?
A: No! People are different, but the probability of a bad person in 10 or in 1000000 is different... (hint about script-kids). I tell you, if you compare a hard working person who knows the cost of their own work and an idling kid or a newbie - who is likely to do shit?
Q: All admins are good/bad people?
A: No! Think! So don't attack EVERYBODY, and don't protect EVERYBODY! If you protect bastards you are on the bastard's side. Do you know that BOFH admins exist?
Q: Why worry about security? Vulnerabilities will always exist and there is no absolute protection against them.
A: Exactly correct. But if the problem can't be solved in a dumb way, that doesn't mean it can't be solved indirectly. This is why many of us have safeguarded ourselves with security measures such as encrypted or steganographized filesystems in case our sensitive information is accessed in an unauthorized manner. Security will never be absolute, but technological developments will continue to be made that push possible system security as close to absolute system security as is possible. I can't disallow people to come to my computer, but I can make another restriction so that even if they do come, they can't access data. I use an encrypted disk. The side effect is that I always need to enter a password and that disk operation is slower. We can't fight spam, but we can disable relaying email through our system for unknown parties. We can't stop DDoS attacks, but we can make global tracking systems over the Internet. We can't restrict access for one, but we can restrict access for everybody. This is the cost of security. More and more restrictions.
Addition (27jul2001): remember the increasing complexity of the world. The terrorizing strategy of fixing bugs day by day is causing more and more destruction than in the past.
Q: I just love finding bugs, though. What's wrong with that?
A: Air Force pilots love flying planes, too. Sometimes they even find themselves flying missions over Hiroshima and Nagasaki.
Q: What are "grayhats" and how are they different from whitehats and blackhats?
A: Grayhats are indecisive people who consider themselves to be neither blackhats nor whitehats, or both blackhat and whitehat. However, being a grayhat is not synonymous with existing in a "healthy medium". Rather, these individuals do not pledge allegiance to either side of the controversy, and in not doing so, commit blunders that hurt supporters of both viewpoints.
Q: Is antiSecurity motivated in any part by personal profit?
A: Can true freedom be reduced to the sole notion of economics? What seems odd in all of this is that many of Bugtraq and Packetstorm's followers are aficionados of free, open-sourced operating systems which have been provided as efficient and stable alternatives to highly commercialized and unduly popular OSes such as Windows. Yet, when it comes to security, they can't understand that the measures they take towards "freeing information," such as full disclosure, actually serve to fuel commercialism in the security market. How can we bring this to the populace's attention?
Q: Is antiSecurity trying to change the world? Isn't that a bit radical?
A: Everything is going to sound a bit ambitious at first, but it's got to start somewhere. So far, we have had manifestos published on the 'net concerning the ethics of hacking, defacement, and the definition of a "hacker". However, we have yet to see a comprehensive document, or set of documents, that defines the parameters of good anti-disclosure policy. The discussion has, up until this point, been an unbalanced one. Generally, disclosure is discussed on forums such as Bugtraq, which obviously have a predominant pro-disclosure following. Supporters of non-disclosure can very rarely make similar postings for an obvious reason: they try to avoid the glare of the public limelight. The antiSecurity site is the perfect non-threatening environment in which open intellectual discussion relevant to this topic can take place. (So in answering the question, yes, we are :)
Q: What does antiSecurity suggest we do about people who siphon their reputations off the hard work and creativity of others (i.e. Aleph1, route)?
A: This is probably the simplest answer of all: Don't support them. Don't subscribe to their mailing lists, don't read their 'zines, don't use their software. Who said boycotts don't work on the Internet?
Q: Is there anything I can do to help?
A: Yes! We would greatly appreciate any assistance. Please email any proposals or suggestions you might have, including essays or rants to email@example.com. Whatever happens, don't post to Bugtraq! If you still can't stop yourself from doing this, try posting fake exploits and advisories, or trojaned code :). Remember that anybody who consciously decides to fire a loaded gun at somebody has already decided to accept the consequences.
Q: Give me your root password, or I won't believe you!
A: Obviously, you have failed to either read or comprehend any of the contents of this document. You might want to read this FAQ again, but there's a very good chance that won't do you much good.
Have ideas, or maybe your own antisecurity FAQ? Mail us: firstname.lastname@example.org