,
14 tweets,
3 min read
Read on Twitter
1/ Matt Blaze is really smart and worth listening to, in general. This take isn't, it's wrong in every way something can be wrong.
2/ It doesn't make a cost-benefit analysis. It pretends there are not costs, no downsides to updating, only benefits. It makes no argument based on the quality of an argument, instead, it's a just an "argument from authority" fallacy, 'cause he's a computer science professor.
3/ When people don't update it's not because they are morally weak, lazy, greedy, or stupid. It's because there are costs associated with updating, and they are making rational decisions.
4/ If vendors only shipped well-tested bug-fixes, then the costs would be minimal. Instead, vendors slip in new features and ill-tested changed, causing things to break, or at least, change, which for users is often the same thing.
5/ Microsoft, Apple, Google, and Amazon do a great job of updating/patching. It's why most iPhone, Alexa, and Chrome users have the latest software. Most other product vendors do a poor job of patching, which is why they are never patched.
6/ It's not just the costs Blaze is ignoring, but the benefits. When things are exposed to hackers, like your web browser, it needs to be patched often. When things aren't exposed, then they don't. There are other ways of mitigating hacker threats than just patching.
7/ Cybersec telling people what to do is the most foul aspect of the cybersec community. It's not our job, and people shouldn't listen to us when we do that. Instead, we should spend more of our time fixing the technical problems that make people want not to patch.
8/ This undo obsession with patching has floated up to Washington D.C. policy circles, and this is a bad thing. Lawmakers want to push automatic updating/patching on IoT devices.
9/ They are looking at the 10-billion new IoT devices being attached to the Internet in the next year and fear another Mirai style worm, and listen to the supposed cybersecurity experts that tell us that patching can prevent such a problem.
10/ The reality is that virtually all those 10-billion new IoT devices are being put behind firewalls. Mirai only infected machines that weren't protected by firewalls. Thus, the risk they imagine doesn't exist.
11/ On the other hand, the risk of subverted updates, as in the ASUS example, is huge. The number of infected machines in the ASUS incident was much larger than Mirai.
12/ Even small IoT vendors can ship a million devices, creating an Internet-threatening event when their update/patching mechanism gets compromised. Lawmakers need to worry about that more than Mirai.
13/ As a cybersecurity expert, my advice is this: "Updates usually fix the latest things hackers have discovered that may allow them to hack your computer". Stopping hackers is why these updates exist.
14/ But I make no judgement for you. Patch, don't patch, it's up to you. It's ultimately your responsibility to measure the costs and benefits of such an action, to gauge the risks. I can't make that decision for you.
