tv   The Communicators  CSPAN  January 25, 2016 8:00am-8:31am EST

8:00 am
>> you are watching booktv on c-span2 with top nonfiction books and authors every weekend. booktv, television for serious readers. and now on c-span we want to introduce you to craig timberg, he covers technology for "the washington post".
8:01 am
mr. timberg, you've written a series over the past several months called "the net of insecurity." what's the goal of this series? >> guest: well, about this time last year the post executive editor summoned me and my editor to his office and essentially asked us what the hell is wrong with the internet? how can it be so essential to everything in our lives and yet so insecure? this came in the aftermath of the sony hack and quite a few others. and this project is really an attempt to answer that question. >> host: is the openness of the internet, does it make it a security risk? >> guest: yeah. i mean, it's interesting to think about the big questions that the people who designed this thing were thinking about. none of them had to do with, you know, someday creating an iphone or anything like it or someday creating a game you could play over the internet. it was all about connecting people. and they didn't have sort of our contemporary notion of vulnerability the way we think of it. they were thinking about, they
8:02 am
were thinking about being able to get academics to talk to other academics, maybe share some files. they were a little worried about the cold war and that the russians might try to penetrate the network, but the idea that the internet's users would actually attack other internet users didn't really occur to anybody at that time. so, yeah, the openness is absolutely the essence of the security problem, but it's also what's so amazing about the internet. we would have no internet if it wasn't as open as it is. it was the ability of people to log on and become part of an online community that made the internet what it is today. >> host: so, craig timberg, at what point did security become a priority for internet developers? >> guest: you could make the case that it never has. [laughter] what you've gotten is a successive wave of moments of dawning awareness. really the first one i deal with in the first piece of the
8:03 am
project was in 1988 when the morris worm gets loose, this computer science student releases this thing online, it crashes hundreds of thousands of computers and costs billions of dollars in damage. and all of these gray beards, all of these guys who had been working on the internet 20 years earlier basically all at once said, oh, my god, what have we done? and that terrified them. and they were appropriately concerned that at the very essence of connectivity and openness there was this danger lurking there. and yet, you know, at that point they weren't in charge anymore. and so the internet is now, it's getting close to being a half century old, and with each successive wave of new generations in charge, they all plow forward and forget the security nightmares and, in a way, sort of make the same mistakes all over again. >> host: what was the morris worm, and who is robert morris?
8:04 am
>> guest: robert morris was a computer science student, the son of an nsa official, as it turns out. and he wanted to basically see if you could let something loose that would crawl around the internet all by itself. his account of it later became, you know, he'd sort of done a programming error, so instead of just crawling around, it took over machines and replicated itself with a degree of frenzy that he didn't anticipate. it crashed computers all over the world. 1988 was kind of early, so it's not like a lot of things went down, but it did cause a high degree of havoc. he was later convicted for, you know, computer abuse, but he's now, you know, he went on to a successful career as an entrepreneur, he's now a professor at mit, so it didn't turn out all bad for him. the world at that point began to realize once you connect
8:05 am
everything up, all sorts of things can happen. someone in moscow or manila can just reach out and touch me right on a computer sitting in my home. >> host: so was professor morris looking to cause harm when he created this worm? >> guest: it doesn't seem so, no. he was attempting to sort of solve a computer science riddle, could you create something that just crawled around and found its way across the internet by itself in a viral way. and he seemed to have, he overshot the mark a bit, at least that's his account of it later. >> host: craig timberg, you mentioned the gray beards. who were some of the gray beards that created the internet? >> guest: well, the most famous ones are people like vint cerf who's now, you know, an executive at google, sat down and wrote a lot of that early code. i guess it wasn't code at that point, but early design with his
8:06 am
colleagues. it was a whole cadre of folks at an institution called arpa which now is called darpa, what they called the blue sky research agency at the pentagon, and they were -- their job was to look around the corner and do, solve problems that didn't have immediate payoff for the u.s. military. so they were trying to figure out, you know, we have these computers, you know, what if we could get these computers to talk to one another. what if we could, what if i could be sitting in palo alto as i am now and immediately be sending a file to a scientist in washington, d.c.? or alternatively, what if i wanted to log on and immediately work on a computer in washington, d.c. that was essentially as if i was there? so they were thinking about leveraging what at that point were a fairly scarce number of computers overall, these giant mainframes. said how can we communicate, how
