My fourth month of unemployment. I'm fresh off an interview with a senior technical role advertised with a decent compensation range whose upper end would let me make median rent, and whose lower range would not. At the end of an excellent interview, I am informed that said compensation range, contrary to the Base Compensation tag in the job description, is in fact all inclusive, and that the role actually tops out below the living wage threshold for a three adult household for its base compensation.

I feel it's highly relevant to note that this was a role where I would own the entire technology estate for an employer. Every switch, every firewall, every database, every server, every phone, every laptop, every cloud, every badge system. All data, everywhere, at any time.

Everything.

For an employer in the public safety industry.

This is not the first time that compensation has been mismatched to the role, but it is the first time it's happened with a role so critically important to a company playing such an outsized role in as critical an area as public safety.

Which got me thinking: have employers just lost the plot on what compensation is actually for? What its intended function is? Because it seems to me that everyone thinks compensation is merely payment for labor and nothing more, a number to be driven down by any means necessary in order to keep more for those at the top.

And oh my god it is so much more than that.

We live in a society. This society has been arranged around using currency to purchase necessities, because some people decided that necessities are not guaranteed. You acquire currency by either investing currency you already have to compound it through the labor of others, or you labor in order to earn less currency than investors do.

Is that a gross oversimplification? You betcha, but I'm really trying to stay on topic and not fill this with reaction GIFs.

Author's Note: I failed.

Anyway, everyone needs currency to afford everything. Rent costs currency, food costs currency, electricity costs currency, water and sewage and garbage and healthcare and childcare and education all cost currency. Only after your essentials have been paid for, can you use excess currency to save for tomorrow - buying a home, or a car, or a retirement if you're really lucky.

Now at some point, the humans involved in handing out currency decided that too many people were living too nicely. The thinking was simple: trading time for currency in the form of labor was a sucker's game, and those with currency deserve more currency because they already had currency. Companies in particular deserved more money than the people who worked for the company, at least according to Powell.

Thus labor was reframed into those terms: wages were merely a payment to those who did labor, and labor was only to be paid the minimal amount possible in the marketplace for said labor, and not one cent more, regardless of external forces (like the cost of living). Minimum wages are bad, because wages should only ever go down relative to inflation and productivity, never up. Only those who own business deserve more currency, because they're the real workers.

Again, a gross oversimplification coming from an openly biased dinosaur. That's not the point.

The point is that wages aren't meant to merely compensate labor; they're also meant to protect the company.

I'll just be blunt: wages are also protection money. They're not just compensation for doing your job, they're compensation for not burning down warehouses, not going on strike, not sabotaging workloads, and not unionizing in the first place. It's the longest unspoken social contract dating back to pre-history: you pay me to live, or else.

Occasionally, employers will call labor's bluff. If twenty-thousand years of history is any indication, their temporary wins are always undone by the sheer ratio of workers to wealthy owners, though not before employers provoke and employ violence first. We are going through such a phase right now, if the above links are any indication.

Employers haven't paid their dues to labor in decades. Labor, kind as we are, have cut back on our lives as much as we're able to. We've given up homeownership, we're dropping out of healthcare, we're begging from food pantries, we're taking on gig work, and we've seen none of the wage gains from productivity our elders enjoyed. It's gotten so bad that, with workers having sacrificed our very ability to move up the socioeconomic ladder, the economy has gone K-shaped.

Despite this, employers seem to think there's more room for workers to yield. I say this because despite median wages being unable to afford median homes, I'm still finding employers offering lower and lower pay for work on their job descriptions. This isn't just economics anymore, this is a security risk, and employers are playing with fire.

Take your CPA, for instance, median pay of $81,680 a year and at moderate exposure to AI displacement according to Anthropic. These are people who know your books better than you. Where every penny goes, and where every penny can be silently swindled. They also audit your fancy new AI financial workflows, making corrections when it goes off the rails, and know where all your financial skeletons are buried.

Do you really want to pay your accountant so little that they can't make rent or buy a home? Do you really want them going to a food bank instead of a grocery store? They're excellent at judging risk, and know exactly what that pay gap is worth to them if the timing is right. Maybe it's blowing the whistle before you can fix an issue and leading to a costly investigation, maybe it's sharing your supply chain costs with a competitor for a higher paying job, or maybe it's committing outright embezzlement that they're sure your fancy AI tooling will miss.

