Skip to main content

Really Unhelpful Advice...


A quick summary of the following article - http://www.neowin.net/news/from-my-cold-dead-hands-living-without-updates - would be: Updates are bad, don't do updates.

That unhelpful advice isn't from me and is not recommended by me, nor endorsed by me. You should run from the advice this author posits.
It is is really unhelpful and a disservice to many. As such I was compelled to comment. 
To wit:
I'm sorry, but I think this article and the point of view it puts forward are irresponsible.
As a software engineer, I know (and hate to admit) there are bugs in every released piece of software. Updates to patch these problems (whether or not they are problems visible to users or IT) need to take place. An un-patched bug translates to a vulnerability. Why would you promote vulnerable systems? For instance, would you recommend leaving an Android system un-patched that is vulnerable to the StageFright security hole?
I have used known vulnerabilities in Windows XP (missing some up-to-date patches) and easy to find tools, to crack an administrator's password and create my own administrators account. Or in other words to own the system. The weak spots are where you hack and you count on people and systems having some weak spot, somewhere. You look for the easy ones first. Just because you don't know about it happening, doesn't mean it hasn't, can't or won't.
Many of the me-too comments assume threats will be on the other-side of the network, or there are Antivirus & malware protections in place on targets, or that other security measures will protect them. Defense in depth should be mantra, a guiding principle for anyone responsible for the care and feeding of a system that runs software. Why give away any level of defense?
I'll give the author "the out" to separate updates that fix problems from updates that include additional functionality. Additional functionality is usually adding bugs and is mostly related to revenue generation or market share and competitiveness. I would call the former "patches" and the later "upgrades" and I would say that they should be separate.
But a blanket "no updates"? No thanks.
Labels:

Comments

Unknown said…
I totally agree, but this requires reading on the users part and some understanding of the nomenclature used by the vendors.
10:41 AM
Post a Comment

Popular posts from this blog

You don't really know who you're talking to online...

The following is a story that I think highlights the assumptions that get you into trouble online... https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media This is particularly scary since we found so much utility in online connections during the pandemic and out of necessity, started trusting more online. Please note the timeline for this breach - it was a long, slow process, a key factor in many 'cons'. "Build trust" is a key first step, once someone has identified you as a party. You think...you're convinced you know who your talking to, but if you don't triangulate the identity with some non-online, ideally in-person information, you shouldn't trust. And even if you do get what seems like real-life confirmations of identity, you must look at questioning motives, needs, and keeping danger at arms-length. Online includes email, texting (sms), application chatbots, voice communicati...
Post a Comment
Read more

Threat Modeling Manifesto

Secure Your Code with Threat Modeling As a software developer, security should be a top priority. By proactively identifying and addressing potential vulnerabilities, you can significantly reduce the risk of breaches and data loss. What is Threat Modeling?   Threat modeling is a systematic approach to identifying, assessing, and mitigating security threats. It involves looking at your system from a hacker's perspective to uncover weaknesses and devise strategies to protect against attacks. See the  OWASP Cheat Sheet   Why is Threat Modeling Important? Proactive Security: By anticipating potential threats, you can take steps to prevent them. Risk Mitigation: Identify and address vulnerabilities before they can be exploited. Regulatory Compliance: Adhere to industry standards and regulations. Enhanced Security Posture: Strengthen your overall security posture. How to Get Started with Threat Modeling   The Threat Modeling Manifesto provides a valuable framewor...
Post a Comment
Read more

RACI, Cybersecurity and NICE Framework

The NICE framework from a RACI point of view The NICE framework ( NIST SP 800-181 rev. 1) established a standard approach for describing cybersecurity work, in order to help stakeholders share a common language and ideally improve how to identify, recruit, develop and retain talent. It breaks down cybersecurity work role categories into: Oversight and Governance; Design and Development; Implementation and Operation; Protection and Defense; Investigation.  Which is very cybersecurity-centric and not related to common tools for project management within companies. Especially smaller enterprises that do not have dedicated people to mange and coordinate cybersecurity needs. A  RACI chart  is   a project management tool used to define and clarify roles and responsibilities within a project team.   It stands for Responsible, Accountable, Consulted, and Informed, and visually represents who is responsible for what, who is accountable for the outcome, who needs to be c...
Post a Comment
Read more