Ask HN: Is Security Just Busywork?

2•YukiBits•2h ago
How many devices with computers (i.e., embedded systems) need regular updates? My microwave oven, dishwasher, and coffee machine don’t need a (firmware) update. Why can’t we just write software like firmware once and run it indefinitely like we do with embedded systems? Why can’t I connect a Windows XP computer to the internet? I mean because it gets malware, yes. But why is an internet connection such a threat to software like operating systems? Everything connected to the internet seems to require constant „security“ updates. Once those security updates come to a stop, you suddenly cannot safely use your device on an internet connection.

Why is it not possible to have software written without constantly updating its „security“?

Is „security“ just a form of collective busywork, or is it really justified and necessary?

The internet seems to make every computer insecure. Is it by (inherent) design or by choice? Is the culprit indirection (i.e., abstraction)? Are CPUs inherently insecure? Does it mean that layers of indirection are inherently harmful? What is ultimately causing this? Please don’t say anything along the lines of „policemen need criminals to justify their jobs“.

Is there even a computer system that can be connected to the internet that does not require any updates? Don’t say mechanical computers, or a calculator please, or a Turing machine, please.

What is the ultimate reason for the constant need of security updates when it comes to computers connected to the internet?

I mean, I am aware that you can inject malware with a USB pen drive or any external device that can be connected to the computer. But why are computers so fragile when connected in any shape or form to the „outside world“?

Why so fragile?

Comments

Bender•1h ago
Is Security Just Busywork?

No. They build a thing and expect money. Customers do not have a binding contract with most of these vendors and there is no expectation that they will make any effort to protect you or your family; thus it is currently on the consumer to protect themselves from their internet connected devices. Strict legislation in every country with serious consequences would be required to change this. That or cutting on trade with countries that harm consumers and that is a high bar to meet. Not likely to happen.

al_borland•1h ago
My microwave and dishwasher don’t need updates because they don’t connect to the internet and they are also very simple machines. They essentially run pre-programmed processes centered around a timer.

Internet connected computers have complexity that is several orders of magnitude greater than those simple appliances. This is much harder to get right and test every possibility. The internet allows access for people to exploit those untested or unhandled possibilities.

On top of that, the very ability to update remotely lets companies prioritize release dates over completeness, because they can ship it and update it later if anything is found. It becomes a cost benefit analysis. How much will a security incident cost vs the cost of delaying the product? What are the odds a vulnerability gets exploited before they can find and patch it?

Internet connected appliances create busywork, imo. They don’t need those features, so the initial design takes more time, adds complexity, and then creates perpetual maintenance to keep things secure and working with the supporting backend services. All of this feels like needless theater to give customers something most don’t even want. I’ve never seen anyone excited about their biweekly TV update prompt.

YukiBits•1h ago
So in other words, it is pretty much hopeless to make secure software for computers connected to the internet or outside world that lasts long enough (and takes little maintenance). The reason being, because we cannot deal with complexity against all eventualities? Even if we have relatively simple abstractions and tools in place?

I can see that you may point to other areas of human engineering such as bridges, buildings, vehicles. All can fail given the right circumstances. I am not asking for an unbreakable engineering product. That seems to be rather impossible.

But I would still argue that the „security updates“ for engineering artifacts like bridges don’t need frequent „updates“ (i.e., maintenance, inspections).

Computers seem to be relatively more fragile unlike any analog engineering artifact in existence. Some soldiers still need to know how to navigate with a sextant, because computer systems seem inherently fragile.

I can think of software dependencies that break constantly (e.g., Scala, Python). Are you going to tell me that a bridge is more fragile than some Ruby package?

So in other words, how is it possible that anything having to do with computers is seemingly more prone to fail than a building, a bridge, a Cessna 172? Yes all those classic engineering artifacts need constant maintenance, but I would argue that it is unlike (modern) software.

So my point is the fragility of software seems to require more maintenance (i.e., security updates) than any other human engineering artifact.

That seems unfortunate. Software shall be rather something like a building (withstanding wind, earthquakes, …) and taking relatively low maintenance.

I just don’t understand why it requires frequent maintenance and „fixes“ within a given year. Your smartphone does, your Windows 11 computer does, your Samsung TV does. Your „smart“ vehicle does.

What is the ultimate reason that computer software cannot be like the other avenues of engineering?

Economic interests cannot be the sole culprit. Free software like Debian needs fixes too.
