Cory Doctorow started pointing out that there is an incentivized decay of major internet platforms. While he refers mostly to the end-user perspective, the repercussions of this decay are also visible in the information security domain. Before proceeding, let’s set up our assumptions first:
- Proper software security is an inherent sign of quality.
- Quality is one of the metrics of engineering excellence (you do not actually believe that security is part of QA, do you? If you do, can I get a ride in your time machine please?).
- Excellent technology does not always win and this can be OK. However, it used to win way more often than not.
- Deliberately downgrading existing technology is a major regression and the very definition of wasted productivity.
- For security, there is a significant and proven body of research work in all relevant domains, so the knowledge already exists (and should be expanding).
- Security artifacts (the term artifact is used by analogy to the audio engineering world) can appear at any SDLC stage.
- The earlier security artifacts are detected, the cheaper, easier and less stressful the efforts to neutralize or, at the very least, mitigate them are.
- The lifetime of security artifacts, even those for which a “patch” is available, can greatly exceed the expected one.
The points above have been discussed to death for years. Each point above is probably worth a separate blog post and yes, there are exceptions to the rule, especially if you factor in economics, but again, they hold true way more often than not.
A few days ago, CVE-2026-24061 came up on one of my sources of online information. What grabbed me was the -froot. I actually had to pause and stare in disbelief as it brought back memories. In an (overly simplified) nutshell, this vulnerability exploits telnetd (a protocol that is insecure by definition but light on resources) owing to the daemon accepting unsanitized authn/authz input from the remote user. CA-1994-09 anyone? So, a conceptually similar vulnerability appears at least 32 years after the official acknowledgement, and it is not the only one. I am assuming that a few folks reading this article are younger than CA-1994-09, which empirical evidence suggests survived at least until the onset of the 21st century. Add in that one of the most likely places for telnetd to appear is IoT devices, which might be easy to “patch”.
Another recent choice item is that folks who self-host ClawdBot, a personal AI assistant, can end up giving remote access to the rest of the Internet. This is not a fault of the project per se; after all, they do provide dedicated security documentation (which could have been more prominent, but at least it is there and quite usable). But again, not everyone RTFMs the official docs: some folks prefer compressed instructions that might not apply to their execution environment, or even watching the click-baity YouTube video. This is a problem easily solvable even with just a stateless firewall, which has existed since the dawn of the Internet (to clarify: network layer only access controls do not neutralize or mitigate all possible attacks, but they do just fine for this scenario). Again, technologically trivial problems do appear, do have an impact, and we have had the solutions from a tech perspective for decades.
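To make the stateless firewall point concrete, here is an added example (not code from the original post or from the ClawdBot project) of the kind of network-layer control meant above: a minimal nftables ruleset that only lets loopback and a trusted LAN reach the assistant's listening port, plus a helper that flags a socket bound to every interface in `ss -ltn` output. The port 18789 and the subnet 192.168.1.0/24 are assumptions chosen for illustration, not values taken from the project.

```shell
#!/bin/sh
# Added example: restrict a self-hosted assistant's web port with a stateless
# nftables policy. ASSISTANT_PORT and TRUSTED_NET are hypothetical defaults,
# not the project's own configuration; override them from the environment.
ASSISTANT_PORT="${ASSISTANT_PORT:-18789}"
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"

# Emit an nftables ruleset that matches only on addresses and ports
# (no connection tracking), which is all this scenario needs.
gen_ruleset() {
    port="$1"
    net="$2"
    cat <<EOF
table inet assistant_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # loopback and the trusted LAN may reach the assistant
        iifname "lo" tcp dport $port accept
        ip saddr $net tcp dport $port accept
        # everything else addressed to the assistant port is dropped
        tcp dport $port drop
    }
}
EOF
}

# Return 0 when a line of \`ss -ltn\` output shows the assistant port bound to
# all interfaces (0.0.0.0, * or [::]), i.e. reachable from any network.
is_wildcard_bind() {
    case "$1" in
        *"0.0.0.0:$ASSISTANT_PORT"*|*"*:$ASSISTANT_PORT"*|*"[::]:$ASSISTANT_PORT"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (run as root to apply; the generated file can be reviewed first):
#   gen_ruleset "$ASSISTANT_PORT" "$TRUSTED_NET" > /tmp/assistant_guard.nft
#   nft -f /tmp/assistant_guard.nft
#   ss -ltn | while read -r line; do
#       is_wildcard_bind "$line" && echo "exposed on all interfaces: $line"
#   done
```

The ruleset keeps the chain's default policy at accept so that it can be dropped in next to an existing firewall without cutting off other services; the only change it makes is to fence off one port. Binding the assistant to 127.0.0.1 in the first place is the simpler fix where the software allows it, and the `is_wildcard_bind` check is there to tell you whether that has actually happened.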
This thematic arc will have at least one more follow-up (the pt. I is a dead giveaway). Since it looks like 90s retromania is all the rage now (and for all the bad reasons), if you will excuse me, my friend Costas is waiting downstairs; I am going to grab my BMX and we will go to Levon’s apartment to check out the latest Amiga warez party like it is 1999! Stay tuned!