I think it's the very fact that you can(and probably should; at least to some degree) do more or less exactly that is what makes this report seem so hysterical.

It's not like it's false that some Yandex software dude will probably cooperate if the FSB tap him on the shoulder and suggest that it's exciting and mandatory; while John Smith, corn-fed American patriot, is at least going to require some sweet-talking; but if you are just blindly grabbing 'package that some dude put on NPM' your problems are far deeper, and much less exciting, than nation-state sabotage. Even when doing their absolute best; programmers make mistakes all the time; so if the project is basically one dude who maybe debugs his own code if it's too broken you have basically no reason to suspect that innocent vulnerabilities are getting caught; along with the risks posed by the relatively frequent compromises of dev credentials on the various repositories, and the risk that you'll be left unsupported if the random guy gets hit by a bus or finds a new hobby and just walks away.

It's fun to pretend that tedious, labor-intensive, problems don't exist by focusing on sexy threats instead; so I'm not surprised that a 'security' vendor would be working this angle; but, fundamentally, if you are just grabbing random garbage off a repository every time one of your junior devs even thinks too hard about docker you are doing it wrong.

It also seems a bit silly because, if your real problem is nation state adversaries rather than nobody actually looking because it seems like it works and why try harder it would likely be relatively trivial for the trojan horse project to add 'legitimacy'. You want multiple maintainers because we can't trust Sinister Yuri to police himself? Ok, it doesn't take a terribly impressive intelligence agency to conjure up a few additional contributors who make changes to the project from North American or western European IPs and time zones and have a thin but plausible trail of assorted tidbits that suggest that they are consultants or employees of random little companies in friendly nations. You call that a security check?

"Request a demo of Entercept, the first and only platform designed to identify and track foreign influence in your software."

I do love a good disinterested vendor writeup...

"As a whole, the open source community should be paying more attention to this risk and mitigating it."

So, if I'm understanding this right, the solution is for more people to work for free so I can just blindly grab whatever; not for the people already getting their software for nothing to care even slightly about their dependencies?

Obviously the originalist interpretation of freedom of speech is "so long as congressional republicans claim it's 'neutral'". Very subtle constitutional law, that.

I think there are (at least) two different distinctions at work; rather than a direct opposition between 'buzzwords' and 'jargon' at the level you describe.

Both are jargons for the purposes of being nonstandard or very locally standardized usages within a particular group; but when people say 'buzzwords' there's a specific pejorative implication, while 'jargon' is usually implied to be legitimate and useful at least within its subject area.

Obviously legitimacy claims, rather than linguistic ones, make the boundary a bit fuzzy; but there are some tells. A jargon term(in the positive/legitimate sense) tends to go places: if someone doing analog signal processing says 'bandwidth' it may confuse ribbon enthusiasts; but it touches on a whole bunch of related concepts: bands have widths and 'wideband' and 'narrowband' are what they sound like they would be; bandpass and bandgap filters do frequency dependent attenuation in ways that either allow a particular band through or heavily attenuate a particular band. When a project manager says 'bandwidth' they mostly just mean ability to do work, with a slight extension available to say you are too busy if you don't want to say you are too busy "I don't have the bandwidth/the team doesn't have the bandwidth". If you try to extend the concept; by, say, combining the 'bandwidth' of two people you end up with The Mythical Man-Month rather than the link aggregation or NIC teaming that you'd get if you told the networking guy that you needed to eliminate a bottleneck. That's what really marks the example phrase as 'buzzword'. You've got a metaphor drawn from baseball that barely even makes sense in the context of the sport(people only 'touch base' if the timings on opposing teams are particularly tight); then 'offline' is at least meaningful in the context that it is drawn from; but actually kind of confusing in context(are you taking it offline because it doesn't need to be handled synchronously or by everyone in the meeting? Because you don't want it on the record? Because it doesn't require drawing on the connected resources it would have if it were online?), then you've got 'align', which is vague at best misleading at worst(is 'aligning your bandwidth' working on the same things, specifically avoiding overlap? some of both?).

