Thursday, April 04, 2024

XZ

 I'm sure many of you reading this have heard about the xz vulnerability. To be very brief, a backdoor was discovered in the xz Linux utility. This is a big deal. First, the fact that it was discovered and reported proves that open source "works". But, the cost was very high. This incident exposes severe cultural problems in open source that Open Research Institute (ORI) has sought to address, with some success. ORI is a non-profit R&D firm that specializes in open source digital radio. Amateur radio is the primary beneficiary of this work. ORI practices a behind-the-scenes supportive and inclusive approach, and has had objective, clear, and continuing success. It creates a vibrant reality. Unfortunately, even ORI projects that directly benefit amateur radio have fallen prey to bullying, powermongering, and targeted harassment from time to time. 

An accurate summary article about the xz hack can be found here.

https://theintercept.com/2024/04/03/linux-hack-xz-utils-backdoor/

There are many very important things covered in this article and others written about this hack. Open source work powers virtually all of the internet and a large swath of critical communications infrastructure. The unquestioned importance of open source work in our modern life is one of the reasons why this incident is important. Nearly 100% of internet infrastructure runs on Linux. If you like the internet or use it, you care about xz. Linux is absolutely essential to modern amateur radio. If you care about amateur radio, then you care about Linux. 

Secondly, people, out of altruism and volunteerism, motivation and agency, donate their time and talent to make all sorts of open source things. The costly squandering of goodwill and good effort, which was how this hack happened, is another reason why this incident is important. It almost worked because, like we see with traditional amateur radio organizations, individual people with small amounts of power will actively exploit the good will of many volunteers in order to promote selfish and harmful aims and purposes. These aims and purposes are corrupt. When they are found in our hobby they harm amateur radio. These views are unfortunately very real and they are widely held. These views hurt amateur radio because people take actions based on their unexamined and unconfronted views and prejudices. The way that bad culture harms individuals in amateur radio is similar to the way that the xz hack has hurt the Linux community. 

We, as a society, have benefited enormously from open source work. Yet, open source volunteers have tolerated a huge amount of abuse and "yanking the rug out from underneath" for decades. This contemptuous treatment of the goose that laid the golden egg has had predictable results, multiple times. The xz hack is not an unexpected or unusual result. There are important parallels to the way women's unpaid work is treated. We can find a way out of this mess by confronting the root causes of these related symptoms. 

The technical is social before it is technical. If the social framework for technical work is broken for many, and I am here to assert that it definitely is, then technical work is stuck at a local maximum *at best*. Sure, it might work quite well for some. Now, if you only care about how you're doing and your personal projects, then this might be enough for you. But, something that is broken and manipulated in your favor yet leaves out others means that a lot of your peers will not have an easy time of it, and they won't be able to help you in the long run. If they haven't already quit a long time ago, they may in the near future, or will simply not have the energy or margin to support you and your work even if they do hang around. This fact of life will harshly limit how far *you* can expect to proceed. After all, you need a lot of peers and a big audience for the project you care about to be recognized or appreciated. 

Have you stood by and watched while a bunch of your most enthusiastic and capable peers get run off? We've lost 20% of US women licensees over the past decade alone. Are you even aware of this exodus? If not, then please consider why it might negatively affect the adoption of your personal pet project or tech. Women are in control of spending in 70-80% of US households. If your project is ham radio related, and there are statistically significantly fewer women licensees, you have far fewer people that may be inclined to green light either a purchase or be ok with a bunch of time spent away from the family for a hobby that is increasingly unwelcoming to women. 

In the writing business, we're told (top to bottom) to "Buy other authors' work. Just do it. Every chance you get. Promote their work. Show up for them. We are all in this together." Do you wonder why this is the case? Do you find this to be weird? You shouldn't. Producers and creators tell each other, and have been telling each other for decades, to stand together and support each other, because a rising tide lifts all boats. Otherwise, the entire writing economy fails. Why exactly this (imperfectly) successful method is largely absent in open source, I don't know. 

The xz maintainer was targeted and manipulated in a way that's totally acceptable in open source work. The shitty way they were treated is normalized. Those of us at ORI have spoken up against this sort of thing in the past and will continue to speak up against it as long as it is a problem. In some circles, and by some people (several specific people in amateur radio come to mind), the mentality that led to the xz hack has a positive connotation. Attacking anyone that might be a "threat", no matter how twisted the logic, and isolating and targeting the people that want to be collaborative and productive? Actions taken out of jealousy and spite are widely acceptable behavior in amateur radio. This is a behavior that is distinct and deeply inferior to peer review, which can also be painful but follows a different, and in my view, a more productive social contract. 

