The term “Anti Security Movement” was first introduced in the manifesto document available as an indexed page on the website

The purpose of this movement is to encourage a new policy of anti-disclosure among the computer and network security communities. The goal is not to ultimately discourage the publication of all security-related news and developments, but rather, to stop the disclosure of all unknown or non-public exploits and vulnerabilities. In essence, this would put a stop to the publication of all private materials that could allow script kiddies to compromise systems via unknown methods.


The Security Paradox by The New York Times

This past May, I met with a Microsoft product manager to discuss the impending release of Windows XP Service Pack 2, which I reviewed recently in Circuits.

There was a lot to cover, as you can imagine, but I remember reacting to one of his comments in particular. He said something like, “Not only are viruses and other attacks coming more and more frequently, but the hackers are writing them faster after we patch each security hole.”

I was baffled. “Excuse me, did you say that the attacks are being written AFTER Microsoft patches the hole that they exploit?”

It just made no sense. Once the hole is patched, why would anyone bother writing a virus that exploits it?

The Microsoft guy explained that the virus writers aren’t all that smart. They aren’t the ones who discover Windows’s vulnerabilities.

Instead, what usually happens is that some brainiac at a university or security firm usually finds the hole, and then notifies Microsoft. Microsoft then puts together a security patch, which it releases to its millions of customers to protect them.


Only then do the hackers and virus writers learn about the security hole and how it works — by studying Microsoft’s patch. The problem is that it takes weeks or months for Microsoft’s patch to get distributed to all those millions of customers. (Three weeks after Microsoft releases a patch, only half of all PC users have installed it, according to an expert interviewed by PC World.) The hackers simply beat Microsoft’s fix to your PC’s front door.

The painful part is that Windows XP already contains a mechanism for installing Microsoft’s patches the very day they become available. It’s called Automatic Updates, and it’s an icon in your Control Panel. But at least until Service Pack 2 came along, far too few people had Automatic Updates turned on.

In this month’s PC World magazine, a brilliantly conceived article tracks the life cycle of the Sasser worm that caused millions of dollars of damage last May. Sure enough: a well-meaning researcher found a weakness in Windows and told Microsoft about it. Microsoft released a patch, complete with technical details — that allowed an 18-year-old in Hannover, Germany to write a worm that exploited the hole.

But before the masses install that patch, “reports of the worm’s impact fly in: Operations have been disrupted at companies like Goldman Sachs and British Airways. Computers in half of Taiwan’s post offices have been infected… The magnitude of the worm’s disruption is staggering: 5000 computer systems and associated X-ray equipment at a hospital in Lund, Sweden, stop responding; 1200 PCs at the European Commission headquarters in Brussels cannot get online; and Sun Trust bank and American Express in the United States lose Internet connectivity entirely for several hours.”

The article poses two important questions. First of all, it took Microsoft six months to write the patch that fixed the Sasser hole. Six months!? Man, it wouldn’t have taken six months if Microsoft weren’t a monopoly, I’ll wager.

Second, this may sound slightly insane, but should Microsoft really be fixing these obscure holes at all? Think about it: the virus writers would never even have known about the hole if Microsoft hadn’t patched it! As the PC World article puts it, “You have to wonder whether this cure is worse than the disease.”

So what’s the answer? (It’s probably a bit much to suggest that corporations switch over to, for example, the Macintosh, for which not a single virus or worm has yet surfaced.)

Microsoft has pinned its hopes on Service Pack 2, which closes dozens of holes, reinforces hundreds of weaknesses, turns on the Windows firewall, makes it harder for amateurs to open up e-mail attachments, and waves bright orange flags in front of your face if you don’t have Automatic Updates turned on.

Even that’s not a perfect solution, though; some of my Windows-geek friends actually leave Automatic Updates turned OFF, so that they can research the reliability of each new Microsoft patch before they install it. (For anyone who’s not a computer professional, though, I think that’s too much homework. Leave Automatic Updates turned on, so you don’t wind up forgetting to install a patch and becoming the victim of the next Sasser.)

For now, then, we’ll have to hold our breaths and hope that the Service Pack solution turns out to be successful. But really, now: if the world’s best and brightest minds do indeed work at Microsoft, it’s a little distressing to see them outsmarted by a teenager from Germany.