> Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. the CVE website will still be up.
Basically when any software/library/whatever has a vulnerability, they have to communicate that out themselves, in some format.
If I'm developing a product built on 20 libraries, it won't just be a matter of scanning CVEs for major vulnerabilities any more, so I'm more likely to miss one.
"always update" doesn't always work, when to manage a product you realistically have to version pin.
This is deliberate. I just want to figure out the avenues of communication and coordination between trump admin and moscow so we can pin them down better.
So, while arguably true, there wont be a single source of truth of new cve's. It doesn't however mean there wont be.
I would imagine the only SANE option would be some kind of git repository where CNA's can collaborate. Probably run some code across to make the website that people can easily access.
Is MITRE's CVE program redundant with NIST's National Vulnerability Database? I'm having a hard time telling how the two are related, or if NVD is simply performing the same service as MITRE.
NIST NVE relies on the CVE program. (vulnerabilities get reported, MITRE assigns CVEs and publishes them, NIST then copies that list and adds their own scoring etc to it)
Grok becoming an artificial nepobaby running the entire CVE program with zero oversight sounds so fucking funny I don't even care, PLEASE god make this real holy shit I can't breathe at the thought
You manage the system and not the CVEs themselves. The simplist thing would be a list of numbers that correspond to Google docs. The owner of the Google doc can share it with the needed parties and eventually set it as public.
You truly believe that the CVE database (and others like CWE) are only about assigning serial numbers to random reports, don't you? I see people underestimating and understanding the work of others in matters like this. Is that a trend now?
No I don't believe that, but it might as well operate like that. The extra stuff isn't truly needed and was being outsourced to the companies that own the products since it wasn't providing much value. Take a look at Daniel's blog posts about CVEs for curl for what happens when you let them handle it.
I saw this same behavior quite a while back. While I'm out of the CVE game these days, it seems that there is a forever rotating new group of people who simply don't and can never see the complexities on the process.
I think it's a testament to the previous stewardship that it appears so simple.
For decades, the US could be counted upon to fund things with little immediate benefit but massive long-term positive externalities. I don't think its likely that the republican party will "go back to normal" post-Trump, so we can all kiss the long-term reputation building that American hegemony relied upon goodbye. Short of a great depression-esque political reset, I do not see things changing for the better.
Threat intelligence firm Flashpoint noted in March 2024 it was aware of 100,000 vulnerabilities with no CVE number and consequently no inclusion in NVD. More worryingly, it said that 330 of these vulnerabilities (with no CVE number) had been exploited in the wild.. Since the start of 2024 there have been a total of 6,171 total CVE IDs with only 3,625 being enriched by NVD. That leaves a gap of 2,546 (42%!) IDs.
Despite all those private companies and various OSS projects being willing to contribute ideas, infrastructure and code, they have somehow failed to coalesce into a decentralized replacement for NVD, built on CC0 data and OSS tooling.
I tried to look over the history and I only see a funding increase, CISA cut $3.7 million at the end of 2023 for the next year and in response NIST reallocated extra funding to NVD: $8.5 million in 2024
A funding shortfall and strain isn't a funding cut. And from what I see there was a funding increase.
> According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
> CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued
2024
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025
Assuming that's spread over both years it wasn't as big of an increase as I said, but is still an increase even inflation adjusted.
> 2025 article claims 30% increase in 2024 workload
Underfunding in the face of more workload isn't itself a funding cut.
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.”
Did NVD receive 300MM annual funding pre-2024? That would be a 98% funding cut.
Why? This administration is not acting in good faith, you don't have to act as if they are. People and institutions doing that is part of how we got here in the first place.
They could attack the non-steelmanned version, but that just opens them up to having their own comments attacked. You quickly get derailed. (It's sometimes called "sealioning".)
They could propose alternatives, but that too is subject to sealioning. Real alternatives are always subject to tradeoffs, and the answer to "how about you do X instead of attacking me?" is always "no".
They could refrain from discussing it, but that just allows the offenses to continue.
So what often happens is that people persist in acting as if this were a sincere discussion, and hope that a majority will recognize the quality of your argument. It's a lousy plan but I don't have much else to suggest.
I still find it wild that so many people are trying to frame these decisions through a political lens. This is the actions of a foreign bad actor dismantling critical institutions from within, not "bad policy".
> I still find it wild that so many people are trying to frame these decisions through a political lens.
Why? The decisions are pretty well politically aligned with the ideology which detests the size and scope of the government (realistically, those aspects which the ideologues feel are not in their interest). What is unexpected is the swiftness and the brutality of action, but revolutions tend to be messy, and make no mistake, this is a revolution.
> This is the actions of a foreign bad actor
Now this sounds like a coping strategy: everything is so preposterous it couldn't possibly be homegrown. Foreign influence and underhanded actions are as old as human interactions, but IMO outright plants can't succeed without a massive economic and power asymmetry between the adversaries.
lol, coping strategy? I'm not American and have no reason to 'cope' with anything. There is enough evidence to make a strong allegation about Trump being a Russian asset.
The entire world seems to be able to 'cope' with that assessment.
They are not. Trump is no libertarian or small government guy. The build the wall guy is the opposite of that. Even with stuff like social security he usually at least rhetorically claimed to be for more benifits (as long as it goes to "real Americans") and he is all for increasing police and military spending. And generally spending more on stuff that gives him money. Plus giant tax increases (tarrifs). He doesn't care much if government is dismembered as long as it owns the libs and gets rid of the public corruption prosecutors/others who might stand up to him
Trump's actions towards Putin are highly irrational. Maybe he's being blackmailed, maybe he's being bought, maybe he just has likes Putins style but there is a reason people suspect him despite it being unlikely in the general case.
> He doesn't care much if government is dismembered
This is exactly the process that conservatives take to privatise services into their own friends pockets. Destroy services until they're ineffective and use it as an excuse to privatise it.
There's no such thing as small government, only large sprawling private services that the government hands money to.
Imagine being eaten alive by a cackling hyena that ambushed you and all the while being like "hmm what is the appropriate steelman here? why do I deserve this? why is this just?"
In reality this would never happen so all these people playing steelman are just detached/insulated.
I just don't see how it is universally so, frankly. As a general guideline sure but some discernment is necessary nothing is gained from steelmanning apartheid or the third reich or torture prisons or or you see my point I hope.
We're way past the point of policy disagreements the relevant question right now is how do you stop them. It's certainly not by reimagining your adversary's actions in the most charitable light.
Exploiting the need to invent a "logical" reason to do something illogical is the exact attack vector that the Gish Gallop uses to fuck over people.
Like you get that right? This administration does not discuss or debate, it shits out lies and laughs as people play make believe high school debate games, and give them infinitely more effort than they did.
There is no such thing as "effectively arguing" against a Gish Gallop, that's it's entire purpose.
I think it’s ignorance and arrogance. The US seems to be on a path to lose technological and science leadership. The current leadership doesn’t seem to understand things that aren’t flashy. I wonder when they’ll dial back on food safety. I am sure RFK knows some vitamins that protect against salmonella
important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries. can't wait to see what plague demon spawns out of a food industry running amok after the FDA gets gutted.
> important to note: the US's food safety is already really bad. salmonella isn't a thing you have to worry about in first world countries.
There were 65,000 cases of salmonellosis in the EU in the most recent data I could find (2022). Thats a lower per capita rate than the US, but definitely not zero.
I agree that it’s not zero, but according to CDC, the US sees about 1.35 million cases per year in a population of about 346 million, which is about 390 cases per 100,000 people. Your figure for the EU over a population of 447 million in 2022 gives 14.5 cases per 100,000 people, or more than a factor of 26 less.
Being 26 times less worried about something translates, at least for most things, for me, to not being worried about it any more.
"The vast majority of chicken processed in the United States is not chilled in chlorine and hasn't been for quite a few years," says Dianna Bourassa, an applied poultry microbiologist at Auburn University, "So that's not the issue."
Salmonella and it causes are very regional in EU. Places like Finland have basically 0 cases of salmonella caused by domestic poultry products per year. If there salmonella is found from any chicken in the flock, the whole flock will be quarantined and generally fully slaughtered (meat & eggs must be pasteurized after the slaughter if they are sold). In 2023 0.1% of the tested flocks had salmonella.
I don't think he's considered a small gov conservative. He increased spending last time and has continued so far this term. His tariffs are one of the biggest expansions in gov interference in modern history. They are also attempting to significantly expand executive power beyond even 9/11 terrorism days.
Listen, I hate the debt, but we have an income problem, not a spending problem. The military looks like a waste, but it does more than build bombs i.e research etc.
The issue we have is that republican every chance they get since the 1970s have cut taxes. And then blamed democrats for causing the deficits. We don't need smaller governments. We need a reasonable tax system that taxes people. It can be progressive like it was before we decided rich people just need it easier than poor people.
Yes, I will pay more taxes sign me up, especially if they can finally fix the roads and fund research. The problem is my taxes as a middle-class person go up and rich people get a tax cut. It's stupid. I like water provided by government utilities, I like planes that don't crash into stuff because there are air traffic controllers. These things used to work because we paid for them. When you buy cheap you get cheap.
Military also employs a bunch of people who otherwise would be poor. Also provides a gentrification path for a bunch of previously poor people extending throughout their lives.
I think people VASTLY overestimate the amount of graft in military procurement.
Lockheed only has a $100b market cap. Raytheon has $200b. General Dynamics $74b
The reality is that US defense spending pays American designers and American laborers high prices for their American effort. We pay basically the same prices for ammo and supplies and services as other countries.
When we pay $13 billion for an aircraft carrier, that's just what it costs to build a gigantic boat with nuclear reactors. The French paid $4 billion for their aircraft carrier, and a $12 billion Gerald R. Ford class is over twice as large as the Charles de Gaulle (40k tons vs 100k tons), and much much much more advanced.
Americans love to misunderstand the cost of military things. They will scream about the F35's $1.5 trillion "price tag", ignoring that the estimate is for 50 years of operations and maintenance as well as initial purchase. Actual purchase price is about $90 million a plane, which is reasonable. Which makes sense, since being not stupidly overpriced was a key point of the program. The operational cost is about $40k a flight hour, which is roughly the same as the F-14, another high tech superplane program.
Yeah republicans claim to want to run the government like a business, but the first thing a business should do when they have a deficit is raise revenue! And especially in the case of the US government, the the only barriers to doing that are self-imposed.
That's a good idea to raise during the budget time or with some warning ahead of time. But even discussing the cost of CVE program itself is likely a waste of time and money. When trying to deal with 2tn deficit, looking at things that historically got ~$5M is just a distraction. And the lack of it may cost even more given how many existing agreements/contracts rely on cve to be a thing - maybe just in gov lawyers having to rewrite things.
Selling bonds is not the same thing as a family budget being in the red. Either you know this and you're making this argument in bad faith, or you don't and, well...
This is an absolute pittance compared to the total budget. And considering the current administration wants a $4T tax cut they are not interested in trimming the deficit at all.
Yep, DOGE is a song and dance distraction. If they were serious about lowering the deficit they wouldn't have laid off ~12K IRS workers (whom show a 7x ROI per head.) They also wouldn't be asking to increase the military budget to $1 trillion per year. Trump has spent 1/3 of his days in office so far golfing; $30 million+ so far paid to Trump properties for the privilege of that. This is the biggest capture in US history and it's all out in the open.
> I really can't think of a non- nefarious justification for this
Tragedy of the commons - NVD and the CVE project havr been backlogged and facing funding issues for a couple years now, and most security vendors are either cagey about providing vulns in a timely manner (as it can reduce their own comparative advantage), or try upsell their own alternative risk prioritization scores.
Every company will gladly use NVD and CVE data, but no one wants to subsidize it and help a competitor, especially in an industry as competitive as cybersecurity.
Probably the thinking goes that someone in the international community will step in. CVE is in practice a global registry for all, thus "Why should the USA Department of Homeland Security pay for all the freeloaders".
Still shortsighted and stupid, but it's plausible this is intended as leverage to get someone else to pony up.
Reduce government spending; since it's not actually a government organization (as far as I can tell, I never looked into it before), other organizations can fund it. How much goes into this organization a year anyway? I'm seeing a Mitre corporation that does lots of other stuff too that has a revenue of 2.2 billion a year.
Multi-trillion-dollar companies benefit from and contribute to this system, surely they can spare 0.01% of their revenue to this bit of critical infrastruture?
Yes, you can also run such a system based on donations. But I personally think that such a system is important enough to be paid for by the government. When you run on donations, there will always be conflicts of interest and the risk of running out of funds.
But yeah, Mitre being a private organization that was paid for by the government was a problem.
Yes, I'm sure corporations funding the CVE system would go wonderfully.
"It would be best if we don't see any severe CVEs for our products this quarter, if you want our funding next quarter."
Reduce spending. Steelmanning (not actually believing this): it probably cost a lot for what is essentially a database, and can be done cheaply by private sector (Google, Microsoft).
It's a dying empire, really nothing else to say. The USA led world order is over, we've voted ourselves out of it, and now need to learn how to deal with that.
I'll admit this is a bugbear of mine, but I think this is the reason "steelmanning" is counterproductive.
Steelmanning is a neologism that serves no purpose other than in-group signaling. There was already a perfectly acceptable term for the same concept, one with more nuance and a rich history: Charitability.
The major difference is that charitability is about treating your interlocutor with respect. Steelmanning is about using one's own intellect to make your interlocutor's argument better than them. Because charitability is based on a concept of mutual respect, if somebody clearly doesn't respect you one iota, then why would you be charitable? Steelmanning tries to divorce the person from the argument, and is ironically both arrogant and naive.
NIST maintains the National Vulnerability Database (NVD).. This is a key piece of the nation’s cybersecurity infrastructure. There is a growing backlog of vulnerabilities.. based on.. an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.. We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government, and other stakeholder organizations that can collaborate on research to improve the NVD.
> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
Vulnerability enrichment was mentioned in many talks. However, most organizations seem to handle it internally. There doesn’t appear to be momentum toward a shared or open source solution – at least not yet.
Following your comment's reference leads to a claim of NVD needing 300 to 550 million (?!) per year, but only receiving 4 million in funding. If anyone has pre-2024 data on NVD or MITRE CVE funding, that would be helpful, https://news.ycombinator.com/item?id=43701532
I've noticed that there's a post like this in most articles on HN that could be construed as negative for the current administration: some vague false statement followed by either a factually incorrect explanation or some quote that does not support the statement.
Your post has now been edited to be factually correct. But the misleading implication that this abrupt cut is part of some other cuts that started before remains.
The post (currently AND previous to comments being moved here from a different HN thread) links to the official _2024_ (not 2025) statement about NVD cutbacks. Here's a 3000 word article with quotes from Linux Foundation and commercial vendors, around the same time, https://news.ycombinator.com/item?id=43700884
I did find this post to be non-helpful and confusing. It would be helpful to edit it (or write differently in the future) to clarify that the sudden defunding event occurring today is separate and not related to the previous funding cuts. If that's the case.
Is there no connection between 2025 funding cuts and previous ones? e.g. If a year of work after the previous cuts resulted in an open-data collaboration between NVD and commercial vendors to share a subset of CC0 vulnerability metadata, could that industry collective now argue for government to share (with companies) the burden of funding an open, decentralized program for CVE tracking? Commercial vendors could still offer additional metadata and analytics, over and above the public baseline.
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
> A coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide. “CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
Reading that article closely it says nothing about an NVD budget cut, only a NIST one. They were trackijg the changes after NIST's budget was cut, not NVD's. As pointed out below, CISA announced a cut and then NIST more than made up for it by reallocating funds, for an NVD funding increase, even though NIST had their overall budget cut.
One of your references has budget numbers that are two orders (?!) of magnitude higher than the CISA number. Hopefully someone can chime in with granular historical data for NIST NVD and MITRE-via-NIST CVE funding.
Reminds me of Trump's first term where he said if we stopped testing for Covid, we'd stop catching new cases and case numbers would go down. If you stop testing for vulnerabilities then vulnerabilities go down. Easy stuff.
