Win11 with the TPM requirement is part of their control ratchet. Microsoft's gameplan is not new, nor is it super secret. They've been ratcheting up signing control. Meanwhile all their competitors fully own the app install process and earn those juicy 30% fees.
Put another way, if it sounds like a duck and walks like a duck: do you really think Microsoft isn't envious of the app store?
The security arguments are dubious at best. Seems closer to direct vendor/platform lock-in.
Games like Valorant now require a TPM 2.0 chip to run. Why? It's a videogame. Why does it need to be locked down to Windows only? How long before all sorts of software get vendor locked in like this? Same kind of bs that happens on Android, SafetyNet and root. How is this not a ratchet for vendor control?
Also screw security if it means planned obsolescence. Microsoft has basically declared every machine before 8th gen Intel and Zen 2 obsolete in 5 years' time. Why? Those machines are perfectly usable and fast.
Would this be the same cost if it were a point release (or service pack, what's the proper terminology in MS world?) rather than a major version release?
Unfortunately not. Judging security is actually really hard! But CVSS is essentially a useless number in every sense, and number of CVEs is not directly useful because different OSes get different amounts of attention. My hobby OS is not infinitely more secure than Linux just because it has no CVEs, for example. One might think that "mitigations" or "vendor approachability" could be used, but they are only part of the story and have their own problems: some software (not saying which…) is known to just glom on "mitigations" with abandon that don't actually help. And, while rarer, there are vendors who respond appropriately to bug reports but fail to ever actually meaningfully improve security.
Really, the best way to judge security is to ask security researchers: they break the software, they're at the forefront of what it takes to do this and what kinds of things the software is doing to keep them out. They'll tell you which things work and which don't, and how "serious" a vulnerability is (assuming it's not one they found, because they're not immune to bragging :P). In general, across the modern OSes, there is no "one" OS that is more secure on every front. Windows has its own issues in subsystem X, Linux is broken in responding to Y, etc.
Practically speaking, it's impossible to compare these metrics between open and closed systems for various reasons. In open systems, bug reporting is a part of the culture. Moreover, as you are closer to the vendor, you can actually count on it being fixed, in trivial cases overnight. You have public bug tracking systems where the bug is almost like your baby: you talk to others about it, you argue in favor of it being fixed. Moreover, a good number of users actually fix the bugs. Sometimes it's enough that a bug report is published for you to patch your own system without asking anyone. As source code is available, for some people it's a kind of a hobby to go through and find bugs. Some do it for sport, some for learning/as a part of their curriculum, some as a part of their product development or audits.
With closed systems, many of these points above are not true. Users are not accustomed to reporting bugs, and even if they report a bug sometimes, they become put off as they don't know what happens with it later. They don't actively analyze the source code to find bugs. If a bug is found, they pray the patch is released soon. It is very rare someone has enough low-level skills to manually patch a binary based on a CVE description.
Given these differences, I think the only viable metric is the response time, i.e. the time between the bug being disclosed and fixed.
There is no such thing as an open or closed CVE. Conflating "description is public" with "has been patched" would be wrong, but claiming that all existing CVEs ever are "open vulnerabilities" is nonsensical.
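Added example, not from any commenter in this thread: a small Python script that scores CVE records by the metric proposed two comments up (days from public disclosure to shipped fix) while keeping "description is public" and "has been patched" as separate states, as the comment directly above insists. The records, vendor names and CVE identifiers are constructed for illustration and correspond to no real advisories; the only edge cases handled are an unpatched entry (reported as still open rather than given a bogus duration) and a fix that shipped before public disclosure (counted as zero days of public exposure).

```python
from datetime import date
from statistics import median

# Constructed sample records (not real CVEs): ISO dates as a tracker export
# might give them; an empty "fixed" field means no fix has shipped yet.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "vendor": "vendor-a", "disclosed": "2021-01-10", "fixed": "2021-01-12"},
    {"id": "CVE-0000-0002", "vendor": "vendor-a", "disclosed": "2021-02-01", "fixed": "2021-02-15"},
    {"id": "CVE-0000-0003", "vendor": "vendor-a", "disclosed": "2021-03-05", "fixed": "2021-03-01"},
    {"id": "CVE-0000-0004", "vendor": "vendor-a", "disclosed": "2021-04-01", "fixed": ""},
    {"id": "CVE-0000-0005", "vendor": "vendor-b", "disclosed": "2021-01-20", "fixed": "2021-03-21"},
    {"id": "CVE-0000-0006", "vendor": "vendor-b", "disclosed": "2021-05-01", "fixed": "2021-05-31"},
]


def time_to_fix_days(record):
    """Days between public disclosure and the shipped fix.

    Returns None when the record has no fix date: the CVE is publicly
    described but not patched, and those are different facts.
    """
    if not record["fixed"]:
        return None
    disclosed = date.fromisoformat(record["disclosed"])
    fixed = date.fromisoformat(record["fixed"])
    delta = (fixed - disclosed).days
    # Fix shipped before the public description (coordinated disclosure):
    # there was no window in which the bug was public but unpatched.
    return max(delta, 0)


def summarize(records):
    """Per vendor: how many CVEs are public, how many of those are patched,
    how many are still open, and the median days from disclosure to fix."""
    by_vendor = {}
    for record in records:
        stats = by_vendor.setdefault(
            record["vendor"], {"public": 0, "patched": 0, "unpatched": 0, "fix_days": []}
        )
        stats["public"] += 1
        days = time_to_fix_days(record)
        if days is None:
            stats["unpatched"] += 1
        else:
            stats["patched"] += 1
            stats["fix_days"].append(days)

    summary = {}
    for vendor, stats in by_vendor.items():
        summary[vendor] = {
            "public": stats["public"],
            "patched": stats["patched"],
            "unpatched": stats["unpatched"],
            # None rather than 0 when nothing has been fixed yet, so a vendor
            # with no fixes never looks like one that fixes instantly.
            "median_days_to_fix": median(stats["fix_days"]) if stats["fix_days"] else None,
        }
    return summary


if __name__ == "__main__":
    for vendor, stats in summarize(SAMPLE_RECORDS).items():
        print(vendor, stats)
```

The point of the separate counters is the one the comment above makes: "public" is the size of the list, "patched" plus "unpatched" partitions it, and only the patched subset contributes a response time. Feeding the script a real tracker export would need the same three fields per record and nothing else.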
However, the downside of publicly reporting vulnerabilities is that everyone has this knowledge and does not need a team of pen testers to find these vulns, correct?
Is there any public info on linux/macos/win desktop patch rates?
I have personally been screwed by Ubuntu patching. I am not a total idiot and I assume I can't be the only one.
edit: I realize that I have foot-in-mouth syndrome in this thread, but does anyone have real-world patch rates on desktop OSes?
Also, am I way off in the thought that publicly posting CVEs allows less technical adversaries to attack you? I believe in the benefits of OSS, but everything has positives and negatives.
If desktop linux has lower patch rates, as is my experience, then maybe we shouldn't be recommending desktop linux to everyone?
These are honest questions in the hope of learning.
It's generally accepted that open published CVEs push vendors to actually patch their software, instead of covering up and ignoring bugs. It also gives you a heads up that the software you're running has an issue and you need to update. It's tempting to think that making this knowledge publicly available gives the bad guys a roadmap, but in security you really can't just assume that because a vulnerability isn't public knowledge the bad guys won't know about it.
Frankly with the proliferation of the vulnerability black market, lack of public disclosure of CVEs would mean that only the black hats know it.
They probably did that because otherwise people would not accept that they had to buy new hardware in order to run it.
Honestly it's better with a version number. That way you could stay behind if you really want to. I am switching to Linux (finally) since I will simply use a remote desktop configuration for the only program I need to use for work that doesn't work on any other platform than Windows.
You know, this is probably the most straightforward way to raise the hardware floor. Would anyone really prefer Fall Creators Update 2021 as the patch that killed Windows support for their machine, or a clean break with a new OS?
I installed Windows 11 to try it out. I figure, Windows 10 telemetry is bad already, Windows 11 probably won't change that. It isn't that much different than Windows 10. The most noticeable difference is the location of the start icon, but other than that it feels almost exactly like Windows 10. It has been stable so far, more stable in fact.
I had a weird issue with my graphics card on Windows 10 where it would crash. I think I determined at some point that my graphics card wasn't getting enough power, although my power supply should have been sufficient. I recently moved, so the improvement could be due in part to that. My last place, anytime I'd run the microwave and have a space heater on it would flip the circuit breaker.
Anyhow, haven't had any issues with Windows 11. Don't know if they have better power management or what, but seems resolved now and no more random crashes when playing games which to me is a huge improvement.
> Note, Windows isn't my primary OS. I just use it for my kids' gaming computer. I run Linux on my personal computer.
They painted themselves into a marketing corner; the article makes the salient point that it's fairly unattractive to sell a new laptop with "Windows 10 21H2". What they should have done is ditch the version numbering altogether.