

Imageshack hacked - arihelgason
http://www.examiner.com/x-12971-Houston-Legal-Issues-Examiner~y2009m7d11-What-is-AntiSec-What-happend-to-ImageShack-overnight-Is-it-coming-to-town

======
noamsml
The article makes those guys' cause sound waaay more legitimate than it really
is. If their homepage and articles are to be believed, it seems like their
real cause is to stop exploit publication so that only the "real" hackers will
know how to breach machines. They're basically children that are whining
because someone took away their favorite toy. Paying them any attention does
us a disservice.

Also, the analogy is faulty. Trying to stop exploit publication so that we
won't need to buy security products is like trying to stop us from knowing
about germs so we won't need to buy antibiotics.

~~~
tsally
I agree with most of what you say, but it's important to remember that
antibiotics actually work. Antivirus is pretty much on the same level as
leaches and bleeding, if we want to keep going with the medical analogy. In
fact, I don't think anti-sec is angry about the fact that AV exists, just that
they think talentless people make millions off of selling a bad product (via
fear and misinformation).

John Viega (worked on McAfee's AV for many years) has written plenty about why
AV is so bad. His most recent book, _The Myths of Security_ is a decent read,
but probably not work paying more than $10 dollars for.

~~~
noamsml
They also rail against firewalls, though, which do work.

Also, antivirii may be a poor solution, but they don't do nothing; the
antibiotic analogy is apt because they are not a preventative solution, and
because they don't work on everything (you can't, for example, use antibiotics
against the flu), BUT they can help every once in awhile.

~~~
tsally
Personal firewalls actually don't work, and the reason is usability. iTunes
has 6-12 different executables with different names that require approval. How
is your average personal going to tell whether a program with a strange name
is part of iTunes or malware? Existing solutions do not address this problem.
Also, users get asked to approve applications so much that they start to
ignore the popups.

One possible solution to this problem is to crowd source program analysis. The
firewall popup would contain a rating system and user comments, and the user
could make a decision from there. Security companies are making too much money
off of crappy solutions at the moment to switch to this though.

~~~
derefr
> How is your average personal going to tell whether a program with a strange
> name is part of iTunes or malware?

Personally, I think the OS should stop asking the user to authorize _programs_
, and start asking to authorize _companies_ (i.e. master per-company
application signing certificates). You would get asked once that "Apple Corp."
or "Adobe Inc." or "The GNU Foundation" would like to install something on
your computer, and then it would be okay from then on. It would be alright to
accept further products from the same company without confirmation because, if
you _stopped_ trusting the company, you'd stop trusting _all_ their programs,
and would thus uninstall _everything_ by that company (i.e. under that signing
cert) at once.

------
mindslight
If the anti-sec group is for keeping exploits private, won't this _increase_
demand for add-on security band-aids like firewalls and virus scanners? More
undisclosed vulnerabilities means one should increase the layers of security
solutions for less chance of all of them being privately exploitable at any
given time.

.. Or are they implying that script kiddies are the only problem, and the el8
crackers can never be stopped, so don't even try? (but don't worry, they have
'ethics' !)

(side note: "And who knows what new crimes the hackers will dream up next?".
The actual question is what new crimes will the _government_ will dream up
next! Silly lawlyers.)

------
omail
Earlier discussion on this event:

<http://news.ycombinator.com/item?id=698744>

------
Bjoern
More information about Anti-sec:

<http://romeo.copyandpaste.info/>

------
tylermenezes
"posted within the last 8 or 9 hours, some with instructions on how to hack
ImageShack"

WHAT?

~~~
noamsml
I know, doesn't that sort of defeat the point?

------
cookiecaper
The weird thing is that full disclosure is not really a money grab. It's about
compelling vendors to patch their products so that we don't have millions and
millions of machines with an exploitable vulnerability.