For those reading, a fair few of my recent posts were downvoted after this comment, and it was initially flagged.
If I violated some rule so be it, and I could care less about internet points, but it certainly feels like suppression of individuals based on individual posts which is a behaviour that could end up being the death of hn.
It seems phrasing it in the form of a joke was too much.
I was trying to convey (with levity/humor) WHY it should continue to be funded as well as the argument that should be made to the one currently in control of the spineless US Congress.
Yes, fixing the vulnerabilities is important. However what the government probably does gain from it is an inside advantage in the lead time for vulnerabilities to protect against, as well as to exploit on adversaries.
I can't believe what a bunch of bollocks this administration is. I couldn't believe it the first time, and this time I thought "Well at least I'm ready, it will be a lot like last time" and it's so much worse
A lot was lost in the midterms and Supreme Court appointments.
Hopefully these 4 years energize people to vote. I know protesting and direct action and so on are also important, but the gradient is not negative for voting for every office you can vote for in every election.
Given the current government has blown off an unanimous 9-0 supreme court decision, right now I can't feel too optimistic there will even be more elections.
I think there will be more elections, but I think they will be fraudulent, because I think Trump has shown he is adept at turning things around and then trying to pretend that what he's doing is analogous to what the other side has done.
For example, a lot of people have forgotten, but the phrase "fake news" originally came about in the wake of the 2016 election about all the (actually false) misinformation that was spread on social media in the run up to the election. Trump adeptly then co-opted the term, so any news he didn't like he could just call it "fake news", and who was to say any news he called fake was any less fake than what people were calling fake before?
My guess is the 2028 elections will be marked by fraud, and then when people protest or object, Trump and the Republicans will just say "Hey, you called all those Jan 6 protesters traitors and said the election was secure, how is now any different? Now you're all the traitors."
The only belief that gives me hope these days is "History will judge the complicit."
> Trump tells them they are OK. They are worthwhile.
The chasm between what Trump says (and what the propaganda says about him) and what he actually does is astounding. Most of his fans are completely uninformed of what he says and does. We've never had a president (and cabinet) with more conflicts of interest. He's been a pioneer at abusing power; tariffs on Canada because of a fentanyl crisis... give me a break!
> The Democrats say "we feel your pain" Fuck them, truly. Voters do not want some Harvard educated lawyer to "feel their pain".
Yeah, apparently they want some billionaire who doesn't pay his taxes, who was given millions by his daddy, and who famously stiffed small business contractors at his buildings, to say he feels their pain.
That said, I actually upvoted your comment because right now it's heavily downvoted but I actually think there is an important point behind your comment. It may feel insane to me, but Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people). Trump understood this, the Democrats didn't, or worse, branded anyone who harbored some of this anger as a bigot. This is basically how all fascist leaders come to power - the parallels with Mussolini are uncanny, right down to having a minor body part shot off in an assassination attempt.
Relevant recent example to me: a lot of folks can't understand the hypocrisy about bitching about inflation under Biden, but then saying "we'll hunker down" in response to the expected inflation from tariffs. The difference is the Trump base believes he is taking them "back to the promised land", and for better or worse Trump is definitely a man of action, so they're more willing to put up with temporary hardships if they think the direction is right. With Biden and the Dems, they just believe they'll get more of the "slow slide."
> Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people).
I agree. And they're not wrong to want to go back or blame someone. We can "go back" in terms of increasing the QoL of our populace. Idk, the Democrats were always clear about wanting to uplift people. Obamacare and Medicare for All were extremely clear policy positions meant to uplift the common man. Eliminating student debt (a policy I don't agree with) was also obviously positioned to help people improve their economic and social standing.
I don't know why people say Democrats missed this and Trump saw it? The Democrats won on slogans that capitalized exactly this sentiment. Obama's "Hope" and "Yes we can" are obviously in a context where people didn't have hope or questioned whether we could.
I think he just got lucky against bad candidates, and we ascribe way too much to his branding and the other garbage. Clinton's branding was about HER (i.e. I'm with her), not about THE PEOPLE (biggest political branding mistake in the 21st century imo). And Harris never had the popularity to go to to toe with Trump.
Idk, I think people are mad, but I think the Democrats have spoken to that more authentically and proven themselves to actually do things that help the common man than Trump ever has
The Democrats were always constrained by what's reasonable, whereas Trump has been able to promise the sky, even though delivering it means the sky is now falling.
We never ever told people they are losers for wanting a better life. One of the most popular candidates for the Dem ticket was Bernie Sanders. He actually wanted to cut our biggest budget line items and spend them on the things people worry about the most (healthcare, something most Americans worry about being able to afford).
Trump is a literal billionaire. How is him telling the sons of people who used to do manufacturing that they're okay any better than a Harvard educated lawyer saying he feels for them (Trump and Vance are both Ivy League educated, btw)?
I also want Americans to have a better life. I also think we spend way too much elsewhere instead of at home. A lot of Democrats think that and drive policies for that. Trump may care about that too, but you can't vote for who makes you feel good. You have to learn how to vote for who will actually improve your life. We are the rulers of America, we have to understand our economy, our government, etc. No one is going to do it for us. I'd much rather vote for someone who talks down to me and will deliver stability than a guy who hypes me up and tanks the economy
I'm scared that elections won't be secure, especially with the way the Republicans are trying to (arguably unconstitutionally) wield federal power to force individual states to change their systems in abrupt ways.
You are assuming there will be next elections that are free, fair, and matter.
Trump says a lot of things that ultimately doesn't matter, but he has also said, and is the type of brute to believe it, that he intends to stay in power. He and his cronies have successfully dismantled the checks and balances that should have prevented him from doing they, legally. IMO the only way he leaves the White House without stirring trouble is in a casket.
I would rather that he stays alive for the rest of his term. I am more scared of the damage that could be done by Vance. Trump is inept and easy to manipulate, but is fairly predictable in his actions. Vance and his technocrat bros could cause a lot more damage on the other hand. I'll take the devil we "know".
I fear the situation either ends badly or in a bloodshed. They aren't respecting the courts, so assuming they will accept defeat in elections is naive.
People can learn once the world puts most of its money into education.
The unfortunate part is that education is often also part of propaganda and spinning history for said propaganda. These days I wish education had a bigger emphasis on history and history should be looked at from different angles, like how the same thing is being taught from different angles.
>These days I wish education had a bigger emphasis on history and history should be looked at from different angles, like how the same thing is being taught from different angles.
It does. In higher education.
You cannot force someone to learn something. The mean-spirited bully not paying attention in high school history class and barely getting a C- to graduate didn't exactly learn anything about nuanced topics like "The Nazis didn't start the holocaust right away" and "Fascism is inherently incompetent, and that makes it so much worse"
If parents raise their kids to not consider education important (and millions of parents in the US have always done just so, we have an insane level of anti-intellectualism in this country), you won't get educated kids.
Every time someone says "I wish school taught <X>", plenty of schools EXPLICITLY DO THAT, and it doesn't work, because the person complaining was one of the kids crying "When will I ever use this" instead of paying attention.
The same adults who complain that school didn't teach them "critical thinking" are upset that school didn't walk them through the process step by step, as if you can't balance a check book with fucking basic algebra you learn by 4th grade. Meanwhile, 90% of the uproar about "new math" ends up being parents who can't even manage to understand basic word problems, you know, things which take critical thinking to work through?
I've had people complain that school should teach them how to calculate a mortgage, which is funny, because those people sat next to me in Precalculus as we literally did mortgage calculation problems.
The USA is struggling with multiple generations of people who have insisted that education is not only useless, but a liberal agenda, or even a devil-run plot to distract you from god. It's insane.
> Hopefully these 4 years energize people to vote.
This euphemism has to end. I think you mean: "Hopefully these 4 years energize people to vote Democrat".
Why not just say it plainly instead of using supposedly non-partisan language? This neutral phrasing seems to be an appeal to a "silent majority" that agrees with you and disagrees with Republican leadership. What if that silent majority doesn't exist?
You're right in that it's possible that the silent majority doesn't exist.
But personally, the reason I believe it does exist is two-fold:
1. The "My vote won't change anything" rhetoric only ever gets expressed by left-leaning people.
2. Only left-leaning people require endless purity tests for their political candidates and will refuse to vote for anybody that they don't think is the perfect candidate. These are the ones that talk about being fed up for having to choose between the lesser of two evils, then look like a Surprised Pikachu when Trump wins.
> This neutral phrasing seems to be an appeal to a "silent majority" that agrees with you and disagrees with Republican leadership. What if that silent majority doesn't exist?
Then we are on course to lose our spot on top of the world, and I should probably plan to get laid off. Idk, I get what you mean, but not agreeing with Democrats (I don't really agree with them much) and wanting a stable country with a good economy are way different things. I can hold my nose and vote for someone who doesn't actively try to tank the economy, the same way many conservatives (especially religious ones), held their nose and voted for Trump
It was all opinion. Trump said a lot of stuff before this election, but he said a lot of stuff before his first one too.
When people disagreed on what he might do, it was all guesses. There was no evidence to base anything on. Would his second term be restrained by people around him like in his first? That would be an evidence-based extrapolation. Would tariffs be all talk and little action, like in his first term? Extrapolating from evidence, they would be. But 2025 isn't 2017. Things would be different, but how? It's all guesses.
It's insanely naive to have thought a second Trump admin would not be worse in every possible way. Did you pay attention at all to what was going on with SCOTUS? Project 2025?
Saying "there wasn't any evidence" is borderline bot-speak. Anybody who thought Trump 2.0 was going to be like the first round was simply not paying attention at all and anybody telling others it wasn't going to be like the first admin is either a Russian troll, the mainstream media, or just plain irresponsibly ignorant.
"Nobody could have foreseen this" is about the dumbest take I think I've seen so far.
I didn't claim any of those things were specific to Project 2025.
We've known about RFK Jr all along so yes, if somebody is surprised by the secretary of health being anti-vax, that somebody is irresponsibly ignorant. If that somebody also claims that nobody could have foreseen this, or that prior to him being picked they were fond of reassuring people that "there's no way it'll be that bad"... yeah I'd 100% associate that with the type of behavior becoming of a Russian troll.
I find it really weird and cringey that you're bringing up ego. I don't feel like I'm smarter than everybody else, nor am I claiming to be, nor do I see how any of my comments could even be construed as such. To say this is about me thinking I'm smarter than everybody else is to imply that I'm relishing in the fact that I "foresaw what others couldn't", which is just... an insanely idiotic thing to say. I'm not a sociopath. And for what it's worth, I know plenty of people who also saw this coming.
To be clear, it's a tragedy that so many people were ignorant of what a second Trump admin would be capable of, but that's not really the point I'm trying to make; I am specifically taking issue with your insistence that it was somehow impossible for anybody else to foresee this.
> I find it really weird and cringey that you're bringing up ego. I don't feel like I'm smarter than everybody else, nor am I claiming to be, nor do I see how any of my comments could even be construed as such.
Then you should re-read your comment. Calling people "insanely naive"? "Bot-speak"? The "dumbest take"? "Irresponsibly ignorant"?
And you really think you're not trying to portray yourself as smarter than everyone else who didn't see this coming?
Your comments are insulting, provocative, in bad faith, and do not belong on HN.
I was trying to make a reasoned point that no, most reasonable smart people didn't expect the Trump administration to be anything like what it is now. I don't know of anyone who predicted this. Your claims to the contrary are simply rewriting history. You're calling people ignorant, when you seem to be the one with the faulty memory.
I hope you can learn a little humility. Good luck to you.
Sorry, but this is a very misguided take. He tried to do all the same things his first term, but enough people around him kept him in check. Now, he explicitly got "yes" folks around him and purged the career folks who'd uphold the Constitution. He's emboldened like a child who just learned they can command the world to do their bidding without restraint.
Weren't there major problems with the current CVE implementation, especially with the waves of script kiddies and AI tools spamming the database and the fact that projects who take security seriously have little to no say in the "score" that gets assigned?
and then a random 9.8 critical comes that affects some software you have in a way that makes it a 0 in your environment but it doesn't matter cause the cve tanks your organizational Security Score (tm) by 10 arbitrary points and management is wondering when you'll secure the company again because the Security Score is their only tangible deliverable to measure success
I feel that. So tired of management being completely uninterested in actual, actionable security holes but getting wildly spun up because they saw a notice with a big scary number that has absolutely no relevance in our architecture.
Yeah like when we bundled in a .js library for client side date processing that has a CVE affecting node.js servers with high score. Our auditors don’t care they tag the whole app as high risk. It doesn’t even run on the server!
the auditors that sign off on your security to meet your clients requirements usually know way less about your security posture than your clients do
its all just surface-level box-checking. most companies required to get 'penetration tests' just get an overpriced Nessus scan sold as a pentest and that meets their reqs.
Incompetent auditors don't detract from the classification system, though. If we removed every data point auditors misinterpret or don't care to understand, we may as well remove all metrics.
Most tracking tools have exception processes. But yeah, security as a product family instead of a simple score seems to be a foreign concept at most companies.
Don’t let the perfect be the enemy of good. It is(was?) a very useful and important system.
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
I disagree that it is Way Better than before. A judgement call is worth more than a team wasting effort chasing irrelevant pseudo-vulnerabilities being reported as vulnerabilities. A broken yardstick is worse than no yardstick.
But that's an issue organizations bring upon themselves, by defining semi-arbitrary KPIs that are used without proper interpretation. It's not directly caused by CVEs or assigned scores. It's like blaming git that it count lines in diffs, because your company created a KPI that measures developer's based on LOC changes.
Spot on. Vulnerability scanners that make up an organizational Security Score (TM) tend to operate at the wrong level of abstraction, flagging some library somewhere that never runs and has nothing to do with your production flow or architecture, or some test keys with zero security impact. Go explain that to management, because obviously the security tools are right and you are wrong. This sad state of affairs is unfortunately the best that the security industry has been able to deliver. Trying to wrangle complexity by adding more complexity is the craziest notion to me. Yes, no scoring scheme is perfect, but when the scheme introduces more noise, what have we gained (well, security vendors gain, but what have organizations gained).
That's very cool. You probably know more about it than I do, then, but my advice is to articulate the exact problem you try to solve.
I expect your field is probably teeming with AI proposals or offers on how to manage vulnerabilities, but that is doubtful the way, because again it is adding complexity, and no classifier is perfect, especially when scanners fail to understand scanned applications and their threat models or environment.
Stop selling external scanners, start simplifying code? This will never work, of course, because security vendors sell the promise of security to those willing to buy it, in the form of add-on products and capabilities.
Empower people to ignore scanner reports without so much red tape? That would never work either, because megacorp wants compliance and reduced liability.
Build secure systems as opposed to cataloging and scoring flaws? That would never work, because building secure systems is hard, nature tends to favor otherwise.
Charge people for adding complexity and credit them for removing complexity? Sadly, there is no way to do that, especially since products must ship and quality is hard to observe, since it is often invisible and only surfaces when things are broken.
Off the top of my head, would be nice to require proof of exploitation, by adding CTF-like capabilities to apps, such that only if the flag is captured do we consider the report real. This places more burden on scanners, in that it is no longer enough to report an outdated library. Requiring some proof of exploitability reduces noise and increases SNR, reducing false positives. Naturally, not all vulnerabilities have working exploits, and scanners can never fully simulate an adversary, so we may get more false negatives, but at least we would not have to waste so much time upgrading pointless modules and breaking applications to appease a false report. So the idea is "here is a dummy asset, show me how you leaked or compromised it". Adding the dummy asset should be cheap, but would force scanners to better simulate an attack.
At the very least, there ought to be a knob to decrease scanner sensitivity.
Solving this problem in a generalized way is really hard.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
The scores were never going to be that accurate across people's environments (IDK how much other places relied on them, places I worked never did that much) and issues with the scores don't seem to be a good justification to torch the whole CVE system anyway.
