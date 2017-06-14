Oil Changes, Safety Recalls, and Software Patches (daemonology.net) 12
An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. 
It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
When you have companies who ignorantly and gleefully outsource their IT staff to cheaper alternatives, thinking they'll magically get the best of both worlds, more money for them, and same level of service, you should expect this.
You get what you pay for. Literally. If it's cheaper, there is a reason. When you have competent, experienced IT staff who care about their work and take pride in security and performance, they cost more. Why? Because they know they can get it, and it will save companies money. Ev
The analogy is great, until you go to the end of the life of the given software. Like XP for example, it has reached end of life, so no patches are available for it any more. Many Android devices are instantly end of life, without any patches being released for them.
The security issues are not solved until you remove all deployments of software and hardware that have reached end of life. The only way to get this done is enforcement by law. In order to make actual comparison of products possible, manufacture
but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
No. As an industry you have to think about a company like Microsoft who willfully waited over a DECADE to patch a KNOWN vulnerability which it was TOLD about a long time ago, but CHOSE to ignore - cos, security by obscurity at best, or intentional back door at worst. This should not be about "the patch has been out 2 months why haven't people patched" it should be about "Why did Microsoft wait until news of the vulnerability leaked before bothering to issue a patch".
That interval seems like a total waste of oil. I have an old vehicle for hauling stuff that gets driven about 1000km/year, and I might change the oil every five years. I know that's probably "bad", but the engine hasn't broken yet. In fact, I think that the only work I've ever had done on the engine over almost 20 years is change out the timing belt (at twice the recommended age, but still below the mileage limit). I do keep it in a garage and always run it until it's thoroughly warmed up.
I had no problem letting Windows 7 update itself automatically until Microsoft started incessantly nagging me about changing to Windows 10, and news of their telemetry patches came out. Oh, and the whole installing patches for 5-10 mins while you're trying to shut your computer down (always seemed to be before I needed to go somewhere) was pretty dumb as well.
Microsoft took security updates and started abusing them for their own nefarious purposes. This, combined with their propensity to produce rubbish sof