8:07 am
can we share these resources. and so they built something that was really, you know, frictionless that didn't, that didn't anticipate that we might want to keep some people off of that network. >> host: you used the term in your series, mr. timberg, patch and pray. what is that? >> guest: right. [laughter] so that's a kind of, it's a derogatory term that came about, i think it first emerged in the mid '90s when you would say that, you know, a software developer, a microsoft or an oracle would release these bits of software that were, that weren't really solid from a security point of view. they did what they claimed to do, they would print something on your printer, or they would create some imagery or some sound on your computer, but they had all of these holes in them
8:08 am
that people could get into and eventually use that to take control of your computer. so the sort of historical moment here is the mid '90s. the worldwide web has been created, there's this amazing rise of uptake and connectivity all over the world, and, you know, there are companies that serve that emerging market which was huge and powerful and very lucrative companies got, you know, had amazing profits for many years, many decades. but it took outsiders to point out that their stuff wasn't really locked down. so you end up with a rise of these hacker groups that would go in, and they would find problems. they would reveal problems, and then the software companies would eventually fix the problem. so that's the patch part of the brain. and then the hackers would come in, and they'd find more problems, and they would get patched again, and again they would pray that there would be no more problems. this just went on and on and on
8:09 am
and still goes on today. lots of software we use all the time has lots of problems, and the people that make those types of software hope that it turns out okay, but often it doesn't. >> host: so we still put security as a secondary issue when it comes to developing software, using the internet? >> guest: i think secondary would be really generous, frankly. in all of the pieces, you see with the internet being five pieces in the project, it's now been released as an e-book on amazon and on "the washington post" web site, and in each of these pieces you see this wrestling with conflicting demands, right? early architect was worried about connectivity. later on people are worried about making money, producing products that consumers are going to buy and use in large numbers. the last piece is about, you
8:10 am
know, a very popular and, frankly, amazingly good operating system called linux. it's not enough to make a piece of software if it isn't perfectly safe. the dilemma is they want it to be useful, to be fast, to have features that are going to appeal to all of us. and these individual decisions about do we make this thing more fast or more safe or more awesome. the fast and awesome pretty much always win for decades and decades and decades now. and the marketplace is rewarding those decisions, right? would you pay, you know, three times as much for a smartphone that was radically more secure but also was radically more difficult to use, that crashed some of the time, that maybe you
8:11 am
want to go to a web site and looked at, you know, play a song, but it won't play the song because the security features think that there's a danger that you could be hacked from something coded in the digitization of the song, right? as consumers, hundreds of millions, billions of us now, we're forever choosing things other than security. we're choosing the speed, the performance, the features. and so security, i don't know, i think it's maybe somewhere between 5-10 on the list of priorities of most software developers for whatever else they say. they will tell you, and security experts will tell you, security really doesn't pay. there isn't really a business model around it. there isn't a series of market incentives that turn out to be all that compelling. >> host: you mentioned operating systems. what is an operating system exactly? >> guest: so an operating system is, it's really the most essential piece of software on
8:12 am
any computer. so when i type, you know, a k on my keyboard, it needs to, you know, the chip needs to know that i've done that, and it needs to respond to that in a way that's useful. and the operating system allows the hardware and the software to communicate with each other so that when we try to do things, those things actually happen. and so when i use a word processor, i may be typing, you know, craig timberg, but it then goes to an operating system which then communicates with the hardware and allows the craig timberg to appear on my screen. so it's really the foundational software of everything that we use. >> host: how many operating systems are widely used today? >> guest: you know, it depends what you mean by "widely used." there's all sorts of narrow, proprietary operating systems
8:13 am
