Comment Re:Why is NPM such a target? (Score 2) 21

Because it is so easy and very effective.

The JS community has streamlined and simplified pulling packages from a remote repo and automatically incorporating them into your build.
The community has also encouraged a strong reliance on using libraries as the first answer to solving a problem (see left-pad).

There is no review or verification process for these remote packages. NPM provides no quality feedback mechanisms like an issue count or comment facility, just a report malware button.

From the outside, the management of NPM has historically been bad. Such as the kik/left-pad issue.

This management doesn't seem to have improved. During the acquisition one of the few things GitHub said that they wanted to do was introduce 2FA to NPM.
Their response to these security issues eighteen months later is that they intend to introduce 2FA.

This isn't unique to Javascript/NPM, Python has many of the same issues but to a lesser extent. I think the library culture actually started with Perl and CPAN.

Comment Re:Yeah. Right (Score 2) 35

> So far, China has done NOTHING. Their coal use, emissions, etc continues to climb. Even when they signed the treaty to ban CFC production, the Chinese government looked the other way.

China has installed 1/3rd of all the world's solar power capacity, over twice as many solar panels as the US.

Yes, China's emissions continue to rise. They are a rapidly developing country with an incredible number of people moving in to urban societies and shifting towards middle class lifestyles. The US emits twice as much CO2 per capita than China. Saying that China can't increase its emissions while still emitting at twice the rate would be the height of hypocrisy.

All of that said, China has made substantial commitments and has kept to them as well as any other country. They will never ever emit to the same per-capita level as the US.

China has just committed to peaking its emissions by 2030. IF the US meets their goal of halving emissions from 2005 levels by 2030, China will still emit less per capita.

While it would be fantastic to see China doing more, those of us living in industrialized countries who have been pissing significant emissions into the global pool for over a century and continue to do so aren't in a great position to lecture the new guy who just turned up and is trying to do the same thing. Blaming the new guy for the pool being full of piss doesn't really make sense, even if they seem to have a large bladder.

Comment Re: Make rockets, not rides for millionaires? (Score 1) 61

> How do you get money for that without giving rides to millionaires? Are YOU going to personally fund that? You have to start somewhere.

You get a contract from NASA, like SpaceX got, like Blue Origin got through ULA.

For some reason, Blue Origin chose to focus on their carnival ride rather than the BE-4 engine they were paid for.

I don't think anyone here is in a position to do more than speculate why they made that choice. However I can't think of many charitable explanations.

Comment Re:That is such an American way of seeing things. (Score 1) 95

> North Korea's regime only continues to exist because China wants it as a client state and a buffer.

A significant reason for North Korea's ongoing existence is the cost of merging it in with one of its neighbours.

South Korea is the obvious country to merge it with, however that would decrease the GDP of each South Korean by a third. There would be a huge cost over an entire generation to educate and drag North Koreans into the economy. (As a comparison, East Germany was 3x poorer than the West, North Korea is 22x poorer than the South.) South Korea has developed an interesting generational split, the older generation who remember family members in the north typically are pro-merger, the younger generations are anti-merger.

The hit to China would be less due to the size of their economy and population, it would probably also be more politically acceptable to maintain the disparity for longer, reducing the required investment. However it would still be a massive undertaking. There are also significant fears that if the North Korean regime collapses there will be a flood of refugees into China, economically depressing a wider area. It is believed that China's plan in the event of a collapse is to line the border with troops and call the UN.

There is also no benefit to acquiring North Korea. There are no significant natural resources, the population is uneducated and heavy industry is obsolete. So China keeps propping it up just enough to survive and leave it as a problem for the future.

Are buffer states still a thing? It's hard to imagine a modern war between two major powers being decided by tanks rolling across a field.

Comment Re:the point of DoH (Score 1) 61

> I'm sort of missing the point of DoH, if my PC gets the IP address of a server in a secret way, but the next thing that it does is send a page request to the IP address, then any observer (my ISP for example) can see that. If I'm using a VPN, shouldn't all traffic including my DNS requests already be hidden inside the VPN tunnel..?

Reversing that IP isn't trivial, viable for large self hosted websites but often it just tells you that it is AWS hosted, or distributed through Cloudflare.

Of course this https stuff is easily avoided if you can just monitor DNS queries.

So for privacy reasons we move away from straight DNS.
Privacy is awkward for security people who were snooping DNS queries, so they don't like it.

There were similar arguments when HTTPS was first introduced, companies would force users to install their own certificate and then man in the middle bank websites.

And much like with HTTPS, the companies will lose.

Comment Re:Something Big is Afoot (Score 1) 53

Really?

* Solarwinds was in March, discovered after the election but obviously unrelated.
* United Nations is clearly a pentesting team drumming up business.
* NZ Central Bank is real, but the timeline hasn't been disclosed.

Nobody is attacking the NZ Central Bank because of the US' exercise in self flagellation.

Comment Re:Why is the US getting fisted? (Score 3, Interesting) 61

> What is so dumbfounding is that none of this critical stuff seems to be air-gapped or networked on a secure encrypted and tamper resistant network that is separate from the internet at large.

A computer with the power off sitting in a safe is super secure from hacking. It's also kinda useless.

The 9/11 commission report went into extensive detail around the lack of intelligence sharing between and within government agencies.

For the 17 members of the US intelligence community with offices around the world to work together you need a large interlinked network. It is no longer viable for this to be air-gapped and entirely contained within secure locked rooms. They can and do tightly control links between these networks and the internet at large, but the links have to be there and the solarwinds attack was very clever in disguising the traffic flows.

Comment Re:Look at that Blibbering Humdinger in the Window (Score 5, Informative) 61

> As far as a "security nightmare" of Microsoft's products, where in the world are you even getting that?

Once an attacker achieves Domain Administrator access, and every Solarwinds Orion customer must assume this has happened, the attacker can generate what is known as a golden ticket.

The golden ticket gets them full uncontrolled domain administrator level access to every computer in the domain.

Removing an attacker at this point is nightmarishly hard, there are companies that specialise in it. The standard technique is to completely isolate the system, cycle all Kerberos creds to try and expire the golden ticket, which typically takes ten hours. This must be coupled with monitoring to ensure no new golden tickets are created during this process. Once the golden ticket is removed this just leaves identifying any persistence left in any domain joined computer.

To reliably remove an attacker you are looking at rebuilding the entire domain. Wiping out and rebuilding every server, every PC.

The ability to obtain an active directory golden ticket is a security nightmare, one that the world and Microsoft has been aware of since 2014, without any meaningful fix or mitigation being produced.
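Added here to illustrate the monitoring the comment describes while krbtgt credentials are being cycled (this is not code from the original post or from any Slashdot commenter): a small Python hunt over constructed domain-controller log lines for service-ticket requests with no DC-issued TGT behind them, one of the signals defenders use to spot forged tickets. Event IDs 4768/4769/4770 are the real Windows ones; the one-line log format, the ten-hour lifetime constant, and the sample accounts and hosts are assumptions constructed for the example.

```python
"""Heuristic hunt for forged Kerberos TGTs ("golden tickets") in DC logs.

Added example, not from the original comment. Input is a constructed
one-event-per-line format: <utc ts> <event id> <account> <client ip> <detail>,
using the real Windows IDs 4768 (TGT requested, detail = result code),
4769 (service ticket requested, detail = service) and 4770 (ticket renewed).
"""
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # default domain maximum TGT lifetime (assumed)


def parse_events(text):
    """Parse the constructed log format into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, account, ip, detail = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "event_id": int(eid), "account": account.lower(),
                       "client_ip": ip, "detail": detail})
    return events


def find_tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return 4769 events whose account/client pair has no DC-issued TGT within lifetime.

    A forged TGT is built offline from the krbtgt hash and never passes through
    a DC's AS exchange, so no 4768 (or 4770 renewal) precedes its 4769s.
    """
    last_tgt = {}  # (account, client_ip) -> time a DC last issued or renewed a TGT
    suspicious = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"], ev["client_ip"])
        if (ev["event_id"] == 4768 and ev["detail"] == "0x0") or ev["event_id"] == 4770:
            last_tgt[key] = ev["ts"]  # DC issued/renewed a TGT: session went through the KDC
        elif ev["event_id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or ev["ts"] - issued > lifetime:
                suspicious.append(ev)
    return suspicious


# Constructed sample: alice logs on normally, then uses a ticket long after her
# TGT lifetime; a host that never obtained a TGT requests a ticket as Administrator.
SAMPLE_LOG = """\
2021-01-10T08:00:05Z 4768 alice 10.0.0.5 0x0
2021-01-10T08:00:07Z 4769 alice 10.0.0.5 cifs/fileserver01
2021-01-10T09:15:00Z 4769 Administrator 10.0.0.99 ldap/dc01
2021-01-10T19:30:00Z 4769 alice 10.0.0.5 cifs/fileserver01
"""

if __name__ == "__main__":
    for hit in find_tgs_without_tgt(parse_events(SAMPLE_LOG)):
        print(hit["ts"].isoformat(), hit["account"], hit["client_ip"], hit["detail"])
```

Hits are leads, not proof: a log window that starts mid-session, or a DC whose logs are missing from the collection, produces the same signature, so the events from every DC in the domain must be merged before trusting the output.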

Comment Re:Quantum Entanglement (Score 1) 86

> You'd have to send the atom. And that would be slower than just sending the photons instead.

Setting aside that you can entangle photons.

The "teleportation" quantum entanglement communication concept is to realise that you can separate the transmission of the medium and the transmission of the data.

Essentially you entangle and send two constant streams of photons, one stream goes to the destination, one stream goes into an equal sized buffer. This transmission has all the classical constraints around time. This transmission also doesn't contain any data.

You then encode the data onto the buffer stream by forcing the quantum state. Due to the magic of entanglement this sets the state of the destination stream which can now be read. This data "transmission" is instantaneous, faster than the speed of light.

Essentially the classical physics costs of energy and time are paid for by establishing the medium, the tunnel. Quantum entanglement teleportation is then free, no cost of energy or time.

Comment The Hypocrisy (Score 4, Insightful) 33

> no country has weaponized its cyber capabilities as maliciously and irresponsibly as Russia

Most of the individuals are charged due to their involvement with the development of the NotPetya malware. Most of the financial damage was caused by the NotPetya malware attacks.

NotPetya used the EternalBlue, EternalRomance and Mimikatz exploits to perform the attacks.

EternalBlue and EternalRomance having been identified, developed, weaponised and irresponsibly leaked by the United States' own NSA.

The most damaging malware attacks are widely seen as being WannaCry and NotPetya. Both driven by EternalBlue. A vulnerability that the USA government discovered and sat on for five years, weaponizing it only to have the weapon fall into the hands of North Korea and Russia.

The hypocrisy of describing other countries as irresponsible!

Comment "Security flaw" (Score 2) 16

> Xplora takes privacy and any potential security flaw extremely seriously

I love the company treating this deliberately included feature as a security flaw. "One of our developer's buffers overflowed and a bunch of spyware was magically inserted into the firmware." /s

I assume the real flaw they are talking about was that somebody managed to dump the firmware image.

Comment Re:I cannot wait for them to be sued for GPL viola (Score 3, Informative) 105

> Except, you know, the GPL lawsuits have been kind of weak and I'm sure they know that with their legion of lawyers.

Really? Every single case around the world has held the GPL up.

The mark of a strong licence isn't large numbers of public lawsuits. It is the fact that companies comply or settle to avoid an inevitable loss in a public trial.

Comment Re:He apparently don't know his history.. (Score 1) 347

> You see before that families had these things called "station wagons" to haul kids and groceries which weren't great on gas but not a monster like an SUV but thanks to the CAFE standard being pants on head nuts

I'm not a fan of SUVs, awful ugly vehicles, and the US has weird laws around trucks, but your comment is just incorrect.

The Volvo V60 is a classic station wagon shape, and comes in at 27MPG.

The Subaru Forester has classic SUV lines, and provides 29MPG.

As a more direct comparison, the Subaru Outback is a slightly SUVy station wagon. It has the same mileage as the Forester.

The SUV is big and ugly but tends to be rather curvy compared to a station wagon, especially on the tail. They are actually relatively aerodynamic and capable of hitting the same or better fuel efficiency.

> Ask if the something is 1.- in any way feasible with current technology

I'm a product development engineer, and this quote shows that you don't understand how engineering progress is made. Fundamentally, we develop technology to solve problems. By setting up a problem, "You must achieve 30 MPG", it sets the stage for teams of engineers to develop solutions. The target is set well in advance to allow for sufficient time for research and development.

You can see that these targets work, mileage has risen from 12MPG to 30MPG. Vehicle safety has improved year on year.

The recent noise around CAFE paints the US car industry into an interesting corner. The Europeans aren't backing down from their fuel standards push, nor the Japanese, Chinese, Indians or any other sizable car market. If the CAFE system ends and US car manufacturers choose to stop improving efficiency they will cripple their international position.

Comment Re:Doctorow is making a straw vehicle argument (Score 1) 347

> Technically there is but it would be necessary to eliminate human drivers. No need for following distance, stop lights, alternating direction traffic, etc. There are some neat simulation videos out there.

> The subway tunnels could also be full of tiny, 'packetized' cars. No drivers, mostly-full tunnels. When I ride a subway the tunnels are < 10% full.

This works beautifully for a fully controlled system.

Once you add non-controlled elements, such as a four year old, it all breaks down. Suddenly you need stopping vision distance and stopping distance, this reduces your maximum speeds and capacity reduces to something similar to what we currently have. It also doesn't work if you have a single non-automated vehicle.

Another catch is that these scenarios also assume full cooperation. Every car provides honest information and behaves in the manner which is best for the collective. I would not suggest assumptions like this for the design of a multi-user network.

Comment Re:So, is Nvidia or the UK government the fluffer? (Score 3, Interesting) 124

> If someone like Microchip or ST took up RISC-V there might be a chance of this happening but so far it's a bit lacking.

Microchip are running with RISC-V via their Microsemi brand, as a direct replacement for the ARM cores used in previous generation chips.

They are founding members of RISC-V and have a staff member on the board.

I think it is safe to expect more RISC-V cores to emerge in time, it is particularly compelling for the low cost end of the market that many of their products target.

On the tooling and support side. SiFive, who are big players in the RISC-V ecosystem and designed the cores that Microchip are using, recently hired Chris Lattner of Clang/LLVM fame.
I expect we will see improvements in the tooling and library side coming from them.

It is complicated somewhat by the openness however. ARM can openly release libraries and tools because they will get paid for the chip or licence in the end, a RISC-V core company can't make that assertion.