Ethics matter in tech. It's deeply unethical to simultaneously define "critical internet infrastructure" as also "just a hobby done in your free time". Disappointingly, this works - because people can, and absolutely do, amazing things under bad circumstances when they clearly see an unmet need. Society gets *something for nothing*, by burning people out. We burn people out by letting them publicly stick their necks out, work hard, and publish extremely useful results of all sorts, while failing to back them up, protect them, compensate them, credit them, or include them in the eventual profits or success. 

What's the difference between the people society lets burn out and the people society insists on rewarding? Quite often it's their race and gender. In the case of open source maintainers, the people most often taken advantage of are the people that *act* supportive and nurturing (in other words, they "act like a woman"). Blowhard bullies get more of a pass, no matter how absent or infrequent their work. People that altruistically care are frequently a target, or are ditched or ghosted or made to feel inferior in whatever way is convenient to keep them "silently productive".

Eventually corrupt code is published in the supply chain as a result of this cultural dichotomy of value. The missing ingredient? Just like the work of unpaid housewives, donated open source work is not properly valued and can be socially exploited, just as it was in this particular case. Money can't save the day, even though funding does help - but it helps only if it is properly administered. We've seen that when it is not properly administered, money really ruins things. There is a reason we say that the love of money is the root of all evil. Money doesn't help if the social parts are still broken. 

What we are talking about beneath the surface is the repeated insistence by larger society to relegate open source work as something very much like "women's work", or unpaid labor that is "owed" because "that's your job so shut up and do it really well" because "we honestly can't get by without it but as long as we can trick you into doing it by humiliation or force then we'll continue to get away with it". Bullies are allowed to show up and produce mediocre work. Male bullies and blowhards especially get rewards that the altruistic people of any gender simply do not ever receive. 

The internet is super important. The internet should "just work" and "those nerds don't have much of a life anyway, so why can't they just get this right". It's the exact same situation as "dumb housewife just effing do all this scut work without bothering me so I can get back to focusing on my real job". The long term effects on society of devaluing the work, while expecting it to be done for free, have been studied and are negative. I think we can see the same story in open source. You can literally see the contempt for open source maintainers - with the exact same language directed towards housewives - in GitHub comment after GitHub pull request after GitHub comment. 

Treating people badly is a security risk. Failing to value hard and meaningful work gifted to the general public (or a household) is equivalent to treating people badly. This isn't very hard to figure out. It has been incredibly hard to fix, even when the costs are painfully clear.

The bad actors in the case of the xz hack (and yes, this was a long con hack) were able to do this with impunity because they used the same nasty tactics that *work* in many open source projects. Shame and doubt and insinuations that the maintainer is a failure that needs to atone to "the community/household" forever, without real support? This is common. 

This has been written about before. It is promulgated by the current open source culture and echoes strongly in amateur radio. Amateur radio is a culture that is extremely homogeneous and VERY resistant to change. You all have seen how harshly our modest efforts at ORI to be competent, selfless, collaborative, and supportive have been treated. I can assure you, working well and hard, and watching incredibly talented technical volunteers getting kicked in the teeth as a "reward", is not fun at all. 

Bad amateur radio politics are so well known at this point that amateur radio has been largely written out of emergency communications plans and actively avoided by the professionals in public service communications. Universities are extremely cautious about including us. It's a disaster for an international radio service to have the bottom fall out like this. But, it's happening. It's happening because the same problems that led to the xz hack work just as well in ham radio technical culture. 

These issues really do affect our frequency allocations. We'd have far more frequencies and be much more deeply involved in the regulatory process if we were socially healthy and inclusive.

Being honest about addressing the social problems of ham radio is the key to solving nearly every other problem in the radio service. We can continue to deny this fact and barely survive with flat or negative growth in the US while watching other countries experience steep licensee declines, or we can change course and take full advantage of the best it's ever been for the radio arts. 

What are we waiting for? 

-Michelle Thompson


Saturday, January 06, 2024

The Technical Part is Never the Hardest Part

Adapted from a presentation at the University of California San Diego for IEEE in November 2023. 

