People think that finding vulnerabilities is about finding holes in code.
But at some level it's not really about that. It's about understanding that
the code itself is a hole in the swirling chaos of the world and just
letting a little bit of that chaos in allows you to illuminate the whole
thing.
Spending time in Seattle is a little bit like buying a pair of high-powered
binoculars to look down the train tracks at that weird light that's heading
towards you. Seattle is a city perpetually timeless and jet lagged - as far
away as a giraffe's head from the country's dual beating hearts of New York
City and DC.
The city rests on an absolute bedrock of code. Code that feeds on lives
everywhere as voraciously and implacably as a blue whale gulping krill. In
that sense, the inhabitants of Seattle are those who have realized it's
better to be on top of the whale than inside it. It is perhaps why all the
architecture is as boxy as an early software package. If you pulled the lid
of any of the buildings next to the water you might see the packaging for a
Windows 95 CD ROM, or a bunch of floppies with a forgotten database.
When you go running past all these horribly efficient buildings down to the
water on the lone sunny day, you will be surprised with a bunch of naked
people, stripping down next to an old industrial park turned into a
playground, covering themselves in body paint before some eldritch
streaking ritual for the parade over the hill. Around them buzz
photographers immortalizing the moment. Memes infecting other memes like an
endless series of smaller wasp larvae.
Flying back to Miami, amongst the bridal parties and vacationers, over an
endless survey of drying rivers and lakes, the ravages of unchecked climate
change exposing raw pale edges the exact beige color of army pants. The
whole country - a patchwork tinderbox of exposed nerves.
With the right kind of eyes you can see a little bit of chaos being let in.
-dave
If you've walked through the Underworld long enough, you've run into
demons. Or maybe it's the other way around - by running into enough demons,
you might realize you are walking through the Underworld. And by making
friends with them, if you are lucky, you might realize you are a demon
yourself.
[image: image.png]
My brother in Zeus - this is just tempting the Fates.
Every so often an exploit from the Underworld is found. Maybe one or two a
year is dragged screaming curses in a long-dead language out into the
sunlight, pinned against a Kaspersky GReaT blogpost, and vivasected for the
world.
Sometimes these are simple bugs, with complex exploitation chains.
Sometimes these are complex bugs, but with reliable simple exploit chains.
Occasionally you see a host of bugs, all linked together like fire ants
fording a stream. If you've walked through the Underworld enough you'll
simply nod in recognition of them, perhaps stop to admire the artwork of
the Runes carved into their skins by some unknown spellcrafter.
My point is this: it doesn't matter what the real-world utility is for an
exploit, because demons don't care. They operate partially in the future,
perhaps. Or maybe ignoring real-world utility evolved as a sense of
necessity of staying ahead of the eyes hunting for them. I'm not sure. But
my rule - a core axiom of persistent engagement - is that if it can be
done, it is being done already.
-dave