that work, for example, only in a certain kind of machinery or only in a certain kind of, you know, maybe vehicle. but there are several very big ones that you're familiar with. there's windows, there's the mac os, there's linux, and there's a lot of others that are smaller in their purposes. >> host: well, craig timberg, as you mentioned, your fourth piece in this series was on linus torvalds? >> guest: so he's this amazingly bright guy who, as a college student in helsinki, finland, created an operating system not quite from scratch. he built off the work of some other people. but the thing that he did that was really revolutionary is he made it available to anyone who wanted it. it's a developed model called open source. so he did, you know, the first,
8:14 am
i don't know, hundred things you needed to do right to make an operating system work, and then he basically said to the world, okay world, send me your improvements and your updates to this thing, and the world did to the point where hundreds of thousands of computer developers eventually were involved in creating this operating system. so he releases it to the public in 1991. there's about 10,000 lines of code. here we are, it's 2015, so 24 years later, and now there's 19 million lines of code. he didn't write all of that, the hundreds of thousands of people wrote that. but he over all of these years has managed this growth. it's really kind of an amazing story, and what they've produced is an operating system that manages to at once be very fast, very flexible, incredibly
8:15 am
stable. computers can run for years on linux, but it's also free. there's no company in the middle that's in charge. there's lots of companies that sell versions of it, but in the end, it's a community project. and it's, frankly, one of the most amazing stories in the history of the internet. the issue that i deal with in that story though is that after all these years and all this growth upon growth upon growth of different people, there's been this consistent conversation about whether it's secure enough. and the thinking of a lot of very smart people is that when it first came out, it was probably a lot more secure than the alternatives you could have gotten from microsoft or apple. but it's no longer clear that's true. and there's a sense that the community that built linux has not always had security as its
8:16 am
top priority. they were focused, like the commercial software makers, they were focused on speed and performance and security fell somewhere down on the list. so there's this call literally now to kind of rethink it and try to, try to do major new revisions to the way it works in order to make it more secure because it's become so widespread in the world. >> host: and he's rather dismissive and insulting towards security-minded people, is that correct? >> guest: it's mostly correct. you know, he, you know, i spent several hours with him in his hometown, his new hometown of portland a little while ago, and, you know, he has a knack for saying outrageous things which when you're writing a newspaper story is super helpful because it crystallizes issues nicely. and one of the things he'll say is that most security people are
8:17 am
crazy, or that most security people think in very black and white terms. security -- so he's saying if you think about security as the first thing you do, you never make anything interesting. that doesn't mean that when there are security problems, linus doesn't worry about them and doesn't seek to fix them. it does mean he has not been as very kind of forward looking as some people would like him to be in anticipating security problems and putting in systems that would, that would make what he manages, the piece of the operating system called the kernel, way more secure. there's just a trade-off here. there's a trade-off you have performance and features, you have security, and he's on the performance and features side. the security people are forever saying, fine, it's great that it's so great, it's been so fast, but you're risking real problems down the road now that
8:18 am
linux is not only in the obvious things like, you know, your desktop computer, but it's in every android mobile device in the world, in virtually every supercomputer in the world, it's in most of the servers that make the internet work. and so security experts of the world are saying, well, if it's going to be everywhere, if it's going to basically emerge as the dominant operating system of what i've come to think of kind of the connected world, you know, this universe where everything is connected to everything else, then maybe we need to put a little more energy into thinking around the corner on this a bit. the security experts would love it if the big decision makers would think five years out and ten years out. how do we avoid the next generation of disasters from befalling us online. >> host: well, how does security affect internet speed, internet
8:19 am
agility? >> guest: well, that's the kind of million dollar question, if you will. there are some security features that certain security experts would like to create and make universal that do have a real consequence. they do make your computer work more slowly, and they do sometimes make stuff that used to work not work. probably all of the viewers out there have had the experience of, you know, there's some program you used for years, and it just works. and then you get an update on your computer or phone, and it doesn't work. my first smartphone was an android, and verizon did one of these over the air update, and the next day the computer stopped working. it's called bricking the device. it's extremely unpleasant. and as you add in layers of security, there's always the danger that stuff gets slower, buggier. that's not the right terms, but things get glitchier maybe.
