Comment Re:Patch or withdraw from the market (Score 1) 58

The problem is low level bugs have a tendency to have their tendrils in far more places than it appears.

Fixing a bug in 14 days? That may be reasonable if it's an application like Microsoft Word, but even then it likely isn't enough to be realistic. Even Google's 30 days was unrealistic.

The problem comes down to how central the component is - there are things where you need to do full regression testing because it's such a critical component that any change could break something.

If you demand a fix in 14 days, the easiest and quickest fix is likely the one that harms security for all - disable BitLocker. The option already exists and can be deployed with minimal testing in days.

But if it's deep down within BitLocker, then 14 days likely isn't enough. If it's a simple fix, it might take a day to go through the basic builds and sanity tests, but then you need to run through a ton of other tests because it impacts user data, and you need to make sure the change doesn't introduce an edge case where users might lose their data.

Even small chances become big with big numbers - a 0.01% chance is still 100 incidents per million users.

Even in Linux the issue happened - Dirty Frag is easily mitigated, unless you happen to be using those modules where it can be exploited. And even then the fix isn't validated, there have been more similar issues found. While Copy.Fail was reasonably self-contained - it was just reverting a patch, and Dirty Frag was a simple check, who knows what the real fix is? It might result in a fix that blows up in people's faces because the patch had to come out and there was not enough time to test it.

At the same time, it isn't unheard of for patches to not fix the issue, so a patch came out, then two weeks later a new one comes out because it wasn't properly patched in the first place. Rushing never solves any problems, only makes new ones.

Comment Re:Justice for some.... (Score 1) 96

When my car gets broken into the cops shrug. Once I was told I can fill out a report but it's "not going to be a priority".

That's because for the most part, insurance will cover the loss. So filing the report is merely a formality for the insurance company to pay you out.

And chances are, the dollar value of what was stolen wasn't enough to put much manpower into it. You aren't going to do more than accept the report if the most valuable thing stolen was a $1000 laptop. How much effort and cost are you willing to dedicate to looking for that? Because even a couple of hours of investigation and maybe forensics and you've probably hit around $400 in costs.

Comment Re:Blue Screens (Score 1) 41

Drivers are still not isolated on Windows - they're still kernel mode blobs.

Microsoft has however done a lot of work trying to improve driver quality - WHQL and driver signing. The only reason Windows doesn't blue screen so much is basically that Microsoft has managed to raise the quality of drivers to the point where drivers just aren't so buggy.

Another reason is, well, Microsoft took over a lot of the driver development; things like USB have class drivers, so many drivers don't have to be written to begin with. And many drivers are simply pass-through devices where most of the work happens in userspace and the driver only exists to pass data back and forth between the userspace service and the hardware. Many of those services are standardized, like WinUSB/libusb.

This basically got rid of most of the drivers for weird peripherals - about the only drivers you have left are the GPU drivers and chipset drivers, both of which are sufficiently constrained that Microsoft works closely with Intel, AMD and Nvidia, which together handle the vast majority of drivers people actually need.

Comment Re:It's all about definitions. (Score 1) 173

It's grading on a curve that goes both ways.

Usually when people grade on a curve, if a midterm was particularly nasty, the grades would be curved upwards. This happened because the average grade on a midterm was a fail (about 40%).

And it's possible to go the other way - if lots of people score 90%, they could curve the grades downwards so instead of everyone getting an A or A+, everyone gets redistributed.

The most important thing though is the grade might impact your GPA, and now your GPA is dependent on your classmates. If you get into a class full of lazy people then you might get a 4.0. But if you get into a class full of self-starters then you might get a 2.0 for doing the exact same thing.

Comment Re:Brah (Score 1) 61

What's the bat and spider population like near you? Bats and spiders consume tons of mosquitoes. Relying only on birds is insufficient, you need bats and spiders as well, and if you've been chasing those away, then there are no predators.

Comment Re: Actually, congrats to the cURL team (Score 0) 63

They actually said other tools are regularly used and have been known to find hundreds of issues. So, no, their awesome code is not the reason. Mythos just sucks at finding vulnerabilities.

Or maybe Mythos works and eliminated the vulnerabilities that aren't. Just because a tool reports 100 errors and another tool reports 5 doesn't mean the latter tool sucks. It could be the latter tool filtered out the pointless issues and returned just the ones that were interesting.

Even cURL had the problem where they kept getting the same hundreds of AI slop bugs over and over again. I'm sure if they got 5 that could be followed up with it would help.

Comment Re:I get it. (Score 1) 32

If I had known it wasn't checked, I absolutely would have lied.

Yes, it's something of a really bad secret in Canada. In the US, they did check - usually just making sure you used a .edu address and sending them a copy of your student ID.

In Canada, they couldn't do any of that (privacy laws prevent the school from disclosing your student status, and there's no .edu in Canada, so many schools just use a regular .ca ccTLD or a regular TLD).

So you literally can lie - I've done it a few times after I graduated to get cheaper Apple products - they "asked" for your school and student ID number, but you could enter in anything as it wasn't checked (like I said, they couldn't verify).

Oh well, it was fun while it lasted.

Comment Re:Stop purchasing Bambu products (Score 1) 107

I like their products. I just want printing without fuss and without having to learn every detail about leveling, etc. Their product works for me and I do not care about its openness, it is about as important for what I need it as my headphones being open sourced (not at all). So this product is for my use case, not for people who want to control every aspect of their printer and every software feature.

IF they decide to make it prohibitively expensive to operate their hardware, then I will go back to a less capable hardware kit.

