Let me try again. Built before bad actors that were the state, or someone smarter than hackers on the outside, were a thing. SS7, once you are on net with it, is pretty wide open.
It made sense at one point in the past when everyone was worried about keyloggers and nobody was thinking about credential stuffing. Information security has come a long way in the past 20 years.
What is now a common practice was nonexistent a few years ago.
20 years ago you could bypass Windows login with a few clicks.
15 years ago CORS was nonexistent. 15 years ago it was common to send sensitive data unencrypted... and so on.
Ex-Facebook people told me that until around 2010 FB management turned a blind eye to its employees digging around their databases. Then they released a warning that people should stop and started locking prod data down. A few months later those who still peeked around prod data were let go.
It's hard for me to take seriously the idea that we're in the midst of a security disaster today; I got started professionally in the mid-1990s, during an era when virtually every computer system on the entire Internet was riddled with stack overflows. It was so easy to exploit memory corruption in 1995 that you could sometimes write a code execution exploit blind.
> FWIW IOS backdoors were already being researched by 2003 [...]
I recall there was a Swede (the grue?) on the Pull the Plug IRC network who was cross-compiling and linking in backdoored object code in Cisco IOS images already back in 2000.
Good to see that the technique is still viable after two decades.
On a related note, this sort of issue (difficulty researching the origins of techniques, and hacking history in general) is a problem that will only get worse. As a community we haven’t created an institutional memory beyond “the oldest hacker you know.”
I personally remember witnessing the exploit of reused credentials as far back as the 80s in the days of modems and personal BBSes. Here we are almost 40 years later and seeing the same problem, except with high speed live video streams from in and around a user's home. WOW!
Also F5 or Citrix: some of their core security products had 90s-style C exploits and other signs of development practices well behind the times - roughly at the level of going to surgery and seeing your surgeon not washing their hands in the bathroom.
Wild. I guess the NSA black bag job at Google was 2013, which led to SSL everywhere. I guess most folks still had the hard and crunchy on the outside, soft and chewy model on the inside mindset. Time flies.