Anyway, it's our fault. We pretend that things like preventing LimeWire from being installed are a simple problem to solve, if only you "took security seriously". In fact, it's a problem we don't know how to effectively solve. We lie, claiming we know how to solve it.
That's why I get annoyed every time people propose "simple" public policy, like demanding a "software bill of materials". They pretend the problem is easy, but only because they are Dunning-Krueger on it.
Replying to @ErrataRob
I'm with you on the rest of the thread, but what is the argument against a bill of materials? I think I like the idea, it would certainly make my work easier. It's a niche value, and probably wouldn't be useful for most people, but that's also true of nutrition labels.
Replying to @taviso
Superficially, it looks easy, since we are listing the major components of software already anyway, for license purposes. But a bill of materials will mean going down to a deep level, listing every little component, every theoretical dependency.
Replying to @ErrataRob @taviso
For example, everybody using a Linux kernel will have to list every device driver included in the kernel. The userland part will have to list every piece of software in userland.
Replying to @ErrataRob
I would expect a useful bom to just say "linux 3.12.8", your argument is that it's too complicated to codify how that should be formulated? I agree it's not simple, but it seems surmountable, no?
Replying to @taviso
So when I report a vuln in a USB driver, does "linux 3.12.8" help? How do I know whether the vendor included that driver or not? If the bom is too high level, it's not much use. To be of use, it needs to be extremely low level, an overwhelming amount of effort.
Replying to @ErrataRob
Ah, I see now - you see bom as a way to check if something contains a flaw just by looking at a table. You're right, that is clearly never going to work. I saw it differently, a way to speed up audits and assess attack surface.
Replying to @taviso
While it would help your audits, it'll be a pox on corporate audits, filling them with information they cannot meaningfully act upon. Cybersec is already full of unactionable data companies cannot use, yet cannot bear to do without.
Replying to @ErrataRob
I agree it's of niche value - but wouldn't that argument also work against nutrition labels? Unactionable isn't the right word here, it would reduce the cost of an assessment. Sure, most people don't want that, but most people don't care how much fiber is in peanut butter.
People who do need precise nutritional information need those labels, and people who need an assessment to deploy something in a critical context would want a bom? I think I could see the argument that it's too high a burden for vendors for too few niche users, though.
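The granularity point argued above (a BOM that says only "linux 3.12.8" cannot tell you whether a vulnerable USB driver was built in, while a component-level BOM can) is illustrated by the following added example. It is not code from either participant; the SBOM format, the component and part names, the "busybox" entry and the advisory identifier "EXAMPLE-0001" are all constructed sample data, and the matching rules are an assumed, simplified model rather than any real SBOM standard's semantics.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    AFFECTED = "affected"
    NOT_AFFECTED = "not affected"
    # The coarse-SBOM case from the thread: the entry is in range, but the
    # inventory never recorded which sub-components (drivers) were built in.
    UNKNOWN = "unknown: SBOM does not record which sub-components were built in"


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    # None = the SBOM did not record sub-components at all (coarse entry).
    # An empty frozenset = it recorded that none were included.
    parts: Optional[frozenset] = None


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed identifier, not a real CVE
    component: str     # top-level component the flaw is reported against
    fixed_in: str      # first version carrying the fix
    part: str          # the specific sub-component (e.g. a driver) that is flawed


def parse_version(v: str) -> tuple:
    """Turn 'a.b.c' into a comparable tuple of ints."""
    return tuple(int(x) for x in v.split("."))


def load_sbom(text: str) -> list:
    """Parse the minimal, constructed JSON inventory format used below."""
    doc = json.loads(text)
    out = []
    for entry in doc["components"]:
        parts = entry.get("parts")
        out.append(Component(entry["name"], entry["version"],
                             None if parts is None else frozenset(parts)))
    return out


def assess(sbom: list, adv: Advisory) -> Verdict:
    """Match one advisory against an SBOM; UNKNOWN means the BOM is too coarse."""
    verdicts = []
    for c in sbom:
        if c.name != adv.component:
            continue
        if parse_version(c.version) >= parse_version(adv.fixed_in):
            verdicts.append(Verdict.NOT_AFFECTED)   # already carries the fix
        elif c.parts is None:
            verdicts.append(Verdict.UNKNOWN)        # version-only entry
        elif adv.part in c.parts:
            verdicts.append(Verdict.AFFECTED)       # flawed driver is built in
        else:
            verdicts.append(Verdict.NOT_AFFECTED)   # driver was left out
    if Verdict.AFFECTED in verdicts:
        return Verdict.AFFECTED
    if Verdict.UNKNOWN in verdicts:
        return Verdict.UNKNOWN
    return Verdict.NOT_AFFECTED


# Constructed sample inventories. The first is the high-level BOM from the
# thread; the other two record which kernel parts were actually built in.
COARSE_SBOM_JSON = '{"components": [{"name": "linux", "version": "3.12.8"}]}'
FINE_SBOM_JSON = '''{"components": [
  {"name": "linux", "version": "3.12.8", "parts": ["usb-hid", "e1000"]},
  {"name": "busybox", "version": "1.21.0", "parts": []}]}'''
TRIMMED_SBOM_JSON = '{"components": [{"name": "linux", "version": "3.12.8", "parts": ["e1000"]}]}'

# Constructed advisory: a flaw in the "usb-hid" part of linux, fixed in 3.12.9.
ADVISORY = Advisory("EXAMPLE-0001", "linux", "3.12.9", "usb-hid")


if __name__ == "__main__":
    for label, text in (("coarse", COARSE_SBOM_JSON),
                        ("fine", FINE_SBOM_JSON),
                        ("trimmed", TRIMMED_SBOM_JSON)):
        print(f"{label:8s} -> {assess(load_sbom(text), ADVISORY).value}")
```

The coarse inventory produces an UNKNOWN verdict for the in-range version, which is the "does 'linux 3.12.8' help?" objection in code: the consumer has to go back to the vendor to find out whether the driver shipped. The two part-level inventories resolve the same advisory to a definite answer in either direction, which is the audit speed-up the other side of the thread has in mind, at the cost of the vendor enumerating every built-in part.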