Transportation

Could Sea Explosions Finally Locate the 2014 Crash Site of Flight MH370? (cardiff.ac.uk) 31

Malaysia Airlines Flight 370 vanished in 2014 — and efforts continue to find it. In 2018 a UK-based video producer claimed to have discovered the crashed aircraft on Google Maps — but Newsweek pointed out the same wreckage "is visible in imagery dating back to January 1, 2004 — more than a decade before MH370 disappeared."

Marine robotics company Ocean Infinity also failed to find the aircraft after a five-month search in 2018 — but has returned to the headlines this March, writes the Independent, "claiming that they have scientific evidence" for the flight's final resting place. (The company's CEO says the last six years they've been "innovating with technology and robotics to further advance our ocean search capabilities.")

And this week Indian Express reported that researchers from the UK's Cardiff University investigating the mystery "have come up with a novel plan to unravel it — sea explosions."

More from the Economic Times: Scientists have said that airplanes crashing over oceans create unique acoustic signatures that can travel more than 3,000km through water. These acoustic signatures can be recorded by a network of 11 hydroacoustic stations worldwide that are dotted along the seabed. Researchers at Cardiff University have said that a series of controlled underwater explosions or air gunfire along the 7th arc [where the plane last communicated] can be done to see whether they can isolate a more precise location for MH370.
More details from NDTV: "[W]ithin the time frame and location suggested by the official search, only a single, relatively weak signal was identified," Dr Kadri said... "Similar exercises were performed in the search and rescue mission for the ARA San Juan, a submarine that vanished off the coast of Argentina in 2017. This shows us that it is relatively straightforward and feasible and could provide a means to determine the signal's relevance to MH370, prior to resuming with another extensive search. If found to be related, this would significantly narrow down, almost pinpoint, the aircraft's location," Dr Kadri added...

Despite the largest search in aviation history, the plane has never been found.

An announcement from Cardiff University adds that "The experiments would also help develop the use of hydroacoustic technology as a tool for authorities to draw upon when narrowing down potential crash locations for airplanes in the future."
Portables

A Startup's Faster-Than-E-Ink Android Tablet Challenges Apple's iPad (om.co) 97

It's "one of the most talked about devices in Silicon Valley," according to tech writer/investor Om Malik.

The company's web site calls it "the computer, de-invented," promising a tablet with "the world's first full-speed paper-like display." But its founder has structured the company as a Public Benefit Corporation, with its web site describing the eyestrain-relieving tablet as "designed for deep focus and wellbeing. We refuse to accept a future where our devices are exhausting, addictive, and distracting."

Malik writes that Daylight Computer founder Anjan Katta suffers from ADHD, and "wanted something that allowed him few distractions and allowed him to work with intent." What the company has created is a beautiful tablet — about the size of a normal iPad Air. It is just a "little less than white," white, with a gorgeous screen. It is very simple, elegant, and lovely. It has an e-ink screen, and the matte monochrome paper-like display is optimized for reading, writing, and note-taking. It refreshes at 60 frames per second, a pretty big deal for e-ink displays. This different screen technology developed by the company is called LivePaper and it feels as snappy as anything you have experienced on an iPad. This is what puts it a notch above other e-ink tablets. This is precisely why the new Daylight tablet is much less stressful on the eye and easy to use even in direct sunlight. It has 8 GB memory, about 128 GB in-built storage, an 8-core chip, microphones, speakers, and a powerful battery.

There is no camera — thank God!

An ad from the company suggests the tablet "might change the way you think about screens," promising their device is "less distraction. Less addiction. Less eyestrain. Less blue light... Technology that feels a little bit more human, a bit less demanding."

The blog of product designer Arun Venkatesan calls it one of those devices that "signals an exciting new era where we can harness the power of technology without sacrificing our ability to live intentional, balanced lives."

Tom's Guide notes the tablet "is designed to run normal Android apps, and comes pre-installed with apps like Audible, Kindle, Google Docs and more" — and this may be only the beginning: Based on various podcast interviews we could find of Katta, the DC1 isn't the end goal of the company. Katta wants to see the Live Paper display in all kinds of devices like monitors, laptops and watches.

Is the Daylight DC1 a technology flash in the pan or will we see a wave of Live Paper devices in the future? It'll be interesting to see how this device truly works once it's in people's hands.

The Internet

How Internet Pioneers Celebrated 50 Years of the Internet (i50ieee.com) 7

Founded in 1963, the Institute of Electrical and Electronics Engineers held a special event Sunday that they said would be "inspiring engineering for the next 50 years."

The event featured talks on the origins of the internet from 80-year-old "father of the internet" Vint Cerf, along with John Shoch (who helped develop the Ethernet and internetwork protocols at Xerox PARC), Judith Estrin (who worked with Cerf on the TCP project), and Robert Kahn (who with Cerf first proposed the IP and TCP protocols). Ethernet co-inventor Bob Metcalfe also spoke at the end of the event.

Long-time Slashdot reader repett0 was an onsite volunteer, and shares that "it was incredible to meet and greet such a wonderful mix of people making technology happen... [T]he event celebrated many key technologies and innovators from the past 50 years and considerations of what is to come in the next 50 years." Video streams are available and more are coming online (including interviews with key innovators, society leadership, and more). If you could not make this event, follow-on activities continue, including the People-Centered Internet Imagine Workshop where a mix of society is working together to consider how to improve humanity's intersection with ever-expanding abilities thanks to technology.
They add that the event was made possible "through the collaboration of many professional computing societies" including the IEEE, People-Centered Internet, Google, Internet Society, IEEE Computer Society, GIANT Protocol, IEEE Foundation — and volunteers from the SF Bay Area ACM and Internet Society.
Microsoft

Thursday's Bing API Outage Took Down DuckDuckGo, Copilot, and ChatGPT Search (theverge.com) 17

Thursday long-time Slashdot reader mschaffer reported that "Microsoft's search engine isn't working correctly, and many alternative search engines that rely on it are down, too."

Bing started "having issues" around 1:30 a.m. EST, reports SearchEngineLand (citing Downdetector.com, and sharing screenshots of Bing.com searches failing — even on partner sites like DuckDuckGo).

By Thursday morning search capabilities for ChatGPT, Copilot, DuckDuckGo, and other platforms had stopped working, reports the Verge, saying the issues "appeared to be linked to Bing's API and any service that relies upon it." While Microsoft's own web search engine, Bing, was also seemingly affected, according to TechCrunch, it came back online eventually. By 11AM ET, OpenAI posted a note indicating the issue had been resolved, saying, "Between around 10:10 PM PT yesterday and 6:50 AM PT today, we experienced a partial outage affecting ChatGPT's web-browsing capabilities due to Bing being unavailable." DuckDuckGo posted that "we're coming back up" at around 10:30AM ET, and so did Ecosia, which is "the search engine that plants trees."
Copilot users experienced "a loading loop that prevented users from accessing the service," according to the article, while ChatGPT users attempting a web search got error messages instead.

Ars Technica adds that it also stopped searches from Microsoft's Edge browsers (that hadn't changed their default search settings). But they also had a disturbing observation for people worried that web search is dominated by Google: "most of your other major options were brought down by a single API outage... The overwhelming majority of search tools offering an alternative" to Google are using Google, Bing, or Yandex. "Yandex, being based in Russia, is a non-starter for many people around the world at the moment."
But their article digs deep into the alternatives, starting with this list compiled by undergraduate CS major Rohan Kumar of search sites with their own indexes — including Mojeek, Stract, Right Dao and Yep...
Google

Google Threatens To Pause Google News Initiative Funding In US (axios.com) 20

Google has warned nonprofit newsrooms that a new California bill taxing Big Tech for digital ad transactions would jeopardize future investments in the U.S. news industry. "This is the second time this year Google has threatened to pull investment in news in response to a regulatory threat in California -- but this time, hundreds of publishers outside of California would also feel the impact," reports Axios. From the report: Google's new outreach to smaller news outlets is happening in response to a different bill, introduced this year by State Sen. Steve Glazer, that would tax Big Tech companies like Google and Meta for "data extraction transactions," or digital ad transactions. Tax revenue would fund tax credits meant to support the hiring of more journalists in California by eligible nonprofit local news organizations. With the link tax bill, Google only threatened to pull news investments in California. But the company is telling partners that the ad tax proposal will threaten consideration of new grants nationwide by the Google News Initiative, which funds hundreds of smaller news outlets, sources told Axios. Previous commitments, however, should be secure. A spokesperson for the Institute for Nonprofit News said the organization believes that grants previously committed through GNI as described here "are secure, so INN members should continue to benefit through this particular Fundamentals Labs program."

Google's concern, sources familiar with the company's thinking told Axios, is that the new California ad tax bill could set a troubling wider precedent for other states. California's Senate tax committee approved the "ad tax" bill May 8. Days after that, Google started making calls to nonprofits about potentially pausing future Google News Initiative funding, sources told Axios. Opponents argue (PDF) the ad tax burden would get passed down to consumers and businesses. They also say the measure would face legal challenges, similar to a digital ad tax introduced in Maryland last year.

Google

Google Search's 'udm=14' Trick Lets You Kill AI Search For Good (arstechnica.com) 40

An anonymous reader quotes a report from Ars Technica: If you're tired of Google's AI Overview extracting all value from the web while also telling people to eat glue or run with scissors, you can turn it off -- sort of. Google has been telling people its AI box at the top of search results is the future, and you can't turn it off, but that ignores how Google search works: A lot of options are powered by URL parameters. That means you can turn off AI search with this one simple trick! (Sorry.) Our method for killing AI search is defaulting to the new "web" search filter, which Google recently launched as a way to search the web without Google's alpha-quality AI junk. It's actually pretty nice, showing only the traditional 10 blue links, giving you a clean (well, other than the ads), uncluttered results page that looks like it's from 2011. Sadly, Google's UI doesn't have a way to make "web" search the default, and switching to it means digging through the "more" options drop-down after you do a search, so it's a few clicks deep.

Check out the URL after you do a search, and you'll see a mile-long URL full of esoteric tracking information and mode information. We'll put each search result URL parameter on a new line so the URL is somewhat readable [...]. Most of these only mean something to Google's internal tracking system, but that "&udm=14" line is the one that will put you in a web search. Tack it on to the end of a normal search, and you'll be booted into the clean 10 blue links interface. While Google might not let you set this as a default, if you have a way to automatically edit the Google search URL, you can create your own defaults. One way to edit the search URL is a proxy site like udm14.com, which is probably the biggest site out there popularizing this technique. A proxy site could, if it wanted to, read all your search result queries, though (your query is also in the URL), so whether you trust this site is up to you.
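The rewrite described above, done locally rather than through a third-party proxy site, as an added example that is not code from the Ars Technica article or from udm14.com; the only thing taken from the article is the `udm=14` parameter itself. Because the rewrite runs on your own machine, the query text in the URL is never shown to anyone but Google.

```python
"""Rewrite a Google search URL so that it lands on the 'web' (udm=14) filter.

The function keeps every other parameter (the q= query, language, region and
Google's own tracking fields) in their original order, replaces any existing
udm value instead of appending a second one, and leaves non-Google URLs alone.
It can be dropped into a userscript, a local redirect rule, or used to build
a browser search-engine template. The sample URL at the bottom is constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WEB_FILTER = ("udm", "14")  # the parameter the article identifies


def is_google_search(url: str) -> bool:
    """True only for http(s)://www.google.<tld>/search?... style URLs."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    return (
        parts.scheme in ("http", "https")
        and (host == "google.com" or host.startswith("www.google."))
        and parts.path == "/search"
    )


def force_web_search(url: str) -> str:
    """Return `url` with udm=14 set; anything that is not a Google search is returned unchanged."""
    if not is_google_search(url):
        return url
    parts = urlsplit(url)
    # parse_qsl decodes the query string into (name, value) pairs; drop any udm
    # already present so the result carries exactly one, then re-encode.
    params = [
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name != "udm"
    ]
    params.append(WEB_FILTER)
    return urlunsplit(parts._replace(query=urlencode(params)))


def search_engine_template(base: str = "https://www.google.com/search") -> str:
    """A browser 'custom search engine' URL with %s as the query placeholder (constructed)."""
    return f"{base}?q=%s&udm=14"


if __name__ == "__main__":
    # Constructed example of a long search URL with tracking parameters and an
    # AI-overview mode already selected (udm=2 is used here only as a placeholder).
    sample = "https://www.google.com/search?q=eat+glue&sca_esv=abc123&udm=2"
    print(force_web_search(sample))
    print(search_engine_template())
```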

Youtube

YouTube Rolling Out Its Widely Hated New Web Redesign (9to5google.com) 61

Ben Schoon reports via 9to5Google: After first appearing earlier this year, YouTube once again appears to be rolling out a new redesign for its website that everyone hates. In mid-April, Google started testing a redesign to YouTube's website, which moved the title of the video, its description, and the comments to the side of the screen. In their place, video recommendations were moved directly underneath the video being watched with much larger thumbnails and titles. The change was widely hated by almost everyone who got it, but it didn't show up for all users. In the weeks to follow, YouTube reverted the redesign. Now, the YouTube redesign is back.

As spotted by many users, YouTube has started rolling out this redesign yet again. The new look has been appearing over the past few days, though it doesn't seem like it's a wide rollout. Rather, it appears to still be a test more than anything else. What does this second attempt mean? It's still unclear if YouTube intends to make this new look the default experience, but a second round of testing certainly implies more data is being gathered.

Google

Google: Stop Trying To Trick Employees With Fake Phishing Emails (pcmag.com) 100

An anonymous reader shares a report: Did your company recently send you a phishing email? Employers will sometimes simulate phishing messages to train workers on how to spot the hacking threat. But one Google security manager argues the IT industry needs to drop the practice, calling it counterproductive. "PSA for Cybersecurity folk: Our co-workers are tired of being 'tricked' by phishing exercises y'all, and it is making them hate us for no benefit," tweeted Matt Linton, a security incident manager at Google.

Linton also published a post on the Google Security blog about the pitfalls of today's simulated phishing tests. The company is required to send fake phishing emails to its employees to meet the US government's security compliance requirements. In these tests, Google sends an employee a phishing email. If the worker clicks a link in the email, they'll be told they failed the test and will usually be required to take some sort of training course. However, Linton argues that simulated phishing tests can lead to harmful side effects, which can undermine a company's security. "There is no evidence that the tests result in fewer incidences of successful phishing campaigns," Linton said, noting that phishing attacks continue to help hackers gain a foothold inside networks, despite such training. He also pointed to a 2021 study that ran for 15 months and concluded that these phishing tests don't "make employees more resilient to phishing."

Businesses

iFixit is Breaking Up With Samsung (theverge.com) 13

iFixit and Samsung are parting ways. Two years after they teamed up on one of the first direct-to-consumer phone repair programs, iFixit CEO and co-founder Kyle Wiens tells The Verge the two companies have failed to renegotiate a contract -- and says Samsung is to blame. From a report: "Samsung does not seem interested in enabling repair at scale," Wiens tells me, even though similar deals are going well with Google, Motorola, and HMD. He believes dropping Samsung shouldn't actually affect iFixit customers all that much. Instead of being Samsung's partner on genuine parts and approved repair manuals, iFixit will simply go it alone, the same way it's always done with Apple's iPhones. While Wiens wouldn't say who technically broke up with whom, he says price is the biggest reason the Samsung deal isn't working: Samsung's parts are priced so high, and its phones remain so difficult to repair, that customers just aren't buying.
Wireless Networking

Why Your Wi-Fi Router Doubles As an Apple AirTag (krebsonsecurity.com) 73

An anonymous reader quotes a report from Krebs On Security: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops. At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID. Periodically, Apple and Google mobile devices will forward their locations -- by querying GPS and/or by using cellular towers as landmarks -- along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.

With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position. Apple's WPS also accepts a list of nearby BSSIDs, but instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user's location based on known landmarks.

In essence, Google's WPS computes the user's location and shares it with the device. Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own. That's according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They learned that while only about three million of those randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.
"Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds. "The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."

The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."

A copy of the UMD research is available here (PDF).
AI

Amazon Plans To Give Alexa an AI Overhaul - and a Monthly Subscription Price (cnbc.com) 36

Amazon is upgrading its decade-old Alexa voice assistant with generative AI and plans to charge a monthly subscription fee to offset the cost of the technology, CNBC reported Wednesday, citing people with knowledge of Amazon's plans. From the report: The Seattle-based tech and retail giant will launch a more conversational version of Alexa later this year, potentially positioning it to better compete with new generative AI-powered chatbots from companies including Google and OpenAI, according to two sources familiar with the matter, who asked not to be named because the discussions were private. Amazon's subscription for Alexa will not be included in the $139-per-year Prime offering, and Amazon has not yet nailed down the price point, one source said.

While Amazon wowed consumers with Alexa's voice-driven tasks in 2014, its capabilities could seem old-fashioned amid recent leaps in artificial intelligence. Last week, OpenAI announced GPT-4o, with the capability for two-way conversations that can go significantly deeper than Alexa. For example, it can translate conversations into different languages in real time. Google launched a similar generative-AI-powered voice feature for Gemini.

AI

Meta AI Chief Says Large Language Models Will Not Reach Human Intelligence (ft.com) 78

Meta's AI chief said the large language models that power generative AI products such as ChatGPT would never achieve the ability to reason and plan like humans, as he focused instead on a radical alternative approach to create "superintelligence" in machines. From a report: Yann LeCun, chief AI scientist at the social media giant that owns Facebook and Instagram, said LLMs had "very limited understanding of logic... do not understand the physical world, do not have persistent memory, cannot reason in any reasonable definition of the term and cannot plan... hierarchically."

In an interview with the Financial Times, he argued against relying on advancing LLMs in the quest to make human-level intelligence, as these models can only answer prompts accurately if they have been fed the right training data and are, therefore, "intrinsically unsafe." Instead, he is working to develop an entirely new generation of AI systems that he hopes will power machines with human-level intelligence, although he said this vision could take 10 years to achieve. Meta has been pouring billions of dollars into developing its own LLMs as generative AI has exploded, aiming to catch up with rival tech groups, including Microsoft-backed OpenAI and Alphabet's Google.

Android

Google Brings Back Group Speaker Controls After Sonos Lawsuit Win (arstechnica.com) 16

Android Authority's Mishaal Rahman reports that the group speaker volume controls feature is back in Android 15 Beta 2. "Google intentionally disabled this functionality on Pixel phones back in late 2021 due to a legal dispute with Sonos," reports Rahman. "In late 2023, Google announced it would bring back several features they had to remove, following a judge's overturning of a jury verdict that was in favor of Sonos." From the report: When you create a speaker group consisting of one or more Assistant-enabled devices in the Google Home app, you're able to cast audio to that group from your phone using a Cast-enabled app. For example, let's say I make a speaker group named "Nest Hubs" that consists of my bedroom Nest Hub and my living room Nest Hub. If I open the YouTube Music app, start playing a song, and then tap the cast icon, I can select "Nest Hubs" to start playback on both my Nest Hubs simultaneously.

If I keep the YouTube Music app open, I can control the volume of my speaker group by pressing the volume keys on my phone. This functionality is available no matter what device I use. However, if I open another app while YouTube Music is casting, whether I'm able to still control the volume of my speaker group using my phone's volume keys depends on what phone I'm using and what software version it's running. If I'm using a Pixel phone that's running a software version before Android 15 Beta 2, then I'm unable to control the volume of my speaker group unless I re-open the YouTube Music app. If I'm using a phone from any other manufacturer, then I won't have any issues controlling the volume of my speaker group.

The reason for this weird discrepancy is that Google intentionally blocked Pixel devices from being able to control the volume of Google Home speaker groups while casting. Google did this out of an abundance of caution while they were fighting a legal dispute. [...] With the release of last week's Android 15 Beta 2, we can confirm that Google finally restored this functionality.

Google

Google's Moonshot Factory Falls Back Down to Earth 25

Alphabet's moonshot factory, X, is scaling back its ambitious projects amid concerns over Google's core search business facing competition from AI chatbots like ChatGPT. The lab, once a symbol of Google's commitment to innovation, is now spinning off projects as startups rather than integrating them into Alphabet. The shift reflects a broader trend among tech giants, who are cutting costs and focusing on their core businesses in response to the rapidly evolving AI landscape.
Microsoft

Microsoft Edge Will Dub Streamed Video With AI-Translated Audio (pcworld.com) 19

Microsoft is planning to either add subtitles or even dub video produced by major video sites, using AI to translate the audio into foreign languages within Microsoft Edge in real time. From a report: At its Microsoft Build developer conference, Microsoft named several sites that would benefit from the new real-time translation capabilities within Edge, including Reuters, CNBC News, Bloomberg, and Coursera, plus Microsoft's own LinkedIn. Interestingly, Microsoft also named Google's YouTube as a beneficiary of the translation capabilities. Microsoft plans to translate the video from Spanish to English and from English to German, Hindi, Italian, Russian, and Spanish. There are plans to add additional languages and video platforms in the future, Microsoft said.
Google

Google Cuts Mystery Check To US In Bid To Sidestep Jury Trial (reuters.com) 38

An anonymous reader quotes a report from Reuters: Alphabet's Google has preemptively paid damages to the U.S. government, an unusual move aimed at avoiding a jury trial in the Justice Department's antitrust lawsuit over its digital advertising business. Google disclosed (PDF) the payment, but not the amount, in a court filing last week that said the case should be heard and decided by a judge directly. Without a monetary damages claim, Google argued, the government has no right to a jury trial. The Justice Department, which has not said if it will accept the payment, declined to comment on the filing. Google asserted that its check, which it said covered its alleged overcharges for online ads, allows it to sidestep a jury trial whether or not the government takes it.

The Justice Department filed the case last year with Virginia and other states, alleging Google was stifling competition for advertising technology. The government has said Google should be forced to sell its ad manager suite. Google, which has denied the allegations, said in a statement that the Justice Department "manufactured a damages claim at the last minute in an attempt to secure a jury trial." Without disclosing the size of its payment, Google said that after months of discovery, the Justice Department could only point to estimated damages of less than $1 million. The company said the government has said the case is "highly technical" and "outside the everyday knowledge of most prospective jurors."

Google

Google Thinks the Public Sector Can Do Better Than Microsoft's 'Security Failures' (theverge.com) 27

An anonymous reader shares a report: Google is pouncing on Microsoft's weathered enterprise security reputation by pitching its services to government institutions. Pointing to a recent report from the US Cyber Safety Review Board (CSRB) that found that Microsoft's security woes are the result of the company "deprioritizing" enterprise security, Google says it can help. The company's pitch isn't quite as direct as Microsoft CEO Satya Nadella saying he made Google dance, but it's spicy all the same. Repeatedly referring to Microsoft as "the vendor" throughout its blog post on Monday, Google says the CSRB "showed that lack of a strong commitment to security creates preventable errors and serious breaches." Platforms, it added, "have a responsibility" to hold to strong security practices. And of course, who is more responsible than Google?
AI

AI 'Godfather' Geoffrey Hinton: If AI Takes Jobs We'll Need Universal Basic Income (bbc.com) 250

"The computer scientist regarded as the 'godfather of artificial intelligence' says the government will have to establish a universal basic income to deal with the impact of AI on inequality," reports the BBC: Professor Geoffrey Hinton told BBC Newsnight that a benefits reform giving fixed amounts of cash to every citizen would be needed because he was "very worried about AI taking lots of mundane jobs".

"I was consulted by people in Downing Street and I advised them that universal basic income was a good idea," he said. He said while he felt AI would increase productivity and wealth, the money would go to the rich "and not the people whose jobs get lost and that's going to be very bad for society".

"Until last year he worked at Google, but left the tech giant so he could talk more freely about the dangers from unregulated AI," according to the article. Professor Hinton also made this prediction to the BBC. "My guess is in between five and 20 years from now there's a probability of half that we'll have to confront the problem of AI trying to take over".

He recommended a prohibition on the military use of AI, warning that currently "in terms of military uses I think there's going to be a race".
Open Source

Why a 'Frozen' Distribution Linux Kernel Isn't the Safest Choice for Security (zdnet.com) 104

Jeremy Allison — Sam (Slashdot reader #8,157) is a Distinguished Engineer at Rocky Linux creator CIQ. This week he published a blog post responding to promises of Linux distros "carefully selecting only the most polished and pristine open source patches from the raw upstream open source Linux kernel in order to create the secure distribution kernel you depend on in your business."

But do carefully curated software patches (applied to a known "frozen" Linux kernel) really bring greater security? "After a lot of hard work and data analysis by my CIQ kernel engineering colleagues Ronnie Sahlberg and Jonathan Maple, we finally have an answer to this question. It's no." The data shows that "frozen" vendor Linux kernels, created by branching off a release point and then using a team of engineers to select specific patches to back-port to that branch, are buggier than the upstream "stable" Linux kernel created by Greg Kroah-Hartman. How can this be? If you want the full details the link to the white paper is here. But the results of the analysis couldn't be clearer.

- A "frozen" vendor kernel is an insecure kernel. A vendor kernel released later in the release schedule is doubly so.

- The number of known bugs in a "frozen" vendor kernel grows over time. The growth in the number of bugs even accelerates over time.

- There are too many open bugs in these kernels for it to be feasible to analyze or even classify them....

[T]hinking that you're making a more secure choice by using a "frozen" vendor kernel isn't a luxury we can still afford to believe. As Greg Kroah-Hartman explicitly said in his talk "Demystifying the Linux Kernel Security Process": "If you are not using the latest stable / longterm kernel, your system is insecure."

CIQ describes its report as "a count of all the known bugs from an upstream kernel that were introduced, but never fixed in RHEL 8." For the most recent RHEL 8 kernels, at the time of writing, these counts are:

- RHEL 8.6: 5034
- RHEL 8.7: 4767
- RHEL 8.8: 4594

In RHEL 8.8 we have a total of 4594 known bugs with fixes that exist upstream, but for which known fixes have not been back-ported to RHEL 8.8. The situation is worse for RHEL 8.6 and RHEL 8.7 as they cut off back-porting earlier than RHEL 8.8 but of course that did not prevent new bugs from being discovered and fixed upstream....
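A toy model of the "introduced but never fixed" count and of how it grows as a frozen branch ages, added here as an illustration and not CIQ's tooling or method. It assumes, as a modelling choice, that an upstream fix names the commit that introduced the bug with a `Fixes: <sha>` tag and that the vendor branch can be described as the set of upstream commits it contains (its frozen base plus back-ports); all commit ids, dates and subjects are constructed.

```python
"""Count upstream fixes whose culprit commit ships in a frozen vendor kernel
but whose fix was never back-ported there.

Modelling assumptions (not taken from the CIQ white paper): every relevant
upstream fix carries a "Fixes: <sha>" tag, and the vendor kernel is known as
a set of upstream commit ids (frozen base release + back-ported fixes).
All ids and dates below are constructed.
"""
from dataclasses import dataclass
import re

# Matches the conventional tag line: Fixes: 0123abcd ("subject")
FIXES_TAG = re.compile(r"^Fixes:\s*([0-9a-fA-F]{7,40})\b", re.MULTILINE)


@dataclass(frozen=True)
class UpstreamCommit:
    sha: str       # constructed 12-hex-digit id
    date: str      # ISO date the commit landed in the upstream stable tree
    subject: str
    body: str = ""

    def fixes(self) -> set[str]:
        """Commit ids this commit claims to fix, lower-cased, as written in the tag."""
        return {m.group(1).lower() for m in FIXES_TAG.finditer(self.body)}


def _present(sha: str, known: set[str]) -> bool:
    """Prefix-tolerant membership, because Fixes: tags carry abbreviated ids.

    A very short prefix could match more than one commit; real tooling would
    resolve tags against the full object database instead.
    """
    sha = sha.lower()
    return any(k.startswith(sha) or sha.startswith(k) for k in known)


def unfixed_known_bugs(upstream, vendor_shas, as_of):
    """Upstream fixes landed on or before `as_of` whose culprit is in the
    vendor kernel but which the vendor never back-ported.

    A fix that has no Fixes: tag, or whose culprit never shipped in the
    vendor kernel, is not counted; neither is a fix the vendor did pick up.
    """
    vendor = {s.lower() for s in vendor_shas}
    missing = []
    for fix in upstream:
        if fix.date > as_of or _present(fix.sha, vendor):
            continue  # not yet known upstream, or already back-ported
        if any(_present(culprit, vendor) for culprit in fix.fixes()):
            missing.append(fix)
    return missing


# Constructed upstream history: one feature, three later fixes, one unrelated change.
UPSTREAM = [
    UpstreamCommit("a1b2c3d4e5f6", "2021-03-01", "net: add widget offload"),
    UpstreamCommit("0badc0ffee01", "2021-09-10", "net: fix widget refcount leak",
                   'Fixes: a1b2c3d4e5f6 ("net: add widget offload")'),
    UpstreamCommit("0badc0ffee02", "2022-06-15", "net: fix widget use-after-free",
                   'Fixes: a1b2c3d4e5f6 ("net: add widget offload")'),
    UpstreamCommit("0badc0ffee03", "2022-11-20", "fs: fix gadget overflow",
                   'Fixes: 777777777777 ("fs: add gadget")'),   # culprit never shipped by vendor
    UpstreamCommit("0badc0ffee04", "2023-02-02", "docs: fix typo"),  # no Fixes: tag
]

VENDOR_BASE = {"a1b2c3d4e5f6"}       # the frozen release point
VENDOR_BACKPORTS = {"0badc0ffee01"}  # the one fix the vendor chose to carry
VENDOR_KERNEL = VENDOR_BASE | VENDOR_BACKPORTS


def count_as_of(as_of: str) -> int:
    """Number of known-but-unfixed bugs in the constructed vendor kernel at a given date."""
    return len(unfixed_known_bugs(UPSTREAM, VENDOR_KERNEL, as_of))


if __name__ == "__main__":
    # The count only grows as the branch ages and upstream keeps finding bugs.
    for snapshot in ("2021-12-31", "2022-12-31", "2023-12-31"):
        print(snapshot, count_as_of(snapshot))
```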

This whitepaper is not meant as a criticism of the engineers working at any Linux vendors who are dedicated to producing high quality work in their products on behalf of their customers. This problem is extremely difficult to solve. We know this is an open secret amongst many in the industry and would like to put concrete numbers describing the problem to encourage discussion. Our hope is for Linux vendors and the community as a whole to rally behind the kernel.org stable kernels as the best long term supported solution. As engineers, we would prefer this to allow us to spend more time fixing customer specific bugs and submitting feature improvements upstream, rather than the endless grind of backporting upstream changes into vendor kernels, a practice which can introduce more bugs than it fixes.

ZDNet calls it "an open secret in the Linux community." It's not enough to use a long-term support release. You must use the most up-to-date release to be as secure as possible. Unfortunately, almost no one does that. Nevertheless, as Google Linux kernel engineer Kees Cook explained, "So what is a vendor to do? The answer is simple, if painful: Continuously update to the latest kernel release, either major or stable." Why? As Kroah-Hartman explained, "Any bug has the potential of being a security issue at the kernel level...."

Although [CIQ's] programmers examined RHEL 8.8 specifically, this is a general problem. They would have found the same results if they had examined SUSE, Ubuntu, or Debian Linux. Rolling-release Linux distros such as Arch, Gentoo, and OpenSUSE Tumbleweed constantly release the latest updates, but they're not used in businesses.

Jeremy Allison's post points out that "the Linux kernel used by Android devices is based on the upstream kernel and also has a stable internal kernel ABI, so this isn't an insurmountable problem..."
