Hacker News

Point taken. I may have reached for too extreme an example, but AFAIK there were other issues with the WEP construction besides just RC4 being weak.

I think the point still stands though. When I read about breaks (and when I saw them back when I did infosec) it was phishing most of the time. Someone would be tricked into running malware. That’s how most organizational compromises happen. The rest were memory errors like buffer overflows in non-security application code and bugs in bespoke code exposed to the Internet.

My point was that people are afraid of the things that are sexy to be afraid of, and tend to ignore the more mundane but more commonly attacked vectors.

The same applies to firewall obsession in netsec. People will obsess over the firewall and then type “npm install” on production systems. It’s not sexy to worry about that.

Package managers scare the shit out of me…



