Update and Pray or Deprecate and Decay: The System Admin’s Dilemma TPS-0129

Date: 2024-04-16

Tags: security, software, device, cyber, patch, paradox, attack, dilemma, secure, passwords, code, vulnerabilities, attack-surface, paradoxical, malicious, hack, war, updates, target, open-source, firmware, files, encrypted, disks, design, administrator, weak, upgrade, updating, unpatched

Revised Transcript:
In the spirit of the precautionary principle, I will proceed with this paradox of being a system administrator, which, if you're familiar with that term, and that's your life, then you will know exactly what I'm talking about.

If you haven't heard that term, then you should go watch the original Tron, and then you will have sympathy for the art of system administration and all of the nuance and politics within that.

It's very well laid out in the characters, in the roles played in that film.

The paradox that I'm referring to is very present in the recent news cycle, because a major catastrophic extinction level event of open source software just occurred.

You could say that almost every day, almost every hour, there is always an existential list of threats that are looming at all times in cyber security. That's not fiction. That's the truth.

It's a miracle that we avoid total meltdown catastrophe day by day.

And a lot of people get hit by all kinds of different accidental and malicious cyber catastrophes.

But it's bigger than cyber security which reveals so much about human nature.

If you're a system administrator, you have this dilemma, this paradoxical dilemma that you live within at all times, which is: you're at war with the past, and you're at war with the future, because you can't stand still with the software stack that you use to operate whatever system it is that you administer.

Whether it's an IoT, Internet-connected device that has hard-coded default passwords and no ability to update the firmware, and so you're stuck adrift with whatever cyber security protocols, or lack thereof, went into the design of that device.

So it's basically got a "kick me" sign on it for the entire Internet to abuse.

Or you could be the most locked down, hardened, firewalled security operation center, monitored, pen tested, red teamed, purple teamed, blue teamed, whatever it is, all the above.

And you're always just one update away from being backdoored, trojanized, compromised, owned, pwned. They've got all these terms for it now.

You're damned if you do, you're damned if you don't.

What is it that we're talking about? We're talking about updating software.

You're damned if you do. And you're damned if you don't.

You're damned if you do. Because every time you update, you are praying that there is no accidental or malicious code in that update.

Imagine if you had God offering you to update and upgrade and patch and add features to and fix bugs and do security fixes on your DNA.

God came and said, I've got a new update for your entire phenotype, your entire expression of all of your genes in your body.

I can optimize all these things. I can add features, this can make you do this better, and can fix that defect and all those things.

I'm getting better and better. You don't have to wait to be reborn into a new body.

I can update your DNA right now. Would you like to click yes and go ahead and click through and download the updates?

What's the offer? I'm gonna have all these new features and, oh, you're gonna fix previous vulnerabilities and bugs that I wasn't even aware of.

Okay, well, what choice do I have? And that's where you get to the other side of the paradox, the dilemma.

What happens if you don't update? Oh, well, then, of course, all of those security vulnerabilities that are ostensibly going to be patched in the new update, they're just left out there in the open for the entire Internet to see.

So if anyone anywhere in the world, anywhere in the universe, who's connected to the Internet, they can poke around from a safe, encrypted distance in the dark Web.

They can scan you, they can find your weak vulnerabilities that you haven't patched from the update, and they can take advantage of them, and they can basically take full control in a lot of circumstances. There's no limit to the malice.

So there are very few circumstances where that paradox is inapplicable, no pun intended.

It goes to the joke that cyber security professionals use: the only thing that's secure is to turn it off.

Other than that, there is no security. Security is a moving target.

Good luck luxuriating in any sense of security for more than a nanosecond if you are Internet connected, because there's so many millions of lines of code in the stacks that we use and the dependencies that get pulled in and the open source code repositories that build the modern world that we take for granted.

One malicious actor who can, either by social hacking, or social engineering as it's often called...

But for the sake of this moment, I'll say you can hack people, or you can hack computers, or you can hack both.

