A lot of debate at the moment about digital sovereignty, with a very trusted ally threatening to annex Greenland while perhaps shifting its internal power structure (courts vs executive powers) while also continuing a trend of increased executive power over private companies (NSL etc.)
Meanwhile, EU is apparently way behind both China and US in high-tech industry and digital infrastructure in general and AI technology in particular.
So it's a welcome discourse - we really should go through the threat scenarios, in light of the changed parameters. My observations:
* Consider: Could the society function if major cloud services (say, Microsoft 365 or Azure's IaaS services) - were suddenly nullrouted from Denmark? (Keep in mind that Denmark is heavily digitalized in both the private and public sectors)
* While that not a likely scenario, it's no longer an unthinkable scenario, which it seemed to be in 2024. If it's not unthinkable, it could quickly become a credible threat. "Surrender Greenland, or else..."
* Public sector Denmark is very much a "Microsoft first" country, 99.9% of desktops, office networks and productivity. On back-ends, MS is maybe not so big at the state-level systems, but quite dominant at regional and municipal levels.
* Due to GDPR (and various related side quests), public Denmark has been slow-ish in moving to cloud infrastructure, but e.g. Microsoft 365 is gaining marketshare over locally or semi centralized hosted Exchange servers. So the blast radius is unclear.
* At the same time, Microsoft is taking home quite substantial license fees. The minister's reaction could also play into that.
However, the thing to note is that the Ministry of Digital Affairs is a small ministry. While they control some key infrastructure components (few of which run on Windows, AFAIK), they are not at all responsible for choosing other administrative bodies' choice of office suite or the bargaining with Microsoft. In practice, that power is held by the Ministry of Finance, as is so much else. They might be seeing things differently.
Interesting times indeed. And certainly long overdue to consider alternatives realistically and reduce vendor lock-in where feasible.
At least, in this case, the WAF in question had the decency to return 403.
I've worked with a WAF installation (totally different product), where the "WAF fail" tell was HTTP status 200 (!) and "location: /" (and some garbage cookies), possibly to get browsers to redirect using said cookies. This was part of the CSRF protection.
Other problems were with "command injection"-patterns (like in the article, expect with specific Windows commands, too - they clash with everyday words which the users submit), and obviously SQL injections which cover some relevant words, too.
The bottom line is that WAFs in their "hardened/insurance friendly" standard configs are set up to protect the company from amateurs exposing buggy, unsupported software or architectures. WAF's are useful for that, but you still gave all the other issues with buggy, unsupported software.
As others have written, WAFs can be useful to protect against emerging threats, like we saw with the log4j exploit which CloudFlare rolled out protection for quite fast.
Unless you want compliance more than customers, you MUST at least have a process to add exceptions to "all the rules"-circus they put in front of the buggy apps.
Whack-a-mole security filtering is bad, but whack-a-mole relaxation rule creation against an unknown filter is really tiring.
So, no you don't need a "Microsoft-esque" company, you need independent service providers who just know their stuff. Today, a company (any company!) with the proper skills CAN offer setting up and maintaining government infrastructure, independent and sovereign from Microsoft, by using commoditized hardware and open source software, with no long term vendor lock-in.
The offerings do exist, and get some traction. If done right, they should be cheaper in both short and long run, compared to Microsoft licensing.
So, what's holding us back?
1) One element is aggressive pricing for key customers and partners, on the part of the smarter incumbents (in this case Microsoft).
2) Another is a "reverse network effect": Scarcity of talent to create companies like the ones I suggest. And with too little supply, the demand side will be afraid to "not choose IBM" (figuratively).
3) A third is Microsoft 365's real-time collaborative editing. Yeah, really. The needs of some specific users get to dominate decision-making, since the key decisions are pitched in PowerPoint, analysed in Word, budgeted in Excel and distributed using Outlook. A lot of old dogs would have to learn new tricks.
The Eclipse Compiler for Java [1] is a notable exception, architected around incremental compilation, an API for “live” AST manipulation, and a layered non-batch approach to when to invoke various analysis steps.
