jimjones@low-level.net

Q: Who started antiSecurity and why?
A: The antiSecurity movement was founded by a joint (and somewhat overlapping) consensus of two groups, ADM and security.is. The founding was a reaction sparked primarily by recent leaks of several exploits and the rise of several notable figures who have littered the Bugtraq mailing list with the publication of many exploits and vulnerabilities, which often were not their own to begin with.

Q: How can I join antiSecurity?
A: A cliche is in order, but "Practice what you preach". Simply put, be content doing your own thing, and hold your exploits personally or within a closed and trusted group of individuals. In other words, DO NOT POST! If you follow this creed, you are already a true member of antiSecurity. If you would like to show your support in a more formalized manner, you can send an EMAIL directed to the contact point on this page, stating your desires, philosophies, and policies towards closed exploit development.

Q: What is the meaning of the blacklist?
A: The blacklist is a list of groups and individuals in the security community who have engaged in policies that have served to harm mutual developers, network administrators, and security researchers through reckless postings or leaks. Note that there is no implication of a lack of skill among these list members, as several are highly advanced in their respective security niches. Nor is there any suggestion that these are bad or amoral people. It just means that they have engaged in activities contrary to the antiSecurity creed (or anti antiSecurity). Please note here that many members of the blacklist are notable "whitehat" figures in the sec world. The subtle point here is that many whitehats inadvertently serve as blackhats when they release weapons of electronic destruction.

Q: Exactly what's wrong with open security again?
A:
1. Would you give handguns to toddlers? Then why give 0day to angry teens?
2. Many postings are done for political reasons which aim at corporate embarrassment.
3. Many recent works that end up being published were not released by their authors. Many of these exploits have standard copyrights and disclaimers which state that the exploits may not be retransmitted or published without the consent of the author. Why are these wishes not honored? In any other form of information exchange, whether it be artwork, poetry, or literature, outrage would be expressed by authors who have their personal and private hard-earned works published. But nobody cares if this is an exploit. Packetstorm and www.hack.co.za are sitting pretty on stockpiles of exploits which could be ticking time bombs for legal action such as lawsuits from enraged authors who have taken necessary and proper (and yet ignored) actions to protect the confidentiality of their works.

Q: Doesn't it seem a bit contradictory that the two main founding groups of the antiSecurity movement (ADM and security.is) both have published exploits on their websites/ftp sites?
A: Absolutely not. The exploits which are present could be there for a number of reasons. One is because of leaks. If the exploit leaked to the public, it was most likely published on the main site after it was archived on various security sites. Another reason is that vendors discovered some of these flaws, fixed them, and notified the public, thus rendering the information insensitive. Thirdly, exploits could be several years old and may have been released simply because they were archaic or obsolete. Finally, the exploit could be a rather useless one, such as a vulnerability in very uncommon server- or client-based software. In all of the cases, the nature of release was very harmless - they did not negatively impact the security community.

Remember, nobody has the right to criticize others for the privatization of personal code. Just like any other artistic creators, coders have the natural right to keep findings secret and personal. Often many hard hours, days, and even weeks go into the development of a viable and correctly functioning exploit. This task is not always trivial or swift. Despite trite sayings, exploiting a particular problem is harder than fixing it, as the patch or difference is usually only a matter of a line or two of code. If you are not a developer, then you cannot possibly mount a reasonable attack on others who often unwillingly sustain the progress of the Underground.