
Comment Threatening who? (Score 1) 30

I'm a little confused by who is supposed to be caving to the threat here. It's a paid database, so I assume that Thomson Reuters/Refinitiv aren't thrilled; but it was apparently stolen from one of their customers, not directly from them, so their reputation for security competence isn't really affected; and I suspect that most of the people paying for access to this sort of database need something authoritative that ticks the "I'm really trying to know my customer, really" box when feds or auditors come around; so even a reasonably fresh and reasonably large leak is still of limited value("So, you decided to reduce costs by basing your compliance efforts on data of unknown completeness, potentially subject to unknown modifications, sourced from unknown criminals? Very interesting...") as an alternative to continuing to subscribe.

If anything, it seems like its release would be largely positive: probably lots of interesting leads to be followed up, both with regard to what the creepy data broker types know and the things they know about the people they consider relevant, by people who are in no position to afford access normally(if it's even something you can just purchase if your money is green enough; rather than being offered specifically to potential customers known to be in financial services; not just anyone with a checkbook).

Comment Excuses, excuses… (Score 1) 40

He's arguably not wrong that VMware's offerings outside of their core product are kind of inchoate(though, in fairness, it's not like the 'hyperscale cloud' guys don't all have a stable of shit thrown at the wall to see what sticks that surrounds the core of services that people actually care about or trust); but that seems like a pretty shabby excuse in this context; where it would have been trivial to just not fuck with what people were using and liked while making the alleged investments in glorious future VMware; then letting the value proposition of that help sell it.

As it is, it's hard to read this as anything other than an awkward(and almost certainly temporary, nobody ever genuinely stops trying to boil the frog once they start); climbdown after recklessly spooking more customers, harder, than intended.

Comment This seems exceptionally stupid. (Score 1) 315

If you are trying to explain why we haven't detected any aliens, how is "they were massacred by even more advanced aliens" a remotely adequate answer? That just leaves you with "why haven't we detected the even more advanced aliens?". The question was never "why do we detect so many deathbots and so few little green men?"

If anything, superintelligences are presumably more capable of doing high-visibility things(if they want to) by virtue of being more advanced; and, while they could all be carefully hiding because they're paranoid, that same explanation would hold for standard aliens as well.

Seems like an awful lot of hypothesis to explain nothing.

Comment Re:When I think "AI-powered personal device"... (Score 2) 52

They also aren't cheap even if the knowledge problem is solved. Something like a roomba lives in a special case where being more or less a toy RC car is enough robotics to actually attack a real-world cleaning problem(on reasonably uncluttered flat floors).

If you want "look for missing items, get things out of the refrigerator, scrub the kitchen floor, clean the toilets, and vacuum" you are suddenly talking about a *lot* more robot. Not necessarily 'call Boston Dynamics for their most humanoid biped', you might be able to get away with some sort of wheeled platform with robot arms since the arms count for more than the legs(as long as you can reach things that are a meter plus away from the floor); but you are definitely talking a much more involved piece of hardware with considerably more fiddly moving parts; especially if you don't want to overhaul your entire house.

Comment Seems like a terrible plan (Score 1) 56

"Don't just read the slide deck" is more or less rule #1 of not completely ruining a presentation. Is there any room for optimism about the results of a tool that generates video of you reading the slide deck? Even if it's a goddamn miracle on a technical level it seems like a fundamentally mal-suited tool for the job. If anything, the better it works the worse it will likely be, since it will just be doing the wrong thing more attractively and easily.

Comment I'm not sure I get it... (Score 2) 113

I'd agree that a production system that actually relies on actual floppies would be rolling the dice in a deeply uncomfortable way at this point; but I'm a little puzzled by the extent of the fuss given that(admittedly, more for hobbyist and niche stuff, retrocomputers and synths from the floppy era, that sort of thing) the practice of emulating floppy drives is quite well established and, thanks to the age and (low) speed of the busses in question, pretty technically undemanding.

If I had a floppy-dependent system I'd have wanted people evaluating commercially available floppy emulators starting 10 years ago; potentially trying to push specific developments if my system requires things that the retrocomputing guys don't(whether in terms of features or in terms of not being hand-built in small runs by hobbyists); but, barring some especially esoteric complication I'm not thinking of, slapping floppy emulators into a floppy-based system and bringing it right up to the present day in terms of media seems like it would be both a relatively simple project and much, much cheaper, lower risk, and more predictable than a full 'upgrade' that promises to rip out the old system and replace it with a full new glorious IoT something something.

