|
| 1 | +--- |
| 2 | +layout: post |
| 3 | +title: Communities Manager at the OpenSSL Foundation |
| 4 | +comments: yes |
| 5 | +tags: community openssl |
| 6 | +--- |
| 7 | + |
| 8 | +An abbreviated timeline of the last year of my life: |
| 9 | + |
| 10 | +* November 7, 2023: [I was laid off.](https://meta.jlericson.com/t/giving-thanks/237) |
| 11 | +* December 2, 2024: [I wrote about my year of Jubilee.](https://meta.jlericson.com/t/jubilee/323) |
| 12 | +* December 5, 2024: I got word that I'd been hired as [Communities |
| 13 | + Manager for |
| 14 | + OpenSSL](https://openssl-foundation.org/post/2024-10-22-communities-manager/). |
| 15 | + |
| 16 | +For a view of my mental state after a year of scrapping for work, |
| 17 | +consider a dream I had the night after I got the news. In my dream, |
| 18 | +the offer was generous---at the top of my expected salary range. But |
| 19 | +there was a catch: I would be paid entirely with sugar. I mean they |
| 20 | +would ship bags of sugar to my house.[^1] As I considered the offer in |
| 21 | +my dreams, it occurred to me that I could use one bag for consuming, |
| 22 | +but I'd need to find a way to sell the rest.[^2] |
| 23 | + |
| 24 | +Thankfully the actual offer turned out to be easily convertible to |
| 25 | +other goods and services so I will be part of the OpenSSL Foundation |
| 26 | +team soon. What will I be doing? Well, here's the [OpenSSL |
| 27 | +mission](https://openssl-mission.org/): |
| 28 | + |
| 29 | +> We believe everyone should have access to security and privacy |
| 30 | +> tools, whoever they are, wherever they are or whatever their |
| 31 | +> personal beliefs are, as a fundamental human right. |
| 32 | +
|
| 33 | +OpenSSL _already_ provides security and privacy tools. Using the [`openssl` |
| 34 | +command](https://docs.openssl.org/master/man1/openssl/), it's possible |
| 35 | +to: |
| 36 | + |
| 37 | +* [generate a pseudo random number](https://docs.openssl.org/master/man1/openssl-rand/), |
| 38 | +* [determine if a specific number is prime](https://docs.openssl.org/master/man1/openssl-prime/), |
| 39 | +* [compute a password hash](https://docs.openssl.org/master/man1/openssl-passwd/), |
| 40 | +* [create a public/private key pair](https://docs.openssl.org/master/man1/openssl-genpkey/), |
| 41 | +* [verify a certificate chain](https://docs.openssl.org/master/man1/openssl-verify/), |
| 42 | +* [test the speed of various cryptographic algorithms](https://docs.openssl.org/master/man1/openssl-speed/) and, of course, |
| 43 | +* [encrypt or decrypt messages](https://docs.openssl.org/master/man1/openssl-enc/). |
| 44 | + |
| 45 | +This is just a sample of the security and privacy tools OpenSSL |
| 46 | +already offers free of charge. Anybody can use the OpenSSL software |
| 47 | +library and even modify it under [a permissive, open source |
| 48 | +license](https://www.apache.org/licenses/LICENSE-2.0) to build code |
| 49 | +that looks like: |
| 50 | + |
| 51 | +[](https://www.nps.gov/articles/delta-01-501429.htm#4/31.80/-78.13) |
| 53 | + |
| 54 | +So mission accomplished, right? Unfortunately OpenSSL, like all |
| 55 | +software, has bugs. Generally bugs are minor and don't cause |
| 56 | +problems. But a decade ago researchers discovered the [Heartbleed |
| 57 | +bug](https://heartbleed.com/) in OpenSSL.[^3] This bug hid in the code |
| 58 | +for over two years, so it's fortunate that white hat researchers found |
| 59 | +it first. As a result, [The Linux |
| 60 | +Foundation](https://www.linuxfoundation.org/) invested in [OpenSSL |
| 61 | +developers and a security |
| 62 | +audit](https://openssl-foundation.org/post/2023-08-08-finances/) to |
| 63 | +maintain it as a core part of the internet's infrastructure. |
| 64 | + |
| 65 | +[Modern |
| 66 | +cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) |
| 67 | +depends on the difficulty of computing the prime factorization of huge |
| 68 | +numbers. In a 1977 Mathematical GAmes column entitled ["A new kind of |
| 69 | +cipher that would take millions of years to |
| 70 | +break"](https://fermatslibrary.com/s/a-new-kind-of-cipher-that-would-take-millions-of-years-to-break), |
| 71 | +Martin Gardner published an encrypted message with a $100 price for |
| 72 | +deciphering it. He wrote "It is this practical impossibility, in any |
| 73 | +foreseeable future, of factoring the product of two large primes that |
| 74 | +makes the M.I.T. public-key cipher system possible." In 1994, or 17 |
| 75 | +years after the message was published, a team of volunteers using 1600 |
| 76 | +computers [solved the |
| 77 | +riddle](https://web.archive.org/web/20010924035059/http://www.crypto-world.com/announcements/RSA129.txt) |
| 78 | +in 8 months. In 2015, [Nat |
| 79 | +McHugh](https://natmchugh.blogspot.com/2015/03/the-magic-words-are-squeamish-ossifrage.html) |
| 80 | +broke the code in 4 hours. In the future, quantum computers might use |
| 81 | +[Shor's algorithm](https://en.wikipedia.org/wiki/Shor%27s_algorithm) |
| 82 | +to break much stronger algorithms in a fraction of that time. Just |
| 83 | +today [Google announced a new quantum |
| 84 | +computer](https://www.nytimes.com/2024/12/09/technology/google-quantum-computing.html) |
| 85 | +which sounds like science fiction, but could bring us a step closer yo |
| 86 | +[technological |
| 87 | +breakthrough](https://blog.google/technology/research/google-willow-quantum-chip/).[^4] |
| 88 | + |
| 89 | +In other words, improvements in computer technology, can make |
| 90 | +previously unbreakable code start to look like this: |
| 91 | + |
| 92 | + |
| 93 | + |
| 94 | +The National Institute of Standards and Technology (NIST) recently |
| 95 | +published [four post-quantum encryption (PQE) |
| 96 | +algorithms](https://www.nist.gov/cybersecurity/what-post-quantum-cryptography) |
| 97 | +that might thwart decryption from quantum computers and [OpenSSL has |
| 98 | +begun work on implementing |
| 99 | +them](https://openssl-corporation.org/post/2024-09-17-post-quantum/). Continuing |
| 100 | +to develop the library increases the odds that privacy and security |
| 101 | +tools will continue to be available in the future. |
| 102 | + |
| 103 | +I'm usually suspicious of organizations claiming their specific |
| 104 | +concern is "a human right". It's too easy to pull out that trump card |
| 105 | +to move to the front of the concern line. The right to security and |
| 106 | +privacy, however, has roots in English common law and was expressed in |
| 107 | +[the Fourth Amendment of the US |
| 108 | +Constitution](https://constitution.congress.gov/constitution/amendment-4/): |
| 109 | + |
| 110 | +> The right of the people to be secure in their persons, houses, |
| 111 | +> papers, and effects, against unreasonable searches and seizures, |
| 112 | +> shall not be violated, and no Warrants shall issue, but upon |
| 113 | +> probable cause, supported by Oath or affirmation, and particularly |
| 114 | +> describing the place to be searched, and the persons or things to be |
| 115 | +> seized. |
| 116 | +
|
| 117 | +We tend to keep our private information in electronic documents rather |
| 118 | +than physical papers, which the founders could not have |
| 119 | +anticipated. The government needs a warrant to search my papers and, |
| 120 | +by analogy, the files I send across the internet should enjoy similar |
| 121 | +protection. |
| 122 | + |
| 123 | + |
| 124 | +Footnotes: |
| 125 | + |
| 126 | +[^1]: This dream was almost certainly inspired by [this story about a |
| 127 | + truck-load of |
| 128 | + rice](https://www.boredpanda.com/rice-story-truck-lorry-india/). |
| 129 | + |
| 130 | +[^2]: At the moment I can buy 4 pounds of sugar for $3.14 at |
| 131 | + Walmart. That's 78.5¢ a pound. Depending on my exact expected salary, |
| 132 | + I'd receive between 150,000 to 200,000 pounds of sugar. Depending on |
| 133 | + [the type of |
| 134 | + sugar](https://www.bhg.com/recipes/how-to/bake/how-many-cups-in-one-pound-of-sugar/) |
| 135 | + my salary would be between 300,000 and 800,000 cups. In cubic meters: |
| 136 | + 71 to 198. A [40 foot High Cube shipping container has a max capacity |
| 137 | + of 72 |
| 138 | + m<sup>3</sup>](https://www.icontainers.com/cubic-meter-calculator-cbm/) |
| 139 | + so my employer would need to deliver at least 1 shipping container of |
| 140 | + granulated sugar or up to 3 shipping containers of powdered sugar a |
| 141 | + year to employ me. As my daughter pointed out, we could make and sell |
| 142 | + candy to get rid of all that sugar. In the meantime, I believe I |
| 143 | + could park the container on my driveway, though there might be a city |
| 144 | + ordinance against parking literal tons of sugar at my house. |
| 145 | + |
| 146 | + |
| 147 | +[^3]: To my mind this vulnerability benefited from exceptional |
| 148 | + branding. Attackers could access private data by exploiting a memory |
| 149 | + leak in the implementation of the heartbeat extension. |
| 150 | + |
| 151 | +[^4]: To be clear, this isn't really of any practical use and there's |
| 152 | + [some question](https://x.com/skdh/status/1866352680899104960) |
| 153 | + whether it's genuine progress toward any application at all. |
| 154 | + |
| 155 | +<!-- LocalWords: cryptographic decrypt OpenSSL |
| 156 | + --> |
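Review bot: footnote [^3] says attackers exploited "a memory leak in the implementation of the heartbeat extension", but a memory leak is memory that is allocated and never freed; Heartbleed was a buffer over-read, a missing bounds check that let a heartbeat response copy more memory than the request had supplied, which is how private data was disclosed. Suggest "by exploiting a missing bounds check (a buffer over-read) in the implementation of the heartbeat extension" so the footnote matches what the linked heartbleed.com page describes. Smaller points in the same file: "Mathematical GAmes" should be "Mathematical Games"; "a step closer yo" should be "a step closer to"; "improvements in computer technology, can make" has a stray comma; the nps.gov link has empty link text and is probably an image missing its leading `!`, and "start to look like this:" is followed by nothing, so an image appears to be missing there as well; "four post-quantum encryption (PQE) algorithms" would be clearer as "post-quantum cryptography (PQC)", the term the linked NIST page uses, since the standards cover signatures as well as encryption; and "Modern cryptography depends on the difficulty of computing the prime factorization of huge numbers" is true of RSA specifically (the M.I.T. cipher Gardner quotes), while elliptic-curve schemes rest on the discrete-logarithm problem, so "RSA and related public-key systems" would be more precise and still sets up the Shor's algorithm sentence, since Shor breaks both.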