That's really, beyond more or less subjective judgements that engineering and science are more respectable than suit stuff, what makes 'buzzwords' feel slimy. Unlike 'jargon', which can be obscure to the layman but tends to have lots of internal connections that are consistent and enlightening; 'buzzwords' tend to be a lot of relatively surface-level borrowings that lack internal implications and which range from merely not-illuminating to actively obfuscating.

Linguistically both are jargons in the sense of being specialized local vocabularies; but 'buzzword' tends to imply little or no useful internal consistency; more or less ad-hoc borrowing of shiny-sounding words from random places; while 'jargons' in the 'respectable' sense are quite often cryptic on the surface; but have relatively massive bodies of internal consistency within the jargon. "Touch base" is practically plain english compared to what a mathematician or a physicist means when they say "field" vs. what a farmer or someone with a lawn in the suburbs means; but it's also shallow: there's nothing illuminating about the implied analogy to baseball, there aren't any additional things to be inferred from the idea that the people touching base are members of opposing teams trying to reach the base first(indeed, that's probably actively misleading); while 'field' as the set with specific operators defined is a little esoteric; but there are large areas of math that use, and in some cases flow from, that definition.

Just for the sake of technical correctness; paying for foreign expertise with imperial extraction is a technology. It's over in the pointy section of political science; and going by the number of people who end up dead or in exile after a failed implementation, it's not a trivial matter.

One of the tricky bits, potentially one that they've had trouble with of late, is that pulling it off effectively usually means pretending that that isn't what you are doing, for the legitimacy and prestige, while keeping in mind that that is what you are doing, for realistic planning purposes. It's all well and good for foreigners and low-level patriots to think of 'Russia' and 'the USSR' as essentially synonyms; significantly less helpful if your military or economic planners even periodically lose sight of the fact that that's a handy aspirational position rather than a truth.

Do I really need to point out how hysterical you sound? Applying the burden of proof and standards of evidence of criminal court to a free association question? Really?

That's basically treating the possibility that someone might not want to go on a date with you as in the same category as the state laying criminal charges against you; which is lunatic tier.

Obviously, anyone treating internet hearsay as particularly reliable is about as sensible as someone who believes online product reviews; but both of those groups are an order of magnitude, or more, less wrong than someone who thinks that internet hearsay or online product reviews need to be on a beyond reasonable doubt basis with FRE and an appeals process and stuff.

You actually make a reasonably convincing argument for the idea that the republican party does have principles; they just overlap pretty weakly with the ones they pretend at.

The most striking break with history is the bit where Nixon-level criminality used to be politically problematic.

You probably don't have to imagine 25% tax; that's right around the "government revenue (% of GDP)" value for the US; though it does seem kind of wild to see something as regressive as what's basically a sales tax cranked that high unless the product in question is specifically being discouraged; which is clearly not the intent here or we wouldn't be commenting on this article.

You'd be hard-pressed to find me in favor of just about any of the current administration's policies; but it's worth noting that the big deal with demographic crunches is the extent to which they don't play by the normal rules of what having savings or having debts means

There's already a lot of wiggly behavior with sovereign debt vs. household; since you get into what currency the debt is denominated in and all kinds of hairy macroeconomics rather than a nice, simple, "assume that the economy is more more or less arbitrarily large vs. your net worth and what you'll be buying; your ability to buy stuff varies directly with your assets or available credit"; but a problem with labor supply more directly hoses the supply of goods and services that are actually available.

It's still not unlikely that people who have cash in hand will be ahead in line vs. people who are offering IOUs; but the fundamental problem is that there are now more wrinkly asses to wipe and fewer geriatrics specialists to wipe them; rather than just you not being able to afford a nursing home because you've got debt. With that sort of supply constraint having money is still probably a betters strategy than not having it; but, since there's a genuine supply constraint, having more money mostly makes the price go up; rather than increasing the amount you can buy.

I realize that 'mainframe' is supposed to imply 'old, busted, and overpriced' in this analogy; but it seems perhaps unintentionally honest to describe how your spit, chewing gum, and apparent upfront savings solution will be replacing the Just Works solution that people keep coming back to when reliability and predictability are what counts.

I don't know if they will succeed; but that's why I suspect that one major entry attempt will be the "empower paraprofessionals" line; and specifically avoiding being construed as a 'medical device'.

