If you ever audit the IT infrastructure for a large hospital, you will learn a few really bad things. I am under NDA, though.
Inventory. Some companies stock spare parts for decades.
No. It could, but these are not tied together.
There are always some power-hungry fuckups that do it. At least these here are obvious about it, unlike the NSA, the GCHQ and other groups of no ethics whatsoever.
You think there is no malware and there are no attacks in LANs?
Not all of them, no. Development cycles can easily force use of a CPU already a few years old.
Don't ask me, I most definitely would not do that. But these devices are out there and in use.
So you think that, for example, cars, planes, backhoes, factory machinery, etc. should all be thrown away after 10 years? But you are missing the point: Win7 has support until 2020. MS just cut that short for some relevant user group and without warning and _that_ is the problem.
"Should" does not help when the reality is different and already established.
Indeed. They should have used a proper embedded OS, like a hardened and customized Linux, for example, or one of the other options. Windows is the least suitable option, and not only for its lack of long-term support.
The anti-Linux faction is stupid. They do not understand your argument. The drivers would come from the people designing the hardware anyways, so the problem is irrelevant. Multimedia capabilities are irrelevant as well, as everything would be custom-built anyways. The whole thing is a straw man, because they actually do not have any arguments besides "Linux is not a good gaming OS".
a) The drivers would be provided from the people providing the hardware. Writing Linux drivers is not any harder than writing Windows drivers.
b) You don't run games on an MRI machine.
Sure. But that mistake is made in practice because it needs to be cheap (i.e. cheap coders and they can only do Windows) and a screw-up like this does not legally count as negligence or violation of best practices.
Not importance-wise. Likely applications that will be networked are medical imaging, display boards, some measurement equipment, SCADA system front-ends, etc. This is a real fail on their part and, if it were up to me, they would be liable for any and all damage they cause.
You are forgetting about embedded systems. An MRI-machine, for example, has a lifetime of > 20 years.
Embedded systems like medical equipment, displays, measurement equipment, etc.
Sure, most people do not run Win7 on computers that old. But there are embedded systems like displays, measurement equipment, medical equipment, etc. that will be affected by this and MS was fine doing this deceptively and without warning and without giving people time to make arrangements. They also did it _while_ these systems are officially compliant with the Win7 minimum requirements. That is just completely unacceptable, but so very much like MS. No honor, no care for the customer, just always after the biggest profit they can get for cheap.
First, fuzzing timers is difficult to do securely. If an attacker can figure out the fuzzing sequence, they can use fuzzed timers without problems. If an attacker can measure the fuzzing in parallel, the same applies. And second, it usually just means measurements take longer, unless you actually quantify time coarse-grain for everything (again, difficult to do and even more difficult to do securely).
Basically, preventing precise time measurements is a dead end as a security measure. Sure, may take a little longer to generate exploit code, but it will still be possible. The only sane stance is that attackers will have precise time measurement available.
1. WebAssembly is a compressed and simplified version of JavaScript. Anything you can do in WebAssembly, you can do in JavaScript.
While theoretically true, it may not be in practice. For example, if taking the time precisely enough takes a few seconds in WebAssembly, but a few months in JavaScript, then one attack is valid and a threat, while the other is not in most circumstances. Efficiency does matter to security.
Engineers call it a bad fuckup, probably caused by marketing demanding speed over everything else.
If your security is dependent on preventing precise time measurements, it is broken anyways. You can always measure time precisely in some fashion, may just take a little longer. But thanks for the info. I suspected as much, but now I can do without reading the article.
Not here, not before it runs fvwm on X on Linux.
Yeah, probably. Or maybe some religion did suffer by people doing something they actually enjoy instead of compulsively praying to some irrational fantasy.
Follow the money. There are enough "experts" that are up for sale to justify anything if the price is right.
There is no doubt some experts were involved. There is extreme doubt these experts were actually qualified experts for the question at hand. The whole thing sounds like political decision-making by committee, not by anything even remotely resembling a valid scientific process.
Simple: Not many people do actually suffer it and the low numbers are not enough to support a nice, self-aggrandizing panic. Hence the criteria had to be specially hand-crafted to identify more "sick" people.