This^ and to add to that, at the very least MITRE assigned IDs which is great. Plus they did an initial scoring, which, well… will never be perfect like you said and I’m sure these things evolve throughout time and get better (not talking necessarily CVSS vX).
What a shame on this current gov. administration, if you can even call it that.
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
> But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day.
I suppose more people would be more amenable to these wholesale cuts if the current administration weren't blowing through even more money than before [0]:
> The new Treasury Department data shows a deficit of $1.307 trillion for October through March, the first six months of the fiscal year 2025. And spending is $139 billion more in the first three months of 2025 compared to the same period last year, with borrowing over that period $41 billion higher.
We're currently fighting no wars and yet Trump is proposing a record $1 trillion defense budget [1]:
> “We’re going to be approving a budget, and I’m proud to say, actually, the biggest one we’ve ever done for the military,” he said. “$1 trillion. Nobody has seen anything like it.
And that's before proposed cuts to tax revenue [2]:
> Extending the expiring 2017 Tax Cuts and Jobs Act (TCJA) would decrease federal tax revenue by $4.5 trillion from 2025 through 2034. Long-run GDP would be 1.1 percent higher, offsetting $710 billion, or 16 percent, of the revenue losses.
So this whole "we're just imposing much needed austerity" to justify penny-wise-pound-foolish policies is kind of laughable when the proposed increase to our peacetime defense budget alone wipes out Elon's most recent estimate of DOGE's total savings [3].
Yes. The Republicans are not and never have been united around fiscal conservatism. Eliminate-the-deficit libertarians are one faction within the party but not the dominant one, and Trump doesn't come from it. Same with most right wing parties the world over: the bigger faction is usually one that likes both tax cuts and spending increases. That's why deficits are out of control across the west: between the tax-and-spend left and the don't-tax-but-spend right, the don't-tax-and-don't-spend contingent isn't big enough to outvote the others. Clinton was very unusual in this regard, perhaps a product of the short post-USSR consensus.
Elon is a libertarian and has been allowed to go do some spending cuts around the edges. This gets support from Republican members of Congress partly because the USG turns out to be spending a lot of money on highly partisan Democrat projects, but mostly because it's someone else doing the cutting and not them. Even if they know they should be doing it themselves they don't want the crazies trashing their cars, so if some outsider does it for them that's a deal they'll happily take whilst it lasts.
All that said, it's inevitable that the administration would be blowing through more money than before even with DOGE. It's the nature of debt that it compounds. The level of cuts required to even keep the deficit stable would be huge because interest payments are accelerating, and the cuts DOGE are allowed to make are small (even when they go further than they might technically be allowed).
Right now there's just no mainstream support in US politics for serious austerity. There never is in any country, but sometimes the public can be convinced to agree to some amount if politicians do a good job of communicating the deficit problem. The UK in 2010 is an example of that, where the Conservative/Lib Dem alliance was able to convince the public to vote for spending cuts (albeit not as deep as were actually required... but it tided the UK over until the economy started growing again).
This is like, exactly the sort of thing that the public sector should be doing. There's no profit incentive for this to happen in the private sector.
I don't disagree with your overall sentiment re: unsustainable debt. But the answer must be reform and taking hard looks at the military budget, not just randomly cutting programs that you disagree with politically.
They are doing it, but there's no profit incentive. Github is a bit of a special case because of their commitment to OSS and the broader engineering community, but the moment a downturn occurs and MS takes a harder look at P&Ls, you better believe that's on the chopping block.
The public sector is exactly where you need things that are important to society but don't make money.
There's a profit incentive: GitHub sells its services. The free stuff is an advert.
At any rate, even if they give it away for altruistic reasons, Microsoft is a sustainable going concern that brings in more than it spends. It can afford charity. The US government isn't and can't.
you like to say word 'bikeshedding', adoption of formal intellectualish sounding terminology even when inappropriate is orange-site affliction I advise against. I am saying this for your own sake... speak truths with POWER
Maybe you don't see how it's bikeshedding. Ah well, let me try to explain.
It's because it's like if someone had forgotten to validate the user's role in an endpoint in a Django app, and someone said that they should have used Rails because it's easier to understand. In reality both are easy enough to understand to be able to do an authorization check, and the framework isn't the issue. So the person suggesting Rails is bikeshedding.
Likewise, if someone made another vulnerability database it would likely have the same issue, and this isn't really the place to solve it. If somehow this does trigger the realization to solve it, then it will be by luck.
We're getting into pedantic arguments, but bikeshedding is when multiple people argue to death about the easy stuff because it's easy, and don't argue at all about the actually hard stuff, because none of them know enough to argue about it. I don't know what your example is, but it's not bikeshedding.
I had argued for a less pedantic take, but I guess by replying to you I'm being pedantic. It seems to me that my example not only is bikeshedding by the definitions I find but also that to me it fits your definition of it. It's easier to talk about what framework you think is best than it is to talk meaningfully about process, which is more relevant place to look to prevent serious bugs, assuming both frameworks are capable. https://en.wiktionary.org/wiki/bikeshedding
Bikeshedding is when people need to make a decision on something, and keep talking and talking about the easy stuff. Your example of someone offering a driveby opinion isn't an instance of a group of people needing to make a decision.
Ah, it wasn't a driveby opinion how I imagined it, and I've experienced stuff like it in the past. It would then go into talking about rails features and libraries that could save the day, and the django counterparts. The decision that needed to be made would be what action to take to prevent a similar issue from occurring in the future.
I'm not saying it doesn't happen, but bikeshedding is when you say "OK guys we need to figure out the architecture of this complicated new service" and then there's a bunch of debate on libraries and frameworks and very little debate on the actual (hard) problem it needs to solve.
Thank you for the unsolicited defense. Linguistic bikeshedding is tantamount to an ad hominem. It's the mark of someone unable or unwilling to form a rational, valid argument or engage in civil discourse. Let's instead refocus to the HN site guidelines please. :o)
As an active consumer of CVEs: yea there are major problems. No there's nothing better and no I don't have any better ideas.
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mag process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
Yeah, most businesses need window cleaners too. If you're a window cleaner and you complain about all the birds shitting on windows, I dunno what to tell ya.
If you're working in compliance either
A) you're stuck in your compliance job, that sucks, CVSS scores aren't the reason why though.
Often it is a second order impact. This creates a bunch of work for the compliance people, but then the compliance people end up competing a bunch of work for everyone else. If you count anyone who might have to follow compliance as working in compliance, then I purpose that there isn't enough non-compliance jobs to go around.
a) If you are having to do busywork for compliance reasons, you are either disempowered to push back on bullshit work (case A above, unfortunate, but your job was gonna suck anyway), or it's not really a second order effect, you work in compliance in a meaningful way.
b) Compliance bullshit seems to expand into the space available to it. Nobody thinks CVSS scores are meaningful, the fact that they feed into compliance processes is not the CVSS scores' fault it's the compliance machine just globbing onto random bullshit as its expansion continues. If you took away CVSS scores it feels like it would just glob onto something else instead.
Anyway, in the end I think we aren't disagreeing about that much. I think they're silly, if someone wanted to get rid of them I wouldn't try to defend them at all. I just wouldn'e be the person to push for that.
Getting a bit tired of posts like this (no offense), something dumb / nefarious happens like funding is cut for <useful thing>, then someone posts an off the cuff comment or question like, "wasn't this <useful thing> not that useful because <superficial reason>?".
Why do people do this, to down play all the destruction of the last few months? Seems to be some type of coping mechanism.
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this, because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" -But I could believe senior finance would do their own research (tm) and mis-understand what they saw in how other people work with CVE, and who funds it.
> I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
Vampire capitalism. They want civilization to break down so they can offer a solution for profit. The enemies of all people and life on the planet are a tiny group of oligarchs and their supplicants.
I agree, given the right definition of “capitalism”.
Unfortunately “capitalism” has two quite different meanings. Which are rarely clarified in use.
Capitalism with a big C, a too common overarching ideology, gets bent to mean whatever the greedy, unethical and rich want it to mean so they can get more money.
But small c capitalism, evolving from both practical and ethical foundations, is a system so useful it has multiplied the benefits of civilization. But it is just one such system.
It can’t do everything, it needs other independent systems (justice, dispute resolution, rules of clarity, risk & trust limiting systems, for starters) to work, and extending it to places it doesn’t work causes great harm.
(Like when perversely applied to those enabling systems, in big C form, as is happening now.)
Hah. I’ve been hearing this No-True-Scotsman for Capitalism for decades now. It’s what we’ve got and is widely understood as capitalism. I won’t repeat your last sentence but the sentiment is similar.
It's no different from what apologists for Communism and any number of other -isms will tell you. "B...b...but it's never really been tried." Capitalists are as entitled to that excuse as anyone else.
It's almost as if no economic, social, or political system known to mankind will stand up for long under a determined onslaught of corruption.
Absolutely not. They are not broadly experts, and they are not making these decisions after careful consideration, as evidenced by their continual acts of stupidity and basic errors and cutting things despite having no idea what it is they are cutting. Musk got in an argument with someone who said DOGE cut funding for a cancer treatment program, and Musk was calling the person a liar, and the person provided evidence and Musk admitted it was an accident. They are a clown car of idiots who vastly overestimate their own knowledge and underestimate how much good the government actually does. They think they can just slash and burn and there will be no negative consequences because they think the government is worthless.
She was an Objectivist. She considered social security to be "legalized plunder". Then when she needed it, she decided to take it.
One of her wonderful worldviews was to rejects altruism as a moral imperative, arguing that individuals should live for their own rational self-interest. Social security, based on the idea of supporting others, contradicts this principle.
It takes strong and complex social glue to create a place where millions can safely follow their own self-interest.
Which means anyone whose wisdom matches their self-interest is going to understand that different things have very different efficiencies at different scales.
And some things happen to be dramatically more efficient/person and more effective, the larger the scale they can be coordinated at.
>It takes strong and complex social glue to create a place where millions can safely follow their own self-interest.
This exactly. All of these people who profess to believe in objectivism could easily move to a failed state and do anything they want to with zero government intervention. But they don't do that. They want all of the benefits of a working government with none of the things required to actually create a working government.
Also, even if you don't need it yourself, it's far nicer to live in a society where people's basic needs can be met otherwise we end up living in some kind of Mad Max apocalyptic wasteland where people with nothing and nothing to lose roam the country looking for targets.
> One of her wonderful worldviews was to rejects altruism as a moral imperative, arguing that individuals should live for their own rational self-interest. Social security, based on the idea of supporting others, contradicts this principle.
This position was already pointed out by Plato (in the Gorgias IIRC) as being inconsistent. Political systems are made up by people - if a society, in particular a democratic one, has certain systems in place, then this is probably because it was (at least believed to be) in the people's self interest.
I don't see altruism as being outside of my own self-interest. I think that you get what you give, so having to give up some money to the public good is OK (usually not awesome, but OK).
What's funny, and it might be because of the translation, but I first thought her book where all entrepreneurs are hidden away in a sort of parallel country was a dystopian satire and a joke about some people sense of self importance. Then I learned about her (and when the book was written too) and realised her book was to be read as it was written, 'seriously'. Which makes it silly, but a funny story.
They've done their degrees and masters in Computer Science, and many of them dropped out. But they focused on AI, so I'm assuming this makes them great at statistics, but does this mean they are great at security? Given the way they've gone through a variety of departments, I'd say they aren't.
The DOGE crew are incompetent. Witness their firing of all the people who look after the nuclear stockpile and Ebola research.
Hang out around here for a while and you will realize quickly that us tech bros mostly just know tech stuff. Our perceived intelligence in topics which we don't spend our time on is called hubris and we are swimming in it at all times.
wunderkind is a loanword, it's one of those cases of a German word being used but being odd in English since it's so similar.
Like kindergarten which is often speller as "garden".
Certainly, so we have to critically look at the terms and check which have been used by the Nazis to promote their ideology. It is a call to make in each case.
You stated Endgegner was not used lightly in Germany when it was. You seemed to think Wunderwaffe was used lightly in English when it was not. And searching for Endgegner and Endlösung found our comments and a few opinions they sound similar. No evidence or claims of origin. I conclude Endgegner does not originate from Endlösung probably.
If I'm giving them the benefit of the doubt (which I hate), it's a shotgun approach; cut things relentlessly and see what falls apart. Chaos engineering applied to a country and / or the world.
That’s exactly what it is, and they said as much repeatedly while campaigning. Voters, in their zealotry against the perceived status quo, failed to realize how much of what we have right now you don’t want to cut recklessly, as well as just how reckless the people that they were choosing to do that job were.
I can't tell what argument you're making within the context of my post?
The OP said indiscriminately, which means they're cutting uniformly across the board. I responded with "mostly discriminately" which means they're more selectively cutting based on prejudice. You then linked me a data point where you show they cut funding because it has the word "homo" in it and tell me to "get a hold of myself".. but your link would directly support what I've said?
It is clear from context that the original comment is using "indiscriminately" in a sense of "without due care; thoughtlessly". Your first reply comes across as simply contradicting it, i.e. asserting that actually these cuts were made with an appropriate level of thoughtfulness. Your point that there are criteria which are being applied is a useful contribution, but you should have expanded on this in your original comment, as it was not clear that you were reframing the discussion in this way.
Respectfully, I took the word at face value and made what I thought was a fair, albeit half-jokingly correction. Certainly, I understood the context of the original post and I expected that this community would understand my follow up comment which is using correctly applied English. For whatever it's worth, I see no synonyms for indiscriminately that would fall under "without due care; thoughtlessly" on Merriam-Webster. Even if I understood what the OP was saying, it was not technically the correct verbiage to use. I would have thought I'd receive a similar level of "allowable nuance" in my comment that the OP was afforded.
Most of the general population can’t read above something like a fifth grade level. Here on HN it’s higher, but I wouldn’t say it’s safe to assume you can just engage in even mild word play without risking being misinterpreted, unfortunately.
Written word play, especially in such a short sentence, will be hit or miss with even capable readers because one's interpretation will be devoid of interpersonal context (including nonverbal signals) and heavy on other context such as expecting some in this community to continue to defend Elon/DOGE because we've seen it plenty on HN to date.
He came in quite hot and has made no acknowledgements of my rebuttal. To be honest, taking a deep breath and giving me a more sensible response than what I got could have gone a lot way.
We're allowed, and should be encouraged, to write with a small amount of nuance and creativity.
My intent was to argue by counterexample. That grant being cut merely because of containing the prefix homo is an example of indiscriminate cutting, in my opinion. Actually effectively cutting grants that only related to homosexuality or something would've been discriminate.
However, I might still be misunderstanding you, pardon me.
> That grant being cut merely because of containing the prefix homo is an example of indiscriminate cutting, in my opinion.
I disagree. I think it would be considered "discriminate cutting".
> Actually effectively cutting grants that only related to homosexuality or something would've been discriminate.
I agree and that's the point I was making. They're just cutting grants with the word "homo" in them because it meets their criteria of interest for cutting. Whether they deal with homosexuality or not is not a discriminate vs indiscriminate topic, but a topic of DOGE's competency in actually executing on their discriminate cutting vision.
Indiscriminate means at random or without judgement. The comment you're arguing with clearly (and cleverly) said the cuts are not random. As one data point, I did not read the comment as contradicting anything, but as agreeing and expanding.
Afaik there's never been a DEI initiative (or similar, I'm not American) that I've ever heard of to hire more gay people specifically. Most of us would hate to be hired for our sexuality rather than our skills.
There's nothing "woke" about it and screaming woke woke woke isn't going to change the fact that we exist and you don't like it. I'd tell you what I really think of you but it would invoke Dang.
You misinterpreted that comment, which was sarcastically pointing out a study which was purportedly cut simply because it had the word part “homo” in it.
You have got to stop engaging with the idea of “woke” as a specific ideology to stand against. It’s like you purposefully intend to misunderstand common shared meanings of words.
There are many problems going on right now, but in terms of cuts this is one of the most problematic: everything is secret, with no oversight or deliberation. It's indistinguishable from corrupt malice because it's not done with open thoughtfulness.
