> What makes you so sure that closed-source companies won't run those same AI scanners on their own code?
How many companies take the time to use penetration testing tools, that have been available for many years, to verify their software (or pay a penetration testing company to do a more thorough job than they have the experience to do internally)?
Some, certainly. Many, possibly. Most, I would wager not.
Going closed source is making the branch secret/private, not making it obscure. Obscurity would be zipping up the open source code (without a password) and leaving it online. Obscurity is just called taking additional steps to recover the information. Your passwords are not obscure strings of characters, they are secrets.
If there is a self-hosted version at all, then the compiled form is out there to be analysed. While compilation and other forms of code transformation that may occur are not 1->1, trivially reversed, operations, they are much closer to bad password security (symmetric encryption or worse) than good (proper hashing with salting/peppering/etc). Heck, depending on the languages/frameworks/other used the code may be hardly compiled or otherwise transformed at all in its distributed form. Tools to aid decompiling and such have existed for practically as long as their forward processes have, so I would say this is still obscurity rather than any higher form of protection.
Even if the back-end is never fully distributed any front-end code obviously has to be, and even if that contains minimal logic, perhaps little more than navigation & validation to avoid excess UA/server round-trip latency, the inputs & outputs are still easily open to investigation (by humans, humans with tools, or more fully automated methods) so by closing source you've only protected yourself from a small subset of vulnerability discovering techniques.
This is all especially true if your system was recently more completely open, unless a complete clean-room rewrite is happening in conjunction with this change.
> SAN FRANCISCO – March 17, 2026 – The Linux Foundation, the nonprofit organization enabling mass innovation through open source, today announced $12.5 million in total grants from Anthropic, AWS, GitHub, Google, Google DeepMind, Microsoft, and OpenAI to strengthen the security of the open source software ecosystem.
It’s almost cute how insignificantly small that amount is considering the companies named. Great for The Linux Foundation of course, but it still feels like they are being cheap as heck.
> if AI can be pointed and find vulnerabilities then do it yourself before publishing the code
At your cost.
Every time you push. (or if not that, at least every time there is a new version that you call a release)
Including every time a dependency updates, unless you pin specific versions.
I assume (caveat: I've not looked into the costs) many projects can't justify that.
Though I don't disagree with you that this looks like a commercial decision with “LLM based bug finders could find all our bad code” as an excuse. The lack of confidence in their own code while open does not instil confidence that it'll be secure enough to trust now closed.
For-profit companies using open-source software should bear that cost - that's my position.
I believe that N companies using an open source project and contributing back would make this burden smaller than one company using the same closed-source project.
I don't think platform guidelines that anyone listens to have been a real thing for a long time. Even between apps released by MS there is little or no consistency at times, things that should be part of standard OS provided chrome like title-bars are a random mess - good luck guessing what has input focus sometimes, particularly with multiple monitors, as you unlock or switch vdesktop, without clicking to make sure.
I keep thinking of writing something that detects the top-most app window and draws an obvious box around it.
Native macOS developers respected Apple's Human Interface Guidelines for a long time, but even that's declining now that everyone needs to work around all the problems with Liquid Glass.
>> I keep thinking of writing something that detects the top-most app window and draws an obvious box around it.
I would use this in a heartbeat. With Windows 10/11 I usually have the option to apply a garish accent color to the active window. Nowadays, more and more apps don't use native window frames anymore, so that option works less and less.
The W11 task bar with its barely legible indicators doesn't help either.
On a big ultra-wide display with a few windows open, I sometimes struggle to see which one is active.
> > I keep thinking of writing something that detects the top-most app window and draws an obvious box around it.
> I would use this in a heartbeat.
I may one day get around to it. Of the many projects on my “will probably never actually happen” list¹ it is one of the smallest. I did something similar to add other decorations to windows back in my just-post-Uni days². Walking the process list, getting the hWnd(s) you were interested in, and from there the window dimensions, was fairly trivial and it no doubt still is.
----
[1] I mention them here where relevant, in the hopes that someone else will see the ideas and be inspired to implement them in an open form so I don't have to :-)
[2] ~win2000 era, I was playing in Delphi at the time
How many physical stores sell the alternatives at all? IIRC there is one in Cambridge specifically selling Pi kit and related stuff, but that is about it.
I almost never shop at Target. It's not near to me, and it's not on my list of destinations when I'm away from home.
But I was in Target one day anyway, and they had a Raspberry Pi 3 kit for sale on the shelf. IIRC, it was one of the Google DIY smart speaker kits. I thought that was neat to see.
My usual source for Raspberry Pi stuff is Microcenter. That's also not near to me, but it's a viable destination that's worth a trip all on its own.
At this Microcenter, they move enough Pi hardware that they don't even have them on the shelves anymore. They're instead stocked at each checkout register, and priced at or below MSRP. They're right there alongside a wide assortment of minimally-packaged house-brand SD cards and USB keys and other geek fodder.
It's quick and easy to walk in and grab a couple of spools of printer filament, some 22AWG solid wire for breadboarding, a card of LR44 batteries for the digital calipers, and a Raspberry Pi. (Well, it can be quick. Last time I went, I got sucked into the mechanical keyboard department for an embarrassingly long time.)
Anyway, they also have NUC-shaped computers there if someone wants to go that direction instead. Just pick one out, pay for it, and take it home.
With the caveat that I might be slightly out of touch (I have nothing beyond the Pi4/400 and the last x86 mini-box I bought was over a year ago)…
IMO the key benefit of a Pi over an x86/a64 box, assuming you aren't using the IO breakouts and such, is power efficiency (particularly at idle-ish). The benefits of the x86/a64 boxes are computing power and being all-in-one (my need was due to my Pi4-based router becoming the bottleneck when my home line was upgraded to ~Gbit, and I wanted something with 2+ built-in NICs rather than relying on USB so didn't even look into the Pi5). Both options beat other SBC based options due to software support, the x86/a64 machines because support is essentially baked in and the rPi by virtue of the Pi foundation and the wider community making great efforts to plug any holes. A Pi range used to win significantly on price (or at least price/performance) too, but that is not the case these days.
Certainly not everywhere. I definitely remember plenty of tasteless ones, some deliberately so and others just cases of other people's taste differing from mine!
> Does this mean firewalls now have to block all Ethereum endpoints?
Or, instead of attempting to enumerate the bad, if you run WordPress make sure it can't call out anywhere except a whitelist of hosts if some plugins have legitimate reasons to call out. Assuming the black-hat jiggery-pokery is server side of course.
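One way to implement the egress whitelist described above at the host level, as an added example that is not part of the original comment: a small POSIX shell function that turns an allowlist into an nftables ruleset scoped to the web server's uid. The uid (33 for www-data on Debian-style systems), the addresses and the service names are constructed assumptions.

```shell
#!/bin/sh
# Constructed example: build an nftables ruleset that lets the PHP/WordPress
# uid reach only allowlisted hosts (plus DNS), logging and dropping anything
# else it tries to call out to. Traffic from other uids is left untouched.

# Constructed allowlist, one "ip port label" per line (documentation IPs,
# not real services). Resolve hostnames to IPs before feeding them in.
ALLOWLIST='198.51.100.10 443 wordpress-update-api
198.51.100.20 443 payment-gateway'

# Print an nftables ruleset for the given uid and allowlist text.
egress_ruleset() {
  uid="$1"; list="$2"
  printf 'table inet wp_egress {\n'
  printf '  chain output {\n'
  printf '    type filter hook output priority 0; policy accept;\n'
  printf '    oif lo accept\n'
  # Only the web server uid is constrained; everyone else is accepted early.
  printf '    meta skuid != %s accept\n' "$uid"
  printf '    ct state established,related accept\n'
  printf '    udp dport 53 accept\n'
  printf '%s\n' "$list" | while read -r ip port label; do
    [ -n "$ip" ] || continue
    printf '    ip daddr %s tcp dport %s accept comment "%s"\n' "$ip" "$port" "$label"
  done
  # Everything else from that uid is logged (for detection) and dropped.
  printf '    log prefix "wp-egress-drop " drop\n'
  printf '  }\n'
  printf '}\n'
}

# Count the per-host accept rules in a generated ruleset (used for checking).
count_allowed() { printf '%s\n' "$1" | grep -c 'ip daddr'; }

# Usage on the host: egress_ruleset 33 "$ALLOWLIST" | sudo nft -f -
```

Watch the kernel log for the `wp-egress-drop` prefix: a plugin with a legitimate need shows up there once and gets added to the list, while a compromised plugin calling out to an unexpected host shows up and stays blocked.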