
Comment Typical behavior from Microsoft (Score 2) 31

This has been typical behavior for large companies when dealing with vulnerability reports for decades. Report one, they treat you as the problem. They'll try to ignore it, consider it "not exploitable", delay and deflect as long as they can get away with it, anything but address the vulnerability. And they'll never tell anyone the vulnerability exists. This only changes when they have no choice but to admit to the problem and fix it, usually when the vulnerability is being publicly exploited. They push "responsible disclosure" because it includes the reporter not making the vulnerability public until the company has a fix, which allows them to stall disclosure as long as they want.

It used to be enough to just include a reasonable deadline when reporting it, after which the reporter would make it public if the company hadn't taken some action on it. Then companies started threatening and then taking legal action against the reporter as soon as they reported the problem, playing the deadline up as "blackmail".

So, what do you do when faced with this? The only reasonable response is to skip the company entirely and make the details public immediately. You're going to be facing retaliation from the company either way, this way the public isn't vulnerable for an extended time. And yes you include details on how to exploit the vulnerability, ideally via working code, so researchers other than the company can confirm it's a real vulnerability that's actually exploitable without having to take your word for it. No, that doesn't give the bad guys anything because remember the working assumption for vulnerabilities: if a good guy has found it, the bad guys already know about it and are using it. Remember that when the company whines.

Comment Re: Grundfos? (Score 1) 60

What is "very large"? How far is the faucet from the water heater? Couple hundred feet? I've never seen anything take *minutes* to get hot water out. Hell, I can turn my boiler on and heat the whole tank from cold faster than that.

My house is a relatively normal size (1800 square feet), and it still takes more than three full minutes for water in my shower to reach full temperature when I run it straight hot. If I also turn on both faucets in my bathroom, I can get that down to about twenty or thirty seconds, which is barely tolerable.

At my mom's house in Tennessee, the distance the water has to travel is comparable, but it takes only ten seconds or so.

It's a huge downside to all the water-saving showerheads and faucets that were forced upon us here in California decades ago. We waste a lot of time and energy to make up for a water shortage that exists only because of decades of politicians being short-sighted and kicking the desalination can down the road over and over so that the money doesn't get spent on their watch.

Comment Re:Grundfos? (Score 2, Insightful) 60

Who in fuck is Grundfos?

"Grundfos is a global leader in advanced pump and water solutions, renowned for its highly efficient, reliable, and sustainable pumping systems."

Ah.

Translation: A company that has the potential to benefit from regulation by squeezing out competitors wants more regulation.

I'm not saying they're not right, just that it seems awfully convenient for a company specializing in pumps that recirculate data center water to want efficiency regulations that would push customers towards their most efficient (and thus presumably most high-margin) pumps.

Comment Re:Grundfos? (Score 5, Informative) 60

Why does your water heater need a pump?

Instead of having your hot water fan out in a tree, you wire it like a token ring with a return pipe, where each faucet only has a short bit of pipe between it and the ring. Then, you have a pump to circulate hot water through the ring-shaped pipe network. That way, it takes half a second to get hot water instead of half a minute or more.

Comment Re:This should not be acceptable... (Score 1) 124

Depends on the exact wording, but Android Open Source Project (AOSP) is not shipped on many devices. Most ship with Android, which includes Google Play Services and a load of other proprietary, closed source stuff. So presumably they would need to implement these controls, and I'm sure Google will oblige by offering them to vendors. In fact even if they were not mandatory, I expect vendors will market it as a feature and want to include it anyway.

Sure. I'd imagine most hardware vendors will want it. I'm just saying that the wording, at least as described in the summary, is... problematic at best.

Comment Re:Age Verification for any OS is insane (Score 1) 124

This would be like requiring every single restaurant and fast food place to check photo ID because somewhere in the entire state a bar exists where you have to be 21.

Not really. It's more like requiring all vendors who sell cash registers used in restaurants to support checking photo IDs because some restaurants also serve alcohol.

Comment Re:California (Score 1) 124

Because, it's California, and the Governor and mayors can't put the responsibility for actually taking care of their kids and making sure they aren't on a website "that could be dangerous".

There's no safe way to prove your age to a website. Any scheme requires trusting some arbitrary third party that could secretly be the government doing timing comparisons between the verification and DNS queries and stuff to unmask anonymous users. At least with operating system or browser vendors, they presumably have a strong commitment to minimizing the risk of someone publicly posting "John Doe just visited sexwithseaturtles.com" or whatever.

Comment Re:Good laws need no exceptions (Score 2) 124

Age-verification at OS levels was always a terrible idea. It's difficult to see under what rationale Linux should be granted an exception for this dumb idea. The solution is just to repeal the law and flog the sponsors.

It's not really that terrible. If you're going to do age verification, you have two choices: browser or operating system. All else is all but guaranteed to be either a privacy disaster, a usability disaster, or both. And either way, every operating system needs to support multiple users, or the "I used dad's iPad to browse porn and buy firearms" problem makes the verification useless.

And major operating system or browser vendors that cater to the general public should make it available by default, because doing so prevents the "You downloaded the AdultCheck module, so you must be a pervert" logic that some people might use to attack people.

What's terrible is the idea of mandating that it be performed at the OS level, rather than just mandating that the OS doesn't get in the way. Browser-level verification is actually far preferable, because there's no need to bake that into an authentication framework when you can just send it out to a browser window. Leave that tiny bit of integration complexity to the companies that actually require it. But this only works if the OS supports multiple users, so that the browser's cookies and storage are not shared across multiple users.

For devices that don't have multiple users, baking it in at the OS level really is the only way, but it could just as easily be solved by baking it in at the browser level and changing the OS to allow multiple users per device. Unfortunately, such technical details are way too subtle a point for most lawmakers to understand, so obviously they did it in the most wrong way possible.

Comment Re:This should not be acceptable... (Score 3, Interesting) 124

This should not be acceptable. Carve-outs are always temporary. Always. Do not give them an inch.

Wait 'til they realize that Android is distributed under a license that allows people to copy, redistribute, and modify it.

As usual, a law created by people who didn't think of the consequences then got modified to fix some of the worst consequences, but because they still did not think of the consequences, the modification created different consequences. And this is why we need better lawmakers.

Comment Re:Game Devs are DEI and Marxist. Unions are Marxi (Score 1) 163

Correct, as anyone can see by looking at who they rounded up.

"Then they came for the Socialists
And I did not speak out
Because I was not a Socialist

Then they came for the trade unionists
And I did not speak out
Because I was not a trade unionist "

Comment Re:Unionisation requires a monopoly on labour... (Score 1) 163

But in the next state over, the next company will also treat you as badly as they can get away with.

The natural model for a programmer's union is the Screen Actors Guild. That's another field with a wide range of talent. SAG members can get the best pay their agents can negotiate, lots for stars. But everyone is protected from exploitation.

Comment Cloud environment (Score 3, Interesting) 23

This isn't unusual for a cloud environment where services are distributed across multiple servers for performance and resilience. For read/write data the propagation window necessarily has to be short, but for read-only or read-mostly data like authentication tokens the architecture usually favors speed of authentication and resistance to infrastructure failures over fast propagation of changes. E.g., using a pull-based "changes since the last time I checked" process instead of setting up everything for a real-time event-driven process.

The main thing everyone needs to remember about cloud systems is that they are operating in a distributed environment and changes do not propagate instantly to the entire system. The question is whether the propagation delay is acceptably small or not.

Also, do not depend on "we can revoke the credentials" as your primary defense against compromise. That won't help you against use of the credentials in the span between when they're compromised and when you revoke them, if that's acceptable for you then extending that span by a bit isn't an existential crisis. Design your authentication so credentials can't be compromised in the first place, and are as difficult as possible to use from any system other than the one they were issued to if they are compromised. Hardware tokens (YubiKey etc.) have been a thing for a decade now, it boggles me that they aren't the minimum standard yet.
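The two points in the comment above, as an added example that is not part of the original post or of any vendor's code: a pull-based replica that only learns about revocations on its next poll, so a revoked token keeps working until the poll interval elapses, and a proof-of-possession credential where copying the bearer token is not enough to use it. Class and token names (`tok-A`, `tok-B`, `EdgeValidator`, `PoPVerifier`) are hypothetical; the HMAC-based binding is a stand-in, labelled in the code, for the public-key binding a real WebAuthn/DPoP/mTLS deployment would use.

```python
import hashlib
import hmac
import secrets


class RevocationAuthority:
    """Source of truth for revocations. Replicas pull 'changes since t' from it."""

    def __init__(self):
        self._revoked = []  # (revoked_at, token_id), append-only

    def revoke(self, token_id, now):
        self._revoked.append((now, token_id))

    def changes_since(self, since):
        # '>=' rather than '>' so a revocation stamped exactly at the last poll
        # time is not lost; re-adding an id to the replica's set is harmless.
        return [tid for ts, tid in self._revoked if ts >= since]


class EdgeValidator:
    """One of many replicas; refreshes its local list every poll_interval seconds."""

    def __init__(self, authority, poll_interval):
        self.authority = authority
        self.poll_interval = poll_interval
        self.last_poll = 0.0      # replica booted with an empty list at t=0
        self.revoked = set()

    def _maybe_refresh(self, now):
        if now - self.last_poll >= self.poll_interval:
            self.revoked.update(self.authority.changes_since(self.last_poll))
            self.last_poll = now

    def accepts(self, token_id, now):
        self._maybe_refresh(now)
        return token_id not in self.revoked


def still_accepted_after_revoke(poll_interval, revoke_at, probe_times):
    """Probe times (ascending, all after revoke_at) at which the replica still honours the token."""
    authority = RevocationAuthority()
    replica = EdgeValidator(authority, poll_interval)
    authority.revoke("tok-A", revoke_at)      # hypothetical token id
    return [t for t in probe_times if replica.accepts("tok-A", t)]


class DeviceKey:
    """Stands in for a non-exportable key inside a hardware token: only the
    device can compute proofs, and exfiltrating the bearer token does not copy it."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def binding_material(self):
        # Simplification: HMAC means the verifier holds the same secret. A real
        # deployment registers a public key instead (WebAuthn, DPoP, mTLS).
        return self._secret

    def prove(self, token_id, nonce):
        msg = f"{token_id}:{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class PoPVerifier:
    """Accepts a token only with a fresh proof from the device it was issued to."""

    def __init__(self):
        self._bound = {}          # token_id -> binding material
        self._open_nonces = set() # challenges issued but not yet consumed

    def issue(self, token_id, device):
        self._bound[token_id] = device.binding_material()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return nonce

    def verify(self, token_id, nonce, proof):
        key = self._bound.get(token_id)
        if key is None or nonce not in self._open_nonces:
            return False          # unknown token, or nonce never issued / already used
        self._open_nonces.discard(nonce)   # single use: a captured proof cannot be replayed
        expected = hmac.new(key, f"{token_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, proof)


def bearer_theft_outcomes():
    """(legitimate device, thief holding only the token, thief replaying a captured proof)."""
    verifier, device = PoPVerifier(), DeviceKey()
    verifier.issue("tok-B", device)          # hypothetical token id

    n1 = verifier.challenge()
    p1 = device.prove("tok-B", n1)
    legit = verifier.verify("tok-B", n1, p1)

    # Thief copied 'tok-B' from a log but has no device key, so must forge a proof.
    n2 = verifier.challenge()
    thief = verifier.verify("tok-B", n2, DeviceKey().prove("tok-B", n2))

    # Thief captured (n1, p1) on the wire and replays it.
    replay = verifier.verify("tok-B", n1, p1)
    return legit, thief, replay


if __name__ == "__main__":
    print("still accepted at:", still_accepted_after_revoke(300, 10, [60, 299, 300, 900]))
    print("legit, thief, replay =", bearer_theft_outcomes())
```

With a five-minute poll interval the token revoked at t=10 is still accepted at t=60 and t=299 and only rejected once the replica refreshes at t=300; shortening the interval shrinks that window but never closes it, which is the commenter's point. The second half shows what does close it: with the token bound to a per-device key and single-use challenges, the copied bearer string and a replayed proof both fail, so the window between compromise and revocation buys an attacker nothing.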

Comment Re: Investing = Polymarket betting (Score 1) 120

I've seen some people who claim to know what they are talking about say that the thermal emissivity scales by the fourth power, so the hotter you let your satellite run, it scales considerably.

I'm not a physicist, but that would make sense -- the hotter you are, not only do you emit more light, you also emit a broader spectrum. If that wasn't the case, I think the sun could be infinitely hot and would only emit infrared. Or to put it another way, the more thermal energy you have in a system, the more it wants to dissipate. Ties into the second law of thermodynamics.

Maybe, but the problem is that the electronics have to run at those temperatures and not have solder joints start popping, or other fun failures.

Comment Re:That's a problem (Score 1) 133

My guess? I doubt it saw or recognized the intent of the hand gesture, but it almost certainly recognized the flashing red. I assume the "thought" process was "well, nobody else is going. We all stopped at roughly the same time. Yeehaw." but who knows. Doesn't Tesla have some sort of "playback" feature where it can show you what it saw? Or is that only a real-time view?

As far as I know, it is just real-time. And it didn't even slow down at the flashing red light. So either it recognized that someone was waving it on or it didn't see the flashing light at all.

Comment Re:Linux vs. BSD ex-macOS/Android/ioT/Chromebook? (Score 1) 66

All those datacentres around the globe powering Google, Meta, Amazon & AWS, Azure, Anthropic, OpenAI, Cloudflare; rack upon rack stuffed with servers consuming all the CPU, GPU, storage and memory the world can make... and they're (mostly) running Linux. Feels like they should be counted too.

I *think* that number actually is counting them, though it's hard to be certain. I'm pretty sure servers are outnumbered by PCs by a large margin.
