White House will meet execs from Apple, Amazon, IBM to discuss software security (reuters.com)
26 points by ksec 6 days ago | 40 comments

Just to try and clean up the attendee list since each article has a slightly different list:

Apache Software Foundation (ASF was represented by the current President, a board member, and the VP Security https://twitter.com/abayer/status/1481676645891256320)

Linux Foundation (LF it was the @theopenssf leadership led by @brianbehlendorf https://twitter.com/cra/status/1481677285325422592)











"Feds attending include representatives from the departments of Commerce, Defense, Energy and Homeland Security, as well as agencies like the Cybersecurity and Infrastructure Security Agency, the National Institute of Standards and Technology, the National Science Foundation, the Office of the National Cyber Director and the Office of Science and Technology Policy."

It's very interesting Alphabet is not on that list.

Oversight by me -- they're definitely there. Added now.

I predict the principle of least privilege will appear in the conversation zero times, along with zero instances of seL4, microkernels. Also absent will be any suggestion that the NSA be directed to actually help secure our nation's computers in a meaningful way.

It is up to us to fix things. We need to get familiar with microkernels, confused deputies, and all the other lessons that go along with the topic.

If we continue insisting that everything will be fine if we just rewrite it in Rust, or make updates smoother, we'll lose the war for general purpose computing.

[Edit] I believe it is completely possible to have usable and secure computing, but only if we use capability based security, which Windows and Linux don't, and can never support.

Honestly I am really concerned that eventually open computing and the days of a couple of college kids in a garage building a product that turns into a multi-million dollar success, are going to disappear under the guise of security.

I know security is important and I do want companies to do better, but where do we end up if we eventually require that all software that can be run has to be signed by some authority that has vetted it, and you can't run XYZ on your machine because it hasn't gone through the right clearance hoops etc, etc, and I understand that won't be the purpose. But my journey started when I had an old HP that had Windows ME on it that barely worked so I ripped it off and installed Ubuntu because I heard from a family friend it would run better, doing that eventually led to a successful long career in computing. I think now about how easy it would now be to move from "you have to disable UEFI Secure Boot option" I went through to get Linux on my latest laptop to "This hardware security chip has detected an unsigned OS attempting to load and will now terminate."

I worry as we continue to lock down things in the name of "security" and make them mandatory, as often happens once the government gets involved will eventually lead to crushing the hacking spirit and kill the joy of computing.

On the other hand maybe I am just waxing nostalgic about a past that never existed that is telling kids to get off my lawn and about how everyone wore an onion on their belt.

I doubt we will be in that situation, because then by definition all development will stop, and programming education will also stop. There will always be hardware or systems that you can develop on.

Now what may happen (and is already happening in the case of mobile devices) is that rental content (streaming services, etc) will only play if they are on "trusted" hardware. So you can have a development environment, but good luck trying to watch Hulu on it. And the development-capable devices will be more expensive due to lower sales (most people would rather purchase hardware that can access the services they want).

> On the other hand maybe I am just waxing nostalgic about a pass that never existed that is telling kids to get off my lawn and about how everyone wore an onion on their belt.

You’re not though. We’re already mostly there with most people's primary computing devices being Android and iOS devices that are that locked down.

I predict it will be "we'll do what we can about security, now what can you do about further opening up immigration...". Apparently this was their primary concern when they had that meeting with Trump.

When I hear this, I start thinking, are they getting called because of too much security?

Not to this meeting. This meeting is the circus act where the government subtly (or sometimes not so subtly) tells them they are really worried about security and they are thinking about enacting draconian laws where they are basically responsible each time a user gets phished, and where they have to pay hefty fines to the government each time there's a data leak. Then there's the meetings that are not advertised where they ask them to make the devices less secure so that the government can spy on everyone. This has been going on for more than five years already.

Of course the consequences of this are that everyone that has any power to decide anything on any of these companies treats the federal government as a bunch of senile deranged lunatics so the only possible way to work with them is try to make them feel they are still relevant and not upset them.


- If it's even mentioned (hopefully, given log4j topics), nobody will concretely commit to anything that would look like "funding those open source projects we all use internally, rely on, and just assume will be fine." Or putting serious resources to fuzzing, analyzing, and generally beating the hell out of packages like that, committing any fixes back upstream.

- Nobody will be willing to consider that the reason we're in this spot is because we've spent all our effort on complexity and new features instead of actually locking down and making bulletproof a smaller set of features. To borrow from Apple's recent issues as discussed in Project Zero's writings [0], I'm sure your support for an obscure Xerox compression algorithm was used never, or nearly so, in practice (in text messages!). However, your inclusion of it allowed a nice entry point for some absolutely nasty software. Perhaps, instead of supporting every format under the sun you can find, you can support the common ones only, and lock those down. No, instead, we can convert our facial expressions into animated animals and send them to people (I'm not sure I want to know how many weird corner cases that code has).

- Nothing will change, ransomware will continue, reporters trying to shine light on questionable countries will continue having their phones/laptops/watches/etc hacked to hell and back, and we'll continue stumbling forward in the complexity canyon that swallows everything that gets near it.

