{"id":2267,"date":"2017-12-04T10:38:26","date_gmt":"2017-12-04T08:38:26","guid":{"rendered":"https:\/\/www.ofcourseimright.com\/?p=2267"},"modified":"2017-12-04T10:39:48","modified_gmt":"2017-12-04T08:39:48","slug":"where-a-bad-review-really-makes-for-poor-security","status":"publish","type":"post","link":"https:\/\/ofcourseimright.com\/?p=2267","title":{"rendered":"Where a bad review really makes for poor security"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-26\" src=\"https:\/\/www.ofcourseimright.com\/blog\/wp-content\/uploads\/2008\/06\/cybercrime.jpg\" alt=\"\" width=\"96\" height=\"132\" \/>Most consumers do not take the time to upgrade their devices simply because vendors want them to: there has to be something in it for me.\u00a0 <a href=\"https:\/\/apple.com\">Apple<\/a>, on the other hand, has been an exception.\u00a0 Studies have repeatedly shown that Apple users do regularly upgrade their phones.\u00a0 Just one month after release, their latest version was installed on <a href=\"https:\/\/developer.apple.com\/support\/app-store\/\">52% of their devices<\/a>.\u00a0 By comparison, summing <strong>all<\/strong> <a href=\"https:\/\/developer.android.com\/about\/dashboards\/index.html\">Android releases from 2015 to present gets you that same number, with the latest releases coming in around 20% of the total.<\/a><\/p>\n<p>This becomes a Big Deal when we start talking about vulnerabilities and zero-day exploits.\u00a0 If there is a bug in your device and it is running an older version of the code, and you do not update, then that device can be used to attack you or someone else.\u00a0 This is something that Microsoft learned the hard way in the last decade when it snuck in extra software in a security update, losing the trust and confidence of its users and their willingness to update.<\/p>\n<p>In his <a 
href=\"https:\/\/www.forbes.com\/sites\/gordonkelly\/2017\/12\/03\/apple-ios-11-2-release-should-you-upgrade\/#83f848d1d02e\">review<\/a>, Gordon Kelly has told his Forbes readers <strong>not<\/strong> to upgrade to the latest Apple iOS release precisely because it may be too risky, that the release itself was rushed.\u00a0 When considering release timing, any vendor always has to balance stability and testing against other feature availability and security.\u00a0 Apple may well have gotten the balance wrong this time.\u00a0 The review in and of itself harms cybersecurity, not because the reviewer is wrong, but because the result will be that fewer people will have corrected whatever vulnerabilities the release fixes (as of this writing information about what is fixed <a href=\"https:\/\/support.apple.com\/en-us\/HT201222\">hasn\u2019t been disclosed<\/a>).\u00a0 Moreover, such reviews reinforce a bad behavior: delaying upgrades.\u00a0 I call it a bad behavior because it puts others at risk.<\/p>\n<p>This isn\u2019t something that can be fixed with a magic wand.\u00a0 We certainly cannot fault Mr. 
Kelly for publishing his analysis and recommendations.\u00a0 If we wait for perfect security, we will never see another feature release.\u00a0 On the other hand, if things get too rushed, we see such bad reviews.\u00a0 Perhaps this argues that O\/S vendors like Apple and Google should continue to provide security-only releases that overlap their major releases, at least until they are stable, which is what other vendors such as <a href=\"https:\/\/www.microsoft.com\">Microsoft<\/a> and <a href=\"https:\/\/www.cisco.com\">Cisco<\/a> do.\u00a0 It costs money and people to support multiple releases, but it might be the right thing to do for the billions of devices that are each and every one a point of attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Releasing unstable software harms cybersecurity for everyone, not just those who install the product.<\/p>\n","protected":false},"author":172,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[87,9],"tags":[362,574,575],"class_list":["post-2267","post","type-post","status-publish","format-standard","hentry","category-internet","category-security","tag-cybersecurity","tag-patches","tag-stability"],"_links":{"self":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2267"}],"version-history":[{"count":4,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions"}],"predecessor-version":[{"id":2271,"href":
"https:\/\/ofcourseimright.com\/index.php?rest_route=\/wp\/v2\/posts\/2267\/revisions\/2271"}],"wp:attachment":[{"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ofcourseimright.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}