
> The only option is to buy a whole new kit which is a stupid waste of money.

...and running unsecured operating systems is what?

Let's say your front doors stopped locking one day. Is it a waste of money to solve the problem, even if that meant replacing the entire door?



In a lab that does clinical work, replacing a single instrument could mean having to re-validate all the tests the lab does, update protocols, get inspections from regulatory bodies, etc... it requires people to spend large amounts of time not doing their "regular" jobs.


Designing a system that is secure is part of the job. Accurately estimating the total cost of ownership is also part of the job.

Ultimately project management and ownership is responsible, but they won't be interested if we don't make our expectations clear.

Downvoting this sort of opinion is just saying it's too expensive to secure some things. To me that means we can't afford to computerize some things in the first place, at least not with the chosen tech stacks.


It depends on how you use the machine and how cautious you are. I ran an un-updated XP machine for 10 years and was never infected by anything.

OTOH, the people in the other departments (running up-to-date machines) fell multiple times for malicious email attachments while our developers department was never infected despite the fact we download stuff from the Internet on a regular basis (be it for libraries or tools) - stuff that doesn't even need sneaky means to get executed. Yet we are in theory subject to the "no software installation without permission from IT dept." internal rule.

So if those machines in that lab don't run an email client and are not used to browse the Internet, they are actually quite safe. The only threats that remain are worms spawning from local infected machines or infected USB pen drives.

The thing is, security can quickly become an unhealthy topic. It's so damn easy to FUD people.

My "new" Win7 machine has this "security advisory" that pops up every time I copy a file from/to a network drive that says "this file can damage the computer" even when it's a freaking text file - and I do that all the time (BTW imagine what mental model of security it generates in the mind of non-technical people - it's not protection or education, it's fearmongering).

So I went to disable this warning but I then paused for a moment, thinking - what if one day I make an actual mistake and get infected? Will I be blamed for disabling it?

It's so damn easy to say, "if you don't follow this PITA security measure, you will be held responsible for the consequences". I admit that like many I would submit to that. There's no point in gambling my job on this after all, and I have better things to do.

I think that the cyber-security topic needs to be sanitized. And the first thing to do would be to tell weekend security consultants, who don't understand a thing about security contexts and threat assessment, to keep quiet a little so that people that are actually in charge of cyber-security can listen and learn from actual experts.


You seem to be reading way more into my comment than was intended.

I'm just saying it's not cheaper to ignore technical debt. It's actually a bug somewhere in the operational budget or business plan.

If the system should run for thirty years without an OS upgrade, design and budget for that up front. I promise that no one considered that when they configured a Windows XP box and threw it in a lab somewhere. And, hey, maybe that's OK in the short run. But there was no budget or business plan to replace those systems down the line either.



