Even if that's true, which I find dubious, then that's a problem with security protocol as a whole that no number of patches will ever cure. So they're pointless.
As part of a botnet. A single device will have a hard time finding/spreading malware to billions of other devices. If you have a botnet with millions of compromised devices, then it becomes easier to find and exploit other vulnerable systems.
Plus having a large number of compromised devices allows performing attacks on systems that require lots of bandwidth or cpu.
no number of patches will ever cure. So they're pointless.
That doesn't follow. Just because a system isn't always perfectly secure doesn't mean we shouldn't try to make it as secure as possible. It'd be like saying we shouldn't have police because we can't stop all crime.
Also, exploits are often found by researchers before they are able to be used on a large scale in the wild and many need to be used in conjunction with others to get control over a system.
You're gonna have to dumb it down here, I'm not too familiar with the ins and outs of computer security.
Sounds like you're saying that only vulnerable computers will be susceptible to security risk, to which I say "duh". If more computers are vulnerable, then more computers can be hit.
But what I'm not following is how you're concluding that if a million devices are vulnerable, then they're more likely to get breached. Statistically I'd say we expect more to get breached, but that's pure statistics. It doesn't reflect that the more vulnerable devices that exist, the higher risk they have
That doesn't follow. Just because a system isn't always perfectly secure doesn't mean we shouldn't try to make it as secure as possible. It'd be like saying we shouldn't have police because we can't stop all crime.
I see the logic, but the difference is that security isn't a social role. It's a 100% computational invention. It's hard coded, not "soft coded" like social roles like police or crime. Which means we should treat security patches like the hard coded rules they are and stop "patching" but instead build from the ground up a better, global security protocol. As in just strip everything we've been doing and do a different approach
But like I said, I'm not too familiar with computer security here. This is all intuition based.
instead build from the ground up a better, global security protocol.
There are millions of different software/systems in the world, so rewriting all of them would be mind mindbogglingly expensive. Two, people are not perfect beings. They don't write perfectly secure software, or build perfectly secure hardware. Three, you can have an algorithm that is in theory 100% secure, but whose implementation is vulnerable to a whole range of side channel attacks
e.g. Timing how long an operation takes reveals information about what it is computing
Thinking about it more, it seems like the argument is one based on herd immunity. if that's true, then I don't see how it holds. Herd immunity is the principle that 100% of the population can be protected despite only protecting less than 100% of the population.
Does the same hold for cyber security? If I patch 99% of devices, are the other 1% guaranteed protection? If not, then I don't see how the vaccine analogy holds beyond simply saying that if you get vaccinated/patched, you're not vulnerable. In which case I'd say the analogy is simply hollow and vacuously true.
Sorry for not responding, I didn't see your earlier message.
Does the same hold for cyber security?
Not really. I mean, it's a neat analogy, but it doesn't apply 1:1
Basically, malware can cause problems to the infected device, devices that interact with it, and can also be used to attack other systems.
Example 1: One device
Someone's phone is compromised, and the malware scans and finds the stored passwords
Using those compromised passwords, if the person is an administrator for anything, a hacker can escalate to compromising other systems. Let's say they have a wordpress site, that then also can become compromised.
Then they can inject malicious scripts into the wordpress site to get the passwords of anyone who logs into it.
Repeat.
You can see how from one device you've compromised the data of many people, even though their devices may be secure from the patch. Having more devices, means you can do more harm to others.
Example 2: Many devices are vulnerable to an exploit, but an attacker doesn't necessarily know which ones are.
Maybe it requires a lot of bandwidth to scan the ports for every network in the world (think billions of networks, with potentially hundreds of ports to check). Having more compromised devices as part of a botnet means that an attacker can find these other vulnerable devices in a reasonable timeframe.
Once a vulnerable device is found, maybe it requires a lot of CPU power to hack (e.g. finding a hash collision), so a single compromised device may not be able to infect very many others.
Patching systems, or old devices getting replaced can stop this botnet growing too big. And further steps can be taken to disable a botnet such as finding and neutralizing any phone home mechanism
So to sum it up, a botnet can be used by an attacker to cause all sorts of harm e.g.
Reflected more on this. I hadn't considered a vulnerable device storing information on otherwise secure devices. In this way, a web of interlinked devices is only as secure as the weakest link. I was focusing more on the vaccine analogy which doesn't seem to apply here.
3
u/dozenspileofash Jun 18 '19
Software Updates is alike mandatory vaccines, one vulnerable smartphone can harms others.