Comment Re:Not the same as patching (Score 2) 60

No, the government is not supposed to patch it. That responsibility belongs to the organization using the software. What I'm trying to say is that "reasonable steps to protect consumer data" is NOT the same as patching. Yes, patching could be one of the options but many times organizations just mitigate things with varying degrees of success. Once you tell the government you put a mitigator in, I bet they'll just back down and say oh well. Plus, we haven't even gotten into the part where most organizations likely don't know the applications running within their environment much less generate a software bill of materials or equivalent to identify libraries within those applications that may or may not be vulnerable. What's to say the organization doesn't just say, we can only take reasonable actions when we're notified?

Comment Re:Not the same as patching (Score 1) 60

You can't force a third-party application that your company uses to patch/mitigate Log4j. I get the not prescribing a course of action but some companies are going to use the software anyway, even if log4j has not been mitigated. And yes, you can alter your Java runtime and other things but that's not the point. Remove log4j from the equation and replace it with any other library and you get a giant mess. All I'm saying is it doesn't seem enforceable because companies will always say they took reasonable action and there really isn't anything to argue that. But the title of this post was regarding failing to patch which is not the same thing. As an aside, mitigations should not be considered a replacement for patching. But that's a whole different story.

Comment Not the same as patching (Score 2) 60

Sadly, the language from the article states that reasonable action must be taken and that doesn't necessarily mean patch:

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the FTC said, adding that it plans to apply its legal authority to protect consumers in the cases of “similar known vulnerabilities in the future.”

What I hate about language like this is that reasonable action could be as simple as saying "we don't allow external user inputs into our systems that aren't processed for invalid values." Or it could be something like "this app is used internally only by authorized users." While it's true that those are valid risk mitigators (though the effectiveness can easily be challenged) it's not the same thing as patching. So in my opinion, it may sound a bit threatening at first but I don't think it will do much.

Comment Re:Future of space warfare (Score 1) 176

I suppose it would be immature if I could afford to build a ground-to-space missile, successfully acquire and target an orbiting object likely travelling at high speed, and then demolish it. But I don't, so sorry if my maturity is based on watching all the rich people and countries of the world screw it up and then finding humor in it.

Comment Future of space warfare (Score 3, Insightful) 176

What if the future of space warfare was just blowing up your own, old satellites and letting everyone else deal with debris avoidance? Essentially exhausting fuel during emergency maneuvering and/or degradation by impact. I suppose you don't always need to just blow things up to win, you just need to make it unprofitable for others.

Comment Re:not any one-click shopping (Score 2) 32

I tried to read the patent but I'll admit that's a tough read so I gave up. But I did get a kind of overall picture that makes this more complicated than just a simple leaderboard. For example, the patent specifically focuses on sensor data collection during live sessions and then playback of this saved data during on-demand sessions to emulate a live class despite it being on-demand. Basically it seemed to focus on making on-demand classes feel like live classes. Or at least that's how I interpreted it.

I'm not really sure what to make of it but I agree with your statement that it's "not blatantly obvious" from reading the patent.

Comment Re:This is a security issue, not about choice. (Score 1) 134

Thanks for the clarification but I'm confused with the contents of the article. In it, it says:
"Basically, EdgeDeflector, as well as third-party browsers like Mozilla Firefox and Brave, intercept OS-level URL requests that force you to use Microsoft Edge even when you have gone through the incredibly ponderous steps to make a non-Edge browser the default in Windows 11."

I can't confirm this as I'm on a Mac, but I read that as there are multiple events that bypass the default browser settings and force you to use Microsoft Edge.

Comment Re:This is a security issue, not about choice. (Score 4, Informative) 134

I think it's a different scenario where a browser has been replaced with a malicious/vulnerable one. The point here is that Microsoft is forcibly denying choice. What if the malicious/vulnerable browser you're referring to really is just Edge and Firefox isn't? What if Edge isn't more vulnerable but acts maliciously by including more and more spy processes? Or, and I know this is a really long stretch for everyone, Edge started enforcing non-browser standards which left developers having to specifically write websites around this browser?

There is a bit of similarity here in how Edge is enforced and Apple enforces WebKit within iOS. I think it's a dangerous precedent.

Comment Re:Blame the customers ... (Score 3, Interesting) 140

I order from Amazon and have a Prime subscription. But I don't freak out if something isn't delivered immediately, I just ask that it be delivered when Amazon says it will be delivered. Oftentimes they give unrealistic delivery dates. Sometimes as soon as the next day despite me ordering the item late at night. I don't really need the items that soon. Normally if I do, I just try and find it locally and not bother with Amazon.

There might be some truth that consumers demand things instantly but perhaps the bigger problem is Amazon's overly aggressive scheduling strategies.

Comment Liability (Score 4, Interesting) 140

I wasn't able to read the article due to the paywall but this is an interesting perspective. It does seem as though Amazon has an extensive amount of control when phrased as it is in the summary. Was the whole point for Amazon spinning off its delivery service to this new contractor model really an effort just to avoid legal liabilities? I guess it shouldn't come as a surprise given all the press regarding Amazon's treatment of workers.

Comment Re:China (Score 1) 13

And where do you see the word require when talking about reporting to the network product provider? You don't. It only requires it be reported to the Chinese government. It absolutely does not say it's required to be reported to the network product provider. You really need to read it again, that's why I quoted the full thing.

Soft language such as this can allow for any research firm or other to simply perform the required piece, let the government make a choice about whether it truly should be reported or whatever action they feel necessary. There is a reason why the word requirement was not utilized when referring to reporting to the provider.

So who is the one that can't read now? Instead of being a prick, try having a conversation.

Comment Re:Nope, they'll keep charging your credit card (Score 1) 12

Well, to be fair, MoviePass was bought out, and a new CEO put in place. They burned through tons of money and Stacy Spikes (the guy who just bought it out of bankruptcy) was fired at some point for raising concerns. I agree with you to some degree and would very much treat this new version with a grain of salt; however, I still think it's at least positive that the individual who was forced out for raising concerns is the one bringing it back. But I suppose only time will tell.
