Chapter 4 — Bad Programs and Broken Locks
You trust your supply line. So does the enemy.
Part One taught you the ground — the domains, the terrain, the operator’s posture. Part Two is about the threats. We start with the one you carry in your pocket and invite in yourself, a dozen times a day, without ever once thinking about it.
Your software.
The principle
Every program on your device is something you trusted without inspecting it. That makes your software a supply line — and a supply line is exactly what an enemy poisons.
The supply line
A soldier in the field does not test every round of ammunition before he loads it. He does not chemically analyze the water or x-ray the rations. He cannot — he would never get anything done. He trusts the supply chain that put those things in his hands. That trust is not a weakness. It is the only way the work gets done at all. (You heard that already, in the chapter on trust. It keeps being true.)
But an enemy who cannot beat you in a straight fight has another option. He does not have to face your rifle. He can poison the well upstream — reach the supply line before it ever gets to you, and let you carry the harm in with your own two hands.
That is what “bad programs” and “broken locks” are: two ways your own supply line turns on you. Take them one at a time.
Bad programs — the poisoned well
A bad program is software that was hostile before you ever installed it. A fake app wearing a real one’s name and logo. A real app that was quietly tampered with. A poisoned update.
Here is the honest — and frankly reassuring — part. There is a gate. The official app stores guard it hard. In 2024 alone, Google blocked more than two million policy-violating apps from ever reaching its store; Apple rejected nearly two million submissions and pulled tens of thousands more for fraud. That is the gate, working, at enormous scale.
So the lesson is not “the gate is perfect.” It is this: there is a gate — and the moment you go around it, you have walked your supply line outside the wire. When something asks you to install an app from a text message, a link, a pop-up, a QR code — anything that is not the official store — that is the sound of someone inviting you around the gate. That is the moment to stop.
But there is one kind of bad program you cannot stop by being careful, and you need to know it exists so the next part makes sense. In 2020, a company called SolarWinds shipped a routine update to its own customers. The update was real. It was signed. It came from the actual company. And it had been poisoned far upstream — a hidden backdoor sewn into it by an intelligence service. Around eighteen thousand organizations installed that update themselves, with their own hands, including the United States Treasury. No amount of personal carefulness catches that. Hold that thought.
Broken locks — the patch gap
Now the other half, and it is different. A broken lock is not hostile software. It is just flawed software — and all software is flawed. Every program ever written has weaknesses in it that nobody noticed at the time. Over months and years, those weaknesses get found — sometimes by the good guys, sometimes by the bad ones. A discovered weakness is a broken lock on a door into your life.
When the good guys find one, the company builds a fix and sends it to you. That fix has a boring name. It is called an update.
This is the reframe that matters: an update is not a nag. It is a locksmith. It is someone showing up to fix a lock that is, right now, known to be broken.
And the timing is merciless. The moment a broken lock becomes public knowledge, the clock starts — and attackers are fast. These days they often have a working break-in built within days of a flaw being announced. Meanwhile, about four in ten people admit they put their updates off. So there is a gap — between the day the lock is known to be broken and the day you actually fix it — and that gap is simply the window in which you are standing there exposed. It is not a small problem. By one major yearly study, roughly one in five break-ins begins with an attacker walking straight through a software flaw — many of them flaws a fix had already been written for. The lock was repaired. The owner just had not installed it yet.
Which is it — update, or don’t?
So now you hold two facts that seem to fight each other. Poisoned updates exist — SolarWinds. And skipping updates is dangerous — the patch gap. So which is it?
You already know the answer, because it is the same answer as the trust chapter. You cannot inspect your whole supply line; nobody can. And refusing to trust it at all — never updating, to be “safe” — is not the safe choice. It is the worse one. It leaves every known broken lock in your house standing wide open, forever. The poisoned update is rare, and it usually aims at big targets. The unpatched lock is common, and it is aimed at everyone.
The move is the one you already learned: deliberate trust. Use the gate. Then patch fast.
Make it actionable
DRILL — THE LOCKSMITH STANDS READY
Make updates automatic, so the decision is never yours to forget:
Turn on automatic updates for your phone’s operating system, your apps, your computer — and the one almost everyone misses, your home router.
Install apps from the official store only. If a link, text, pop-up, or QR code wants to install something, that is a walk around the gate. Don’t take it.
Once a month, run a 60-second lock check: open the settings on your phone and your computer and confirm there is no update sitting there, waiting.
Where this goes
That is your supply line — the programs themselves. Next we look at the two things those programs ride on: the device in your hand, and the pipe it talks through. Both of them can be tapped.





