15 tweets, 3 min read
This is an example why "anti-vax" is almost never a good analogy. Vaccines are largely harmless, not causing autism. Updates/patches, however, are frequently harmful, as anybody who has ever installed updates/patches knows.
The infosec/cybersec community is a bunch of corrupt fascists who believe "security" is some sort of moral imperative that overcomes all other considerations, like whether your computer still works after you apply a patch.
"I'm sorry you lost all your data and bricked your computer, but know that you are safer for having installed that update, and that's the important thing. If you hadn't installed that patch, a hacker could've installed ransomware causing you to lose all your data."
We recognize the military is a bit fascist when they insist we give up freedom in the name of security.
We recognize the police are a bit fascist when they insist we give up freedom in the name of security.
We should also recognize infosec is a bit fascist.
This tweet is a good argument. Like for vaccines, let's measure the "externalities" of not patching/vaccinating. With vaccines, the externalities are things like the recent Rockland measles outbreak. What about patching?
For patchable "vulns", the "externalities" are nearly non-existent. That's because "vulns" are rarely exploited, and "externalities" largely don't exist: security problems are almost "internalities" (sic).
Verizon has been doing their DBIR reports annually for over a decade, and they show consistently that data breaches are almost always something else other than exploiting vulnerabilities. Yes, vulns do get exploited, but rarely.
enterprise.verizon.com/resources/repo…
Infosec spends too much time thinking about vulns, 0days, and patches. If somehow we solved that problem 100%, it would make an insignificant change in infosec. The world of infosec would largely be unchanged.
Now let's look at "externalities". It means a cost (or benefit too!) experienced by somebody who is not the seller/buyer of something. Except for DDoS, there are pretty much no externalities in infosec. Patching is about solving your own security, not securing somebody else.
Even with DDoS, very little of it comes from patchable vulnerabilities. Very little malware gets installed via vulnerabilities that can be patched.
To be fair, that's mostly because Chrome auto-patches, forcing patches upon users. But Chrome is the most exposed thing to the Internet, where patching becomes more urgent, whereas most other things really aren't all that exposed.
If you want to argue that all web browsers need auto-patching, then I'm pretty sure I'd agree with you, because it's a cost/benefit tradeoff. Most other things aren't as exposed, so the benefits are orders of magnitude less.
So this tweet is a good example of how when people say "externalities" they don't mean "externalities" but something else, like consumer protection. But "consumer protection" is an externality, imposing costs on consumers by taking away choice.
When you believe cybersecurity is all benefits and no costs, then of course consumer protection seems a no brainer. But security comes at a cost, a cost that most consumers don't want. In this case, "consumer protection" means giving consumers what they don't want.
That's the point of this thread: infosec/cybersec is a corrupt industry that believes "security" is a moral imperative, and that anything more "secure" is automatically better. It's not, just like police-states aren't better for people.
Thread by Robᵇᵉᵗᵒ Graham