
Comment Re:I mean ... (Score 1) 83

I'd be curious if there is some asymmetry in their systems because of the enthusiasm of retail type outfits for trying to keep potential damage from basically untrusted employees to a minimum.

You see it a lot in grocery stores, and big box/department store setups where there are either certain POS operations that lock up and require manager approval(seems most common if they need to void a mis-scan over a certain value or multiple mis-scans or customer-decides-they-don't-want-it changes of order; or if something is being returned); and in the fast food setups where there are displays over the various prep stations telling people what needs to be made for a specific order number there often either aren't controls or the controls are not intended to be interacted with(which is sensible design if you've got french fry grease and food safety concerns in the mix; but likely means that the guy at the soda fountain being able to void a screen full of orders is either unsupported or intended to be a very infrequent case).

I could see that going poorly if you just grafted the bot on in place of either the human operator(who will just not take your 18,000 water cup order, so it will never exist as far as the system and its constraints are concerned) or the app(which has no common sense but is both tied to someone's account information and vastly simpler to constrain with boring, ancient, form validation logic) and immediately started dumping its interpretations of orders into the system as valid.

Probably not flood-the-store material; but plausibly quite disruptive if it's intended to be fairly uncommon for orders to need to just be disappeared once they are in.

Comment Re:Sometimes it surprises him? (Score 4, Insightful) 83

What seems frankly depressing is that a C-level would think(and quite possibly have reason to think) that that sort of aw-shucks-lessons-are-being-learned-about-things-nobody-could-have-predicted tone is exonerating outside of a fairly tiny, low stakes, test program somewhere.

It's not like having somebody take a poke at connecting a system that is supposed to be pretty OK-ish at natural language processing and text-to-speech to an ordering system is particularly unreasonable; at the scale they are operating probably more unreasonable not to; but "well, it's live in 500 locations and we've learned that a technology synonymous with prompt injections and a lack of common sense so profound it's almost a category error to suggest it could have any isn't super robust..." makes you sound unbelievably dumb and risk insensitive.

Comment Re:Interesting (Score 2) 46

The specific regulatory formulation probably wouldn't fly in the US; but a municipal regulation that has no enforcement, no penalties and "is merely a guideline... to encourage citizens" is basically just a public service announcement; which is something that's reasonably common and not especially controversial or legally fraught.

PSAs do tend to be treated as a bit of a punchline; but they are common enough; both outright state-sponsored ones and nominally-charitable private sector initiatives to make unsold ad impressions look like community service.

Comment Re:Entitled much? (Score 1) 55

I think the very fact that you can(and probably should; at least to some degree) do more or less exactly that is what makes this report seem so hysterical.

It's not like it's false that some Yandex software dude will probably cooperate if the FSB taps him on the shoulder and suggests that it's exciting and mandatory; while John Smith, corn-fed American patriot, is at least going to require some sweet-talking; but if you are just blindly grabbing 'package that some dude put on NPM' your problems are far deeper, and much less exciting, than nation-state sabotage. Even when doing their absolute best; programmers make mistakes all the time; so if the project is basically one dude who maybe debugs his own code if it's too broken you have basically no reason to suspect that innocent vulnerabilities are getting caught; along with the risks posed by the relatively frequent compromises of dev credentials on the various repositories, and the risk that you'll be left unsupported if the random guy gets hit by a bus or finds a new hobby and just walks away.

It's fun to pretend that tedious, labor-intensive, problems don't exist by focusing on sexy threats instead; so I'm not surprised that a 'security' vendor would be working this angle; but, fundamentally, if you are just grabbing random garbage off a repository every time one of your junior devs even thinks too hard about docker you are doing it wrong.

It also seems a bit silly because, if your real problem is nation state adversaries rather than nobody actually looking because it seems like it works and why try harder it would likely be relatively trivial for the trojan horse project to add 'legitimacy'. You want multiple maintainers because we can't trust Sinister Yuri to police himself? Ok, it doesn't take a terribly impressive intelligence agency to conjure up a few additional contributors who make changes to the project from North American or western European IPs and time zones and have a thin but plausible trail of assorted tidbits that suggest that they are consultants or employees of random little companies in friendly nations. You call that a security check?

Comment Entitled much? (Score 4, Insightful) 55

"As a whole, the open source community should be paying more attention to this risk and mitigating it."

So, if I'm understanding this right, the solution is for more people to work for free so I can just blindly grab whatever; not for the people already getting their software for nothing to care even slightly about their dependencies?

Comment Re:Better yet, don't use buzzwords. (Score 4, Informative) 146

I think there are (at least) two different distinctions at work; rather than a direct opposition between 'buzzwords' and 'jargon' at the level you describe.

Both are jargons for the purposes of being nonstandard or very locally standardized usages within a particular group; but when people say 'buzzwords' there's a specific pejorative implication, while 'jargon' is usually implied to be legitimate and useful at least within its subject area.

