Hahaha, I 100% agree with this. In fact, after looking at most of the attacks, ‘hacks’, etc. in the past 4 years, there really hasn’t been anything new or innovative. The most innovative things have been compromises in actual software, but those compromises are all due to the same sloppy use of validation of acceptable inputs and outputs.
As to the sophistication of attacks, I think the most sophisticated attackers now are those that are interesting in monetary gain, such as account checkers, headless browsers, etc.
Now, the most sophisticated attacks or compromises that I’ve seen involved outsiders penetrating the infrastructure of the client, sitting dormant and learning their very proprietary systems and coordinating a huge global attack to steal millions of dollars. It was very interesting and it was impressive how they coordinated the live attack with thousands of people executing all within a VERY short amount of time.
You know I really loved the movie Foolproof, it was a pretty fun idea to plan out these attacks in excruciating detail as a thought exercise. Maybe I’ll start doing that here.