New U.S. executive order on cybersecurity
Posted by Alexander_Selkirk@reddit | programming | View on Reddit | 80 comments
Posted by Alexander_Selkirk@reddit | programming | View on Reddit | 80 comments
shevy-java@reddit
"it’s imperative that organizations consider limiting the amount of personal data they store"
So on the one hand: don't store personal data. On the other hand we have Facebook and Google sniffing for user data. Something does not fit here, logically. It is orthogonal.
chipperclocker@reddit
I think its pretty clear. The tech giants believe they have legitimate reason to do that sniffing and believe they can secure what they sniff. Whether that sniffing is good is sort of unrelated, for them the data is both an asset and a liability.
The advise to treat data as a liability applies to everyone, but the companies who need to hear it most are the ones that don't even have a plan for how to use the data they have, they want to hold it forever just in case it ever becomes useful or just arent thinking about retention policies at all
Data is always a liability, and sometimes it is also an asset. But the security world is really trying hard to get everyone to universally view it as a liability.
ScottContini@reddit
Lots of companies think they have a legitimate reason and think they can secure what they sniff. Many of them find out that they have gaps. Even Google had a gap that resulted in the NSA getting heaps of data about their customers.
There needs to be limits to what data these companies can collect and under what circumstances.
Certhas@reddit
GDPR is just that.
ELVEVERX@reddit
Was Google's gap just the NDA asking them for it? Since US companies have no ability to reject government requests for data.
przemo_li@reddit
Depends on subject of request, USA companies can and do regularly object to courts if its about USA citizens.
It's us who do not live in USA and who aren't USA citizens who have it hopeless.
ScottContini@reddit
No. Read the link i posted.
ELVEVERX@reddit
I know i was more commenting on the need for the NSA to hack data of a US companies is basically non existent.
FeetPicsNull@reddit
Everyone must realize there is always a gap in security. The only secure data store is a dead man's brain.
Plank_With_A_Nail_In@reddit
Being able to make money from it at a later date without consent isn't a legitimate reason.
Just make it too hard to do, want to use the data in a marketing campaign six months after you collected it? Sure you can you just got to ask all six million people for their consent again if you don't your CEO goes to jail. Make it clear when you draft the laws that the whole point is to make it a pain in the ass, fuck it call the legislation "Making using personal data a pain in the ass legislation"
Crafty_Independence@reddit
That "legitimate reason" being that they directly profit off that data and contribute to political campaigns to keep the profits unscrutinized
ben_sphynx@reddit
When you consider something, sometimes you conclude 'hell no' and then don't do it.
Maybe-monad@reddit
they should add an "excepting our sponsors"
amroamroamro@reddit
simply put: Do As I Say, Not As I Do
Glizzy_Cannon@reddit
What they mean is if you're not part of the oligopoly of tech giants you dont have the privilege of storing personal data. It's Pay to play
Alexander_Selkirk@reddit (OP)
You mean "contradictory".
NewPhoneNewSubs@reddit
Link to the order rather than the blog about the order:
https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/
tpjwm@reddit
404 not found..
NewPhoneNewSubs@reddit
Huh. Funny. It was there for the last little while. Wonder if inauguration day nuked it or something.
tpjwm@reddit
Yeah that’s my guess, fortunately was able to use the wayback machine to see it
_rezx@reddit
A really fascinating order as it has no material definition in and of itself. Additionally, the idea that there is a large enough pool of software talent in government to validate implementations is a real stretch. If you’re really good at software, you make money in the private sector or you go into intelligence. You do not go to HSA as a rule.
brianly@reddit
This is going to impact many contractors which includes big name software companies selling to the enterprise. It trickles down in requirements that companies’ legal counsel define for them.
These changes are often exploited by competitors. Example: we did XYZ in response to the memo but other company didn’t. The bureaucrat isn’t going to do anything other than demand it from the other company.
Language from the order to highlight:
“Within 30 days of the date of this order, the Director of OMB, in consultation with the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), and the Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA), shall recommend to the Federal Acquisition Regulatory Council (FAR Council) contract language…”
GayMakeAndModel@reddit
What I’m reading is commercial off-the-shelf software (COTS) is going to be under even more scrutiny with even more audits. FML. We already get audited by like three different agencies for security accreditation.