Tech work, the last bastion of Middle Class employment, isn't doing any better. Take Computer and Network Architects, with a median pay of $130,390 per year; or the Computer Systems Analysts, median pay of $103,790 per year; or the Systems Administrators, with a median pay of $96,800 per year. These groups have the keys to your systems, your data, your endpoints, your real estate. They can see and do anything with a keystroke, including destroying billion-dollar businesses. The reason for the comparatively high wages was their comparatively high degree of trust.

Instead, employers outsourced to MSPs, then offshored overseas, then on-shored to underpaid and exploited H1Bs shackled to their employer's temporary sponsorship, then briefly hired North Korean spies, and are now attempting to replace the technical workers outright with AI that routinely drops production systems. All the while they lay off workers by the tens of thousands, over and over again.

I feel like there's an example of the consequences of not treating your technical experts with respect in popular media...

I'm not Dennis Nedry, but I've worked with folks like them before. Brilliant minds who can debug complex architectures and systems, who pour their lives quite literally into the work because they have a passion for it...and increasingly are all too willing to burn it to the ground when they feel slighted. Spend time around actual engineers and the like in most orgs, and you'll see patterns of ill-health: smokers, drinkers, chewers, vapers, over-eaters, out-of-shapers, poor posture, bags under eyes, thinning and greying hair, high amounts of stress, messy desks. All signs of humans sacrificing their own health for their employers, prioritizing work over life, overworked to an early grave.

Most folks aren't as egalitarian as I am, and as someone who has sacrificed physical, mental, emotional, and psychological health to the field for over fifteen years, I sympathize with where my peers are coming from. Most people aren't wired to "do no harm" no matter what, which means most people are a huge security risk if they're undercompensated.

Thing is, undercompensation isn't limited merely to your specialists and senior workers. Fast food workers will slow down lines to give themselves breathing room due to understaffing, and retail workers won't put in the added effort of store maintenance when they can't even maintain a roof over their heads. Office workers doing more menial tasks aren't going to follow through on security best practices if they're more worried about how to pay the electric bill this month while also affording insulin. Your contracted-out security staff aren't likely to pay close attention to camera feeds since they know they'll be replaced in three months before benefits kick in. Your MSP or offshored technical staff won't be invested in your long-term success when their KPIs only cover ticket counts and response times, and their competitors are already preparing to underbid at renewal anyhow.

The workers have been incredibly clear about their problems for twenty years, now, especially the younger cohorts. Employers haven't wanted to listen, believing one more technical control or one more AI system will finally give them the permanent, unassailable leverage they need to keep all the money and fire all the workers.

I don't really have a positive way to end this. This is a warning, another canary in an increasingly smoke-choked mine. We're at the point that workers are quite literally burning down infrastructure and engaging in violence against leadership, and the response from those who can change things - our politicians, our corporate leaders, the investor class that's richer than ever in human history - don't really seem to give a fuck. There's this thick tension in the air between workers scrambling to survive, and monied classes who feel the demands of the workers are wholly unreasonable.

History paints a pretty clear picture of how this ultimately ends, but for what it's worth, I still feel like I should at least try to warn folks about the consequences of undercompensation.

Failing to pay your workers the money they need to live is breaking the social contract. It's the single biggest security vulnerability in your organization, and I promise you that there is not, and never will be, a technological control that can protect against it.

You gotta pay up, or you're going to get burned down.

An addendum.

AI is making it faster and easier to brute-force security vulnerabilities at a time when open source is falling apart due to lack of funding and successors. Major companies are firing engineers to replace them with AI tooling, then hiring them back at lower pay packages when the AI fails, but still holding the AI Sword of Damocles over their heads. Software is expanding rapidly at a time when employers seek to eliminate the technical professionals who ensure their safety and prosperity, who can translate institutional processes and knowledge into cost-effective infrastructure.

Housing prices are up. Rent is up. Utilities are up because of AI datacenter builds. Food costs are rising due to global conflicts instigated by America. So too are energy prices, tariffs, inflation, and interest rates.

You, the employer, have a decision to make: do you start raising wages, working with policymakers to immediately address affordability, cease arbitrary layoffs, invest in worker futures, and promote regulatory schemes that reign in the worst myopic excesses of your peers for society's collective benefit?

