Monday, July 28, 2014

The Internet Is Being Protected By Two Guys Named Steve


Justine Zwiebel / BuzzFeed



It was the last thing Steve Marquess and Stephen Henson wanted to hear. In 2006, three years into a struggle to get a key component of OpenSSL validated as secure by the U.S. government, they'd received bad news: Their code needed more work. OpenSSL is the default encryption engine used by much of the internet, and the government was adamant that any program it gave approval to would be stringently tested. Marquess, a consultant for the Department of Defense, had given years of his life and his whole project’s budget to getting this approval — the government’s official money had run out six months after the project began in 2003.


“We kept getting requirements to make silly changes,” explains Marquess, now a 59-year-old biker who has traded government work for equally stressful 40-hour-or-more weeks in the shadow of Sugarloaf Mountain near Adamstown, Md. “And we kept making them.”


Marquess was mostly acting as a liaison between the government and his sometime partner — and the genius behind the upkeep of the OpenSSL code itself — Stephen Henson, a reserved, reclusive 46-year-old Brit with a Ph.D. in graph theory mathematics who lives in Staffordshire, England. “Everyone was preparing to walk away” from the project because of the difficulties, writes Henson via email. This is his first and only public comment on OpenSSL since the Heartbleed bug — a routine coding error that triggered the largest security breach in the history of the human race, compromising passwords and sending companies and governments scrambling — became known to the general public on April 7.


Early in the morning of Thursday, June 15, 2006, Marquess and Henson were sent a near-impossible task. The Cryptographic Module Validation Program, a joint U.S.–Canadian validation body that fell under the auspices of each country’s government, wanted the team to make a raft of complicated code changes to meet the requirements for accreditation under its security standard. And it had to be done fast. “If we didn’t do it by Monday morning, they’d reject our validation, we’d have to start over again, and it’d take another three years,” says Marquess, bitterness rising in his voice at the memory. “Now this is a huge amount of work — days of silly, pointless work. And this pissed Steve Henson off.”


Henson was on his summer vacation in Great Yarmouth, a seaside resort near Norfolk, England. He had nothing but an HTC Hurricane cell phone, a laptop, and a frustratingly slow internet connection for company. Like Marquess, he was incensed: After several years struggling with government bureaucracy for little to no pay, he wasn’t about to give up now. As Marquess puts it, “At that point in time, completing the project became a matter of stubbornness.”


Henson sent off an email to Marquess around 4 a.m. “I was irritated by this ultimatum, couldn’t sleep, and decided to use this time to see if I could get a solution,” Henson explains.


“And he got it done,” Marquess says quietly. Henson worked through the night, and sent off a preliminary solution that could work. Big government was placated. “That’s the kind of guy you want at your back.”


The events of that weekend brought the two men close together with a bond that is just as strong today as it ever was — despite the fact that they’ve never met in person. “My skills, such as they are, lie in coding. I am not a businessman,” Henson writes. “Steve Marquess is far better at that side of things than I am. In short he handles the things I cannot and vice-versa.”


Before that June weekend and since, companies and government departments have benefitted from OpenSSL’s free price and constant updates, often without giving back. Overwork and understaffing — two things that have been cited as the main causes of the Heartbleed bug, which suddenly brought OpenSSL and its gatekeepers to the world’s attention — aren’t news to Steve Henson and Steve Marquess. But thanks to Heartbleed, everyone else is beginning to understand what the duo have known for a while: Something needs to change, and goodwill and fond words alone won’t cut it. Right now significant parts of the internet’s cryptographic security rely on a tiny handful of people who are already stretched to the limits. If that fails, the modern world as we know it could cease to work as it should.





Open-source software has been a boon for all, allowing users access to high-powered free versions of commercial software, no strings attached. They’ve all noticed the benefits, and warmly embraced open source. Companies like Barclays have been able to draw down spending on software by 90% by changing their program allegiances. The U.S. government is picking up the pace of development of its own open-source programs, while the U.K.’s minister in charge of technology implementation across government believes significant savings can be made by using free tools.


