I hate to break it to you, but you chose it, you bought it, and you keep choosing it.
The “we” that you speak of is clearly not as sick of it as you think.
An object will always follow the shortest path between two points in spacetime.
When it’s sitting alone in the universe, the shortest path is to move through time from A to B.
When other things are present to also curve spacetime the shortest path can entail accelerating in space and slowing in time (from the viewpoint of us, the omniscient massless observer floating nearby pointedly not having any casual interactions).
So, you’re correct that active emergencies take priority.
That being said, in essentially every place that has 911, both numbers connect to the same place and the only real difference is pick-up order and default response.
It’s the emergency number not simply because it’s only for emergencies but because it’s the number that’s the same everywhere that you need to know in the event of an emergency.
It should be used in any situation where it should be dealt with by someone now, and that someone isn’t you. Finding a serious crime has occurred is an emergency, even if the perpetrator is gone and the situation is stable.
A dead person, particularly a potential murder, generally needs to be handled quickly.
It’s also usually better to err on the side of 911, just in case it is an emergency that really needs the fancy features 911 often gives, like location lookups.
I’m not sure I’m hearing anyone saying diversity is a bad thing.
People used “diversity hire” as an attack on Harris, but no one is using it as an attack on Walz, even though everyone basically immediately knew that the VP pick was going to be an older white man if only to make the ticket less of a “leap”.
That an all-woman ticket, a ticket with two not-white people, or anything else not “default American politician” would face issues is kinda OP’s point that we still have a long way to go to overcome those institutional barriers you mention.
Needing to consider diversity or representation when picking people is a sign that something has already gone wrong.
If the system were just and those barriers didn’t exist, people wouldn’t consider diversity, they’d just pick the best person and the diversity would just be there as a consequence of demographics. (In a fair system, the top N% of the population will have a comparable demographic breakdown to the population at large).
It’s a sign of a cultural hangup that we definitely consider diversity, and need to in order to have decent representation, when making these choices, and even more sad that it’s only used as a cudgel against minorities, even when they were the first pick and others are being used to offset their “riskiness”.
That’s called a timeshare, and they’re not a good idea. Very sketchy, almost impossible to get rid of if you don’t want it.
You have to sign up because although you bought the apartment, you’re not the only one who bought the apartment.
You buy it and then get to sign up to use it, and then you pay a fee to use it every year even if you don’t end up using it.
You don’t get to live there.
Google analytics is loaded by JavaScript. There are also other things like Google analytics that are also loaded by JavaScript.
Updating a website can take time, and usually involves someone with at least a passing knowledge of development.
Google tag manager is a service that lets you embed one JavaScript thing in your page, and then it will handle loading the others. This lets marketing or analytics people add and manage such things without needing to make a full code deployment.
It also lets you make choices about when and how different tracking events for different services are triggered.
Its intended usage is garbage tracking metrics and advertising. Some sites are built more by marketing than developers, and they’ll jam functional stuff in there which causes breakage if you block it. These sites are usually garbage though, so nothing of value was lost.
I wasn’t mocking your argument, I was agreeing with you and clarifying that my feeling was about who I’m most “irritated” with, not about responsibility or legal culpability.
My example was for simplicity, not mockery.
The power going out is the power company’s fault, so I’m most mad at them. The store didn’t have a generator because they trusted the power company, so my cake got ruined. I’m still mad at them but less so because they weren’t the cause of the problem, even though they could have done more to prevent this from impacting me.
Culpability wise, I can only make demands of the store and hope that enough other people do so that they in turn demand answers from the power company.
There are actually a fair number of certifications, including ones from government agencies, relating to software development, deployment, and related practices. That so many organizations didn’t have the ones relating to protection from supply chain issues is distressing, to say nothing of it slipping through quality control in the first place.
Please, if you think we’re in a place in this thread where I’d be mocking you, re-read it with the understanding that I agree with you entirely on legal and structural issues, and at most just have a different opinion about where the balance of "fuck you"s go. I think I put more scorn towards the vendor because doing the thing is worse than failing to prevent the thing. Also, I work at a parallel company and so I’m more familiar with exactly how much you have to be fucking up for this to happen because I spent the last three days dealing with the more minor controls that prevent this from happening. Everyone has outages because you can’t prevent 100% of errors, but it’s on the vendor to build to the spec of their most sensitive customer and ensure that outages don’t keep a doctor from patient records.
Can’t fault you for feeling that way. I definitely don’t think anyone should be exempt from responsibility, I meant blame in the more emotional “ugh, you jerk” sense.
