Although to be more precise: I saw enough about LastPass years ago. This is the N'th security incident that they've publicly admitted. No doubt the number of incidents they're aware of is higher, and no doubt the number of incidents they're not aware of is still higher.

I think at this point it's safe to presume that any information shared with LastPass has been compromised or will be compromised shortly. Part of that is because they're incompetent, but most of it is because there's no way for any operation to do what they've set out to do: the threat model is completely against them. What they've built is one-stop shopping for attackers, so it's worth much more time, money, attention, and risk than many other operations. Obviously attackers know this and have planned/executed accordingly.

The right thing to do -- which won't happen because almost nobody does the right thing -- is to admit failure, issue refunds, and shut down.

About 25 years ago, I began to take a serious interest in climatology. I started buying textbooks and reading them - and for the most part, that went smoothly, because I could easily understand the math and physics. (I struggled a bit with some of the organic chemistry, and had to spend a couple of years coming up to speed on that.) After a while, I could read all the reports and some of the papers being published, so I made my way through things like the IPCC reports -- which are thousands of pages. Eventually, I got to the point where I could read almost anything published in the field -- but admittedly, some of the material still takes me a long time to get through.

And the single biggest takeaway from all that work is: climatologists, as a field, have been consistently underestimating how bad things are and how bad they're going to get. This is because they're scientists, and all scientists are trained to be conservative in their assessments. Whereas a non-scientist might write "X proves Y", a good scientist will write something like "X suggests that Y may be happening" or the equivalent. This approach implicitly acknowledges uncertainty and the possibility that future work will yield different results: it's how science self-corrects over time.

This mindset is commendable: it shows intellectual honestly. But unfortunately in this particular discipline, at this particular time, it doesn't ring the alarm bells loudly enough. We need a Samuel L. Jackson moment: "The world is on fire, mXXXXrfXXXXXrs" We need radical changes, e.g. all fossil fuel production and consumption must end. We need vast reductions in energy consumption. We need sweeping societal changes, e.g., an end to daily commuting as the norm, it should be an exception. And even if we do all of that, it may still not be enough, because this is an exponential process with a huge amount of momentum -- in other words, we're going to keep sliding up the curve for some period of time even if we do everything that we should have done decades ago.

I've said, for all these years, that I'm not going to live to see the hellscape that's coming - the mass starvation, the killer megastorms, the wars over water, the refugee crises, the political, economic, and societal chaos. Now I'm not so sure.

"[...] Sanger invited his 91,000 followers on X to influence that discussion."

should read:

"Sanger invited 91,000 racists, misogynists, bigots, homophobes, xenophobes, and fascists from a well-known Nazi bar to influence the discussion."

All true - but also a young arrogant engineer who completely failed to read and learn from people who have entire closets full of computing awards (including Turing Awards) for a reason.

There are only two valid use cases for systemd: first, as an interview question. I use it as a fast and easy way of classifying candidates; anyone who thinks systemd is in any way, shape, or form a good idea may safely be dismissed from any further consideration. Second, as a security wedge: there is so much new, poorly-written code in systemd -- with more being shoveled in all the time by Poettering's submissive kneeling fanboys -- that it provides all kinds of opportunities. (I'm being snarky but also serious: read the damn code. It's absolute crap, so much so that one could argue that the number of security holes exceeds the corpus of useful code.)

Every single person involved in Polymarket is a scumbag -- to the bone. They should be shown no pity or mercy when the scam they're orchestrating turns on them -- and it will.

How would it have damaged Google to (a) give credit where it's due and (b) cut a $50,000 check?

Answer: not at all.

In fact, it would help them, because it'd go a little way toward repairing the reputation they've spent the past several years damaging. And it'd be a far better choice -- in every possible way -- than trying to weasel out of it as they've done in this case.

What Google (and Microsoft, and others) have done by abusing the good faith and trust of security researchers has convinced a lot of them that they're better off just selling information to anyone who can/will pay. It's less aggravating and it has a higher payout. This isn't good for anyone, and 100% of the blame lies with these enormously wealthy corporations -- who could easily afford the expense, but are too greedy and too short-sighted to understand the damage they're doing.

This isn't the first, or the tenth, or the hundredth time this has happened to some security researcher dealing with some company. And even when their research is properly acknowledged and credited, the payouts are pitifully small. The entire concept of "responsible disclosure" is to guilt people who don't work for companies into free labor for them, donating it, and then receiving neither credit nor fair compensation.

