Another very minor update, now at 0.3.15, for our nanotime
package is now on CRAN, and has
been built for r2u and
Debian. nanotime
relies on the RcppCCTZ
package (as well as the RcppDate
package for additional C++ operations) and offers efficient high(er)
resolution time parsing and formatting up to nanosecond resolution,
using the bit64
package for the actual integer64 arithmetic. Initially
implemented using the S3 system, it has benefitted greatly from a
rigorous refactoring by Leonardo who not only rejigged
nanotime internals in S4 but also added new S4 types for
periods, intervals and durations.
This release adjusts the package for the maybe overly hasty switch R 4.6.0 has undertaken with respect to using C++20 as a default C++ compilation standard. I am of course largely in favour of such a switch to more modern C++. But I am also cognizant of the fact that not all compilers and machines are ready. And just as I have already seen one other package fail to compile on a particular CRAN system (!!) under C++20, this package all of a sudden, and only on that same system, started to throw two (harmless) compiler warnings. We could call these erroneous as newer versions of the same compiler do not throw them but it does not matter. The decision to default to C++20 has been made, and now we live with it. But maybe some hardware platforms should be moved behind the barn. Either way, this release both adds an explicit cast to two lines that may not really need it (but this will not hurt) and also dials the compilation standard down to C++17 on one particular platform. So once again there are no user-facing changes, or behavioural changes or enhancements, in this release.
The NEWS snippet below has the fuller details.
Changes in version 0.3.15 (2026-05-21)
Add extra
const_castas one CRAN machine with more ancient setup whines otherwise and is obviously less C++20 ready than it thinks
tools/configurealso checks where this is being built and βas needed' downgrades the compilation to C++17
Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository β and all documentation is provided at the nanotime documentation site.
This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.
Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.
As the pace of change accelerates, organizations are moving quickly from AI experimentation to enterprise-scale transformation. Leaders are prioritizing measurable outcomes, faster time to value and repeatability across the business.
But many are encountering the same reality: the challenge is no longer deciding whether to invest in AI β itβs scaling adoption and delivering consistent, enterprise-wide impact.
Over the past year, one thing has become clear. Organizations arenβt asking if AI matters. Theyβre asking how to make it real β how to embed it into the way work gets done and ensure it drives meaningful results.
Thatβs where many are getting stuck.
Because the barrier is no longer experimentation. Itβs execution.
At Microsoft, we believe successful AI Transformation depends on two foundational elements: intelligence and trust.
Organizations need to harness their own work intelligence β the data, workflows and expertise that make their business unique β and apply it through AI in ways that are flexible, secure and governed. That requires a platform that supports model diversity and continuous innovation, without compromising enterprise-grade security, compliance and reliability.
Just as importantly, AI must be embedded into the flow of work β how people collaborate, make decisions and operate day to day. For that to scale, systems must be transparent, secure and accountable.
This is where real enterprise value is created β and where many organizations need a clearer path forward.
Achieving impact at scale requires more than deploying new tools. It requires a trusted foundation β integrating data, security, privacy and governance β and a new model for delivering AI into the business.
Thatβs why Microsoft and EY are deepening our alliance β to help organizations move faster from AI ambition to measurable business outcomes.
There is no shortage of AI pilots in todayβs market. But pilots donβt transform businesses. What organizations need now is the ability to scale AI across the enterprise, integrate it into core workflows and deliver sustained, repeatable impact.
EY brings that experience.
As one of the first global organizations to deploy Microsoft 365 Copilot at scale, EY began with an initial rollout to 150,000 of its people, quickly demonstrating whatβs possible when AI is embedded into everyday work.
The results were significant and measurable:
The impact goes beyond individual productivity into agentic AI in core business operations:
With these results, EY is now expanding Copilot through Microsoft 365 E7 to more than 400,000 of its people worldwide, moving from early success to true enterprise scale.
This is what enterprise-scale transformation looks like β not isolated wins, but sustained impact across the organization.
Itβs also why EY serves as Customer Zero β applying Microsoft AI technologies internally to prove what works before bringing those solutions to clients.
Building on this foundation, Microsoft and EY are jointly investing more than $1 billion in a new initiative designed to help organizations move from isolated AI use cases to enterprise-scale transformation.
This effort brings together Microsoftβs AI platforms, including Azure, Microsoft 365 Copilot, Foundry, Fabric and security β and EYβs deep industry capabilities and transformation leadership.
But what differentiates this initiative isnβt just what we bring. Itβs how we deliver it.
At its core is a shared focus on helping organizations become Frontier Firms β where AI is embedded across the enterprise, not layered on top.
In a Frontier Firm, data, workflows and decision-making are connected end to end. AI becomes part of how work happens, and human expertise is amplified by intelligent systems.
Reaching this level requires more than investment. It requires execution.
This is where our approach is fundamentally different.
