[FoRK] Atom vs. JSON? Re: Microsoft gets a new religion: VisualStudio Core, aka Atom

J. Andrew Rogers andrew at jarbox.org
Sat May 30 14:56:28 PDT 2015


> On May 4, 2015, at 6:20 PM, dan at geer.org wrote:
> 
>> <snip>
>> I've mentioned it before here but a lot of open source software is
>> slowly being killed by the cloud because cloud providers generate
>> a lot of margin on TCO arbitrage. Most open source infrastructure
>> software is badly architected and poorly implemented because so
>> much of it started with the design of one person trying to solve a
>> problem they were not experts at solving, which has punishing TCO
>> implications at scale.
>> </snip>
> 
> Well, well taken.  Since I'm focused on security software, do
> you think your comments (cloud eclipse of open source) apply
> less, more, or the same to security software, per se?  If you
> prefer, you can broaden your answer to include any software
> that requires trust built on hostile analysis of the code
> body.


I am not sure; too far out of my area of expertise.


Two considerations come to mind that put open source security software in an awkward place:

The exploitability of silicon, microcode, and firmware below the level where open source security software usually operates is an unsolved problem. Most computing hardware comes with an exploitation vector built-in these days. It was always there but the increasing strength of the software stack is making lower level attacks more attractive and they are being used more often. The software is a Maginot Line and the hardware is Belgium.

A lot of the cloud infrastructure silicon is becoming semi-custom and a lot of what is being put into the “custom” part is security- and robustness-related. Big cloud providers have teams of people that know how to monkey their own hardware systems (semi-custom silicon, firmware, and boards) and it is becoming a pretty common practice. In some ways, this is a renaissance time for infrastructure hardware.


For me, looking at this, it comes down to this:

Basically, I do not trust hardware I can buy generally, and there is sufficient evidence of broad exploitability that it renders the trust of software moot to some extent. Big cloud providers are investing real effort in securing and increasing robustness of their hardware at a low level both for reputational and TCO reasons, an option not currently available to the open source community at large. In recent conversations with a couple of vendors, this has become a point of marketing for them.

Even if/when it trickles down into the commodity components, it is not clear that the open source community will embrace it since hardware is strongly vendor-centric.