The openness isn't the thing, though it's important. The thing is you're reliant on Bambu Labs to keep your printer working. They could easily decide tomorrow that their cloud slicer will no longer support your printer. And now you're left with a worthless hunk of junk - the software still works, but the cloud software stops supporting your hardware.

Or perhaps your internet goes out - and now you can't print. Again, you're dependent on cloud services.

The whole point was that it works locally without needing an internet connection which is how it did with OrcaSlicer-bambu.

Because right now your 3D printer is basically like all the other app-driven pieces of hardware out there you can get - vulnerable to the app breaking or the vendor no longer wanting to support your printer and wanting to encourage you to buy their newest latest and greatest generation of printers.

They could also close up shop tomorrow, and boom, all printers disabled. Go buy a new printer from someone else.

None of that has anything to do with open-source or freedom. That part comes later, where maybe the slicer can work in a different way to produce better prints, but you're stuck with their software that doesn't do that. Maybe they'll offer a subscription that lets you enable new functionality.

Comment Re:Further Proof, Plants Are Sentient Beings (Score 1) 14

This is further proof that plants are sentient beings with feeling. You vegetarians ought to be ashamed of yourselves!

Time to start eating trees. Most of a tree is dead - it's just the stuff under the bark and the leaves that are still actually living. The rest of the tree is dead cells.

Comment Re:reflects the real world (Score 2) 88

Insider information or insider power. Both work just as well.

Insider information is when you exploit information that isn't public. Insider power is when you influence the outcome to your favor.

Many early sports bets used insider power - the player would get a cut of the profits if they tilted the game like faking an injury.

Anyways, news like this is good. If people know these markets are rigged against them, they'd likely avoid using these platforms. It's why regulations exist - the SEC doesn't go after insider trading because it wants a fair market, it does it because a fair market means more people will participate.

Comment Re:Kaspersky Sales (Score 1) 106

Kerberos implementations often used MD5 in the early days. It was only earlier this year that Microsoft deprecated using MD5 for password hash storage for various parts of Active Directory because a lot of legacy equipment still used the old protocol.

It's not an easy transition since legacy equipment might only implement MD5, and updating passwords from MD5 requires the user to change their password.

Comment Re:And of course pass those onto the customers (Score 1) 103

The problem is, the tariffs weren't always paid by consumers.

About 50% of the tariffs collected were absorbed by suppliers cutting their prices - are you saying those suppliers should be repaid? Or that they should jack up the prices they now charge customers to make up for the losses they incurred?

About 25% were absorbed by the business themselves - they were not passed on.

The remaining 25% were passed on.

Now, it's likely easy if it was a product manufactured in China and sold as is, but if it's a more complex supply chain - say, raw steel from Canada, imported into the US (tariffs), then made into products down the line - it gets more complex: the importer paid tariffs, then they need to rebate people down the line, and by the time it gets to you, who knows how the price was affected - someone might have absorbed the price increase, someone else jacked it up because "tariffs" to make more profit, etc.

Now take it as a car part - raw steel from Canada, cast in Canada, machined into parts in the US, assembled into an engine in Canada, and put into a vehicle made in the US. It crosses the border multiple times, incurring tariffs and reciprocal tariffs. And now things are twisted so tightly a forensic accountant will take years to untangle the effect.

In the end, just like the whole trade disruption, it's a huge mess. Lots of price jumps were due to people simply blaming tariffs as an excuse to raise prices rather than tariffs themselves. Others choose to absorb the increased cost at lowered margins.

Jeff Bezos wanted to show how much tariffs would add to the price. We thought he chickened out due to Trump - but maybe it was also because refunds are going to be much more opaque - if people knew they spent $100 on tariffs in total, that becomes a paper trail where they would want that $100 back.

Comment Re:Fraction inflation? (Score 2) 70

Or maybe that's with projections? They have been in the game for decades, so they know what the expected sales are and they know given the first quarter results, what the second quarter results might be.

Sure there's a chance they're wrong and suddenly a bunch of unexpected orders are going to come in late May or June, but given their current sales funnel it's likely only 5 million for the first half.

Knowing the sales funnel and knowing how the market has behaved in the past helps plan out the supply chain which needs to be prepped months in advance. It's likely the middle of the year will be slow so unless there's a sudden run on motherboards, they're predicting a pretty light summer.

Comment Re:Do the home owners (Score 5, Informative) 162

That consumer connection is going to be a problem.

The whole point of AI datacenters is because you have these massive racks of AI servers and they need the ability to talk to one another really quickly. It's not just a server you can have in a homelab, it's 42U of GPUs as part of Nvidia's next-generation compute rack. And they need to talk to other such units quickly because you're going to be using dozens of racks in the training process.

And home consumer power is there because while the home will rarely use it all at once, there will be peaks. If you have 200A coming in, you add up all your breakers and you'll probably have 600A worth of loads. But some loads aren't used at the same time - your dryer might be 50A and your AC 40A, but they rarely go at the same time. Same with the stove which has a 40A plug. It's only becoming an issue because the next big load people are adding is EVs, and now people are starting to need some sort of power scheduling - usually in the form of a switch between the dryer and EV charger. (This is an issue because 200A is the practical maximum for the residential infrastructure - it's the highest you can get with a direct-measurement electric meter without having to upgrade to a whole new panel involving CTs to remotely measure current.)

But it all works because even though we can draw 200A max, very few are doing it all the time, and with the exception of AC and stoves, most loads are run at random times so it evens out. Though even with AC there are plans on scheduling them so they don't all kick in at once - if you can have compressors going on in sequence or in a controlled manner, you can steady the load a bit.