If it weren't for security toolkits like OpenSSL, every time you log into Instagram or Gmail, or enter your credit card details on Netflix or Etsy, security keys that handle your personal information would theoretically be vulnerable. Thirty billion e-commerce transactions were estimated by consultancy CapGemini to have been carried out last year; a significant share of those were handled in part by OpenSSL.


The program’s roots start in Australia in 1995 with the development of a cryptographic protocol implementation called SSLeay, created by Tim Hudson and Eric Young (the “eay” stands for Eric A. Young). There were ways of encrypting information passed from person to person and peer to peer online before SSLeay, but strict export laws in the U.S., where those progenitors were developed, meant that unless you lived in the 50 states or a dependent territory, you couldn’t access them. In fact, a quirk of the U.S. legal system meant that cryptography was, until the late 1990s, placed on the U.S. Munitions List, alongside semi-automatic firearms and tanks.


“We actually had no choice in terms of a new implementation from scratch,” says Tim Hudson. “At that time you simply couldn't license full-strength cryptographic toolkits from any of the inventors of the technology — U.S. companies could not export it. So if you were non-U.S.A.-based you either had to go with deliberately weakened security systems or write your own.”


Beginning that year, Hudson and Young wrote their own SSL implementation, and for three years supported its development before they moved into the paid sector at RSA Security in late 1998. That left a gap that needed filling.


On Dec. 18, 1998, Ben Laurie, who had been involved in the upkeep of SSLeay, sent an email to subscribers of the Apache-SSL mailing list with the subject line “[ANNOUNCE] New version of SSLeay.” Laurie wrote that he and Stephen Henson, a fellow SSLeay coder, were looking for advice, suggestions, and a name for a new version of SSLeay they were continuing in the absence of Young and Hudson. One response suggested “OpenSSL” as the name. It’d take a few weeks — and a new year — until Hudson and Laurie felt willing to reveal any more about their project.


On Thursday, Jan. 7, 1999, Laurie sent out another email. This one, titled “ANNOUNCE: OpenSSL (Take 2)” and complete with some ASCII art, declared the start of the OpenSSL project, “a collaborative effort to develop a robust, commercial-grade, fully featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.”


OpenSSL took on the 165,000 lines of code that formed SSLeay and began rapidly building it out over the coming decade. During this time, the number of users of OpenSSL increased too — including some within the highest levels of government. The Defense Advanced Research Project Agency (DARPA) and the U.S. Department of Homeland Security have both in the past confirmed their use of OpenSSL. Big companies and government clients became comfortable with the workings of OpenSSL, and in the early 2000s further solidified its role as a crucial cornerstone of the internet’s infrastructure.


As Steve Marquess gradually drew down the work on his government contract in 2009, he still had strong connections to those — particularly Steve Henson — he had met through the OpenSSL project. When they came to him that year asking for help with consulting contracts, Marquess went one better: He set up the OpenSSL Software Foundation (OSF) for the explicit purpose of raising revenue to fund OpenSSL’s development. Unlike many entrepreneurs, Marquess wasn’t hoping for a bounteous exit or public acclaim. For him, OpenSSL was a passion, one he could focus on in retirement: “My daughter’s graduating from school, the house is paid off, I don’t have to worry about starving anymore, and I’m thinking what can I do to help these guys? So I say I’ll do the only thing I know how to do: hustle a small business. That’s why I created OSF: for the explicit purpose of raising revenue.”


“Steve Henson’s always been there for me,” he continues. “I feel like I’m doing a good thing for OpenSSL and him right now. You can’t expect the people coding OpenSSL to starve. But that’s what tended to happen and that’s what, when I first met Steve Henson, was happening to him.” (According to one source, before the foundation was created, Henson earned around $20,000 a year.)


The OpenSSL Software Foundation has never received more than $1 million in income in a given year. It survives mostly through for-hire contracts with big companies. These can range from ad hoc arrangements earning $250 an hour to longer-term work for hire over the course of several years. A fraction of the OSF’s income is donations from supporters and well-wishers. From that cache of money, running costs for the foundation such as outsourcing validation testing (which runs into hundreds of thousands of dollars a year) and new servers and equipment — a recent server upgrade in Germany cost $8,200 alone — are taken out. After that, there's not much remaining.


