A brief note inspired by yesterday's unsolicitied penetration testing:
Given sufficient exposure, particularly to strangers, anything that can be exploited for some purpose will be.
All the moreso if cost-effective.
When I built websites in the mid-2010s, I'd get pings from Google and other web crawlers, some hits from Russian IPs, etc... But yesterday was the first time I detected someone systematically scanning my system for holes.
I'm quite capable of handling this tier of attempts. And I have good enough infrastructure hygiene not to leave credentials around too naively. But this raises a point:
The more exploitation a system endures, the more expertise a practictioner of that system must have to avoid getting pwned.
Sure, I'm immune from a canvas of wordpress-targetted endpoints, because I'm not using wordpress. But I am using some off-the-shelf webserver (currently), so presumably a more advanced script could deduce which one I am using and target that server's specific vulnerabilities. And if I handrolled a server, then a sufficiently dedicated and bored and cheap engineer could study the behavior of my server and crack it. But what engineer is cheap enough to crack every random handrolled server out there?
Perhaps an LLM!?
Uh oh...