Old Forums: wtf.
Posted: 2009.07.11 (02:32)
by SlappyMcGee
Re: Old Forums: wtf.
Posted: 2009.07.11 (02:58)
by Ampersand
This is why you don't fucking use fucking imageshack or fucking photobucket in the fucking administration of Goddamn forums.
Re: Old Forums: wtf.
Posted: 2009.07.11 (07:43)
by Tunco
It's working quite well for me.
Re: Old Forums: wtf.
Posted: 2009.07.11 (11:44)
by wedgie
Yeah I also just checked it and it seems fine for me. What does it matter anyway; we are on these forums now.
Re: Old Forums: wtf.
Posted: 2009.07.11 (12:51)
by Spawn of Yanni
Re: Old Forums: wtf.
Posted: 2009.07.11 (13:13)
by wedgie
I'm struggling to understand what it is that these people are trying to do...
Re: Old Forums: wtf.
Posted: 2009.07.12 (14:43)
by unoriginal name
Wooooooooow. This isn't why I always use Tinypic, but I'm damn glad I do now.
Re: Old Forums: wtf.
Posted: 2009.07.12 (16:13)
by 乳头的早餐谷物
Idiots.
Re: Old Forums: wtf.
Posted: 2009.07.12 (18:58)
by blue_tetris
Transparency of operation gets things done.
The only people to benefit from a lack of full disclosure are hackers who keep getting foiled by the usually-slow-to-follow defensive programmers.
Re: Old Forums: wtf.
Posted: 2009.07.12 (19:10)
by SlappyMcGee
I dunno, I side with the anti-full-disclosure kids here. Telling you that there is a problem and that there is a means to fix it, here, is fine. Telling people how to exploit the problem (which is what they basically do, by full disclosure) means that everybody needs to get the latest x in order to block it, and those that don't? Well, they just became more susceptible.
Basically, initially, there are some hackers and some regular users who are unprotected. Some of those users will be hacked. Full disclosure means that there are going to be more "hackers" (scripters) and fewer regular users who are unprotected, which means that the population that does not want to pay for the latest fix are almost definitely going to be exploited. (Assuming it is something you need to pay for to fix, of course.)
Re: Old Forums: wtf.
Posted: 2009.07.13 (11:41)
by 乳头的早餐谷物
Telling the developer about the vulnerability and giving them some time to fix it is preferable to immediately releasing details of the vulnerability to the public, but if the option of full disclosure isn't there at all—which would be the case if these guys successfully take down everyone who does publish these things—there's far less incentive for developers to fix the vulnerabilities at all, which is bad for everyone.
Re: Old Forums: wtf.
Posted: 2009.07.13 (16:10)
by t̷s͢uk̕a͡t͜ư
Presumably, they'll be going after sites that try to stay bleeding-edge on reporting exploits?
I hope they're really good at what they do...
Re: Old Forums: wtf.
Posted: 2009.07.13 (17:47)
by Rhekatou
I can't see the goddamn photo
Re: Old Forums: wtf.
Posted: 2009.07.16 (04:26)
by jean-luc
Anti-Sec is crap. Here's why:
1) Immediate disclosure is not the standard in security. The standard is delayed disclosure, in which the manufacturer of the hardware/software and trusted security professionals are informed first. The public is informed a period of time after this which is set, but sufficient for manufacturers to correct the problem (often this is 30 days).
2) There is a reason that public disclosure exists. Manufacturers have shown an enormous tendency to deal with security issues by sweeping them under the rug. In short, if manufacturers are not forced to fix something, they won't. Public disclosure makes it into a looming issue and gives the manufacturer a bad name, resulting in the manufacturer fixing the problem. Now manufacturers continue to try to obscure problems by blaming security professionals for finding the vulnerabilities, rather than themselves for the vulnerabilities existing. Anti-Sec seems to have wholly fallen for this ploy.
When security vulnerabilities are not publicly disclosed, they do not get fixed. This has been clearly demonstrated by time. The current system of delayed disclosure is the best known way to ensure that security vulnerabilities are detected and corrected before they are exploited.