Obviously legitimacy claims, rather than linguistic ones, make the boundary a bit fuzzy; but there are some tells. A jargon term(in the positive/legitimate sense) tends to go places: if someone doing analog signal processing says 'bandwidth' it may confuse ribbon enthusiasts; but it touches on a whole bunch of related concepts: bands have widths and 'wideband' and 'narrowband' are what they sound like they would be; bandpass and bandgap filters do frequency dependent attenuation in ways that either allow a particular band through or heavily attenuate a particular band. When a project manager says 'bandwidth' they mostly just mean ability to do work, with a slight extension available to say you are too busy if you don't want to say you are too busy "I don't have the bandwidth/the team doesn't have the bandwidth". If you try to extend the concept; by, say, combining the 'bandwidth' of two people you end up with The Mythical Man-Month rather than the link aggregation or NIC teaming that you'd get if you told the networking guy that you needed to eliminate a bottleneck. That's what really marks the example phrase as 'buzzword'. You've got a metaphor drawn from baseball that barely even makes sense in the context of the sport(people only 'touch base' if the timings on opposing teams are particularly tight); then 'offline' is at least meaningful in the context that it is drawn from; but actually kind of confusing in context(are you taking it offline because it doesn't need to be handled synchronously or by everyone in the meeting? Because you don't want it on the record? Because it doesn't require drawing on the connected resources it would have if it were online?), then you've got 'align', which is vague at best misleading at worst(is 'aligning your bandwidth' working on the same things, specifically avoiding overlap? some of both?).

That's really, beyond more or less subjective judgements that engineering and science are more respectable than suit stuff, what makes 'buzzwords' feel slimy. Unlike 'jargon', which can be obscure to the layman but tends to have lots of internal connections that are consistent and enlightening; 'buzzwords' tend to be a lot of relatively surface-level borrowings that lack internal implications and which range from merely not-illuminating to actively obfuscating.

Linguistically both are jargons in the sense of being specialized local vocabularies; but 'buzzword' tends to imply little or no useful internal consistency; more or less ad-hoc borrowing of shiny-sounding words from random places; while 'jargons' in the 'respectable' sense are quite often cryptic on the surface; but have relatively massive bodies of internal consistency within the jargon. "Touch base" is practically plain English compared to what a mathematician or a physicist means when they say "field" vs. what a farmer or someone with a lawn in the suburbs means; but it's also shallow: there's nothing illuminating about the implied analogy to baseball, there aren't any additional things to be inferred from the idea that the people touching base are members of opposing teams trying to reach the base first(indeed, that's probably actively misleading); while 'field' as the set with specific operators defined is a little esoteric; but there are large areas of math that use, and in some cases flow from, that definition.

Comment Re:Tragedy is not a sufficient reason for liability (Score 2) 111

Judas Priest was sued in 1990 because the parents claimed the band had planted suicidal messages in one of their songs that led to a suicide pact.

Angry grieving parents will often lash out at a convenient external cause, in part so that they don't have to face the reality that the odds are more likely they were an agent in the suicide.

Comment Re:Isn't this admitting.... (Score 1) 126

Just for the sake of technical correctness; paying for foreign expertise with imperial extraction is a technology. It's over in the pointy section of political science; and going by the number of people who end up dead or in exile after a failed implementation, it's not a trivial matter.

One of the tricky bits, potentially one that they've had trouble with of late, is that pulling it off effectively usually means pretending that that isn't what you are doing, for the legitimacy and prestige, while keeping in mind that that is what you are doing, for realistic planning purposes. It's all well and good for foreigners and low-level patriots to think of 'Russia' and 'the USSR' as essentially synonyms; significantly less helpful if your military or economic planners even periodically lose sight of the fact that that's a handy aspirational position rather than a truth.

Comment Re:So this is illegal (Score 1) 153

When will people marry his declarations and musings with the fact that he's marching Federally-controlled troops into cities to "fight crime"? What the hell does everyone think is going to happen in next year's mid-terms when armed forces loyal specifically to Trump, with little or no objection from Congress or the Supreme Court, start "guaranteeing" a "fair vote"?

Everything he and the Republicans have been working towards since the claims of Obama's ineligibility has been preparing for the moment when they move in to seize control of state voting apparatus. He'll do what he's done with everything else and claim it's a "national emergency."

And MAGA will cheer while the Democrats put on their sackcloths and roll around in the dust crying about how they were impotent. The American people have chosen, they want tyrants who rule by fiat, engineer and weaponize crises to entrench their power.

The political system the Framers came up with was always a steaming pile of crap. Bagehot pulled it apart deftly in the 1860s, explaining that the only thing that made it work was the "American genius for politics". Well, that's done. The Democrats are frozen in place; the Republicans, ruled by oil barons and sociopathic billionaires, intend on building a dictatorship with the shape of the American republic, but where checks and balances once existed, there will be impotent paper tigers.