Microsoft and EY are cooperating as an integrated transformation engine β co-developing, co-engineering and co-delivering solutions aligned to real business priorities.
A key part of this model is Microsoftβs Forward Deployed Engineers (FDEs), who work side by side with EY transformation teams directly within customer environments.
Together, these teams:
This integrated model closes the gap between strategy and execution. It reduces friction across the technology stack and creates a direct path from pilot to production β at enterprise scale.
It also ensures that intelligence and trust advance together, embedding AI across data, applications and infrastructure in ways that can be governed, secured and continuously optimized.
Importantly, it establishes a repeatable blueprint β one that organizations can use to scale AI adoption across functions, industries and geographies.
Organizations are under pressure to move faster β to go beyond experimentation and deliver AI across the enterprise.
What they need is not just technology, but a clear path to execution β grounded in both intelligence and trust.
AI is not simply about doing work faster. Itβs about enabling people and organizations to do more β focusing on insight, creativity and higher-value decision-making.
Our work with EY demonstrates whatβs possible when AI is deployed with purpose at scale. Together, we are bringing those learnings to customers around the world β helping them accelerate transformation, unlock efficiencies and create new opportunities for growth.
Microsoft and EY are committed to helping organizations turn AI ambition into enterprise impact.
Learn more in the official announcement.
The post From AI pilots to enterprise impact: Why execution is the new differentiator appeared first on The Official Microsoft Blog.
I've heard "containers are not a security boundary" enough times that it's started to feel like received wisdom, and my honest read (after 13+ years) is that it's technically defensible but practically sloppy β and the sloppiness matters.
The part that's true: containers share a kernel, and a kernel exploit crosses the container boundary where a VM would not. That difference is real and non-trivial, and the CVE history backs it up β CVE-2019-5736, CVE-2022-0492, and CVE-2024-21626 all happened in "correctly configured" production containers.
The part I'd push back on is that the comparison point is almost never stated. "Containers aren't a security boundary" is being used as shorthand for "containers aren't a VM boundary" β but the conclusion people seem to draw from that is "therefore don't bother", which doesn't actually follow. The more honest version is that default Docker doesn't provide strong isolation between mutually untrusting parties, but a hardened configuration does.
What ships by default in Moby is actually a pretty reasonable foundation: seccomp is enabled (with a builtin profile blocking ~50 syscalls β credit where it's due: this is mostly @jessfraz's work; she even ran contained.af as a public CTF for years daring people to escape a container under her seccomp profile, and to my knowledge it was never claimed), AppArmor is enabled (the docker-default profile), and several sensitive /proc paths are masked. What's not on by default: no-new-privileges (setuid binaries inside can escalate), CAP_NET_RAW is still granted to every container (even though the kernel has supported unprivileged ICMP sockets for over a decade, meaning most modern distributions no longer need CAP_NET_RAW for ping), and user namespace remapping β though user namespaces aren't quite the silver bullet they might sound like; Debian left them disabled by default for years because the kernel attack surface they exposed hadn't been hardened against unprivileged callers.
The boundary isn't absent β it doesn't come completely pre-assembled. With VMs, the hypervisor is there whether you asked for it or not; with containers, assembling the boundary is left as an exercise for the operator. That's a much more solvable problem than "the technology is incapable", but it does mean the work falls to whoever's running the containers.
So, some things you can do today without waiting for defaults to change:
--user (or USER in your Dockerfile) is worth calling out specifically, because I think it's arguably stronger than user namespace remapping in one important way β and partly for the same reason Debian was hesitant about user namespaces in the first place. User namespace remapping protects the host from a root-in-container escape: if you do escape, you land as an unprivileged user on the host. But you were still root inside the container the whole time. Running as a non-root user means you were never root anywhere. The blast radius of a compromised process is limited whether or not it escapes, including for things like reading secrets, modifying container contents, or lateral movement within the container itself. Most application containers have no legitimate reason to be root.
Beyond that, a short list of things that are easy to enable and hard to justify leaving off:
Log in
--security-opt no-new-privileges β prevents setuid binaries from escalating; can also be set daemon-wide in daemon.json with "no-new-privileges": true--read-only β a read-only root filesystem means a compromised process can't easily persist tooling or modify the container (pair with a writable tmpfs mount for /tmp etc as needed)--cap-drop NET_RAW β or --cap-drop ALL and add back only what you actually need; CAP_NET_RAW is almost never legitimately needed by application containers--privileged β if something seems to require it, the right answer is almost always a more targeted capability grant or bind mount, not the nuclear optiondocker run \
--user 1234:5678 \
--security-opt no-new-privileges \
--read-only \
--tmpfs /tmp \
--cap-drop ALL \
acme/untrusted-workload:latest
None of these require a daemon restart or infrastructure changes, and stacked together they go a long way toward actually building the boundary that the defaults leave unbuilt.