Comment Seems atypically doomed... (Score 1) 161

Even if the history of Russian 'import substitution' weren't littered with farces where someone gets a gold star for domestically producing tractors...from imported Polish kits with the serial numbers filed off...or the like; "game console" seems like a strikingly hard target, especially relative to its value.

It's a consumer product, rather than the state or state owned or heavily influenced companies being the customer, so there's a lot less leverage in terms of just making 'domestically produced' patriotic and mandatory; and it's a toy that only some people are even interested in, so it's even more difficult to distinguish between people who don't buy Super Motherland 3 because they just don't play video games and ones who don't buy it because they are playing Genshin Impact on something imported from China or a cracked copy of CoD on the wintel they say they use for work. Obviously possible, if you wanted to divert even more statesec guys from keeping an eye on planned terrorist attacks in order to do traffic analysis to look for game pirates; but not obviously worth the trouble.

It's also a pretty demanding category: customers tend to be pretty cost-sensitive and tend to expect frankly remarkable levels of hardware and software punch that are deliverable only thanks to mass production at all levels(whether you are talking ICs, game engines, asset packs, or very large numbers of sales of the final product). This isn't some military thing where you'd like more; but it's workable, and arguably worth it, to be able to reliably deliver domestic clones of some 20-year-old TI DSP even at twice the market price. Unless you are running a crackdown on the alternatives that would make North Korea blink that's not going to work on the gaming side: expectations are high and prices are low; and 'good enough' is defined in large part relative to what other people have, rather than to specific requirements.

Comment Which will win? (Score 3, Insightful) 37

At least on initial inspection "bespoke teams" and "long-term collaboration" sound like they will be at odds with one another:

I'm curious whether the assumption is just that people who aren't the author are fungible cogs to be picked up and discarded with as much 'agility' as possible; or if they believe that first-time authors getting decent sized advances is an inefficiency and they seek to rectify that by ensuring that authors who don't sell can be discarded at minimal cost; just with a less-depressing focus on the part where authors who do sell do get paid.

Comment Re:Seriously? (Score 5, Insightful) 187

ERP systems typically don't fail because of their databases or frontends(and, when they do, they tend to be big, huge, must-talk-to-all-the-legacy-systems-and-support-analysis-and-reporting-at-nontrivial-scale situations that aren't a trivial matter to handle with just some basic web experience). They fail because the process of capturing(and where necessary taking a hard look at and changing) all the business processes so that the dev side can implement them or make sure that they are handled by the product they've chosen is ugly and complex.

Similarly; nobody picks excel because of confusion about its power and capabilities: overwrought-but-inadequate excel is what happens when there is no effort, or no successful one, to get business practices codified into requirements that can be shoved over to the devs and implemented; so you get ad-hoc development of local bandaid tools; typically bolted together by a fair amount of manual copy-paste and futzing; implemented in whatever the people who are familiar with the processes are familiar with. Not uncommonly excel ends up being that; as it's at a pretty favorable intersection between "power" and "number of basically nontechnical users at least partially qualified to work with it".

Comment Not sure what they expected... (Score 4, Insightful) 65

The techbros can obviously buy their way in to the party readily enough(realistically, unless you are talking grungy underground scene events in disused warehouses, it's probably not art-for-art's-sake money that is even throwing the party; though it may be the entertainment industry side sponsoring the artistic side because that's prestigious for the sector as a whole, the way a certain number of Oscar-bait movies that are expected to be critical successes and commercially middling is accepted practice); but that's significantly different from being able to buy the regard of people who they've been more or less directly threatening.

Are they just high on their own supply and didn't realize how it would go over? Is forcing the soon-to-be-replaced labor units to watch videos with you rambling about how brilliant their obsolescence is part of the fun?

Comment Re:Well, now I'm eating crow (Score 1) 31

It wouldn't be surprising if there will be some demand for bite-sized physical machines from people who think that they can't assume hypervisors will be security boundaries; but I suspect that getting actual improvement will be harder than it looks; especially if you aren't willing to sacrifice convenience:

VMs are, certainly, in no small part about utilization and economies of scale: until you get to the point of systems 'big' enough that they seriously restrict your choice of vendors(eg. basically everybody sells 1-2 socket systems; 4-8 means Xeon, and only certain more expensive Xeons, more than 8 sockets means some fancy custom interconnect) it's basically always cheaper to slice a bigger system in half than it is to buy two smaller ones: much less redundant hardware that way.