Video of the talk can be found here: https://youtu.be/BhxrxITHB_o

When we think about technology and society, and how our technology should serve people, we often think of efficiency, entertainment, and productivity increases. We tend to believe that technological advancement is inherently good, and we set things up to where not much stands in the way of claimed technical progress. Many engineers produce highly technical work, throw it over a wall, and expect it to be used as intended and for positive purposes.

However, the technical part is never the hardest part. The people part is always the hardest part. And if you do not design with this in mind, what you work on can fail to achieve your goals, or even worse, do much more harm than good. 

I’m Michelle Thompson and I’m an engineer, executive, and entrepreneur. 

Let’s address something right away. The technical part is actually very hard. People spend years in training and many more years employed doing difficult technical work before achieving even modest success in science or engineering. There is very little worth doing that is easy. The technical challenges we tackle are highly complex. Failures, setbacks, and roadblocks are ahead of you, all the time. It’s easy to think that’s the whole story. But, it isn’t. 

This is a talk about advice on how to be a better engineer or scientist. And the first and most important bit of advice I have for you is Do Not Give Advice. Unless it is asked for. And unless you can give it as a gift. Listen carefully to the person you want to help by giving them advice. Are you being asked for a Solution or are you being asked for Sympathy? If it’s not clear, then ask. If it’s sympathy, and in a professional context, then provide it. Ask them to keep explaining until they have complained themselves out. And then keep this confidence to yourself. There are exceptions to this, such as mandated reporting of abuse, illegal behavior, or self harm. 

Are you being asked for a solution? Do you have something productive to say? Then offer your solution as a gift. Gifts have no strings. Advice given with an expectation of control or compliance is not advice, it’s management. 

The purpose of a system is what it does. Not what it was designed to do. Not what you want it to do. Not what you need it to do. Not what it is expected to do. Not what you hope it does. The purpose of a system is what it actually does. That is the purpose.

It can be very difficult to listen to people that are telling you that your system or procedure or rule or code or product hurts them, or others. You may believe that it’s their own fault, that they are using it wrong, don’t deserve to have access to the product or design in the first place, or do not understand what you have created or enforced. That’s fine, and there’s space for disagreement. Not every system serves everyone. 

However, the purpose of a system is what it does. When people bring proof to you that your system is doing something harmful to them, it is much more likely that they are right, than you are wrong. A good engineer prioritizes fixing the system instead of attacking the messengers, users, members, or customers. There are times to defend the status quo from unnecessary changes. Be very sure you are defending a status quo for solid reasons. Be willing to do an honest review. Document what you see, even if changes are not possible. The next design will be much better informed. Science publication often ignores negative results. However, these results are incredibly valuable. Do the thankless work of recording what you see. You will benefit yourself and others.

The purpose of a system is always emergent. The effects and consequences and repercussions of a system really do not care about your intentions or assumptions that drove the design. Don’t argue with ground truth. Learn from it. 

And, there are always unintended consequences. A good engineer looks for these, anticipates these, and welcomes these. They will teach you what you should be looking at to fix the current design, and what you should be starting off with on the next design. 

Things worth doing are rarely easy. Exceptions are things like brushing your teeth. If it’s worth doing, other people probably haven’t already done it to death. And, not all hard work is worth you doing it. 

A system is defined not by the rules but how they are enforced. Rules that are enforced capriciously or only against one particular group indicate corruption or a police state. 

There’s a big difference between rules and boundaries. Rules are things we expect others to do or not do. We expect rules to result in changes or modifications to other people’s behaviors. There are penalties for disobeying rules that are usually enforced by some sort of external authority. 

Boundaries are conditions that are enforced by ourselves. We notify others that we have a boundary condition, like if you yell at me again, I will leave the room. Or, if you don’t pay me on time again, I will quit. Boundaries provide a clear description of what an individual will do if certain behaviors continue, but do not attempt to control or coerce changes in behavior in others. The choice to change the behavior is entirely up to them. The repercussions are enforced by the individual affected on what they can control, which is themselves.

In situations where rules are not enforced or do not help you at all, boundaries give you control and agency. Boundaries reduce harm and provide a framework for surviving difficult situations. What boundaries do you have? What would you do if you saw something illegal, immoral, or unethical? What would you do if you found out you were being treated differently than others? What if that difference caused harm to you or others? Is there a situation in your life where you really wished someone had behaved differently? Is there something you wished that you could have done differently in the past? These are opportunities for developing boundaries that will make your future self happier and more capable as a designer and problem solver. We can’t make our best designs when we are afraid or stressed out. 

