New U.S. executive order on cybersecurity
Posted by Alexander_Selkirk@reddit | programming | View on Reddit | 31 comments
NewPhoneNewSubs@reddit
Link to the order rather than the blog about the order:
https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/
_rezx@reddit
A really fascinating order as it has no material definition in and of itself. Additionally, the idea that there is a large enough pool of software talent in government to validate implementations is a real stretch. If you’re really good at software, you make money in the private sector or you go into intelligence. You do not go to HSA as a rule.
Plank_With_A_Nail_In@reddit
Plenty of good programmers on contract with HSA, plenty of good programmers doing a couple of years to get cast iron pension.
Programming is easy anyway; it's design that's hard. Wouldn't be able to outsource to India at all if programming was hard.
kexxty@reddit
Even if it's not perfect, in my opinion it's better than nothing. I like all the required improvements to special publications like the SSDF. I think that will end up benefiting the industry in general.
KevinCarbonara@reddit
It's not better than nothing. It's a list of things that Biden recognized he could take action on, but didn't bother. Most of these directions are saying "Agencies should consider doing something".
He's the President. He's in charge of those agencies. They're not supposed to consider anything. He's supposed to issue orders, and they're supposed to follow them.
kexxty@reddit
It sounds like you haven't read it closely enough
echomanagement@reddit
What would prevent this from being walked back in a week? I'd imagine this, the AI safety EO, and Biden's original EO are all going into the dumpster, sadly.
kexxty@reddit
I agree
dontyougetsoupedyet@reddit
The last few vulnerabilities I fixed were written in managed languages. We have been here before, and last time Dijkstra started talking about "a paradise for the lazy, the incompetent, and the cowardly" for good reason. The last recommendations did not make for correct software for the same reason these won't today: the problem isn't any programming language, it's a management problem. The same greedy, inept managers will continue producing software the cheapest possible way, cutting every corner possible and hiring the least costly engineers.
Alexander_Selkirk@reddit (OP)
It is no question that memory-safe languages are massively more secure than assembly, C, and C++. There are tons of statistics which prove that. Programs will still have bugs, that's for sure, but a buggy program in a language without Undefined Behaviour still does what the code says, while a C++ program with an exploit does whatever bytecodes happen to have been placed on the stack via the network. That's a massive difference. That's as big a difference as a police officer that can be shot by a bank robber with a machine gun, and one that has a remotely controlled grenade strapped to his stomach with the remote control in the hands of the bandit.
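The class of bug the comment above alludes to, as an added example that is not part of the thread: a length-prefixed field copied off the wire into a fixed stack buffer, first without any check on the attacker-controlled length (the out-of-bounds write is undefined behaviour in C and lands on whatever sits next to the buffer), then with the check that a bounds-checked language would perform for you. The wire format (one length byte followed by the name) and the sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the destination buffer, including the NUL */

/* Constructed sample messages (not captured traffic):
 * byte 0 is the claimed name length, the rest is the name. */
static const uint8_t MSG_GOOD[]      = {5, 'a', 'l', 'i', 'c', 'e'};
static const uint8_t MSG_TRUNCATED[] = {200, 'x', 'x'};   /* claims 200 bytes, carries 2 */
static const uint8_t MSG_OVERSIZED[] = {20, 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
                                            'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A'};

/* Destination used by the stand-alone checks below. */
static char name_buf[NAME_MAX];

/* VULNERABLE ("before"): copies as many bytes as the message claims.
 * Nothing ties n to the size of `out` or to the bytes actually received,
 * so a message claiming 200 bytes writes 200 bytes into a 16-byte buffer.
 * In C that write is undefined behaviour; on a real stack it overwrites
 * whatever lives beside the buffer.  Only ever called here with good input. */
int parse_name_vulnerable(const uint8_t *msg, char *out)
{
    size_t n = msg[0];
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* HARDENED: the claimed length must fit both the bytes that were received
 * and the destination buffer (leaving room for the terminator).
 * Returns the name length, or -1 with `out` left empty on any violation. */
int parse_name_safe(const uint8_t *msg, size_t msg_len, char *out, size_t out_len)
{
    if (out_len == 0) return -1;
    out[0] = '\0';
    if (msg_len < 1) return -1;          /* no length byte at all */
    size_t n = msg[0];
    if (n > msg_len - 1) return -1;      /* claims more than was received */
    if (n >= out_len)    return -1;      /* would not fit, including the NUL */
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char name[NAME_MAX];
    const uint8_t *msgs[] = {MSG_GOOD, MSG_TRUNCATED, MSG_OVERSIZED};
    size_t lens[] = {sizeof MSG_GOOD, sizeof MSG_TRUNCATED, sizeof MSG_OVERSIZED};
    for (int i = 0; i < 3; i++) {
        int r = parse_name_safe(msgs[i], lens[i], name, sizeof name);
        if (r < 0) printf("message %d: rejected\n", i);
        else       printf("message %d: name=\"%s\" (%d bytes)\n", i, name, r);
    }
    return 0;
}
```

The two length checks in `parse_name_safe` are exactly what a bounds-checked runtime inserts on every indexed write; in C they exist only if the programmer remembers to write them, and the compiler is free to assume the out-of-bounds write in `parse_name_vulnerable` never happens.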
dontyougetsoupedyet@reddit
You are using so much rhetoric because you don’t know very much. I will never understand this larping crap, reading this nonsense about bytecodes placed on the stack via the network is so frustrating, but know nothings will eat it up. You probably know as little about undefined behavior as you do about bytecode. I see straight through this rhetorical crap.
Outside_Knowledge_24@reddit
Plenty of devs just don't want to add a bunch of non-functional requirements to their work, either. Managing dependencies as versions have CVEs detected, enacting encryption in transit between all services, managing keys, etc etc is all seen as unpleasant or even counterproductive
dontyougetsoupedyet@reddit
Also, things like having a threat model are the least of your concerns when inept middle managers say “I accept the risk” like it’s a magical incantation for reaching short term goals. Vulnerabilities are a management problem.
Alexander_Selkirk@reddit (OP)
Since the author of that OP, Herb Sutter, is a C++ expert, here is some interesting discussion on this on /r/cpp.
guest271314@reddit
Fuck U.S. Executive Orders.
Just means the U.S. Congress has abrogated their mandate.
And SCOTUS upholding a fucking ban on TikTok while ruling the Executive has absolute immunity is insane.
The U.S. Government are just gangsters, wannabe gangsters, and maybe a bot or girl scout mixed in every 1000 employees or so.
Fuck 'em all.
Carthax12@reddit
Brilliant satire! LOL
guest271314@reddit
I'm serious. An Executive Order does not have the force of law enacted by a Legislature. That's what Separation of Powers is for.
Outside_Knowledge_24@reddit
The EO applies to what gov agencies will purchase. Those decisions are delegated by Congress to the executive. The executive has decided that these security concerns are paramount in selecting vendors. Why would that need "the force of law"? Any private company is free to ignore this and find customers elsewhere
Outside_Knowledge_24@reddit
Lmao good luck telling that to a procurement team at an agency run by the EXECUTIVE branch
Middlewarian@reddit
Prediction: C++ has survived many attempts to take it down and will survive this one from the Biden administration as well. I'm biased though as I'm building a C++ code generator.
MeBadNeedMoneyNow@reddit
Go on then.
theryan722@reddit
Wtf are you talking about? Your post is written as if from a schizophrenic on meth.
shevy-java@reddit
"it’s imperative that organizations consider limiting the amount of personal data they store"
So on the one hand: don't store personal data. On the other hand we have Facebook and Google sniffing for user data. Something does not fit here, logically. It is orthogonal.
amroamroamro@reddit
simply put: Do As I Say, Not As I Do
Glizzy_Cannon@reddit
What they mean is if you're not part of the oligopoly of tech giants you don't have the privilege of storing personal data. It's pay to play.
chipperclocker@reddit
I think it's pretty clear. The tech giants believe they have legitimate reason to do that sniffing and believe they can secure what they sniff. Whether that sniffing is good is sort of unrelated; for them the data is both an asset and a liability.
The advice to treat data as a liability applies to everyone, but the companies who need to hear it most are the ones that don't even have a plan for how to use the data they have; they want to hold it forever just in case it ever becomes useful, or just aren't thinking about retention policies at all.
Data is always a liability, and sometimes it is also an asset. But the security world is really trying hard to get everyone to universally view it as a liability.
Crafty_Independence@reddit
That "legitimate reason" being that they directly profit off that data and contribute to political campaigns to keep the profits unscrutinized
ScottContini@reddit
Lots of companies think they have a legitimate reason and think they can secure what they sniff. Many of them find out that they have gaps. Even Google had a gap that resulted in the NSA getting heaps of data about their customers.
There needs to be limits to what data these companies can collect and under what circumstances.
Alexander_Selkirk@reddit (OP)
You mean "contradictory".
DragonflyMean1224@reddit
Trump Eliminated protections last time. He will likely make it even easier to buy and sell your data.
guest271314@reddit
You mean the same institution that didn't pay Inslaw, paid a third-party hacker to put a backdoor in PROMIS so they could spy on allies, and the same institution that had Bill Binney and his colleagues arrested after they said the U.S. Government shouldn't be mass spying on U.S. citizens using ThinThread, and has the nerve to talk about cybersecurity?
What a joke.