Mr. Timberg, youve written a series over the past several months called the net of insecurity. Whats the goal of this series . Guest well, about this time last year the post executive editor summoned me and my editor to his office and essentially asked us what the hell is wrong with the internet . How can it be so essential to everything in our lives and yet so insecure . This came in the aftermath of the sony hack and quite a few others. And this project is really an attempt to answer that question. Host is the openness of the internet, does it make it a Security Risk . Guest yeah. I mean, its interesting to think about the Big Questions that the people who designed this thing were thinking about. None of them had to do with, you know, someday creating an iphone or anything like it or someday creating a game you could play over the internet. It was all about connecting people. And they didnt have sort of our contemporary notion of vulnerability the way we think of to it. They were thinking about, they were thinking about being able to get academics to talk to other academics, maybe share some files. They were a little worried about the cold war and that the russians might try to penetrate the network, but the idea that the internets users would actually attack other Internet Users didnt really occur to anybody at that time. So, yeah, the openness is absolutely the essence of the security problem, but its also whats so amazing about the internet. We would have no internet if it wasnt as open as it is. It was the ability of people to log on and become part of an Online Community that made the internet what it is today. So, Craig Timberg, at what point did security become a priority for Internet Developers . Guest you could make the case that it never has. [laughter] what youve gotten is a successive wave of moments of dawning awareness. Really the first one i deal with in the first piece of the project was in 1988 when the morris worm gets loose, this Computer Science student releases this thing online, it crashes hundreds of thousands of computers and costs billions of dollars in damage. And all of these gray beards, all of these guys who had been working on the internet 20 years earlier basically all at once said, oh, my god, what have we done . And that terrified them. And they were appropriately concerned that at the very essence of connectivity and openness there was this danger lurking there. And yet, you know, at that point they werent in charge anymore. And so the internet is now, its getting close to being a half century old to, and with each successive wave of new generations in charge, they all plow forward and forget the security nightmares and, in a way, sort of make the same mistakes all over again. Host what was the morris worm, and who is Robert Morris . Guest Robert Morris was a Computer Science student, the son of an nsa official, as it turns out. And he wanted to basically see if you could let something loose that would crawl around the internet all by itself. His account of it later became, you know, hed sort of done a programming error, so instead of just crawling around, it took over machines and replicated itself with a degree of frenzy that he didnt anticipate. It crashed computers all other the world. 1988 was kind of early, so its not like a lot of things went down, but it did cause a high degree of havoc. He was later convicted for, you know, computer abuse, but hes now, you know, he went on to a successful career as a entrepreneur, hes now a professor at mit, so it didnt turn out all bad for him. The world at that point began to realize once you connect everything up, all sorts of things can happen. Someone in moscow or manila can just reach out and touch me right on a computer sitting in my home. Host so was professor morris looking to cause harm when he created this worm . Guest it doesnt seem so, no. He was attempting to sort of solve a Computer Science riddle, could you create something that just crawled around and found its way across the internet by itself in a viral way. And he seemed to have, he overshot the mark a bit, at least thats his account of it later. Host Craig Timberg, you mentioned the gray beards. Who were some of the gray beards that created the internet . Guest well, the most famous ones are people like vince serf whos now, you know, an executive at google, sat down and wrote a lot of that early code. I guess it wasnt code at that point, but early design with his colleagues. It was a whole cadre of folks at an institution called arpa which now is called darpa, what they called the Blue Sky Research agency at the pentagon, and they were their job was to look around the corner and do, solve problems that didnt have immediate payoff for the u. S. Military. So they were trying to figure out, you know, we have these computers, you know, what if we could get these computers to talk to one another. What if we could, what if i could be sitting in palo alto as i am now and immediately be sending a file to a scientist in washington, d. C. . Or alternatively, what if i wanted to log on and immediately work on a computer in washington, d. C. That was essentially as if i was there . So they were thinking about leveraging what at that point were a fairly scarce number of computers overall, these giant mainframes. Said how can we communicate, how can we share these resources. And so they built something that was really, you know, frictionless that didnt, that didnt anticipate that we might want to keep some people off of that network. Host you used the term in your series, mr. Timberg, patch and pray. What is that . Guest right. [laughter] so thats a kind of, its a derogatory term that came about, i think it first emerged in the mid 90s when you would say that, you know, a software developer, a microsoft or an oracle would release these bits of software that were, that werent really solidding from a Security Point of view solid from a Security Point of view. They did what they claimed to do, they would print something on your printer, or they would create some imagery or some sound on your computer, but they had all of these holes in them that people could get into and eventually use that to take control of your computer. So the sort of historical moment here is the mid 90s. The worldwide web has been created, theres this amazing rise of uptake and connectivity all over the world, and, you