tv The Communicators CSPAN January 23, 2016 6:30pm-7:02pm EST
talks about the primary -- new hampshire senator jeanne shaheen talks about the primary and her support of hillary clinton. that's tomorrow on c-span. >> now on c-span, we want to introduce you to craig timber. he covers technology for the washington post. you have written a series that severalover the past months called "the net of insecurity." what is the goal of this series? last year, oure executive editor summoned me and our editor to his office. he said the internet, how can it be so essential, but so insecure? after the sony hack and others, this project is an attempt to answer that question. of theis the openness internet -- does it make it a
security risk? it's interesting to think about the big questions that the people who designed this thing were thinking about. none of it had to do with some day an iphone or a game you could play over the internet. it was all about connecting people. they didn't have our contemporary notion of vulnerability. beingere thinking about able to get academics to talk to other academics, maybe shares them files. they whirl a worried about the cold war and that the russians might someday truck -- they were a little worried about the cold war and at the russians might to infiltrate the network. but this is was at the essence of what is so amazing about the internet. we would not have the internet if it wasn't so open as it is.
the ability to log on and become heart of an open community is what made the internet what it is -- part of an open community is what made the internet what it is today. what you have gotten is a of moments ofe dawning awareness. the first one in the first piece of the project. 1988. the morris worm gets loose, this computer science student releases this thing online and it starts to crash hundreds of thousands of computers and caused billions of dollars in damage. and all of these guys who had been working on the internet 20 years earlier basically all at once said my god, what have we done? that terrified them. they were appropriately concerned that the very essence of productivity and openness was
in danger. the internet is getting close to being a half-century old. successive wave of new generations of people in charge, they all held on the security of generation. they plow forward, and in a way they make the same mistakes over again. peter: who was robert morris? sciencee was a computer student, the son of an nsa official, it turns out. he wanted to see if you could let something loose that would crawl around the internet by itself. differentpeople have memories. his account became that it was a programming error that replicated with a degree of frenzy he did not anticipate. but it did crash computers all over the world. early,ght was relatively
so it's not as if a lot of things went down, electrical grids or things along those lines, but it did cause a high degree of havoc. he was later convicted for computer abuse. but he is now a professor at m.i.t.. it didn't turn out all bad for .im once you connect everything, all sorts of things can happen. someone in moscow or manila can reach out and touch me on a computer sitting in my home. peter: was professor morris looking to cause harm when he created this worm? it doesn't seem so. he was attempting to solve a computer science riddle. he just created something that crawled around and found its way across the internet in a viral way. he overshot the mark of it.
at least, that was his account. peter: you mentioned some of the graybeards. who were they? is now an most famous executive at google. he sat down and wrote a lot of the early code, early design with his colleagues. there was a holcomb padre -- a holcomb padre -- a whole adre of folks. their job was to solve problems that did not have immediate payoff for the u.s. military. they were trying to figure out, you know, we have these computers. what if we could get them to talk to one another? what if i could be sitting in palo alto and be sending a file
to a scientist in washington, d.c.? or alternatively, what if i wanted to log on and immediately work on a computer in washington, d.c. as if i was there? at that point they were leveraging what was a fairly scarce number of computers overall. how can we mean a k? how can we share these resources? -- how can we communicate? how can we share these resources? they built something frictionless and didn't anticipate that we might want to keep some people off that network. peter: you use the term "patch and pray." what is that? craig: it's a derogatory term -- it firstout emerged in the mid-1990's.
you would say a software developer at microsoft or oracle would release these bits of software that were not really solid from a security point of view. they claimed to do. they would print something on your printer or create imagery or sound on your computer, but they have all these holes in them that people could get into and used to take control of your computer. , since the 1990's, the world wide web has been created. there is this amazing rise of uptake and connect to many -- connectivity all over the world. there were companies that served , companies that had amazing profits for decades. but it took outsiders to point
out that their stuff wasn't really locked down. you had a rise of hacker groups that would go in and find problems, very real problems, and the software companies would eventually fix the problem. that was the patch part. then the hackers would find more problems and they would patch them again and then pray that they wouldn't find more problems. this goes on all the time. people who make those types of software hope it turns out ok. often, we know, it doesn't. still put security is a secondary issue when it comes to developing software, using the internet. craig: i think secondary would be really generous, frankly. there are five pieces in the
project that have now been released as an e-book on amazon. in each of the pieces, you see this wrestling with conflicting demands. early internet architects were worried about connectivity. later on, people were worried about making money. they are working about producing products that people are going .o use in large numbers they had this amazingly good operating system called linux. the people involved were always weighing demands. no point in making a piece of software perfectly safe if it doesn't do anything useful. so the dilemma is, they wanted to be useful. they want it to be fast. they want it to have features that appeal to all of us. these individual exchanges, individual decisions about do we
make this more safe or more fast , more safe or more awesome, fast and awesome pretty much always win for decades and decades now. and a marketplace is rewarding those decisions. would you pay three times as much for a smart phone that was radically more secure but also radically more difficult to use? the crashed all the time? that maybe you wanted to go to a website and play a song but it won't play the song because the security features think you could be hacked through the code of the song. as consumers, we are forever choosing things other than security. we are choosing speed, performance, features. security is may be between 5-10 on the list of priorities for software developers, whatever
else they say. developers will tell you that security doesn't really pay. there isn't a business model around it that turns out to be compelling. peter: what is an operating system, exactly? is the most essential piece of software in any computer. keyboard,e a k on my the check needs to know that i have done that and respond in a way that is useful. to operating system needs allow the hardware and the software to communicate so that thosee try to do things, things happen. so when i use a word processor, i may be typing craig timber, but the operating system
with the hardware and allows craig timber to appear on my screen. it is the foundational software of everything we use. how many operating systems are widely used today? on how youepends define operating system. there are narrow, proprietary only in aat work certain type of machinery or vehicle. but there are several very big ones that you are familiar with. linux, andc os, others that are smaller and more niche in their emphasis. peter: you mentioned that your fourth piece in this series was torvald.and linus who is that?
