Conversation

Biggest impact will be AWS if they manage to actually widely distribute keys. We'll see. If every account that paid for support got a free key, that'd move the needle.

Quote Tweet

Eric Geller

@ericgeller

Aug 25, 2021

Embargo has lifted on WH cyber meeting announcements. * Microsoft: offering $150m worth of security help to govt agencies * Google: donating $100m to help orgs that secure open-source software * Amazon: free security tokens for AWS users * IBM: cyber training for 150k people

Show this thread

InsanityBit

@InsanityBit

Aug 26, 2021

Interestingly, seems that the vast majority of responses disagree. 100m+ for "security" is not real value. Free tokens that can be applied to any service (not just AWS) is (potentially) huge and, most importantly, addresses a REAL threat, not just "make security better".

InsanityBit

@InsanityBit

Aug 26, 2021

IMO AWS showed everyone else up here. Addressed a real problem, helps their direct customers be safe across services, didn't have to spend 100M+ on nothing.

Replying to

If Google gave money to

@OSTIFofficial

or something like this, or funded development/donated to critical infrastructure, that's not a bad contribution IMO. Lifting OpenSSL out of its previously underfunded state was a massive boost to everyone's security (for example).

Replying to

and

Funding insecure infrastructure rather than replacing it with secure infrastructure isn't a long-term solution. It may make things worse rather than making them better. No amount of funding is going to make OpenSSL into a project focused on security/correctness like BoringSSL.

Replying to

I don't think what they intend to do with that money is simply funding critical open source infrastructure. I think they intend for most of it to be used on efforts like the Rust TLS stack they're funding via ISRG. abetterinternet.org/post/preparing At least, I hope that's their plan.

Replying to

Similarly, see opentitan.org which is an open hardware secure element they could use to replace their Titan secure elements in Pixels and their servers, but available for others too. Google does fairly aimlessly throw money at projects but has more focused efforts too.

opentitan.org

Open source silicon root of trust (RoT) | OpenTitan

The first open source project building a transparent, high-quality reference design and integration guidelines for silicon root of trust (RoT) chips

Replying to

and

Yeah, my concern was this was going to be aimless. If they actually put money into meaningful projects, I support that, but "open source security" is scary-vague. Giving people tokens has obvious, real value. I don't have to really guess as much about it.

Replying to

and

Google has gotten pretty good at this especially now that they're onboard with Rust. Likely interested in funding replacing a bunch of infrastructure with solid Rust projects, among other things. Android 12 even replaces most of the old C++ Bluetooth stack with a new Rust one.

8:32 PM · Aug 26, 2021Twitter Web App

Replying to

I think you might end up being pleasantly surprised by how they use the money. I think they've gotten a lot smarter over the past couple years. They've realized that a lot of what they were doing is a dead end and while they're still funding it, they're shifting to better things.

Replying to

and

That's encouraging at least.

Replying to

and

Interesting. Rust at Google has been something I've watched for a while and it felt fragmented for a long time, only recently (last year) making progress in some orgs. Seems like Fuschia was critical for that, since it unblocked build system support.

Replying to

and

Rust is now one of the official AOSP languages with C++, Java and Kotlin. New components are going to be primarily written in Kotlin at a high level and Rust for low-level code. Fuchsia and AOSP have both thoroughly rejected any further use of Go beyond in the build system, etc.

Show replies

Replying to

and

Handing out security keys to people who don't already have them is probably has the most immediate impact, agree. Also agree replacing hulking memory-unsafe code bases is a nice medium/long term goal. But this will take time.

Replying to

and

It's going pretty fast for AOSP. Everyone using supported Pixels will get an over-the-air update to Android 12 bringing the Rust Bluetooth stack. I expect they'll be introducing dramatically more of it for Android 13 as long as deploying it for Android 12 goes well.

Show replies