Plank_With_A_Nail_In@reddit
Plenty of good programmers on contract with HSA, plenty of good programmers doing a couple of years to get cast iron pension.
Programming is easy anyway its design that's hard, wouldn't be able to outsource to India at all if programming was hard.
guest271314@reddit
Fuck U.S. Executive Orders.
Just means the U.S. Congress has abrogated their mandate.
And SCOTUS upholding a fucking ban on TikTok while ruling the Executive has absolute immunity is insane.
The U.S. Government are just gangstaers, wannabe gangsters, and maybe a bot or girl scout mixed in every 1000 employees or so.
Fuck 'em all.
Carthax12@reddit
Brilliant satire! LOL
guest271314@reddit
I'm serious. An Executive Order does not have the force of law enacted by a Legislature. That's what Sepration of Powers is for.
Outside_Knowledge_24@reddit
The EO applies to what gov agencies will purchase. Those decisions are delegated by Congress to the executive. The executive has decided that these security concerns are paramount in selecting vendors. Why would that need "the force of law"? Any private company is free to ignore this and find customers elsewhere
guest271314@reddit
The U.S. Congress doesn't "delegate" executive orders.
Outside_Knowledge_24@reddit
Congress delegates rulemaking authority within the scope of powers and agencies created by Congress. Just as Congress doesn't get involved in hiring decisions for most layers of the federal workforce, why would they get involved in the MANY MANY software purchasing processes across all agencies and departments?
guest271314@reddit
U.S> Congress is lazy as fuck, has basically abrogated their powers to the Executive. Now all Congress does is talk shot to each other and say shit like "You wanna take it outside". Oh, and fund wars that they have not officially declared.
Anyway, I don't fuck with the U.S. Government like that,. Fuck their Executive Orders, and their laws for that matter.
Outside_Knowledge_24@reddit
Good luck with that.
guest271314@reddit
So when the U.S. Department of Justice steals your shit, what's your plan for recourse?
Outside_Knowledge_24@reddit
Well they can't really "steal" the ongoing service and support. We can turn off the system at any time if payment is not received; it's all on our machines. It's not like they're buying a proprietary file. Beyond that, what recourse can one expect against the most hegemonic organization in human history? We play by their rules and hope to profit by them.
guest271314@reddit
I don't entertain hope.
I'm not doing business with a white supremacist organization that has deliberately assassinated Fred Hampton, slaughtered the buffalo, militarily displaced the natives of Turtle Island and Bikini Atoll before blowing the island up, for sport.
They can get it how they live.
Outside_Knowledge_24@reddit
Lmao ok Mr badass. I'll remember that when my client is the Department of Energy or the EPA.
guest271314@reddit
I don't fuck with the U.S. Government, period. The U.S. Government is a foreign power as to me. This is Turtle Island.
Outside_Knowledge_24@reddit
Nobody is trying to stop you from doing that, so keep masturbating I guess 🤷♂️
guest271314@reddit
You can't stop me.
I'll roll through you, or move you out of my way.
Outside_Knowledge_24@reddit
What is more pathetic and laughable than people pretending to be a badass online? Go take your meds or touch grass. Good luck in your crusade against selling to the USG
guest271314@reddit
I don't pretend. I'm not on your side, politically.
Fuck the U.S. Government. I don't do business with that white supremacist organization.
guest271314@reddit
There's no luck involved. That's a political decision.
Outside_Knowledge_24@reddit
Good luck "deciding" that you can insulate yourself from the executive branch's whims
guest271314@reddit
You must be too weak minded and weak politically to stand up and do you.
Outside_Knowledge_24@reddit
Lol are you a child? Try living in the world as it is rather than the world as you'd like it to be. Wake me up when being a keyboard warrior who WILL NOT COMPLY with security guidelines does your any good.
guest271314@reddit
You have no idea who you are dealing with.
I've said "No" and stood on that when challenging one of the Several States in U.S. federal court, from the U.S> District Court all the way up to SCOTUS, over 4 years, by myself.
Unless you have done that yourself, you really have no clue.