craig: he is an amazingly bright as a college student in helsinki, finland, created a scratch,ot quite from but with the help of other people, and what he did was revolutionary. he called it open source. he did the first 100 things you needed to do right to make an operating system work, and then he said ok, world, send me your improvements and updates. the world did. hundreds of thousands of computer developers eventually were involved in creating this operating system. inreleased it to the public 1991 with about 10,000 lines of code. , and there are
19 million lines of code. he didn't write all of that. hundreds of thousands of people wrote all of that, but he threw all the years has managed this growth. it's kind of an amazing story. that atoperating system once manages to be very fast, very flexible. computerss can run -- can run on years for linux. millions of computers do. and it's free. in the end, it's a community project. it's frankly one of the most amazing stories in the history of the internet. the issue i see in that story is years,ter all of these
there has been a persistent conversation about whether it is secure enough. the thinking of a lot of very smart people is that when it first came out, it was probably a lot more secure than the alternative we could have gotten from microsoft or apple, but it is no longer clear that's true. built linuxy that also did not have security as a top priority. they also were focused on speed, thosemance, features, sorts of things, and security fell somewhere down the list. there is a call now to rethink revisionsdo major new to the way it works because it has become so widespread in the world. was rathertorvald about security, is
that correct? spent several hours with him in his hometown of portland a little while ago. knack for saying outrageous things which, when you're writing a new story, is very helpful. and one of the things he will say is that most security people are crazy or think in black and white terms. if you think about security is the first thing you do, you never make anything interesting. that doesn't mean that when there are security problems he doesn't think about them or work to fix them. he has not been as forward-looking as some people would like him to be in problems.ng security
there is just a trade-off here. have performance and features or have security, and he is on the performance and features side. security people are saying it's great that it's so fast, but you are risking real problems down the road. linux is not only on your desktop computer, but every android device in the world, virtually every supercomputer in the world, and most of the servers that make the internet work, so security experts of the world are saying wow, if linux ,s going to be everywhere basically emerge as the dominant operating system of what i have come to think of as the connected world and universe where everything is linked to everything else, then maybe we
need to put our energy into thinking around the corner a little bit. the security experts would love decision-makers at linux with think five years out, 10 years out, and think how do we avoid the next generation of disasters? peter: how does security affect internet speed and agility? that's the billion dollar question, if you will. have acurity features real consequence. computer workour more slowly. they make some things that used to work. work. probably all of us have the experience that there is some program -- used to work not work. theably all of us have
experience that there is some program we have used for years and the next day it doesn't work. verizon doesn't update on your phone in the next day the program is it working. it's frustrating. ,s you add layers of security there is always the danger that orff gets slower or glitchy something. is how muchl debate are we willing to be a little slower, a little less feature-rich to be more secure? theexample, to prevent government from coming in and taking a bunch of data or ashley. -- or ashley madison being hacked. there are real consequences of
the decisions we make. in a world where everything is going to be online and there are going to be more devices running linux than there are humans in the world, at a certain point , do we need to pay a higher price in terms of speed, in terms of performance, in terms of features that in the future the internet could be a safer place for all of us where we live in ever larger portion of our lives. -- as is he researched you researched this series, did you start to get worried? craig: i have been covering technology since 2012 and every month i get more worried. it's a perilous world. i feel like i am forever learning things that scare me. i terrorized by kids. i put stickers on their cameras,
lock up their computers and things like that. i do think that on some level, insecurity is the price of having the kind of robust online world we have in the same way are automobile fatalities the price of having a highway system. the ability to move from continent to continent in a relatively seamless way means having airline crashes. with a do come away sense that we could do better. and if security is -- let's say number eight in the decision making choices of software makers, if it moved up to number three, that can be a good thing. i don't know how we could get to that place. i don't know how we enable that change. a lot of people think u.s.