Or do you take up smoking cigarettes while sitting inside a warehouse of loose gunpowder and dynamite, with a mob of torches and pitchforks right outside?

Apple's Mac mini and Mac Studio desktops have been increasingly difficult to buy over the course of the year—multiple configurations are listed on Apple's site as "currently unavailable," which almost never happens, and others will take weeks or months to ship if you order them today. A top-end version of the Mac Studio with 512GB of RAM was delisted from Apple's store entirely.

Current Apple CEO Tim Cook addressed the situation on Apple's Q2 earnings call yesterday as part of a larger conversation about how Apple is navigating component shortages, and he partly blamed the shortage on the popularity of those desktops among users looking to run AI agents and other tools locally.

"Both [the Mac mini and the Mac Studio] are amazing platforms for AI and agentic tools, and the customer recognition of that is happening faster than what we had predicted, and so we saw higher-than-expected demand," said Cook. "We think looking forward that the Mac mini and the Mac Studio may take several months to reach supply-demand balance."

Cook wasn't specific about what components were driving the Mac mini and Studio shortages, though he did say that generally, "availability of the advanced [manufacturing] nodes our SoCs are produced on" was constrained, and "we have less flexibility in the supply chain than we normally would." In other words, it has become harder for Apple to go to TSMC and ask for more chips because TSMC doesn't have the spare manufacturing capacity. Cook said these constraints "primarily" affected the iPhone, though, and only affected the Mac "to a lesser extent."

As we wrote last month, the extent of the shipping delays can probably be blamed on multiple factors. AI-related demand for the desktops and chip shortages are probably factors, but Apple is also said to be planning replacements for both systems with Apple M5-series chips later this year, and it's common for models to see their ship times slip when replacements are imminent. Cook's "several months" estimate could easily include the introduction of new models, plus whatever time Apple needs to catch up to pent-up demand afterward.

Cook also noted that "customer response to MacBook Neo has been off the charts, with higher-than-expected demand" and that Apple "set a March record for customers new to the Mac, partly due to the Neo." (Note that "a March record" is not the same thing as "an all-time record," but regardless, it seems that demand for the Neo has been healthy.)

But MacBook Neo availability has been much better than for the Mac mini or Studio. A Neo ordered directly from Apple will usually arrive in two or three weeks, but this time window has stayed roughly the same since early March. The Neo also remains widely available for same-day shipping or pickup at third-party retailers like Amazon, Walmart, and Best Buy, which is not true of most Mac mini or Studio models.

Supply constraints aside, Apple's Q2 2026 was a successful one for the company. Apple made $111.2 billion in revenue, a 17 percent increase over Q2 of 2025, thanks to strong growth from iPhone 17 sales and its Services division. The Mac also grew 6 percent year over year despite the shortages affecting the Mac mini, Mac Studio, and MacBook Neo. But Apple isn't immune to the industry-wide RAM shortage: Cook said that Apple expected "significantly higher memory costs" for Q3 than it paid in Q2 and that "memory costs will drive an increasing impact on our business" going forward.

Read full article

Comments

Several times in the last couple of decades, Microsoft has released source code for the original MS-DOS operating system that kicked off its decades-long dominance of consumer PCs. This week, the company has reached further back than ever, releasing "the earliest DOS source code discovered to date" along with other documentation and notes from its developer.

Today's source release is so old that it predates the MS-DOS branding, and it includes "sources to the 86-DOS 1.00 kernel, several development snapshots of the PC-DOS 1.00 kernel, and some well-known utilities such as CHKDSK," write Microsoft's Stacey Haffner and Scott Hanselman in their co-authored post about the release.

To understand the context, here's a very brief history of what would become MS-DOS: Programmer Tim Paterson originally created 86-DOS (previously known as QDOS, for "quick and dirty operating system") for an Intel 8086-based computer kit sold by Seattle Computer Products. Microsoft, on the hook to provide an operating system for the still-in-development IBM PC 5150, licensed 86-DOS and hired Paterson to continue developing it, later buying the rights to 86-DOS outright. Microsoft then licensed this operating system to IBM as PC-DOS while retaining the ability to sell the operating system to other companies. The version sold by Microsoft was called MS-DOS, and the proliferation of third-party IBM PC clones over the '80s and '90s made it the version of the operating system that most people ended up using.

