The Extended Security Updates program was first introduced for Windows 7
Present arm and leg for billing purposes
pinkie on finger: ONE MILLION DOLLARS
oh, maybe we should be asking for more
I sure would like to see a graph displaying the frequency of new vulnerabilities over their lifetime for all Windows versions (with timeline marks for end of support and end of extended support).
It must be thirty years since I last heard of a new boot sector virus. 20 years since the last Win98 virus. 10 years since the last XP virus. How many new Win7 viruses were detected five years ago? How many new Win10 viruses are detected per week, or month, today? What can we expect a year and a half from now? What can we expect at the end of the three-year-long Extended Security Updates, four and a half years from now?
That graph should display, for all Windows versions, not only the frequency of new viruses, but also the frequency of observations of those viruses in the wild. (For unknown reasons, boot sector viruses are never observed today.) Also, the graph should show the number of known but not (yet) fixed vulnerabilities over time. How many fixes were made during the Extended Security Updates period, for each Windows version? How many known vulnerabilities were never fixed?
Is paying the annual fee for new virus signature files for my old XP machine worth the money? Do I use that XP machine for surfing dubious web sites where it could pick up new infections? No, and no. How about my Win 10 machine after 2025-10-14 - worth the money?
Religious freedom is the freedom to say that two plus two make five.
That would be an interesting graph!
I would think that the two times a Windows version would be most vulnerable are when it’s active, and immediately after it goes off support. That’s when people would dig out the vulnerabilities they were saving for a while.
Probably a year after support ends, the attacks drop off sharply.
TTFN - Kent
trønderen wrote: for surfing dubious web sites where it could pick up new infections? I would say, that's what VMs are for.
M.D.V.
If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
trønderen wrote: for surfing dubious web sites where it could pick up new infections?
I would say, that's what VMs are for. Or the extended version:
trønderen wrote: for surfing dubious web sites where it could pick up new infections? No, and no.
I would say, that's what VMs are for.
So VMs are for not surfing dubious web sites where it could pick up new infections
Religious freedom is the freedom to say that two plus two make five.
Programming languages currently offer few defences against supply chain attacks where a malicious third-party library compromises a program.
I think they're called "write everything yourself"
Which is exactly what's done in any safety relevant industry.
Also, getting any OSS library to pass A-SPICE and MISRA is a pain in the ass, even worse if you must write them with built-in code path validation.
GCS/GE d--(d) s-/+ a C+++ U+++ P-- L+@ E-- W+++ N+ o+ K- w+++ O? M-- V? PS+ PE Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
The shortest horror story: On Error Resume Next
MSFT has made some subtle improvements to VS here.
One thing is now in the nuget management where you can explicitly source packages. So you can specify exactly where each nuget package should come from so that you lean on internal corporate nuget feeds instead of nuget.org.
You vet/add stuff to the corporate feed as needed. I think there will be more than a few bigger orgs pushing to insulate their supply chains like this and keep internal vetted copies of the dependencies that go into their builds. It should've always been that way.
Ancillary to this is protection in VS from source controlled repos being tampered with. Some supply chain attacks have happened because an attacker swapped the code in on the developer's machine so that the developer then committed the malicious code themselves.
You might notice the newish "confirm this repo is legit" dialog. There are a few different "triggers", mostly to do with domains, VPNs, and Windows security (like if you clone a repo under one account and then try to use it in VS with another account).
This doesn't prevent an ever-malicious/compromised pkg from use. It just prevents you from sucking a newly compromised dependency into your build chain by sourcing things from yourself (even if they aren't your things - because you previously grabbed and cached a good copy).
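The explicit package sourcing the post describes is NuGet's package source mapping, set in a nuget.config at the solution or repo root. The file below is an added example, not code from the post or from Microsoft; the feed URL nuget.example.corp and the exception package name are assumed placeholders. Without the packageSourceMapping section (the default, open setup), NuGet asks every listed source for every package ID, which is exactly what lets a freshly published look-alike on the public feed win over the vetted copy; with it, every ID is pinned to one feed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- nuget.config at the repo root (added example; feed URL and the
     exception package name are assumed placeholders). -->
<configuration>
  <packageSources>
    <!-- Discard sources inherited from user- and machine-level nuget.config
         files, so only the feeds listed here are ever consulted. -->
    <clear />
    <!-- Internal feed holding vetted, cached copies of every dependency. -->
    <add key="corp-feed" value="https://nuget.example.corp/v3/index.json" />
    <!-- Public feed, reachable only for IDs explicitly mapped to it below. -->
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>

  <!-- Open setup = no packageSourceMapping section at all: every source is
       queried for every package ID. Pinned setup: each ID resolves from
       exactly one feed, and restore fails for any ID no pattern covers. -->
  <packageSourceMapping>
    <!-- Catch-all: by default every package comes from the internal feed. -->
    <packageSource key="corp-feed">
      <package pattern="*" />
    </packageSource>
    <!-- Deliberate, reviewed exceptions. The most specific matching pattern
         wins, so an exact ID here overrides the "*" above for that ID only. -->
    <packageSource key="nuget.org">
      <package pattern="Example.PublicOnlyPackage" />
    </packageSource>
  </packageSourceMapping>
</configuration>
```

Package source mapping is honoured by NuGet 6 and later (dotnet restore and Visual Studio 2022); the `<clear />` matters because a developer's user-level nuget.config would otherwise silently add nuget.org back as an unmapped source. As the post says, this pins where packages come from; it does nothing about a package that was already malicious when it was vetted into the internal feed.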
I must say that I've never understood why people thought it was a good idea to drag in code from libraries (potentially buried multiple levels deep) without validating them. As someone said not too long ago: Do you know what's in your code?
It's exploits all the way down.
The whole thing of automated library imports that some language tooling pretty much seems to demand is beyond bizarre to my mind.
You mean we can’t trust that hyper-valuable is-odd library forever and ever? (1.7 million downloads/month, 108 depending libraries)
TTFN - Kent
You'd need a 122-key terminal keyboard to invoke the right keyboard combo. Because what else are you going to use it for?
As NASA noted on its 2017 eclipse website, the myth that eclipses will poison "any food that is prepared during the event" is prolific enough to require debunking.
Why we need to go extinct. An argument in one headline.
If there is a total eclipse during Lent / Ramadan / Fast / ..., and your religion allows you to eat after sunset, are you then allowed to eat during a total eclipse? Are you safe against the anger of your god if you choose to eat?
To eat, or not to eat, that is the question.
Religious freedom is the freedom to say that two plus two make five.
The Sun hasn't set; it's simply been hidden by another object.
It would make just as much sense to ask "if one is in the shade of a building during Lent / Ramadan / Fast ...".
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
Or if you are in the shade of the Earth? I do believe that the Earth counts as 'another object', although a large one.
Religious freedom is the freedom to say that two plus two make five.
Then they can simply not eat. I think the only creatures who think they'll starve during an eclipse are domestic cats.
Does this superstitious nonsense also apply to crops growing during an eclipse? How do I know that the food that I bought is Eclipse-free?
/s
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
I thought that Eclipse was particularly poisonous to certain types of coffee.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Maybe the dropoff in gamma radiation causes a sort of radiological vacuum which flips the molecules of banana bread to their other chiral forms and suddenly you're better off eating yellowcake.
The scathing report concludes that Microsoft’s security culture needs an overhaul.
Coulda, woulda, shoulda
But in their defense: AI!
When in doubt, AI!
Microsoft and Quantinuum correct problems when entangling pairs of qubits.
Uhm...good? Time to break out the gold stars and participation awards
Each of the six floors of Building 41 is themed after a stage in the development of computing.
They'll have to add a new floor for AI
I know I'm obtuse, but I never did notice that about the walls
Kent Sharkey wrote: They'll have to add a new floor for AI
They should make it build itself.