The lead editors are responsible for maintaining ethical standards, and they represent the NYT. Adjust your impression of the NYT reputation based on this story. Also see the other comment on this article about Naomi Wu being doxxed, where the risk is deadly living under a tyrannical regime: the NYT hired the journalist responsible, who doesn't believe any mistake was made there.
It's just assumed in your comment that this should only be about the media outlet, and that we should ignore the journalist involved.
The problem with people trying to shut down others primarily comes from individuals. Often that's individuals on social media. In this case it's a journalist. These individuals can destroy other people's lives, yet they essentially face zero consequences for doing so.
And each time they succeed, like in this case, they embolden others to do it.
For Twitter, you have a point. For something being paid for and published by an organization, this is driven by the organizational culture which pays them to do so.
You shouldn't trust someone who misleads with: "Now, 70% of the CVEs originating at Microsoft are memory safety issues, Levick said. “There is no real trend it’s just staying the exact same,” he said. “Despite massive efforts on our part to fix this issue it still seems to be a common thing.”"
There is a trend, and the trend has been a MASSIVE reduction in memory errors. The percentage of security issues that are memory errors says nothing of the totals, which is what matters.
Microsoft could go through 2021 with only one CVE and we'd see articles like this saying "100% of security vulnerabilities are caused by memory errors, we must switch to Rust!"
Here is the data from Microsoft Security Response Center on this [1]. Slide 5 shows double as many CVEs as 4-5 years prior, triple as many as 6-8 years prior. Further, slide 10 shows 70% of CVEs are memory safety and that ratio has been constant since 2006. It follows that the absolute number of CVEs which are memory safety is double 4-5 years prior and triple 6-8 years prior, which is inconsistent with a massive reduction.
The magnitudes here are in the many hundreds of CVEs per year from Microsoft (and growing), not "one CVE in 2021". 70% there is not a negligible number.
Now divide the number of CVEs in each year by the LoC maintained. You're again looking at completely the wrong number. Line-for-line, C/C++ written today at MSFT/Goog has fewer memory errors than 10 years ago, and even less exploitation of memory errors. Anyone who lived through the rise and fall of Internet Explorer intuitively knows this.
Dividing by the LoC is a mistaken way of looking at this data. Regardless of the amount of code in a browser or in Windows, an attacker may only need ONE exploitable bug to cause mischief. If the amount of code in Windows grows by a factor X from year to year, the CVEs per LoC better be shrinking by at least factor X (this is where Rust comes in) or else the system is getting less secure. Thus the absolute number is the relevant metric, and indeed is the number reported by Microsoft Security Response Center.
> the CVEs per LoC better be shrinking by at least factor X (this is where Rust comes in) or else the system is getting less secure
Do you really think Windows 95 was more secure than Windows 10? Or that IE6 was more secure than the latest IE? The newer versions are way more secure, it's not even close. Your data is giving you incorrect conclusions, because you're combining and cutting the data in ways that don't make sense.
> There is a trend, and the trend has been a MASSIVE reduction in memory errors. The percentage of security issues that are memory errors says nothing of the totals, which is what matters.
Except that CVEs seem to be increasing over time across the industry, not falling. There is no overall reduction in the numbers.
I agree. While Rust is clearly a step forward in programming languages (and we need a step forward), modern tools built to deal with the issues common in C and C++ like coverage-guided fuzzers, ASan, Valgrind, etc. have made huge improvements in finding memory safety vulnerabilities and other issues. Mitigations have also improved, making it more difficult to exploit memory safety issues.
While I think that unmanaged (i.e. no runtime or interpreter) memory-safe programming languages are a good idea, they're not magic and we shouldn't ignore the other major security tooling improvements recently.
I should note that fuzzers/address sanitizer/Valgrind are very good tools, but they are not perfect. Projects that use them heavily still see issues due to memory-safety bugs. (And yes, memory-safe programming languages are not a magic bullet to fix all bugs; they just help with memory safety…)
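To make concrete what the comments above mean by the bugs that ASan or a fuzzer surface at runtime, here is an added example that is not from the thread: a heap out-of-bounds write of the plainest kind, next to a bounds-checked version. The function names, the record size and the constructed input are assumptions for illustration.

```c
/* Added example (not from the thread): an unchecked memcpy into a fixed
 * heap buffer, which ASan reports as heap-buffer-overflow and which a
 * coverage-guided fuzzer steers toward by growing the input, beside a
 * bounds-checked version. Names and sizes are assumed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECORD_LEN 16

/* Vulnerable: copies len bytes into a 16-byte heap buffer with no length
 * check. For len > RECORD_LEN the copy writes past the allocation; under
 * -fsanitize=address ASan aborts with a heap-buffer-overflow report, and
 * without ASan the corruption is silent. Caller frees the result. */
char *copy_record_unchecked(const unsigned char *src, size_t len) {
    char *buf = malloc(RECORD_LEN);
    if (!buf) return NULL;
    memcpy(buf, src, len);   /* no bound on len: this is the bug */
    return buf;
}

/* Hardened: reject over-long input before touching the heap buffer.
 * Returns NULL on rejection so the caller has to handle the failure. */
char *copy_record_checked(const unsigned char *src, size_t len) {
    if (len > RECORD_LEN) return NULL;
    char *buf = malloc(RECORD_LEN);
    if (!buf) return NULL;
    memcpy(buf, src, len);
    return buf;
}

/* Drives the checked path with a constructed input of the given length.
 * Returns 1 if the copy was accepted, 0 if it was rejected. */
int checked_accepts(size_t len) {
    unsigned char input[64];
    memset(input, 'A', sizeof input);   /* constructed sample input */
    char *r = copy_record_checked(input, len);
    if (!r) return 0;
    free(r);
    return 1;
}

/* Same for the unchecked path, restricted to in-bounds lengths so the
 * demonstration itself stays well-defined. Returns 1 on success. */
int unchecked_in_bounds_ok(size_t len) {
    unsigned char input[RECORD_LEN];
    if (len > RECORD_LEN) return 0;     /* keep this helper in bounds */
    memset(input, 'B', sizeof input);   /* constructed sample input */
    char *r = copy_record_unchecked(input, len);
    if (!r) return 0;
    free(r);
    return 1;
}

int main(void) {
    printf("checked, len 16 accepted: %d\n", checked_accepts(16));
    printf("checked, len 17 accepted: %d\n", checked_accepts(17));
    printf("unchecked, len 8 ok:      %d\n", unchecked_in_bounds_ok(8));
    /* Calling copy_record_unchecked with len 32 here is the ASan finding:
     * build with  cc -fsanitize=address -g  and run it to see the report. */
    return 0;
}
```

The point the thread makes holds here: ASan only reports the overflow when an input with len > 16 actually reaches copy_record_unchecked at runtime, which is why it is paired with a fuzzer; the checked version, or a language that enforces the bound, removes the class of bug rather than depending on the bad input being exercised.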
Because Microsoft (and Google, who shares this opinion on memory safety in C++) are the groups that develop ASan and similar tools, and who have some of the best practices around code review, testing, and CI.
Yet they still say Rust is better in the long run. Why do you think that is?
Valgrind was not developed by Google and probably accounts for the main reduction. ASan has seen a way more recent takeup in OSS.
Microsoft and Google are not monoliths, and this particular submission is from a "cloud developer advocate", so I attach exactly zero importance to it as far as C/C++ are concerned.
> , so I attach exactly zero importance to it as far as C/C++ are concerned.
He's repeating statistics that members of the C++ committee will agree with, so I'm not sure what's controversial.
> Valgrind was not developed by Google and probably accounts for the main reduction. ASan has seen a way more recent takeup in OSS.
You miss the point. Despite these things, and despite aggressive compiler flags and everything else, the majority of bugs are memory safety issues. Whether you look at Windows, Chrome, or the Linux kernel itself (KASAN). That seems fairly conclusive.
And yet here you are arguing, what exactly? That the person making the statement isn't technical enough for you, so it's all lies?
As a bit of an aside,
> Valgrind was not developed by Google and probably accounts for the main reduction
I never said it was. However one of the most active maintainers works at Mozilla, whose opinion on the safety of C++ is also probably in line with Google and Microsoft here, given their relationship with Rust.
> This is about CVEs. CVEs are about exploitable vulnerabilities, and most of useful software in that area is in C/C++.
I'm not sure what you're getting at here. The claim isn't that 70% of CVEs are memory vulns, but that 70% of CVEs in C/C++ are memory vulns. So how much or how little C/C++ is used is irrelevant.
> If anything, I'd be interested in the numbers of the internal ad-critical C++ code in Google or a HFT bank.
Do you think that Google wouldn't be pushing as hard as they are for improvements in this space if they thought things were fine and dandy?
I've lived in Capitol Hill for 9 years. I've been attacked twice by crazy people. One time it was a physical attack, the other time it was a man singling me and my family out and approaching within a few feet while screaming very aggressively (my family was visiting me at the time).
I'm a large man. It's worse for people who are not physically imposing. A woman I knew worked an early shift job (leave at 3:45am to open up). She was regularly followed and harassed while walking to work, sometimes by gangs of men; she left the city in less than a year.
These problems are getting worse because there are literally hundreds of thousands of citizens (you can see them in this comment chain) who will rush to disagree with anyone who raises these problems. I'm well-equipped to buy a house here, but we decided several days ago to stop looking for one. We decided we're going to leave the Puget Sound area to get away from this.
WaPo holds the distinguished title of being the first and only newspaper in the US whose editorial board endorsed the arrest and criminal charging of their own source.
I hold the WaPo in high regard and tend to read it everyday but I missed this entirely, and it sounds rather shocking. Could you please source your statement?
Me shouting at a cloud: "every day" means "all days" or, adverbially, "on every day"; "everyday" means "ordinary, common, expected".
I know I'll get downvoted, but I see the conflation of "everyday" and "every day" everywhere and it's driving me bonkers.
ETA: Note, they are pronounced differently. "Everyday" has a single primary stress on the first syllable. "Every day" has two primary stresses, one on the first syllable and one on the last.
Snowden passed his trove of classified info to two papers: WP and Guardian. Snowden never published any of his trove, he relied on these two papers to determine what was newsworthy and publish it.
WP published various parts of the trove they deemed newsworthy, and ultimately won and accepted a Pulitzer for this.
Then the editorial board signed and published a statement that said some of what was released from the trove actually wasn't newsworthy and were reasonable and legal defense programs. The editorial board recommended that because of this Snowden should be charged. In the editorial itself they acknowledge that the illegal behavior that was discovered can't be used as a defense in court.
The WP was offered and accepted the responsibility to parse this trove and publish only what is newsworthy. They messed up and published a couple of documents that weren't newsworthy. They never published any kind of apology or correction for it; instead they indicted their own source, and recommended he be charged for that!
There's an unprecedented level of malice and incompetence displayed here. Look at the revolt in the NYT newsroom about the Cotton op-ed, and compare to literally not a word said in opposition to the WP editorial (which was written and signed by the editorial board, unlike the Cotton op-ed). The WP is rotten throughout, and shouldn't be held in even the slightest regard as a newspaper when they use their position to destroy the protection of sources that journalists fought for so long to preserve.