ICEI is changing open source infrastructure for the better. With your help, we can do even more.
New Guard is the ongoing effort by ICEI to identify, recruit, train and mentor early and mid-career technologists to become the "next generation" of critical internet infrastructure developers and maintainers.
The current generation of the architects and developers of the internet are reaching retirement age, and in some cases have already passed away. Since much of this code does not have a 'corporate' plan in place to transition its support to new 'employees', we need to proactively plan and work to get the right people able to take over and continue to "hold up the sky".
Code camps don't teach this. Universities don't teach this. Internet infrastructure software is a huge and diverse set of moving parts, each requiring technical skill, a deep understanding of engineering for high security and reliability, and knowledge of some esoteric corners of the computing world. New Guard instills these qualities through mentorship: cross-mentorship among peers with a common goal, and mentorship obtained working under the internet's Old Guard software maintainers.
ICEI partnered with Indiana University's Center for Applied Cybersecurity Research and the NSF-funded Center for Trustworthy Scientific Cyberinfrastructure to stage a rescue of NTP. Within a few short months, the rescue team had migrated the code base and its history into git, replaced the fragile build system with a stable, modern one, brought enough documentation up to date to begin onboarding new developers, and begun fixing security flaws. This work, though not adopted by NTP Classic's maintainer, resulted in a fork: the NTP Security Project, or NTPSec.
NTPSec has continued the work begun by the rescue team and built upon it, with an impressive and ongoing refactor. NTPSec has eliminated much of the attack surface it inherited from NTP Classic by removing about 75% of the code, most of which was unneeded, redundant, or unreachable kludge. As a result, NTPSec was already immune to the majority of NTP Classic security vulnerabilities before they were discovered. Thanks to NTPSec's improved toolchain and smaller code base, NTPSec can also patch flaws much more quickly when they are discovered.
To learn more about the NTP rescue and its implication for future interventions on a similar scale, see Susan Sons's slides from her O'Reilly Security Conference 2016 presentation, or this article in the NY Observer.
Information Security for Shared Infrastructure
Security issues are of concern in any software, but most especially in infrastructure software due to its ubiquity and criticality (read: because it’s everywhere, and if it stops working en masse we stop having an Internet). ICEI’s primary software security effort at this time is ISSI, the Information Security for Shared Infrastructure project. This was launched in May 2015 thanks to generous support from Indiana University's Center for Applied Cybersecurity Research.
ISSI aims to improve the security of infrastructure software we all rely on by providing security expertise and extra manpower to critical software projects in need of help with vulnerability management, security-focused code refactoring, testing, and other areas relevant to security.
If you maintain an open source infrastructure software project that needs help in these areas, please email firstname.lastname@example.org for assistance.
In February 2015, the reference implementation of the Network Time Protocol (the method that nearly every computer on earth uses to discover the time and synchronize its clock) was in dire straits. At that time, "NTP Classic", as we've come to call that first implementation:
- was not yet C99 compliant (it was coded to multiple C programming language standards, the newest of which was over 16 years out of date)
- had documentation between 6 and 30 years out of date
- had a fragile build system dependent on one single, ailing server that was behind on security updates and had an unknown configuration no one could reproduce
- had open source code, but that code was locked up in a proprietary repository that was prohibitively difficult for developers to get a license to access
- had technical debt dating back decades
- had major resource allocation problems: one paid developer compared to two paid administrative staff and one paid fundraiser
NTP Classic was a source of major security problems, both in NTP servers and in any machine those servers were used to bounce and amplify attacks onto. NTP was both essential to, and a danger to, the entire internet.
ICEI has partnered with the GPSd team to support its first new release since 8 January 2016. On 7 September 2017, GPSd released version 3.17 based on work funded by ICEI.
GPSd is a service daemon that monitors one or more GPSes or AIS receivers attached to a host computer through serial or USB ports, making all data on the location/course/velocity of the sensors available. GPSd is everywhere in mobile embedded systems. It underlies the map service on Android phones. It's ubiquitous in drones, robot submarines, and driverless cars. It's increasingly common in recent generations of manned aircraft, marine navigation systems, and military vehicles.