…or how almost everybody takes user-end security for granted.
It’s been quite a long time since I haven’t had the chance to play around with any potencially “mainstream” kind of vulnerability and this is due to two main things: I’m pretty busy with consulting and I left the “security” scene years ago (and to be honest, I have never been really into it, except for a few contributions to sourceforge, a linux kernel module, some rootkit and a script to operate massive smurf attacks, highest point of my script-kid career).
Being pretty busy with consultancy makes me often forget the importance of the “lower” layers of the tcp/ip stack, those which makes this whole thing work, from the dialup cables to your ethernet controller up until your browser javascript libraries.
Who holds the knowledge of all this levels would master this whole thing (well robably not) but sometimes I’d like to examinate CEO and digital marketing manager (I become pretty familiar with this very type of human being lately) on their proficiency of the internet. Most of them just jumped on the internet bandwagon without any knowledge of what lies behind their screens, they’re obviously more keen on understanding the end result, since this whole thing turned into a wonderful money making machine and that’s what they are after and, as we all do, we do take this whole thing for granted. We never imagine that there might be a f* huge zero day vulnerability ready to be exploited straitgh out of your browser, messing everything up.
Back in the days ip spoofing was quite a common feature of the most common script kiddie. Still it reaquired some skills, or at least a good list of updated proxies and some scripting.
According to this article from @bilawalhameed, it seems quite an easy thing to exploit, nothing like a buffer overflow with memory handling and all that, its just about a few lines of code. Thanks to himself pointing this out to the community, relevant fixies to major browser and on their way, so this will be soon fixed, no worries, you can keep shopping safe.
Anyway, to me here lies the morale: do ever f* take any of this for granted. It is great and beautiful and shiny and it gets more usable and friendly day by day, but there’s a lot of work behind, lots of code and a complex but logical structure of layers which makes all these wonders happen and this might not work perfectly forever. Please be considerate while using this, and most of all be aware that it is as fragile as complex. I say be aware, because it seems that most people running this nowadays completely ignore its complexity and inner vulnerability.
