How many are asking: what's security?
We are happy to announce that we just published an early preview of support for testing Native AOT with MSTest, and we welcome all of you to try it. Because it's always a good idea to test your code ahead of time
You'd think they'd AOT the definition of AOT rather than after the 5th use of the term in 2 paragraphs.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
I’m begging you for the benefit of everyone, don’t be STUPID.
Amazon Fresh is moving away from a feature of its grocery stores where customers could skip checkout altogether. You apparently can't check out any time you want
"Though it seemed completely automated, Just Walk Out relied on more than 1,000 people in India watching and labeling videos to ensure accurate checkouts. The cashiers were simply moved off-site, and they watched you as you shopped." <-- corporate "brilliance" at its worst
What the absolute flying fracklebunnies!? Here I was thinking it was fully automated, clever AI, image recognition, etc. But no, it was Indian people watching every single item that every single customer picked up! That is utterly, utterly barking mad.
If they were supposed to be training AI then it would seem that it didn't learn.
And they are keeping 'Just Walk Out' in some locations. So do they still have some Indian guys watching those ones?
This makes me think of the opening line(s) of this tune.
Max Webster - Check - YouTube
"the debugger doesn't tell me anything because this code compiles just fine" - random QA comment
"Facebook is where you tell lies to your friends. Twitter is where you tell the truth to strangers." - chriselst
"I don't drink any more... then again, I don't drink any less." - Mike Mullikin's uncle
And the CEO will get a bonus worth more than all of those Indians were paid in a year 🤬...
Kroger/Smith's tried their new idea--check out as you go--and dropped it. Almost nobody used it (aside from us nerds).
The girls at Dollar General told me they are ditching self checkouts.
It may not be chain-wide but more regional, like locking up deodorant or whatever. These stores around here don't tend to do the stupid locking stuff up because people don't tend to steal. But that stereotype was challenged by self-checkouts. This is "interesting"... because why? They didn't steal before (evidenced by the typical stuff not being locked up).
Do self-checkouts make people so angry they forsake a bit of morality in acts of retail theft vengeance?
Did "just walk out" make people who'd otherwise not steal want to find ways to "get away with it"?
We are all part of something bigger and our best selves pass through those that support us. Help me come up with a good blurb?
Even John, Paul, George and Ringo knew that.
I’ve given up trying to be calm. However, I am open to feeling slightly less agitated.
I’m begging you for the benefit of everyone, don’t be STUPID.
"Hey Siri! How can my best self pass through those that support me? That seems a little ... um ... awkward?"
<those that support us>: Is it in yet?
The Extended Security Updates program was first introduced for Windows 7
Present arm and leg for billing purposes
pinkie on finger: ONE MILLION DOLLARS
oh, maybe we should be asking for more
I sure would like to see a graph displaying the frequency of new vulnerabilities over their lifetime for all Windows versions (with timeline marks for end of support and end of extended support).
It must be thirty years since I last heard of a new boot sector virus. 20 years since the last Win98 virus. 10 years since the last XP virus. How many new Win7 viruses were detected five years ago? How many new Win10 viruses are detected per week, or month, today? What can we expect a year and a half from now? What can we expect at the end of the three year long Extended Security Updates, four and a half years from now?
That graph should display, for all Windows versions, not only the frequency of new viruses, but also the frequency of observations of those viruses in the wild. (For unknown reasons, boot sector viruses are never observed today.) Also, the graph should show the number of known but not (yet) fixed vulnerabilities over time. How many fixes were made during the Extended Security Updates period, for each Windows version? How many known vulnerabilities were never fixed?
Is paying the annual fee for new virus signature files for my old XP machine worth the money? Do I use that XP machine for surfing dubious web sites where it could pick up new infections? No, and no. How about my Win 10 machine after 2025-10-14 - worth the money?
Religious freedom is the freedom to say that two plus two make five.
That would be an interesting graph!
I would think that the two times a Windows version would be most vulnerable are when it’s active, and immediately after it goes off support. That’s when people would dig out the vulnerabilities they were saving for a while.
Probably a year after support ends, the attacks drop off sharply.
TTFN - Kent
trønderen wrote: for surfing dubious web sites where it could pick up new infections?
I would say, that's what VMs are for.
M.D.V.
If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
trønderen wrote: for surfing dubious web sites where it could pick up new infections?
I would say, that's what VMs are for. Or the extended version:
trønderen wrote: for surfing dubious web sites where it could pick up new infections? No, and no.
I would say, that's what VMs are for.
So VMs are for not surfing dubious web sites where it could pick up new infections
Religious freedom is the freedom to say that two plus two make five.
Programming languages currently offer few defences against supply chain attacks where a malicious third-party library compromises a program. I think they're called "write everything yourself".
Which is exactly what's done in any safety relevant industry.
Also, getting any OSS library to pass A-SPICE and MISRA is a pain in the ass, even worse if you must write them with built-in code path validation.
GCS/GE d--(d) s-/+ a C+++ U+++ P-- L+@ E-- W+++ N+ o+ K- w+++ O? M-- V? PS+ PE Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
The shortest horror story: On Error Resume Next
MSFT has made some subtle improvements to VS here.
One thing is now in the nuget management where you can explicitly source packages. So you can specify exactly where each nuget package should come from so that you lean on internal corporate nuget feeds instead of nuget.org.
You vet/add stuff to the corporate feed as needed. I think there will be more than a few bigger orgs pushing to insulate their supply chains like this and keep internal vetted copies of the dependencies that go into their builds. It should've always been that way.
Ancillary to this is protection in VS from source controlled repos being tampered with. Some supply chain attacks have happened because an attacker swapped the code in on the developer's machine so that the developer then committed the malicious code themselves.
You might notice the newish "confirm this repo is legit" dialog. There are a few different "triggers", mostly to do with domains, VPNs, and Windows security (like if you clone a repo under one account and then try to use it in VS with another account).
This doesn't prevent an ever-malicious/compromised pkg from use. It just prevents you from sucking a newly compromised dependency into your build chain by sourcing things from yourself (even if they aren't your things - because you previously grabbed and cached a good copy).
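As an added illustration of the "explicitly source packages" setup described in the post above (this is constructed example configuration, not the poster's or Microsoft's own; the internal feed URL is a placeholder), a nuget.config that uses NuGet package source mapping so every package must resolve from the vetted corporate feed, with nuget.org defined but mapped to nothing:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <!-- Drop any sources inherited from user/machine-level configs so
         only the ones listed here are in play for this repo. -->
    <clear />
    <!-- Placeholder URL for the internal feed holding vetted copies. -->
    <add key="corp-feed" value="https://nuget.example.internal/v3/index.json" />
    <!-- Public feed kept as a named source, but see the mapping below:
         no pattern points at it, so restore never pulls from it. -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>

  <packageSourceMapping>
    <!-- Every package ID must match a pattern under exactly one source.
         A package with no matching pattern fails restore instead of
         silently falling back to another feed. -->
    <packageSource key="corp-feed">
      <package pattern="*" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

Pairing this with a committed packages.lock.json (set RestorePackagesWithLockFile and RestoreLockedMode in the project) additionally pins the resolved versions and content hashes, so a freshly published upstream version cannot enter the build until someone deliberately updates the lock file.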
I must say that I've never understood why people thought it was a good idea to drag in code from libraries (potentially buried multiple levels deep) without validating them. As someone said not too long ago: Do you know what's in your code?
It's exploits all the way down.
The whole thing of automated library imports that some language tooling pretty much seems to demand is beyond bizarre to my mind.
You mean we can’t trust that hyper-valuable is-odd library forever and ever? (1.7 million downloads/month, 108 depending libraries)
TTFN - Kent
You'd need a 122-key terminal keyboard to invoke the right keyboard combo. Because what else are you going to use it for?