Hacker News: donnachangstein's comments

> The users (i.e. high level U.S. officials) did no due diligence.

But why would they? It's not their job. They have massive IT staff supporting them. "High level U.S. officials" are just executives; the pointy-haired bosses to the pointy-haired boss. Only difference is these wear little decorative pins over their breast pocket.

Every Fortune 500 company has dedicated IT staff for execs; someone you can call 24/7 and say "my shit's broke" and they respond "we just overnighted you a new phone".

These people couldn't even install an app on their MDM-controlled device, now the narrative has become we expect them to be making low-level IT decisions too?

Next week we'll be scrutinizing Pete Hegseth's lack of thoughts on rotating backup tapes.


> ... narrative has become we expect them to be making low-level IT decisions too?

I think that's a misdirection.

The narrative is that:

a) they were using a compromised piece of software

b) they should not have been using that software - not (necessarily) because it was compromised, but because it wasn't US DoD accredited for that use case.

(I understand your point that these guys are not tech savvy, and do not need to be, but they should be regulation-savvy (clearly they either are not, or willingly broke those regulations), and they should be following organisational guidelines that presumably cover the selection and use of these tools types.)


Yeah, and the purchase approval process is in place specifically so that someone who knows what to look for has looked at it and verified that it's an acceptable configuration.

This is the exact same problem as Clinton's BlackBerry Enterprise Server. Doing it right was hard and time consuming, so they ignored that and did what they wanted.

Only we should be a lot more demanding that our officials in 2025 have a better basic understanding of the importance of computer security than in 2005.


> now the narrative has become we expect them to be making low-level IT decisions too?

If their staff makes bad decisions, that’s their failure too.

We expect them to be ultimately responsible for what happens on their watch.

Was it Truman who said, “Woah, don’t bring the buck anywhere near me, it stops with my assistant”.


It is too early to tell, but given that these people openly attack scientists and other experts (they don't agree with), I wouldn't be surprised if they ignored the advice of their IT experts.


It's not too early to tell, we knew from the beginning that the use of Signal (let alone its clone) was not authorised to be used for such communications.

Yes, there's a fleet of people who are supposed to make such tech decisions. The people involved specifically went against those rules. The existence of a group chat using an authorised app is a violation on its own, adding a journalist to it is a violation on top of a violation.

Adding a journalist was accidental, but using such an app (despite it not being approved) is very intentional.


IT staff that knew it was illegal to provide them tools for a conspiracy were fired or silenced. So the only people left were their cronies, who instantly complied with their illegal request, to the best of the cronies' abilities. For such national failures, the buck has to stop at the very top, not on some IT monkey.

This is typical for highly corrupt governments and autocracies, they crumble from within because the autocrats can't trust random, competent people so their inner circle becomes saturated with people who are selected on the basis of loyalty not competence, and these people end up making the most important decisions and running the country.


Would tend to agree with most of that, but I think the assertion is Petey needed to ask his IT leadership to do the due diligence before diving in, not that he needed to decide using his own depth of skills and experience.

I assume he did and they said it was a bad idea - the memo they'd released a few weeks prior about Signal vulnerabilities seems to suggest a lack of faith in that approach - but he was already banging away on his phone with all the grocery reminders and definitely not battle plans he needs to keep pushing out. Which is also how it feels in the enterprise space these days.

Strange thing to see our bureaucracy start to behave like a corporation instead of the other way around.


Their massive IT staff provides them with a way to communicate securely and they ignore it deliberately so that their communications are not preserved for history or for future court cases.


One man's low Integrity (in the "CIA triad" sense) of communications is another man's improved plausible deniability.


You could have saved yourself $300 and slept on a bench in the central bus station for approximately the same level of accommodation.


Can you actually? Every major city I've been to in the past five years is pretty harsh on that sort of thing. I'd happily pay $300 to avoid the risks of arrest and having all my stuff stolen.


If you don't look poor it is considered normal to sleep on public coaches in terminals. You might need to sit up though.


Funny but couches can be pretty comfortable, and in the days of Airbnb being a monetized couchsurf, you'd at least wake up to fresh coffee

Safe place to stash your luggage is another matter, there's a dozen apps that cater to this need now too so if you are sleeping in the bus station at least you can put your baggage behind a locked door


> there's a dozen apps that cater to this need now

Before someone declared a need for buggy and unreliable locker apps, for decades prior you could deposit something called a "coin" into a slot which would allow you to remove an equally archaic object called a "key" from the lock, which you would deposit in your pocket and be on your merry way.


> Before someone declared a need for buggy and unreliable locker apps, for decades prior you could deposit something called a "coin" into a slot which would allow you remove an equally archaic object called a "key" from the lock, which you would deposit in your pocket and be on your merry way.

Back in the '90s, sure, but then some people flew a plane into a tower block and apparently this meant we need to pay $20 for some minimum wage dude to put our bags on a shelf that's only open 9-5 instead.


DC Union Station charged me I think $10 per bag per 24 hours, no smaller unit accommodated, but I decided $30 was worth it to enjoy my Amtrak layover for 3 hours and walked to the botanic garden unencumbered.

Vienna Austria has a great set of lockers at their central station, I think I paid 3 or 4 euro for 12 hours for a locker. Venice too, but I did not anticipate that Venice has nowhere to lock up a bicycle, so I ended up paying 18 euro to store my "oversize luggage" for the day.

All in all I found European train stations to have better accommodations than American (makes sense because people actually use them everyday, 100+ trains a day in Berlin vs a place like Cincinnati with 2 trains a day)

Bilbao Spain I was glad to find a convenience store that was on the apps but also just accepted 5 euro to take my bags into their store room a few hours. I bet most hotel receptions would make that deal with you too.

Nador, Morocco I could not find anyone to take my luggage, the train station attendant told me to try the bus station, but the bus station attendant refused without my having a bus ticket, "even with cash?" "Even with cash"


And have someone take your luggage wholesale and later clip the locks? What a steal!


> Windows LTSC builds don't have Microsoft Store preinstalled

No, it's not that it isn't "preinstalled", the Microsoft Store is literally not supported on LTSC, by design. LTSC was never intended to run the Store. The original use case for LTSC was for ATMs, industrial control equipment, hospitals, and the like, where IoT wasn't appropriate, where you needed the ability to run full desktop applications.

> Microsoft offers no official way to re-enable it.

Yeah that's because the Store was never supposed to run on LTSC. It's not supported. Why would they offer an official way to re-enable it? The whole point of LTSC is that it doesn't include the store.

If someone cobbled together an ugly hack to shoehorn it in, by definition it could break at any time.

Which it has.

There is no customer for this.


If by "customer" you mean "way of making money", I agree, since I didn’t pay for it. OTOH, I have been running LTSC on my desktop for years because it's the best edition of Windows, and I haven't had any issues with the Store, which I had to install manually, thus far.


> There is no customer for this.

Lots of people including myself run LTSC to minimize Microsoft shitware.




> Anyone pirating LTSC is by definition not a customer and has no right to make any demands of Microsoft.

Luckily, no demand was made, just a solution offered by the community.




To be fair, the headline could have been better worded. The convention for something like this is

“Show HN: Title of Repo”

I could understand how one might not understand what the aim of this post was. Maybe the ensuing conversation could have been handled better, but I would certainly include the parent comment in that indictment.


> No one is here to make you money or talk about "customers"

Have you ever read this site before? Half of it is about that and startup culture.


I agree it has always been a pretty implicit part of the culture. Just never seen someone so virulent and blunt about it lol.


> On freebsd you have strlcpy()

strlcpy() came from OpenBSD and was later ported to FreeBSD, Solaris, etc.


Yup.

Lots of good security & safety innovations came from OpenBSD.


> I see he's also using fopen/fread/fclose rather than CreateFile/ReadFile/WriteFile/etc.

It's a todo list, not a network service. So what if it's using unbounded strcpy's all over the place? It has basically no attack surface. He wrote it for himself, not for criticism from the HN hoi polloi.

For once maybe take someone's work at face value instead of critiquing every mundane detail in order to feel like the smartest person in the room.

Computers are tools to get stuff done. Sometimes those tools are not pretty.

I place much of the criticism being levied here in the same category as the "we must rewrite 'ls' in Rust for security" nonsense that is regularly praised here.


> So what if it's using unbounded strcpy's all over the place? It has basically no attack surface. He wrote it for himself, not for criticism from the HN hoi polloi.

I didn't point that out so I could be the smartest person in the room and I certainly don't subscribe to the whole rewrite-the-world in rust.

The sheer amount of time I spent debugging problems caused by buffer overruns and other daft problems is immense. It's literal days of my life that could have been saved had safer APIs been created in the first place.

It's a cool toy program and I encourage the learning but maybe let's try and avoid unnecessary problems.
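The two comments above argue about unbounded strcpy() in a small todo program and about the strlcpy() API that OpenBSD introduced. The following is an added example, written for this page and not code from the program being discussed or from any BSD libc: a portable strlcpy() with the OpenBSD contract, the unbounded pattern beside a bounded one that uses the return value to refuse over-long input instead of silently truncating it, and a line parser for a hypothetical "<0|1> <title>" todo file (the file format, the 32-byte field size and the sample lines are all assumptions made for the example).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable strlcpy with the OpenBSD contract: copy at most dstsize-1 bytes,
 * always NUL-terminate when dstsize > 0, and return strlen(src) so the caller
 * can detect truncation (a return value >= dstsize means the source did not
 * fit). Named my_strlcpy so it does not clash with a libc that ships one. */
size_t my_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

#define TITLE_MAX 32            /* hypothetical fixed-size field of a todo item */

struct todo_item {
    char title[TITLE_MAX];
    int  done;
};

/* The unbounded pattern under discussion: a title of TITLE_MAX bytes or more
 * writes past 'title' into 'done' and whatever follows the struct. Kept only
 * for contrast; never call it with input you did not size yourself. */
void todo_set_title_unchecked(struct todo_item *it, const char *title)
{
    strcpy(it->title, title);
}

/* Bounded version: rejects an oversized title (returns -1) instead of
 * silently truncating it, and leaves the item untouched on failure. */
int todo_set_title(struct todo_item *it, const char *title)
{
    char tmp[TITLE_MAX];
    if (my_strlcpy(tmp, title, sizeof tmp) >= sizeof tmp)
        return -1;
    memcpy(it->title, tmp, strlen(tmp) + 1);
    return 0;
}

/* Parse one "<0|1> <title>" line of a hypothetical todo file, e.g. a line that
 * fgets() pulled from fopen()'d storage. The staging buffer is sized for the
 * longest valid line (flag, space, TITLE_MAX-1 chars, newline, NUL), so an
 * over-long line is rejected up front rather than trusted later. */
int todo_parse_line(const char *line, struct todo_item *it)
{
    char buf[TITLE_MAX + 3];
    if (my_strlcpy(buf, line, sizeof buf) >= sizeof buf)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[--n] = '\0';
    if (n < 3 || (buf[0] != '0' && buf[0] != '1') || buf[1] != ' ')
        return -1;
    if (todo_set_title(it, buf + 2) != 0)
        return -1;
    it->done = buf[0] - '0';
    return 0;
}

/* Wrappers that return the outcome for a single input, handy for checks. */
int todo_title_fits(const char *title)
{
    struct todo_item it;
    return todo_set_title(&it, title);
}

int todo_line_done_flag(const char *line)   /* -1 if rejected, else 0 or 1 */
{
    struct todo_item it;
    return todo_parse_line(line, &it) == 0 ? it.done : -1;
}

int main(void)
{
    /* Constructed sample lines, as if read from a todo file. */
    const char *lines[] = {
        "1 buy milk\n",
        "0 this title is far too long to fit in the fixed-size field\n",
        "x malformed\n",
    };
    struct todo_item it;
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        if (todo_parse_line(lines[i], &it) == 0)
            printf("ok:   done=%d title=\"%s\"\n", it.done, it.title);
        else
            printf("skip: %s", lines[i]);
    }
    return 0;
}
```

The design choice worth noting is that strlcpy() on its own only prevents the overflow; it is the check on its return value that turns "silently lost the tail of the string" into an explicit rejection, which matters when the truncated field later becomes a filename or a command argument.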


>I certainly don't subscribe to the whole rewrite-the-world in rust.

Good because those Rust people get really upset when you point out that Rust mostly seems to exist for people to "Rewrite X in Rust".


The lack of a universally functioning clipboard is the #1 blocker to Linux acceptance on the desktop.

The Mac had this figured out in 1984. Linux still struggles in 2025.


Hey, they don't have excel or word, like I have at work, and none of the other professional software like Photoshop or premiere, I can't play AAA games, and none of my friends use it either. But that's cool. The clipboard though... that I cannot abide.

Put another way, I strongly disagree that the clipboard is the main obstacle. (And fwiw, Linux has been my main OS for decades)


You got it backwards. MMB used to work flawlessly in Linux as in other X11-based unices "back in the day", before some DEs decided they would do it differently to be more palatable to people used to $OTHER_OS. I don't remember the details as I've never been a desktop person, but I do remember that I got surprised one day to discover that something that simple had ceased to be reliable.


Wow as a non Linux user I would never have even imagined this would be an issue - why would you use an OS that doesn’t just let you ctrl c/x/v?


The common shortcuts do work in 99% of situations. The primary exception is terminals.

The problem is mainly that Linux has two clipboards running simultaneously, with slightly different behaviors.

In reality, the clipboard works fine. There are some gotchas, but for everyday use it's perfectly fine. The opinion expressed by parent comment is, uh, unconventional. I've never heard this take before. Most people consider Linux clipboards an annoyance that we should fix someday, it's not a showstopper by any means (for average users)


I like them being separate. The main one feels more intentional than the selection buffer, which I mostly use for grabbing text I want right now. I'd be annoyed if my main clipboard got overwritten every time I selected text.


I just tend to completely forget the select-clipboard even exists - right until a HN submission reminds me, or I drop some garbage in the middle of the text I'm writing.

Text-wise the only thing I can think of where clipboards don't Just Work is indeed terminals, but I hardly consider that an issue in practice. Either it's a trivial session and I'll happily right-click to paste, or I'm in tmux and using lead key prefixes for shortcuts already.

Cross-app rich media copy/paste does have a habit of being a bit buggy from time to time, though...


In practice, it's not really an issue. In some applications (most notably terminal emulators, where ctrl+c is already used to terminate a process) you have to use an alternative combination (e.g. ctrl+shift+c).

macOS neatly avoids this issue with the command key, but I'm not sure what happens in Windows.


> I think the whole program may have cost the government maybe $10k total.

Your numbers are off by an order of magnitude. There is no government program in existence that costs $10k total, you are almost assuredly ignoring overhead and all other costs. It's like calling a contractor to repair something, then crying foul when he charges $350 because you found the part on Amazon for $15.

But let's assume it was $10k.

> $10k to build knowledge of cutting edge science that filters into industry. $10k to help give needed manpower to research projects that need it. $10k to give people who otherwise didn't have a road into science, exactly what they need to get their foot in the door.

To be blunt, you are upset because you got to work on a fun boondoggle project and others are being denied that privilege. I won't doubt it was fun and educational but I can't in all honesty pretend that is a good value for the taxpayers.

Unless you are producing something of value to the public, it's wasteful, and that $10k deserves to be returned to the taxpayers.

Taxpayers are not on the hook to keep you busy with pointless yet fun busy-work. That is private industry's job.


Money "wasted" by the NSF is far better spent than money wasted in, say, the Google Graveyard or any other monument to private malinvestment. This is because science has a value capture problem by design, making it systematically uninvestable by the private market, making opportunities plentiful -- and making it an archetypal example of a place where government investment has a role to play, because we can capture value as a country that is impossible to capture as a company.

The real scandal is that we don't do more of it: our global competitors do not share the same contempt for science that is increasingly infecting the USA, and slowing our jog as they pass us is the worst strategy I can possibly imagine.


This is an opportunity for private industry to step up and step in, while drastically reducing the size of government.

I hear the Juicero had an outstanding power supply.

For all the waste, some folks probably learned a lot about power electronics.

It seems odd to me that of all places, a forum run by a VC outfit, thinks a government jobs program to churn STEM grads with nonsense projects is the way to go.


Do you think Juicero wanted to end up with a bunch of people who learned how to make an outstanding power supply and nothing else to show for it? Did the actual work on the power supply end up being available to anyone else? Maybe we should have an organization that actively wants to invest in things like this, rather than depending on the waste of VCs?


> This is an opportunity for private industry to step up and step in, while drastically reducing the size of government.

Did... you actually read the comment you're replying to? They're explicitly stating that there is a large pool of work that _the private sector is actively disincentivized to invest in_, and the only way it gets done is for other mechanisms to fill the gap.

The alternative to federal investment in research isn't the private sector picking up slack. It's for the old patronage system of the 1800's to come back. But that system was effective only when the size of problems was relatively "small" - we need to leverage economies of scale to efficiently pursue many types of cutting edge research.


Those STEM grads took years to train through NSF-funded programs. Why would private industry waste their quarterly revenues on STEM grads who will become useful only after 4-6 years of training?


Being in such a forum doesn’t mean that many of us aren’t educated about economics.


Also, I bet VCs are far _more_ aware than the average Joe of the wide body of worthwhile but uninvestable ideas. After all, they are responsible for saying "no" to them and gently redirecting them to government/patronage/charity while asking to keep in touch in case the field becomes investable (because that's the story of how their boss got rich).

"Value capture problems don't exist because capitalism is perfect" is the kind of misconception that can only survive far away from the actual process of finding investments and making returns.


Perhaps consider why it is that even here, of all places, so many people see this kind of bullshit for what it is?


> I won't doubt it was fun and educational but I can't in all honesty pretend that is a good value for the taxpayers.

The students who work on these types of projects go on to create technology, companies, and jobs. The skills and experience they learn is a direct injection into our innovation economy.

And of course that's not even to mention that a lot of the things they work on will never get vetted in private industry, so we'll never even know if there is value hidden in the weeds.


The assumption that if something doesn't have a clear and immediate ROI it can't possibly have any value is extremely myopic.


Sure, but there needs to be some justification or measuring stick to decide what's worth researching and what isn't. Otherwise you're just burning up money and labor on fruitless tasks.

Reading some of the comments in this thread it sounds like people are in favor of spending any amount of money on researching any topic without any discrimination whatsoever. That doesn't sound like a good idea to me.


Strawman. No one is suggesting that. These programs are vetted by people whose job it is to assess realistic returns.

It's far more extreme - and far less rational - to assert they're worthless, and therefore need to end, based purely on vibes and ideology.

This entire discussion is a 180 from the truth.

These programs shouldn't need defending. Whatever the cranks believe, the returns have been proven decade after decade after decade.

The people who are axing them are the ones who need to justify themselves, not just economically but constitutionally and morally.

So far they've only tried to justify themselves ideologically, which is not even close to being a credible argument.


It’s also easily abused…the parent post is a pretty solid example of how that happens. More than any individual action by the administration, decades of reinforcement and reification of this thinking in a major segment of society is what is going to doom us.

People celebrating their own destruction by spouting the propaganda they’ve been fed is somehow both terrifying and uniquely interesting to me.


Who exactly made you in charge of speaking for all the taxpayers?


"Your" modem is netbooting "their" firmware and they have full remote access on a management interface.


This. I can just provision in the backdoor interface on the modem with a config file anyways and gain access.

Plus depending on model (like Arris modems), I can do things like set the password of the day seed (away from the factory default) to further lock it down and gain management access remotely.


I don't know much about DOCSIS, but this is absolutely false for fiber here in The Netherlands. You can hook up your own OPNsense machine (or whatever you like) with an SFP+ module of your own choosing (as long as the transmitter is compatible, etc.). There is no way for the ISP to do any remote management.

DOCSIS is slowly dying here anyway and bleeding customers because the cable providers are not competitive when it comes to internet. If they didn't have better linear TV packages the bleed would even be larger.


DOCSIS modems require a configuration file from the cable modem termination system. This dictates the whole configuration from RF map and channel plan to things like QoS and management. Even with a customer-supplied modem, the CMTS will still supply a configuration file the modem must obey (and the CMTS will enforce).

For many modems on the customer market this also can mean that the ISP can push their own version of the firmware for a modem if you buy an identical model - such as pushing SURFboard updates.
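To make the comment above concrete, here is an added example (written for this page, not code from any CMTS, modem vendor or the commenter) of what "a configuration file the modem must obey" looks like on the wire and how a careful parser and a CMTS-style gate treat it. DOCSIS configuration files are a stream of type/length/value settings; the type codes used here (pad 0, Network Access Control 3, Class of Service 4, CM MIC 6, CMTS MIC 7, Max CPE 18, end-of-data 255) come from the DOCSIS configuration-file encoding, but only that handful is handled. The sample bytes are constructed, the MIC values are placeholders rather than real digests, and the CMTS MIC in a real deployment is an HMAC-MD5 over a spec-defined subset of the TLVs using the operator's shared secret, which this example checks for presence only and does not compute.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Type codes from the DOCSIS configuration-file TLV encoding (only the
 * handful this example inspects). */
enum {
    TLV_PAD        = 0,   /* single pad byte, no length field */
    TLV_NET_ACCESS = 3,   /* 1 byte: 0 = CPE traffic blocked, 1 = forwarded */
    TLV_COS        = 4,   /* Class of Service; sub-TLV 3 = max upstream rate, 4 bytes */
    TLV_CM_MIC     = 6,   /* 16-byte MD5 over the TLVs before it */
    TLV_CMTS_MIC   = 7,   /* 16-byte HMAC-MD5 keyed with the operator's shared secret */
    TLV_MAX_CPE    = 18,  /* 1 byte: LAN devices the modem may forward for */
    TLV_END        = 255  /* end-of-data marker, single byte */
};

struct cm_config {
    int      net_access;   /* -1 if absent */
    int      max_cpe;      /* -1 if absent */
    uint32_t max_us_rate;  /* bit/s, 0 if absent */
    int      has_cm_mic, has_cmts_mic;
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* Class-of-Service sub-TLVs use the same type/length/value layout. */
static int parse_cos(const uint8_t *v, size_t len, struct cm_config *cfg)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t st = v[i], sl = v[i + 1];
        if (sl > len - i - 2) return -1;            /* sub-TLV overruns its parent */
        if (st == 3 && sl == 4) cfg->max_us_rate = be32(v + i + 2);
        i += 2 + sl;
    }
    return i == len ? 0 : -1;
}

/* Walk the outer TLV stream. Every length is checked against the bytes
 * remaining before the value is touched, so a truncated or crafted file
 * cannot push the parser past 'len'. Returns 0 on TLV_END, -1 if malformed. */
int parse_cm_config(const uint8_t *buf, size_t len, struct cm_config *cfg)
{
    size_t i = 0;
    memset(cfg, 0, sizeof *cfg);
    cfg->net_access = cfg->max_cpe = -1;
    while (i < len) {
        uint8_t type = buf[i++];
        if (type == TLV_END) return 0;
        if (type == TLV_PAD) continue;
        if (i >= len) return -1;                    /* type byte without a length */
        uint8_t tlen = buf[i++];
        if (tlen > len - i) return -1;              /* length runs past the buffer */
        const uint8_t *v = buf + i;
        switch (type) {
        case TLV_NET_ACCESS: if (tlen == 1)  cfg->net_access = v[0]; break;
        case TLV_MAX_CPE:    if (tlen == 1)  cfg->max_cpe = v[0];    break;
        case TLV_CM_MIC:     if (tlen == 16) cfg->has_cm_mic = 1;    break;
        case TLV_CMTS_MIC:   if (tlen == 16) cfg->has_cmts_mic = 1;  break;
        case TLV_COS:        if (parse_cos(v, tlen, cfg) != 0) return -1; break;
        default: break;                             /* other settings skipped by length */
        }
        i += tlen;
    }
    return -1;                                      /* no end-of-data marker */
}

/* Shape of the CMTS-side gate: accept only a file that carries both MICs
 * (it came through the operator's provisioning system, not the subscriber)
 * and states the access and CPE limits. Verifying the MIC values needs MD5,
 * HMAC-MD5 and the operator's secret, which this example leaves out. */
int cm_config_registrable(const struct cm_config *cfg)
{
    return cfg->has_cm_mic && cfg->has_cmts_mic &&
           cfg->net_access == 1 && cfg->max_cpe >= 1;
}

/* Constructed sample: NetAccess=1, MaxCPE=4, CoS{class 1, max US 1 Mbit/s},
 * placeholder MICs (0x11.. and 0x22.., not real digests), end marker. */
static const uint8_t sample_cfg[] = {
    0x03, 0x01, 0x01,
    0x12, 0x01, 0x04,
    0x04, 0x09, 0x01, 0x01, 0x01, 0x03, 0x04, 0x00, 0x0F, 0x42, 0x40,
    0x06, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
                0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x07, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
                0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0xFF
};
/* Same limits with the MICs stripped, as a subscriber-edited file would look. */
static const uint8_t subscriber_cfg[] = { 0x03, 0x01, 0x01, 0x12, 0x01, 0x04, 0xFF };

int truncated_sample_parses(size_t n)          /* parse only the first n bytes */
{
    struct cm_config c;
    return parse_cm_config(sample_cfg, n, &c);
}
int sample_registrable(void)
{
    struct cm_config c;
    return parse_cm_config(sample_cfg, sizeof sample_cfg, &c) == 0 && cm_config_registrable(&c);
}
int subscriber_cfg_registrable(void)
{
    struct cm_config c;
    return parse_cm_config(subscriber_cfg, sizeof subscriber_cfg, &c) == 0 && cm_config_registrable(&c);
}
uint32_t sample_max_us_rate(void)
{
    struct cm_config c;
    return parse_cm_config(sample_cfg, sizeof sample_cfg, &c) == 0 ? c.max_us_rate : 0;
}

int main(void)
{
    printf("operator file registrable: %d (max US %u bit/s)\n",
           sample_registrable(), (unsigned)sample_max_us_rate());
    printf("subscriber file registrable: %d\n", subscriber_cfg_registrable());
    return 0;
}
```

The point the example makes about the thread's argument: the modem-side settings (network access, CPE count, rate limits) are just bytes the modem reads, so a subscriber who controls the modem could feed it anything, which is exactly why the CMTS MIC exists and why the CMTS, not the modem, is the enforcement point.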


> I am on fiber and if I want to I can hook up my own router directly to fiber with an SFP+ module

I don't think you quite understand how this works.

The ISP controls whatever the other end of that fiber is plugged into. It doesn't matter if the medium is fiber, or copper, or a piece of string. The ISP always has control of the other side of the customer interface. It doesn't matter if the box physically resides in your home or not.

In the case of Starlink, it's all contained within one box.

In the case of DOCSIS (cable), you may physically own the modem, but the ISP controls the firmware it netboots and has full remote admin to the device.


Owning the modem only gives them access to the link layer. It didn’t give them any access to my router or to my https traffic


Do you think root access on your router gives access to your unencrypted https traffic?


It gives them access to the LAN so they can, for instance, figure out how many internet gadgets your house has and sell that information to advertisers, or do even worse than that.


depends


Sorry, but your answer is all over the place. First you talk about the other end and then you talk about the modem. I don't care about DOCSIS, it's slowly dying here, almost all people have fiber to the home in my country (last time I checked, it's getting close to 90%).

So, let's talk about fiber. So:

The ISP controls whatever the other end of that fiber is plugged into. It doesn't matter if the medium is fiber, or copper, or a piece of string. The ISP always has control of the other side of the customer interface. It doesn't matter if the box physically resides in your home or not.

Sure, the ISP owns the other end, but what's your point? By using my own router (and my own SFP+ module, which is less important), the ISP does not have a device (backdoor) on my network and cannot control my router. Sure, they could capture traffic on their end, but at that point it's pretty much all encrypted anyway. If I don't trust my provider knowing to what individual hosts I connect, I could set my router to tunnel all traffic to another host/VPN/whatever.

At any rate, using your own router + maybe modem removes the worst backdoor when it comes to providers.


The correct answer is no one outside US Government IT knows for sure what is or isn't approved per their own rules. Every article (and the comments therein) is just speculation and people trying to confirm their own biases, desperately looking for something to blame someone for, to produce more rage-bait and thus feed more ad clicks.

Every single article is written with the presumption that there are no actual IT people in the White House, that someone wheeled in a Starlink dish on a dessert cart in the yard which is somehow running the entire government. It's silly and ridiculous.


> It's silly and ridiculous.

As is putting someone with a brain parasite and anti-vax beliefs as the head of HHS, but here we are.

“Silly and ridiculous” does not mean “implausible” with this administration. It’s the standard.


> The correct answer is no one outside US Government IT knows for sure what is or isn't approved per their own rules

Veterans Affairs actually publishes a list of approved software as part of their Technical Reference Model: https://www.oit.va.gov/services/trm/ (don’t know how complete it is)

But I’m not aware of other agencies doing this. I suppose that VA, given the nature of what they do, likely feels that there is less risk in publicising this information

There’s also the FedRAMP program for centralized review of cloud services - fedramp.gov - I haven’t looked to see if Telemessage is listed as approved but I see some references to FedRAMP and Telemessage online suggesting that it may be

Another source of info is SAM.gov - https://sam.gov/opp/ab5e8a486e074d73bfe09b383ba819ab/view (that’s for NIH) - if there is an agency paying for it, you can assume they’ve approved it for use (or are in the process of doing so) even if they haven’t otherwise publicly said they are. But, not all contracts are public, so just because you can’t find it on SAM.gov doesn’t mean it doesn’t exist


>that someone wheeled in a Starlink dish on a dessert cart in the yard

That situation was ridiculous, in that, to score the marketing points while fighting with White House IT, the Starlink was installed at a remote location with much the same point of failure as their fibre services.




What does conservative brain drain mean?


A few decades ago, the Republican party had one foot in the anti-intellectual camp, but only one.

They were the party of young-earth creationists, religious pro-lifers, climate-deniers and gun-lovers - but also of educated fiscally conservative folks. The party would welcome economics professors and leaders of medium-sized businesses, promising no radical changes, no big increases in spending or regulation, and a generally pro-market/pro-business stance.

The genius of Trump was in realising the educated fiscally conservative folk were driving 95% of the republican policy agenda but only delivering 10% of the votes. The average Republican voter loves the idea of disbanding the IRS and replacing all taxes with tariffs on imports. Sure, you lose the educated 10% who think that policy is economic suicide - but you can more than make up for it with increased turn-out from the other 90% who are really fired up by the prospect of eliminating all taxes.

And it works - jumping into the anti-intellectual camp with both feet has delivered the house, the senate, the presidency (electoral college and popular vote), and the supreme court.

The conservative movement has a brain-drain because they've realised they don't want the votes of smart, educated people.


Even more amazing considering that 90% doesn't pay any federal income taxes anyway.




It's probably closer to the truth than not.


What's anti-intellectual about religious pro-lifers?


Their take on scripture is deliberately anachronistic. We didn’t have the medicine or sanitation 2000 years ago to place their kind of value on a fetus.


The medicine in question comes from the very scientific establishment that grew out of scholasticism, which is why I find the accusation of anti-intellectualism rather strange.

My point is that you have to distinguish between arguing against the output of the intellectual activity and arguing against the intellectual activity taking place.


The medicine that I said didn't exist back then? I think you misread my comment.


It’s possible that I misread it, since I don’t understand the accusation of anti-intellectualism.

Isn’t it rather pro-intellectual to found universities like that of Bologna in 1088 and pour massive amounts of resources into research to ensure we eventually get to the level of obstetric medicine that we have?

And isn’t it on the contrary intellectually lazy to throw your hands up and declare life to be disposable simply because you don’t know how to treat and prevent diseases and can’t be bothered to figure out how?


If I'm following you, I should state that I don't see anything anti-intellectual in Christianity as a concept or in practice. The anti-intellectualism I was referring to is specifically regarding the idea that the bible proscribes abortion, solely because the train of thought is anachronistic.


Palantir has a lot of IT employees, as do Oracle and Musk's companies, which actively support Trump.


Are you trying to prove their point?