If someone can’t fulfill their responsibilities because someone they depended on failed them, they’re still responsible for that failure to me, but I’m not blaming them if that makes any sense.
Power outage or not, the store owes me an ice cream cake and they need to make things even between us, but I’m not upset with them for the power outage.
I’d love to know how you plan to do user mode packet filtering. Keep in mind that on Linux, the designated API is inherently kernel mode. https://netfilter.org/
This isn’t one of the cases where we’re talking about Linux being superior to windows. Any OS will be fucked if you give it a mangled kernel module. In this case, it’s just that only one got one.
Your perception that anything that touches the kernel is an intrinsic security risk is unfounded.
I mean, sure. But typically operating systems don’t expose that type of information to user space, instead providing a kernel interface with user mode configuration.
It’s why they use the same basic approach on mac and Linux.
The kernel is responsible for managing hardware and general low-level system operations. Anything that wants to do those things needs to get itself into kernel mode one way or another.
The typical way you do this is called a “driver” and no one thinks about them as being kernel code. Things like graphics cards and the like.
Things that want to do actions like monitor network traffic or filesystem activity system wide or in a lower level capacity than the normal tools provide also need to be kernel level.
In a security context, that specifically would include things that want to monitor raw packets rather than the parsed content that assumes the packet is well formed in a way that a malicious one might not be.
CrowdStrike does the same thing on Linux, and the typical tools for network management or advanced security are also either compiled in or loadable kernel modules.
It’s easy to forget that ip/ebtables and SELinux and friends are kernel level software frequently distributed as kernel modules, in the case of the firewalls, or compiled in with a special framework and not just user mode software.
Also, it’s less about “their” drivers and more about what a kernel module can do.
Saying “there’s no way to know” doesn’t fit, because we do know that a malformed kernel module can destabilize a Linux or Mac system.
“Malformed file” isn’t a programming defect or something you can fix by having a better API.
Security operations being one of the things that is often best done at the kernel level because of the need to monitor network and file operations in a way you can’t in user mode.
That’s totally fair. :)
I work at a different company in the same security space as CrowdStrike, and we spend a lot of time considering stuff like “if this goes sideways, we need to make sure the hospitals can still get patient information”.
I’m a little more generous giving the downstream entities slack for trusting that their expensive upstream security vendor isn’t shipping them something entirely fucking broken.
Like, I can’t even imagine the procedural fuck up that results in a BSOD getting shipped like that. Even if you have auto updates enabled for our stuff, we’re still slow rolling it and making sure we see things being normal before we make it available to more customers. That’s after our testing and internal deployments.
I can’t put too much blame on our customers for trusting us when we spend a huge amount of energy convincing them we can be trusted to literally protect all their infrastructure and data.
you cannot pull a Boeing and let people die
You say that, but have you considered the savings?
Nope, because they only shipped a corrupted Windows kernel module.
It’s dumb luck that whatever process resulted in them shipping a broken build didn’t impact the other platforms.
Typically auto-applying updates to your security software is considered a good IT practice.
Ideally you’d like, stagger the updates and cancel the rollout when things stopped coming back online, but who actually does it completely correctly?
Yeah, it’s a CrowdStrike issue. The software is essentially a kernel module, and a borked kernel module will have a lot of opportunities to ruin stuff, regardless of the OS.
Ideally, you want your failure mode to be configurable, since things like hospitals would often rather a failure with the security system keep the medical record access available. :/. If they’re to the point of touching system files, you’re pretty close to “game over” for most security contexts unfortunately. Some fun things you can do with hardware encryption modules for some cases, but at that point you’re limiting damage more than preventing a breach.
Architecture wise, the Windows hybrid kernel model is potentially more stable in the face of the “bad kernel module” sort of thing since a driver or module can fail without taking out the rest of the system. In practice… Not usually since your video card shitting the bed is gonna ruin your day regardless.
Sure, but they weren’t patching a Windows vulnerability, Windows software, or a security issue, they were updating their software.
I’m all for blaming Microsoft for shit, but “third party software update causes boot problem” isn’t exactly anything they caused or did.
You also missed that the same software is deployed on Mac and Linux hosts.
Hell, they specifically call out their Red Hat partnership: https://www.crowdstrike.com/partners/falcon-for-red-hat/
The RSV vaccine is even being used in the wild! Certain high risk demographics can get it during RSV season. And not rare high risk either, women beyond a certain point in pregnancy and older people.