So... it's compiled... like literally every other program every made?

What exactly makes compiled code special? EXEs are compiled code. The term "run-only" is stupid. You have to be able to read the thing to run it, and the computer can read bytes just fine, so... where's the problem?

"Tragedy of the commons".

Building a walled garden can be bad, but allowing free and unfettered access to an open field for everybody's use can too.

Hey now, don't be raging on the white hat for doing white hat things. Not all of us have the meme darkness in our souls.

Had to Google to find out that they actually meant a trolley system at street level.

For everybody in the US: "tram" = trolleys on rails in the street. Just so you know.

Why are you touching all those paper towels? Grab one, throw in the cart, get on with your damn day.

Most people do not take that kind of time to comparison shop. If they can just deliver me the damn towels, then that's fine, I do not have brand loyalty toward most household products, nor do I need to molest my items in order to determine that it's a paper towel.

As in, have they figured out how to make their burger taste like a burger? Or the fish taste like a fish?

Because the burger is straight garbage. I don't understand the hype here, those things do not taste like real meat in the slightest. Texture isn't bad, but the flavor is just wrong.

This is like if Google just suddenly started calling Hell's Kitchen something else. Or renamed SOHO for no reason.

Except that as the article notes, the name was actually created a few years ago by a neighborhood nonprofit steering group that residents voted for: The East Cut name originated from a neighborhood nonprofit group in San Francisco that residents voted to create in 2015 to clean and secure the area.

Google didn't just suddenly rename it for no reason. The issue is more subtle than that; in previous times, the neighborhood council decision would either be ignored or take a long time to spread and catch on. With Google's ubiquity, changing it on Google maps has an immediate effect. Whether that's bad and jarring or good and avoids ambiguity, it's certainly new and different.

1. None of these were in “the early days of PC gaming”; they were a decade plus after PC gaming exploded during the Commodore 64/Applie II/etc era. Games like Catacomb, Ultima Underworld, and early ID entries like Hovertank 3D and Wolfenstein 3D had already birthed the FPS genre. Doom was a huge deal and certainly catalyzed things for the mid-90s and established FPSes as a prestige genre (as well as helping the popularity of online play).

2. Duke Nukem and Duke Nukem 2 (the latter of which came out the same year as Doom) were side-scrolling 2D platformers. The “2.5D” version was Duke Nukem 3D, which came out like 3 years later than Doom during the explosion of post-Doom FPSes. It was closer to the Quake era than the Doom era. Claiming that it's part of some “big 3” is really weird; it's better grouped in with the rest of the 2.5D-era post-Doom games like Marathon, Heretic, Hexen, Star Wars: Dark Forces, etc.

I mostly agree, though if the license on the generated audio is liberal enough I could see using this to create audio books of public domain texts in a crowd-sourced project. Feed the texts through (which, if distributed reasonably, shouldn't really be a significant privacy intrusion; the information's all out there already) and then save it for future use so it's still available even if the cloud service goes down.

Fuzzing is great, but he doesn't seem to understand what a language flaw is.

In the case of Python, he's found 2 methods in libraries that can call shell commands. Leaving aside that this would be a library issue rather than a language issue, there's no evidence that it's even that.

Python explicitly doesn't have sandboxing. Like most languages (including C, C++, etc), the documented behavior is that if you control the program and environment then you're fully allowed to import subprocess or os and run whatever you want. You don't need to find "hidden" ways to run a subprocess, you can directly "import subprocess" and run stuff.

This is doubly true because of the nature of the modules investigated. The first "flaw" is that mimetools has a deprecated "pipeto" method that lets you pipe to arbitrary commands. But mimetools is already well-known to expose os access in millions of ways (most obviously, it imports and exposes os, so if for some bizarre reason you want to avoid importing os yourself, you can simply run "mimetools.os.popen" directly); no competent programmer would expect otherwise.