I just can't believe your take on this. The White House press secretary has directly said, multiple times, "this is the most transparent administration ever". /s
In reality, this entire process is insanity. We've had examples of government spending overhaul in the past - early(?) 90s - both sides worked together, cut lots of spending across programs, downsized tens of thousands of federal workers, and balanced a budget, to the point where we had a surplus. It was tough, took time, wasn't perfect, but was deliberated and debated and far far far more open and transparent than all this. But their goal was actually improving government (even if that meant reducing some areas). The current 'leadership' goal is to dismantle/destroy as much as possible, as this is led by people who think government in general should not exist.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
Stupidity rarely has a consistent destructive track record. You score occasional wins. Only malice allows every decision to do damage. (The other razor, essentially - Occam)
I love Hanlon's razor. Super-helpful in certain contexts: "Never attribute to malice that which is adequately explained by stupidity."
But, having known about it for a dozen years now, I also find it inadequate alone as a razor without the following caveats/corollaries:
Hubbard's corollary to Hanlon's Razor: "Never attribute to malice or stupidity that which can be explained by moderately rational individuals following incentives in a complex system". ( https://en.m.wikipedia.org/wiki/Hanlon's_razor#Exceptions )
Or (HN) Nerdponx's punchier simplification: "When money is at stake, never attribute to incompetence what could be attributed to greed." ( https://news.ycombinator.com/item?id=41066724 )
Hanlon's Razor is susceptible to pathological inputs, causing unbounded runtime.
A large amount of things related to Trump fall into that category, and it's important to recognize when you need to instead treat it as a superposition: It is both malice and incompetence, unless the perpetrators decide to plead just one or the other.
Hanlon's razor is utter trash. In most contexts that people bring it up, sufficient stupidity IS malice, because at a certain level of resources and responsibility, you do not have an excuse to be that stupid
You can only get into such a position if you've ignored smart people telling you "No". That's malice.
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
I think it's more of a principle: if it looks like someone could charge money for it, they think that would make the country stronger, because all they understand is first-order profit. Trump's ethics is "get away with whatever you can".
For instance, most people find healthcare middlemen (pharmacy benefit managers, etc) to be grotesque parasites. But to a laissez-faire fundamentalist, they're smart for finding a way to liberate some profit, even laudable.
This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on. If you look at the federal budget it's nearly impossible for DOGE to hit their stated goals without touching benefits like medicare and social security (which are off limits so far) so the only option is deep, deep cuts into the narrow slice of the federal budget that excludes those protected categories.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
They are breaking down the federal government intentionally. DOGE was never going to hit their goals, they were impossible to hit. The goals were just cover to take full control over anything they can get their hands on.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
They voted for others to be hurt and to lose benefits, not their “in group.” Surprise surprise, they are considered the waste by those they voted for.
I hate Trump as much as the next guy, but let's not take things out of context, he clearly seems to mean it in a "I want everyone" sense here, rather than just the poorly educated specifically.
His statements were of inclusion into a set of suckers, he was only cheering of the relative sizes of those that vote for him. I understand what you are saying, and this isn't it.
> DOGE has been about fighting corruption and reducing wasteful spending
It absolutely staggers me that anyone can still say this with a straight face. I will ask this, though: as part of the DOGE fight against corruption and wasteful spending how many of Elon Musk's government contracts and subsidies have been cut?
Also ~12K IRS workers (7x per head ROI) and inspectors general (who actually get results and are fully accountable) have been cut. And our already bloated military budget is increasing to $1 trillion without an eye being batted. DOGE is theatre.
"A system’s function or purpose is not necessarily spoken, written, or expressed explicitly, except through the operation of the system. The best way to deduce the system’s purpose is to watch for a while to see how the system behaves. Purposes are deduced from behavior, not from rhetoric or stated goals.” —- Donella Meadows
> "A system’s function or purpose is not necessarily spoken, written, or expressed explicitly, except through the operation of the system. The best way to deduce the system’s purpose is to watch for a while to see how the system behaves. Purposes are deduced from behavior, not from rhetoric or stated goals.” —- Donella Meadows
I see at least three obvious reasons for the cuts:
1. Politically-motivated "purge the weak" Nazi stuff - Cutting Medicare, cutting Medicaid, cutting Social Security, cutting education, cutting anything that benefits people who are old, poor, queer, female, etc.
2. Privatization - NWS and NOAA are wonderful public services, and they'd rather profit from the data they produce. This is why taxes in the US are such a bitch to file, tax companies oppose any policy change that would make the paperwork easier for filers.
3. They might actually be Russian assets. Tearing down institutions that took generations to build makes space in the world for Russia to exert more influence. You can tell this is working because Europe is now wanting to re-arm.
It makes me sad. If I had a billion dollars I would still want to live in a better country. These guys only want a better world for themselves, and making everyone else into a permanent servant underclass only plays into that.
I'd say that the rhyme and reason are quite clear [0]. They published a playbook, and they are implementing it at a record pace.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
They have to find some gumbah to head the security dept,because the best one they had,left in a hurry. Heard he went to Denmark. ( I am really really kidding )
> This sort of thing is happening across the federal government. There is no rhyme or reason. DOGE has been given an unrealistic target for cuts and they're desperately cutting whatever they can get their hands on
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
The ryme is Humpty Dumpty, had a great fall. Now China and Russian security forces step up their relentless attacks. Let's hope the white house falls first.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks yo the rich. Where did they think the cuts were coming from?
He ran very hard on raising tarrifs. Which demonstrably raise prices (thats literally their goal.) But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans got off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they dont know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well its good. Swinging a hatchet in a crowded elevator does not seem like "Done well".
> In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
This is actually simply not true. The Republican party before the Tea Party looked nothing at all like this. Trump won the presidency last year riding a wave of distinctly not-your-typical-Republican lower class voters. As he rose the old guard Republican establishment formed the anti-Trump wing of the party until they were forced out one by one.
To put some numbers to this: Bush won the upper income brackets by 5+ points in 2000, with a lead that widened as you went up the income ladder. Trump lost the equivalent brackets in 2024 by 5+ points, a 10 point swing away from what Bush won them by. The lower brackets are even more stark, with a whopping 18-point swing towards Trump in the $30k-$50k bracket (inflation adjusted to $15k-$30k).
These numbers show that Trump is not a Republican in the George W Bush sense and he's certainly not a Republican in the Ronald Reagan sense. He's a populist and won on a populist agenda by putting together a coalition of rabid social conservatives (who probably really did go Bush in 2000) and poor people (who largely did not).
Populism is not an agenda it's a style. Also the majority of poor people voted Democrat, the majority of people with low education levels voted for Trump (which is not the same thing as dumb, although voting for Trump is dumb regardless of PhD or lack of HS diploma). There's overlap between low levels of education and income but if you define class by income then low income people mostly voted Dem
You are ignoring that trump rode to power explicitly by enabling the shittest of Republicans that already exist. To try and let republicans off the hook for supporting him, especially a 2nd time? Is hilarious
I'm upvoting you because you make a coherent argument, and votes here should be for that, not whether I agree with you or not.
I would agree he's not George Bush, much less Ronald Reagan. Nevertheless those who voted for Bush and Reagan also voted for Trump.
This has been "decades" in the making in the sense that since Obama was elected (in 2008), Republicans have embraced racism at the heart of their populist message. That swing rightward was made palatable to center republicans with a woman democratic candidate in 2016 (one not terribly well liked in democratic circles) and a black woman candidate in 2024.
While racism, and misogyny gather a bunch of votes, long-term distrust of institutions is sown, and fostered. Republican policy becomes protecting white guys, and especially old, rich, white guys.
Reagan was popular and competent, and worked for the good of America. Today's president is nothing like him, but wins because a bunch of people "vote Republican".
> Today's president is nothing like him, but wins because a bunch of people "vote Republican".
There's a component of that, but it's not the primary cause. A lot of former Republicans stopped voting Republican with Trump, including a lot of old rich white guys, and a lot of the current Republican voters didn't vote for Bush. He wins because of the new wave of voters that counterbalanced the flight of the educated core of the Republican establishment.
There are extremely superficial similarities here, but they're just that: extremely superficial. Along the same axis but in totally different orders of magnitude, and orders of magnitude make a difference.
Obamacare and communism are along the same axis too, but the Republicans who claimed they were the same thing were obviously wrong.
When someone hands you a pencil, you don't wonder what variety of tree the wood came from, or what paint chemistry was used for the coating. It's a pencil. You might have broad opinions on whether the one in your hand is comfortable to use, and sharp - but you leave the details to the pencil makers.
About 70% of the population engage with politics the same way: Leave the details to the people who do this stuff for a living.
Do they expect to be disappointed? Sure, but everyone who engages with politics expects to be disappointed.
This pencil was proudly advertised as being comprised of the remains of all that was decent in humanity. The fact that it wrote in blood was gleefully touted and cheered.
You are a pencil company director. A CEO candidate promised to cut expenses by 30% by eliminating waste. People who do this stuff for a living countered wood and graphite exceed 70% of your expenses. The CEO candidate proposed to increase graphite spending. Do you wonder what the CEO would do if hired?
This is exactly the attitude Putin tries to encourage in his population. If enough people don't pay attention or don't think what they do matters, it's easier to subjugate a population.
If people in the US aren't starting to notice what Musk/Trump are doing it will bode very poorly for the future of the US.
Remember, DOGE has nothing to do with money or "efficiency". It's a pure ideological dismantling of the Federal government aimed at eliminating oversight, regulations, assistance and entitlements as envisioned by ultra-conservatives for decades.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
> The U.S. system of government relies on established norms as much as it does law.
And it's also happily breaking the law. The Executive doesn't legally have the power to allocate resources (or not), not to mention the power to arbitrarily suspend due process.
Something different like gay people, women, immigrants all suffering while they laugh. Who's laughing now? From an outsiders perspective, I sincerely hope that Republicans get to feel a fraction of what these usually marginalised groups feel every day.
You'd think that lessons would incite learning but that has never seemed to be the case throughout history.
As if laws have any meaning to this administration, and anyone expecting this will only last four years instead of turning into one of those countries so much admired by the captain at the helm, is fooling themselves.
When the citizens realise this, the structures to clamp down any revolution will be in place.
"CVE" is trademarked and emphasized (e.g. included in the shorthand notations, e.g. CVE-2014-0160), explicitly to prevent other groups from using "CVE" in a way that causes confusion in the marketplace. And yes, this is the same reason trademarks exist for commercial purposes.
But imagine if Microsoft could issue CVEs against Apple ... or OpenAI against Anthropic, etc.
The label "CVE" has to have a known authority to be useful. And the only way to ensure that is to trademark it. See also: "Linux™".
Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Anything that weakens the US or puts our cybersecurity in a place that Russia can exfiltrate data will happen. This is not about the US needing anything and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration and the subsequent death threats to the whistle blower.
You mindset is behind the times and needs to adjust to a, frankly, insane current reality.
> Your words don't make any sense in this environment. The idea that any person at an agency could stand up to or convince the DOGE team of anything is preposterous.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
DOGE is doing this, it's not a "scapegoat", and Trump is not going to negotiate anything here, that's ridiculous.
What leverage do you have for the DOGE boys? What power? Resigning? Because on the Defense side of the government the best leverage that some teams have found is mass resignation, meaning that nothing happens.
There is no negotiating with bullies, it merely breeds more concessions.
> DOGE is doing this, it's not a "scapegoat", and Trump is not going to negotiate anything here, that's ridiculous.
DOGE follows Trump's direction and acts on his behalf, as you must know. They make a big deal out of DOGE so Trump's name is less attached to these actions. Then they can take much of the blame with them when they go away, with Trump and the GOP blaming them for 'excesses'.
> Trump is not going to negotiate anything here, that's ridiculous.
> What leverage do you have for the DOGE boys?
You don't understand how negotiations work. Everyone has interests, strengths and weaknesses, and power. You need to make it in Trump's interest to keep the CVE program.
Everyone saying they are helpless, and that anything else is ridiculous, are panicking. Very unfortunately - dangerously - many people legitimize the panic. It's so normalized that it's "ridiculous" not to panic.
Every day you continue this behavior, you fall further and further behind and lead others in that direction. Will you wake up in time?
I don't think there's any reason to believe that Trump is mentally competent to understand what's happening here or engage in any kind of meaningful negotiation.
It's just not practical to organize a rally to save a niche cybersecurity program. People are busy protesting to protect Medicaid and keep themselves out of foreign gulags, they can't divert the attention to CVE.
> Isn't the US supposed to be the birthplace of modern democracy?
I would not dare not mention the revolutions in England and in France. And before that some Greece city states, and definitely Rome. The US declaration of independence is just another point.
> You need to make it in Trump's interest to keep the CVE program.
This guy is ~80 years old and bragged about "person, woman, man, camera, TV." He recently got into a Tesler and exclaimed "everything's computer!" Have you seen the way his aids explain executive orders to him (like a child) before he signs them?
He doesn't have the foggiest notion of comprehension of what the CVE program is, or how it would benefit him. Unless you're greasing his wheels, it's not going to happen.
I'm curious by what means you think Trump can be bargained with.
Do you mean things like handsfull of like-minded countries selling t-bonds? No one in the R party has any leverage, and it's not clear that even a few US billionaires could exert any influence.
Do you really think Trump has ever heard of "CVE" or could comprehend them?
No, it's definitely DOGE doing all of this. Each one of these young fools need to be named and shamed. The level of damage they have done is unprecedented. They will, in their later years, hopefully look back at this time in their life with a great deal of shame and embarrassment.
I have the feeling that there will be no redemption arc for those ones and the repenting would be for show before a court of public opinion.
I'm going to be to the point here, if you guys over there don't start to heavily push and organise, and I said it already, you're one Reichstag fire away from something very bad, and from my point of view, there is probably one kristallnacht pending in the mix.
This is not a hyperbole and if someone wonders why this has relevance to the discussions, in this case most of the people around here are blue team, and it does feel like the red team has already taken anything that wasn't attached and now taking the time to take what's bolted on...
I guess the silver lining of all this, is in their hubris, they forgot the bread and games motto, so they're might still be a chance to turn things around somewhat... But the window is closing at an impressive speed.
I'm an Australian. We have a guy called Clive Palmer, who has formed a party called (no joke) the "Trumpet of Patriots". It's certain nobody will vote for him. The opposition leader married himself to MAGA (and close to Trump) and now it appears like this will prevent him from winning.
It needs to be the "shame and embarrassment" Nazis felt at the end of WWII and not the traditional shame and embarrassment they are used to feeling after losing the civil war and Jim Crow laws. It will just happen again in a generation otherwise.
Nazi did not felt shame and embarrassment. They felt loss. They felt to be weak. Nazi and Germans felt sorry for themselves after the WWII. The feeling of sorry for stuff they have done to others is something Germany found a bit later, largely due to Nuremberg and general policies not allowing it to stay hidden.
Forget about them feeling sorry for anyone but themselves. They will feel resentful and as if they were being treated unfairly even when actual clear criminal investigation happens.
You don't think they are carrying out Trump's goals? They are just working independently? The great similarity between their actions and Trump's goals and methods is coincidental?
Why are you protecting Trump, the President, from responsibility?
No, blaming "someone inside DHS" is what makes no sense. It 100% makes sense to blame DOGE and actual perpetrators. You can stop them only if you start to blame those who do the stuff you dont like instead of blaming everyone else except them.
If you made this careful analysis, you'd hear "CRISSAKE WE NEED THIS DONT TOUCH IT" for almost everything (and it likely would be right for a significant portion but not everything).
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
You forget that their stated policy (and I don't doubt their commitment) is that whoever complains the loudest were probably scamming. That "honest people don't complain"
"We are paying MITRE how much? Bigballs and co will write a better ststem in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
> perhaps the thinking is to radically change approaches?
If there had been a replacement or reform plan for even one single iota of the things this admin has cut, I might give them the benefit of the doubt. But there's not. It's just kill, kill, kill.