Obviously medical device vendors aren't going to just ignore the possibilities; there's already a fair amount of signal processing going on in some areas and if 'AI' is either trendy enough to merit a rebrand of what they are doing already or promising enough to be an addition to the processing pipeline they'll certainly do it; but getting tagged as dealing in medical devices has significant regulatory implications that medical device outfits are familiar with but bot generalists are not; and, realistically, a lot of tech 'innovation' is really a mix of enough tech to make it look like 'tech' along with enough regulatory end-run to provide a cost advantage vs. the incumbent.

Ideally(from the perspective of the vendor) you'd essentially pull an Uber or an AirBnB and, when the medical device regulators are in earshot, be selling a product that is merely a humble, and useful, personalized reference and self guided continuing education aid that should be regulated like a pile of flash card(not at all); while, when the haggling over what nursing home stuff you need a nurse for and what you can do with a nurse assistant or patient care technician is being done have a bunch of plucky, heartwarming, paraprofessionals advocating for their right to do more to drive patient outcomes thanks to the glorious future of advanced personalized learning. The less lucrative; but probably softest, target would be the various nurse-staffed telephone and video link telehealth services that do first-line medical questions and 'is it probably fine/should you really get it looked at' type questions; which can presumably be legally replaced with generic call center bots if you strike all references to 'nurse' and put enough disclaimers; but would see greater consumer acceptance if you could still market them as 'nurse' or something that sounds similar.

I assume that some companies will be at least indirectly involved in both; but I suspect that you are really looking at two fairly distinct product 'tracks', so to speak:

People aren't going to ignore medical devices and well formalized specialties like radiology; those are the ones where you'll actually need to put in the work and deal with medical device certifications and ongoing scrutiny of your system's machine vision behavior vs. radiologist readings; but there's absolutely enough money on the table(along with potentially just-plain-unavailable capabilities with keyhole surgery tentacle robots or whatnot); but that is too obviously a 'medical device' to really play fast and loose.

Trying to chip away at nurses vs. paraprofessionals, though, seems like more fruitful ground for what's ultimately a savings-oriented regulatory end run with enough tech to not be too blatantly visible as such.

Not all of them are; but "Devin the AI software engineer" has had me in a weirdly stubborn torrent of ad spend, so I know at least someone is doing it(and the place is rotten with "AI SOC Analysts", including ones that basically just seem to be the same EDR heuristics the company was selling last year dumping text into an LLM that has been told to apply an executive summary tone); and you can't swing a stick without hitting someone describing a service account as a 'virtual employee' in a thought-leadership-for-morons thinkpiece. Definitely some of it going on.

My impression has been that the ones trying to sell to individuals either primarily or as the first move to create demand for business sales the the vocabulary of tools; but the ones trying to skip directly to c-levels looking for a crash project are much more likely to ascribe job descriptions to their bots.

The other reason to be deeply cautious of phishing training is that it tends to (when not just plain trivial either because nobody much cares to lovingly craft it to blend in with their specific environment or because they don't want awful result numbers) focus on the risks that are most amenable to technical solutions and waste the time you could be using for the actually dangerous stuff.

Even fairly middling mail filters get a lot of the really lazy stuff; and if you don't want people clicking on Important.doc.exe you just tell the mailserver not to give it to them; not try to train them out of double extensions. If they keep falling for fake login pages; well, that's what the FIDO2 requirement is for.

It's when an account gets compromised at a supplier and a nice looking email, legitimately coming from their infrastructure, body including knowledge of past interactions with them, asking accounts payable to please make a few updates that you have a problem you hope you actually spent time drilling people on proper procedure. Those ones are, at a technical level, impeccably legitimate; and a great way to send tends of thousands of dollars into the ether really fast.

The difference between medicine and IT is that that the titles are totally non-binding when it comes to IT.

It does add a certain amount of faff and confusion to trying to compare titles between organizations; but there's just not much urgency or cogency to trying to nail down titles when there are no requirements beyond confidence, misplaced or otherwise, to do anything. "Developer" vs. "Software Engineer" can sometimes tell you something about how a person thinks about what they are doing; but it's not like only one of the two can sign off on a production release.