know, there are companies that serve that emerging market which was huge and powerful and very lucrative companies got, you know, had amazing profits for many years, many decades. But it took outsiders to point out that their stuff wasnt really locked down. So you end up with a rise of these hacker groups that would go in, and they would find problems. They would reveal problems, and then the Software Companies would eventually fix the problem. So thats the patch part of the brain. And then the hackers would come in, and theyd find more problems, and they would get patched again, and again they would pray that there would be no more problems. This just went on and on and on and still goes on today. Lots of software we use all the time has lots of problems, and the people that make those types of software hope that it turns out okay, but often it doesnt. Host so we still put security as a secondary issue when it comes to developing software, using the internet . Guest i think secondary would be really generous, frankly. In all of the pieces, you see with the internet being five pieces in the project, its now been released as an ebook on amazon and on the Washington Post web site, and in each of these pieces you see this wrestling with conflicting demands, right senate right . Early architect was worried about connectivity. Later on people are worried about making money, producing products that consumers are going to buy and use in large numbers. The last piece is about, you know, a very popular and, frankly, amazingly good operating system called lin new york stock exchange. Its not enough to make a piece of software if it isnt perfectly safe. The dilemma is they want it to be useful, to be fast, toffeetures that are going to appeal toffeetures that are going to appeal to all of us. And these individual decisions about do we make this thing more fast or more safe or more awesome. The fast and awesome pretty much always win for decades and decades and decades now. And the marketplace is rewarding those decisions, right . Which you pay, you know, three times as much for a smartphone that was radically more secure but also was radically more difficult to use, that crashed some of the time, that maybe you want to go to a web site and looked at, you know, play a song, but it wont play the song because the security features think that theres a danger that you could be hacked from something coded in the digitization of the song, right . As consumers, hundreds of millions, billions of us now, were forever choosing things other than security. Were choosing the speed, the performance, the features. And so security, i dont know, i think its maybe somewhere between 510 on the list of priorities of most Software Developers for whatever else they say. They will tell you, and Security Experts will tell you, security really doesnt pay. There isnt really a Business Model around it. There isnt a series of market incentives that turn out to be all that compelling. Host you mentioned operating systems. What is an operating system exactly . Guest so an operating system is, its really the most essential piece of software on any computer. So when i type, you know, a k on my keyboard, it needs to, you know, the chip needs to know that ive done that, and it needs to respond to that in a way thats useful. And the operating system allows the hardware and the software to communicate with each other so that when we try to do things, those things actually happen. And so when i use a word processer, i may be typing, you know, Craig Timberg, but it then goes to an operating system which then communicates with the hardware and allows the Craig Timberg to appear on my screen. So its really the foundational software of everything that we use. Host how many operating systems are widely used today . Guest you know, it depends what you mean by widely used. Theres all sorts of narrow, proprietary operating systems that work, for example, only in a certain kind of machinery or only in a certain kind of, you know, maybe vehicle. But there are several very big ones that youre familiar with. Theres windows, theres the mac os, theres linix, and theres a lot of others that are smaller in their purposes. Host well, Craig Timberg, as you mentioned, your fourth piece in this series was on linus to o have volt . Guest so hes this amazingly bright guy who, as a College Student in helsinki, finland, created an operating system not quite from scratch. He built off the work of some other people. But the thing that he did that was really revolutionary is he made it available to anyone who wanted it. Its a developed model called open source. So he did, you know, the first, i dont know, hundred things you needed to do right to make an operating system work, and then he basically said to the world, okay world, send me your improvements and your updates to this thing, and the world did to the point where hundreds of thousands of Computer Developers eventually were involved in creating this operating system. So he releases it to the public in 1991. Theres about 10,000 lines of code. Here we are, its 2015, so 24 years later, and now theres 19 million lines of code. He didnt write all of that, the hundreds of thousands of people wrote that. But he over all of these years has managed this growth. Its really kind of an amazing story, and what theyve produced is an operating system that manages to at once be very fast, very flexible, incredibly stable. Computers can run for years on linyx, but its also free. Theres no company in the middle thats in charge. Theres lots of companies that sell versions of it, but in the end, its a community project. And its, frankly, one of the most Amazing Stories in the history of the internet. The the issue that i deal with in that story though is that afterall these years and all after all these years and all this growth upon growth upon growth of different people, theres been this consistent conversation about whether its secure enough. And can the thinking of a lot of very smart people is that when it first came out, it was probably a lot more secure than the alternatives you could have gotten from microsoft or apple. But its no longer clear thats true. And theres a sense that the community that built lynix has not always had security as its top priority. They were focused, like the commercial software makers, they were focused on speed and