On 2023-02-22 14:17, Gilbert Detillieux wrote:
You'd think with the combined wealth and resources of Alphabet/Google, Apple, and Microsoft, they'd find it in their best collective self-interest to fund a project to replace this garbage with some, you know, actually secure code.
1) not having to pay for it; and
2) having a scapegoat for stuff that goes sideways.
Both sound awful to me, but I am not a CEO for a reason...
On 2023-02-22 15:12, Adam Thompson wrote:
The OpenSSL team, however, appear to be rather resistant to help. Serious NIH syndrome. Also they're more focused on preserving backwards compatibility than correctness or security. And also don't respond well to criticism, from what I've seen.
Amusing, isn't it? Every once in a while someone shows up smearing the OpenBSD developers for *reasons*, but as far as I can tell they strike a good balance between stability - avoiding changes for the sake of it - while regularly dropping the dead weight to make things secure and to move forward. A reasonable compromise, if you will.
On 2023-02-22 15:37, Gilbert Detillieux wrote:
Longer term, maybe a complete re-imagining is what the industry will need to move forward. Most companies and developers are motivated more by new features than by correctness or security, sadly.
Let me present the Schrödinger's SysAdmin:
- If things break, well, it's your fault. You shouldn't have messed with anything, it was working before. Don't fix what isn't broken. - If things work, are you even doing anything? If nothing is breaking, you must be useless.
It's hard to sell something that, when done, won't change anything as far as most people are concerned. No new apparent features; instead, potential for disruption and costs. All of that to protect from the *threat* - as in something that may or may not happen - of an attack.
At best, you can try and argue that something /could have happened/, but didn't. Even if you can prove it, more often than not, someone could easily think you're exaggerating to prove a point.
The optimist wishes executives could see the light. The realist knows that, as long as someone other than themselves can be blamed, more often than not they won't let you do what you must.... until the moment where you /should have done it. /Then, it's /your fault./ Or, instead, they just buy insurance for it, pretend no one could ever have seen it coming, and move along.
Yes, some places do see past all the cynicism, and have some accountability. But we would not have landed where we are if that weren't the exception to the rule, so it is what it is. Let's hope it finds a way to go that does not involve a huge BANG.