
Comment Re:hmm (Score 1) 545

At the point where you're deciding the level of risk for someone else. Which is what you're doing when you decide to expose other people to diseases that can kill or cripple for life because you don't want to be vaccinated. You want to be free to choose on that matter without me having any say in it? Figure out how to avoid spreading measles to anyone else if you catch them, then we'll talk.

As for your proposal, I do consider it unworkable, but that's irrelevant. Your "solution" doesn't address the problem you presented. It doesn't stop the child from being born, it doesn't keep him from being raised by a poor single mother in the inner city, and it won't prevent his possibly becoming a criminal because of it. If anything, your proposed solution makes the problem worse. Even if it were sane and workable, it should be rejected on that basis alone. Vaccination, meanwhile, has not only a massive amount of evidence but many decades of practical experience demonstrating that it does in fact decrease the problem.

Comment Re:hmm (Score 1) 545

1. Because vaccines don't provide 100% immunity. Nothing can. The more unvaccinated people there are, the more we're all exposed to the disease and the higher the risk of catching it despite being vaccinated. Also, there are people who for medical reasons (allergic reactions, compromised immune systems, still too young) can't be vaccinated. Every unvaccinated person poses a risk to them.

2. Yes.

3. This is true. However the risks from those side-effects are far less common and less severe than the risks from the disease when you're not vaccinated. Arguing that having a 1-in-100,000 chance of being crippled for life is better than having a 1-in-1,000,000 chance of needing a week in the hospital is... not a winning argument, I'm afraid.

4. As long as it's just you or your children, fine. But it's not, you're exposing everybody else to the consequences of your decision. You want the right to control what goes in your children's bodies, yet in the same breath you say we should have no right to control what goes in our children's bodies when it comes to the infections originating from your unvaccinated children. That doesn't fly. Note that the CA bill doesn't prevent you from refusing vaccinations. It simply means you can't send your children to public schools and subject everybody else's children to involuntary exposure to your children's infections if you won't get them vaccinated. You're free to send them to a private school that doesn't require vaccinations if you want.

5. How about the family who sees the same thing happen to their kids because before they were old enough to be vaccinated they caught something from your unvaccinated kids? Are you going to take responsibility for your actions there? If so, how exactly do you propose to compensate that family for the loss of their children?

Comment I have to support disclosure (Score 1) 94

In an ideal world you'd notify the vendor, the problem would get fixed and the world would move on. Alas, we don't live in an ideal world. Vendors fail to fix problems. Users don't upgrade software, or can't upgrade it or are unaware they're even using it, and the vendor doesn't publicly announce the fix and the need to apply it. The threat of disclosure, and the eventual disclosure even if the vendor doesn't say anything, is the only leverage we have to make sure vendors really do fix problems and users know what they need to know to assess the risks and mitigate the problem if they can't apply the fix. I'd love not to need to use that leverage, but we've seen how well that works already and we see repeated examples showing that vendors haven't changed their ways. Realistically the best we can manage is to notify the vendor (with full details, so they can verify the flaw is real and can't believably claim they couldn't replicate it) and give a deadline for either fixing the problem or providing mitigation measures, and then follow through with complete disclosure (so others can verify the problem's real without having to take our word for it) if the deadline passes without the vendor having disclosed the details themselves.

Unfortunately too many vendors have made it unsafe to do even that much. They don't just ignore problem reports and deny the problem exists, they actively try to silence the person reporting it through lawsuits and criminal prosecution and smear campaigns. When dealing with vendors like that you can't safely notify the vendor of a problem. I don't like it, but when dealing with a vendor like that all you can do is dump all the details into one or more suitable disclosure forums and make sure you've covered your tracks thoroughly so the vendor can't trace the disclosure back to you. Then clam up on the subject and don't say a single word anywhere to give anyone the idea that you were at all involved, lest you give the vendor a reason to suspect you. It's not a polite, civilized way of dealing with the matter, but I figure if the vendor's made its bed it's just going to have to lie in it.

Comment Re:The version number is dead... (Score 1) 154

A year behind is typical for corporate users. Selected security patches get applied after thorough testing, but unlike a home user a corporate IT department can't simply apply any update Microsoft sends down. They have to ensure that every bit of software they run, which is overwhelmingly not from Microsoft, is compatible and runs correctly with the updates applied to Windows, and is supported by the vendors. That's the major reason why corporate systems were running Windows XP for so long after Win7 came out, they had a lot of software that wasn't certified for or flat-out wouldn't run on Win7. It's why Win8 and 8.1 have so little adoption in the corporate world. Hardware is typically on a 3-5 year lease term, and other than security patches the OS typically doesn't change until at least it's time to replace all the hardware. Corporate IT departments can't and don't run their systems the same way a casual home user does.