> I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
Come on, are you living under a rock right now? There are massive indiscriminate funding cuts to anything that Elon/Doge deems to be "fraud", and they explicitly do not care about the collateral damage.
This is not about the DHS or "compartmentalization". This is just a politician running amok and having real consequences.
Also there has been funding cuts to all agencies where Musk is currently under investigation. NHTSA is getting cut so they can't get in the way of Tesla.
No one analyzed it most likely. It’s possible on of the college students working for Doge doesn’t understand security because they are a child with no real world experience that Elon brought in to slash costs.
The private sector zero day market collapsed last year with Zerodium - corporate bug bounties, nation states in-housing offensive security operations, and the democratization of knowhow destroyed the Zero Day market.
Why would they spend money to replace it? The idea is to weaken and destroy the US and its institutions. Giving Palantir money might mean that security improves, and that goes against their goals. They have already demanded that Russia stop being treated as a cybersecurity threat in other areas of the government, this is a way to ensure that systems are vulnerable to attack.
Exactly. The Trump admin is well on its way tanking the USD with tariffs and getting every country (including the penguins) mad at us. The rationalization given by the admin for tariffs (trade imbalance) make zero sense, and they haven't offered anything else.
These sort of government services are always under attack by private organizations. The US Gov doesn't have to give Palantir or whoever a contract, they just cede the ground, give the right people a heads up, and then make the new subscription service a "recommended service provider" as a solid to whichever of Elon's circle gets the nod.
In the UK the some "entrepreneur" was after monetizing access to the Land Registry a couple of years ago. Apparently the free UK Gov service was not fit for purpose it needed a paywall to make it better. Nothing as globally significant as the CVE database, but you can see if the vultures are going after small UK Gov services, something like the CVE database is absolutely a chance to add to the executive bonus pool.
> This sounds like looking for lemonade in a genocide.
It really doesn't. This level of catastrophising has no point. It would be nice if CVE continued to exist, but it wasn't close to perfect, and perhaps it can continue in another form. There's no particular reason the US taxpayer has to sponsor global security threat tracking any more than any other taxpayer or customer.
This is also a myopic argument against funding standards bodies that support the internet.
The point of having a global, shared database is a single, authoritative (more-or-less), semi-vetted repository that can hold vendor accountable externally without digital amnesia or downplaying issues, and global unique identifiers. If that takes an international nonprofit funded by bits of the free world who are okay with investing in commonwealth infrastructure, so be it. Those who don't understand what they're destroying so casually are ignorant, and possibly evil if they do understand.
> This is also a myopic argument against funding standards bodies that support the internet.
No, it's the opposite. Things like this shouldn't be in the hands of a single government. They should be independent and funded by many parties. The part of your message that isn't catastrophisation is agreeing with exactly what I'm saying.
It's more likely to boost the zero day black market. I don't know if I want to attribute this to idiocy (indiscriminate cost cutting), greed (contracts for their crony pals) or malice (hoarding and trading 0 days).
The trick is that there's more than one person involved in making these things happen. In this way, greed, malice, and idiocy can work hand in hand. Such is entropy.
I find it a little incredible people are still talking about "four years".
They tried to reject the election result and do a coup, and were rewarded for it by getting back into power. They are refusing to follow the law or the courts. They are sending people to gulags in foreign countries. All the checks and balances were destroyed last time. The party has been stripped of anyone who would fight the admin or reject this illegality. They have set up a power grab over elections.
There will not be free and fair elections in four years unless they are simply too incompetent to rig it, the rubicon was crossed long ago. Without mass protest that makes it impossible for them to hold power, American democracy is dead.
They have tried to do it, they say they want to do it, they have the ability to do it, they are actively doing it, and no one is stopping them. How are people still acting like in four years they are going to neatly hand over power to be prosecuted for their crimes?
Organizing mass protests isn't something you do instead of organizing electoral opposition. Even in countries that haven't had fair elections for a while, people generally still organize opposition and talk about how they're going to vote. The best way to ensure your opponents retain power is to go around telling people it's too late and they've already won.
I'm not saying people should not organise to vote, I'm objecting to the framing of "in four years this will be over" or "in four years we can fight this", if you are waiting for elections to solve this alone, that's a mistake. Elections alone won't be enough. It's not too late to do anything, it is too late for just voting against it to be enough.
I agree that elections alone aren't enough, but the question of whether you expect a chance to reset in 4 years affects a lot of strategic calculations. If you expect Trump will face democratic accountability in 2026 and 2028, it makes sense to focus on things like tariffs that a lot of voters will find mildly uncomfortable. If you don't, any energy you spend on things that don't produce mass mobilization is wasted.
I understand you have elections in two years, don't you ? I don't know if a complete reversal congress is possible.
That would be a good litmus test. "They" have not prevented special elections so far ; if "They" need to prevent the next one, whatever they try will happen then, I suppose ?
I'm British, but I think to expect free and fair election in the US in two years is to stick your head in the sand.
I don't see them preventing elections, but just rejecting or altering results that don't support them: the litmus test is already triggered: the special election in North Carolina has an ongoing court case trying to throw out ballots to allow the Republican to win.
They have also pushed a executive order claiming sweeping powers over elections which they will use as pretext to do this nationally. Blatantly illegal, but they have already shown they are ignoring the courts, so who will hold them to account? Mass civil unrest is the only thing left.
I'm not suggesting anyone give up on the elections: I'm saying prepare for the inevitable attempt to rig them. Voting alone is not enough, people must be ready for mass civil unrest when they throw out votes and claim victory.
Some companies are already clueless when it comes to CVE management. Probably won’t see the effects immediately but give it a few more years for new generation of vulns to be created/found and we will be back to early 2000s level security.
Open season on American corporations for domestic and foreign hackers.
If program isn’t brought back then CVE database likely to be fragmented amongst the “private” CVE databases.
Sec Corp A has 700 well documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding pulled. What do corps do? Maybe some of them with massive budgets setup contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forego it all together.
Who knows maybe we get ~~~free labor~~~ open source community to pick up the slack?
This country with the orange man administration is quickly going to shit. Not in a “I dislike {opposing party} way” either. In a “I dislike authoritarian regimes” way.
Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.
You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things. (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)
This time they published Project 2025, telling you what they were going to do.
Project 2025 literally calls for dismantling the DHS. Seems pretty unsurprising that the CVE database wouldn’t be in the list of things they’d care to maintain in that process.
It’s astounding that the users here watched all the horrendous things going on and ignored them. But now the CVE numbers are gone it’s shocking and too far.
Come again? This is Hacker News, a heavily moderated forum with a narrow focus. We don't discuss Israel or El Salvador here (unless it's tech related.)
I would hope the folks that frequent HN would not be so insular as to only read what happens on HN and not read any other news source.
If you’ve somehow missed Trump’s systematic dismantling of academic freedom or his disappearing of folks he doesn’t like, then we have a far bigger problem than the limits of what is discussed on HN.
Please, this place has permeated with Trump rage since before he took office. The only way you could think he was ignored is to not have read any comments.
1,179 comments
[ 5.7 ms ] story [ 272 ms ] thread> Hearing a bit more on this. Apparently it's up to the CVE board to decide what to do, but for now no new CVEs will be added after tomorrow. the CVE website will still be up.
If I'm developing a product built on 20 libraries, it won't just be a matter of scanning CVEs for major vulnerabilities any more, so I'm more likely to miss one.
"always update" doesn't always work, when to manage a product you realistically have to version pin.
This is dangerously stupid.
I would imagine the only SANE option would be some kind of git repository where CNA's can collaborate. Probably run some code across to make the website that people can easily access.
It's going to be a mess.
https://lwn.net/Articles/851849/
The world needs more volunteers like you.
I think it's a testament to the previous stewardship that it appears so simple.
all the meaningful ones will show up on HN
Now if you want that (even just funding) to be a thing ... you have to go through Trump & Co and pay your bribe to get it back up.
This isn't just a rapid disassembly of economic structures, any trust and goodwill is completely obliterated as well.
A funding shortfall and strain isn't a funding cut. And from what I see there was a funding increase.
2025 article claims 30% increase in 2024 workload, https://www.securityweek.com/mitre-signals-potential-cve-pro...
> According to NIST, while the National Vulnerability Database (NVD) is processing incoming CVEs at the same rate as before the slowdown in spring and early summer 2024, a 32 percent jump in submissions last year means that the backlog continues to grow.
2023
> CISA had previously been supporting the NIST NVD program with approximately $3.7 million per year in interagency funding, which they have discontinued
2024
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025
Assuming that's spread over both years it wasn't as big of an increase as I said, but is still an increase even inflation adjusted.
> 2025 article claims 30% increase in 2024 workload
Underfunding in the face of more workload isn't itself a funding cut.
> While NIST has since reallocated $8.5 million to NVD for fiscal years 2024 and 2025, this funding remains a fraction of the $300 million to $400 million estimated to be needed annually to fully restore capacity, with an additional $120 million to $150 million required to prevent further system “deterioration.”
Did NVD receive 300MM annual funding pre-2024? That would be a 98% funding cut.
MITRE CVE/CWE budget is more transparent than NVD since it's a contract, listed on USAspending.gov.
Why? This administration is not acting in good faith, you don't have to act as if they are. People and institutions doing that is part of how we got here in the first place.
As you say, that's exactly what got us here. But the alternatives are very unclear, and seem deeply unpleasant.
They could attack the non-steelmanned version, but that just opens them up to having their own comments attacked. You quickly get derailed. (It's sometimes called "sealioning".)
They could propose alternatives, but that too is subject to sealioning. Real alternatives are always subject to tradeoffs, and the answer to "how about you do X instead of attacking me?" is always "no".
They could refrain from discussing it, but that just allows the offenses to continue.
So what often happens is that people persist in acting as if this were a sincere discussion, and hope that a majority will recognize the quality of your argument. It's a lousy plan but I don't have much else to suggest.
Surely there's an antibody response.
Why? The decisions are pretty well politically aligned with the ideology which detests the size and scope of the government (realistically, those aspects which the ideologues feel are not in their interest). What is unexpected is the swiftness and the brutality of action, but revolutions tend to be messy, and make no mistake, this is a revolution.
> This is the actions of a foreign bad actor
Now this sounds like a coping strategy: everything is so preposterous it couldn't possibly be homegrown. Foreign influence and underhanded actions are as old as human interactions, but IMO outright plants can't succeed without a massive economic and power asymmetry between the adversaries.
The entire world seems to be able to 'cope' with that assessment.
Trump's actions towards Putin are highly irrational. Maybe he's being blackmailed, maybe he's being bought, maybe he just has likes Putins style but there is a reason people suspect him despite it being unlikely in the general case.
This is exactly the process that conservatives take to privatise services into their own friends pockets. Destroy services until they're ineffective and use it as an excuse to privatise it.
There's no such thing as small government, only large sprawling private services that the government hands money to.
In reality this would never happen so all these people playing steelman are just detached/insulated.
> Why?
It's a sensible practice and good practice
Like you get that right? This administration does not discuss or debate, it shits out lies and laughs as people play make believe high school debate games, and give them infinitely more effort than they did.
There is no such thing as "effectively arguing" against a Gish Gallop, that's it's entire purpose.
If the steelmanning fails then you can you can be even more confident that it is in bad faith.
There were 65,000 cases of salmonellosis in the EU in the most recent data I could find (2022). Thats a lower per capita rate than the US, but definitely not zero.
Being 26 times less worried about something translates, at least for most things, for me, to not being worried about it any more.
https://www.npr.org/sections/shots-health-news/2025/04/15/nx...
https://www.npr.org/sections/shots-health-news/2025/04/15/nx...
"The vast majority of chicken processed in the United States is not chilled in chlorine and hasn't been for quite a few years," says Dianna Bourassa, an applied poultry microbiologist at Auburn University, "So that's not the issue."
According to https://pmc.ncbi.nlm.nih.gov/articles/PMC11945640/ most of the outbreaks in humans (where exact cause was found) were caused by foreign vegetables.
On other hand countries like Italy find positive samples from 27% of their flocks ( https://efsa.onlinelibrary.wiley.com/doi/epdf/10.2903/j.efsa... ). USA doesn't do testing at that level as far I understand, I only found that 8% of the tested chicken parts have salmonella (https://www.propublica.org/article/salmonella-chicken-usda-f...).
https://usafacts.org/government-spending/
The issue we have is that republican every chance they get since the 1970s have cut taxes. And then blamed democrats for causing the deficits. We don't need smaller governments. We need a reasonable tax system that taxes people. It can be progressive like it was before we decided rich people just need it easier than poor people.
Yes, I will pay more taxes sign me up, especially if they can finally fix the roads and fund research. The problem is my taxes as a middle-class person go up and rich people get a tax cut. It's stupid. I like water provided by government utilities, I like planes that don't crash into stuff because there are air traffic controllers. These things used to work because we paid for them. When you buy cheap you get cheap.
Lockheed only has a $100b market cap. Raytheon has $200b. General Dynamics $74b
The reality is that US defense spending pays American designers and American laborers high prices for their American effort. We pay basically the same prices for ammo and supplies and services as other countries.
When we pay $13 billion for an aircraft carrier, that's just what it costs to build a gigantic boat with nuclear reactors. The French paid $4 billion for their aircraft carrier, and a $12 billion Gerald R. Ford class is over twice as large as the Charles de Gaulle (40k tons vs 100k tons), and much much much more advanced.
Americans love to misunderstand the cost of military things. They will scream about the F35's $1.5 trillion "price tag", ignoring that the estimate is for 50 years of operations and maintenance as well as initial purchase. Actual purchase price is about $90 million a plane, which is reasonable. Which makes sense, since being not stupidly overpriced was a key point of the program. The operational cost is about $40k a flight hour, which is roughly the same as the F-14, another high tech superplane program.
Tragedy of the commons - NVD and the CVE project havr been backlogged and facing funding issues for a couple years now, and most security vendors are either cagey about providing vulns in a timely manner (as it can reduce their own comparative advantage), or try upsell their own alternative risk prioritization scores.
Every company will gladly use NVD and CVE data, but no one wants to subsidize it and help a competitor, especially in an industry as competitive as cybersecurity.
This is one of those things the government does for the benefit of the whole.
Still shortsighted and stupid, but it's plausible this is intended as leverage to get someone else to pony up.
Multi-trillion-dollar companies benefit from and contribute to this system, surely they can spare 0.01% of their revenue to this bit of critical infrastruture?
They would, if we made companies pay their taxes.
Yes, you can also run such a system based on donations. But I personally think that such a system is important enough to be paid for by the government. When you run on donations, there will always be conflicts of interest and the risk of running out of funds.
But yeah, Mitre being a private organization that was paid for by the government was a problem.
Steelmanning is a neologism that serves no purpose other than in-group signaling. There was already a perfectly acceptable term for the same concept, one with more nuance and a rich history: Charitability.
The major difference is that charitability is about treating your interlocutor with respect. Steelmanning is about using one's own intellect to make your interlocutor's argument better than them. Because charitability is based on a concept of mutual respect, if somebody clearly doesn't respect you one iota, then why would you be charitable? Steelmanning tries to divorce the person from the argument, and is ironically both arrogant and naive.
April 2024, https://nvd.nist.gov/general/news/nvd-program-transition-ann...
Sep 2024, Yocto Project, "An open letter to the CVE Project and CNAs", https://github.com/yoctoproject/cve-cna-open-letter/blob/mai...> Security and vulnerability handling in software is of ever increasing importance. Recent events have adversely affected many project's ability to identify and ensure these issues are addressed in a timely manner. This is extremely worrying.. Until recently many of us were relying not on the CVE project's data but on the NVD data that added that information.
Five years ago (2019), I helped to organize a presentation by the CERT Director from Carnegie Mellon, who covered the CVE backlog and lack of resources, e.g. many reported vulnerabilities never even receive a CVE number. It has since averaged < 100 views per year, even as the queue increased and funding decreased, https://www.youtube.com/watch?v=WmC65VrnBPI
The funding appears to have been cut off today, and both of these comments seem to talk about continuing work and how important it is.