The LSP for Java [2] used in eg. VSCode’s Java plugins, builds on this API.
But, no, I haven’t seen a generalized approach to this architecture discussed in literature.
By that logic, the worst possible recidivism rate (surely 100%) would make someone 1500x more likely to commit crime than a non-offender.
That’s still a pretty good case for having effective rehabilitation (unless you insist on the death sentence for all prisonable offences)
You don’t have to execute them, just lock them up until they’re too old to be a threat.
I’ve been a victim of violent crime at least a dozen times in my life. I wasn’t the first victim for any of my attackers. Far from it. And I wasn’t the last. Every single one of them escaped. They probably got caught on some other occasion, and maybe they spent some time in prison for that crime. And then they got out and continued robbing and assaulting innocent people. They’ll keep doing this as long as they are physically able.
I don’t really care what happens to them, because they’re basically constantly-exploding bombs that force the rest of us to pay more in taxes for police, invest in more security systems, avoid certain areas at certain times, and generally worry about safety much more than we otherwise would. Most criminals have been given countless chances to not commit crime, and they keep doing it. The sooner they’re separated from society, the better off we’ll all be.
I've moved lots of times. In terms of crime, the SF bay area was by far the worst. The Bronx was second-worst, but I hear it's gotten a lot better since I lived there. Portland has gotten pretty bad over the past few years but at least I can legally carry a gun there.
When you're 5'6" and 120lbs, criminals will target you.
You should try Europe or Australia. The worst I've ever experienced is having someone break and enter while I wasn't there. I have lived in what could be considered less than savoury areas in Sydney and have stayed all over Europe and the world (as a digital nomad, currently at 45 countries).
I wasn't born in the US. I've lived in other countries. There are other disadvantages to places like Europe or Australia (or Japan or China, where I've also spent time) that make the tradeoff not worth it to me. The biggest issue is that you'll always be a foreigner. Even if you jump through the hoops to become a citizen, you won't be accepted the same way that Americans accept immigrants. US conservatives are painted as disliking immigrants, but that's only true for immigrants who don't culturally assimilate. Conservatives have no problem electing immigrants like Winsome Sears, Arnold Schwarzenegger, and Young Kim. The mayor of Helena, Montana is a refugee from Liberia. The state with the most foreign-born governors is Georgia. Anyone who claimed that these people aren't "real Americans" would be shunned and shamed across the political spectrum.
There's also the issue of employment and compensation. My skills are worth far less in other countries. I make over $250k/year in compensation, and my taxes are low enough that I've managed to accumulate "fuck you" money before the age of 40. I could retire, but I want to maximize my family's quality of life. It'd also be nice to have an aircraft and a cabin on some land in the middle of nowhere. My chances of accomplishing those goals in another country are much lower. (I'll probably have the cabin in a few years. The aircraft... well, we'll see.)
If I wanted to move to an area with low crime, I could choose from plenty of places in the US. I don't live in those places because, similar to other countries, I'd have to take a massive pay cut. As remote work becomes more commonplace, that could change.
Interesting points. Yeah, it is pretty funny hearing conservatives being called Nazis and fascists all the time. In many ways America is already living the Star Trek future. Well, except for the UBI. (You'll probably get that soon though, the robots are just about done cooking.)
I heard you can get a used Cessna for $15k. But maybe you want something fancy ;)
The buffer overflow is in the C version of the algorithm (and likely related to loop condition checks idiomatic to C's for-loops).
The Go version is a fresh implementation, not a wrapping of the C version. I'm no Go programmer, but if I'm not mistaken, the Go implementation just eats little slices of the input buffer until no more buffer is left, leaving all the overflow-danger to the Go array implementation:
Just for what it's worth, we're talking about the amd64 assembly version of the SHA3 code in the x/crypto/sha3 library; I didn't look carefully at how it's called, so if it's used incrementally the way this Go code shows, then yeah, it's fine regardless.
A second later
Oh, wait, yeah, this is just the Keccak permutation in assembly, not the entire hash. That was dumb of me. Yeah, this code looks ok?