However, they are also about management convenience that you can't really get out of a physical server without adding a (potentially dangerously) capable BMC or similar computer-inside-the-computer(like the "nitro" controllers that AWS uses): and the history of BMC vulnerabilities(both against their network interfaces and against the components they expose to the OS running on the system) is not entirely cheery; with the situation probably looking worse if you want a BMC that can do all the various management things vsphere can do to an ESX VM.

There's also the question of OS driver vulnerabilities and hardware/firmware vulnerabilities: this VM escape relies on ESX's virtual USB device being buggy; it's not as though you would necessarily have greater confidence in the virtual USB device the BMC uses to interact with the OS; or even the firmware of some of the physical devices on the motherboard.

If anything, while they clearly aren't perfect and can't be trusted enough to avoid much greater attention to how to keep guests from interfering with one another; my suspicion would be that the complexity, and thus bug potential, of real peripherals is considerably higher than that of VM peripherals; especially the newer ones that are explicitly abstractions designed to be convenient for virtualization; rather than close imitations of common physical hardware intended for compatibility with OSes that don't expect to be running in a VM.

Comment Re:Well, now I'm eating crow (Score 2) 31

There are some 'usb devices over IP' software offerings that add a virtual USB root and can be used to connect USB devices that are physically connected to other hosts(obviously this works better with relatively low-bandwidth and latency-insensitive things; it's more about license dongles and USB to serial converters than video capture devices); so you do have options(and those offerings also tend to have explicit support for relatively easy switching of the USB devices being redirected between multiple hosts, if that's required); but it seems pretty unlikely that their virtual USB devices have gotten the same amount of probing that the vmware ones have, since they are relatively niche offerings vs. being the de-facto on-prem virtualization option(at least until Broadcom showed up).

Potentially still worth it, if you've got some absolutely unpatchable ESX host running at least one guest that must have USB, since the vulnerability on the vmware side is now a known one; but quite likely to not be a net gain in security vs. a patchable host; just given the relative amount of attention given.

Comment Re:Well, now I'm eating crow (Score 1) 31

There was a somewhat similar one(also a bug in the virtual USB device allowing manipulation of the VM host from inside a guest with virtual USB) a few years ago. There have also been a couple(CVE-2015-3456 and CVE-2021-3507) targeting the virtual floppy drive device.

They seem to be relatively rare; though tend to be pretty alarming when they do come up because their relative rarity means that people often treat a hypervisor as a reliable security boundary so there isn't necessarily a lot of backup built in to handle cases where that assumption is invalidated.

Comment Seems pretty plausible. (Score 1, Troll) 169

I don't know whether they'll be able to get past the requirement that Apple have sufficient market power in at least one of the tied products; but it seems like a pretty straightforward argument that iCloud is tied to iDevices in a number of ways that typically aren't wholly without justification(eg. having iCloud be the only thing you can restore from reduces the complexity of the first-run restore option because it can just assume iCloud; rather than Apple having to define an interface that 3rd party restore providers would offer or add a pre-restore app install section so that the relevant 3rd party app could be installed to provide the restore interface(the way 3rd party apps can snap into the "Files" app)); but which are...awfully convenient...given Apple's margins on both cloud storage and higher storage phone models.

It probably doesn't help(if Apple seeks to make some sort of "we do it for the security of the people!" argument) that iOS historically(and still does, though it is much de-emphasized) supported either unencrypted or encrypted backups and restores over USB when directly connected to a computer; so clearly it was possible to design a backup mechanism for an untrusted storage medium back when cabled syncs were still general practice; and they specifically didn't bother to do that for networked backup and restore.

Comment Seems dubious... (Score 2) 215

This seems like a pretty tenuous theory. There's a reasonably solid suspicion when businesses with clear connections to the cube farms, like restaurants and coffee places whose main draw is proximity to offices(and, typically, because of the way the zoning shakes down, significantly less proximity to things that aren't offices) are involved that people no longer seeing them as convenient, because they aren't in the office, or requiring their convenience, because it's a lot easier to make your own coffee when you don't have a commute.

This is a department store though: furniture, clothing, cosmetics, jewelry, housewares of various sorts. Am I claiming that literally nobody has ever popped over in an emergency after spilling coffee on their pants; or that it has never benefitted from being more convenient because it's on the way home from work? No, that sort of thing must happen at least occasionally. Do I buy that people drawn to the area by the fact that they work there are the primary audience for those sorts of (more typically) planned purchases? That seems like a hard sell.
