When I was designing circuits boards for a living, I had a rock solid estimation algorithm for a board from concept to deliverable product.

6 months. Regardless of the size and complexity of the board.

This takes into account that most of the time will be spent waiting on manufacturing for prototype turnaround.

You can do it quicker if you don't have a customer or certifications or need a production quality product, but we were a consulting design house.

The killer app was Visicalc, not Excel.
Excel just copied it.

Look back to past back door behaviour (Dual EC DRBG for instance) - they attack the RNGs through standards first.

For the 140-2 era, look at the CRNGT
For the 140-3 era (I.E. Today) look the frankly odd and highly suspect SP800-90A DFs. The guy at NIST in pure political speech said "there were too many cooks making that broth" meaning the NSA were all over it.
For entropy extraction, look how the 90B non IID tests over-estimate the entropy when there is very low entropy from the source. Cross correlate that with the very low entropy claimed in Apples ESV submissions for the RNG in all their current products.
Watch as the government stood back and made no attempts to address the brain dead approach to entropy extraction and entropy estimation in the Linux kernel, following the well known principle of not trying to stop the enemy when they are making a mistake.

The back doors are there to be seen if you care to look. They go for the RNGs first, because if they can bork the RNG, the rest of the cryptosystem fails.

One rule for Google. Another for the rest of us?

Read my comment further up. Count the references from each site and always download from each site the first time you visit it regardless of whether or not you have it. So the side channel is muted.

I want one that is the phone equivalent to my framework laptop.

Easily repairable.
Options on the battery size/Thickness tradoff.
A choice of interfaces - audio, sd, etc
An open programming environment.

Why would you filter with a Ring Oscillator? How does that even work?

The content is not irrelevant if it's executable and not signed.
The mitigation of side channels is best done with quantization and trace synchronization prevention. But those might be not in the skill set of the average web programmer.

The blasted wasteland approach is to not cache. The googles will whine about the wasted bandwidth, but then they shouldn't have spent decades putting insecure constructs into web technologies.

If the excess bandwidth is the downloading on first visit of a file you previously downloaded, then that's the cost of security.
You could mitigate by first sharing hashes of the code you are linking so the browser can make a choice about downloading or not. A filename is not a secure hash.
If it's say a common jquery library, then there's very little information leaked by not downloading it.
If it's something more specific to singular websites, then go ahead and download it.

>These payload files go back decades,

There's the hole. If it's decades old, the cryptography will be bad and all it will take is some enterprising hardware hackers to work with some farmers to reverse engineer it and recover the signing keys.

If it's a local cache and the two things contain the same data, store it once and reference count it. You have to retrieve the second copy once to know it's the same so unless I'm visualizing the problem wrong, the information leakage is not happening.

Like my new movie "Javascript" about an author stuck on the island of Java and he needs to write a best seller to get the money to leave.

>Is there any benefit to migrating this codebase to a more modern PHP framework, like Laravel?
No
>And is there an easy and minimally intrusive way this can be done en-masse, across dozens of applications and websites?
No
>Or at this point should I just stick with vi?
Hell yes

Frameworks are a pox on coding, forcing many layers of stuff between your code and what it does. HTTP is not complicated. It doesn't need a complicated framework.

There are plenty of people who don't understand VPNs. If you don't understand VPNs, you won't understand why or why not it would make any sense to have a browser extension doing VPN stuff.

Pat kept is religiosity in a bag for his time as ceo. He let it slip a few times before he was ceo, particularly when he was running the labs. Now he's out he can let his freak flag fly.