I'm not sure how this distant memory popped into my head but I figured it would be worth writing about before I forget it again.
I was maybe 11 or 12 years old visiting family in Arizona when my cousin introduced me to an anonymous online chat service called Omegle. These days most people probably remember Omegle as a cesspool of middle-aged predators and teenagers chatting anonymously about R-rated topics – and rightly so. Any online service that pairs you with other anonymous people in a one-on-one chat online is bound to lead to inappropriate conversations, but as a stupid kid it was fun as hell. We spent hours on that chat laughing at the ridiculous conversations we had. But this isn't about that. Rather, it's about one particular interaction I had with a hacker on that platform one night in Arizona that sparked my interest in computers.
The story itself is pretty short. In one chat, there was suddenly a third party that popped in. This person was secretly lurking on the conversation for however long before sending a message and giving themselves away. I don't remember much save from being amazed that they were able to completely highjack the chat. I didn't believe they had actually hacked it until they booted the original person out of the room. I recall having a conversation with the hacker afterwards and them bragging about how easy it was to hack (typical hacker, right?).
Looking back I can only imagine how easy it must have been to break into online systems back then. We're talking over a decade ago, 2007 or 2008, only a handful of years into the grand "Web 2.0" (remember that term?).
We've come a long way when it comes to online security. SQL injection, CSRF, XSS, and the myriad of other common attacks are well-known with protection baked into the frameworks and packages we use to build even the most basic of systems. It makes me wonder if even the larger platforms like Twitter and Facebook were prone to attacks that these days even a 15 year old building some new platform would know to protect against. It also makes me wonder what recent advancements in software development are susceptible to new forms of attacks that are less known.
The internet is a much more complex place today than it ever was. Fat web apps interact with complex backends. Everything is in the cloud. The cloud is complex. VPCs, security groups, proxies, micro services, deployment infrastructure. What about the code that runs the cloud? Thousands of engineers work across dozens or hundreds of teams in some of our largest and most important systems. Is it that systems really are more secure? Or are they strung together without much thought? Many of today's online computer systems feel like 500 pound steel safes strung together by some thread. Perhaps complexity has become our security.