Published in News

Patching vulnerabilities is useless

by on25 April 2022

The “Thoughts and Prayers” of the IT industry

Patching of vulnerabilities is the security industry's equivalent of sending “thoughts and prayers” to solve global catastrophes, according to a US security expert.

At recent online conference named Hack At The Harbor, Dave Aitel who used to work with the NSA said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems remained.

Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched.

He said that patches were like orange juice. For many years people had believed that it was the most useful part of one's morning meal. In the end, it had been found to be a source of too much sugar and something that made people obese, he added.

He slammed Microsoft and other big software vendors whom he said had done little to mitigate the problems posed by poor-quality software. He also criticised PHP for its numerous security problems.

Before Open Saucers start to get smug, Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind. The only OS he liked was ChromeOS.

Aitel called for vulnerability management, advocating the government as the best entity to handle this. His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.


Last modified on 25 April 2022
Rate this item
(1 Vote)

Read more about: