by mnau 841 days ago
CVE DoS - aka denial of service through legislative/regulatory requirements instead of a technical attack - is going to be fun.

Edit: by that I mean filing bogus reports or just non-security-related CVEs. That is also the reason why a lot of projects are trying to register themselves as CNAs (see curl etc.).


It's going to be fun when companies pick Windows instead of Linux because it doesn't cause an awful-to-handle patch cycle in contexts where things have to work within some regulatory bounds (that make pointless updates cost a lot of time, effort and money, and maybe even cause risk to human life).
> It's going to be fun when companies pick Windows instead of Linux […] work within some regulatory bounds

You can get FuSa (functional safety)-certified Linux; to my knowledge this just does not exist for Windows. There may be other situations where the choice does exist, but considering Windows and Linux broadly equivalent in this context is not possible.

> maybe even cause risk to human life

Neither Windows nor Linux is, to my knowledge, certified for SoL (safety-of-life) applications. And no surprise, considering this is close to (but not quite) a mathematical proof that your system can't hang/crash/starve, which is pretty much impossible for anything beyond an RTOS with current tooling.

> You can get FuSa (functional safety) certified Linux;

And they're going to ask how much for the recertification after each CVE fix? I doubt that'd be cheap.

> Neither Windows nor Linux are, to my knowledge, certified for SoL (safety-of-life) applications.

I didn't have exactly SoL applications in mind; there are plenty of other situations where the stability of a system could cause a risk. Be it just an emergency call center server or a field laptop for looking up license plates: you can't leave them unpatched (especially with some of the new legislation), but downtime from poor updates could also be really bad.

> And they're going to ask how much for the recertification for each CVE fixed? I doubt that'd be cheap.

FIPS has created an off-kilter perception about "recertification" because it requires essentially the entire process when you change a single bit somewhere. Most certifications are not that harebrained.

Also, if you need "certified" Linux, you are either already spending resources on it yourself or paying someone else to do it. This might need adjusting for this new CVE practice, but it's going to be an adjustment and not a reset.

> […] can't leave them unpatched (especially with some of the new legislation) but also downtime from poor updates could be really bad.

Then pay someone to test and deliver.

> Then pay someone to test and deliver.

That's the thing: resources aren't infinite. Linux offloading that work elsewhere will not have a net positive effect.

The path of least resistance will be taken, which is going to mean proportionally less QA, if there was any to begin with.