performance and security fell somewhere down on the list. So theres this call literally now to kind of rethink it and try to, try to do major new revisions to the way it works in order to make it more secure because its become so widespread in the world. Host and hes rather dismissive and insulting towards securityminded people, is that correct . Guest its mostly correct. You know, he, you know, i spent several hours with him in his hometown, his new hometown of portland a little while ago, and, you know, he has a knack for saying outrageous things which when youre writing a newspaper story is super helpful because it crystallizes issues nicely. And one of the things hell say is that most security people are crazy, or that most security people think in very black and white terms. Security so hes saying the if you think about security as the first thing you do, you never make anything interesting. That doesnt mean that when there are Security Problems, linus doesnt worry about them and doesnt seek to fix them. It does mean he has not been as very kind of forward looking as some people would like him to be in anticipating Security Problems and putting in systems that would, that would make what he manages, the piece of the operating system called the kernel, way more secure. Theres just a tradeoff here. Theres a tradeoff you have performance and features, you have security, and hes on the performance and features side. The security people are forever saying, fine, its great that its so great, its been so fast, but youre risking real problems down the road now that linyx is not only in the obvious things like, you know, your desktop exciter, but its in every android mobile device in the world, in virtually every supercomputer in the world, its in most of the servers that make the internet work. And so security expers of the world are saying experts of the world are say, well, if its going to be everywhere, be its going to basically emerge as the dominant operating system of what ive come to think of kind of the connected world, you know, this uke verse where everything is electioned to everything else, then maybe we need to put a little more energy into thinking around the corner on this a bit. The Security Experts would love it if the big division makers would think five years out and ten years out. How do we avoid the next generation of disasters from befalling us online. Host well, how does security affect internet speed, internet agility . Guest well, thats the kind of Million Dollar question, if you will. There are some security features that certain Security Experts would like to create and make universal that do have a real consequence. They do make your computer work more slowly, and they do sometimes make stuff that used to work not work. Probably all of the viewers out there have had the experience of, you know, theres some program you used for years, and it just works. And then you get an update on your computer or phone, and it doesnt work. My first smartphone was an android, and verizon did one of these over the air update, and the next day the computer stopped working. Its called bricking the device. Its extremely unpleasant. And as you add in layers of security, theres always the danger that stuff gets slower, buggier. Thats not the right terms, but things get glitchier maybe. And so the essential debate is how much can we accept a little slower, a little less agile, a little less feature rich if it means for a dramatically more secure feature where its harder, for example u for a Foreign Government to hack into the office of Personnel Management and take a bunch of data. Ashley madison. Com was apparently running linyx on its servers. So and in a world where everything is going to be online, where pretty soon theres going to be more devices running it than there are humans in the world. At a certain point you think, well, maybe we need to pay a higher price in terms of speed, in terms of performance, in terms of features in order that in the future the internet be a safer place for all of us to live an ever larger portion of our lives. Host as you researched this series and now ebook available at the Washington Post. Com or on amazon, did you start to get worried . [laughter] guest ive been covering Technology Since summer of 2012, i guess, and every month i get more worried. [laugher] its just, its, it is a really perilous world. I peel like im forever learning things that scare me, and ill come home and terrorize my kids, and ill put stickers on their cameras, their laptop computer and things like that. And, you know, i do think that on some level that insecurity is the price of having the kind of robust online world we have in the same way that automobile fatalities are the price of having a highway system, that airplane crashes are the price to move from continent to continent in a relatively seamless way. But you do come away with an impression that we could do better and that if, you know, if security, if lets say its number eight in the Decision Making choices of software makers, if it moved up to, like, number three, that might be a really good thing. I dont know how you would get to that place. I dont know what, you know, what organization has the power to enable that kind of change. Theres a lot of people who think that the u. S. Government, for example, or other governments in the world could potentially use their massive procurement power to insist things be more secure. Oh, were only going to buy computers that run an operating system thats really locked down, and that creates more incentives for that kind of technology to spread more widely in the world. And i think some of that is beginning to happen. But its a deeply vexing problem, right . We want these things, we want these experiences. You know, when my son is lost on the streets of washington, d. C. And, you know, and sends me a text, i want to get that text. I want to know how to, you know, find him. So at the same time, i would like it if not everybody could find him, you know . [laughter] the tensions are just, theyre already certainly permanent. Weve entered a new world of connectivity. Its not going to go away barring some kind of unimaginable catastrophe. And so i guess what id say its incumbent upon us to take these issues more persistently seriously, to occasionally pay more for security to demand that companies sometimes do