8:20 am
and so the essential debate is how much can we accept a little slower, a little less agile, a little less feature rich if it means for a dramatically more secure feature where it's harder, for example, for a foreign government to hack into the office of personnel management and take a bunch of data. ashley madison.com was apparently running linux on its servers. so and in a world where everything is going to be online, where pretty soon there's going to be more devices running it than there are humans in the world. at a certain point you think, well, maybe we need to pay a higher price in terms of speed, in terms of performance, in terms of features in order that in the future the internet be a safer place for all of us to
8:21 am
live an ever larger portion of our lives. >> host: as you researched this series and now e-book available at washingtonpost.com or on amazon, did you start to get worried? [laughter] >> guest: i've been covering technology since summer of 2012, i guess, and every month i get more worried. [laughter] it's just, it's, it is a really perilous world. i feel like i'm forever learning things that scare me, and i'll come home and terrorize my kids, and i'll put stickers on their cameras, their laptop computer and things like that. and, you know, i do think that on some level that insecurity is the price of having the kind of robust online world we have in the same way that automobile fatalities are the price of having a highway system, that airplane crashes are the price to move from continent to
8:22 am
continent in a relatively seamless way. but you do come away with an impression that we could do better and that if, you know, if security, if let's say it's number eight in the decision making choices of software makers, if it moved up to, like, number three, that might be a really good thing. i don't know how you would get to that place. i don't know what, you know, what organization has the power to enable that kind of change. there's a lot of people who think that the u.s. government, for example, or other governments in the world could potentially use their massive procurement power to insist things be more secure. oh, we're only going to buy computers that run an operating system that's really locked down, and that creates more incentives for that kind of technology to spread more widely in the world. and i think some of that is beginning to happen. but it's a deeply vexing problem, right? we want these things, we want these experiences.
8:23 am
you know, when my son is lost on the streets of washington, d.c. and, you know, and sends me a text, i want to get that text. i want to know how to, you know, find him. so at the same time, i would like it if not everybody could find him, you know? [laughter] the tensions are just, they're already certainly permanent. we've entered a new world of connectivity. it's not going to go away barring some kind of unimaginable catastrophe. and so i guess what i'd say it's incumbent upon us to take these issues more persistently seriously, to occasionally pay more for security to demand that companies sometimes do better, to maybe demand that our government take it more seriously than it historically has. >> host: well, we're 20 years in from a lot of the writing of your series. you wrote about the late '80s and the '90s. we're 20 years in, and cybersecurity's become a pretty big business, hasn't it?
8:24 am
>> guest: yeah. [laughter] there's a lot of money spent on cybersecurity. i dug up this number, but it's well into the billions of dollars a year. so there's a difference between, you know, if you're a big company making your computers safer and making the whole system safer. there's a little bit of a tragedy of the commons problem here in that banks, for example, now spend a lot of money on internet security. and when they get hacked, it tends to not go as badly as it does when some other kinds of companies get hacked because they make those kinds of investments. but, you know, what about the rest of us? and while it's nice that my bank is more likely to be able to keep track of how much money i have and where my money is going, we aren't seeing those kinds of investments being made on the really core parts of the
8:25 am
system that i wrote about most often in the series, the operating systems, the way that different routers talk to each other, the way really the internet is fast, really a mesh of computers that are talking to each other constantly at this amazing speed. and there's, one of the most amazing revelations of doing this kind of reporting is that there's really nobody in charge of this, right? it was made by humans, but it's now, it's really beyond the comprehension of any one human. and so that makes it harder to work on the deep, systemic problems that come up again and again. again, an individual bank, you know, the university can do a much better job. they hire the right people, they make the right kinds of investments in hardware and software, and maybe they have to train everybody to do a better job.
