Thursday, April 04, 2024

XZ

I'm sure many of you reading this have heard about the xz vulnerability. To be very brief, a backdoor was discovered in the xz Linux utility. This is a big deal. First, the fact that it was discovered and reported proves that open source "works". But, the cost was very high. This incident exposes severe cultural problems in open source that Open Research Institute (ORI) has sought to address, with some success. ORI is a non-profit R&D firm that specializes in open source digital radio. Amateur radio is the primary beneficiary of this work. ORI practices a behind-the-scenes supportive and inclusive approach, and has had objective, clear, and continuing success. It creates a vibrant reality. Unfortunately, even ORI projects that directly benefit amateur radio have fallen prey to bullying, powermongering, and targeted harassment from time to time.

An accurate summary article about the xz hack can be found here.

https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/

There are many very important things covered in this article and others written about this hack. Open source work powers virtually all of the internet and a large swath of critical communications infrastructure. The unquestioned importance of open source work in our modern life is one of the reasons why this incident is important. Nearly 100% of internet infrastructure runs on Linux. If you like the internet or use it, you care about xz. Linux is absolutely essential to modern amateur radio. If you care about amateur radio, then you care about Linux. 

Secondly, people, out of altruism and volunteerism, motivation and agency, donate their time and talent to make all sorts of open source things. The costly squandering of goodwill and good effort, which was how this hack happened, is another reason why this incident is important. The reason it almost worked is because, as we see with traditional amateur radio organizations, individual people with small amounts of power will actively exploit the good will of many volunteers in order to promote selfish and harmful aims and purposes. These aims and purposes are corrupt. When they are found in our hobby they harm amateur radio. These views are unfortunately very real and they are widely held. These views hurt amateur radio because people take actions based on their unexamined and unconfronted views and prejudices. The way that bad culture harms individuals in amateur radio is similar to the way that the xz hack has hurt the Linux community.

We, as a society, have benefited enormously from open source work. Yet, open source volunteers have tolerated a huge amount of abuse and "yanking the rug out from underneath" for decades. This contemptuous treatment of the goose that laid the golden egg has had predictable results, multiple times. The xz hack is not an unexpected or unusual result. There are important parallels to the way women's unpaid work is treated. We can find a way out of this mess by confronting the root causes of these related symptoms. 

The technical is social before it is technical. If the social framework for technical work is broken for many, and I am here to assert that it definitely is, then technical work is stuck at a local maximum *at best*. Sure, it might work quite well for some. Now, if you only care about how you're doing and your personal projects, then this might be enough for you. But, something that is broken and manipulated in your favor yet leaves out others means that a lot of your peers will not have an easy time of it, and they won't be able to help you in the long run. If they haven't already quit a long time ago, they may in the near future, or will simply not have the energy or margin to support you and your work even if they do hang around. This fact of life will harshly limit how far *you* can expect to proceed. After all, you need a lot of peers and a big audience for the project you care about to be recognized or appreciated. 

Have you stood by and watched while a bunch of your most enthusiastic and capable peers get run off? We've lost 20% of US women licensees over the past decade alone. Are you even aware of this exodus? If not then please consider why it might negatively affect the adoption of your personal pet project or tech. Women are in control of spending in 70-80% of US households. If your project is ham radio related, and there are statistically significantly fewer women licensees, you have far fewer people that may be inclined to green light either a purchase or be ok with a bunch of time spent away from the family for a hobby that is increasingly unwelcoming to women. 

In the writing business, we're told (top to bottom) to "Buy other authors' work. Just do it. Every chance you get. Promote their work. Show up for them. We are all in this together." Do you wonder why this is the case? Do you find this to be weird? You shouldn't. Producers and creators tell each other, and have been telling each other for decades, to stand together and support each other, because a rising tide lifts all boats. Otherwise, the entire writing economy fails. Why exactly this (imperfectly) successful method is largely absent in open source, I don't know.

