WHAT DOES PROOF OF CONCEPT MEAN?

What PoC means for code, software and hardware

Steve Smith talks about proof of concept code, methodology, and consequences.

Episode #8-16 released on December 10, 2017


In technology, when PoC (proof of concept) code or methodology is applied to electronics, computers, hardware and software, it is usually a physical add-on, a code implementation, or a mix of both, that can be shown to be a means of obtaining a desired and reproducible result.

Proof of concept experimentation is important: it is how we determine whether anything we use, or may use, has security issues, health issues, and so on. Without these tests, we wouldn't know that pacemakers could be exploited, that programs like TeamViewer could be gamed, and so on. If you have TeamViewer, update now; that issue has apparently been resolved. And, finally, we wouldn't have a means of testing whether a problem has been resolved correctly.

One of the easiest proof of concept methods we can use is SQL injection against websites. It is one of the many ways of gaming a website, and yet a lot of programmers don't protect their code against it. In this case, proof of concept code can be used to see whether a programmer has done the job of securing the code, or has failed to do so.

Proofs of concept are also repeatable, meaning that they work every single time. Therefore, an error in a video game can be considered either a fluke or a predictable bug. When the bug is repeatable, the action that leads to the bug is what developers look for, and then code a fix for. In a sense, you experience an issue, then find a means of reproducing the effect; that proof of concept methodology leads to a potentially exploitable bug.

Now, there is something important to note about proofs of concept, ethics and morality. While the argument can be made that the public should be aware of any issues related to software or hardware exploitation, an effort should be made to notify the manufacturer of the product before releasing proof of concept code or the methodology used to exploit the software and/or hardware. The issue isn't that the public shouldn't know there is a problem; the issue is that bad actors, also known as malicious hacker groups, on learning of potential issues can decide to exploit the problem immediately, and computers, software, or other hardware may become vulnerable. This can lead to very dangerous or harmful outcomes. The only legitimate cause for public notification is when developers absolutely refuse to acknowledge and patch reproducible, exploitable flaws, and only once the developer has completely failed in its due diligence in solving those problems.

And, finally, the only reason a developer would agree to fix the issue is reproducibility. Nothing can be considered a proof of concept if it only works once. This makes reproducibility the only means of getting a developer to both analyze the given issue and decide whether the issue you, or others, may have found is a bug or a feature.
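The SQL injection check mentioned earlier and the reproducibility requirement above can be turned into a concrete test. The following is an added example, not code from the show or from any project it mentions: it builds a constructed in-memory SQLite table, implements a user lookup both the unsafe way (string concatenation) and the safe way (parameter binding), runs the same textbook probe against each, and only reports a finding as a proof of concept when the check gives the same answer on every run. The table contents, the probe string and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: two users, so a correct lookup by name returns at most one row.
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]

# Constructed probe: a name that matches no row, plus the textbook tautology that
# a string-built query will treat as SQL rather than as data.
PROBE = "nobody' OR '1'='1"


def make_db():
    """Create a fresh in-memory database with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The 'programmer did not do the job' version: input is spliced into the SQL text,
    so it can change the structure of the statement."""
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The hardened version: the driver binds the value, so it stays data and cannot
    alter the statement no matter what characters it contains."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def is_injectable(lookup, conn):
    """Return True if the probe returns more rows than a plain non-existent name does.
    A correct lookup should return zero rows for both inputs."""
    baseline = lookup(conn, "nobody")
    probed = lookup(conn, PROBE)
    return len(probed) > len(baseline)


def reproducible(check, runs=20):
    """Run a check repeatedly on fresh state and report (consistent, outcome).
    Only a consistent result counts as a proof of concept; a one-off is a fluke."""
    results = {check() for _ in range(runs)}
    consistent = len(results) == 1
    return consistent, (results.pop() if consistent else None)


if __name__ == "__main__":
    for label, lookup in (("unsafe", find_user_unsafe), ("safe", find_user_safe)):
        consistent, outcome = reproducible(lambda: is_injectable(lookup, make_db()))
        status = "repeatable finding" if consistent else "inconsistent, not a PoC"
        print(f"{label}: injectable={outcome} ({status})")
```

Running the script shows the unsafe lookup returning every user for the probe on every run, which is exactly the repeatable result that makes a finding worth reporting to the developer, while the parameterized lookup returns nothing for it, showing that the fix can be verified with the same check.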

A feature? Proof of concept code being able to exploit a given device, hardware, and/or software does not necessarily prove that a security flaw exists. It is possible, in some circumstances, that the outcome of a proof of concept only demonstrates that other features of the code, hardware, and/or software exist. The developer should probably find a way to isolate this feature until launch; then again, it may exist because an API exists that does use it. In those cases, be happy that the developer was already aware that the feature existed, provided there is no unsecured data leakage.

Sponsored by PureVPN

And speaking of unsecured data leakage, if you are looking for a VPN service that is easy to use and works as an in-browser add-on, on Android, on Apple devices, and so on, then look no further than PureVPN, a service that does not log your traffic and offers a 7-day money back guarantee. Pricing starts at $2.45 a month and you can check them out by heading over to https://tqaweekly.com/purevpn.

Host: Steve Smith | Editor: Steve Smith | Producer: Zed Axis Dot Net
