Mastodon Feed
Reblogged by cstanhope@social.coop ("Your friendly 'net denizen"):
signal9@hackers.town ("signal9 :hackers_town:") wrote:
I have said, and I've printed a sticker in case you don't hear me say it:
Defend Dangerous Computing
I don't know if I've ever said why.
VS Code + Github hold a monopoly on the software development process like hasn't been seen since before the days of GNU. (You can @ me about GNU later, that's not the point right now.) Developers have been lured to this end by very nice to use tools, that are "free." These tools are both owned by Microsoft who can integrate them together as tightly as anything. The average, I would guess, developer experience is completely tied up in VS Code and Github.
Many of us don't use either, we can get back to that point later.
Now that we're all settled in to the default MS workflow, let's introduce a couple more technologies that seem obvious for security: Trusted Computing, SBOM and Software Identification.
There is a movement to secure the open source supply chain. I'm intimately familiar, and have been working in that space for a few years now. There are others more involved and smarter than me, look them up. A large open source software ecosystem has a broad attack surface, and this is making some people nervous. With something greater than 80% of enterprise software comprising of open source components, there are those in the security community who are nervous about the potential for malicious code to be introduced somewhere within this vast, porous field. In order to answer to this threat, new elements of control are being explored. Most of these seem benign on their own.
Having a bill of materials for a piece of software is fine. Having a reasonable assurance that the software you are running is the software that you think you are running is fine. Signing packages, libraries, SBOMs and various attestations is also fine, probably even good.
VS Code and Github are already starting work to make providing signed SBOM and attestations seamless for developers. Additional work being proposed by CISA aims to make it easier to identify software packages, and Microsoft will no doubt provide free, robust tools to make this simple for developers as well. No doubt, these tools will integrate seamlessly between Code and Github with little to no effort. We have an open source code ecosystem we can trust.
Did somebody say Trust? Let's add Trusted Computing. Without getting way into implementation specifics, Trusted Computing (and it's ilk) are designed to ensure that only the software that the hardware manufacturer deems "safe" may be run. Combined with secure software identification, SBOMs and trusted certificates, Trusted Computing we have an impenetrable fortress within which approved software may be safely run. Right?
"Safe" is not necessarily determined by the user of the system, but by the manufacturer, by regulators, by law. With a hegemony in place to ensure that software is identified, signed and approved, and hardware will only run approved software, this is looking pretty sweet for the monopolists - all with the blessing of regulators to give real teeth to any punishment for violation. CFAA gets even more powerful, no?
By willingly leaning into the VS Code + Github monopoly, developers are cutting a clear path to domination in exchange for "free", convenient tooling. These same folks might say of Alphabet or Meta, "If you're not paying, you're the product." Why would this be any different for corporate development tools?
This story gets even spookier when you add browser monopoly, cloud monopoly, what have you. If you don't like the word "monopoly", try "monoculture" and see if that makes you feel any better.
So, I say fuck safe (I work in cybersecurity, the irony is not lost on me), give me Dangerous Computing. Give me keen tools that I control that, yes, I might be able to cut myself on. Give me weapons, or get out of my why while I build my own.
DEFEND DANGEROUS COMPUTING