
Announcing Arti, a pure-Rust Tor implementation (Tor blog)

Posted Jul 19, 2021 2:36 UTC (Mon) by marcH (subscriber, #57642)
In reply to: Announcing Arti, a pure-Rust Tor implementation (Tor blog) by ms-tg
Parent article: Announcing Arti, a pure-Rust Tor implementation (Tor blog)

This is a very interesting presentation, thanks for sharing it! I enjoyed it because you really don't need to be a security expert to make the most of it, you "only" need to be a software engineer.

Among others it explains why attacks rely less often on vulnerabilities and more on other techniques like social engineering. It's not because there was much coding and quality progress, in fact it rather depressingly states that developers keep making the same mistakes as before. The main reason is because Microsoft fixes them much faster than ever and made it very difficult to turn off auto updates. This gives a very strong incentive to minimize usage of vulnerabilities and reserve them for discrete, targeted attacks. Auto-updates have basically changed the market of vulnerabilities, their value has increased to the point where only nation states or very rich actors can afford them. I'm oversimplifying of course, open the PDF if you're interested in the actual numbers.

So I stand corrected: the connection between ransomware and memory safety is probably tenuous... _if_ you use aggressively auto-updated software exclusively!

https://www.theverge.com/2021/1/6/22217052/microsoft-wind...
(Windows 7 is still running on at least 100 million PCs)

As long as you're not a high profile target or you don't mind getting spied on by any government or other powerful actor, keep using software written in a memory corruption language. Just make sure there's a billion-dollar company constantly racing to keep it up to date.

Also keep in mind this analysis is based on Microsoft's data only.

Another interesting point is how effective but still limited mitigations like CFG, CET, ... are and how the only way to make them 100% effective "decomposes to needing to solve memory safety".

