
Software should be more secure. However, I don't think it's realistic to expect bug-free, perfectly secure software. There is no field of engineering where 100% perfect tolerances are possible, and once you get past 99% the resource requirements to reach the next fraction of a percent quickly go non-linear.

This is why 1) Security patches will pretty much always be necessary and 2) relying on perfect software alone is insufficient. Other precautions also need to be taken to prevent or mitigate attacks. In this case, it appears the My Book attack requires the IP address of the device. That indicates that people impacted may have been running these networked in a way that exposed them or the relevant ports to the world, which is very bad security.



> There is no field of engineering where 100% perfect tolerances are possible

This is a false proposition.

All actual engineering professions I know of have processes, checks and balances to avert disasters and premature failures. No one expects all of the shingles to be perfectly straight or to have the same color, and occasionally a roof may have a bit of a leak, yet I think even a single 4-year-old roof developing a massive leak would be a big deal. Imagine the consequences if all 4- to 11-year-old red roofs from a large construction company collapsed or developed massive leaks overnight.

Neither bridges nor roofs keep standing because they are built perfectly, nor are all bugs security issues. Yet a single fatal flaw can bring a bridge down and a single off-by-one can be a root exploit.

We shouldn't expect perfect software, yet we also shouldn't need security updates (at least not often, and not on everything). WD's SW was fatally flawed and shouldn't have been released; WD should be responsible. SW "engineers" should be ashamed to be associated with such practices. I know I am.


Roof/building/bridge construction are things that have been around for thousands of years, and they still get things extremely wrong sometimes: look up the footbridge in London as an example; it needed the equivalent of a security patch. On the issue of roofs, it's also often recommended that you do annual roof inspections and maintenance, looking for potential issues.

Regardless, we're talking about security, so let's go to the actual real-world equivalent. Physical security. Is perfection possible there? Nope. Anything even remotely capable of surviving a sustained attack is going to cost an amount of money reserved for corporations and nations, not everyday consumers.

If you think the current quality of physical engineering is something we should hold up as a comparison to the security quality expected of software, let's compare notes in a few hundred years when programming reaches the same level of maturity.


> thousands of years

Maybe I should have used electrical installations as an example?

> real-world equivalent. Physical security

Physical security isn't a good analogue, because you don't have a line of hackers trying to get into your cupboard, and magically also into millions of other cupboards, closets and storage rooms, with near-zero marginal cost and an incomparably easy way to avoid getting caught.

Unlike physical security, perfect SW security is pretty much attainable (shocking, isn't it), with zero marginal cost (no cost to duplicate). Physical access, social manipulation etc. are physical security.

> footbridge in London

One bridge in 100, caught before it failed? Compared to all SW with network access and weekly updates.

We know how to engineer things so they are reasonably safe, we actually do it.

We also know many ways to make software much, much safer with only moderate investment, and some ways to make provably correct SW, and we do not care.


Exposing IoT to the world is (going to be) common with IPv6; not sure how much SLAAC privacy extensions and "temporary" (hours to days?) addresses help?
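As an added example (not from the thread or from WD), here is a short script showing why SLAAC privacy extensions do little for a device that is listening on a port. A classic SLAAC address embeds the interface's MAC as a modified EUI-64 identifier (RFC 4291 Appendix A), so it is stable and recoverable from the address; RFC 4941 temporary addresses are allocated in addition to that stable address and are meant for outbound connections, so an exposed service still answers at the predictable one. The prefix, MACs and addresses below are constructed sample data, and the `2001:db8::/64` prefix is the documentation range, not a real network.

```python
"""Illustrate EUI-64 SLAAC addresses versus random/temporary identifiers.

Added example, not code from the discussed product. All MACs, prefixes and
addresses are constructed sample values.
"""
import ipaddress
from typing import Optional


def eui64_iid(mac: str) -> bytes:
    """Return the 64-bit modified EUI-64 interface identifier for a MAC.

    RFC 4291 Appendix A: split the 48-bit MAC in the middle, insert 0xFFFE,
    and flip the universal/local bit (bit 1 of the first octet).
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:11:22:33:44:55")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Form the stable SLAAC address a host derives from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_iid(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None if the IID
    does not carry the 0xFFFE marker (e.g. a random temporary address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02  # undo the universal/local bit flip
    octets = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def classify(addr: str) -> str:
    """Say whether an address is predictable (MAC-derived) or random."""
    mac = mac_from_eui64(addr)
    if mac is not None:
        # Stable across reboots and networks; an attacker who knows the
        # vendor OUI only has to search 2**24 candidates per /64 rather
        # than 2**64, and the MAC also allows tracking across prefixes.
        return f"eui64: stable, derived from MAC {mac}"
    return "random iid: temporary (RFC 4941) or stable-privacy (RFC 7217)"


if __name__ == "__main__":
    prefix = "2001:db8::/64"          # documentation prefix, constructed
    stable = slaac_address(prefix, "00:11:22:33:44:55")
    # A privacy-extension temporary address lives next to the stable one;
    # this IID is just constructed random-looking sample data.
    temporary = "2001:db8::5c3a:9f1e:2b7d:1a60"
    for a in (str(stable), temporary):
        print(a, "->", classify(a))
```

The practical check on a Linux host is `ip -6 addr`: an address flagged `temporary` is the RFC 4941 one, and the other global address (`mngtmpaddr` or plain) is the one a listening service remains reachable at, whether it is EUI-64 or RFC 7217 stable-privacy. Privacy extensions change which source address outbound connections use; they do not remove the stable address, so the fix for an exposed device is still a firewall rule or not routing the port to the internet at all.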