The technical is social before it is technical. Nothing technical exists in a vacuum or apart from people. 

Do not trivialize use cases. Poor use cases lead to poor implementations of otherwise excellent technology. Use cases need to involve actual humans. Use cases need to involve a variety of humans. If you do not do this, if you do not have or listen carefully to feedback, your design may end up hurting people. 

Your intentions and expectations of how the design is going to be used are not a replacement for what you get from listening to current and future users. You get to decide what’s worth listening to, but in order to get good feedback, you have to put in the work to make it possible for people to give it to you in the first place. 

You will be constantly confronted with unethical behavior. There may be no repercussions for unethical or illegal behavior. You will have to decide what you are going to do about it. Choose carefully.

This can be very hard. Your job or funding or relationships or reputation may be on the line. Everyone else might be doing it. People will make fun of regulatory processes, safety requirements, end users, management, and so on. Stick up for the right way to do things, especially when no one is watching. 

Money or power doesn’t change people.

An influx of money or power simply reveals who they really are.

Good governance is the entire game. Be part of good governance, even when it’s hard, or when people in charge fail to follow their own rules. 

Do you recognize this image?

This is from a very famous and effective 1940s advertising campaign. How did it come about? Most of the US fire fighters went off to fight in World War II. Research revealed that 9 of 10 forest fires could be prevented, if people made small behavioral changes. An advertising campaign was designed and deployed to get people to make small changes. 

It worked. The resulting fire prevention saved a lot of lives and property. 

There were, of course, unintended consequences. Fires serve a purpose in the ecosystem. Decades of fire suppression led to fuel imbalances and wildfires that were difficult to control and fight. 

Similar to this ad campaign, only you can prevent toxic behavior that wrecks technical work. It’s you. You’re it. 

You will have human resources. You will have great managers. You will have wonderful co-workers. If you want a clean and healthy job site, it’s something you must actively maintain. Suppressing toxic behavior also has unintended consequences. Those consequences will have to be recognized and adapted to in order to make further progress. 

It’s not always about who you are talking to. It is about who is listening. Bystanders are in the long run more important than targets. Especially when the target is invincibly ignorant, or you can’t win. 

Do not forget your indirect audience. Seeing someone stand up to a bully, or stick up for ethical funding procedures, or speak out against falsifying test data, is crucial to future health and success, even if you are attacked or punished for speaking up. 

Assholes will win. If you find yourself in a situation where repercussions are not enforced for bad behavior, quit. Do not be afraid to quit. Even if it doesn’t directly affect you. Even if the bad behavior benefits you. Why? It eventually will. You just haven’t been affected yet. 

Get used to thinking, “Not on my watch”. Encourage others that are also ethical engineers. Add them to your network. Take them to lunch. Develop strong ties with them. This will pay off. 

What do you do when you have the situation where you have to confront that “This wasn’t what I was hired for”? 

Likely you will do wildly different things than what is in your degree. You will have to adapt, learn, and come up to speed on new things all the time.

If you are hired for (or to develop) specific expertise, and you are not being listened to, are routinely overruled, or your work erased, deleted, or trivialized, find another job and quit. 

Kindness is contagious. However, the incubation period is indeterminately long. 

Ambush meetings? Just say no. 

What is an ambush meeting? It’s when the true topic of discussion is kept hidden until you show up. The organizer may also hide who will actually be at the meeting.

Call it what it is and consider not participating. This may have repercussions, but going along with it will result in worse treatment. 

Ambush meetings clearly communicate that you are not valued as a colleague, employee, or collaborator. 

A related topic is pull-asides. If you are approached in the hallway and asked to commit to something, no matter how innocent it sounds, thank the person and tell them you will go think about it and get back to them later. Do not agree to anything when caught off guard in a pull-aside. These have no written agenda, no paper trail, no acknowledgement of extra duties or responsibilities. Do not let your helpful and generous nature be taken advantage of, whether it’s intentional or not. Be courteous but clear. Meetings need to be transparent, have agendas, and happen on equal terms. 

Listen first. You will never make a catastrophic mistake by listening.

Eavesdropping is not listening.

Remember whatever you happen to hear.

It’s ok to say “That is none of my business”, and keep an opinion to yourself. 

All of this advice comes from hard-earned experience, and has served me and others very well. Your experiences and your stories are just as valid. If you find what I have said useful, please share it. If you would like to talk more about what I have shared, please get in touch. I’d love to hear from you.