Hacker News

We're talking about herd immunity from viruses here. Imagine that there were a new deadly pandemic every few days. Should a human being, at that point, be allowed (by the social norms of their society, by law, whatever) to refuse to receive once-daily "vaccination updates"?



Yes. And it's a bit creepy you think the answer should be no.


Here’s maybe a less-fraught analogy: say you have an autonomous car. Assume that the car’s autonomous-driving algorithms prevent it from hitting a person or another car no matter who’s driving, but don’t prevent it from, say, knocking down a telephone pole, or colliding with one of the support posts holding up a bridge.

Now, do you have the right to own and drive this autonomous car around on public roads, if you’ve modified the car to be an “open server” where anyone can anonymously connect to it from anywhere on the Internet and drive it around?

And, if not, then what’s the difference between that modification, and knowingly driving the car when it has an unpatched vulnerability allowing people to do the same?

And if you find that there is no difference, then what’s the difference between a vulnerable car that can DDoS physical infrastructure, and a vulnerable PC that can DDoS virtual infrastructure?


The missing part of your analogy is that in a safety-critical scenario like that, there's no way that the update to the car would be delivered alongside a change to make the UI go dark at night or a completely-rewritten version of the entertainment system. The second something went wrong with such a bundled update, the manufacturer would be annihilated by regulators around the world and/or by a collapse in consumer confidence.

MS could deliver security updates separately from feature changes but chooses not to. The Tragedy of the Commons is that well-publicised incidents like this (and the trend of updates to consumer software, supposedly under the guise of enhancing security, to bring about significant changes in appearance and behaviour) make people less, not more, inclined to defer updates to all software, with the result that developers feel the urge to strong-arm users into updating.


This is a completely disingenuous analogy. While both cases do involve a tragedy of the commons, in the autonomous vehicle example there is an additional immediate and severe risk of bodily injury or death to a human.

The only justifiable reason for updates to be forced in the example with the vehicle is the physical danger that could otherwise result, and that simply doesn't exist in the example with the home computer. To my mind, the line of thinking you are engaging in here is a perfect example of the rampant authoritarianism that seems to be so rife in the computer security community these days.


That's a ridiculous analogy. What if vaccines really did have a high probability of causing autism? Would you still argue that they should be mandatory?

How about if there not only was no FDA approval process for the vaccines, but the pharma company itself didn't bother testing them?

Because that's Windows Update in a nutshell. Every couple of months somebody breaks into my house in the middle of the night, even though I locked my doors and windows and posted a no-trespassing sign, and pokes me with a needle... and I'm supposed to just sit there and take it in the name of "security."


Two separate issues: if you first agree that herd immunity from an infinite stream of "zero-day pandemics" would require daily vaccinations, then you would turn around and demand that there be laws about what these vaccinations must be composed of, and how they be tested, to de-risk them as much as possible.

Imagine what the FDA already does, and then imagine that they were verifying a drug that would be given to every person in the country. There'd be a crazy strenuous verification system for that.


> Imagine what the FDA already does, and then imagine that they were verifying a drug that would be given to every person in the country. There'd be a crazy strenuous verification system for that.

And that's a big part of the problem. Not only is there no 'FDA' to test these patches -- nor should there be -- but the manufacturer evidently doesn't test them either. They fired their QA personnel a few years ago, so that's now our (unpaid) job as users.

Even worse, there are some indications that this particular bug was discovered and reported by insider program members and actively ignored by the company.

Windows Update is apparently the team where Microsoft employs their B- and C-level players and managers. That's not OK. If you're going to insert yourself forcefully into everyone's critical path, you'd better know what you're doing.


I remember a memorable comment here that went something like "Windows updates are like vaccinations that have a high chance of making you blind, grow an extra ear, or turn your skin green."

Besides, if you look at what sorts of vulnerabilities they're actually patching, the majority of them require local access anyway; remotely-exploitable-by-default ones (fortunately) tend to be few and far between.


The point of herd immunity is to protect people that can't be vaccinated. Even if you would force people to be immunized, it wouldn't be necessary to apply the same to computers. Vulnerable computers can't rely on herd immunity, and you'll have botnets whether or not updates are mandatory.
