Watching this log4j bug metastasize, I’m seeing people ask why industry doesn’t fund open source. I don’t have a great answer, but I have some thoughts following the experience with Heartbleed in ‘14. 1/
When Heartbleed dropped, it was very similar to log4j: an underfunded OSS project (OpenSSL) that nobody thought about, but was *everywhere*. It took everyone by surprise, and even woke industry up. The result was a surge of funding. 2/
Industry (not the government, who still thought “infrastructure” meant dams and bridges) suddenly realized they were using this stuff everywhere. So the Linux Foundation created the Core Infrastructure Initiative (now the OpenSSF). coreinfrastructure.org 3/
Money that was presumably hanging out in couch cushions suddenly became available to fund OSS teams. But there was a problem: nobody quite knew who to fund! 4/
One answer was OpenSSL, obviously. But once you’ve searched for your keys under the streetlamp, where do you go next? So the answer was to pick a handful of obvious targets and throw some money at them. 5/
You might imagine that there’s a huge database out there that lists every widely-used OSS dependency along with the current team funding status, plus some measure of the “impact” a serious vuln would have. Weirdly, there isn’t. 6/
A bunch of people have a list in their heads. But almost by definition, the real surprises aren’t on that list. If they were, maybe the problems would already be solved. 7/
Ok, so what I’m saying is that if you want to solve this problem, to me the missing resource is not money. It’s *visibility*. We all know the landmines are out there — but we can’t see them. 8/
Maybe there’s someone doing the analysis already. Maybe these resources exist now (they didn’t 7 years ago!) But if they don’t exist, they should. It would do more good than any number of millions of $. 9/
If they don’t exist, it would be very useful to retask some government resources away from E5 licenses or whatever towards building those resources. //
As a follow-up: @FiloSottile has a nice post about professionalizing the role of OSS maintainer. This is great! But I would still argue that money is finite, and knowing which projects need help is a basic missing ingredient. blog.filippo.io/professional-m…
When is “turn off the cloud” no longer a viable option?
I think it’s optimistic that 40% of people think our devices will continue to be useful in the future without a connection to a cloud service.
Ok. I did not phrase this question well so let me try again. At what point do you think our mobile devices will become sufficiently tied to cloud services that “turn off cloud” is no longer an option — either explicitly, or *effectively*.
The HSM universe is a nightmare. It’s genuinely terrible.
It’s like someone at the NSA in 1991 decided what the use-cases and APIs should look like, and nobody ever cared to bring any of it into the 21st century. It’s such garbage.
This is the “use cases” section for Amazon CloudHSM and reading the manual it’s like: yup, that’s pretty much all you could ever do with this garbage API.
I think it’s funny how little computer security people know about the Dapp ecosystem. It’s like they’re living in the hotel from The Shining and they have no idea what’s going down in Room 237.
Crypto/security people: we can’t *possibly* run a secure messaging app over the web because everything’s too insecure!
Dapp folks: let’s secure $100m using Javascript served by Cloudflare.