XPost: alt.comp.os.windows-10   
   From: Newyana2@invalid.nospam   
      
   "Carlos E.R."  wrote   
      
   | >    That's addressing how to develop software. But then there's   
   | > the point at which the software is done, thoroughly tested,   
   | > and put to use. It needs to be well designed and stable. It   
   | > needs to do what people need. Then it needs to stay put.   
   |   
   | Software is never done.   
   |   
      
     The normalization of that view is what's led to the acceptance   
   of a seat-of-the-pants rolling beta approach. Your statement   
   has no context. A lot of software is more than done. If the   
   software does what you need and it's stable, why would you   
   dump it for something else? The software I use is done. Much   
   of it is 25 years old. It works dependably. It doesn't need   
   security patches.   
      
    J.O. makes a valid case for security with software that goes online.   
   OK. (Even though that's rather ironic in this particular thread.)   
   But security isn't just a matter of putting fingers in the dike once   
   a week. It's about making a solid product in the first place and   
   then dealing with risk.   
      
     For instance, Firefox updates about every 10 days. Why?   
   They're trying to keep up with Chrome. They have developers   
   who need to get paid. They need to justify spending $500   
   million/year. And, yes, there are security patches. So, many of   
   the reasons for updates are not legit. The result is a wildly   
   bloated mess with settings like musical chairs and a prefs   
   file that hasn't been properly cleaned up since Netscape. It   
   just keeps growing, full of indecipherable and largely   
   undocumented settings. That's rolling beta.   
      
       At the same time, Mozilla can't be held fully accountable for   
   online security. It's not just about making sure they patch the   
   latest 0-day. The entire medium of networking and online   
   functionality is faulty.   
      We're accepting high-risk script and remote communication   
   for frictionless shopping and datamining. A lot of pages I visit now   
   show me a message that "javascript is required for this app." Yes.   
   Javascript from a dozen sources. That's not a webpage. It's   
   a medium-sized, obfuscated, executable software program that   
   I'm expected to download and run... Pretending that it's about   
   getting the latest patch is not being willing to face the problem.   
      
     Today at Slashdot there's an article about how 73 million   
   AT&T customers have had their account info and personal data   
   posted on the so-called dark web. The data is 5 years old, but   
   most of it is likely still valid. How did it get stolen? They don't   
   know. But AT&T clearly have that database internet-connected,   
   and their "business partners" have access. So how could the   
   data NOT be stolen? These kinds of reports come out almost   
   daily. Then people mutter about more salt and pepper needed.   
   The solution is not technical. It's logistical.   
      
      When will we really look at that? What will it take? What if   
   some teenager manages to cause a 3,700 car pile-up on July   
   4th weekend by hacking into car telematics? Would that make   
   us think twice, or will everyone just talk about how we need   
   to fix the vulnerability that the teenager exploited? What will   
   it take to see that cars should not be network connected and   
   things that are network-connected should not be executing   
   remote code?   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)