The internet has never been secure
Thinking
Last week, Twitter's former head of security, Pieter Zatko, aka Mudge, testified before the US House Judiciary Committee about his allegations of security vulnerabilities and shitty practices at the company. It's not his first time testifying before Congress -- he was part of a hacker group called l0pht that testified before the Senate in 1998 about security vulnerabilities of the internet. They claimed that any of them could take down the Internet within thirty minutes.
Mudge's testimony last week is part of a larger power struggle between the US government, Twitter (and to some extent, its fellow social media behemoths), and, annoyingly, Elon Musk. His allegations have bearing on an earlier FTC consent decree that required Twitter to ensure security for its users private information, as well as on the threatened deal for Elon Musk to buy Twitter. Those things have been taking up much of the airtime in mainstream news coverage of Mudge's allegations.
But the connection of these two testimonies, separated by over two decades, makes it clear that the fundamental problems of online security haven't changed. It's hard to keep data protected from malicious actors. It's hard to keep data protected from incompetent actors. It's all hard!
The underlying structure of the internet--the protocols and network backbone--is much the same as it was in 1998, though I think most experts have more faith in the system's robustness now than the l0pht hackers did then. But there's also a lot more infrastructure today. Even at the height of the dot-com boom, nobody would have claimed that any of the major internet companies was part of the infrastructure of the internet. Critics (including Mudge and his fellows) directed their ire at hardware and OS companies like Microsoft, and at the insecurity of network protocols.
Today, internet giants like Twitter and Google and Facebook and Amazon are unquestionably part of the infrastructure of both the internet and thus our society's broader communication abilities. The criticisms of monopoly power and abdication of security responsibilities remain the same, though. Through the last quarter-century, we've created new vulnerabilities at least as fast as we've resolved old ones. We continue to allow a handful of companies to hoard power over our digital information, and we continue to be vulnerable to the (often good-faith) design decisions made for a mind-bogglingly smaller network.
The internet has always been insecure. Who is blamed for that insecurity changes over time, as does who is at risk. But as Mudge's two testimonies show us, we haven't done a great job grappling with that fundamental problem at the heart of the internet: it was not designed with security in mind.
Next week, I'll resurrect some graveyard writing about that history: the networking design choices that opened up the paths we're traveling now.
Reading
If you just can't wait for next week to read more about the history of internet security, the Washington Post has a 5-part series of longform articles on the topic (including one about the l0pht testimony) from 2015. Part 1 is here: https://www.washingtonpost.com/sf/business/2015/05/30/net-of-insecurity-part-1//
Doing
I got my flu shot and covid booster this week! I'm amazed (I am not amazed) at how badly the rollout of this new booster has gone. It took me a while to realize I was eligible (unlike the extra rounds of boosters from the initial series), and then my first appointment was canceled last-minute because there's a shortage of the Moderna booster? It's exhausting, how many mistakes get made over and over again. I guess that's sort of the point of this newsletter, isn't it: humans can be very obtuse.