https://daniel.haxx.se/blog/2024/08/14/so-the-department-of-energy-emailed-me/
In a perfect example of checkbox security in action:
I received an email today. What follows is a slightly edited version (for brevity).
From: DOE Attestation Subject: [ACTION REQUIRED] U.S. Department of Energy Secure Software Development Attestation Submission Request
OMB Control No. 1670-0052 Expires: 03/31/2027
Hello Haxx
** The following communication contains important DOE Secure Software Development Attestation Submission instructions. Please read this communication in its entirety. **
The U.S. Department of Energy (DOE) has identified your company's software as affected by this request. The list of impacted software products and versions can be found below.
DOE Request:
In support of the Office of Management and Budget (OMB) requirement to collect attestations per M-22-18, please complete the U.S. Department of Energy Secure Software Development Attestation Form (DOE Common Form). If you are unable to attest to all secure software development framework (SSDF) practices, please be sure to attach your Plan of Action and Milestones (POA&M). The software listed below has been identified as being associated with your company and requires DOE to collect an attestation for the software.
Product Name Version Number
libcurl 8.3
His reply sorted that out....
Hello Department of Energy,
I cannot find that you are an existing customer of ours, so we cannot fulfill this request.
libcurl is a product we work on. It is open source and licensed under an MIT-like license in which the distribution and use conditions are clearly stated.
If you contact support@wolfssl.com we can remedy this oversight and can then arrange for all the paperwork and attestations you need.
Thanks
,
/ Daniel
Basically I read that to be "pay to be one of our customers and then we can talk."
Have any others in our community had similar requests, and how did you respond?
(Score: 4, Touché) by ikanreed on Friday August 16 2024, @08:26PM (1 child)
Do a lot more for no reason so the government can also use your free software. Thank you!
(Score: 3, Funny) by SomeRandomGeek on Friday August 16 2024, @08:43PM
How long do you think it will take the DOE to figure out that they basically can't function without libCurl, and try asking nicely?
(Score: 5, Interesting) by krishnoid on Friday August 16 2024, @08:30PM (7 children)
Googling for "Software Development Attestation Submission Request" only shows this one email. You'd think a lot of other open source people (and others) would have received something similar.
(Score: 5, Informative) by VLM on Friday August 16 2024, @08:47PM (3 children)
Its basically this
https://www.whitehouse.gov/wp-content/uploads/2022/09/M-22-18.pdf [whitehouse.gov]
(Score: 5, Interesting) by RS3 on Saturday August 17 2024, @01:53AM (2 children)
Uh, excuse the interruption, but whitehouse.gov is a WordPress site? I don't know what to think.
(Score: 0) by Anonymous Coward on Sunday August 18 2024, @03:38PM
Are you expecting any sort of intelligence out of the Biden Harris administration?
Or from any administration for that matter?
(Score: 3, Informative) by krishnoid on Tuesday August 20 2024, @05:03PM
And one WordPress is proud to showcase [wordpress.org], whaddya know.
(Score: 4, Informative) by darkfeline on Friday August 16 2024, @09:22PM
SSDF is definitely a thing (our large tech company is spending a lot of resources on compliance). However, it really only applies to companies that supply software to the government commercially and not open source. I suspect that FOSS provided by companies who have a (separate) contract with the government get caught in the crossfire since liability is unclear.
Join the SDF Public Access UNIX System today!
(Score: 0) by Anonymous Coward on Friday August 16 2024, @09:27PM
Same guy received a similar letter from NASA four years ago:
https://daniel.haxx.se/blog/2020/12/17/curl-supports-nasa/ [daniel.haxx.se]
(Score: 3, Insightful) by Samantha Wright on Friday August 16 2024, @11:04PM
Presumably most such letters are received by security-through-obscurity-type private corps who wouldn't have a reason to post DOE correspondence on the Internet. libcurl is used in a lot of things!
