Apache Software Foundation (ASF was represented by the current President, a board member, and the VP Security https://twitter.com/abayer/status/1481676645891256320)
Linux Foundation (LF it was the @theopenssf leadership led by @brianbehlendorf https://twitter.com/cra/status/1481677285325422592)
"Feds attending include representatives from the departments of Commerce, Defense, Energy and Homeland Security, as well as agencies like the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the Office of Science and Technology Policy."
It is up to us to fix things. We need to get familiar with microkernels, confused deputies, and all the other lessons that go along with the topic.
If we continue insisting that everything will be fine if we just rewrite it in Rust, or make updates smoother, we'll lose the war for general purpose computing.
[Edit] I believe it is completely possible to have usable and secure computing, but only if we use capability based security, which Windows and Linux don't, and can never support.
I know security is important and I do want companies to do better, but where do we end up if we eventually require that all software that can be run has to be signed by some authority that has vetted it, and you can't run XYZ on your machine because it hasn't gone through the right clearance hoops, etc, etc? I understand that won't be the purpose. But my journey started when I had an old HP that had Windows ME on it that barely worked, so I ripped it off and installed Ubuntu because I heard from a family friend it would run better; doing that eventually led to a successful long career in computing. I think now about how easy it would be to move from the "you have to disable the UEFI Secure Boot option" step I went through to get Linux on my latest laptop to "This hardware security chip has detected an unsigned OS attempting to load and will now terminate."
I worry that continuing to lock things down in the name of "security" and making them mandatory, as often happens once the government gets involved, will eventually crush the hacking spirit and kill the joy of computing.
On the other hand, maybe I am just waxing nostalgic about a past that never existed, telling kids to get off my lawn and going on about how everyone wore an onion on their belt.
Now what may happen (and is already happening in the case of mobile devices) is that rental content (streaming services, etc) will only play if they are on "trusted" hardware. So you can have a development environment, but good luck trying to watch Hulu on it. And the development-capable devices will be more expensive due to lower sales (most people would rather purchase hardware that can access the services they want).
You're not, though. We're already mostly there, with most people's primary computing devices being Android and iOS devices that are that locked down.
Of course, the consequence of this is that everyone who has any power to decide anything on any of this at these companies treats the federal government as a bunch of senile, deranged lunatics, so the only possible way to work with them is to try to make them feel they are still relevant and not upset them.
- If it's even mentioned (hopefully, given log4j topics), nobody will concretely commit to anything that would look like "funding those open source projects we all use internally, rely on, and just assume will be fine." Or putting serious resources to fuzzing, analyzing, and generally beating the hell out of packages like that, committing any fixes back upstream.
- Nobody will be willing to consider that the reason we're in this spot is because we've spent all our effort on complexity and new features instead of actually locking down and making bulletproof a smaller set of features. To borrow from Apple's recent issues as discussed in Project Zero's writings, I'm sure your support for an obscure Xerox compression algorithm was used never, or nearly so, in practice (in text messages!). However, your inclusion of it allowed a nice entry point for some absolutely nasty software. Perhaps, instead of supporting every format under the sun you can find, you can support the common ones only, and lock those down. No, instead, we can convert our facial expressions into animated animals and send them to people (I'm not sure I want to know how many weird corner cases that code has).
- Nothing will change, ransomware will continue, reporters trying to shine light on questionable countries will continue having their phones/laptops/watches/etc hacked to hell and back, and we'll continue stumbling forward in the complexity canyon that swallows everything that gets near it.
We could make major security improvements if we were willing to say, "Let's focus on the 20% of the features that make up 80% of the use, and turn the rest off by default." Simplify the software drastically, which then means we can simplify the hardware because performance isn't as critical. But the tech industry's internal structures are absolutely opposed to this - you're promoted for shipping new features, not maintaining things, and not doing weird low level security analysis and fuzzing.
I'm pretty damned pessimistic about the state of computer security, if it's not obvious.
In fact, actually having too much of a clue is probably more of a liability when you're summoned to a meeting at the White House, as you might say something they'll hold you to.
Brian Behlendorf is there from the newly formed Open Source Security Foundation, here's his resume, in the form of a Wikipedia entry because he was one of the OG developers for Apache Web Server:
Executives from tech companies aren't usually just random MBAs -- they're often deeply technical people who ran engineering teams with huge impact.
Besides, they're not having a pair-coding session to ship a release to fix Log4J -- they're talking about a coordinated effort to prevent future vulns. Obviously engineering knowledge is necessary but the coordination aspect involves org-wide and industry-wide changes.
I've worked with a wide range of execs across several fields now and many of them are truly exceptional people with deeper understanding of their business's low level details than you'd expect.
Someone on Twitter said Linux Foundation as well.
"The summit will also include the Apache Software Foundation — the owner and maintainer of the Log4j library — and Oracle, owner of the Java software platform on which the Log4j library runs. GitHub and the Linux Open Source Foundation will also be represented."
Which makes sense -- they host the Open Source Security Foundation (https://openssf.org/) which is meant to be working on exactly this type of problem.
"ASF was represented by the current President, a board member, and the VP Security"
"from LF it was the @theopenssf leadership led by @brianbehlendorf"
For instance, pushing for big tech anti-trust legislation when cable companies and telcos are just sitting around providing awful service and regularly breaking their promises for coverage and quality.
No focus on improving housing affordability or pressure on state/local governments on solutions. Everyone just turns up their nose until the housing demand squeezes their backyard supply.
Generally very frustrating to see and I don't have confidence that either party is equipped to solve this so I'm not optimistic about post-2022 elections.