Go to LWN's search page, uncheck all the boxes except for "security vulnerabilities", and then search for "KVM". Or Qemu, or Linux or Xen.
You'll find that all hypervisors have privilege escalation bugs discovered. However, this is the first one discovered in the Xen PV interface in a long time.
...an unrelated bug causes the vulnerable FDC code to remain active and exploitable by attackers.
Which is why the PV mode in Xen is such a killer security feature -- the more stuff you have just lying around, even if unused in theory, the higher the probability that there will be a bug somewhere that can be exploited.
What if someone who privately knows about the vulnerability gets the idea to exploit various installations of competitors (or even common users!) during the embargo period? Do you trust large enterprises not to misuse their knowledge to their own advantage?
Of course that's a risk. But again, is it worse to have a handful of people who are trying to be secretive know about the vulnerability while vendors update and carefully test their software, or for the entire world to know about the vulnerability while vendors scramble to get something out the door as soon as possible?
Since Open Source projects communicate in the open (even if just version control commits), I find it quite likely that all major security-related projects are monitored by black hat hackers. The few weeks waiting period gives them ample time to use the security hole.
That's why the Xen Project doesn't put the fix into version control until after the embargo period is over. Only people on the predisclosure list (or those able to listen in) would be able to learn about the vulnerability without doing their own audit of the code to find the bug themselves (which is very expensive).
There's basically a balance to be struck. All users not on the predisclosure list (and thus who cannot update their systems until the embargo period is over) will continue to be privately vulnerable during the embargo period: anyone who happens to have dug deep enough and found the bug can still exploit it. But as soon as the announcement is made, everyone who hasn't yet updated is publicly vulnerable: Nobody has to search to find the bug, they just have to write an exploit for it. Being privately vulnerable is certainly bad, but being publicly vulnerable is far worse. The goal of the embargo period is to try to reduce the time that users are publicly vulnerable by extending the time they are privately vulnerable. Two weeks has been found to be a reasonable cost/benefit trade-off in our experience.
"It's not you, it's me."
"It" here still isn't (or shouldn't be) referring to a human. Normally it means, "The problem in our relationship isn't you; the problem is me."
nrén = woman
Hmm, Slashdot seems to have eaten the characters it wasn't familiar with. That should be nuren and nuhaizi (tone 3).
Regarding "they", English speakers have been using "they" as an ungendered third person singular for hundreds of years.
Language is defined by its speakers, not by some committee somewhere; each of us gets a vote. In some cases I persistently vote against change if I think it's a bad idea (for example, I will make fun of people who use the word "literally" when speaking figuratively as long as I can get away with it); but in this case, I think it's a perfectly reasonable thing to do, and I have purposely chosen to use "they" in this way.
English is perhaps the most gender neutral language currently in use.
I cannot tell you how ignorant that sounds to me. Of the four languages I know to various degrees (English, French, Turkish, Mandarin), two of them are far less gendered than English. In both Turkish and Chinese, there is no "he/she" distinction -- there is a single pronoun which can be used for any person. Additionally, in the base for "person" and for "child" is ungendered, and to specify "man/woman" or "boy/girl" you have to add a gender tag. Chinese: rén = person, nánrén = man, nrén = woman. háizi = child, nánháizi = boy, nháizi = girl. (Turkish was too long ago for me to remember the actual words.) Turkish is the same for brother/sister. (Chinese have cutesy reduplicatives for sibling relationships -- gge, dìdi, mèimei, jijie -- so the "add a gender" thing wouldn't fit.) I never got to actor/actress, waiter/waitress, &c in Turkish, but in Chinese they're all ungendered as well. (And nouns are genderless in both languages too.)
Seriously dude -- if you don't know Chinese or Turkish, that's fine; but then don't make a claim about all languages "currently in use".
Indeed: if you look at m-w or any other dictionary then you may notice that the modern use has two opposite meanings. That belongs to the richness and sophistication of modern language.
No, that's because most dictionaries are descriptive rather than prescriptive: they're trying to help people understand what someone might be saying, not trying to tell you what the right answer is. And in general, I agree with them -- language is defined by its speakers and develops over time.
But the fact is that using "literally" when you actually mean "figuratively" is stupid. It's not only evidence of sloppy thinking, but it actively degrades the language. The fact that it's in M-W reflects the fact that a significant minority of people use it this way; but the fact remains that the majority of speakers oppose this change and think that it's stupid and wrong. By making fun of people who use the word "literally", I am "voting" to keep the old definition and keep the new definition from becoming accepted, and I will do so as long as it is practical.
There were two answers common to all of us: project management and English writing. We are all in management now, not practical engineering, and need words more than we need numbers and formulae. An English writing course should be required for all pure and applied science majors, in my opinion.
I represented computer science at an elementary-school tech fair a few months ago. Many of the students had been given papers they were supposed to fill out by asking us questions; one of the questions was, "How often do you use writing in your job?" And they were all surprised when I answered, "Every day". I need to discuss design, bugs, performance, releases, strategy, &c &c, and all over e-mail. Writing (and typing) is a core skill for me.
Note that the studies do not say multivitamins are worthless, nor do they address any other health areas except those three. That is just the headline sensationalism.
Did you miss the part where the TFA's title said "Stop wasting money on supplements"? The article itself is trying to make the argument that it's a waste for most people to take multivitamins. But the reason given is that it doesn't prevent death, heart attacks, cancer, or dementia.
Guess what? Hiring policemen doesn't prevent natural death, heart attacks, cancer or dementia either. Neither does wearing a seatbelt. Neither do all those safety regulations on cars and aircraft. Are they going to write an editorial next saying that we should "Stop wasting money on police, seatbelts, safety regulation", and cite studies showing that they don't prevent natural death, heart attacks, cancer, or dementia?
Vitamin deficiency causes all kinds of random problems that are often not quickly diagnosed. Do a cost-benefits analysis. It's a low probability that I'll have a vitamin deficiency, but if I do, vitamins will help a lot. Given how little they cost, it seems like a no-brainer.