Do you mean to say that some form of threat to the NVD has been around for over a year now? Just want to be sure I'm parsing correctly!
May 2024, https://therecord.media/nist-database-backlog-growing-vulnch...
> Moving forward, cybersecurity companies will have to “fill the void” .. NVD said in April [2024] that it is “working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.” .. CISA acknowledged the concerns and outrage of the security community and said it is starting an enrichment effort called “Vulnrichment," which will add much of the information described by Garrity to CVEs.
The second VulnCon event took place last week and no silver bullet has appeared, https://ygreky.com/2025/04/vulncon-2025-impressions/
People who actually work with CVEs have been posting about this problem on HN for 18 months.
NIST budget was cut 12% in FY 2024 (Oct 2023 - Sep 2024).
An earlier bill to supplement NIST funding has been reintroduced in 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...
If you still have a cached copy of their original post you should publicly edit your earliest reply with their original quote.
Edit_1: found a proposed bill, April 2025, https://fedscoop.com/public-private-partnerships-bill-nist-h...
> A bipartisan bill that would establish a nonprofit foundation aimed at boosting private-sector partnerships at the National Institute of Standards and Technology was reintroduced in the House and the Senate.. the proposed foundation structure was described as replicating similar nonprofits that support public-private partnerships at other science agencies.. we encourage a strategy that leverages NIST’s leadership and expertise on standards development, voluntary frameworks, public-private sector collaboration, and international harmonization.. NIST’s funding has been in focus following a budget cut of roughly 12% to $1.46 billion in fiscal year 2024.
Edit_2: is there a shortage of database rows, or people to write a shell script? Why not pre-allocate N CVE IDs for every CNA, while a new plan is worked out? At least one random commercial vendor could foresee the shutdown early enough to reserve CVEs.
> Garrity posted on LinkedIn, “Given the current uncertainty surrounding which services at MITRE or within the CVE Program may be affected, VulnCheck has proactively reserved 1,000 CVEs for 2025,” adding that Vulncheck “will continue to provide CVE assignments to the community in the days and weeks ahead.”
MITRE CVE/CWE contract, $29M for 2024-2025, https://www.usaspending.gov/award/CONT_AWD_70RCSJ24FR0000018...
> A coalition of longtime, active CVE Board members have spent the past year developing a strategy to transition CVE to a dedicated, non-profit foundation. The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide. “CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself,” said Kent Landfield, an officer of the Foundation.
That article is about how the volume of software vulnerabilities are increasing, resulting in difficulty keeping up by the CVE and NVD projects.
Please stop spamming this thread with political spin.
> Since February 2024, the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) has encountered delays in processing vulnerabilities.. caused by factors such as software proliferation, budget cuts and changes in support.. NIST, an agency within the United States Commerce Department, saw its budget cut by nearly 12% this year.
If I violated some rule so be it, and I could care less about internet points, but it certainly feels like suppression of individuals based on individual posts which is a behaviour that could end up being the death of hn.
I was trying to convey (with levity/humor) WHY it should continue to be funded as well as the argument that should be made to the one currently in control of the spineless US Congress.
Yes, fixing the vulnerabilities is important. However what the government probably does gain from it is an inside advantage in the lead time for vulnerabilities to protect against, as well as to exploit on adversaries.
This sucks, plain and simple.
Hopefully these 4 years energize people to vote. I know protesting and direct action and so on are also important, but the gradient is not negative for voting for every office you can vote for in every election.
For example, a lot of people have forgotten, but the phrase "fake news" originally came about in the wake of the 2016 election about all the (actually false) misinformation that was spread on social media in the run up to the election. Trump adeptly then co-opted the term, so any news he didn't like he could just call it "fake news", and who was to say any news he called fake was any less fake than what people were calling fake before?
My guess is the 2028 elections will be marked by fraud, and then when people protest or object, Trump and the Republicans will just say "Hey, you called all those Jan 6 protesters traitors and said the election was secure, how is now any different? Now you're all the traitors."
The only belief that gives me hope these days is "History will judge the complicit."
The chasm between what Trump says (and what the propaganda says about him) and what he actually does is astounding. Most of his fans are completely uninformed of what he says and does. We've never had a president (and cabinet) with more conflicts of interest. He's been a pioneer at abusing power; tariffs on Canada because of a fentanyl crisis... give me a break!
Yeah, apparently they want some billionaire who doesn't pay his taxes, who was given millions by his daddy, and who famously stiffed small business contractors at his buildings, to say he feels their pain.
That said, I actually upvoted your comment because right now it's heavily downvoted but I actually think there is an important point behind your comment. It may feel insane to me, but Trump is so beloved by his base because he was the first one to really acknowledge their anger and give it validity. "Make America Great Again" is a slogan that works because a lot of people have seen their financial and social position deteriorate over the past 30-40 years and they want to go back and they want someone to blame (even if going back is impossible and they're blaming the wrong people). Trump understood this, the Democrats didn't, or worse, branded anyone who harbored some of this anger as a bigot. This is basically how all fascist leaders come to power - the parallels with Mussolini are uncanny, right down to having a minor body part shot off in an assassination attempt.
Relevant recent example to me: a lot of folks can't understand the hypocrisy about bitching about inflation under Biden, but then saying "we'll hunker down" in response to the expected inflation from tariffs. The difference is the Trump base believes he is taking them "back to the promised land", and for better or worse Trump is definitely a man of action, so they're more willing to put up with temporary hardships if they think the direction is right. With Biden and the Dems, they just believe they'll get more of the "slow slide."
I agree. And they're not wrong to want to go back or blame someone. We can "go back" in terms of increasing the QoL of our populace. Idk, the Democrats were always clear about wanting to uplift people. Obamacare and Medicare for All were extremely clear policy positions meant to uplift the common man. Eliminating student debt (a policy I don't agree with) was also obviously positioned to help people improve their economic and social standing.
I don't know why people say Democrats missed this and Trump saw it? The Democrats won on slogans that capitalized exactly this sentiment. Obama's "Hope" and "Yes we can" are obviously in a context where people didn't have hope or questioned whether we could.
I think he just got lucky against bad candidates, and we ascribe way too much to his branding and the other garbage. Clinton's branding was about HER (i.e. I'm with her), not about THE PEOPLE (biggest political branding mistake in the 21st century imo). And Harris never had the popularity to go to to toe with Trump.
Idk, I think people are mad, but I think the Democrats have spoken to that more authentically and proven themselves to actually do things that help the common man than Trump ever has
Trump is a literal billionaire. How is him telling the sons of people who used to do manufacturing that they're okay any better than a Harvard educated lawyer saying he feels for them (Trump and Vance are both Ivy League educated, btw)?
I also want Americans to have a better life. I also think we spend way too much elsewhere instead of at home. A lot of Democrats think that and drive policies for that. Trump may care about that too, but you can't vote for who makes you feel good. You have to learn how to vote for who will actually improve your life. We are the rulers of America, we have to understand our economy, our government, etc. No one is going to do it for us. I'd much rather vote for someone who talks down to me and will deliver stability than a guy who hypes me up and tanks the economy
You are assuming there will be next elections that are free, fair, and matter.
Trump says a lot of things that ultimately doesn't matter, but he has also said, and is the type of brute to believe it, that he intends to stay in power. He and his cronies have successfully dismantled the checks and balances that should have prevented him from doing they, legally. IMO the only way he leaves the White House without stirring trouble is in a casket.
The unfortunate part is that education is often also part of propaganda and spinning history for said propaganda. These days I wish education had a bigger emphasis on history and history should be looked at from different angles, like how the same thing is being taught from different angles.
It does. In higher education.
You cannot force someone to learn something. The mean-spirited bully not paying attention in high school history class and barely getting a C- to graduate didn't exactly learn anything about nuanced topics like "The Nazis didn't start the holocaust right away" and "Fascism is inherently incompetent, and that makes it so much worse"
If parents raise their kids to not consider education important (and millions of parents in the US have always done just so, we have an insane level of anti-intellectualism in this country), you won't get educated kids.
Every time someone says "I wish school taught <X>", plenty of schools EXPLICITLY DO THAT, and it doesn't work, because the person complaining was one of the kids crying "When will I ever use this" instead of paying attention.
The same adults who complain that school didn't teach them "critical thinking" are upset that school didn't walk them through the process step by step, as if you can't balance a check book with fucking basic algebra you learn by 4th grade. Meanwhile, 90% of the uproar about "new math" ends up being parents who can't even manage to understand basic word problems, you know, things which take critical thinking to work through?
I've had people complain that school should teach them how to calculate a mortgage, which is funny, because those people sat next to me in Precalculus as we literally did mortgage calculation problems.
The USA is struggling with multiple generations of people who have insisted that education is not only useless, but a liberal agenda, or even a devil-run plot to distract you from god. It's insane.
This euphemism has to end. I think you mean: "Hopefully these 4 years energize people to vote Democrat".
Why not just say it plainly instead of using supposedly non-partisan language? This neutral phrasing seems to be an appeal to a "silent majority" that agrees with you and disagrees with Republican leadership. What if that silent majority doesn't exist?
But personally, the reason I believe it does exist is two-fold:
1. The "My vote won't change anything" rhetoric only ever gets expressed by left-leaning people.
2. Only left-leaning people require endless purity tests for their political candidates and will refuse to vote for anybody that they don't think is the perfect candidate. These are the ones that talk about being fed up for having to choose between the lesser of two evils, then look like a Surprised Pikachu when Trump wins.
Then we are on course to lose our spot on top of the world, and I should probably plan to get laid off. Idk, I get what you mean, but not agreeing with Democrats (I don't really agree with them much) and wanting a stable country with a good economy are way different things. I can hold my nose and vote for someone who doesn't actively try to tank the economy, the same way many conservatives (especially religious ones), held their nose and voted for Trump
A lot of people seemed to have had this theory, despite all the evidence to the contrary.
It was all opinion. Trump said a lot of stuff before this election, but he said a lot of stuff before his first one too.
When people disagreed on what he might do, it was all guesses. There was no evidence to base anything on. Would his second term be restrained by people around him like in his first? That would be an evidence-based extrapolation. Would tariffs be all talk and little action, like in his first term? Extrapolating from evidence, they would be. But 2025 isn't 2017. Things would be different, but how? It's all guesses.
It's only hindsight that is 20/20.
> Hindsight 20/20? Oh, I saw all of this, and I knew all of this would happen.
Great. So I assume you made massively leveraged bets to short the stock market and are now rich?
Or maybe you didn't, because talk is cheap, and you didn't actually know anything. Because nobody knew anything.
> Stupid Americans.
Please take this kind of talk elsewhere. Trump didn't even win 50% of the vote. But regardless, insulting entire nationalities is never called for.
> Or maybe you didn't, because talk is cheap, and you didn't actually know anything. Because nobody knew anything.
Wait. Your argument for why people weren't prepared for a second Trump admin being worse is... that they didn't think to get rich off of it?
I did expect the stock market to go down, and sold quite some stocks at high point before the recent turndown.
I didn't place massive leveraged bets, because I am not an idiot.
Saying "there wasn't any evidence" is borderline bot-speak. Anybody who thought Trump 2.0 was going to be like the first round was simply not paying attention at all and anybody telling others it wasn't going to be like the first admin is either a Russian troll, the mainstream media, or just plain irresponsibly ignorant.
"Nobody could have foreseen this" is about the dumbest take I think I've seen so far.
We've known about RFK Jr all along so yes, if somebody is surprised by the secretary of health being anti-vax, that somebody is irresponsibly ignorant. If that somebody also claims that nobody could have foreseen this, or that prior to him being picked they were fond of reassuring people that "there's no way it'll be that bad"... yeah I'd 100% associate that with the type of behavior becoming of a Russian troll.
I find it really weird and cringey that you're bringing up ego. I don't feel like I'm smarter than everybody else, nor am I claiming to be, nor do I see how any of my comments could even be construed as such. To say this is about me thinking I'm smarter than everybody else is to imply that I'm relishing in the fact that I "foresaw what others couldn't", which is just... an insanely idiotic thing to say. I'm not a sociopath. And for what it's worth, I know plenty of people who also saw this coming.
To be clear, it's a tragedy that so many people were ignorant of what a second Trump admin would be capable of, but that's not really the point I'm trying to make; I am specifically taking issue with your insistence that it was somehow impossible for anybody else to foresee this.
Best of luck in life.
Then you should re-read your comment. Calling people "insanely naive"? "Bot-speak"? The "dumbest take"? "Irresponsibly ignorant"?
And you really think you're not trying to portray yourself as smarter than everyone else who didn't see this coming?
Your comments are insulting, provocative, in bad faith, and do not belong on HN.
I was trying to make a reasoned point that no, most reasonable smart people didn't expect the Trump administration to be anything like what it is now. I don't know of anyone who predicted this. Your claims to the contrary are simply rewriting history. You're calling people ignorant, when you seem to be the one with the faulty memory.
I hope you can learn a little humility. Good luck to you.
Even the premise of their argument is silly -- "evidence-based extrapolation" lmao that's not how politics work at all.
its all just surface-level box-checking. most companies required to get 'penetration tests' just get an overpriced Nessus scan sold as a pentest and that meets their reqs.
Trump must be receiving a lot of emails from companies wanting to fill the void, and I bet the Trumpiest of them all is going to be awarded a contract worth 10x the budget CVE had, and do a much worse job.
There are far too many bad actors for us to operate as an industry with no yardstick.
I expect your field is probably teeming with AI proposals or offers on how to manage vulnerabilities, but that is doubtful the way, because again it is adding complexity, and no classifier is perfect, especially when scanners fail to understand scanned applications and their threat models or environment.
Stop selling external scanners, start simplifying code? This will never work, of course, because security vendors sell the promise of security to those willing to buy it, in the form of add-on products and capabilities.
Empower people to ignore scanner reports without so much red tape? That would never work either, because megacorp wants compliance and reduced liability.
Build secure systems as opposed to cataloging and scoring flaws? That would never work, because building secure systems is hard, nature tends to favor otherwise.
Charge people for adding complexity and credit them for removing complexity? Sadly, there is no way to do that, especially since products must ship and quality is hard to observe, since it is often invisible and only surfaces when things are broken.
Off the top of my head, would be nice to require proof of exploitation, by adding CTF-like capabilities to apps, such that only if the flag is captured do we consider the report real. This places more burden on scanners, in that it is no longer enough to report an outdated library. Requiring some proof of exploitability reduces noise and increases SNR, reducing false positives. Naturally, not all vulnerabilities have working exploits, and scanners can never fully simulate an adversary, so we may get more false negatives, but at least we would not have to waste so much time upgrading pointless modules and breaking applications to appease a false report. So the idea is "here is a dummy asset, show me how you leaked or compromised it". Adding the dummy asset should be cheap, but would force scanners to better simulate an attack.
At the very least, there ought to be a knob to decrease scanner sensitivity.
Maybe I have a dependency on Foo which has a critical vulnerability in a feature that I don't use. I suppress the warning and all is well. Then two weeks later someone on my team decides to use that feature, not knowing that there's a problem with it. Now we're fucked, and we'll never know because the vulnerability has been suppressed.
What a shame on this current gov. administration, if you can even call it that.
I think the question everyone in this thread should ask is: why is it the government's job to do this, especially given the prior widespread view that they're doing a bad job? Is the software industry so immiserated by poverty that it cannot organize its own distribution of security bulletins? Clearly not: GitHub already runs its own vuln tracking scheme that's better integrated with the tooling we use for open source software. The industry routinely sets up collaborations like standards bodies, information sharing groups and more. And there is as whole ecosystem of security companies to help you understand vulns in your stack.
So there seems nothing specific to CVEs that requires government involvement, but the existence of the tax funded scheme does discourage the creation of competitors that might function better.