But where there's a will, there's a way, and there are some smart people, way smarter than me, out there, and they're determined. There is no obstacle that they cannot surmount with their intelligence, the way that we've set up this world to be vulnerable by design, and to be at the mercy of this paradox: if you patch, you have to pray that you can trust the author of the patch.

If you don't patch, you have to pray that the gaping hole that's unpatched doesn't get exploited, even though it's glaring across the Internet.

The updates get faster and more frequent, because, well, obviously you would want them to. But then every time that happens, you risk what they might call a breaking change, or in the parlance of the cyber security community, you brick your device because the update failed.

That's why they say, plug in your phone before you do the update and the install, because if it quits, if it cuts out, if power's lost halfway through, God knows where it's gonna try to start from again if you boot up, and it was somewhere in between fixing the old system and installing the new one.

You could end up with a brick, a paperweight, an electronic technological marvel that is only able to be a paperweight at that point, because it's completely gone at the software, even the firmware, level.

It can happen really throughout. You can break a device and it can never be turned on again.

It can never be used again.

So if there is any respite from this paradoxical dilemma that we're all in, then some of the defenders, those whose job it is to respond to the incidents that occur as a result of this paradoxical dilemma of paradoxes, understand it in a very acute way, and I'm gaining an appreciation of it for myself as I move forward cautiously into the future.

Going back to what I said earlier, the only secure state is to turn something off.

Well, for most people, in most circumstances, who are not high level targets of advanced persistent threat actors, the next best thing to shutting it off is to not shut it off, but turn it on with the Internet disconnected.

The attack surface of an Internet-connected device while it's connected to the Internet is infinite. A device that could potentially be connected to the Internet but is only very strategically connected to the Internet for certain tasks, that device could be said to have a reduced attack surface, and what I would call a reduced temporal attack surface.

All the software and all of its code presents an array of attack surfaces that are pretty much always vulnerable while the machine is connected to the Internet.

But if you limit the duration of time that the device and all of its exposed attack surfaces are online, then you have a temporal lever, a temporal dial that you can work with.

So for me, there are devices that are Internet-connected more often, and others that are less Internet-connected in terms of the duration.

I do more sensitive operations on the devices that are, if not fully air-gapped, partially air-gapped, in the sense that they're almost never online, or it's impossible for them to be online.

There's a continuum, and we all probably have enough devices spanning a lifetime where you could even pull an old laptop out of a closet and say, I'm going to journal on this, never go online, only use floppy disks or old Zip disks, or a dedicated USB drive that I never do anything but back up files to.

Unless you're air-gapped, if you go online, you either invite the vampire in by doing the update that you're prompted to do, or give the vampire the skeleton key to everything that you hold dear in your digital life.

Because that's what software does. It just gives away skeleton keys to everything that's precious to you. It just gives them away. Even the most secure software.

There's no barrier to entry in devices that were encrypted with short passwords or simple passwords or passwords that are made of one dictionary word.

Now, what used to be that moving target of security, a difficult wall to scale, can now be knocked over by stepping on it. I don't know where the cyber security arms race is gonna end.

At this rate, all of the stars in the universe, their energy will be consumed to attack and secure your cat pictures.

It's disgusting. It's pathetic. It's absurd.

I'm laughing about it now, but it is really tragic.

You've got quantum computing threatening to crack all the encryption to everything, from e-commerce to our email to our files to everything.

So if there was ever a time to practice voluntary simplicity, you don't have to go out on the offensive and be a Luddite or be the Unabomber, but you might just, and don't take my word for it or take my advice, but just ponder, like the sound of one hand clapping, like a meditation.

Is it even possible to resolve this paradox, to patch or not to patch? That is the question that's on my mind.

But the only way I can be comfortable and sleep at night running software that isn't patched is to run it offline.

So that is something to ponder for your own cyber security lifestyle, whatever extent to which you choose to make it a priority in your life.