Imageshack hacked (examiner.com)
27 points by arihelgason on July 11, 2009 | 17 comments


The article makes those guys' cause sound waaay more legitimate than it really is. If their homepage and articles are to be believed, it seems like their real cause is to stop exploit publication so that only the "real" hackers will know how to breach machines. They're basically children that are whining because someone took away their favorite toy. Paying them any attention does us a disservice.

Also, the analogy is faulty. Trying to stop exploit publication so that we won't need to buy security products is like trying to stop us from knowing about germs so we won't need to buy antibiotics.


I agree with most of what you say, but it's important to remember that antibiotics actually work. Antivirus is pretty much on the same level as leeches and bleeding, if we want to keep going with the medical analogy. In fact, I don't think anti-sec is angry about the fact that AV exists, just that they think talentless people make millions off of selling a bad product (via fear and misinformation).

John Viega (worked on McAfee's AV for many years) has written plenty about why AV is so bad. His most recent book, The Myths of Security, is a decent read, but probably not worth paying more than $10 dollars for.


They also rail against firewalls, though, which do work.

Also, antivirii may be a poor solution, but they don't do nothing; the antibiotic analogy is apt because they are not a preventative solution, and because they don't work on everything (you can't, for example, use antibiotics against the flu), BUT they can help every once in a while.


Personal firewalls actually don't work, and the reason is usability. iTunes has 6-12 different executables with different names that require approval. How is your average person going to tell whether a program with a strange name is part of iTunes or malware? Existing solutions do not address this problem. Also, users get asked to approve applications so much that they start to ignore the popups.

One possible solution to this problem is to crowd source program analysis. The firewall popup would contain a rating system and user comments, and the user could make a decision from there. Security companies are making too much money off of crappy solutions at the moment to switch to this though.


> How is your average person going to tell whether a program with a strange name is part of iTunes or malware?

Personally, I think the OS should stop asking the user to authorize programs, and start asking to authorize companies (i.e. master per-company application signing certificates). You would get asked once that "Apple Corp." or "Adobe Inc." or "The GNU Foundation" would like to install something on your computer, and then it would be okay from then on. It would be alright to accept further products from the same company without confirmation because, if you stopped trusting the company, you'd stop trusting all their programs, and would thus uninstall everything by that company (i.e. under that signing cert) at once.


Even firewalls in the enterprise corporate environment have the same problem. Network architects (well, the bad ones anyway) know what they need to do to the firewall to achieve connectivity but don't know what security side effects those changes have, thus rendering the firewall put in place to have no effect at all. This equates to 1000's upon 1000's of dollars spent simply to be rendered useless by silly decisions. I guess, having said this, the fault is more heavily placed on the user and not the equipment in this case.

I think if you look at the plight of anti-sec, the equipment and the software is as much to blame as the user controlling them in many of the cases.


Firewalls work in some situations. Saying firewalls do work, without qualifying when and how they work is problematic, I think. Just like anti-virus; they perform a useful service in a very specific set of circumstances.

We see a lot of superstition about firewalls (and AV, for that matter) on world-facing servers in our support forums. Folks seem to believe that just having a firewall running on a world-facing server will somehow protect from random attacks...but, the reality is that every service you provide to the world is one that cannot be firewalled. And if you aren't providing that service, why even run something on the port? So, the majority of firewalls I've seen configured on web, mail, DNS, etc. servers are effectively a no-op. They block ports that aren't listening and leave the listening ports wide open. You can, of course, make use of stateful features to provide some protection against some types of attack (brute force, in particular; DDoS, as long as it isn't too widely distributed; etc.) Even more disconcerting is when I meet "system administrators" who believe that having more than one firewall makes them even safer, even though they don't understand enough about either of them to have them actually doing anything. This superstition is good for Cisco and the host or ISP that is renting the user the device, but really bad for security.

It's worth railing against firewalls because there are firewall products being pushed by the same snake-oil industry that pushes AV and other band-aids and using the same misleading tactics, furthering the level of ignorance in the population at large about what a secure network actually looks like.

So, yes, put a firewall and a router performing NAT between your local network and the world. It will dramatically reduce the number of attacks on those machines and dramatically improve the security of that network as a whole. But, don't believe that a firewall is a solution to all security problems (or even a majority of them); just like anti-virus, it's got a time and place, and the way it is often pushed by the industry as a generic security "solution" is a problem.

Speaking of superstition, I've met folks running insecure PHP scripts on a Linux box that got hacked (user-level access, spambot running, etc.) who believed that it happened either because they didn't have the right firewall or the right anti-virus configuration; and they'd spent a bunch of time already on trying to figure out why those tools "didn't work"; and their questions to me were in the form of "Can you help me fix my firewall|anti-virus because we got hacked?". This is the kind of superstition I think is really harmful. Folks spend so much time fiddling with things that aren't even related to the actual security of their systems, and ignore the important stuff (don't run old crap, use strong passwords, don't run things you don't need).
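The point made in the comment above about host firewalls on world-facing servers, as an added example that is not part of the original thread: a short audit that compares listening sockets with a default-deny inbound allow list to show where the filter does any work. The `ss -ltn` sample, the allowed-port set and the function names are constructed for illustration.

```python
# Constructed sample of `ss -ltn` output from a hypothetical web/mail server.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
LISTEN 0      100    0.0.0.0:25         0.0.0.0:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379     0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*
"""

# Constructed inbound policy: default deny, only these TCP ports allowed.
ALLOWED_PORTS = {22, 25, 80, 443}

LOOPBACK = ("127.", "[::1]")


def parse_listeners(ss_text):
    """Return a set of (address, port) for every LISTEN line."""
    listeners = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        listeners.add((addr, int(port)))
    return listeners


def classify(listeners, allowed):
    """Split ports into exposed, firewall-protected and loopback-only."""
    external = {p for a, p in listeners if not a.startswith(LOOPBACK)}
    loopback = {p for a, p in listeners if a.startswith(LOOPBACK)} - external
    return {
        "exposed": sorted(external & allowed),         # filter passes these through
        "protected": sorted(external - allowed),       # only place the filter does work
        "loopback_only": sorted(loopback),             # unreachable with or without it
        "allowed_unused": sorted(allowed - external),  # rule with no listener behind it
    }


if __name__ == "__main__":
    report = classify(parse_listeners(SS_OUTPUT), ALLOWED_PORTS)
    for name, ports in report.items():
        print(f"{name:15} {ports}")
```

Everything under `exposed` is defended only by the service itself; a non-empty `protected` list is usually better fixed by rebinding or stopping that service than by relying on the filter.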


I'm completely in agreement with everything you're saying, but I don't see how your argument really has much in common with the "anti-sec" BS.

There's a lot of snake oil security in the world, and the AV publishers and firewall vendors are a big part of it. But there are people doing real security research, actually working on hardening various pieces of software, finding vulnerabilities, etc.

It seems like the "anti-sec" people want to shut down real security research, the kind that finds vulnerabilities in software and forces vendors to fix them, with the result that most users would have nothing but snake oil between themselves and the criminals.

Of course I think the real motivation behind the "anti-sec" "movement" is transparently obvious: it's less-than-talented black hats who are pissed that usable exploits are being disclosed, meaning they're far less useful for nefarious purposes and get plugged more quickly. They would, I'm sure, prefer a no-disclosure environment where vulnerabilities stayed open for years, and were only known to the crooks.


> I'm completely in agreement with everything you're saying, but I don't see how your argument really has much in common with the "anti-sec" BS.

It doesn't. I just wanted to point out that the security industry truly is full of shysters, and I suspect that's why the "anti-sec" rhetoric has a strong resonance for some people. They sound like elitist children to me, but there is definitely an underlying bit of truth in the arguments they make.


Hacker "wars" have been going on for a long time. Within that community there is a lot of status and class battles going on. Anti-sec is just another one of these. It's a group that's trying to look cool with high-profile hacks, and veil themselves in secrecy so as to elevate themselves above others.

They're probably little different other than their defacement banners.


If the anti-sec group is for keeping exploits private, won't this _increase_ demand for add-on security band-aids like firewalls and virus scanners? More undisclosed vulnerabilities means one should increase the layers of security solutions for less chance of all of them being privately exploitable at any given time.

.. Or are they implying that script kiddies are the only problem, and the el8 crackers can never be stopped, so don't even try? (but don't worry, they have 'ethics' !)

(side note: "And who knows what new crimes the hackers will dream up next?". The actual question is what new crimes the government will dream up next! Silly lawyers.)


Earlier discussion on this event:

http://news.ycombinator.com/item?id=698744


More information about Anti-sec:

http://romeo.copyandpaste.info/


The weird thing is that full disclosure is not really a money grab. It's about compelling vendors to patch their products so that we don't have millions and millions of machines with an exploitable vulnerability.


"posted within the last 8 or 9 hours, some with instructions on how to hack ImageShack"

WHAT?


I know, doesn't that sort of defeat the point?


So, let me get this straight; "anti-sec" is an anti-full-disclosure group, who practice ... full disclosure.

Got it.