8:26 am
but still, i don't know, my sense is it's not getting way better. it seems like there are more and more hacks all the time. they seem to be more severe all the time. and so the only thing i can conclude is that for all of the individual attention that some people in institutions can pay to this problem, all the money that's brought to bear, that there's some very deep problems that aren't getting dealt with in part because no one necessarily perceives them as their problem. there's giant internet thing out there. it connects all of us. and we have some means to protect ourselves if we're sophisticated, but who's protecting the larger commons? who's protecting the public park, if you will, the road network that we're all now sharing? it's not clear to me that anybody is. >> host: and as you mentioned, there are a lot of doors when you think about the fact that an hvac contractor was the door into the target, into the target hack.
8:27 am
>> guest: right. >> host: so -- >> guest: yeah, i mean -- >> host: go ahead. >> guest: these systems end up being so much more incredibly complex than lay people understand. that's a good example, the target hack comes into a flaw, an hvac's connection with the target computer system. it's amazing, right? and there's people out who spend their entire professional lives spent breaking these things that everyone else is trying to keep fixed. so there's a lot of incentive to find holes in all of these systems. >> host: mr. timberg, you talk about bgps, and in that part of the series you ask the question why did potentially sensitive pentagon data once flow through beijing? what's the answer to that question? >> guest: right. [laughter] you know, the answer -- we don't really know the answer of why this incident happened. this was a bgp hijack, let me
8:28 am
explain that a little bit. you know, when i'm on my phone and i connect up with, verizon is my network, my phone sends a signal to verizon over the cellular networks, then verizon sends it around the world. once the communication gets to the level of these very big actors, verizon to china telecom or verizon to google or amazon or whatever, the transmission happens at a really sophisticated level, and so these giant, you could maybe think of them as these giant mighty rivers, like the mississippis of the internet. that data is transmitted using a protocol called bgp which was built a couple of decades ago now. but it turns out like all of this stuff it's, these are rivers that can be diverted if you know what you're doing. so there was a time a few years ago when all of this data from
8:29 am
the united states suddenly and mysteriously suddenly all flowed through these giant computers in beijing. and that included a bunch of military data. now, it is certainly the case that most of the time when these crazy things happen online that it's an accident. it isn't like when giant, these giant rivers of data get moved around that people are leaving up signs that say, oh, yeah, this is the beijing -- this is the chinese government, we've just taken all your stuff or, hey, we're hackers, we've just taken all your stuff. it just is sort of happens, and people who watch these things can see it happened, but they can't really see why it happened. so we don't know why a bunch, you know, a big hunk of internet information including a large amount of military data just suddenly flowed through china a few years ago. we may never know why it happened. >> host: why are you at
8:30 am
stanford? >> guest: i'm doing a knight journalism fellowship which is just about the nicest thing that can ever happen to a journalist. they picked 20 people from around the world, and they let us take classes, and our spouses can take classes, and we do research into issues. so i'm here this academic year. but i arrived -- i'm not supposed to be working, but i arrived with the last piece of this series to complete, the one that was about the operating system. and so i had to spend a little time distracted. but stanford's an amazing place, and the knight program is an amazing program. >> host: are you doing research on technology issues? >> guest: no. i'm actually doing research on some of the vexing business problems with journalism. as you may have heard, it's not been a great decade or so for -- [laughter] for the industry. and so i'm looking at the kinds of disruptions that technology has brought to the traditional business models and whether there's a way to do it better in particular when we cover the world. i used to be a foreign