This source code is old enough that it hadn't been stored digitally. "A dedicated team of historians and preservationists led by Yufeng Gao and Rich Cini," calling itself the "DOS Disassembly Group," painstakingly transcribed and scanned in code from paper printouts provided by Paterson. This process was made even more difficult because modern OCR software struggled with the quality of the decades-old printout.

Microsoft has also open-sourced several of its other early software projects. In 2014 (and again in 2018), the company open-sourced MS-DOS versions 1.25 and 2.0. It followed that up in 2024 with the oddball MS-DOS 4.0 release. Those versions are all available in the same GitHub repo. Other open-sourced projects include the game Zork and its sequels and 1995's Microsoft 3D Movie Maker (plans to modernize this app and add new features have largely gone nowhere). The open source remake of the old MS-DOS Editor isn't actually the same app as the old EDIT.COM, but its heart is in the right place.

For students of early PC history, this isn't even the first piece of 86-DOS history that has been newly rediscovered this decade. Just two years ago, the earliest known version of 86-DOS was rediscovered and uploaded to the Internet Archive.

Read full article

Comments

The Resident Evil film franchise has grossed over $1.2 billion worldwide since the first film debuted in 2002, but an attempt to reboot it a few years ago floundered. Sony Pictures is trying again, this time tapping Zach Cregger—who wrote, produced, and directed last year's Oscar-winning horror hit Weapons—for the project. The studio showed the first teaser for Cregger's Resident Evil during CinemaCon and just released it to the wider public.

When the first Resident Evil game debuted in 1996, it was an immediate commercial and critical success, spawning several sequel games, comics, novels, and a very lucrative film franchise directed by Paul W.S. Anderson and starring Milla Jovovich. But those films were only loosely based on the games, keeping a few primary characters and the basic concept, but little else. Reviews were mixed, despite the films' massive box office success.

Work on the first reboot started in 2017, eventually producing 2021's Resident Evil: Welcome to Raccoon City. Director Roberts Johannes wanted to bring a very different tone to his film. He wanted to stay closer to the Resident Evil and Resident Evil 2 games—even employing the same fixed angles of Spencer Mansion in the first game. Alas, Welcome to Raccoon City was critically panned and had a disappointing box office showing, grossing just $42 million globally against its $25 million budget. The studio nixed its plans for a direct sequel, and a 2022 Netflix series was also canceled after a less-than-stellar first season.

But now it's Cregger's turn. According to Cregger, this new film is not a direct game adaptation, but an original story with original characters set in the same fictional universe. He told the audience at CinemaCon that his film will have “no narrative acrobatics, time jumps or disorienting chapter things,” preferring his audience to be “locked in with a protagonist on a foot journey through a world hell-bent on destroying them.” Nor will it be like Weapons; Craggler's Resident Evil vision, he said, is closer to Evil Dead II. But it would, he said, be "true to the spirit of the games."

Per the official logline: "Resident Evil follows Bryan (Austin Abrams), a medical courier who unwittingly finds himself in a nonstop race for survival as one fateful, horrifying night collapses around him in chaos." Joining Abrams (who also appeared in Weapons) in the main cast are Paul Walter Hauser as Carl; Zach Cherry as Dave; Kali Reis as Pauline; and Johnno Wilson as Max.

The new Resident Evil hits theaters on September 18, 2026.

Read full article

Comments

Publicly released exploit code for an effectively unpatched vulnerability that gives root access to virtually all releases of Linux is setting off alarm bells as defenders scramble to ward off severe compromises inside data centers and on personal devices.

The vulnerability and exploit code that exploits it were released Wednesday evening by researchers from security firm Theori, five weeks after privately disclosing it to the Linux kernel security team. The team patched the vulnerability in versions 7.0, 6.19.12, 6.18.12, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254) but few of the Linux distributions had incorporated those fixes at the time the exploit was released.

