Software Is Really Vulnerable

Quinn Norton on Medium writing about how everything is broken:

Look at it this way — every time you get a security update (seems almost daily on my Linux box), whatever is getting updated has been broken, lying there vulnerable, for who-knows-how-long. Sometimes days, sometimes years. Nobody really advertises that part of updates. People say “You should apply this, it’s a critical patch!” and leave off the “…because the developers [screwed] up so badly your children’s identities are probably being sold to the Estonian Mafia by smack addicted script kiddies right now.”

This article is long, and will come off a bit as a “tin foil hat” kind of piece, but it’s really a good look at how vulnerable computers are without getting too technical. The reality is that most people don’t understand how messed up most computer systems really are. From their personal computers, to their work networks, to their banks’ systems, it’s one big mess. A lot of it has to do with money, and a lack of understanding.

Many companies, especially those with tight margins, which is probably most companies, don’t want to invest money in things that will not directly increase revenue. Spending the millions of dollars to update antiquated computer security doesn’t rank high on the list of most CEOs or stockholders. Even software companies themselves suffer from the same ailment. If it doesn’t increase revenue, it’s a hard sell to decision makers. And the result is disasters like the one Target suffered in 2013.

And it can almost all be chalked up to naiveté. Companies increase physical security all the time. They get better cameras and more secure entry systems. How many companies use regular old keys anymore? Keys can be easily duplicated, and when they are lost they can’t be remotely disabled. A new lock has to be installed and everyone needs a new key. Why is it that people understand modern physical security but completely ignore the virtual equivalent?

Unfortunately, this will almost surely get worse before it gets better. The Target incident was a nice wake-up call, but it’s probably going to take something much more impactful to really get everyone to change.