Eric Geller @ericgeller
We see you, Sagittarius A*. Thanks to "more than 300 researchers from 80 institutes," @ehtelescope brings us the first image of the supermassive black hole at the center of our galaxy, an astonishing look at an object of unfathomable power. https://t.co/CwVEUF6mNF https://t.co/f0Q7Re7Wde — PolitiTweet.org
Eric Geller @ericgeller
Here again is my exclusive story on the OpenSSF plan: https://t.co/5hwrGrvM0p And here's the plan itself: https://t.co/kpSRHcVGk3 Along with details on the meeting that could launch it: https://t.co/HidGVi3ZcK
Eric Geller @ericgeller
Even as we move on from Log4j, the OpenSSF report argues that its recommendations remain urgent. "The next world-altering critical open-source software vulnerability … is almost certainly already existing, undiscovered, somewhere in our codebases today."
Eric Geller @ericgeller
Behlendorf said the secure coding curricula proposal was especially imptnt. Most OSS devs never get that training. “We think you could put together a syllabus that wouldn't take more than 20, 30 hours...to go through and certify against [and] would make a world of difference.”
Eric Geller @ericgeller
OpenSSF GM Brian Behlendorf told me this project will have huge ripple effects. “Some of these problems are problems that have long existed in software security, not just in open-source software,” Behlendorf said. “It's time to really try to put some of them to rest.”
Eric Geller @ericgeller
It's unclear how many companies will commit to funding the plan, or how much they'll pony up. But many of the companies attending the meeting are OpenSSF members and helped write the plan, so there's likely to be some eagerness to bring it to life.
Eric Geller @ericgeller
Companies including Google, Microsoft, Meta, Oracle, Red Hat, VMware, Goldman Sachs, and Morgan Stanley are meeting today and tomorrow to discuss OpenSSF's plan and potentially commit to funding it. Neuberger and @robknake will speak. OMB, CISA, & other agencies will send reps.
Eric Geller @ericgeller
OpenSSF estimates that its plan will cost ~$68 million in the first year and ~$80 million per year after that. But these costs largely cover hiring staff, so if big companies are willing to loan employees to the effort, the actual cost could be less. https://t.co/66tMvhB6sr
Eric Geller @ericgeller
Other ideas: * Info sharing to identify dependencies & most critical projects * Promoting use of digital signatures to prevent code tampering like w/ SolarWinds * Independent audits of up to 200 most critical OSS components * Adding security tools to software build systems
Eric Geller @ericgeller
Another proposal is to promote and assist with the conversion of OSS projects from programming languages like C++ to memory-safe languages like Rust. Memory safety issues account for huge %s of flaws that Microsoft and Google find. https://t.co/dQMuBc3POB https://t.co/mYsE7j4vwY
Eric Geller @ericgeller
A few of the OpenSSF plan's proposals: * Creating education curricula & cert programs and encouraging use by universities & employers * Creating incident response team of 30-40 experts who can help OSS devs fix flaws in a crisis * Vuln scans of top 10k OSS components https://t.co/Dbqpjnbz8j
Eric Geller @ericgeller
OSS is critical to economic & national security & is used by tons of govt agencies & companies, but it's often poorly & inconsistently maintained by under-resourced teams. https://t.co/jIyIMxSDmf Log4j highlighted this https://t.co/p1BE7l8tmU & led to Biden WH meeting.
Eric Geller @ericgeller
33 tech giants, big banks, and nonprofits are meeting today & tmrw to discuss an ambitious @theopenssf plan to secure open-source software ecosystem, from coding education to crisis response teams. I got the exclusive on the report and meeting: https://t.co/5hwrGreaBP
Eric Geller @ericgeller
Now for my other story of the morning...
Eric Geller @ericgeller
Here again are my story on the cyber EO's one-year anniversary https://t.co/OZ4b5p1jx9 and my interview with Neuberger and Inglis https://t.co/go1b8y5Iq7
Eric Geller @ericgeller
Neuberger said the EO remains a top priority for both her and Inglis, despite the two of them having broad portfolios that keep them very busy. “This was the president's major cybersecurity initiative — to ensure, frankly, we walk the walk and don't just talk the talk.”
Eric Geller @ericgeller
Cabinet secretaries, agency directors, and their deputies are "in this discussion," Inglis said. "They're driving this forward. That's new, that's novel, and I think that's going to make a difference."
Eric Geller @ericgeller
In terms of oversight, Inglis said he personally tracks agencies' progress toward EO goals on a monthly basis. He regularly calls agency leaders (seven times last week) and has "very cordial discussions ... with an equal sense of urgency on both sides of the telephone.”
Eric Geller @ericgeller
When I asked how agencies were doing migrating to cloud, installing EDR software, and improving their log collection, Inglis said this work will continue in a follow-up to the EO under the auspices of the admin's zero-trust strategy. https://t.co/bhabFkIDat
Eric Geller @ericgeller
On encryption/MFA, Inglis said the relatively modest statistics (64% encrypting data at rest, 65% encrypting data in transit, 58% requiring MFA) nonetheless reflect “a dramatic improvement” from the situation “that we inherited when we came into this administration.”
Eric Geller @ericgeller
On the contractor rules, Neuberger said experts told the White House while they were planning the EO that “the more advanced companies who take security seriously had already implemented” these practices, “and the ones who hadn't would be embarrassed.”
Eric Geller @ericgeller
@ncdinglis "We've made massive progress since the EO was issued in a way that hadn't been done in the last decade," Neuberger said. "We laid out a path and created a sense of urgency by the tight timelines within there."
Eric Geller @ericgeller
When I talked to NSC's Anne Neuberger and @ncdinglis (full interview here https://t.co/go1b8y5Iq7), they said they were very happy with the EO's accomplishments. “Despite the fact that we set aggressive goals for ourselves," Inglis told me, "we have largely achieved those.”
Eric Geller @ericgeller
Everyone agreed that the biggest factor in the EO's success or failure would be whether the Biden White House maintains aggressive oversight of agencies as they comply with its directives. That's part of why Congress created @ONCD. Speaking of which...
Eric Geller @ericgeller
Most people I talked to said we should give the EO another year or two before judging its success or failure. “One year is not a lot of time to evaluate meaningful changes,” said Andy Grotto, an Obama NSC cyber holdover in the early Trump admin who wrote Trump’s cyber EO.
Eric Geller @ericgeller
This was always going to be one of the EO's most challenging sections. Longstanding issues — budget/staff shortages, cyber competing with other priorities, legacy IT that's tough to upgrade, preference for old but familiar over modern but new — are slowing this work.
Eric Geller @ericgeller
One of the centerpieces of the EO is its security mandates for federal networks, from encryption to MFA to logging to EDR to cloud migration. As I recently reported, encryption/MFA compliance is sluggish: https://t.co/9HQjUfv31X But...
Eric Geller @ericgeller
The EO directed NIST to launch pilot programs to study the idea of putting Energy Star-esque security labels on software & IoT products. An update on that work is expected this week. Experts said labels could improve consumer behavior but were tricky b/c code changes so quickly.
Eric Geller @ericgeller
Agencies are required to follow NIST's new software security guidelines (intended to encourage improvements across the whole industry) when buying products. https://t.co/7y6SK3buJp OMB is expected to issue full guidance on that requirement this month.
Eric Geller @ericgeller
The EO required the govt's procurement rules body to issue new cyber rules for contractors, including for protecting their systems and reporting incidents. But that body still hasn't issued the rules https://t.co/34Ko9VGwWY & they could take a while to finalize after that.