Building on Sand

Every executive in America and tech evangelist believes the internet has matured while every engineer knows it is still held together by browser quirks, unpaid overtime, and prayer.

I make a living in ActionScript building Flash applications, banner ads, splash pages, and all the cruft needed to obfuscate waiting on server responses away from the users tolerance and attention span. If you've shaken a money tree to win a vacation or power clicked a genie's animated flask fix your credit score, you've interacted with my software.

Industry at large embeds this stuff into their "experience." Banks use it. Media companies use it. Universities use it. Internal corporate portals use it because nobody can get JavaScript to behave consistently across browsers, the box model to support IEx is still impossible and nobody wants to hear another speech about standards compliance from a consultant wearing jeans.

So Flash becomes the compromise platform. It's the malware/rootkit delivery system. It is not beloved. It is tolerated. Which is often more profitable.

The public thinks Flash means dancing monkeys in banner ads and games where ninjas throw stars at accountants. That is a big part of my role but, they don't see the insurance dashboard, the learning management portal, the analytics console, the video platform, the sales configurator, and the internal workflow tool whose entire existence depends on a plugin installed by accident three years ago.

I spend my days writing ActionScript and my nights explaining why a website now requires threat modeling.

Because once you place a runtime inside the browser, you inherit runtime problems. Code executes on hostile machines. Data persists locally. Network requests cross domains. Permissions appear in dialogs users click through like cattle crossing a road. .swf on .swf on .swf on .swf

The industry's UX and product experts say we are launching a customer experience. I say we are deploying a distributed attack surface. A malware/rootkit delivery network. They may think me negative. Then they forward the security advisory and I spent hours trying to support numerous runtimes.

Flash today is the symbol of this web and desktop era. It is clever, powerful, widely adopted, and fundamentally unfit to carry the amount of trust society has assigned to it. Naturally, we build everything on top of it.

That is how civilizations end.

Popular posts from this blog

The Fallacy of Cybersecurity by Backlog: Why Counting Patches Will Never Make You Secure

By a Former Engineer Turned Cybersecurity Leader For much of my twenty years as a software and security engineer, and now as a cybersecurity executive, I have watched organizations cling to a deeply flawed belief: that security maturity is reflected in the length of the patch backlog, the volume of vulnerabilities closed, or the number of tickets resolved in a quarter. Entire cultures are built around these metrics. Dashboards glow green when patch counts dip. Leaders celebrate the deletion of Jira, SNOW, etc. tickets as if the act of closing them somehow hardened the enterprise. But this fixation on downstream remediation creates an illusion of control while masking the fundamental problem upstream, there is an innovation pipeline that lacks guardrails, architectural clarity, and secure defaults. The symptom becomes the scorecard, and the root cause remains untouched often under a guise of promoting freedom. Security teams often find themselves in a perpetual treadmill of “forever f...
Read more

IPv6 White Paper I: Primer to Passive Discovery and Topology Inference in IPv6 Networks Using Neighbor Discovery Protocol

Introduction IPv6 drastically reshapes the surface of network reconnaissance, replacing the narrow 32-bit address space and broadcast semantics of IPv4 with expansive subnets and a multicast-centric control architecture. In this new model, Neighbor Discovery Protocol (NDP), Multicast Listener Discovery (MLD), and ICMPv6 signaling collectively define how hosts announce their presence, interact with routers, form addresses, resolve local neighbors, and verify reachability. Although this model was engineered for efficiency and stateless configuration, its reliance on predictable multicast traffic introduces a rich layer of metadata that can be quietly harvested by a passive observer. This paper explores the extent to which NDP, and its associated control protocols, leaks meaningful information about a network’s hosts, topology, addressing structure, and operational state. It also outlines how these behaviors can be transformed into the foundation of a silent IPv6 reconnaissance system cap...
Read more

This is Cybermancy

Image
Preface This document is a manifesto, not a tutorial. It is written for practitioners who live inside systems rather than around them. It is for those who build, test, trace, break, and repair complex machinery at scale. It is not concerned with tools, techniques, or exploits, but with the way of seeing that precedes all of them. The worldview here is neither criminal nor romantic albeit a bit poetic and whimsical in my own way. It is operational. It emerges naturally in those who understand that modern systems fail not because they are attacked, but because they are misunderstood. What follows is a statement of posture, responsibility, and discipline for those who recognize that sight itself is the rarest capability on the Grid. Cybermancers are not defined by exploits, hardware, or street legend. Those tangentials  are the residue and not the essence. A cybermancer is defined by how they see the Grid  not as fortresses, maps, gates, and walls, but as a breathing lattice of...
Read more