14 tweets, 3 min read
1/ Matt Blaze is really smart and worth listening to, in general. This take isn't; it's wrong in every way something can be wrong.
2/ It doesn't make a cost-benefit analysis. It pretends there are no costs, no downsides to updating, only benefits. It makes no argument based on the quality of an argument; instead, it's just an "argument from authority" fallacy, 'cause he's a computer science professor.
3/ When people don't update it's not because they are morally weak, lazy, greedy, or stupid. It's because there are costs associated with updating, and they are making rational decisions.
4/ If vendors only shipped well-tested bug-fixes, then the costs would be minimal. Instead, vendors slip in new features and ill-tested changes, causing things to break, or at least change, which for users is often the same thing.
5/ Microsoft, Apple, Google, and Amazon do a great job of updating/patching. It's why most iPhone, Alexa, and Chrome users have the latest software. Most other product vendors do a poor job of patching, which is why they are never patched.
6/ It's not just the costs Blaze is ignoring, but the benefits. When things are exposed to hackers, like your web browser, they need to be patched often. When things aren't exposed, then they don't need to be. There are other ways of mitigating hacker threats than just patching.
7/ Cybersec telling people what to do is the most foul aspect of the cybersec community. It's not our job, and people shouldn't listen to us when we do that. Instead, we should spend more of our time fixing the technical problems that make people not want to patch.
8/ This undue obsession with patching has floated up to Washington D.C. policy circles, and this is a bad thing. Lawmakers want to push automatic updating/patching on IoT devices.
9/ They are looking at the 10 billion new IoT devices being attached to the Internet in the next year and fear another Mirai-style worm, and listen to the supposed cybersecurity experts that tell us that patching can prevent such a problem.
10/ The reality is that virtually all those 10 billion new IoT devices are being put behind firewalls. Mirai only infected machines that weren't protected by firewalls. Thus, the risk they imagine doesn't exist.
11/ On the other hand, the risk of subverted updates, as in the ASUS example, is huge. The number of infected machines in the ASUS incident was much larger than Mirai.
12/ Even small IoT vendors can ship a million devices, creating an Internet-threatening event when their update/patching mechanism gets compromised. Lawmakers need to worry about that more than Mirai.
13/ As a cybersecurity expert, my advice is this: "Updates usually fix the latest things hackers have discovered that may allow them to hack your computer". Stopping hackers is why these updates exist.
14/ But I make no judgement for you. Patch, don't patch, it's up to you. It's ultimately your responsibility to measure the costs and benefits of such an action, to gauge the risks. I can't make that decision for you.
Thread by Robᵇᵉᵗᵒ Graham