NIST doubles security with version 2.0, Fifteen Year Path to Profitability for Nutanix, White House declares war on C and C++, and more!
Welcome to Tech News of the Week with your host, that critical patch bundle that you're totally gonna get installed next week.
Welcome to Terrestrial Nudes on the weekend. This is our weekly tech news podcast where we go over 4 stories that caught our eye. Chris, why don't you kick us off with something about NIST?
Something about NIST? Oh, sorry. I thought we're doing the repeat game. NIST releases cybersecurity framework 2.0, now with double the security. Get it?
Because it's 2.0, and the last one was 1.0. So, like, when you take the one and you multiply it by 2, you get 2, which is twice as many. Jokes are always better if you explain them. I think Gallagher said that. Anyway, the Cybersecurity Framework, or CSF as the cool kids call it, is a model framework for companies to build a cybersecurity program around.
The 1.0 version came out all the way back in 2014, which makes it approximately 1000 years old in the Internet age. For comparison, Rickrolling only started in 2007, but I bet you thought it happened in the Clinton administration. The CSF was designed to help, quote, "critical infrastructure" in 5 key areas around defense against cyberattacks. Those areas were identify, protect, detect, respond, and recover. Now this 2.0 update expands the reach beyond just critical infrastructure to all business and government realms, including brand new sections devoted to small businesses.
This 2.0 also adds the govern pillar to the original 5, highlighting the boring but essential role policy plays in keeping IT resources secured. NIST also released a swath of free online resources to help implement the CSF, which will be a great boon to many companies looking to improve their security posture. The new goal of the CSF, according to NIST director Laurie Locascio (took a shot at it), is, quote, "not just about the one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization's cybersecurity needs change and its capabilities evolve." And did I mention free?
In conclusion, just click the link, Leonard. You need to read this stuff.
15 year path to profitability for Nutanix. Hyperconverged software vendor Nutanix has published a net profit with their Q2 2024 results. This is the first time in their 15 year history that they've been profitable. Yay. We did it.
That's not to say that they haven't had decent revenues over the years, but they've never quite been able to spend less than they bring in. Must be all those booth babes on Ferris wheels.
I am not clicking that link. I don't want to get on another list.
One of many reasons that I've never really liked Nutanix as a company. Although their CEO, Rajiv Ramaswami, didn't directly say it, the blockbuster quarter was certainly fueled by the absorption of VMware by Broadcom and the concomitant price hikes that followed. I would expect the tailwinds of the acquisition to continue to fill the sails of many VMware competitors including Nutanix, Scale Computing and Red Hat. Nutanix also has a partnership with Cisco's HyperFlex HCI, which makes me wonder how soon an acquisition might be coming for Nutanix by Cisco. That was on my prediction sheet after all, and finally having a profitable quarter might just be the sign to Cisco or other possible suitors that it's time to put a ring on it.
The White House declares war on C and C++. Mhmm. Yep. You heard me. What a world we live in.
We go from the release of CSF 2.0, an unambiguously good thing, to Biden's White House saying that C and C++ are bad because cybersecurity? Dumb thing. TLDR. Ostensibly, the reason for this announcement is the security concerns that these bedrock languages have, particularly around buffer overflows, everybody drink, and memory management. Now I'm going to leave jokes about Biden and memory to the side.
If you like unfunny things, you can always go back to Twitter. The idea here is simple. The way C and C++ handle data in memory is not secure. There are other languages that do it securely. You should use those languages.
To quote the document itself: "Programmers writing lines of code do not do so without consequence. The way they do their work is of critical importance to the national interest. In order to reduce memory safety vulnerabilities at scale, creators of software and hardware can use secure building blocks of cyberspace," unquote. Ignoring the fact that that sentence sounded like it was written by AI, the report does not name the languages which should be used. Instead, of course, it says that they should just be, quote, "memory safe."
This, I guess, ignores the fact that it is totally possible to write memory safe C and C++ code. So I don't know. I get that being secure, especially in programming, sometimes means taking some not so obvious routes. But this whole thing really has a "warning: do not drink" sticker on the Drano bottle vibe to it to me. One would have hoped that everyone knew this already.
But I suppose there's always a small percentage that don't. And if you're one of them, just use Rust, I guess. Why not? But don't tell you're doing it. That dude gets real mad when you talk shit about C++.
I didn't even get into it on the main show, up and coming, but that was one of the recommendations of the Secure by Design report. It was to use memory safe languages, and they specifically called out C and C++ as being insecure. Fun. New Zealand is gaslit on leap day. Self-service gas pumps in New Zealand suddenly stopped being able to process credit card transactions on Thursday.
The cause? Leap day. Apparently, the code running on the Invenco supplied terminal was unable to properly handle the date and just stopped processing credit card transactions. Other forms of payment continued to work, and it appears that the issue was constrained to only Invenco terminals in New Zealand. Worldline, who supplied the original code for the credit card processing, reported that all their other customers had no issues.
So it would appear to be something specific to Invenco's implementation. The outage lasted for about 10 hours until a software fix could be rolled out to resolve the issue. Let's hope the patch remembers to also account for leap hours, leap minutes, and leap seconds, all of which are real things because our solar system is a random collection of unplanned matter in physics slowly sliding into inevitable entropy. Also, time is a flat circle.
I mean, I've been saying this for years. Leap day only comes around once every 4 years. Right? It should just be a holiday. Yes.
So what you know, that's what the gas pumps were doing. They were trying to help us out.
They were on holiday. Alright. That's it. We're done. Goodbye, everybody.
Go away.