(this post was written with the assistance of "claude my eyes right out" but all thoughts and understanding are Tianon's)
Correct me if I'm wrong but it sure looks like Apple just casually dropped agentic AI being built into iPhone
β Dylan (@DylanMcD8) May 19, 2026
Yes, in this video it's being used for Voice Control, but if a person can control their iPhone with natural language so can an AI agent! pic.twitter.com/S6DQOiQGsO
I was getting β<XF86AudioPlay> is undefinedβ in the status bar of Emacs displayed every 2-3 seconds. Nowhere else I noticed any misbehavior or problems, and also couldnβt find any related log entries. It didnβt stop, though didnβt want to reboot my system to see whether that would fix the problem, but it was driving me nuts.
Now, as a starting point I adjusted my sway configuration, to react to the XF86AudioPlay key press event:
bindsym XF86AudioPlay exec playerctl play-pause
After reloading sway, my music player started to play for 2-3 seconds, stopped playing, started again, etc. It wasnβt a Emacs bug, but something indeed seemed to send the XF86AudioPlay key event every 2-3 seconds. It wasnβt my USB keyboard or any stuck key on it, as verified also by unplugging it. So which device was causing this?
libinput from libinput-tools to the rescue:
% sudo libinput debug-events [...] -event12 KEYBOARD_KEY +0.000s KEY_PLAYPAUSE (164) pressed event12 KEYBOARD_KEY +0.000s KEY_PLAYPAUSE (164) released event12 KEYBOARD_KEY +2.887s KEY_PLAYPAUSE (164) pressed event12 KEYBOARD_KEY +2.887s KEY_PLAYPAUSE (164) released event12 KEYBOARD_KEY +5.773s KEY_PLAYPAUSE (164) pressed event12 KEYBOARD_KEY +5.774s KEY_PLAYPAUSE (164) released [...]
The `event12` device was sending this event, whatβs behind this?
% sudo udevadm info /dev/input/event12
P: /devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
M: event12
R: 12
J: c13:76
U: input
D: c 13:76
N: input/event12
L: 0
S: input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: DEVPATH=/devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
E: DEVNAME=/dev/input/event12
E: MAJOR=13
E: MINOR=76
E: SUBSYSTEM=input
E: USEC_INITIALIZED=12468722
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_SWITCH=1
E: ID_PATH=pci-0000:00:1f.3-platform-skl_hda_dsp_generic
E: ID_PATH_TAG=pci-0000_00_1f_3-platform-skl_hda_dsp_generic
E: XKBMODEL=pc105
E: XKBLAYOUT=us
E: XKBOPTIONS=lv3:ralt_switch,compose:rctrl
E: BACKSPACE=guess
E: LIBINPUT_DEVICE_GROUP=0/0/0:ALSA
E: DEVLINKS=/dev/input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: TAGS=:power-switch:
E: CURRENT_TAGS=:power-switch:
% sudo udevadm info -a /dev/input/event12 | grep -iE 'kernels|drivers|name'
KERNELS=="input17"
DRIVERS==""
ATTRS{name}=="sof-hda-dsp Headphone"
KERNELS=="card0"
DRIVERS==""
KERNELS=="skl_hda_dsp_generic"
DRIVERS=="skl_hda_dsp_generic"
KERNELS=="0000:00:1f.3"
DRIVERS=="sof-audio-pci-intel-tgl"
KERNELS=="pci0000:00"
DRIVERS==""
Behind this event12 is sof-hda-dsp Headphone, and evtest confirms that:
% sudo evtest No device specified, trying to scan all of /dev/input/event* Available devices: /dev/input/event0: AT Translated Set 2 keyboard /dev/input/event1: Sleep Button /dev/input/event10: ThinkPad Extra Buttons /dev/input/event11: sof-hda-dsp Mic /dev/input/event12: sof-hda-dsp Headphone /dev/input/event13: sof-hda-dsp HDMI/DP,pcm=3 /dev/input/event14: sof-hda-dsp HDMI/DP,pcm=4 /dev/input/event15: sof-hda-dsp HDMI/DP,pcm=5 /dev/input/event16: Yubico YubiKey OTP+FIDO+CCID /dev/input/event17: Apple Inc. Magic Keyboard with Numeric Keypad /dev/input/event18: Apple Inc. Magic Keyboard with Numeric Keypad [...] Select the device event number [0-24]: ^C
We can even get further information:
% sudo evtest /dev/input/event12
Input driver version is 1.0.1
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "sof-hda-dsp Headphone"
Supported events:
Event type 0 (EV_SYN)
Event type 1 (EV_KEY)
Event code 114 (KEY_VOLUMEDOWN)
Event code 115 (KEY_VOLUMEUP)
Event code 164 (KEY_PLAYPAUSE)
Event code 582 (KEY_VOICECOMMAND)
Event type 5 (EV_SW)
Event code 2 (SW_HEADPHONE_INSERT) state 0
Properties:
Testing ... (interrupt to exit)
Event: time 1779295060.175766, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 1
Event: time 1779295060.175766, -------------- SYN_REPORT ------------
Event: time 1779295061.951168, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295061.951168, -------------- SYN_REPORT ------------
Event: time 1779295061.951194, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295061.951194, -------------- SYN_REPORT ------------
Event: time 1779295064.548671, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295064.548671, -------------- SYN_REPORT ------------
Event: time 1779295064.548689, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295064.548689, -------------- SYN_REPORT ------------
Event: time 1779295067.437172, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295067.437172, -------------- SYN_REPORT ------------
Event: time 1779295067.437187, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295067.437187, -------------- SYN_REPORT ------------
