by coldtea
2586 days ago
>Not a single one of these vulnerabilities has been used to cause any measurable damage anywhere that we know of, whereas the mitigations deployed have significant costs that everyone must pay.

That's like saying: "nobody was drowned that we know of, whereas there was a significant cost to building the dam that everyone paid". (And also not dissimilar to arguments about doing no major industry/lifestyle changes regarding climate change). It's exactly because there were mitigations relatively quickly deployed that we didn't have a "hack em all" exploit doing the rounds in hundreds of millions of devices. The difficulty of exploiting also gave some leeway to deploying those mitigations.
|
It is very dissimilar indeed - the sentence you quoted does not constitute an argument by itself. It is an observation regarding the present state of affairs (which you have not disputed), which to me indicates a need to take a breath and do a reasoned cost/benefit analysis as opposed to the hysterical "this must be fixed at any cost, externalities be damned" mindset that is fairly common in many circles.
If you really want a climate change analogy, though, consider this - however many mitigating workarounds you invent, as long as speculative execution exists there will always be side channel attacks, and eventually some of them will probably succeed to some extent. Perhaps, as you noted, some major industry/lifestyle changes are indeed in order - people could stop living in the delusion that a perfect sandbox is possible and realize that arbitrary code execution will always entail risks. Rather than turning every website into a potential security risk, perhaps it is our approach to software (rather than hardware) that needs re-evaluation.