(Score: 5, Interesting) by JoeMerchant on Friday August 16 2024, @09:46PM (3 children)
In our industry, we "qualify" components like libcurl as SOUP - Software Of Unknown Provenance. If libcurl has been qualified as appropriate for our use of it, version controlled, verified and validated for our use cases and the resulting system meets all requirements, then the SOUP is ready to ship.
The wrinkle here is: security requirements. If libcurl is in any way in a position to pose a security risk to the system, and the system has security requirements that could be impacted by use of libcurl, then the qualification as appropriate goes a LOT farther than simple: "test department ran their procedures and it did what we want it to do." Now, instead of just proving positive performance of required functions, you're essentially attempting to prove no possibility of negative requirements occurring.
The current security landscape is a hot mess. I just attended a "community of practice" meeting within our (international 100K employee) company where the marketing folks were confessing that they only just became aware of security certification standards (which we don't currently have documented compliance with) that are starting to block sales of our products in many countries. And, even within the EU, every country has their own distinct security standards, so demonstrating compliance with - for instance: Germany's standards, doesn't get you covered for Spain or Italy... Questions like: do these standards apply to our products' development process, or company wide practices like employee laptop security, or? were met with answers like: "well, yes, all of that... and more."
It's important, it's how we're going to "survive" WWIII (which, in many ways, is already in progress: https://www.wilsoncenter.org/event/all-you-need-to-know-about-russian-hackers [wilsoncenter.org] https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-critical [justice.gov] https://adf-magazine.com/2022/12/cyber-scammers-hackers-pose-continuing-threat-to-africa-in-2023/) [adf-magazine.com] It's also more chaos than order...
🌻🌻🌻 [google.com]
(Score: 3, Insightful) by captain normal on Friday August 16 2024, @11:09PM (2 children)
In the last week I have received 4 texts from (supposedly the USPS). All from different numbers, saying they couldn't deliver a package because of an incomplete address. As I definitely am not expecting a package, I marked it spam and refused to respond. Something I would recommend Dan Stenberg doing.
The Musk/Trump interview appears to have been hacked, but not a DDOS hack...more like A Distributed Denial of Reality.
(Score: 3, Funny) by JoeMerchant on Saturday August 17 2024, @12:56AM (1 child)
I read somewhere (here, at least) that those USPS fish mails are part of a kit sold by a Chinese site to over 1000 skript kiddiez who have been flooding every US email address with them.
🌻🌻🌻 [google.com]
(Score: 4, Insightful) by deimtee on Saturday August 17 2024, @02:05AM
Not just the US email addresses. I get them to several .com.au emails.
Strangely enough, I'm not expecting any packages from USPS either.
One job constant is that good employers have low turnover, so opportunities to join good employers are relatively rare.
(Score: 3, Interesting) by looorg on Friday August 16 2024, @10:14PM (6 children)
This one seems a bit odd. It seems very automated and not reviewed by any human with a working couple of brain cells.
I know foreign languages might be strange and all but they can't really believe his family name is Haxx? Right? Wouldn't it then at least be Mr. Haxx? That he isn't in the USA is apparently not a problem. Even tho he has been denied entry on multiple occasions as far as I can remember. So he is clearly some kind of dangerous haxxor based on his name. Are the DOE sure they want to run haxx software?
Also libcurl 8.3? That is about a year out of date now. Is the Department of Energy running old out of date software that doesn't have all the latest security updates, patches and fixes? Lets hope it is not run on any mission critical hardware.
They also seems to have missed that the software is free. You can pay for support if you like. I think that applies for them to. Is free an alien concept to them?
At least he has a sense of humor about the whole thing, something government agencies are usually not known for.
(Score: 2) by MostCynical on Saturday August 17 2024, @12:47AM (1 child)
His surname is Sternberg.
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 3, Informative) by coolgopher on Saturday August 17 2024, @01:52AM
No, Stenberg. Literally Stonemountain in Swedish.
(Score: 2) by driverless on Saturday August 17 2024, @04:10AM
So a completely standard communication from a government department in other words.
(Score: 2) by Hartree on Saturday August 17 2024, @06:12AM
"Is free an alien concept to them?"