It's time to discard not just the practice, but the entire concept, because the industry has proven that it concocted this nonsense as a one-sided deal, and that it will screw anyone/everyone at every possible opportunity. It's time for researchers to abandon any attempt to collaborate with companies, because it doesn't work.

What should they do instead? Just drop the vulnerabilites and let the companies deal with the fallout. They're too cheap, too lazy, and in too much of a hurry to make sure their products/services are secure before they start selling them, so they deserve what they get. Let them burn.

1. The list of "1 million fraudulent domains". I'd like to drop that list into the appropriate configuration files. I'd also like to see which registrar(s) are involved and who's providing DNS services for them.

2. The list of "9,000 fake websites". Same for these, and I'd like to see who's providing hosting for them.

This is a pet peeve of mine: reports like this come out, but the original source (Google in this case) doesn't publish the fundamental factual information that everyone needs to defend themselves AND to gain some understanding of how the threat works, so that everyone can defend themselves against the inevitable copycats. Instead we get a bunch of corporate PR-speak, which is utterly useless. So if you're reading this, Google: pony up.

The person(s) behind this series of disclosures are clearly highly intelligent, knowledgeable, and industrious. Microsoft should be paying them the minimal acceptable bug bounty -- per bug, which is this case is $1M USD. (Anything less than that is an insult.) But of course Microsoft is far too accustomed to lying, cheating, and screwing other people, it's so embedded in their corporate culture, that it has never occurred to them to even try to do the right thing.

Now to turn my attention to the Subject of this posting. Surely nobody thinks that the person(s) behind this particular effort are the only ones conducting such research. And it is importable that they are the most intelligent, most knowledgeable, and most industrious -- in other words, there are probably people out there somewhere who are even better. And, rather ominously, who aren't doing the world the enormous favor of making these known publicly.

That's an easy speculation to make, of course, but it's also congruent with history. "There's always someone cleverer than yourself" is a wise maxim because in all but a very, very cases it's accurate. So unless this one of those cases -- and I very much doubt that -- then there are one or more other person(s) out there discovering bugs of similar severity and consequences, and doing....well, we don't know what they're doing with them. If they're working for national intelligence agencies, then likely stockpiling them for future exploitation. If they're working for themselves, perhaps packaging and seller them on the open market. There are all kinds of possibilities and none of them bode well.

TL;DR: we have reached the point where it has become painfully obvious that Microsoft can't secure its own operating system for any even minimally acceptable value of "secure"; every day it becomes more obvious that they're losing.

Researchers have been trying to solve this problem for a very, very long time -- using the same approach. Nobody's cracked it yet, and throwing a huge pile of money at a bunch of researchers seems unlikely to crack it in the kind of short timeframe amenable to investors.

I cited the 1940's in the Subject because that's when Hebbian learning was hypothesized. It's only one of the waypoints in the history of neural networks, and one could easily argue for any of the others, but in my view it's the one that marks the transition from systems that couldn't learn to systems that could. Of course current researchers have the advantage of all previous research and superior tools, and that will certainly help. but this is still largely unknown scientific territory.

There's also a major ethical question here: is this a good idea? That is, suppose they succeed: is that going to be good for humanity? What happens to every one of us if all of our labor, all of creativity, all of everything we do with our minds can be replaced? Particularly if it can be replaced with something that never gets tired, never gets sick, never grows old? How is this good for anyone except the billionaires - the same people building their climate-catastrophe bunkers, the same people funding life extension research, the same people funding cloning research, the same people exacerbating global warming? Are all of us just supposed to...die?

(One of my degrees is in physics, but string theory is not my lane: I deal with electromagnetic field theory.)

If the scientists are wrong, they will eventually figure out that they're wrong and fix it: that's how science works. For example: Abberation (astronomy). That article contains a paragraph that explains how stellar aberration was observed, explained incorrectly, explained better - but still incorrectly, and eventually explained correctly. Science is designed to be self-correcting, and while sometimes those corrections are difficult and contentious, they inexorably happen.

The assumptions you list are made by physicists because (a) we have no experimental evidence that they're wrong and (b) we have a mountain of experimental evidence demonstrating that they're right. If that changes, if even a single bit of experimental evidence shows that they're wrong then (1) someone will win a Nobel Prize and (2) science will apply the correction. But I strongly doubt this will happen.

