White House Scraps 'Burdensome' Software Security Rules (securityweek.com)
- Reference: 0180703126
- News link: https://yro.slashdot.org/story/26/01/30/2041200/white-house-scraps-burdensome-software-security-rules
- Source link: https://www.securityweek.com/white-house-scraps-burdensome-software-security-rules/
> The White House has announced that software security guidance issued during the Biden administration has been [1]rescinded due to "unproven and burdensome" requirements that prioritized administrative compliance over meaningful security investments. The US Office of Management and Budget (OMB) has issued [2]Memorandum M-26-05 (PDF), officially revoking the previous administration's 2022 policy, 'Enhancing the Security of the Software Supply Chain through Secure Software Development Practices' (M-22-18), as well as the follow-up enhancements announced in 2023 (M-23-16).
>
> The new guidance shifts responsibility to individual agency heads to develop tailored security policies for both software and hardware based on their specific mission needs and risk assessments. "Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network," reads the memo sent by the OMB to departments and agencies. "There is no universal, one-size-fits-all method of achieving that result. Each agency should validate provider security utilizing secure development principles and based on a comprehensive risk assessment," the OMB added.
>
> While agencies are no longer strictly required to do so, they may continue to use secure software development attestation forms, Software Bills of Materials (SBOMs), and other resources described in M-22-18.
[1] https://www.securityweek.com/white-house-scraps-burdensome-software-security-rules/
[2] https://www.whitehouse.gov/wp-content/uploads/2026/01/M-26-05-Adopting-a-Risk-based-Approach-to-Software-and-Hardware-Security.pdf
Watch out for those buttery males! (Score:2, Interesting)
Remember the right wing is impervious to hypocrisy. They simply do not experience the combined emotions of shame and self-awareness that are associated with it.
Meanwhile Donald Trump continues to be the best investment Russia ever made. Did you hear we are funding insurgents in Canada? That is a real sentence that I wrote that has real meaning and isn't just a shitpost.
Re: (Score:2)
> Did you hear we are funding insurgents in Canada? That is a real sentence that I wrote that has real meaning and isn't just a shitpost.
Someone must have told him Alberta has half as much oil as Venezuela, and it’s a whole lot closer.
It was too hard for Putin to read Trump's email. (Score:2)
So they had to remove the firewall and complex passwords. Haha
Re: (Score:1)
I'm sure Trump sends email in bulk to Putin along with the Ukraine intel
Ho hum... (Score:4, Interesting)
This abdication of effort and responsibility isn't special. Throw it on the pile with the rest. Cyber security can compost alongside health care, environmental protection, consumer protection, financial watchdogging... the list is already so well populated that this one doesn't matter much in the grander scheme.
Tortured logic. (Score:3)
The reasoning is honestly just baffling. Apparently the old requirements "diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware." by requiring that people keep track of what software they were actually using.
Aside from the...curious...idea that knowing what your attack surface looks like is a diversion from developing assurance requirements, the claim that the old policy about SBOMs is being revoked for not focusing on insecure hardware is odd, both on the obvious point that basically anything with a sensible scope only focuses on certain issues and leaves other issues to be handled by other things, and on the only slightly less obvious issue that most 'insecure hardware', unless you've qualified for a really classy covert implant or have high-sensitivity TEMPEST issues or something, is not actually a hardware problem but a firmware problem, which is just a software problem that isn't as visible: exactly the sort of thing that SBOMs help you keep an eye on.
Not like anyone expected better, but this is exceptionally poor work.
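As an added example (not from this post, the OMB memo, or any vendor's tooling), here is what "keeping an eye on" a firmware component via an SBOM looks like in practice: a CycloneDX-style SBOM that lists a firmware entry alongside ordinary libraries is parsed, and each component's version is matched against a list of affected version ranges. The SBOM document, the component names and the advisory identifiers (ADV-0001, ADV-0002) are all constructed for illustration and are not real products or real CVEs; the version comparison handles only dotted-numeric versions and raises on anything else rather than silently comparing strings.

```python
"""Match components in a CycloneDX-style SBOM, firmware included, against a
list of affected version ranges.

Added example: the SBOM below and the advisory list are constructed for
illustration only; the advisory identifiers are hypothetical, not real CVEs.
"""
import json

# Constructed CycloneDX 1.4-style SBOM (not from any real product). The
# "firmware" entry is the kind of "hardware" risk that is really software.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "liblzma", "version": "5.6.1",
         "purl": "pkg:generic/liblzma@5.6.1"},
        {"type": "firmware", "name": "bmc-firmware", "version": "2.14.0",
         "purl": "pkg:generic/vendor/bmc-firmware@2.14.0"},
        {"type": "application", "name": "agent", "version": "3.0.2"},
    ],
})

# Hypothetical advisories: (component name, advisory id, first affected
# version, first fixed version). Affected when first_affected <= v < first_fixed.
ADVISORIES = [
    ("liblzma", "ADV-0001", "5.6.0", "5.6.2"),
    ("bmc-firmware", "ADV-0002", "2.0.0", "2.15.0"),
]


def parse_version(v):
    """Turn '5.6.1' into (5, 6, 1) so versions compare numerically.

    Only dotted-numeric versions are handled; anything else raises, so a
    malformed SBOM entry is reported instead of being compared as a string.
    """
    try:
        return tuple(int(part) for part in v.split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable version {v!r}") from exc


def _walk(comps):
    """Yield (type, name, version) for each component, recursing into nested
    'components' lists in document order. A missing version is yielded as
    None so the caller can flag the entry as unassessable."""
    for comp in comps:
        yield comp.get("type", "unknown"), comp["name"], comp.get("version")
        yield from _walk(comp.get("components", []))


def components(sbom_json):
    """Parse the SBOM JSON text and return its flattened component list."""
    doc = json.loads(sbom_json)
    return list(_walk(doc.get("components", [])))


def affected(sbom_json, advisories=ADVISORIES):
    """Return (hits, unassessable).

    hits: list of (type, name, version, advisory id) for components whose
          version falls inside an advisory's affected range.
    unassessable: list of (type, name) for components with no version.
    """
    hits, unassessable = [], []
    for ctype, name, version in components(sbom_json):
        if version is None:
            unassessable.append((ctype, name))
            continue
        v = parse_version(version)
        for adv_name, adv_id, first_affected, first_fixed in advisories:
            if name != adv_name:
                continue
            if parse_version(first_affected) <= v < parse_version(first_fixed):
                hits.append((ctype, name, version, adv_id))
    return hits, unassessable


if __name__ == "__main__":
    found, missing = affected(SAMPLE_SBOM)
    for ctype, name, version, adv in found:
        print(f"{ctype:<12}{name}@{version} affected by {adv}")
    for ctype, name in missing:
        print(f"{ctype:<12}{name} has no version; cannot assess")
```

Run as-is it reports both the library and the firmware component as inside an affected range; the point is that the firmware entry is handled by exactly the same inventory-plus-version check as any other software component, and a component with no version is surfaced as a gap in the inventory rather than dropped.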
Re: (Score:2)
> The reasoning is honestly just baffling. Apparently the old requirements "diverted agencies from developing tailored assurance requirements for software and neglected to account for threats posed by insecure hardware." by requiring that people keep track of what software they were actually using .
It's definitely "organizational speak", but afaict the SBOM thing, and the attestations about the whole dependency tree, is virtually impossible for the large majority of COTS systems, especially SaaS ones. Like actually doing what the old policy seems to claim that it wants would increase costs tenfold or a hundredfold. So I think the thing getting repealed was not realistic and IS just a paper exercise of people exchanging lies, as well meaning as it was...
So I think it's maybe worthwhile to actually f
Cool. Out with one set of compliance BS (Score:1)
In with another.
What a fucking joke.
Yes, there is such a thing as a secure environment and no, not everything needs to be zero trust and waste half its CPU cycles doing twenty kinds of SAML requests.
Re: (Score:2)
> In with another.
I was in a DevOps position at my previous employer. We were running around like maniacs getting ready to comply with the old rules.
It's been a few years. I wonder if they ever got it squared away...
Responsible for their own security? (Score:2)
"Each agency head is ultimately responsible for assuring the security of software and hardware that is permitted to operate on the agency's network,"
If it's [1]not on your network [politico.com], there is no security issue.
[1] https://www.politico.com/news/2026/01/27/cisa-madhu-gottumukkala-chatgpt-00749361
A little background (Score:2, Interesting)
Trump isn't doing this on his own; there are valid criticisms of these memos. Here's a quick writeup (thanks Claude):
Analysis of OMB Memoranda M-22-18 and M-23-16
Who's criticizing these memoranda?
Industry and vendor concerns (from the implementation period):
[1]Suppliers and vendors faced variations in conformity assessment expectations from agency to agency, with each agency potentially taking different approaches to the self-attestations [nist.gov]. The attestation requirements had to be obtained for every major versio
[1] https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-ssdf
Re: (Score:2)
Thanks for the background. I too am shocked that vendors were whining about having to comply with security standards.
No, you're right -- it's TOTALLY a "valid" point that vendors shouldn't have had to attest to the security of a "major version change." After all, major version changes are known for minor changes in the platform's design.
And it's TOTALLY a "valid" point that Officers of companies signing the attestation shouldn't have to face criminal liability for willfully providing false or misleading i
Re: (Score:2)
Apparently you are not from the USA as you are TOTALLY using sarcasm which will TOTALLY go over the head of some here. As I see it not wanting to do due diligence or take responsibility for your work is totally on brand with the current US administration. Of course when they get pwned it will totally be Biden's fault.
Previous policies (Score:2)
Just imagine if the article or the summary had linked to the original policies, [1]Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (M-22-18) [whitehouse.gov], as well as [2]the follow-up enhancements announced in 2023 (M-23-16) [whitehouse.gov]
so that readers could see that they weren't "universal, one-size-fits-all method of achieving [the security goal]", and that it was as usual a lie, one that will surely weaken our security posture to disastrous consequences.
[1] https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf
[2] https://www.whitehouse.gov/wp-content/uploads/2023/06/M-23-16-Update-to-M-22-18-Enhancing-Software-Security.pdf
just imagine if (Score:1)
This was actually my job at a previous employer and I actually know something about this, and I didn't form an opinion based on a cursory review of some links, like apparently you just did.
Yes, software security is a real problem these days. The xz debacle showed everyone where the real risks are. There are so many ways now to get backdoors injected into major open source projects by finding the tiniest vulnerability and social engineering the hell out of it -- in the case of xz they found a stable, basical
Major Meltdown Or Epic Explosion (Score:5, Interesting)
After reading about the latest hot AI agent platform, and its complete lack of guardrails or security, I see this as a step into a massive disaster.
I guess I'm getting old. I'm deeply disturbed by our immediate tech future.
Re: (Score:2)
> I see this as step into a massive disaster.
Yeah, let's hope that never happens. [1]Oh, wait. [wikipedia.org]
[1] https://en.wikipedia.org/wiki/United_States_government_group_chat_leaks
Re: (Score:3)
Well, XKCD dependency (https://www.explainxkcd.com/wiki/index.php/2347:_Dependency ) came out 5+ years ago and was already true for 10 years before that in all SaaS. And even in home rolled systems of banks, fintech and other mainstream and "sober" services, though idk about defense specifically.
And some aspects of things have gotten better, but there's still no way, afaik, for anyone to REALLY certify something like even a Linux distribution except in the sense of 'yeah we'll try to fix it when the C
It's definitely not coming from security ppl. (Score:4, Interesting)
The thing with security is that it's hard, and it's annoying, and it grates on bosses who want to "move fast and break things".
Proper institutional IT security is less about keeping on top of the latest way to manipulate a malloc() to generate a buffer overflow, although that's ALSO important, and more about the procedures and practices in an organization. You got virus checkers and software solutions to handle the technical stuff; the hard part is to convince the damn receptionist to stop buying from spam mails, because THAT'S where most of the damage comes from.
And in an organization with thousands of people, that's going to mean procedures, procedures and more procedures. You need regular audits to quantify what the risks are, what the vulnerabilities are, and what is to be done to patch up those holes. You need training to teach people not to open unverified attachments. You need up-to-date inventories on computers as well as a regulated and planned approach to keeping up to date with software patches, and making sure all of your software is licensed (the whole thing falls apart when Ted from marketing is using a pirated version of Photoshop). All of this is a lot of work, and it's all essential if you don't want the Chinese running rampage through your network.
But so many bosses I've had have hated this stuff. It's not how they operated when the company was 5 guys in an industrial unit. Well, Mo' Money, Mo' Problems: what works for 5 guys will not work for 500 guys because everything's exponentially more complex now, and so are the stakes. And here's the thing, when you got a government stuffed with startup-guy posers who think they know how to run a business, they'll start thinking government departments with 20,000 employees should be run like a 5-guy start-up where the weekly payroll is paid off the boss's credit card.
You saw the height of this hubris with DOGE when they actually thought they could get 6-7 guys working for a couple of months to replace giant mainframe systems that had literal decades' worth of code cruft. Yeah no, big-boy world doesn't work like that.
And you can't do security by just keeping Norton up to date, not when China is literally hiring hundreds of top tier hackers to break in and steal anything not nailed down.