Outside_Knowledge_24@reddit
I neither believe that nor care; you sound more like a second year university student. Please continue ranting as much as you want, I think a few more comments and you'll bring back the Buffalo and Bikini Atoll
guest271314@reddit
I challenged the state in federal court 20 years ago, chap.
I don't care about you or your white supremacist, genocidal government, nor its Several States, either.
Outside_Knowledge_24@reddit
No you didn't. And you obviously care enough to just keep at the this
guest271314@reddit
Yes, I did.
But you wouldn't know the first thing about being the master of your own political manifestation, nor challenging the state and/or a nation state.
guest271314@reddit
The INSLAW Octopus Software piracy, conspiracy, cover-up, stonewalling, covert action: Just another decade at the Department of Justice
Outside_Knowledge_24@reddit
Lmao good luck telling that to a procurement team at an agency run by the EXECUTIVE branch
guest271314@reddit
I don't fuck with the U.S. Government like that.
Outside_Knowledge_24@reddit
Ok, then if you're not selling to a government agency than this EO will have no bearing on you. By all means though, stay mad
guest271314@reddit
I ain't mad. I just know the U.S. Government is a foreign power to me and the U.S. Government is full of shit.
The same organization that forcibly removed the native inhabitants of Bikini Atoll to blow up their home land with a fucking nuclear bomb, for sport, under the auspices of "peace". Fuck 'em.
iNoles@reddit
would it fix npm dependency mess?
kexxty@reddit
Even if it's not perfect, in my opinion it's better than nothing. I like all the required improvements to special publications like the SSDF. I think that will end up benefiting the industry in general.
KevinCarbonara@reddit
It's not better than nothing. It's a list of things that Biden recognized he could take action on, but didn't both. Most of these directions are saying "Agencies should consider doing something".
He's the President. He's in charge of those agencies. They're not supposed to consider anything. He's supposed to issue orders, and they're supposed to follow them.
kexxty@reddit
It sounds like you haven't read it closely enough
KevinCarbonara@reddit
You haven't read it at all.
kexxty@reddit
Whatever you say bro
echomanagement@reddit
What would prevent this from being walked back in a week? I'd imagine this, the AI safety EO, and Biden's original EO are all going into the dumpster, sadly.
steveklabnik1@reddit
A lot of this stuff started under the last Trump administration. I don't think it's as clear cut as that. We'll see how much cutting of the administrative state Trump actually does, but also, given that this is all framed as a matter of national security, I'm not so sure he'd be against it.
echomanagement@reddit
I really hope you're right. I work in a contractor role for a federal agency, and in 2016, we were able to save most of our projects by gluing the word "security" to them.
kexxty@reddit
I agree
dontyougetsoupedyet@reddit
The last few vulnerabilities I fixed were written in managed languages. We have been here before, and last time Dykstra started talking about “a paradise for the lazy, the incompetent, and the cowardly” for good reason. The last recommendations did not make for correct software for the same reason these won’t today, the problem isn’t any programming language it’s a management problem. The same greedy inept managers will continue producing software the cheapest possible way cutting every corner possible and hiring the least costly engineers.
Alexander_Selkirk@reddit (OP)
It is no question that memory-safe languages are massively more secure than assembly, C, and C++. There are tons of statistics which prove that. Programs will still have bug, this for sure, but a buggy program in a language without Undefined Behaviour still does what the code says, while a C++ program with an exploit does whatever bytecodes happens to have been placed on the stack via the network. That's a massive difference. That's as big as a difference as a police officer that can be shot by a bank robber with a machine gun, and one that has a remotely controlled grenade strapped to his stomach with the remote control in the hands of the bandit.
dontyougetsoupedyet@reddit
You are using so much rhetoric because you don’t know very much. I will never understand this larping crap, reading this nonsense about bytecodes placed on the stack via the network is so frustrating, but know nothings will eat it up. You probably know as little about undefined behavior as you do about bytecode. I see straight through this rhetorical crap.
cameronm1024@reddit
Do you disagree with the main point though? That, while all languages can have logic bugs, being able to cause UB exposes you to even greater risk.
Do you wear your seatbelt even though it doesn't prevent 100% of fatalities in car accidents?
dontyougetsoupedyet@reddit
You don't "cause" undefined behavior.
