HACKER Q&A
📣 YukiBits

Is Security Just Busywork?


How many devices with computers (i.e., embedded systems) need regular updates? My microwave oven, dishwasher, and coffee machine don’t need a (firmware) update. Why can’t we just write software like firmware once and run it indefinitely like we do with embedded systems? Why can’t I connect a Windows XP computer to the internet? I mean because it gets malware, yes. But why is an internet connection such a threat to software like operating systems? Everything connected to the internet seems to require constant „security“ updates. Once those security updates come to a stop, you suddenly cannot safely use your device on an internet connection.

Why is it not possible to have software written without constantly updating its „security“?

Is „security“ just a form of collective busywork, or is it really justified and necessary?

The internet seems to make every computer insecure. Is it by (inherent) design or by choice? Is the culprit indirection (i.e., abstraction)? Are CPUs inherently insecure? Does it mean that layers of indirection are inherently harmful? What is ultimately causing this? Please don’t say anything along the lines of „policemen need criminals to justify their jobs“.

Is there even a computer system that can be connected to the internet that does not require any updates? Don’t say mechanical computers, or a calculator please, or a Turing machine, please.

What is the ultimate reason for the constant need of security updates when it comes to computers connected to the internet?

I mean, I am aware that you can inject malware with a USB pen drive or any external device that can be connected to the computer. But why are computers so fragile when connected in any shape or form to the „outside world“?

Why so fragile?


👤 al_borland Accepted Answer ✓
My microwave and dishwasher don’t need updates because they don’t connect to the internet and they are also very simple machines. They essentially run pre-programmed processes centered around a timer.

Internet-connected computers have complexity that is several orders of magnitude greater than those simple appliances. This is much harder to get right and test every possibility. The internet allows access for people to exploit those untested or unhandled possibilities.

On top of that, the very ability to update remotely lets companies prioritize release dates over completeness, because they can ship it and update it later if anything is found. It becomes a cost-benefit analysis. How much will a security incident cost vs the cost of delaying the product? What are the odds a vulnerability gets exploited before they can find and patch it?

Internet-connected appliances create busywork, imo. They don’t need those features, so the initial design takes more time, adds complexity, and then creates perpetual maintenance to keep things secure and working with the supporting backend services. All of this feels like needless theater to give customers something most don’t even want. I’ve never seen anyone excited about their biweekly TV update prompt.


👤 Bender
Is Security Just Busywork?

No. They build a thing and expect money. Customers do not have a binding contract with most of these vendors and there is no expectation that they will make any effort to protect you or your family, thus it is currently on the consumer to protect themselves from their internet-connected devices. Strict legislation in every country with serious consequences would be required to change this. That or cutting on trade with countries that harm consumers, and that is a high bar to meet. Not likely to happen.