As to string theory: my own feeling is that we may be only a few years from being able to conduct experiments that might invalidate it. Please read carefully: I'm not predicting that they will, I'm predicting that they will be capable of doing so. If I'm right about that, and those experiments are run, then either (a) they won't invalidate string theory, leaving the door open for more discussion and research, or (b) they will invalidate string theory. Of course if the latter happens, the people who've invested so much of their lives working on it will be very disappointed -- but because they're scientists, they'll accept it.

Rather than write more about this, I'm going to quote Carl Sagan: "The Cosmos is all that is or was or ever will be. Our feeblest contemplations of the Cosmos stir us -- there is a tingling in the spine, a catch in the voice, a faint sensation, as if a distant memory, of falling from a height. We know we are approaching the greatest of mysteries."

The purpose of the CS department is not to provide vocational training for programmers; it's to teach CS. In turn, CS is far, FAR more than mere programming, and thus requires an understanding of math in multiple areas -- to name a few: graph theory, queueing theory, discrete mathematics, combinatorics, calculus, differential equations, probability, geometry/trigonometry, linear algebra.

Students who are unable or unwilling to learn these things aren't going to be able to learn CS because they lack the foundation(s) required, and thus they're likely to receive low grades. That's how it is, and that's how it should be.

This is not to say that people who only want to learn to program should not do so: they most certainly can. But that's a very different educational path than trying to learn CS. It's roughly the same as someone who wants to learn to be an electrician vs. someone who wants to earn a degree in EE.

The BSA is the sockpuppet of corporations that rely on customers who can't migrate to alternatives because of vendor lock-in. So of course they'll do what they've always done: advocate for expensive, low-quality software with horrible terms and conditions, because that's what keeps the money flowing.

And until the last year, that was mostly working, because the pain/friction involved in changing to something else was too great, and so sticking with bad-but-working crap was preferable to trying to migrate to something else. But that's all over now, baby blue. (Get it?) Now that American companies have repeatedly proven that they'll bend the knee to unhinged orange grandpa and shut off anything/anyone that he wants, the anticipated pain/friction is a much better alternative than risking a complete (and maybe permanent) outage.

The end of American dominance is coming in many ways: Ukraine is now the leader of the free world and arguably has the most advanced military force. China is now the lone economic superpower. Canada is poised to become a raw materials juggernaut. Africa is leading the way on wind and solar power. And it remains to be seen who will become the dominant scientific, engineering, and computing force, but I'm guessing some combination of Europe, Japan, and China.

That's a really good question (with bonus Paula Cole reference). I can offer you a hypothesis that might answer it, and that is: default permit.

Almost everyone still configures their firewalls to be default permit (or mostly default permit) because it's the easiest way to avoid breaking things. That's true even when it's desirable to break things so that the root cause can be identified and fixed, because quite often management doesn't care about this: they just want things to work, and when a sysadmin tries to tell the VP of Sales that their email stopped working this morning because it shouldn't have been working for the last eight years...that sysadmin isn't going to be told "do what you have to do to investigate and put in a permanent fix", they're going to be told "just put it back like it was".

This movie plays out all day every day across corporations, organizations, universities, and so over many years the technical debt piles up, and then something like this happens, and NOW of course management wants it fixed. And this is why, despite years (decades now) of jumping up and down and yelling that default permit is bad, it's still in use almost everywhere.

Republicans figured out, in the 1980's, that their policies were completely incompatible with science. Rather than engage in introspection and rethinking those policies, they decided to double down on them...which meant that science had to go.

Everything they've done since is in furtherance of that goal. They know what the consequences will be -- and they don't care. They're perfectly willing to burn the planet down and watch hundreds of millions of people die from global warming and its effects as long as they can stay in power and be the last ones standing.

The problem is that our system of justice, in fact, our entire philosophy of justice, doesn't recognize two kinds of harm: first, harm that takes a long time to happen. We can deal with a fired bullet that kills someone a fraction of a second later, but when tobacco companies kill people decades after addicting them, we don't really know how to cope with that. Second, harm that is inflicted on a very large population -- e.g. hundreds of millions. We don't have a mechanism for that because until quite recently it wasn't possible: even the richest, most powerful person alive in 1926 couldn't do such a thing even if they spent their entire life working on it. But today? Today it's possible for one person to kill on an almost-unimaginable scale. How do we know? We're watching it in real time.

What was the Republican party is now a death cult. All the posturing about waste and budgets is just that: posturing. The goal is to destroy science, whether it's climatology or immunology or anything else, and thus to kill as many people as possible.