CISA and FBI recommends all critical software to not be implemented in C/C++ by 2026
CISA and FBI recommends all critical software to not be implemented in C/C++ by 2026
This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs).
Rust lobbyists winning
They’re currently exploring using AI to mass translate software from C to Rust, which will be hilarious if it doesn’t cause Armageddon
I'm actually in favor of this. It's a really good idea, and I hope the state uses it for all the important databases they're gonna use to put us in the camps.
Please dont be a hater. Comrade AI might just save lives here.
that seems like it wouldn't work very well except maybe for small programs. the kinds of bugs they're trying to catch and prevent here may need substantial changes to the program's design in order to prevent. Like the borrow checker literally does not exist in C and it is not a thing people thought about when writing asynchronous C code. Maybe the AI will take a shortcut and write a bunch of unsafe rust code, but in that case what's the point?
This won't work completely. Large language models usually fail thoroughly when writing Rust code as there's not as much training data.
LMAO!
"And where did that bring you? Back to me."
- COBOL
Which do you think happened?
-
Honest appraisal of C++ security problems
-
They figured out some security hole in C++ programs that makes them even worse than we thought
-
Some contractor bribed them to say this so that they can get contracts porting stuff to Rust
-
Some contractor dug up new legitimate security holes in C++ programs so they can convince the FBI to say this so they can get contracts porting stuff to Rust
-
High ranking FBI officials are rust fanboys
I think contractor bribes, but I think that last two are fun.
It's just the obvious thing. C and C++ don't have safeguards against dangerous programming mistakes. Programming languages exist that do. There are to this day still software vulnerabilities being caused by subtly incorrect code that C and C++ require being treated as legitimate.
-
Must be a lot of rust devs in the streets if we’re getting a make work program for em…
Am I wrong or is this a strong point in favor of c/c++? I'd generally want to do whatever the opposite is of what the FBI would like me to do.
"critical software" here refers to weapons systems, spying systems, government surveillance systems, cyberwarfare software, etc.
Do you work on critical software
If I did, it wouldn't 😉
"critical software" here refers to weapons systems, spying systems, government surveillance systems, cyberwarfare software, etc.
Why would they announce it instead of just memoing to their ghoul coders?
their reasoning is that rust (and perhaps others) that can be used in place of c or c++ have stronger compile time memory and thread safety checking which are two major sources of bugs and exploit vectors. So it's not like they're infiltrating the language in this case the way they would with crypto.
Right but AI translating of all government code is good. This is what you want, especially if shit goes down. Dont tell your enemy to stop pouring the kool aid.
Nah, that kind of reasoning is like "nazis think people should get armed, so we shouldn't."
It's not really a strong point. C++ has its place for graphics programming and gamedev and C has its place for embedded, but Rust would be a better choice for something like a cryptography app to help revolutionaries communicate for example.
JAVA IT IS MWAHHAHHHAHHAHHAA
You joke, but modern Java is much less bad than it used to be, the JVM is very well optimized, and other JVM languages like Kotlin and Clojure are actually good.
Yeah, kotlin rules
Permanently Deleted
They blow me cuz they below me
Skill issue. Just write better code
I hope you're joking. This mindset has had terrible consequences, such macho bullshit needs to go.
The Zionazis will find your mistakes before you do. So have the computer check your work as much as possible.
This kind of makes me want to write code in C out of spite.
I really want Go but without a garbage collector is that too much to ask
have you like, tried Rust?
comrades pls don't think Rust is bad just because the bad guys have realized it's good
My only real criticisms of rust are aesthetical. I never liked how C++ is full of macros and :: and <> and rust inherits that a bit.
I use Go because of the work I do right now, which is deep in Kubernetes and APIs for which Go is just more convenient. Protobuf and K8S are of course supported by rust and many other languages as well, but in Go it’s simply easy… Go was designed from the bottom up to write APIs basically so it’s good at that. And most, almost all, of the K8S ecosystem uses Go which means I’d need a good reason not to use Go for that since standardization, interoperability, and ecosystem are key concerns.
You can use rust for this too, for sure no problem. But with Go you’re doing all of that pretty much out of the box.
The Go ecosystem in general is a little bit stronger due to higher adoption, although I wouldn't really call that a weakness of rust.
And finally less people use Rust which is another consideration for long term maintenance concerns, but to be fair Go adoption is also low.
I’m never an evangelist for any language. Well, if I could simply write everything in typescript I would to be honest because I think it’s just swell but obviously its not for this use case, and the above are the reasons why I use Go and get my teams to use Go for the use case of services, Kubernetes controllers, and since we want to use Go for those things we then also use Go for other random things like CLIs etc just because it makes sense to limit tech stack sprawl.
also, separate comment, what are you generally building? if you're writing Go because it's network code, you might want to look into Elixir. It's GC but the behavior of BEAM is more soft-RT friendly due to its history in telephony, you might be more at home there
i have not tried it myself but have you taken a look into zig? it looks alot like go but is lower level. i have heard good things about it and it looks nice. of course the ecosystem is quite limited since it's a quite new language
I haven’t checked it out at. Thanks for the suggestion :), it might be the dream
Is CERT code included? I think there is a group working on a secure version of C++ as well. I'm not convinced that shifting experienced programmers to mew less familiar syntax will improve software quality. Improving the language rather than changing to another might be a better approach.
I guess assembly also ought to be avoided since all of the power/flaws of C are extant in it as well.
