Ask HN: Is Security Just Busywork?

2•YukiBits•1w ago

How many devices with computers (i.e., embedded systems) need regular updates? My microwave oven, dishwasher, and coffee machine don’t need an (firmware) update. Why can’t we just write software like firmware once and run it indefinitely like we do with embedded systems? Why can’t I connect a Windows XP computer to the internet? I mean because it gets malware, yes. But why is an internet connection such a threat to software like operating systems? Everything connected to the internet seems to require constant „security“ updates. Once those security updates come to a stop, you suddenly cannot safely use your device on an internet connection.

Why is it not possible to have software written without constantly updating its „security“?

Is „security“ just a form of collective busywork, or is it really justified and necessary?

The internet seems to make every computer insecure. Is it by (inherit) design or by choice? Is the culprit indirection (i.e, abstraction)? Are CPUs inherently insecure? Does it mean that layers of indirection are inherently harmful? What is ultimately causing this? Please don’t say anything along the lines of „policemen need criminals to justify their jobs“.

Is there even a computer system that can be connected to the internet that does not require any updates? Don’t say mechanical computers, or a calculator please, or a Turing machine, please.

What is the ultimate reason for the constant need of security updates when it comes to computers connected to the internet?

I mean, I am aware that you can inject malware with a USB pen drive or any external device that can be connected to the computer. But why are computers so fragile when connected in any shape or form to the „outside world“?

Why so fragile?

Comments

Bender•1w ago

Is Security Just Busywork?

No. They build a thing and expect money. Customers do not have a binding contract with most of these vendors and there is no expectation that they will make any effort to protect you or your family thus it is currently on the consumer to protect themselves from their internet connected devices. Strict legislation in every country with serious consequences would be required to change this. That or cutting on trade with countries that harm consumers and that is a high bar to meet. Not likely to happen.

al_borland•1w ago

My microwave and dishwasher don’t need updates because they don’t connect to the internet and they are also very simple machines. They essentially run pre-programmed processes centered around a timer.

Internet connected computers have complexity that is several orders of magnitude greater than those simple appliances. This is much harder to get right and test every possibility. The internet allows access for people to exploit those untested or unhandled possibilities.

On top of that, the very ability to update remotely lets companies prioritize release dates over completeness, because they can ship it and update it later if anything is found. It becomes a cost benefit analysis. How much will a security incident cost vs the cost of delaying the product? What are the odds a vulnerability gets exploited before they can find and patch it?

Internet connected appliances create busywork, imo. They don’t need those features, so the initial design takes more time, adds complexity, and then creates perpetual maintenance to keep things secure and working with the supporting backend services. All of this feels like needless theater to give customers something most don’t even want. I’ve never seen anyone excited about their biweekly TV update prompt.

YukiBits•1w ago

So in other words, it is pretty much hopeless to make secure software for computers connected to the internet or outside world that lasts long enough (and takes little maintenance). The reason being, because we cannot deal with complexity against all eventualities? Even if we have relatively simple abstractions and tools in place?

I can see that you may point to other areas of human engineering such as bridges, buildings, vehicles. All can fail given the right circumstances. I am not asking for an unbreakable engineering product. That seems to be rather impossible.

But I would still argue that the „security updates“ for engineering artifacts like bridges don’t need frequent „updates“ (i.e., maintenance, inspections).

Computers seem to be relatively more fragile unlike any analog engineering artifact in existence. Some soldiers still need to know how to navigate with a sextant, because computer systems seem inherently fragile.

I can think of software dependencies that break constantly (e.g., Scala, Python). Are you going to tell me that a bridge is more fragile than some Ruby package?

So in other words, how is it possible that anything having to do with computers is seemingly more prone to fail than a building, a bridge, a Cessna 172? Yes all those classic engineering artifacts need constant maintenance, but I would argue that it is unlike (modern) software.

So my point is the fragility of software seems to require more maintenance (i.e., security updates) than any other human engineering artifact.

That seems unfortunate. Software shall be rather something like a building (withstanding wind, earthquakes, …) and taking relatively low maintenance.

I just don’t understand why it requires frequent maintenance and „fixes“ within a given year. Your smartphone does, your Windows 11 computer does, your Samsung TV does. Your „smart“ vehicle does.

What is the ultimate reason that computer software cannot be like the other avenues of engineering?

Economic interests cannot be the sole culprit. Free software like Debian needs fixes too.

al_borland•1w ago

I don’t think you can dismiss the maintenance required on buildings and bridges so easily. Bridges must be continuously repainted to avoid corrosion, for example. Nature will overtake buildings, bridges, and anything we make. Concrete cracks and plants grow through it. Our entire infrastructure is a never ending battle to control nature’s relentless push to expand.

Software, on the other hand, is durable. I can download and run software that was written 40 years ago and it still works exactly the same, with 0 maintenance. Leave a bridge or building alone for 40 years and see what happens.

With software, the battle isn’t against nature, it’s against humans with bad intent. Once something is no longer popular, it tends to not be much of a target anymore.

The constant updates are in part for security, as it’s a cat and mouse game. The updates are also to keep this feeling fresh and relevant, so people don’t move on to something new that seems to be getting better support… much like painting the bridge and changing the landscaping outside a building. This shows the people using it that it is cared for and keeps it feeling useful.

I maintained a simple website at work for 15 years. Had I not made little tweaks over time, people would have filled the gaps with other tools and it would have fallen into irrelevance. Because I made these little updates to keep it relevant, people kept using it and didn’t seek out other solutions to fill the gaps.

Some may see some of this as busy work, but it only truly becomes busy work if the system is perfect and they keep working on it to the point of making it worse, just to have something to do.

Maple Mono: Smooth your coding flow

Sid Meier's System for Real-Time Music Composition and Synthesis

Show HN: Slop News – HN front page now, but it's all slop

Show HN: Empusa – Visual debugger to catch and resume AI agent retry loops

Show HN: Bitcoin wallet on NXP SE050 secure element, Tor-only open source

White House Explores Opening Antitrust Probe on Homebuilders

Show HN: MindDraft – AI task app with smart actions and auto expense tracking

How do you estimate AI app development costs accurately?

Going Through Snowden Documents, Part 5

Show HN: MCP Server for TradeStation

Canada unveils auto industry plan in latest pivot away from US

The essential Reinhold Niebuhr: selected essays and addresses

Rentahuman.ai Turns Humans into On-Demand Labor for AI Agents

StovexGlobal – Compliance Gaps to Note

Show HN: Afelyon – Turns Jira tickets into production-ready PRs (multi-repo)

Trump says America should move on from Epstein – it may not be that easy

Tiny Clippy – A native Office Assistant built in Rust and egui

LegalArgumentException: From Courtrooms to Clojure – Sen [video]

US moves to deport 5-year-old detained in Minnesota

If you lose your passport in Austria, head for McDonald's Golden Arches

Show HN: Mermaid Formatter – CLI and library to auto-format Mermaid diagrams

RFCs vs. READMEs: The Evolution of Protocols

Kanchipuram Saris and Thinking Machines

Chinese chemical supplier causes global baby formula recall

I've used AI to write 100% of my code for a year as an engineer

Looking for 4 Autistic Co-Founders for AI Startup (Equity-Based)

AI-native capabilities, a new API Catalog, and updated plans and pricing

What changed in tech from 2010 to 2020?

From Human Ergonomics to Agent Ergonomics

Advanced Inertial Reference Sphere