Comment The version number is dead... (Score 2) 154

... Long live the version number. We saw it with Windows 95/98, XP and Vista, despite the names they still had nice conventional version numbers just like earlier versions. You just had to know where to look for them. MS may remove visible version numbers from Windows, but they'll still keep adding functionality and making backwards-incompatible changes which means software will still need some way of telling whether the system it's installed/running on supports the functionality it needs. Application developers being too lazy to write the large chunks of code needed to probe every single API they want to use and test for which specific variation is present, and the Windows team not having the time/resources let alone the inclination to go back and retrofit everything in Windows with individual version numbers or feature/variant flags, that means a version number that can be incremented to indicate the point at which a particular API or variation became available that app devs can easily test. And of course corporations are going to demand some way to make sure that the Windows 10 machines they buy in 2017 will run the Windows 10 image from 2016 and that the 2017 "written for Windows 10" software will actually run on machines using that image.

Comment Re:Management, not Millennials (Score 1) 405

People who know stuff don't cause me any stress. It's people who think they know stuff but don't that cause the most stress, and I haven't found Millennials to be much worse in that regard than any other age group. More often it's that they do know and what they're asking is entirely reasonable, it's just prohibited for silly reasons. Eg., they come in wanting their phone to just work with the Exchange server. Yes, it should just work. Exchange supports all the protocols needed for it to just work. I've argued repeatedly in favor of that but upper management thinks they know better and won't permit POP3/IMAP4 to be turned on, after all they're open protocols and anything open has to be an open invitation to hackers to walk into our network (grumblegriemutterstupidsuits tiesmustcutoffbloodtothebraingrowlgnashgrumble).

Comment Lawsuit (Score 3, Informative) 90

There seems to be a required step missing: filing a lawsuit against the infringing publisher. If they're selling the books (as opposed to giving them away free), the kind of volume described should amount to enough money to make a lawsuit feasible. And once you have a John Doe lawsuit filed, based on the initial evidence (as described it should be trivial to provide in the complaint a list of books you hold the copyright on that this publisher is publishing without authorization) you can justifiably ask Google in a subpoena for information pointing to the real identity of the publisher. If money's involved Google has some sort of real financial information about the defendant, otherwise they couldn't send the defendant their money. Google may blow off demands that just make a claim, but they won't just ignore a subpoena that lays out Play store items from this publisher matched to your copyright registrations for those items.

Consider a regular bookstore. If you walked in and said "I hold the copyrights to those titles over there, and that publisher is pirating them.", what do you think the reaction of the bookstore would be? My guess is it'd be along the lines of "The publisher claims they're not. If you want us to stop doing business with that publisher, come back with a court order.". Your claims, however well-founded, aren't a legal determination, and the bookstore or even the distributor aren't the ones in our system charged with making that legal determination. It may suck, but consider the flip side: the publisher replies with a claim that they do have a contract with you and you're just trying to weasel out of it. Which would you rather do: argue the point once in front of a judge, or try to prove the absence of a contract to every single bookstore and distributor out there?

Comment Management, not Millennials (Score 2) 405

It's not the Millennials. They're a bit more demanding, yes, but not significantly so compared to all the other groups of clueless users I've dealt with over the last 3 decades. Mostly they can be dealt with by telling them that I'd love to be able to do what they want but management's refused to allow it so they need to go talk to $AppropriateExecutive and convince him to change the policies on it. That gets them out of my hair.

Mostly the stress comes from management wanting more and more from fewer people with fewer resources, less funding and lower salaries. Instead of being skeptical, they buy into the salespeople's lies completely and then yell at IT when what was delivered doesn't do what was promised and never will. And gods help you if you do manage to prove the salesperson lied, because then it's your fault management bought into it. This from management's not a new thing, I've watched it growing since the early 90s.

Comment Carriers cause the problem (Score 4, Insightful) 434

This seems to be more a carrier problem than a Google or manufacturer problem. Google has the base OS updates available quickly. The manufacturers have to handle the hardware-related stuff, making sure firmware blobs for their hardware are compatible and such, but that doesn't seem to be that hard a problem what with a lot of phones sharing common hardware. I've commonly seen LG and Samsung have updates available within a week or two. The big delay always seems to be my carrier not letting my phone update because they haven't finished doing all the modifications they do for locked built-in apps, custom apps (eg. LG uses a custom calendar app instead of plain Google Calendar), UI customization/branding and so on.

