The headline came from Critical “Same Origin Policy” Bypass Flaw Found in Samsung Android Browser by Mohit Kumar, the last paragraph of which reads:
…
Since the Metasploit exploit code for the SOP bypass vulnerability in the Samsung Internet Browser is now publicly available, anyone with less technical knowledge can use and exploit the flaw on a large number of Samsung devices, most of which are still using the old Android Stock browser.
… (emphasis added)
Kumar tosses off the “… anyone with less technical knowledge …” line like that’s a bad thing.
I wonder if Kumar can:
- Design and create a CPU chip?
- Design and create a memory chip?
- Design and create from scratch a digital computer?
- Design and implement an operating system?
- Design and create a programming language?
- Design and create a compiler for creation of binaries?
- Design and create the application he now uses for editing?
I’m guessing that Kumar strikes out on one or more of those questions, making him one of those “anyone with less technical knowledge” types.
I don’t doubt Kumar has a wide range of deep technical skills, but lacking some particular technical skill doesn’t diminish your value as a person or even as a technical geek.
Moreover, security failures should be made as easy to use as possible.
No corporation or government is going to voluntarily engage in behavior-changing transparency. The NSA was outed for illegal surveillance, Congress then passed a law making that illegal surveillance retroactively legal, and when that authorization expired, the NSA continued its originally illegal surveillance.
Every security vulnerability is one potential step towards behavior-changing transparency. People with “…less technical knowledge…” aren’t going to find those, but with assistance they can make the best use of the ones that are found.
Security researchers should take pride in their work. But there’s no reflected glory in dissing people who are good at other things.
Transparency, behavior-changing transparency, will only result from discovery and widespread use of security flaws. (Voluntary transparency being a contradiction in terms.)