But, to CVE or not to CVE ... that is not the question. US deficit spending is out of control. This sort of thing had to happen some day. It's what Europeans in the 2010s called "austerity" and it always makes some people scream but this graph:
https://fiscaldata.treasury.gov/americas-finance-guide/natio...
... is not sustainable. Up to 1984 overall US debt was stable. Since then its growth rate became dangerous. Debt/GDP ratio is now worse than just after WW2. The federal government is currently spending more on interest than on defense or Medicare:
https://www.crfb.org/blogs/interest-costs-have-nearly-triple...
The US is currently getting its first taste of what parts of Europe started going through in 2008, and unfortunately there's bad news: the cuts you're seeing now are mostly cosmetic. They're what can be done within the current framework of laws, sort of, with lots of bending of the rules and creative interpretations of them and maybe some oversteps. But it's just the start of what's needed. Large scale reform of the laws themselves will be required regardless of whoever wins the next elections.
Because the private sector can't see past their profit motive to the national defense motive.
I suppose more people would be more amenable to these wholesale cuts if the current administration weren't blowing through even more money than before [0]:
> The new Treasury Department data shows a deficit of $1.307 trillion for October through March, the first six months of the fiscal year 2025. And spending is $139 billion more in the first three months of 2025 compared to the same period last year, with borrowing over that period $41 billion higher.
We're currently fighting no wars and yet Trump is proposing a record $1 trillion defense budget [1]:
> “We’re going to be approving a budget, and I’m proud to say, actually, the biggest one we’ve ever done for the military,” he said. “$1 trillion. Nobody has seen anything like it.
And that's before proposed cuts to tax revenue [2]:
> Extending the expiring 2017 Tax Cuts and Jobs Act (TCJA) would decrease federal tax revenue by $4.5 trillion from 2025 through 2034. Long-run GDP would be 1.1 percent higher, offsetting $710 billion, or 16 percent, of the revenue losses.
So this whole "we're just imposing much needed austerity" to justify penny-wise-pound-foolish policies is kind of laughable when the proposed increase to our peacetime defense budget alone wipes out Elon's most recent estimate of DOGE's total savings [3].
[0] https://apnews.com/article/trump-biden-budget-deficit-spendi...
[1] https://www.militarytimes.com/news/pentagon-congress/2025/04...
[2] https://taxfoundation.org/research/all/federal/trump-tax-cut...
[3] https://www.nytimes.com/2025/04/14/us/politics/elon-musk-dog...
Elon is a libertarian and has been allowed to go do some spending cuts around the edges. This gets support from Republican members of Congress partly because the USG turns out to be spending a lot of money on highly partisan Democrat projects, but mostly because it's someone else doing the cutting and not them. Even if they know they should be doing it themselves they don't want the crazies trashing their cars, so if some outsider does it for them that's a deal they'll happily take whilst it lasts.
All that said, it's inevitable that the administration would be blowing through more money than before even with DOGE. It's the nature of debt that it compounds. The level of cuts required to even keep the deficit stable would be huge because interest payments are accelerating, and the cuts DOGE are allowed to make are small (even when they go further than they might technically be allowed).
Right now there's just no mainstream support in US politics for serious austerity. There never is in any country, but sometimes the public can be convinced to agree to some amount if politicians do a good job of communicating the deficit problem. The UK in 2010 is an example of that, where the Conservative/Lib Dem alliance was able to convince the public to vote for spending cuts (albeit not as deep as were actually required... but it tided the UK over until the economy started growing again).
This is like, exactly the sort of thing that the public sector should be doing. There's no profit incentive for this to happen in the private sector.
I don't disagree with your overall sentiment re: unsustainable debt. But the answer must be reform and taking hard looks at the military budget, not just randomly cutting programs that you disagree with politically.
More like the Clinton approach.
https://github.com/advisories
Note that many of these entries start with GHSA not CVE.
Agree that the military budget should face large cuts too, unless I guess a major war breaks out.
The public sector is exactly where you need things that are important to society but don't make money.
At any rate, even if they give it away for altruistic reasons, Microsoft is a sustainable going concern that brings in more than it spends. It can afford charity. The US government isn't and can't.
All this does is help Putin and other rich grifters.
It's because it's like if someone had forgotten to validate the user's role in an endpoint in a Django app, and someone said that they should have used Rails because it's easier to understand. In reality both are easy enough to understand to be able to do an authorization check, and the framework isn't the issue. So the person suggesting Rails is bikeshedding.
Likewise, if someone made another vulnerability database it would likely have the same issue, and this isn't really the place to solve it. If somehow this does trigger the realization to solve it, then it will be by luck.
Absolutely. And if the headline was "DHS proposes improvements and streamlining to the CVE program" we'd all probably be cheering.
Leaping from "This is Flawed" to "Let's kill This" is a logical fallacy. A flawed security registry is clearly better than no security registry.
In honesty to say "logical fallacy" is spoddy, I advise against for aesthetic reason.
CVE is simply identification of a flaw, not a scoring system.
The scores are mostly useless, I would not care if they disappeared, I do not look at them. I don't really understand why people get so upset about garbage scores though. If a high CVSS score creates a bunch of work for you then your vuln mag process is broken IMO. (Or alternatively, you are in the business of compliance rather than security. If you don't like working in compliance, CVSS scores aren't the root cause of your misery).
Having a central list of "here's a bunch of things with stable IDs that you might or might not care about" is very valuable.
So, most businesses. They all need their ISO/NIST/HIPAA/etc certs.
If you're working in compliance either
A) you're stuck in your compliance job, that sucks, CVSS scores aren't the reason why though.
B) you enjoy compliance.
C) you should change jobs.
a) If you are having to do busywork for compliance reasons, you are either disempowered to push back on bullshit work (case A above, unfortunate, but your job was gonna suck anyway), or it's not really a second order effect, you work in compliance in a meaningful way.
b) Compliance bullshit seems to expand into the space available to it. Nobody thinks CVSS scores are meaningful, the fact that they feed into compliance processes is not the CVSS scores' fault it's the compliance machine just globbing onto random bullshit as its expansion continues. If you took away CVSS scores it feels like it would just glob onto something else instead.
Anyway, in the end I think we aren't disagreeing about that much. I think they're silly, if someone wanted to get rid of them I wouldn't try to defend them at all. I just wouldn'e be the person to push for that.
Why do people do this, to down play all the destruction of the last few months? Seems to be some type of coping mechanism.
It's the way it is because there isn't a good alternative. They cannot possibly know every environment that we operate in.
To this day we still have large corporations down playing their issues, and it was way worse 20 years ago.
I wonder what level of compartmentalisation inside DHS means they didn't see this as having sufficient downsides?
I ask this, because I don't think anyone in the subject matter specialist space would have made a strong case "kill it, we don't need this" and I am sure if asked would have made a strong case "CRISSAKE WE NEED THIS DONT TOUCH IT" -But I could believe senior finance would do their own research (tm) and mis-understand what they saw in how other people work with CVE, and who funds it.
This was not a carefully-weighed decision based on a cost-benefit analysis. This was a political order, consistent with the administration's policy of "cut everything, recklessly, indiscriminately."
Unfortunately “capitalism” has two quite different meanings. Which are rarely clarified in use.
Capitalism with a big C, a too common overarching ideology, gets bent to mean whatever the greedy, unethical and rich want it to mean so they can get more money.
But small c capitalism, evolving from both practical and ethical foundations, is a system so useful it has multiplied the benefits of civilization. But it is just one such system.
It can’t do everything, it needs other independent systems (justice, dispute resolution, rules of clarity, risk & trust limiting systems, for starters) to work, and extending it to places it doesn’t work causes great harm.
(Like when perversely applied to those enabling systems, in big C form, as is happening now.)
Indeed.
It's almost as if no economic, social, or political system known to mankind will stand up for long under a determined onslaught of corruption.
One of her wonderful worldviews was to rejects altruism as a moral imperative, arguing that individuals should live for their own rational self-interest. Social security, based on the idea of supporting others, contradicts this principle.
Which means anyone whose wisdom matches their self-interest is going to understand that different things have very different efficiencies at different scales.
And some things happen to be dramatically more efficient/person and more effective, the larger the scale they can be coordinated at.
This exactly. All of these people who profess to believe in objectivism could easily move to a failed state and do anything they want to with zero government intervention. But they don't do that. They want all of the benefits of a working government with none of the things required to actually create a working government.
This position was already pointed out by Plato (in the Gorgias IIRC) as being inconsistent. Political systems are made up by people - if a society, in particular a democratic one, has certain systems in place, then this is probably because it was (at least believed to be) in the people's self interest.
https://www.openculture.com/2016/12/when-ayn-rand-collected-...
The DOGE crew are incompetent. Witness their firing of all the people who look after the nuclear stockpile and Ebola research.
[0] https://www.404media.co/anyone-can-push-updates-to-the-doge-...
[1] https://www.npr.org/2025/04/15/nx-s1-5355895/doge-musk-nlrb-...
[2] https://www.bloomberg.com/news/articles/2025-03-14/doge-staf...
https://en.m.wikipedia.org/wiki/Wunderkind_(disambiguation)
Other example includes: Endgegner (final boss) or Endlösung (final solution)
I would suggest to avoid such terms.
I did not know about this, thanks for die Vorwarnung. In context, I'd assume "ultimate enemy" (Gegner=opponent) as "final boss" sounds videogame.
Either the philosophers or the mathematicians/physicists likely coined them.
The parallels to Nazi Germany's striking but impractical weapons seemed intended every time I heard or read Wunderwaffe in English.
Endgegner originates from Endlösung and while it indeed often is used without thought, the question if it should be used lightly.
“Wunderkind” mispronounced as “Wonder Kid” is a running joke in that show.
https://www.reddit.com/r/TedLasso/comments/132rw9v/what_the_...
If I'm giving them the benefit of the doubt (which I hate), it's a shotgun approach; cut things relentlessly and see what falls apart. Chaos engineering applied to a country and / or the world.
Perceived, not actual, because spreading lies and misinformation is what makes the most money for the ad sellers that make up 90% of our industry.
Mostly discriminately, tbh.
The OP said indiscriminately, which means they're cutting uniformly across the board. I responded with "mostly discriminately" which means they're more selectively cutting based on prejudice. You then linked me a data point where you show they cut funding because it has the word "homo" in it and tell me to "get a hold of myself".. but your link would directly support what I've said?
https://www.merriam-webster.com/thesaurus/indiscriminately
It seems then that you could have acknowledged MiguelX413's comment without the feigned aloofness?
We're allowed, and should be encouraged, to write with a small amount of nuance and creativity.
However, I might still be misunderstanding you, pardon me.
I disagree. I think it would be considered "discriminate cutting".
> Actually effectively cutting grants that only related to homosexuality or something would've been discriminate.
I agree and that's the point I was making. They're just cutting grants with the word "homo" in them because it meets their criteria of interest for cutting. Whether they deal with homosexuality or not is not a discriminate vs indiscriminate topic, but a topic of DOGE's competency in actually executing on their discriminate cutting vision.
There's nothing "woke" about it and screaming woke woke woke isn't going to change the fact that we exist and you don't like it. I'd tell you what I really think of you but it would invoke Dang.
In reality, this entire process is insanity. We've had examples of government spending overhaul in the past - early(?) 90s - both sides worked together, cut lots of spending across programs, downsized tens of thousands of federal workers, and balanced a budget, to the point where we had a surplus. It was tough, took time, wasn't perfect, but was deliberated and debated and far far far more open and transparent than all this. But their goal was actually improving government (even if that meant reducing some areas). The current 'leadership' goal is to dismantle/destroy as much as possible, as this is led by people who think government in general should not exist.
it might also be deliberate: that they actually don't think the government should be involved in this sort of thing. after all, someone could be making a profit on this, and that seems to be their highest value. if gov is involved, that makes it a communal effort, and you know what else starts with "commun-"?
yes, those reasons are stupid and ignorant AND intentional.
but is there any evidence against that interpretation?
(Leaving aside that there's plenty of evidence of malice here.)
But, having known about it for a dozen years now, I also find it inadequate alone as a razor without the following caveats/corollaries:
Hubbard's corollary to Hanlon's Razor: "Never attribute to malice or stupidity that which can be explained by moderately rational individuals following incentives in a complex system". ( https://en.m.wikipedia.org/wiki/Hanlon's_razor#Exceptions )
Or (HN) Nerdponx's punchier simplification: "When money is at stake, never attribute to incompetence what could be attributed to greed." ( https://news.ycombinator.com/item?id=41066724 )
A large amount of things related to Trump fall into that category, and it's important to recognize when you need to instead treat it as a superposition: It is both malice and incompetence, unless the perpetrators decide to plead just one or the other.
You can only get into such a position if you've ignored smart people telling you "No". That's malice.
Yes, there are apparently various ways of profiting from vulnerabilities. The interesting question would be whether any of the regime insiders have a way to profit.
For instance, most people find healthcare middlemen (pharmacy benefit managers, etc) to be grotesque parasites. But to a laissez-faire fundamentalist, they're smart for finding a way to liberate some profit, even laudable.
There is no rhyme or reason to what gets cut, other than someone under pressure to hit KPIs (dollars cut) was desperately searching for things that looked easy to cancel.
This is happening everywhere the federal government touches. Most people aren't aware of it until they come around and pull the rug on something that intersects with your own life.
Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
> Even my die-hard Republican distant relatives are suddenly shocked because programs they benefited from are being cut. They thought they voted for something different.
They voted for others to be hurt and to lose benefits, not their “in group.” Surprise surprise, they are considered the waste by those they voted for.
Trump in Nevada: 'I Love the Poorly Educated' https://www.youtube.com/watch?v=Vpdt7omPoa0
It absolutely staggers me that anyone can still say this with a straight face. I will ask this, though: as part of the DOGE fight against corruption and wasteful spending how many of Elon Musk's government contracts and subsidies have been cut?
The Moving Goal Posts in Musk’s DOGE Cuts: Why Elon Musk and his team have struggled to make the spending cuts they promised - https://www.nytimes.com/2025/04/14/us/politics/elon-musk-dog... | https://archive.today/GPDNY - April 14th, 2025
Elon Musk dramatically lowers his DOGE spending cut targets (again) - https://www.msnbc.com/rachel-maddow-show/maddowblog/elon-mus... - April 11th, 2025
See How Government Spending Is Up Even as Musk Touts Savings: Musk team’s $150 billion in savings barely dents $6.8 trillion in spending largely on autopilot, WSJ analysis finds - https://www.wsj.com/politics/policy/trump-doge-government-sp... | https://archive.today/DGGhX - April 11th, 2025
"A system’s function or purpose is not necessarily spoken, written, or expressed explicitly, except through the operation of the system. The best way to deduce the system’s purpose is to watch for a while to see how the system behaves. Purposes are deduced from behavior, not from rhetoric or stated goals.” —- Donella Meadows
The purpose of a system is what it does.[1]
[1] https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_wha...
1. Politically-motivated "purge the weak" Nazi stuff - Cutting Medicare, cutting Medicaid, cutting Social Security, cutting education, cutting anything that benefits people who are old, poor, queer, female, etc.
2. Privatization - NWS and NOAA are wonderful public services, and they'd rather profit from the data they produce. This is why taxes in the US are such a bitch to file, tax companies oppose any policy change that would make the paperwork easier for filers.
3. They might actually be Russian assets. Tearing down institutions that took generations to build makes space in the world for Russia to exert more influence. You can tell this is working because Europe is now wanting to re-arm.
It makes me sad. If I had a billion dollars I would still want to live in a better country. These guys only want a better world for themselves, and making everyone else into a permanent servant underclass only plays into that.
> The NSC [National Security Council] staff will need to consolidate the functions of both the NSC and the Homeland Security Council (HSC), incorporate the recently established Office of the National Cyber Director, and evaluate the required regional and functional directorates.
> Given the aforementioned prerequisites, the NSC should be properly resourced with sufficient policy professionals, and the NSA should prioritize staffing the vast majority of NSC directorates with aligned political appointees and trusted career officials. - Project 2025, pg 52.
