(this is free-speach copyright, mean like i told that to you freely in personal/public talk, so you can do anything to it) Q: Why security is bad thing? A: In short - hell is totally secure. Do we want live in hell?.. If people follow security at first everywhere - probably we will still live in den. Q: What is nature of security? A: Nature of security is restriction, destruction and antagonism to freedom. That thing is balance freedom. Wrong is - in current situation - process of security - grow much faster then freedom. And that speed is not accident - that is artifically stimulated by technology of war. We are now stand on fork and choosing between totalitarism or freedom. And governemt always glad to help us choose first. Q: Technology of war in security? What do you mean? A: When people improve weapon to beat other people. Other people, of course, improving own weapon too. Keyword is "people vs. people". Q: Who profits from the infosec war? A: Security companies do (this is their line of employment). They need to use scare tactics to motivate more people and companies into thinking their services are not only desirable, but necessary. It's simple Capitalism. These corporations make security popular and fashionable, and turn it into a consumer pastime. Why can't they carry out their jobs with less glamour? Q: How do scriptkiddies help security? A: This is an easy answer. The term was coined as a whip fashioned by various "security experts" with which to flog the public. They show us depictions of these lawless, rabid, savage kids who are out of control, so they can impress upon us the demographic from which they defend us. Q: Can I sleep safely at night while Bugtraq is around? A: Absolutely not. Q: How does Bugtraq help security? A: Bugtraq serves as a front for an underground cabal through which electronic weapons of mass destruction disseminate amongst scriptkiddies. It is also an addictive substance which has hooked admins trying to preserve their systems' security without getting owned by the "early bird" defacer who grabs the exploit before their local ISP has been notified of the vulnerability. However, even Bugtraq publicizes a false concept of "full disclosure," since information about competitors or friends (like @stake) is tossed in the trash. Full disclosure simply serves to sate the scriptkid's addiction to power, and this addiction is very hard to break. antiSecurity aims to help stop that addiction. Q: What's wrong with full disclosure? A: Full disclosure attempts to contradict the saying "two wrongs don't make a right" in the sense that it stimulates criminal activities in order to catalyze security awareness. Take the following example: An unrestricted maniac runs around the streets, shooting people in the name of improving security because he aims to increase the public use of bullet-proof vests. And who makes these vests? After everybody is protected by vest v1, the public is complacent, and sales of vest v2 must be stimulated by inventing a shotgun which penetrates the first vest. There is competition in the vest manufacturing business, so they all profit from the development of higher powered munitions. Manufacturers get money, and also lobby for pro-homicidal laws in other countries to spread the market, while innocent people suffer at their expense. The cycle still doesn't end with vest v666, because a newer armor-piercing bullet is in the works. How do you end the rat race? Stop full disclosure! Q: We should fix all bugs! How could it be otherwise? A: Imagine terrorist control nuclear bomb from box on internet, and nobody can terminate bomb controlling process to stop countdown. Or your house is absolutely secure but you lost key by accident - how you will return in your own home? In real world security is always limited - nobody make safe doors everywhere and lock them. In case of emergency you will need access w/o keys. Absolute security is nonsense. People forgot about that for computers and trying to reach it.. Q: Isn't all hackers is a bad people? A: No! People are different, but probabilty of bad person in 10 or in 1000000 is different... (hint about script-kids). And i tell you if compare hard working person who know cost of own work and idling kid or newbie - who will do shit very likely? Q: All admins are good/bad people? A: No! Think! So don't attack EVERYBODY, and don't protect EVERYBODY! If you pretect bastards you are on bastard's side. Do you know BOFH admins are exists? Q: Why worry about security? Vulnerabilities will always exist and there is no absolute protection against them. A: Exactly correct. But if problem can't be solved in dumb way, this is don't mean it is can't be solved indirect. This is why many of us have safeguarded ourselves with security measures such as encrypted or steganographized filesystems in the case that our sensitive information is accessed in an unauthorized manner. Security will never be absolute, but technological developments will continue to be made to push possible system security as close to absolute system security as possible. I can't disallow people come to my computer, but I can make another restriction so even if them come they can't access data. I put encrypted disk. Side efect is i need always enter password myself and id slower disk operation. We can fight spam. But we can disable relaying email thru our system for unknown. Can't stop DDOS attack but can make global tracking system over internet. We can't restrict access for one, so we restrict for everybody. This is cost of security. More and more progressive restrictions. Q: I just love finding bugs, though. What's wrong with that? A: Air Force pilots loving flying planes, too. Sometimes they even find themselves flying missions over Hiroshima and Nagasaki. Q: What are "grayhats" and how are they different from whitehats and blackhats? A: Grayhats are indecisive people who consider themselves to be neither blackhats nor whitehats, or both blackhat and whitehat. However, being a grayhat, is not synonymous to existing in a "healthy medium." Rather, these individuals do not pledge allegiance to either side of the controversy, and in not doing so, commit blunders that hurt supporters of both viewpoints. Q: Is antiSecurity motivated in any part by personal profit? A: Can true freedom be reduced to the sole notion of economy? What seems odd in all of this is that many of Bugtraq and Packetstorm's followers are aficionados of free, open-sourced operating systems which have been provided as efficient and stable alternatives to highly commercialized and unduly popular OS'es such as Windows. But when it comes to security, they can't understand that measures they take towards "freeing information", such as full disclosure actually serves to fuel commercialism in the security market. How can we bring this to popular attention? Q: Is antiSecurity trying to change the world? Isn't that a bit radical? A: Everything is going to sound a bit ambitious at first. But it's got to start somewhere. So far, we have had manifestos published on the net concerning the ethics of hacking, defacement, and the definition of a "hacker", but we have yet to see a comprehensive document or set of documents that defines the parameters of anti-disclosure policies. The discussion has, up until this point, been an imbalanced one. Generally, disclosure is discussed on forums such as Bugtraq, which obviously have a predominant pro-disclosure following. Supporters of non-disclosure very rarely make similar postings for obvious reasons: they avoid the glare of the public limelight. The antiSecurity site is the perfect non-threatening environment in which open intellectual discussion relevant to this topic can take place. (So in answering the question, yes, we are :) Q: What does antiSecurity suggest we do about people who siphon their reputations off the hard work and creativity of others (ie Aleph1, route) ? A: This is probably the simplest answer of them all: don't support them. Don't subscribe to their mailing lists, don't read their 'zines, don't use their software. Who said boycotts won't work on the Internet? Q: Is there anything I can do to help? A: Yes! We would greatly appreciate any assistance. Please email any proposals or suggestions you might have, including essays or rants to [1]anti@security.is. Whatever happens, don't post to Bugtraq! If you still can't stop yourself from doing this, try posting fake exploits and advisories, or trojaned code :) Remember that anybody who consciously decides to fire a loaded gun at somebody has already decided to accept the consequences. Q: Give me your root password, or i don't believe you! A: Obviously, you have failed to either read or comprehend any of the contents of this document. You might want to read this FAQ again, but there's a chance that won't do you much good. [This page was written by the staff of anti.security.is(RIP). All credit to them.]