governments or other governments could use their power to insist that things be more secure. we will only buy an operating system that is really locked down and that creates more incentive for that technology to spread more widely in the world. i think some of that is beginning to happen. but it's a deeply vexing problem. things.these we want these experiences. if my son is lost and sends me a text, i want to get that text. i want to know how to find him. at the same time, i would like it if not everybody can find him. these dimensions are almost certainly permanent. we have entered a new world of connectivity that is not going to go away barring some unimaginable catastrophe, but
it's incumbent on us to take these issues more persistently seriously, to demand that morenies do better, pay attention to security, and demand that our government do better than it historically has. peter: you wrote about the late and 1990's. cyber security has become pretty big business, hasn't it? craig: there is a lot of money spent on cyber security. it's well into billions of dollars a year. but there is a difference if you are a big company making your computer safer and making the whole system safer. there is little bit of a tragedy here. commons banks spent a lot of money on internet security. when they get hacked, we don't feel as badly, because they made
those kind of investments. but what about the rest of us? while it is nice that my bank is more likely to be able to keep track of how much money i have and where it's going, we are not seeing those kinds of on theents being made operating systems, the way different routers talk to each other, the way the internet is mesh of computers talking to each other constantly, this amazing speed. most amazing revelations of doing this kind of reporting is that there is really nobody in charge of this. it was made by humans, but it's w truly beyond the
comprehension of anyone human. that makes it harder to work on the deep, systemic problems that come up again and again. , an individual bank or university can do a much better job. maybe they hire the right people and do the right kinds of investments in hardware and software. a bead a train everybody to do a better job. but still, i don't -- maybe they train everybody to do a better job. but still, my sense is it's not getting better. there are more hacks all the time. they seem more severe all-time. the only thing i can conclude is that for all of the individual attention that some people and institutions can pay to this problem, all the money that is brought to bear, there is a very -- there are some very deep problems that aren't getting dealt with. in part because some people don't think of it is their problem. there is a giant internet thing
out there that kenexa all of us. but who is protecting -- that connects all of us. but who is protecting the public commons, the public part, if you will, the road network that connects all of us? peter: and a check contractor was the door into the target -- an hvac contractor was the door into the target hack. craig: these systems and a being so much more incredibly complex than laypeople understand. that's a good example, the target hack. the hvac contractor's connection to the computer system. there are people who spend their lives tried to break these things people keep fixed -- people spend their lives trying to keep fixed. there is a lot of incentive in finding holes in these things.
question, why the did potentially sensitive pentagon data once flow through beijing? what the answer to that? is the answer to that? craig: we don't really know the answer. let me explain a little bit. phone, verizon is my network. my phone sends a signal to verizon and verizon sense it around the world. s it around the world. once the communication gets to transitionctors, the happens at a sophisticated level .
as these think of them giant, mighty rivers, the mississippi of the internet. the data is transmitted through a protocol that was built a couple of decades ago, but it turns out, like all of this , these are rivers that can be diverted if you know what you're doing. there was a time a couple of years ago when all of this data from the united states suddenly and mysteriously, for less than half an hour, flow through all these giant computers in beijing . that included a bunch of military data. , it is certainly the case that most of the time when these itzy things happen online, is in an accident.
it's not like you see signs that say this is the beijing government or we are the hackers taking all your stuff. we don't know why a big hunk of american information including a large amount of military data suddenly flowed through china couple of years ago. we know it happened. we don't know why it happened. we may never know why it happened. peter: why are you at stanford? craig: i am doing a knight journalism fellowship, which is just about the nicest thing that can happen to a journalist. we do journalism -- we do research into journalism issues. i arrived with the last piece of the series to complete, the one about the linux operating system. been a little distracted, but stanford is an amazing place and the night program is an amazing program.
i am doing research on some of the business problems with journalism. as he may have heard, it has not been a great decade or so for the industry. i am looking -- i is to be a foreign correspondent for south africa. covering the world is important, and there is not always a huge mass readership base could i'm attending the research -- base. i'm attempting to research it. the state of american journalism is in peril. inthe metrics don't line up this day and age, there is always the danger that big news organizations will either do less or stop. host: greg timbered contributed
to the pulitzer prize-winning coverage of the national security agency. timburher is robert g, who covered vietnam. a pulitzer prize winner in his own right, isn't it? greg: he went on to be a journalist mainly for the baltimore sun and baltimore evening sun, and wrote a few books, including the nightingale's song, which has fascinating facts about john mccain and john poindexter did characters who are big players in the reagan administration. all of them were vietnam veterans, like my dad. host: thanks for being on the communicators.