> ... History shows that an unsupervised NSC staff can stray from its statutory role and adversely affect a President and his policies. Moreover, while the NSC should be fully incorporated into the White House, it should also be allowed to do its job without the impediment of dually hatted staff that report to other offices. - Project 2025, pg 53.
The goal is to build up a political organisation to use as a weapon, and to scrap the rest - as a legal excuse to say that the political appointments will be necessary.
[0] https://www.project2025.observer/
You make it sound like poor DOGE employees are being forced to do this on this kind of schedule, which definitely isn't the impression I got. They're all a bunch of incompetent overconfident weirdos who think they know better and what to do. Is there any pressure to do anything quickly?
And the US federal budget is quite easy to trim. E.g. remove an aircraft carrier from the planned construction pipeline and you've saved $15 billion with no actual ramifications.
Out of curiosity, which programs? And is this enough to change their opinion about Trump, or do they still think it'll be worth it?
Like what exactly? I mean the guy ran on cutting the budget by 2 trillion. In his last term he gave tax breaks yo the rich. Where did they think the cuts were coming from?
He ran very hard on raising tarrifs. Which demonstrably raise prices (thats literally their goal.) But now people claim "I didn't vote for this."
In truth they voted for him because he was the Republican on offer and they're die-hard Republican. The Republican party has made no secret of its agenda for decades.
I get it, people are good at cognitive dissonance. But this is the place for blunt truth. They voted for this. I'm not letting Republicans got off the hook here. They voted for this.
Just like to my Republican friends who are upset that CVE is cut. You voted for this. The general public benefit from CVE even though they dont know it exists. Just like you benefitted from dozens of other programs you didn't know existed, but have also been cut.
That's the problem with cuts. They ultimately end up hurting everyone.
Now clearly there's some fat that could be trimmed. Companies do it all the time. Done well its good. Swinging a hatchet in a crowded elevator does not seem like "Done well".
This is actually simply not true. The Republican party before the Tea Party looked nothing at all like this. Trump won the presidency last year riding a wave of distinctly not-your-typical-Republican lower class voters. As he rose the old guard Republican establishment formed the anti-Trump wing of the party until they were forced out one by one.
To put some numbers to this: Bush won the upper income brackets by 5+ points in 2000, with a lead that widened as you went up the income ladder. Trump lost the equivalent brackets in 2024 by 5+ points, a 10 point swing away from what Bush won them by. The lower brackets are even more stark, with a whopping 18-point swing towards Trump in the $30k-$50k bracket (inflation adjusted to $15k-$30k).
These numbers show that Trump is not a Republican in the George W Bush sense and he's certainly not a Republican in the Ronald Reagan sense. He's a populist and won on a populist agenda by putting together a coalition of rabid social conservatives (who probably really did go Bush in 2000) and poor people (who largely did not).
I would agree he's not George Bush, much less Ronald Reagan. Nevertheless those who voted for Bush and Reagan also voted for Trump.
This has been "decades" in the making in the sense that since Obama was elected (in 2008), Republicans have embraced racism at the heart of their populist message. That swing rightward was made palatable to center republicans with a woman democratic candidate in 2016 (one not terribly well liked in democratic circles) and a black woman candidate in 2024.
While racism, and misogyny gather a bunch of votes, long-term distrust of institutions is sown, and fostered. Republican policy becomes protecting white guys, and especially old, rich, white guys.
Reagan was popular and competent, and worked for the good of America. Today's president is nothing like him, but wins because a bunch of people "vote Republican".
There's a component of that, but it's not the primary cause. A lot of former Republicans stopped voting Republican with Trump, including a lot of old rich white guys, and a lot of the current Republican voters didn't vote for Bush. He wins because of the new wave of voters that counterbalanced the flight of the educated core of the Republican establishment.
Starve the beast is older than the Tea Party.[1]
[1] https://en.wikipedia.org/wiki/Starve_the_beast
Obamacare and communism are along the same axis too, but the Republicans who claimed they were the same thing were obviously wrong.
When someone hands you a pencil, you don't wonder what variety of tree the wood came from, or what paint chemistry was used for the coating. It's a pencil. You might have broad opinions on whether the one in your hand is comfortable to use, and sharp - but you leave the details to the pencil makers.
About 70% of the population engage with politics the same way: Leave the details to the people who do this stuff for a living.
Do they expect to be disappointed? Sure, but everyone who engages with politics expects to be disappointed.
> Do they expect to be disappointed?
Aurornis said their relatives were shocked.
If people in the US aren't starting to notice what Musk/Trump are doing it will bode very poorly for the future of the US.
They voted for the leopards to eat other people’s faces, not their’s.
This isn't speculation or hyperbole, it's specifically laid out in their published plans: By hobbling or outright eliminating federal agencies responsible for executing the laws passed by Congress, the administration can circumvent the democratic process and impose their extreme vision of limited government on the country, regardless of popular support.
The U.S. system of government relies on established norms as much as it does law. Conservatives realized that they can ignore precedent with impunity if they had an executive willing to do so. They then spelled out exactly how, and are now enacting that plan.
Then SCOTUS's decisions last summer turbo boosted their agenda. The ruling that only Congress can hold the President legally accountable essentially means executive power is unchecked if the legislature is unwilling or unable to Impeach and convict. The President can now confidently ignore the law and judicial orders with a veneer of legality. And this is what he's doing.
(The fact that all this just so happens to benefit Russia after their decade long campaign to destabilize their opponents in the West is a topic for speculation.)
DOGE is about permanently altering how our country works modeled on the right wing worldview, plain and simple. Since that's their overall goal, they're not concerned where they swing the wrecking ball - it's all going to get destroyed eventually.
And it's also happily breaking the law. The Executive doesn't legally have the power to allocate resources (or not), not to mention the power to arbitrarily suspend due process.
You'd think that lessons would incite learning but that has never seemed to be the case throughout history.
When the citizens realise this, the structures to clamp down any revolution will be in place.
"CVE" is trademarked and emphasized (e.g. included in the shorthand notations, e.g. CVE-2014-0160), explicitly to prevent other groups from using "CVE" in a way that causes confusion in the marketplace. And yes, this is the same reason trademarks exist for commercial purposes.
But imagine if Microsoft could issue CVEs against Apple ... or OpenAI against Anthropic, etc.
The label "CVE" has to have a known authority to be useful. And the only way to ensure that is to trademark it. See also: "Linux™".
Most of vulns will go unaddressed because company like palantir will most likely want only really good vulns like 0-click RCE.
Anything that weakens the US or puts our cybersecurity in a place that Russia can exfiltrate data will happen. This is not about the US needing anything and it's silly to think otherwise. See also the NLRB whistleblower and the security backdoors that DOGE demanded to allow data exfiltration and the subsequent death threats to the whistle blower.
You mindset is behind the times and needs to adjust to a, frankly, insane current reality.
Your comment embraces and spreads the powerlessness they want you to feel and spread.
Of course you can stop them - like any other negotiation in life, especially non-friendly ones, you need to make it in Trump's interest either by carrot or stick. Trump has interests; identify them and identify your power in those regards ('power and interest' is the term), and use it.
Also, stop helping them make DOGE the scapegoat. It's Trump.
What leverage do you have for the DOGE boys? What power? Resigning? Because on the Defense side of the government the best leverage that some teams have found is mass resignation, meaning that nothing happens.
There is no negotiating with bullies, it merely breeds more concessions.
DOGE follows Trump's direction and acts on his behalf, as you must know. They make a big deal out of DOGE so Trump's name is less attached to these actions. Then they can take much of the blame with them when they go away, with Trump and the GOP blaming them for 'excesses'.
> Trump is not going to negotiate anything here, that's ridiculous.
> What leverage do you have for the DOGE boys?
You don't understand how negotiations work. Everyone has interests, strengths and weaknesses, and power. You need to make it in Trump's interest to keep the CVE program.
Everyone saying they are helpless, and that anything else is ridiculous, are panicking. Very unfortunately - dangerously - many people legitimize the panic. It's so normalized that it's "ridiculous" not to panic.
Every day you continue this behavior, you fall further and further behind and lead others in that direction. Will you wake up in time?
The amount of disrespect you have shown for someone that is just telling you 99% of federal workers have absolutely no leverage says a lot.
I would not dare not mention the revolutions in England and in France. And before that some Greece city states, and definitely Rome. The US declaration of independence is just another point.
That's an assertion without any any argument. It means nothing.
> The amount of disrespect you have shown for someone that is just telling you 99% of federal workers have absolutely no leverage says a lot.
What does it say? Why is such a person somehow special?
This guy is ~80 years old and bragged about "person, woman, man, camera, TV." He recently got into a Tesler and exclaimed "everything's computer!" Have you seen the way his aids explain executive orders to him (like a child) before he signs them?
He doesn't have the foggiest notion of comprehension of what the CVE program is, or how it would benefit him. Unless you're greasing his wheels, it's not going to happen.
one it costs the us and is needed by everyone, so he thinks but paying it someone will pick it up and then the us will be the free loader.
second, he understands that helps he and his pals wash dirty money.
Do you mean things like handsfull of like-minded countries selling t-bonds? No one in the R party has any leverage, and it's not clear that even a few US billionaires could exert any influence.
Do you really think Trump has ever heard of "CVE" or could comprehend them?
I'm going to be to the point here, if you guys over there don't start to heavily push and organise, and I said it already, you're one Reichstag fire away from something very bad, and from my point of view, there is probably one kristallnacht pending in the mix.
This is not a hyperbole and if someone wonders why this has relevance to the discussions, in this case most of the people around here are blue team, and it does feel like the red team has already taken anything that wasn't attached and now taking the time to take what's bolted on...
I guess the silver lining of all this, is in their hubris, they forgot the bread and games motto, so they're might still be a chance to turn things around somewhat... But the window is closing at an impressive speed.
The rest of the world is mostly against Trump.
Forget about them feeling sorry for anyone but themselves. They will feel resentful and as if they were being treated unfairly even when actual clear criminal investigation happens.
Why are you protecting Trump, the President, from responsibility?
That's why the current approach seems to be to axe everything, listen to how much screaming there is, then reinstate only the projects where the screaming is really loud.
The "Musk algorithm" is described in detail, and can be summed up as a "reverse Chesterton's fence"
"If you are not forced to reinstitute 10% of the rules you slashed, you have not slashed enough".
What happens while the 10% are slashed is left as an exercise to the voter.
Hopefully, the cve db will be deemed part of the 10%.
"We are paying MITRE how much? Bigballs and co will write a better ststem in 1 week and have it integrated with xAI. How hard could it be? Send out a first draft of an xAI contract to our DHS contact"
All of this is criminal behavior on the the current regime.
The National Vulnerability Database has been unable to keep up with the flow of CVEs for over a year now:
- https://anchore.com/blog/national-vulnerability-database-opa...
- https://www.cyberreport.io/news/cve-backlog-update-the-nvd-s...
- https://www.ibm.com/think/insights/cve-backlog-update-nvd-st...
- and many, many, many others
It has been a complete disaster for months. At this point, perhaps the thinking is to radically change approaches?
If there had been a replacement or reform plan for even one single iota of the things this admin has cut, I might give them the benefit of the doubt. But there's not. It's just kill, kill, kill.
Come on, are you living under a rock right now? There are massive indiscriminate funding cuts to anything that Elon/Doge deems to be "fraud", and they explicitly do not care about the collateral damage.
This is not about the DHS or "compartmentalization". This is just a politician running amok and having real consequences.
In the UK the some "entrepreneur" was after monetizing access to the Land Registry a couple of years ago. Apparently the free UK Gov service was not fit for purpose it needed a paywall to make it better. Nothing as globally significant as the CVE database, but you can see if the vultures are going after small UK Gov services, something like the CVE database is absolutely a chance to add to the executive bonus pool.
But maybe this is an opportunity to do CVE better.
Okay, how? This sounds like looking for lemonade in a genocide.
It really doesn't. This level of catastrophising has no point. It would be nice if CVE continued to exist, but it wasn't close to perfect, and perhaps it can continue in another form. There's no particular reason the US taxpayer has to sponsor global security threat tracking any more than any other taxpayer or customer.
The point of having a global, shared database is a single, authoritative (more-or-less), semi-vetted repository that can hold vendor accountable externally without digital amnesia or downplaying issues, and global unique identifiers. If that takes an international nonprofit funded by bits of the free world who are okay with investing in commonwealth infrastructure, so be it. Those who don't understand what they're destroying so casually are ignorant, and possibly evil if they do understand.
No, it's the opposite. Things like this shouldn't be in the hands of a single government. They should be independent and funded by many parties. The part of your message that isn't catastrophisation is agreeing with exactly what I'm saying.
They tried to reject the election result and do a coup, and were rewarded for it by getting back into power. They are refusing to follow the law or the courts. They are sending people to gulags in foreign countries. All the checks and balances were destroyed last time. The party has been stripped of anyone who would fight the admin or reject this illegality. They have set up a power grab over elections.
There will not be free and fair elections in four years unless they are simply too incompetent to rig it, the rubicon was crossed long ago. Without mass protest that makes it impossible for them to hold power, American democracy is dead.
They have tried to do it, they say they want to do it, they have the ability to do it, they are actively doing it, and no one is stopping them. How are people still acting like in four years they are going to neatly hand over power to be prosecuted for their crimes?
That would be a good litmus test. "They" have not prevented special elections so far ; if "They" need to prevent the next one, whatever they try will happen then, I suppose ?
I don't see them preventing elections, but just rejecting or altering results that don't support them: the litmus test is already triggered: the special election in North Carolina has an ongoing court case trying to throw out ballots to allow the Republican to win.
They have also pushed a executive order claiming sweeping powers over elections which they will use as pretext to do this nationally. Blatantly illegal, but they have already shown they are ignoring the courts, so who will hold them to account? Mass civil unrest is the only thing left.
If you can't vote your representative out of office, then, well, yeah, you're not really in a democracy anymore.
I guess you can always incorporate and sell bitcoins - then, you have a chance to buy your élections.
Or, admit that you now leave in a dictatorship, and thank your maga neighbors for that.
At some point, both Presidents Musk and Trump die of old age, and a window of opportunity for change opens.
We are going to have elections.
Open season on American corporations for domestic and foreign hackers.
If program isn’t brought back then CVE database likely to be fragmented amongst the “private” CVE databases.
Sec Corp A has 700 well documented CVEs but Sec Corp B has 702 CVEs in their database since NIST funding pulled. What do corps do? Maybe some of them with massive budgets setup contracts with both to get “full spectrum coverage”. Maybe other non-technical companies that think of IT as strictly a cost will go with the cheapest or forego it all together.
Who knows maybe we get ~~~free labor~~~ open source community to pick up the slack?
This country with the orange man administration is quickly going to shit. Not in a “I dislike {opposing party} way” either. In a “I dislike authoritarian regimes” way.
Who is still stunned by these things? They want you to be stunned; they want you to tell everyone else that you're stunned to spread feelings of terror and powerlessness. If you actually are stunned, you are stunningly ignorant. If you are not and still saying it, perhaps to emphasize your unhappiness, you are a 'useful idiot'. Either way, if you are saying it, you are a useful idiot.
You should have known decades ago: The GOP impeached a President for lying about sex; they fabricated intelligence to invade another country (killing thousands of Americans and 100,000+ Iraqis) - and that was all before 2004. They've voted almost unanimously, multiple times, to bankrupt the country (by refusing to authorize debt for existing obligations). Nobody (i.e., the Dems failed to) stopped them or made them pay a price, so why wouldn't they keep doing those things. (Edit: And if you object because the analysis criticizes one side and therefore you reject it as partisan, that's a big part of the reason nothing was done.)
This time they published Project 2025, telling you what they were going to do.
This is your moment! Enjoy it!
If you’ve somehow missed Trump’s systematic dismantling of academic freedom or his disappearing of folks he doesn’t like, then we have a far bigger problem than the limits of what is discussed on HN.
Many most voted and most commented submissions were the other things.