- From: Alex Russell <slightlyoff@google.com>
- Date: Tue, 29 Jul 2014 17:57:47 -0700
- To: Larry Masinter <masinter@adobe.com>
- Cc: Marc Fawzi <marc.fawzi@gmail.com>, Noah Mendelsohn <nrm@arcanedomain.com>, Marcos Caceres <w3c@marcosc.com>, "www-tag@w3.org List" <www-tag@w3.org>
- Message-ID: <CANr5HFUTgxS-tZW=GfkA86qs4KaiTWEQzFg=OHf3stAt-GWrbg@mail.gmail.com>
On Tue, Jul 29, 2014 at 5:37 PM, Larry Masinter <masinter@adobe.com> wrote:

> Forget the financial industry, it's the cost of web access.
>
> Auto update is more expensive than no auto-update, by a great deal.
>
> Devices that auto-update are more expensive than those that don't.

This is true. But the counter-factual is broken: what's the cost of an insecure/pwn'd device? There was a time when we didn't have numbers on this...but that was a long time ago. Today, we know that TCO on a non-auto-updating Windows computer managed by a central administrator is many times that of an equivalently spec'd auto-updating ChromeOS device. Or even iOS device.

The cost of insecurity manifests itself in administrative overhead, licensing fees for IDS/IPS/AV software, and the relatively high price for remediating incidents on these platforms and devices. These costs *swamp* the incremental BOM price increase needed to account for the space to keep a second system image (e.g., a $35 ChromeCast device has auto-update...so can you).

> If web architecture presumes auto-update, if you encourage content authors to create content that presumes auto-update, then there are categories of users you disconnect.
>
> "root of all security evil": no, auto-update itself admits its own kind of evil
>
> "root of all developer-pain": no, it eliminates some pains and introduces others
>
> Larry
>
> --
>
> http://larry.masinter.net
>
> *From:* Marc Fawzi [mailto:marc.fawzi@gmail.com]
> *Sent:* Monday, July 28, 2014 10:39 PM
> *To:* Alex Russell
> *Cc:* Larry Masinter; Noah Mendelsohn; Marcos Caceres; www-tag@w3.org List
> *Subject:* Re: Food for thought (resurfacing)
>
> <<
>
> Antiquated systems without the ability to auto-update are the root of all security and developer-pain evil. They should either be forcibly disconnected from the network for everyone's good (a requirement which special configuration environments are often aligned with) or upgraded.
>
> >>
>
> Tell that to our high-recurring-revenue customers in the financial industry who have just upgraded from IE6 to IE8 and don't feel like upgrading again for as long as Windows 7 lives.
>
> The web standards process is too slow and too imperfect for tomorrow's world, which as we know is always approaching. Efforts like NiDIUM prove that innovation cannot be dictated by any one group of people (in this case W3C, TAG and the major vendors who lead them) and disasters like DRM on the Web (EME) are going to be countered by a new breed of browser vendors who don't believe in sticking to outdated paradigms like HTML/CSS which were designed for the world of hypertext documents, not for serious application development. There will be a time when major browser vendors will have to play catch up with the new emerging paradigms while carrying the burden of supporting the web's legacy technologies. Guess who's gonna win that race long term?
>
> The web does. Not the W3C, TAG et al. All these organizations are temporary constructs that have to find a niche place in the complex reality of tomorrow.
>
> Just a verbalized prediction. That's all.
>
> On Mon, Jul 28, 2014 at 10:02 PM, Alex Russell <slightlyoff@google.com> wrote:
>
> On Mon, Jul 28, 2014 at 5:21 PM, Larry Masinter <masinter@adobe.com> wrote:
>
> We're not to a fully auto-updating world yet, but are closer than ever before and the trend lines are good.
>
> I think the issue (about dynamically loading engines) isn't the number of players (one, three, or fifty) but the variety.
>
> Reality check please: Is that actually the real world, are the trend lines really that way?
>
> Yes it is.
>
> Or is it only if you are only looking at the auto-updating subset?
>
> Nope. Legacy clients are being replaced with auto-updating clients in general.
>
> And if it's true the whole world is really trending toward auto-update everything, is it unreservedly "good"?
>
> Yes. Yes it is. Old code is pwn'd code.
>
> Software updates tend to target (and are tested against) recent hardware and platforms.
> Software updates are disruptive. Updates fix old bugs but can introduce new ones.
> Software updates can be impractical in small-memory embedded systems or those with special configurations and requirements.
>
> Antiquated systems without the ability to auto-update are the root of all security and developer-pain evil. They should either be forcibly disconnected from the network for everyone's good (a requirement which special configuration environments are often aligned with) or upgraded.
>
> A fully auto-updating world, or one in which engines are dynamically loaded, is good for fully auto-updating / dynamically loading browser vendors (whether one or many), but not so good for end users of other applications.
>
> Given the last 10 years of web (in)security, we absolutely, positively, 100% know better. This might have been a reasonable argument in another age, but not today. The jury is no longer out.
Received on Wednesday, 30 July 2014 00:58:48 UTC