Ask HN: Is Security Just Busywork?
2 pointsby YukiBits8 hours ago3 comments
  • al_borland8 hours ago
    My microwave and dishwasher don’t need updates because they don’t connect to the internet and they are also very simple machines. They essentially run pre-programmed processes centered around a timer.

    Internet connected computers have complexity that is several orders of magnitude greater than those simple appliances. This is much harder to get right and test every possibility. The internet allows access for people to exploit those untested or unhandled possibilities.

    On top of that, the very ability to update remotely lets companies prioritize release dates over completeness, because they can ship it and update it later if anything is found. It becomes a cost benefit analysis. How much will a security incident cost vs the cost of delaying the product? What are the odds a vulnerability gets exploited before they can find and patch it?

    Internet connected appliances create busywork, imo. They don’t need those features, so the initial design takes more time, adds complexity, and then creates perpetual maintenance to keep things secure and working with the supporting backend services. All of this feels like needless theater to give customers something most don’t even want. I’ve never seen anyone excited about their biweekly TV update prompt.

    • YukiBits7 hours ago
      So in other words, it is pretty much hopeless to make secure software for computers connected to the internet or outside world that lasts long enough (and takes little maintenance). The reason being, because we cannot deal with complexity against all eventualities? Even if we have relatively simple abstractions and tools in place?

      I can see that you may point to other areas of human engineering such as bridges, buildings, vehicles. All can fail given the right circumstances. I am not asking for an unbreakable engineering product. That seems to be rather impossible.

      But I would still argue that the „security updates“ for engineering artifacts like bridges don’t need frequent „updates“ (i.e., maintenance, inspections).

      Computers seem to be relatively more fragile unlike any analog engineering artifact in existence. Some soldiers still need to know how to navigate with a sextant, because computer systems seem inherently fragile.

      I can think of software dependencies that break constantly (e.g., Scala, Python). Are you going to tell me that a bridge is more fragile than some Ruby package?

      So in other words, how is it possible that anything having to do with computers is seemingly more prone to fail than a building, a bridge, a Cessna 172? Yes all those classic engineering artifacts need constant maintenance, but I would argue that it is unlike (modern) software.

      So my point is the fragility of software seems to require more maintenance (i.e., security updates) than any other human engineering artifact.

      That seems unfortunate. Software shall be rather something like a building (withstanding wind, earthquakes, …) and taking relatively low maintenance.

      I just don’t understand why it requires frequent maintenance and „fixes“ within a given year. Your smartphone does, your Windows 11 computer does, your Samsung TV does. Your „smart“ vehicle does.

      What is the ultimate reason that computer software cannot be like the other avenues of engineering?

      Economic interests cannot be the sole culprit. Free software like Debian needs fixes too.

      • al_borland5 hours ago
        I don’t think you can dismiss the maintenance required on buildings and bridges so easily. Bridges must be continuously repainted to avoid corrosion, for example. Nature will overtake buildings, bridges, and anything we make. Concrete cracks and plants grow through it. Our entire infrastructure is a never ending battle to control nature’s relentless push to expand.

        Software, on the other hand, is durable. I can download and run software that was written 40 years ago and it still works exactly the same, with 0 maintenance. Leave a bridge or building alone for 40 years and see what happens.

        With software, the battle isn’t against nature, it’s against humans with bad intent. Once something is no longer popular, it tends to not be much of a target anymore.

        The constant updates are in part for security, as it’s a cat and mouse game. The updates are also to keep this feeling fresh and relevant, so people don’t move on to something new that seems to be getting better support… much like painting the bridge and changing the landscaping outside a building. This shows the people using it that it is cared for and keeps it feeling useful.

        I maintained a simple website at work for 15 years. Had I not made little tweaks over time, people would have filled the gaps with other tools and it would have fallen into irrelevance. Because I made these little updates to keep it relevant, people kept using it and didn’t seek out other solutions to fill the gaps.

        Some may see some of this as busy work, but it only truly becomes busy work if the system is perfect and they keep working on it to the point of making it worse, just to have something to do.

  • Bender8 hours ago
    Is Security Just Busywork?

    No. They build a thing and expect money. Customers do not have a binding contract with most of these vendors and there is no expectation that they will make any effort to protect you or your family thus it is currently on the consumer to protect themselves from their internet connected devices. Strict legislation in every country with serious consequences would be required to change this. That or cutting on trade with countries that harm consumers and that is a high bar to meet. Not likely to happen.

  • borderprepper7 hours ago
    [dead]