This is precisely why it's so frustrating to interact with folks like you, you're convinced that you know something meanwhile you understand so little that you literally can't even accurately communicate while trying to join the discussion. Of fucking course you immediately jump into obnoxious rhetoric about seatbelts as well.
Undefined behavior is not something that exists or happens in a constructed program, it's a property of source code, not an artifact of translation.
Look, you might even know a thing or two, maybe you even know multiple programming languages, but you should take a step back and deeply consider whether you actually understand the things you think you do about safety and security.
You might choose to not believe it but there are boatloads of safe and correct programs doing great things for the world that rely on undefined behavior, mostly because undefined behavior isn't whatever rhetoric-laden crap you think it means. The authors of programs that rely on undefined behavior often deeply understand their target platforms and their toolchains and their programs.
I have nothing more to say to you.
Plasma_000@reddit
You're being pedantic.
Yes UB is a property of source code, but if a programmer puts that into their source then that may make their program behave in unexpected ways like causing memory corruption. I'd say "causing UB" is putting UB into your source code.
I take issue with you saying that there's plenty of software out there that relies on UB... maybe unintentionally..? But I'm very skeptical of that claim otherwise. Finding UB in code usually considered a bug in my experience, and rightfully so. Whatever behaviour you want out of "relying" on UB can usually be gotten without the UB in a much more reliable way.
The reason programmers should never rely on UB is that even if they may understand the generated code now, there's no guarantee that the code will stay the same with a different compiler version, or with slight modifications or even rearranging the code without changing semantics.
Plus in my experience, even the most skilful and experienced programmers write UB without realising.
jl2352@reddit
> the problem isn’t any programming language it’s a management problem.
I really hard disagree with sentiments like this. You are basically saying *'C++ is not the problem, it's management, therefore ignore the C++ issues'*.
Why can't the issue be both?
This executive order is not trying to fix all problems in one sweeping statement. It's trying to target specific areas, and move the industry there.
We know for a fact from decades of work that some languages (like C++) tend to have more memory issues than other languages. Those issues lead to more severe security issues. At this point it's a fact of life backed up by research.
There are good reasons companies invested in moving people from C++ to Java and C# decades ago. The use of Ada in places like defence. Then we Google moving people from C++ to Go, and now we have Rust. Parts of Google (all?) mandate anything new should be choosing Rust over C++. It's not because they spend all day on r/rust drinking the coolaid. It's because shipping severe security issues in Android is an existential problem for the business.
The writing is on the wall that we can have C++ speed and safety. Frankly it's a no brainer that if you need speed, you should use one that brings safety too. Anyone arguing otherwise is arguing in bad faith. Either C++ needs to step up and bring safety, or we should move to a different language. It is that simple.
Outside_Knowledge_24@reddit
Plenty of devs just don't want to add a bunch of non-functional requirements to their work, either. Managing dependencies as versions have CVEs detected, enacting encryption in transit between all services, managing keys, etc etc is all seen as unpleasant or even counterproductive
dontyougetsoupedyet@reddit
Also, things like having a threat model are the least of your concerns when inept middle managers say “I accept the risk” like it’s a magical incantation for reaching short term goals. Vulnerabilities are a management problem.
Alexander_Selkirk@reddit (OP)
Since the author of that OP, Herb Sutter, is a C++ expert, here some interesting discussion on this on /r/cpp.
Middlewarian@reddit
Prediction: C++ has survived many attempts to take it down and will survive this one from the Biden administration as well. I'm biased though as I'm building a C++ code generator.
MeBadNeedMoneyNow@reddit
Go on then.
theryan722@reddit
Wtf are you talking about? Your post is written as if from a schizophrenic on meth.
DragonflyMean1224@reddit
Trump Eliminated protections last time. He will likely make it even easier to buy and sell your data.
guest271314@reddit
You mean the same institution that didn't pay Inslaw, paid a third-party hacker to put a backdoor in PROMIS so they could spy on allies, and the same institution that had Bill Binney and his colleagues arrested after they said the U.S. Government shouldn't be mass spying on U.S. citizens using ThinThread, an has the nerve to talk about cybersecurity?
What a joke.