,
15 tweets,
3 min read
Read on Twitter
This is an example why "anti-vax" is almost never a good analogy. Vaccines are largely harmless, not causing autism. Updates/patches, however, are frequently harmful, as anybody who has ever installed updates/patches knows.
The infosec/cybersec community is a bunch of corrupt fascists who believe "security" is some sort of moral imperative that overcomes all other considerations, like whether your computer still works after you apply a patch.
"I'm sorry you lost all your data and bricked your computer, but know that you are safer for having installed that update, and that's the important thing. If you hadn't installed that patch, a hacker could've installed ransomware causing you to lose all your data."
We recognize the military is a bit fascist when they insist we give up freedom in the name of security.
We recognize the police are a bit fascist when they insist we give up freedom in the name of security.
We should also recognize infosec is a bit fascist.
We recognize the police are a bit fascist when they insist we give up freedom in the name of security.
We should also recognize infosec is a bit fascist.
This tweet is a good argument. Like for vaccines, let's measure the "externalities" of not patching/vaccinating. With vaccines, the externalities are things like the recent Rockland measles outbreak. What about patching?
For patchable "vulns", the "externalities" are nearly non-existent. That's because "vulns" are rarely exploited, and "externalities" largely don't exist: security problems are almost "internalities" (sic).
Verizon has been doing their DBIR reports annually for over a decade, and they show consistently that data breaches are almost always something else other than exploiting vulnerabilities. Yes, vulns do get exploited, but rarely.
enterprise.verizon.com/resources/repo…
enterprise.verizon.com/resources/repo…
Infosec spends too much time thinking about vulns, 0days, and patches. If somehow we solved that problem 100%, it would make an insignificant change in infosec. The world of infosec would largely be unchanged.
Now let's look at "externalities". It means a cost (or benefit too!) experienced by somebody who is not the seller/buyer of something. Except for DDoS, there are pretty much no externalities in infosec. Patching is about solving your own security, not securing somebody else.
Even with DDoS, very little of it comes from patchable vulnerabilities. Very little malware gets installed via vulnerabilities that can be patched.
To be fair, that's mostly because Chrome auto-patches, forcing patches upon users. But Chrome is the most exposed thing to the Internet, where patching becomes more urgent, whereas most other things really aren't all that exposed.
If you want to argue that all web browsers need auto-patching, then I'm pretty sure I'd agree with you, because it's a cost/benefit tradeoff. Most other things aren't as exposed, so the benefits are orders of magnitude less.
So this tweet is a good example of how when people say "externalities" they don't mean "externalities" but something else, like consumer protection. But "consumer protection" is an externality, imposing costs on consumers by taking away choice.
When you believe cybersecurity is all beneifts and no costs, then of course consumer protection seems a no brainer. But security comes at a cost, a cost that most consumers don't want. In this case, "consumer protection" means giving consumers what they don't want.
That's the point of this thread: infosec/cybersec is a corrupt industry that believes "security" is a moral imperative, and that anything more "secure" is automatically better. It's not, just like police-states aren't better for people.