better, to maybe demand that our government take it more seriously than it historically has. Host well, were 20 years in from a lot of the writing of your series. You wrote about the late 80s and the to 90s. Were 20 years in, and cybersecuritys become a pretty big business, hasnt it . Guest yeah. [laughter] theres a lot of money spent on cybersecurity. I dug up this number, but its well into the billions of dollars a year. So theres a difference between, you know, if youre a big Company Making your computers safer and making the whole system safer. Theres a little bit of a tragedy of the commons problem here in that banks, for example, now spend a lot of money on internet security. And when they get hacked, it tends to not go as badly as it does when some other kinds of Companies Get hacked because they make those kinds of investments. But, you know, what about the rest of us . And while its nice that my bank is more likely to be able to keep track of how much money i have and where my money is going, we arent seeing those kinds of investments being made on the really core parts of the system that i wrote about most often in the series, the operating systems, the way that different routers talk to each other, the way really the internet is fast, really a mesh of computers that are talking to each other constantly at this amazing speed. And theres, one of the most amazing revelations of doing this kind of reporting is that theres really nobody in charge of this, right . It was made by humans, but its now, its really beyond the comprehension of any one human. And so that makes it harder to work on the deep, systemic problems that come up again and again. Again, an individual bank, you know, the university can do a much better job. They hire the right people, they make the right kinds of investments in hardware and software, and maybe they have to train everybody to do a better job. But still, i dont know, my sense is its not getting way better. It seems like there are more and more hacks all the time. They seem to be more severe all the time. And so the only thing i can conclude is that for all of the individual attention that some people in institutions can pay to this problem, all the money thats brought to bear, that theres some very deep problems that arent getting dealt with in part because no one necessarily perceives them as their problem. Theres giant internet thing out there. It connects all of us. And we have some means to protect ourselves if were sophisticated, but whos protecting the larger commons . Whos protecting the public park, if you will, the road network that were all now sharing . Its knotts clear to me that its not clear to me that anybody is. Host and as you mentioned, there are a lot of doors when you think about the fact that an hvac contractor was the door into the target, into the target hack. Guest right. Host so guest yeah, i mean host go ahead. Guest these systems end up being so much more incredibly complex than lay people understand. Thats a good example, the target hack comes into a flaw, an hvacs connection with the target computer system. Its amazing, right . And theres people out who spend their entire professional lives spent breaking these things that everyone else is trying to keep fixed. So theres a lot of incentive to find holes in all of these systems. Host mr. Timberg, you talk about bgps, and in that part of the series you ask the question why did potentially sensitive pentagon data once flow through beijing . Whats the answer to that question . Guest right. [laughter] you know, the answer we dont really mow the answer of why know the answer of why this incident happened. This was a bgp hijack, let me explain that a little bit. You know, when im on my phone and i connect up with, verizon is my network, my phone sends a signal to verizon over the cellular networks, then verizon sends it around the world. Once the communication gets to the ll of these the level of these very big actors, verizon to China Telecom or verizon to google or amazon or whatever, the transmission happens at a really sophisticated level, and so these giant, you could maybe think of them as these giant mighty rivers, like the mississippis of the internet. That data is transmitted using a protocol called bgp which was built a couple of decades ago now. But it turns out like all of this stuff its, these are rivers that can be diverted if you mow what youre doing. If you know what youre doing. So there was a time a few years ago when all of this data from the United States suddenly and mysteriously suddenly all flowed through these giant computers in beijing. And that included a bunch of military data. Now, it is certainly the case that most of the time when these crazy things happen online that its an accident. It isnt like when giant, these giant rivers of data get moved around that people are leaving up signs that say, oh, yeah, this is the beijing this is the chinese government, weve just taken all your stuff or, hey, were hackers, weve just taken all your stuff. It just is sort of happens, and people who watch these things can see it happened, but they cant really see why it happened. So we dont know why a bunch, you know, a big hunk of internet information including a large amount of military data just suddenly flowed through china a few years ago. We may never know why it happened. Host why are you at stanford . Guest im doing a night journalism fellowship which is just about the nicest thing that can ever happen to a journalist. They picked 20 people from around the world, and they let us take classes, and our spouses can take classes, and we do research into issues. So im here this academic year. But i arrived im not supposed to be working, but i arrived with the last piece of this series to complete, the one that was about the operating system. And so i had to spend a little time distracted. But stanfords an amazing place, and the Night Program is an amazing program. Host are you doing research on Technology Issues . Guest no. Im actually doing research on some of the vexing business problems with journalism. As you may have heard, its not been a great decade or so for [laughter] for the industry. And so im looking at the kinds of disruptions that technology has brought to the traditional Business Models and whether theres a way to do it better in particular when we cover the world. I used to be a foreign