by kyberias 1102 days ago
Why would a connection to internet need security updates?
2 comments

Because as an industry, we are bad at our jobs. The network facing software has critical security vulnerabilities. Even security folks accept that as the way of the world.

At the point the software is released it has (hopefully) no known security vulnerabilities, which is a reasonably secure situation to be in.

However, eventually some of them will become known, and that is not safe.

People like to shout "cryptobotnet!" every time someone questions the need for absolute security with devices connected to the internet.

You might get 2¢ in about 40 years mining with my IoT light bulb. Good luck with that.

There are plenty of reasons not to want your IOT bulb to be insecure that are unrelated to people mining crypto.

A pwned IOT lightbulb can be used to help DDOS sites. It can relay DDOS traffic, eating your own bandwidth. It can be constantly probing the other devices on your network looking for vulnerabilities, until it pwns something else and is able to slurp down your passwords and credit card numbers.

Are you seriously suggesting that having an actively malicious computing device inside your home network is no big deal?

If it has a camera, it can be used to steal your security keys if it can see the power LED on your device (or potentially even just if something connected to your device has a power LED).

https://www.nassiben.com/video-based-crypta

Fortunately, none of my computers have power LEDs. Also, I don't live in a nuclear weapons facility where I need "security keys."

Security keys are a software thing, not a physical thing like in movies. They are used everywhere, like in ssh or OAuth.

But a "critical security vulnerability" depends on the use. My daily driver? Yes, I want all of the security updates. A Raspberry Pi for playing arcade games that I occasionally scp a ROM over to? I really don't care if someone hacks in.

We, as an industry, are bad about pushing "every device that is on the internet needs to be as up to date as possible all the time" when in reality there is a lot of unimportant stuff on the internet.

It's like locks. I wouldn't secure my house with a bike lock, but it's fine for my bike. My bike is less full of important stuff.

> I really don't care if someone hacks in.

At best, that means you're externalizing the costs, i.e. now your device is part of a botnet and becomes a problem for other people. But of course that assumes that it doesn't become a problem for you as well; a compromised device on your network is a great launching point for local attacks and a way to send illegal traffic out through your internet connection.

I'm reminded of the aquarium thermometer used to launch an attack on a casino. <https://mashable.com/article/casino-smart-thermometer-hacked>

I have a couple Raspberry Pi Zeroes that monitor aquarium temperature. I keep them updated.

Ah yeah, I need to stop working at random notice, because some CVE bros have to immediately update all my things to hedge the risk of organized crime targeting my $0 value data like I'm that casino.

Meanwhile in reality, no one gives a f about the rPi you use for your Guinea pig feeder.

The "security" industry is unfortunately full of corpo-authoritarians. Once they realised a lot of the population can be forced to do anything if they can be convinced it's for "security", they've been doubling down on that.

Well, a common thing with open computing resources these days is cryptominers. Sure, you don't care about updates, until someone puts a miner on it and you have to go in and try to fix it. It wouldn't matter that your single device doesn't have enough processing power when there are tens of thousands of similarly vulnerable devices to hijack.

This question doesn’t really make sense, did you forget a couple words?