A single script hacks all distros

The critical flaw, tracked as CVE-2026-31431 and the name CopyFail, is a local privilege escalation, a vulnerability class that allows unprivileged users to elevate themselves to administrators. CopyFail is particularly severe because it can be exploited with a single piece of exploit code—released in Wednesday’s disclosure—that works across all vulnerable distributions with no modification. With that, an attacker can, among other things, hack multi-tenant systems, break out of containers based on Kubernetes or other frameworks, and create malicious pull requests that pipe the exploit code through CI/CD work flows.

"'Local privilege escalation’ sounds dry, so let me unpack it,” researcher Jorijn Schrijvershof wrote Thursday. “It means: an attacker who already has some way to run code on the machine, even as the most boring unprivileged user, can promote themselves to root. From there they can read every file, install backdoors, watch every process, and pivot to other systems.”

Schrijvershof added that the same Python script Theori released works reliably for Ubuntu 22.04, Amazon Linux 2023, SUSE 15.6, and Debian 12. The researcher continued:

Why does that matter on shared infrastructure? Because "local" covers a lot of ground in 2026: every container on a shared Kubernetes node, every tenant on a shared hosting box, every CI/CD job that runs untrusted pull-request code, every WSL2 instance on a Windows laptop, every containerised AI agent given shell access. They all share one Linux kernel with their neighbours. A kernel LPE collapses that boundary.

The realistic threat chain looks like this. An attacker exploits a known WordPress plugin vulnerability and gets shell access as www-data. They run the copy.fail PoC. They are now root on the host. Every other tenant is suddenly reachable, in the way I walked through in this hack post-mortem. The vulnerability does not get the attacker onto the box; it changes what happens in the next ten seconds after they land there.

The vulnerability stems from a "straight-line" logic flaw in the kernel’s crypto API. Many exploits exploiting race conditions and memory corruption flaws don’t consistently succeed across kernel versions or distributions, and sometimes even on the same machine. Because the code released for CopyFail exploits a logic flaw, “reliability isn’t probabilistic, and the same script works across distributions, researchers from Bugcrowd wrote. “No race window, no kernel offset.”

CopyFail gets its name because the authencesn AEAD template process (used for IPsec extended sequence numbers) doesn't actually copy data when it should. Instead, it “uses the caller's destination buffer as a scratch pad, scribbles 4 bytes past the legitimate output region, and never restores them,” Theori said. “The ‘copy’ of the AAD ESN bytes ‘fails’ to stay inside the destination buffer.”

The worst Linux vuln in years

Other security experts echoed the perspective that CopyFail poses a serious threat, with one saying it’s the “worst make-me-root vulnerabilities in the kernel in recent times.”

The most recent such Linux vulnerability was Dirty Pipe from 2022 and Dirty Cow in 2016. Both of those vulnerabilities were actively exploited in the wild.

Linux distributors frequently stick with older kernel versions and backport fixes into them. There’s no indication in the disclosure deadline that Theori ever contacted the distributors. With the exploit available before fixed distributions were available, the disclosure amounts to something very similar to a zero-day vulnerability being dropped, although the stiffer term is probably "zero-day patch gap."

"The org doing the disclosure… did an absolutely terrible job of vulnerability coordination,” Will Dormann, a senior principal vulnerability analyst at Tharros Labs, said in an interview. "What is mind boggling to me is that in their writeup they both: A) list 4 affected vendors, and B) tell readers to apply vendor patches. But before firing away with the publication, they didn't bother to see if ANY of the vendors that they list ACTUALLY HAVE PATCHES. (None do).”

Theori representatives did not respond when asked to comment.

Distributions known to have patched the vulnerability included Arch Linux and RedHat Fedora. Those known to have released mitigation guidance at the time this post went live include:

• SUSE
• RedHat
• Ubuntu

People seeking the status of other distributions should check with the respective vendors.

Theori said that it discovered the vulnerability after its researcher, Taeyang Lee, found surface area in the crypto subsystem (specifically, splice() hands page-cache pages and scatterlist page provenance) had been underexplored. Using its AI-powered Xint code security tool, the researchers then found the bug after about an hour of scan time. The company said it has also developed an exploit that uses CopyFail to break out of Kubernetes containers.

The severity of the threat posed by CopyFail and the likelihood of active exploitation is high enough to warrant all Linux users to investigate their systems immediately. Individual distributors provide useful mitigation guidance, as does the post by Schrijvershof linked above.