The second "flaw" is that pydoc runs a pager program which lets you run an arbitrary command if you control the program environment. Of course, the documentation states explicitly that the specified pager program will be used. It's unclear what part of the behavior here he thinks even surprising. And, again, the pydoc module imports and exposes "os" in exactly the same way that mimetools does.

Earlier this week security-hardened Android build CopperheadOS temporarily blocked Nexus updates on its servers after finding out that other companies have been flashing the ROM onto Nexus phones and selling them commercially in violation of the CopperheadOS licensing terms. The incident highlights an inherent problem in getting open source to be used by the masses

This is FUD. If CopperheadOS prohibits selling it commercially, then they are not using an open-source license. By definition, open-source licenses cannot prevent others from selling the software commercially or otherwise prohibit redistribution or discriminate against fields of endeavor (including business use).

And, indeed, most sources (e.g. https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2F...) call the Copperhead license "source available" rather than "open source" because of these non-open-source restrictions.

See https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fopensource.org%2Fosd

1. Free Redistribution
The license shall not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources. The license shall not require a royalty or other fee for such sale. ...
2. 6. No Discrimination Against Fields of Endeavor
The license must not restrict anyone from making use of the program in a specific field of endeavor. For example, it may not restrict the program from being used in a business, or from being used for genetic research.

And flashing it onto a ROM would constitute a derived work covered under section 3 of the OSD.

Unlike the others, DAP's numbers come from billions of visits over the past 90 days to over 400 US executive branch government domains

This strikes me as being a very poor source to use if you're interested in overall desktop statistics. People visit government domains much more often from work than from home, and government workers visit government sites more often than non-government workers do. Alternative OSes are less common in government jobs than non-government positions, and there's probably a skew one way or the other in generic home vs. work statistics.

I'm not disputing that the recent stats cited are wrong, just objecting to advocating what seems to be an inherently statistically biased source as the "most accurate" for this statistic.

"The new version tests another change to notifications in which apps can only make a notification sound alert once per second."

This is definitely a minor thing, but once you've started looking at it should be a lot more limited. A configurable time would be ideal, but if you want to make it a sensible default it should be more like one sound alert every 10 minutes unless you've looked at a notification in between--if you're actually checking messages as they come in you'll still get all the defaults, but you won't have to silence 5 in a row if you're busy or don't care about them.

Yes. The real problem is that Microsoft is advocating for slow-rolling disclosure of security vulnerabilities by hiding patches until the stable release comes out. That's fine, it's not an insane stance, but they're presenting it as though that's obvious and noncontroversial and that there are no drawbacks to their methodology and no advantages to Google's full disclosure policy. That's where they're being disingenuous--full disclosure vs. slow disclosure is one of the more hotly debated topics in security circles, and Microsoft knows it (or should).

If they want to advocate for slow disclosure, they should at least acknowledge that they're taking one side of a controversial topic about which a lot of serious security people disagree, not pretend that Google is just doing something recklessly idiotic and should clearly do things the Microsoft way.

Bruce Schneier summarizes the counterargument here: https://ancillary-proxy.atarimworker.io?url=https%3A%2F%2Fwww.schneier.com%2Fessay...

On the surface slow-rolling things seems like a good idea--why show the attackers the breach before you've repaired the wall? The problem with that line of thinking is that it presumes that you're the only one who's found the breach, and that attackers aren't already exploiting it. That's generally naÃve, you have no way of knowing whether a vulnerability is being actively exploited or not.

By disclosing fully, you make it possible for people to protect themselves or to make judgements about how serious the issue is for them. You also make companies take security more seriously in the future, which hopefully leads to greater global security even if the local impact is muddier.

There are obvious trade-offs the other way, as well. But Microsoft
pretending that full disclosure is inherently bad for security is duplicitous.

The Fire has a fine battery life for a tablet, but it's still horrible compared to e-ink readers, which usually last a month or two between charges if you average an hour of reading a day. E-ink displays only draw current for screen updates, so the majority of the time when you're reading (as opposed to flipping the page) the device draws very little power.