Makes no difference to the government bureau-crazies. They'll happily mandate you use a massively expensive substitute (that is often a repackaging of the original product) rather than the free so the legal department is happy and they have someone they can browbeat into compliance or pay extra to get compliance.
Why would they care? It comes out of your budget, not theirs. There's only fallout for them when it becomes a political/PR problem and administrators at the very top of the organization have problems due to it.
(Score: 3, Interesting) by GloomMower on Saturday August 17 2024, @08:00PM (1 child)
> Also libcurl 8.3? That is about a year out of date now.
When I worked for a defense contractor we had many software or libraries over 10 years old. Some version goes through all this red tape to be audited and approved. Since it technically works no one wants to go through all that process again to get another version approved.
I know there is a security trend to just always keep blindly updated, but I believe we'll find out soon when that could really also bite you in the butt. Something like the XZ Utils story, but end up being bigger. I suppose the CrowdStrike event is an example of frequent and fast updates backfiring.
A lot of security requirements are a joke and a theater. I get really mad at them because it makes work a lot harder for no gain, except to pretend to be secure. I don't know exactly what the answer it but it has got to be something better than what is currently going down.
(Score: 3, Interesting) by canopic jug on Sunday August 18 2024, @03:49AM
I know there is a security trend to just always keep blindly updated, but I believe we'll find out soon when that could really also bite you in the butt.
There are examples out in the wild already.
We had Ext4 data corruption in stable kernels [lwn.net] just last year. That was a really big one which we should still be talking about. The potential for catastrophic impact was enormous since EXT4 is the default file system and as good as everywhere. That the impact turned out so mild was mostly but not entirely luck.
Money is not free speech. Elections should not be auctions.
(Score: 5, Interesting) by Hartree on Saturday August 17 2024, @06:01AM
I've seen amazing damage from this sort of thing.
This kind of nonsense happens far too often when government edicts are blindly enforced. The university I work for demanded that a provider of a crystallographic database for which there is no effective substitute do an unreasonable amount of such documentation and compliance due to a state law. This database is used worldwide in labs from chemistry to materials science etc.
The small company replied that they were a UK company and were under no onus to comply with US state laws and to please stop using their database as we were not that important to them. The university ultimately saw reason and found a way around it so we could use it again, but it hampered research and publications of papers that would normally cite the database for months.
As if that wasn't enough of a lesson, they tried the same thing with Autodesk who refused to renew the campus site license. There's still fallout from that fiasco as every administrative copy of their software has to be individually licensed.
I wish it was only software that happened with. A large, specialized and very expensive vacuum kiln stopped working and they tried to force the small company that made it jump through hoops in order to come and fix it. Once again, the company told them to get stuffed and was the only one capable of the repairs. It stayed down until the researcher (one of our star ones) wrote to the local newspaper to protest it thus causing enough embarrassment that a "thou shalt" came from on high. They ultimately got it fixed, but it was a big reason that professor went elsewhere.
This is what happens when those enforcing this nonsense have no fallout from stopping anything productive. At least in industry you can go broke, but government organizations are immune from that.
(Score: 2) by weirsbaski on Saturday August 17 2024, @10:09AM (1 child)
This seems like a "damned if you do, damned if you don't" situation.
If the gov't enforces secure-app compliance, that edict shows up absolutely everywhere even if in situations like this where it doesn't make sense.
But if the gov't doesn't enforce compliance, then s/w turns into a lawless free-for-all, where you'd get code-monkeys pulling all sorts of shady crap just to get tasks checked off their list. "Use this library called 'WeDidntEvenTryToHideTheBackdoor' developed by coders in the military of some country where privacy is just an after-thought? No matter, I'll be on a different project by the time that shit hits the fan." (Sadly, I know this happens in some places b/c I've watched it happen in real time.)
(Score: 2) by HiThere on Saturday August 17 2024, @01:39PM
To be fair, libcurl when working properly seems like a security problem. What it's *designed *to do is facilitate the transmission of information.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.