Read full article

Comments

From watching too much Nordic noir, I have learned the key lessons to Scandinavian safety: Stay out of the deep woods, avoid all "rustic villagers," flee every solstice or equinox ritual, and run screaming from any creature (human or otherwise) wearing antlers in the wrong anatomical location.

But assuming you can avoid pagan magic and the "old gods," Nordic countries do well on many other measures of human development. In the most recent World Happiness Report, for example, Finland tops the list while Iceland, Denmark, Sweden, and Norway are all in the top six. (Costa Rica is the non-Nordic exception here, taking the fourth spot.)

These countries are also near the top in global average life expectancy.

They also happen to have the most press freedom on the planet.

Reporters Without Borders (or RSF, to use the initialism for its French name, Reporters Sans Frontières) today released the 2026 version of its venerable World Press Freedom Index, and Norway continues its decade-long run atop the leaderboard. Finland, Sweden, Denmark, and Estonia are also in the top 10 spots. Looking at the report's global map, the Nordic region stands out as the freest spot on Earth for journalists; it is the only area of the map to be marked in green.

Unfortunately, overall press freedom has declined. According to RSF, for the first time in its history, "over half of the world’s countries now fall into the 'difficult' or 'very serious' categories for press freedom. In 25 years, the average score of all 180 countries and territories surveyed in the Index has never been so low."

Negative changes have been pronounced in the Americas, where "the situation has evolved significantly." The US is now in 64th place globally, falling seven spots in one year. The US ranks behind Namibia (23), South Africa (21), Costa Rica (38), and Canada (20). It has fallen below even war-torn countries like Ukraine (55), which managed to improve its own position by seven places in one year. From the report:

In the United States (which ranks 64th out of 180 countries and territories) journalists who were already fighting against economic headwinds and dealing with a crisis of public trust—among other challenges—now also contend with President Donald Trump’s systematic weaponisation of state institutions, including funding cuts to public broadcasters such as NPR and PBS, political interference in media ownership, and politically motivated investigations targeting disfavoured journalists and media outlets.

Since his return to office, journalists have also been targeted on the ground during protests, reflecting a broader deterioration that amounts to one of the most severe crises for press freedom in modern US history.

Asia is the one continent where full-on press repression is basically a fact of life, with most countries colored deep red on the RSF map. Apart from a few smaller states—South Korea, Japan, and Taiwan, in particular—the Asia-Pacific region is "one of the most repressive regions in the world—and the situation continues to deteriorate," says RSF.

Due to its size and the scale/quality of its repression, China stands out here. It ranks 178 out of 180 countries for press freedom and is "the world’s largest jailer of journalists, with more than 100 currently detained," RSF says.

To further silence journalists, it accuses them of “espionage,” “subversion,” or “picking quarrels and provoking trouble,” three "pocket crimes," a term used by Chinese law experts to describe offences that are so broadly defined that they can be applied to almost any activity. Independent journalists can also be legally placed in solitary confinement for six months under “Residential Surveillance at a Designated Location” (“RSDL”) in China’s “black prisons,” where they are deprived of legal representation and may be subjected to torture.

In order for Chinese journalists to renew their state-sanctioned press cards, they must also "download the Study Xi, Strengthen the Country propaganda application that can collect their personal data."

The only countries worse are North Korea and Eritrea.

How to help

As journalists ourselves, reports like this hit hard, especially when they show a world sliding further into humanity-denying autocracy. If you feel similarly, this might be a good moment to donate to those press organizations that are making a difference around the world.

• Subscribe to local outlets that matter to you, especially newspapers backed by nonprofits rather than private equity, like the Philadelphia Inquirer, the Chicago Sun-Times, or the Pittsburgh Post-Gazette.
• Subscribe or donate to global journalists who help you understand the world better and who hold the powerful accountable. (I have found the Kyiv Independent to be a terrific resource for understanding Ukraine, for instance, and they don't shy away from investigations of political corruption or problems within the Ukrainian army.)
• Donate to press freedom groups like RSF or Reporters Committee for Freedom of the Press.
• And if you have anything left over, consider subscribing to Ars Technica. For just $25/year, you can read Ars without tracking and without ads, supporting our writers, editors, and copyedit team as we attempt to report with both fairness and flair on a world being changed inexorably by technology.

Read full article

Comments