If you're concerned that Rust has been compromised you should consider where that leaves Python.
The NSA is both offensive and defensive. Part of their mandate is to protect American infrastructure from foreign attacks. A switch like this is one of the easier ways to protect against foreign threats and it is something that is routinely advocated for by most large tech companies and cloud providers.
As for that Datacenter in Utah - it is a large Government project. The idea that the US Government is efficient with its resources or that its operatives are trying to maximize the use of their resources is not well supported by historical precedent. If the project is written off as yet another make-work job project for a reliably red state then I am sure we can all sleep well knowing that our tax dollars have been well spent.
That's how they're supposed to operate, not how they actually operate. They've been hoarding zero-days for years, and they have even worked surreptitiously to undermine encryption by endorsing algorithms that they had already compromised. They couldn't give a single fuck about protecting US infrastructure if it comes at the cost of their offensive weapons portfolio.
You have far greater faith in the ability of a leader to create organizational alignment than I do. Are you sure there isn’t some part of the NSA which is on an ego-driven mission to prioritize national security?
It has nothing to do with leadership, just incentives. If you're a world class hacker, your most prominent options are:
1) do black hat shit and risk prison time for gains that are hard to realize
2) work in white hat security and get paid a ton of money
3) work for the government and make very little money, but get to do black hat shit with impunity
It's pretty easy to imagine that the people submitting applications to work for the NSA have no interest in protecting the US from big bad overseas hackers.
I think it doesn't require organizational alignment or faith in a leader for bad acting to occur. While I agree reality is more often obvious and mundane, the NSA has demonstrably not operated in the USA's best interests. The Snowden leak proves its inefficiencies, lack of oversight, and lack of access governance. History supports your point, but it also supports counterproductive actions and nefarious self and private interests by individuals and small groups within those government agencies. It only takes a few minutes searching for leaks that made it to the mainstream media to show both statements are true.
While this topic is about the NSA I feel these are relevant questions:
Why do we still have an FDA given they fail so regularly to catch food and drugs that harm people?
Why do we still have an FTC given they've failed so regularly to prevent monopolistic behavior from telecoms?
Why do we still have an FBI given they fail so regularly to prevent mass shootings and domestic terror attacks?
Why do we still have an NSA given they fail so regularly at sharing information, allowing foreign entities to penetrate our financial and tech sectors?
Surely you recognize at some point inefficiency must give way to the question, has this been done intentionally? Especially since that is supported historically.
Oh I'm sure bad acting does occur. That is not the question at hand.
The question at hand is: Is a recommendation to use memory-safe programming languages evidence that those languages are less safe than we previously thought?
There are two competing notions:
A. This being announced now is evidence that the NSA has recently succeeded in finding a way to subvert the security guarantees of Rust.
B. This being announced now is evidence that the good actors (or actors who want to appear good) in the NSA have finally gotten through the red tape to do what is nominally their jobs.
And to be able to discern between the two possibilities, you just have to ask yourself the question: have specific NSA technology recommendations consistently been provided in our best interest?
Their track record is spotty at best, and has only gotten worse over time. So to the extent that they are recommending using memory safe languages, that's great...it's advice that would be corroborated by other institutions, researchers, and practitioners. But the moment they recommend a specific set of technologies to use, that should give you pause.
That being said, the report doesn't specifically recommend just those specific languages, and merely provides them as examples...so as long as I'm not in charge of securing an adversarial nation/state's infrastructure, I'm not gonna worry about the potential nefariousness of this recommendation.
Those questions are stupid, it's like asking why bother having software if it so regularly has bugs? There must be a nefarious plan behind the software development sector!
There should have been a commission formed about the p0wn goal that was EternalBlue. Microsoft charging for security patches should get the execs thrown in jail. The NSA should be disclosing big RCEs like this to the vendor and figuring out how to ensure that everyone is patched.
A commission would find that there was no problem whatsoever.
Almost everybody misunderstands NSA's defensive mandate. They aren't corporate America's QA department, they don't have a "let's find and report exploits" mission - their defensive mission applies to "national security systems" and other "defense industrial base" ones. Those are computers/networks running fairly specific tasks; they are generally not internet connected, and sitting in secure buildings with 24 hour security and surveillance, so securing them revolves around a lot of physical security and controlled access.
YOU don't have one of these systems, corporation XYZ doesn't have one, there is no requirement NSA disclose jack shit to anybody unless they want to. And in the ETERNALBLUE case one of their tools leaked so they helped head off a lot of problems by voluntarily telling Microsoft about it.
As for who is responsible for this - I thought all the people here are free market worshipers. If Silicon Valley tech companies, one of the richest classes of private enterprises in the world, need what are effectively government subsidies to cover their bug-ridden insecure products, well that sounds like multiple market failures to me.
NIST Dual EC DRBG never really gained adoption. As far as I could find, some did use it for FIPS conformity until 2014. The attempt is still egregious though.
You act as if the NSA is one monolithic hive mind. They have offensive cats and defensive cats, and they don’t talk to each other as much as you’d think they do.