The xz maintainer was targeted and manipulated in a way that's totally acceptable in open source work. The shitty way they were treated is normalized. Those of us at ORI have spoken up against this sort of thing in the past and will continue to speak up against it as long as it is a problem. In some circles, and by some people (several specific people in amateur radio come to mind), the mentality that led to the xz hack has a positive connotation. Attacking anyone that might be a "threat", no matter how twisted the logic, and isolating and targeting the people that want to be collaborative and productive? Actions taken out of jealousy and spite are widely acceptable behavior in amateur radio. This is a behavior that is distinct and deeply inferior to peer review, which can also be painful but follows a different, and in my view, a more productive social contract. 

Ethics matter in tech. It's deeply unethical to simultaneously define "critical internet infrastructure" as also "just a hobby done in your free time". Disappointingly, this works - because people can, and absolutely do, amazing things under bad circumstances when they clearly see an unmet need. Society gets *something for nothing*, by burning people out. We burn people out by letting them publicly stick their necks out, work hard, and publish extremely useful results of all sorts, while failing to back them up, protect them, compensate them, credit them, or include them in the eventual profits or success. 

What's the difference between the people society lets burn out and the people society insists on rewarding? Quite often it's their race and gender. In the case of open source maintainers, the people most often taken advantage of are the people that *act* supportive and nurturing (in other words, they "act like a woman"). Blowhard bullies get more of a pass, no matter how absent or infrequent their work. People that altruistically care are frequently a target, or are ditched or ghosted or made to feel inferior in whatever way is convenient to keep them "silently productive".

Eventually corrupt code is published in the supply chain as a result of this cultural dichotomy of value. The missing ingredient? Just like the work of unpaid housewives, donated open source work is not properly valued and can be socially exploited, just as it was in this particular case. Money can't save the day, even though funding does help - but it helps only if it is properly administered. We've seen that when it is not properly administered, money really ruins things. There is a reason we say that the love of money is the root of all evil. Money doesn't help if the social parts are still broken. 

What we are talking about beneath the surface is the repeated insistence by larger society to relegate open source work as something very much like "women's work", or unpaid labor that is "owed" because "that's your job so shut up and do it really well" because "we honestly can't get by without it but as long as we can trick you into doing it by humiliation or force then we'll continue to get away with it". Bullies are allowed to show up and produce mediocre work. Male bullies and blowhards especially get rewards that the altruistic people of any gender simply do not ever receive. 

The internet is super important. The internet should "just work" and "those nerds don't have much of a life anyway, so why can't they just get this right". It's the exact same situation as "dumb housewife just effing do all this scut work without bothering me so I can get back to focusing on my real job". The long term effects on society of devaluing the work, while expecting it to be done for free, have been studied and are negative. I think we can see the same story in open source. You can literally see the contempt for open source maintainers - with the exact same language directed towards housewives - in github comment after github pull request after github comment. 

Treating people badly is a security risk. Failing to value hard and meaningful work gifted to the general public (or a household) is equivalent to treating people badly. This isn't very hard to figure out. It has been incredibly hard to fix, even when the costs are painfully clear.

The bad actors in the case of the xz hack (and yes, this was a long con hack) were able to do this with impunity because they used the same nasty tactics that *work* in many open source projects. Shame and doubt and insinuations that the maintainer is a failure that needs to atone to "the community/household" forever, without real support? This is common.

This has been written about before. It is promulgated by the current open source culture and echoes strongly in amateur radio. Amateur radio is a culture that is extremely homogeneous and VERY resistant to change. You all have seen how harshly our modest efforts at ORI to be competent, selfless, collaborative, and supportive have been punished. I can assure you, working well and hard, and watching incredibly talented technical volunteers getting kicked in the teeth as a "reward", is not fun at all.

Bad amateur radio politics are so well known at this point that amateur radio has been largely written out of emergency communications plans and actively avoided by the professionals in public service communications. Universities are extremely cautious about including us. It's a disaster for an international radio service to have the bottom fall out like this. But, it's happening. It's happening because the same problems that led to the xz hack work just as well in ham radio technical culture.

These issues really do affect our frequency allocations. We'd have far more frequencies and be much more deeply involved in the regulatory process if we were socially healthy and inclusive.

Being honest about addressing the social problems of ham radio is the key to solving nearly every other problem in the radio service. We can continue to deny this fact and barely survive with flat or negative growth in the US while watching other countries experience steep licensee declines, or we can change course and take full advantage of the best it's ever been for the radio arts. 

What are we waiting for? 

-Michelle Thompson