The internet's core infrastructure is dangerously unsupported and could crumble (but we can save it!)

Nadia Eghbal's Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure is a long, detailed report on the structural impediments to maintaining key pieces of free/open software that underpin the internet — it reveals the startling fragility of tools that protect the integrity, safety, privacy and finances of billions of people, which are often maintained by tiny numbers of people (sometimes just one person).

The paper is excellent, but suffers from some organizational deficits: first, it lacks a good executive summary for people who aren't sure they want to read 142 pages; second, the main event really starts on page 58, in the "Challenges Facing Digital Infrastructure" section (everything before that is history and background), which then moves on to strategies for fixing things.

I saw an incredibly important presentation on this last week at the O'Reilly Security Conference in New York: Susan Sons's Saving time: How a few committed people helped hold up the Internet... again. Sons works with Indiana University's Center for Applied Cybersecurity Research and the Internet Civil Engineering Institute, and her presentation recounted her work to drastically improve and stabilize the Network Time Protocol (NTP).

NTP is how virtually every computer you interact with keeps its clock accurate, a function so fundamental to the functioning of the internet that its importance can't be overstated. Without NTP, huge chunks of metaphorical concrete would crumble and fall off of our virtual bridges, sowing chaos and misery. What's more, vulnerabilities in NTP had turned the internet's many time-servers into force-multipliers for Denial of Service attacks, turning merely punishing attacks into nearly unstoppable ones.

Until ICEI and CACR got involved with NTP, it was supported by one person, part time, who had lost the root passwords to the machine where the source code was maintained (so that machine hadn't received security updates in many years), and that machine ran a proprietary source-control system that almost no one had access to, so it was very hard to contribute to it.

Sons's presentation ended with a showstopper slide showing how much of the internet's key infrastructure was supported by one, two or three people. Recall that in the wake of the Snowden revelations, we learned that the world's most widely used email encryption tool was maintained part-time by one guy, who was going broke. Thunderbird, the mail client that this tool relies on, is now effectively orphaned.

Recall that when Heartbleed struck, revealing that OpenSSL — which secures billions of dollars' worth of transactions, not to mention many other kinds of sensitive data-handling — had been dangerously insecure for many years, we learned that it, too, had only one full-time, (under)paid maintainer.

I was so impressed by Sons's work that I ended up donating to both CACR and ICEI. The combination of Eghbal's exhaustive research and Sons's holistic approach to analyzing, organizing and streamlining vulnerable infrastructure is just what we need: a statement of an urgent problem and a plausible way to solve it.

We spend a lot of time talking about "the cyber," and usually we're talking about sexy attacks on specific websites or services. But these deep, unsexy, structural problems in the internet's core services pose a threat that's much more grave than the 0-days in iOS or Android, or poor Internet of Things security.

The current state of our digital infrastructure is one of the most poorly understood issues of our time. It is critical that we understand it.

By making a voluntary investment in our underlying infrastructure, developers made it easier for others to build software. By giving it away for free instead of charging for it, they fueled an information

Developers did not do this for altruistic reasons. They did it because it was the best way to solve their own problems. The story of open source software is one of the great modern day triumphs of the public good.

We are lucky that developers have borne the hidden cost of these investments. But their initial investments only get us so far. We are merely at the beginning of the story of how software transformed humanity. Marc Andreessen, the co-founder of Netscape and well-known venture capitalist behind the firm Andreessen Horowitz, observed in 2011 that "software is eating the world." Since then, that statement has become canon for the modern age.

Roads and Bridges: The Unseen Labor Behind Our Digital Infrastructure [Nadia Eghbal/Ford Foundation]

(via 4 Short Links)