Outsourcing And The Future Of I.T.
By Daniel Miessler on April 29th, 2006: Tagged as AI | Hacking | Programming
“In any case, I don’t think outsourcing per se is much of a threat. I bet much of the time it’s just a symptom of using a language that’s not abstract enough. In effect you’re using the programmers in India or wherever as human compilers.” — Paul Graham
If I’m reading this right, he’s saying exactly what my friends and I have been talking about for a couple of years now. Essentially, before too long, the idea is going to be what’s valuable — not the ability to implement it.
This is a major development in any field, really, and it certainly is in information technology. What it means is that like 75% of the IT work force is going to be made obsolete. I’m making up those numbers, obviously, but it’ll be a lot.
Think about how many IT workers you know. How many are creating things vs. implementing them and doing common, repetitive tasks? Being in information security I am in the upper crust of standard IT workers, but the vast majority of my time is still spent implementing and doing common things. This will all be going away before too long, though.
The only thing that’s going to be useful, really, is hacking. Anything other than hacking is simply implementation of said creativity, and that’s going to get increasingly easy as languages improve and/or AI becomes more powerful.
As AI does get more…intelligent, it’ll essentially be every hacker’s familiar — sitting there ready to help implement whatever cool idea the hacker comes up with. Either that or the languages/IDEs will be so advanced (using AI, no doubt) that ideas will be written (spoken?) by the creator in pseudo-code, at which point the program itself will do the work necessary to make the idea usable to a computer.
Anyway, more ramblings from me. Let me know what you guys think…
CSRF is Wicked
By Daniel Miessler on November 30th, 1999: Tagged as Hacking | Information Security

I’ve been studying web security again recently and decided to do a POC of CSRF (Sea Surf) (Cross Site Request Forgery). It’s been done/covered many times before but is worth discussing given how few know about the issue.
The link below is a page on my website that logs you out of dslreports.com (my favorite security forum) without you doing anything but viewing the page. It works by my having an image on the page that points to the logout URL, which your browser automatically loads upon visiting the page.
The problem? If you’ve been to DSLR recently it sends your cookie along with the request to logout. So YOU did it, not me. What else can someone make you do using your own credentials?
So here’s the link. Don’t click it unless you don’t mind me logging you out of DSLR. (Or, more accurately, me making you log yourself out of DSLR. :) )
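The server side of the logout issue described above, as an added example that is not from the original post or from dslreports.com: a logout handler that trusts the cookie on a GET request, next to one that requires POST and a per-session token. The function names, the request shape and the in-memory session store are assumptions made for illustration.

```javascript
// Added example. Handler names, request shape and session store are assumptions.
const { randomBytes, timingSafeEqual } = require('crypto');

// Constructed in-memory session store: session id -> { user, csrfToken }
const sessions = new Map();

function login(user) {
  const sid = randomBytes(16).toString('hex');
  const csrfToken = randomBytes(32).toString('hex'); // embedded in the site's own forms
  sessions.set(sid, { user, csrfToken });
  return { sid, csrfToken };
}

// Weak: a state change on GET, authorised by the cookie alone. The browser
// attaches the cookie to any request for this URL, including an image load
// started by another site, so the server cannot tell who initiated it.
function logoutWeak(req) {
  if (req.method !== 'GET' || !sessions.has(req.cookies.sid)) return 401;
  sessions.delete(req.cookies.sid);
  return 200;
}

// Hardened: POST only, and the body must carry the per-session token,
// which a page on another origin cannot read.
function logoutHardened(req) {
  if (req.method !== 'POST') return 405;
  const session = sessions.get(req.cookies.sid);
  if (!session) return 401;
  const sent = Buffer.from(String((req.body || {}).csrf_token || ''));
  const expected = Buffer.from(session.csrfToken);
  if (sent.length !== expected.length || !timingSafeEqual(sent, expected)) return 403;
  sessions.delete(req.cookies.sid);
  return 200;
}

// Constructed request: what the server sees when a third-party page embeds
// the logout URL as an image (GET, the visitor's cookie, no token).
function crossSiteImageLoad(sid) {
  return { method: 'GET', cookies: { sid }, body: {} };
}

const demo = login('alice');
console.log('weak handler:', logoutWeak(crossSiteImageLoad(demo.sid)));
const demo2 = login('bob');
console.log('hardened handler:', logoutHardened(crossSiteImageLoad(demo2.sid)));
```

Setting `SameSite=Lax` or `SameSite=Strict` on the session cookie is a complementary control, since the browser then withholds the cookie from cross-site image requests.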