by ryandrake 822 days ago
Automatic updates are terrible and the first thing I do when I get a new device or reinstall an OS is try to figure out how to disable them. Sadly, I am losing this battle and more and more stuff insists on updating behind my back, without me commanding them to update. This should be unacceptable. When I buy something I should be in full control of what it’s doing, not the manufacturer. I don’t care if the software is vulnerable to CVE-1234567 or if there are lots of great bug fixes or if the manufacturer simply really really really wants me to see the yet-another big UI update it’s done. Updates should be done when I say they are done (or not), on my schedule, and only after I know what the update changes.

I don’t want to hear the manufacturer’s excuses. I know “most people” are clueless and leave security problems unpatched. “Most people” have also gotten accustomed to being abused by their software products that are out of their control. I’m not “most people” and I won’t tolerate being treated like this by device manufacturers. The product gets returned if I have no control over what it does.

1 comments

> I don't care if the software is vulnerable to CVE-1234567

But your neighbour plugged into a life-support machine at the local hospital does, because your machine could be used as a staging point for further attacks.

When we built an "interconnected world" we created interconnected responsibility.

That said, I agree with you that products that assume permission to connect to the internet and update when they feel like it are a menace. They result from disgraceful, lazy, inept software engineering and allow sloppy manufacturers to unload responsibility on to users.

That is unacceptable and it is going to change in Europe with a slew of legislation coming soon.

But that law may actually make things worse because it misunderstands the locus of responsibility and trust models.

Centralising trust in automatic updates with a manufacturer makes security much worse in many regards. SolarWinds is nothing compared to what is coming when billions of connected devices can be owned and turned into a botnet in a single exploit.

Your right to control your device is not to be championed solely because of your property rights, but perhaps ironically, because that is the better security model as the lesser of two evils.

Please don't say "I don't care about CVE-1234567", because at the end of the day, you're the only one whose 'care' actually matters. The manufacturer doesn't care and cannot really be trusted.

Yea I should clarify. I do care about CVEs and actively seek out and patch security vulnerabilities in the software I run. What I don’t care about is the manufacturer’s panic over the CVE, and their insistence on usurping my power to control my device, using the CVE as an excuse. Is that more understandable?

Yes definitely. I feel it's an important distinction to make because otherwise the authoritarians and profiteers of "for your own good" will jump on that and say "See! These stupid users claim not to care about security. We must mandate manufacturers manage that after purchase".

Nobody wants that, least of all manufacturers, unless they can use backdoors to spy on and ransom customers like printer and car makers are starting to.

> But your neighbour plugged into a life-support machine at the local hospital does, because your machine could be used as a staging point for further attacks.

Unless your machine is in a particularly privileged position (for instance, it's plugged into the hospital non-public network), there's nothing special the attacker can do with your machine that they couldn't do with their own machines. So this is just fear-mongering.

> there's nothing special the attacker can do with your machine that they couldn't do with their own machines.

Any obtainable CPU power, memory, IP address or storage is an asset, so they could:

  Run processes such as password cracking on your machine while still
  having their own to use.

  Store sensitive or illegal data encrypted on your disks as a dropbox
  for themselves or others.

  Launch recon scans or attacks from your device, using your IP address
  while staying hidden and leading the authorities back to you.

  Set up your machine as a proxy for routing other traffic, leveraging
  your geographical location.

  Set up your machine as a node in a distributed compute farm for
  mining, cracking or other tasks.

  Sell access to your assets to other bad hackers.

  ... we could literally go on for hours with ideas about how using
  *your computer instead of their own* gives an advantage and thus
  presents a motive.

> So this is just fear-mongering.

Two points I'll make:

  Maybe you *should* be afraid of all the ways contemporary
  cybersecurity is an absolute shitshow. Fear is not the best motive,
  but *is* a motive for making changes. There's a reason we have that
  part of our brains and the emotion it provides.

  I'm sorry you feel worried about what I said. Even though the
  threats are real I don't believe in scaring people. I think a better
  way is through education and empowerment.  That's why I produce work
  like the Cybershow [0], where we try to make cybersecurity a little
  bit fun and irreverent. Come and listen to some shows if you care
  about computer security for yourself and people you love.
[0] https://cybershow.uk