ICEI is changing open source infrastructure for the better. With your help, we can do even more.
New Guard is the ongoing effort by ICEI to identify, recruit, train and mentor early and mid-career technologists to become the "next generation" of critical internet infrastructure developers and maintainers.
The current generation of the architects and developers of the internet are reaching retirement age, and in some cases have already passed away. Since much of this code does not have a 'corporate' plan in place to transition its support to new 'employees', we need to proactively plan and work to get the right people able to take over and continue to "hold up the sky".
Code camps don't teach this. Universities don't teach this. Internet infrastructure software is a huge and diverse set of moving parts, each requiring technical skill, a deep understanding of engineering for high security and reliability, and knowledge of some esoteric corners of the computing world. New Guard instills these qualities through mentorship: cross-mentorship among peers with a common goal, and mentorship obtained working under the internet's Old Guard software maintainers.
SNMP protocol is widely used protocol to monitor and maintain routers, switches, computers, printers, and other devices such as UPS's. This protocol is not only used to monitor and manage devices connected within an organization's network. This protocol could go all the way up to Tier 1 ISP's. Net-SNMP (www.net-snmp.org) is the reference implementation of SNMP, and is the most widely-used SNMP implementation. The reference implementation can run on most *nix-based OS's, and various processor architecture. Unfortunately, the project's development activity has slowed significantly; the latest release, 5.7.3, was released in December 2014. Coupled with issues within the existing RFC's, this has lead to non-compliant SNMP implementations; or, worst, proprietary protocols that effectively replaces SNMP. The fragmentation of monitoring and management protocol could lead major issues down the road.
The main goal of the "Net-Snmp Rescue" project is to assure the longevity of the SNMP protocol, and its reference implementation. By providing a robust and well-maintained implementation, we hope that relevant organizations will use SNMP that adheres to the standard allowing for better maintainability of the networks that has now become an integral part of our world. Our goals is to make the current code base more readable; reduce the number of open bugs; improve performance; increase maintainability; and produce documentation for future users and developers.
Hathi is a project to develop a decentralized social-network-oid communications medium catered to the needs of people and projects who need to communicate in order to get things done, rather than the more typical goals of talking with family and friends or “shouting at the world”. While many communication mediums already exist and are in use (IRC, mailing lists, Discord, software forge forums, etc) they all have problems including outright forgetting discussion history (IRC), difficulty finding history that does exist (mailing lists), and dependence on the beneficence of third parties (Discord, forge forums).
In a forgotten age of the world Usenet filled this gap, but evolving technology and its inability to use cryptography for authentication or privacy resulted in a slow lingering death. Now Usenet exists mostly as a geological strata of archives, with a topsoil made from tremendous quantities of pirated media. A replacement is needed, Hathi is being developed to be that replacement.
ICEI partnered with Indiana University's Center for Applied Cybersecurity Research and the NSF-funded Center for Trustworthy Scientific Cyberinfrastructure to stage a rescue of NTP. Within a few short months, the rescue team had migrated the code base and its history into git, replaced the fragile build system with a stable, modern one, brought enough documentation up to date to begin onboarding new developers, and begun fixing security flaws. This work, though not adopted by NTP Classic's maintainer, resulted in a fork: the NTP Security Project, or NTPSec.
NTPSec has continued the work begun by the rescue team and built upon it, with an impressive and ongoing refactor. NTPsec has eliminated the attack surface it inherited from NTP Classic by removing about 75% of the code, most of which was unneeded, redundant, or unreachable kludge. This has resulted in NTPSec being immune to the majority of NTP Classic security vulnerabilities before discovery. Thanks to NTPSec's improved toolchain and smaller code base, NTPSec can also patch flaws much more quickly when they are discovered.
To learn more about the NTP rescue and its implication for future interventions on a similar scale, see Susan Sons's slides from her O'Reilly Security Conference 2016 presentation, or this article in the NY Observer.
Information Security for Shared Infrastructure
Security issues are of concern in any software, but most especially in infrastructure software due to its ubiquity and criticality (read: because it’s everywhere, and if it stops working en masse we stop having an Internet). ICEI’s primary software security effort at this time is ISSI, the Information Security for Shared Infrastructure project. This was launched in May 2015 thanks to generous support from Indiana University's Center for Applied Cybersecurity Research.
ISSI aims to improve the security of infrastructure software we all rely on by providing security expertise and extra manpower to critical software projects in need of help with vulnerability management, security-focused code refactoring, testing, and other areas relevant to security.
If you maintain an open source infrastructure software project that needs help in these areas, please email email@example.com for assistance.
ICEI has partnered with the GPSd team to support its first new release since 08-Jan-2016. On 07 September 2017, GPSd released version 3.17 based on work funded by ICEI.
GPSd is a service daemon that monitors one or more GPSes or AIS receivers attached to a host computer through serial or USB ports, making all data on the location/course/velocity of the sensors available. GPSd is everywhere in mobile embedded systems. It underlies the map service on Android phones. It's ubiquitous in drones, robot submarines, and driverless cars. It's increasingly common in recent generations of manned aircraft, marine navigation systems, and military vehicles.
In February 2015, the reference implementation of the Network Time Protocol--the method that nearly every computer on earth uses to discover the time and syncronize its clock--was in dire straits. At that time, "NTP Classic", as we've come to call that first implementation:
- was not get C99 compliant (it was coded to multiple C programming language standards, the newest of which was over 16 years out of date)
- had documentation between 6 and 30 years out of date.
- had a fragile build system dependent on one single, ailing server that was behind on security updates and had an unknown configuration no one could reproduce
- had open source code, but that code was locked up in a proprietary repository that was prohibitively difficult for developers to get license to access
- had technical debt dating back decades
- had major resource allocation problems: one paid developer compared to two paid administrative staff and one paid fundraiser
NTP Classic was a source of major security problems, both in NTP servers and in any machine those servers were used to bounce and amplify attacks onto. NTP was both essential to, and a danger to, the entire internet.