It seems remarkably similar to Internet access, where ISPs always want to sell you not just Internet access but a whole wrapped-up package that includes them controlling what content you get and how you get it so they can steer you to content they control or get paid for. And as with net neutrality, the cell-phone carriers are going to strongly resist being relegated to the role of mere sellers of a pipe without any control over the device and the "user experience" that goes with it and allows them to steer users towards stuff the carrier gets paid for.

Comment Re:Wait a minute... (Score 1) 324

That's an argument for having the browser try HTTPS first, optionally falling back to HTTP if HTTPS isn't available. That's fine by me. It's not an argument for disabling capabilities of HTML/Javascript/etc. just because the transport isn't encrypted. It's also not an argument based on security but on privacy, and there's plenty of privacy problems that exist regardless of whether the connection's encrypted or not (eg. web bugs placed in advertising coming from servers in the site's domain (but not operated by the site and not on the site's network) that then use plain query-string parameters to relay data to off-site servers bypassing browser origin checks).

Comment Re:Wait a minute... (Score 4, Interesting) 324

The problem is that requiring HTTPS doesn't make sites more secure. It prevents an attacker who can't obtain a legitimate SSL certificate for the domain from running a mid-transit MITM attack, nothing more. The biggest problems seem to be a) phishing attacks that convince the user to visit a rogue site eliminating the need for MITM, b) local system compromises (client- or server-side) that have access to the cleartext traffic and don't need an MITM, and c) rogue CAs who issue certificates for domains the recipient isn't authorized for which allows for mid-transit MITM with HTTPS. The first two can't be mitigated by anything other than smarter users (HAH!), and mitigating the third requires massive changes to certificates so it's possible to determine whether a certificate belongs to a given site without depending on anything in the certificate and without depending on the CA having validated the recipient.

Comment HTTP insecure? (Score 1) 324

Doesn't that depend on the configuration and purpose? If the HTTP server's running on my own machine and the URL is "http://localhost/...", am I automatically insecure because I can't get an SSL certificate for "localhost"? And how would an attacker not already on my machine exploit this?

If I can't test the full capabilities of a Web site because the browser won't let me, I'm going to have to switch browsers and relegate Firefox to testing-only just like IE is currently.

Comment Inevitable compromise (Score 1) 118

So, how exactly do they propose to recover from a compromise of these kinds of systems where it's impossible to change the authentication data? And these systems will be compromised, history has taught us that. At least with a password or a certificate carried in a two-factor dongle I can change/reissue it and what the crooks have is no longer valid. I don't like systems whose failure mode in the event of a compromise is catastrophic.

Comment Difference in who's being paid (Score 1) 489

The article misses one point in its analogy to paying for promotion: who's being paid. When I pay a store for special placement, I'm paying the store for special placement of my stuff on its shelves. That's fine, it's the store's shelves and they're free to handle them however they choose. But suppose that, instead of placement on the store's shelves, I'm paying the store for special placement in the customer's pantry? Once I pay the store they'll send people to customers' homes to put my products front and center in the customer's pantry even if the customer didn't buy them and if that leaves the customer without enough space for what they did buy then tough luck, what the store put there is locked down so only the store can move it and they won't. That's not fine. It's not the store's shelves, and nobody's paying the customer for special placement on their shelves.

Ah, but the argument might be that it's not the customer's line, it belongs to the ISP. If so, then exactly what is that bill the customer's being sent every month for then? We already have situations like this. If I'm renting an apartment the landlord still holds the title to it but it's my apartment as long as I'm paying the rent and the landlord isn't free to just do anything to it he pleases any time he pleases. If I'm making payments on a car loan the bank holds title to the car but it's still my car and as long as I'm making the payments the bank can't just come in and borrow it any time they please or have it repainted to a color they like or anything like that. In the same way, the customer's paying for Internet access and as long as they pay the bill every month it's their Internet access and the ISP doesn't have an unrestricted right to decide how chunks of it must be used (unless, as with the boxes that disable a car if payments aren't made on time, it's made completely clear up front that this is being done and why and it serves a reasonable purpose (use of that box after a payment has been missed is one thing, but if the finance company tries to claim a right to use them when they think a payment might be missed soon (even though payments are still current) the courts would reject that as unreasonable even if the contract tried to allow it)).
