Linux Update Acknowledges Your Old Intel CPUs Might Be Vulnerable To MMIO Stale Data

  • #11
    Originally posted by CommunityMember:
    Researchers (and three letter agencies) spend their efforts on the most prevalent architectures (and OS's), and that has been Intel x86_64 (biggest "bang" (in press or exploitation capability) for their buck). This is, for example, mostly the same reason that virus/exploitation writers used to mostly ignore MacOS, or Linux, as no one used them (everyone used Windows), but that has changed.
    It has, but there's more to it than that. A fairly large subset of the new wave of malware is OS-agnostic: not because it's targeting more general x86 flaws (though those are exploitable) but because it's targeting common userspace like Chrome. There are multiple "universal payload" viruses/etc that run on OSX and Linux as well as Windows, with only the delivery mechanism changing, which as you say wouldn't have been worth the effort ten years ago but will be a majority within two years at most. It's not because Linux has value as a server target though: it's just because "why wouldn't you?", when it's trivial to do so.

    I've seen a few people argue that it's because Windows has become hugely more secure in the last 10 years (which it has, but it was starting from zero) but that misses the point just as much as the "Mac/Linux doesn't get viruses" arrogance does. Nobody cares about your drivers, because they don't have to: people tell programs to *record* their credit card details, then leave those programs running 24x7 executing arbitrary code. Cryptards download the first result on Google and give it full access to their imaginary money, which then becomes even more imaginary. :P
    I don't have to leave a RAT on your machine to read your manifesto insulting Glorious Leader or whatever: because you're logged in as you, and all the valuable data on that machine *belongs* to you in the first place. All I have to do is get you to run something.

    It's the same with the simpletons who brag about having an encrypted /home. It makes them *more* vulnerable, because not only are they exactly as "secure" once logged in - i.e. not at all - but now they're deluding themselves that they *are* secure because they "have 4096-bit RSA encryption" and they read a blog post once that said that's uncrackable. They just don't understand the problem.

    While it does have its moments of schadenfreude, it's mostly just painful to watch. I've seen Boomers be taught that if an email from "Alice" is from "[email protected]", that means it's really from her. Meanwhile, Gen Z has the same grip on technology that a 1950s housewife does on how a TV works - but at least the housewife *knew* she didn't understand it.
    Mozilla, to this day, refuses to do anything about аррӏе.com, because "something, something, racism". (No, seriously). MS just *re*-enabled Office (?silently?) running embedded macros, because "convenience". It's no wonder people are getting fleeced left and right - but they would be anyway even without all the help tech companies give them, because that's what they've been trained to do.

    Against that background, the value of an academic information leak is exactly that: academic. It's like a Heath Robinson mousetrap - a thousand times slower, more likely to fail, more complicated, and more expensive than a piece of wood and metal that costs 30c, to arrive at the same result. Unless you actually *are* trying to overthrow the gubbermint, why should I bother with that, when I can have 1000x the success for the same amount of effort through straightforward means. It's a business. It's not like FedEx delivers packages by launching them halfway into space then parachuting them onto my porch after modeling the exact time and trajectory to drop them adjusted for the wind.

    • #12
      Originally posted by arQon:
      Against that background, the value of an academic information leak is exactly that: academic. It's like a Heath Robinson mousetrap - a thousand times slower, more likely to fail, more complicated, and more expensive than a piece of wood and metal that costs 30c, to arrive at the same result. Unless you actually *are* trying to overthrow the gubbermint, why should I bother with that, when I can have 1000x the success for the same amount of effort through straightforward means. It's a business. It's not like FedEx delivers packages by launching them halfway into space then parachuting them onto my porch after modeling the exact time and trajectory to drop them adjusted for the wind.
      You are overestimating the cost and complexity of these types of attacks, they are now as easy as copy-pasting some code that has already been written. The same barrier to entry as script-kids hacking their friends for the lols. Software engineering is much more easily reproducible than mechanical engineering (which is also easy to reproduce. After something is invented, quickly everyone has access to it. That's how humanity goes).

      Ultimately, you're doing the same thing you're criticizing. Focusing on one attack vector only, and choosing to completely ignore another obvious one, because you believe you've got the RIGHT one. You'd close the door and leave the window wide open because you think no one would climb to your second floor window, except, there's a ladder right underneath it.

      You're also missing the point of side-channel attacks, they're to be used not instead, but complementary to the other types of attacks you mentioned. They cross privilege boundaries, which would be a tough ask of social engineering, since tricking two people is ridiculously harder (impracticable) than tricking one. They also have the potential to overcome software and hardware protections that should greatly reduce the risk of humans leaking secrets, because they don't even need to know the full secret. Side-channel attacks bring us back to humans knowing too much. A whole evolutionary step is now conditioned on solving this problem.

      • #13
        Originally posted by arQon:
        Mozilla, to this day, refuses to do anything about аррӏе.com, because "something, something, racism".
        Sorry, I didn't get this bit about Apple and Mozilla; would you care to clarify?
        Thanks

        • #14
          Originally posted by arQon:
          They can, and do, but it's mostly irrelevant anyway: malware overwhelmingly spreads through social engineering, not 1337 hax0rz.

          You know the lie that gets trotted out every time some website leaks a few hundred thousand credit card numbers, SSNs, etc? The one about how "this was a highly sophisticated attack", etc etc. What they mean is, some idiot got an email from "I.T." saying "We've updated our password policy, you need to pick a new one, here's a link to make it easier for you, www.company.totallynotcompany.com/passwordreset/", and fell for it. That's it.

          It's not a genius in a hoodie chaining exploits and privilege escalations, predicting ASLR and bypassing DEP. That's Hollywood and mediocre TV shows trying to deal with a topic they don't understand and the audience doesn't understand either. It's just normal people being out of their depth and making stupid mistakes, because either "magic box says so" and they're "no good with computers", or "magic box says so" and they massively over-estimate how computer-savvy they are. No prizes for guessing which of those groups you fall into.
          No, there are no Windows-like viruses on Linux. Even if there were, they died quickly - thanks to Linux's position on 'stable API nonsense' and much smarter design. Furthermore, on Windows it was enough to connect to the internet or a LAN to get a virus. That's all.

          Windows does make it easier, because MS's insistence on integrating Office with IE with the OS opens up a few shortcuts to get there - so what's your excuse for all the malware on Android? After all, that's Linux too, so it must be immune.
          I'm not talking about malware. It's irrelevant here.

          P.S. Windows seems more secure today thanks to dozens of Linux servers scanning the whole net for Windows viruses. Imagine replacing Linux servers with Windows ones. It would be an M$ disaster.
          Last edited by Volta; 22 August 2022, 03:09 AM.

          • #15
            Originally posted by horizonbrave:
            Sorry I didn't get this bit about Apple and Mozilla, please care to clarify?
            The link in the previous post is not to apple.com - it's to a visually-identical (homographic, if you want the fancy term) impersonating site constructed from Unicode glyphs instead.


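The homograph check that post #15 describes, written out as an added defender-side example (not code from anyone in this thread): it folds look-alike Cyrillic letters onto the Latin letters they imitate using a constructed subset of the Unicode UTS #39 confusables table, flags labels whose folded form matches a constructed brand list or that mix scripts, and shows the xn-- Punycode form that the resolver and certificate actually see. Python 3.7+ is assumed.

```python
import codecs
import unicodedata

# Constructed subset of the UTS #39 confusables list: Cyrillic letters that
# render identically to Latin letters in most fonts (incl. U+04CF palochka).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0501": "d", "\u0435": "e", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l", "\u043e": "o", "\u0440": "p",
    "\u0455": "s", "\u0445": "x", "\u0443": "y",
}
# Constructed brand list standing in for what a mail gateway would carry.
PROTECTED_DOMAINS = ("apple.com", "paypal.com")


def to_ascii(domain):
    """Punycode each non-ASCII label: what the resolver and the TLS certificate see."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + codecs.encode(label, "punycode").decode("ascii"))
    return ".".join(out)


def scripts_of(label):
    """Scripts present in a label, from the first word of each code point's
    Unicode name; digits and hyphens are script-neutral and skipped."""
    return {unicodedata.name(c).split()[0] for c in label if not (c.isdigit() or c == "-")}


def skeleton(domain):
    """Fold confusable Cyrillic letters onto the Latin letters they look like."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in folded)


def analyze(domain):
    """Flag a homograph of a protected brand, or a mixed-script label, with evidence."""
    sk = skeleton(domain)
    mixed = any(len(scripts_of(label)) > 1 for label in domain.split("."))
    if sk != domain.lower() and sk in PROTECTED_DOMAINS:
        verdict = "lookalike of " + sk
    elif mixed:
        verdict = "mixed-script"
    else:
        verdict = "ok"
    return {"input": domain, "punycode": to_ascii(domain), "skeleton": sk, "verdict": verdict}
```

The all-Cyrillic аррӏе.com passes a naive mixed-script check (every letter is the same script), which is why the skeleton comparison against a brand list is the part that catches it.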
            • #16
              Originally posted by jntesteves:
              You are overestimating the cost and complexity of these types of attacks
              Possibly, though obviously I doubt it. Either way though, for it to matter to people so naive that they believe simply Not Running Windows is the only defense they need - which is the group I was trying to inform - it starts with having portability: that's what the "within two years at most" part is. If you think that timeframe is optimistic that's a different matter, but it's the least important part of the entire post.

              > Ultimately, you're doing the same thing you're criticizing. Focusing on one attack vector only

              No, I'm highlighting that people who believe there IS only one, and it doesn't affect them, are mistaken. We agree on that much at least.

              > They cross privilege boundaries

              Which is irrelevant. That's the whole point. All the user data on a machine is (generally) accessible by that user *without* escalation, and without any further steps, and it's the user data that has value. You can disagree with that if you want (though I have no idea how you could even try to with a straight face), but if your objection to it is "but, root!" then you haven't even understood it in the first place.

              > because they don't even need to know the full secret. Side-channel attacks bring us back to humans knowing too much. A whole evolutionary step is now conditioned on solving this problem.

              I'm going to need a translation for that, I think. "Evolution" of *what* would be a good start.

              • #17
                Originally posted by Volta:
                No, there are no Windows-like viruses on Linux.
                I don't even know how to respond to that other than to suggest you spend a few seconds with your search engine of choice becoming better informed. After all, if you're right it'll be either no results at all or nothing but confirmation of your position, so it'll be very quick.

                > Furthermore, on windows it was enough to connect to internet or LAN to get a virus.

                That's certainly true (and at one point, the interval was *insane* - under 5 minutes on average!). So yeah: technically you're right that it counts as "not comparable", as long as you're talking about 15+ years ago - but we aren't.
