Being busy means I cannot keep regular posts or post on the code topics cluttering my drafts box, many of which just need a piece of code here or there. However, theory is easy and I cannot really do much with my code
reaching out in an interactive way to the internet while everything is updated, again.
Why is this happening yet again, why is ShellShock allowed to exist in 2014, almost two decades since the world discovered it could do things like cookie SQL Injection or just flat out cookie manipulation? Why is this a problem when so many algorithms exist to put an end to this deviant nonsense? Why is every attempt at some sort of web security half-crocked?
I have a simple proposal. Track IP addresses and other headers, monitor behavior, use statistical patterns, and implement a graph attached to those IP addresses representing the valid path of pages from the current page to stop everything from scraping to manipulation. Furthermore, implement a system of permissions that make this more feasible and ensure that trusted IP addresses and identifiers really are who they say they are. Deviants are deviants through and through and we put them in a programmer controlled environment. While we cannot protect against every attack, there is a better attempt than we make today to stop these people from accessing our systems. They probably have somewhat unusual patterns of behavior. While we cannot stop everyone, we can make a better attempt and be safer.
This may require separating the web and test environment entirely but that is not a bad thing, right? It is easy to implement this. Any CS I student worth half a penny can implement a de-duplicated graph in under a second with hash maps and some code magic (it has been a while since I had to search 1,000,000 nodes in less than 60 seconds). Combine this with the fact that today’s machines can have over 100 gb of RAM and terabytes or more of disk memory, not to mention the processors, and current security mechanisms start to look like David v. Goliath. Does the saying good enough for government work apply to hacking or should the NSA teach Congress how to work?