Event: time 1779295070.323775, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295070.323775, -------------- SYN_REPORT ------------
Event: time 1779295070.323790, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295070.323790, -------------- SYN_REPORT ------------
Event: time 1779295073.200350, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295073.200350, -------------- SYN_REPORT ------------
Event: time 1779295073.200373, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295073.200373, -------------- SYN_REPORT ------------
Event: time 1779295076.076228, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295076.076228, -------------- SYN_REPORT ------------
Event: time 1779295076.076250, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295076.076250, -------------- SYN_REPORT ------------
Event: time 1779295078.961740, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295078.961740, -------------- SYN_REPORT ------------
Event: time 1779295078.961754, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295078.961754, -------------- SYN_REPORT ------------
Event: time 1779295081.850156, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295081.850156, -------------- SYN_REPORT ------------
Event: time 1779295081.850175, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295081.850175, -------------- SYN_REPORT ------------
Event: time 1779295083.306612, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 0
Event: time 1779295083.306612, -------------- SYN_REPORT ------------
So when I plug in my headphone (see the `SW_HEADPHONE_INSERT` event), the unexpected behavior starts, unplugging stops the problem.
Good! But what was totally unexpected for me: my headphone, being a Beyerdynamic DT-990 Pro, does not have any keys. 8-)
As it turned out, the headphone jack seemed to have been not entirely clean. The analog side of the jack triggers a behavior within the audio codec, where it seems to interpret the fluctuating impedance as a play button of the headset, being pressed, again and again.
I cleaned the jack of my headphone and my XF86AudioPlay problem is gone, case closed.
Note: learn more about Microsoft 365 Copilot availability here.
Eddy Cue has consistently pushed the boundaries of entertainment and storytelling, building platforms and experiences that have redefined how audiences engage with culture. Under his leadership, Apple has not only produced world-class content but has also shaped the future of entertainment through innovation, creativity and an unwavering commitment to quality. We're delighted to honor Eddy as our 2026 Entertainment Person of the Year.
Following the series of various Linux exploits of the last three weeks, the bug of today is PinTheft [CVE-2026-43494] which is local root privilege escalations.
The vulnerability can be mitigated by unloading and blocking rds modules, linux-vulnerability-mitigation as of 20260519-1 (uploaded to sid, trixie-fastforward-backports and people.debian.org/~daniel) does that automatically for you.
Updates:
default Debian kernels (bullseye, bookworm, trixie, and testing/unstable, experimental) are not directly affected because autoloading of the rds modules is disabled by rds-Disable-auto-loading-as-mitigation-against-local.patch
Added references to CVE-2026-43494
Note: MacRumors is an affiliate partner with Amazon. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running.
"Building an E2EE protocol that works seamlessly across all of those surfaces simultaneously is, to my knowledge, unlike anything else that's been shipped. DAVE is likely one of the internet's most platform-diverse E2EE voice and video implementations."Discord says it's now stripping out the remaining client code that allowed unencrypted fallback, so that encrypted calls will be the only option rather than a default. "We have no current plans to extend E2EE to text messages," added Smith.
Over the years, as our software and product has evolved, the breadth of features and benefits included with your Plex Pass has expanded. This increase ensures we can continue to invest resources into building and maintaining the Plex personal media software, while continuing to offer a Lifetime option.For those unfamiliar with Plex, it is media server software that lets users stream their library of content from a device with the server software installed to any other connected smartphone, tablet, or TV. The Plex Pass unlocks features like server management, hardware transcoding, offline downloads, mobile syncing, remote streaming, and more.
Apple Inc. ("Apple") will have the right to make employment offers to and hire certain employees of Animato, Inc. ("Animato"), receive a non-exclusive license to Animato's intellectual property rights, and acquire Animato's patent applications. Animato develops and distributes software that creates virtual avatars for video chats and tutoring.Animato was founded in October 2022 by Francesco Rossi, who previously spent seven years at Apple before leaving to start the company.