We could make major security improvements if we were willing to say, "Let's focus on the 20% of the features that make up 80% of the use, and turn the rest off by default." Simplify the software drastically, which then means we can simplify the hardware because performance isn't as critical. But the tech industry's internal structures are absolutely opposed to this - you're promoted for shipping new features, not maintaining things, and not doing weird low level security analysis and fuzzing.

I'm pretty damned pessimistic about the state of computer security, if it's not obvious.

[0]: https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...

Strange title, especially the cherry picked companies (by Reuters, not OP). Full list from the article:

So all the major clouds, all the major desktop OS companies, all the major mobile OS companies. "from major tech companies" seems more reasonable.

What in God's name would any execs from those or any other company realistically be able to share about software security?

Given that the first two represent an enormous amount of the overall compute use (mac computers, aws cloud machines) and their surface areas are directly related to our national defense, I think they'd be able to share a fair amount.

I think the point was that executives won't have enough technical knowledge to be able to say much about it except in extremely vague terms like "we take security seriously".

In fact, actually having too much of a clue is probably more of a liability when you're summoned to a meeting at the White House, as you might say something they'll hold you to.

This is such a cynical view unfortunately shared by a lot of people in the thread. For two examples, the VP Security of ASF is there, here's his resume:

> https://www.linkedin.com/in/mark-j-cox/

Brian Behlendorf is there from the newly formed Open Source Security Foundation, here's his resume, in the form of a Wikipedia entry because he was one of the OG developers for Apache Web Server:


Executives from tech companies aren't usually just random MBAs -- they're often deeply technical people who ran engineering teams with huge impact.

Besides, they're not having a pair-coding session to ship a release to fix Log4J -- they're talking about a coordinated effort to prevent future vulns. Obviously engineering knowledge is necessary but the coordination aspect involves org-wide and industry-wide changes.

No argument that they have the experience and knowledge within their organizations. I think OP was expressing doubt that "execs" will be informed enough to deliver actionable insights.

OP would be wrong, then. The execs those companies send will be a combination of politically brilliant and technically knowledgeable.

I've worked with a wide range of execs across several fields now and many of them are truly exceptional people with deeper understanding of their business's low level details than you'd expect.

OP may be wrong or may not be. It is certainly not a rule that all executives are as you describe and there is no shortage of anecdotes to oppose yours.

Part of their job should be to convey upward feedback. If employees and teams write them good scripts, they should be able to deliver.

I love how Microsoft is a footnote but they put Amazon in the headline.. for software security.

Amazon is important due to the widespread use of AWS

And does anyone really use MS products?

I would hope there is more government - industry communication than this.

Because I'm sure this is going to lead to security for the people and definitely for sure not pushes for more avenues for mass surveillance...

But no one from Apache, and no one from any of the other major OSS projects

Apache is apparently included. https://www.theverge.com/2022/1/13/22881813/white-house-tech...

Someone on twitter said Linux Foundation as well.

It's in that verge article;

"The summit will also include the Apache Software Foundation — the owner and maintainer of the Log4j library — and Oracle, owner of the Java software platform on which the Log4j library runs. GitHub and the Linux Open Source Foundation will also be represented."

Which makes sense -- they host the Open Source Security Foundation (https://openssf.org/) which is meant to be working on exactly this type of problem.

People from Apple and IBM are members of the Apache Software Foundation. Though I am not sure if executive level has any members.

Did you find the full list of attendees? I haven’t been able to

It's coming out in drips and drabs;


"ASF was represented by the current President, a board member, and the VP Security"

"from LF it was the @theopenssf leadership led by @brianbehlendorf"


IBM owns RedHat, one of the largest open source companies.

Somebody had to take notes.

He who writes, remains, right? Har, har.

When these people get together I cannot imagine anything good for regular people coming from it.

Ok, but please don't post unsubstantive comments here. Especially not dyspeptic ones. It makes for worse discussion.

The White House seems laser focused on issues that are not that important to most people. Yes, "cyber security" is always relevant -- but what is accomplished by a high-profile photo op meeting like this? What does the White House/Executive branch really have to offer? Next week, is there going to be a high-profile meeting with cereal makers to discuss nutrition? I mean, that's important too I guess...

Normally my response here would be, "the government is doing a lot of things and focus here doesn't mean no focus on the other issues" but lately I'm wondering what they are actually doing about the meaningful "everyday" problems (in quotes because cyber security is an every day/all day problem, but doesn't feel like the forefront of the issues the average American faces today).

For instance, pushing for big tech anti-trust legislation when cable companies and telcos are just sitting around providing awful service and regularly breaking their promises for coverage and quality.

No focus on improving housing affordability or pressure on state/local governments on solutions. Everyone just turns up their nose until the housing demand squeezes their backyard supply.

Generally very frustrating to see and I don't have confidence that either party is equipped to solve this so I'm not optimistic about post-2022 elections.

Cyber Security I would argue falls under a national defense issue, as a foreign power being able to take control of Industrial and Control systems would likely cause the issue to jump to the top of many Americans' concerns if their power or water shut off. Generally I agree with you and am critical of a lot of the circus around it, but this is one of the areas I would argue the White House as Commander in Chief should actually be involved in.
