An abbreviated timeline of the last year of my life:

For a view of my mental state after a year of scrapping for work, consider a dream I had the night after I got the news. In my dream, the offer was generous---at the top of my expected salary range. But there was a catch: I would be paid entirely with sugar. I mean they would ship bags of sugar to my house.1 As I considered the offer in my dreams, it occurred to me that I could use one bag for consuming, but I'd need to find a way to sell the rest.2

Thankfully the actual offer turned out to be easily convertible to other goods and services so I will be part of the OpenSSL Foundation team soon. What will I be doing? Well, here's the OpenSSL mission:

We believe everyone should have access to security and privacy tools, whoever they are, wherever they are or whatever their personal beliefs are, as a fundamental human right.

OpenSSL already provides security and privacy tools. Using the openssl command, it's possible to:

This is just a sample of the security and privacy tools OpenSSL already offers free of charge. Anybody can use the OpenSSL software library and even modify it under a permissive, open source license to build code that looks like:

Launch Control Center vestibule blast door. (National Park Service)

So mission accomplished, right? Unfortunately OpenSSL, like all software, has bugs. Generally bugs are minor and don't cause problems. But a decade ago researchers discovered the Heartbleed bug in OpenSSL.3 This bug hid in the code for over two years, so it's fortunate that white hat researchers found it first. As a result, The Linux Foundation invested in OpenSSL developers and a security audit to maintain it as a core part of the internet's infrastructure.

Modern cryptography depends on the difficulty of computing the prime factorization of huge numbers. In a 1977 Mathematical Games column entitled "A new kind of cipher that would take millions of years to break", Martin Gardner published an encrypted message with a $100 price for deciphering it. He wrote "It is this practical impossibility, in any foreseeable future, of factoring the product of two large primes that makes the M.I.T. public-key cipher system possible." In 1994, or 17 years after the message was published, a team of volunteers using 1600 computers solved the riddle in 8 months. In 2015, Nat McHugh broke the code in 4 hours. In the future, quantum computers might use Shor's algorithm to break much stronger algorithms in a fraction of that time. Just today Google announced a new quantum computer which sounds like science fiction, but could bring us a step closer to technological breakthrough.4

In other words, improvements in computer technology, can make previously unbreakable code start to look like this:

Janky lock wrench situation

The National Institute of Standards and Technology (NIST) recently published four post-quantum encryption (PQE) algorithms that might thwart decryption from quantum computers and OpenSSL has begun work on implementing them. Continuing to develop the library increases the odds that privacy and security tools will continue to be available in the future.

I'm usually suspicious of organizations claiming their specific concern is "a human right". It's too easy to pull out that trump card to move to the front of the concern line. The right to security and privacy, however, has roots in English common law and was expressed in the Fourth Amendment of the US Constitution:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

We tend to keep our private information in electronic documents rather than physical papers, which the founders could not have anticipated. The government needs a warrant to search my papers and, by analogy, the files I send across the internet should enjoy similar protection.

Footnotes:

  1. This dream was almost certainly inspired by this story about a truck-load of rice.

  2. At the moment I can buy 4 pounds of sugar for $3.14 at Walmart. That's 78.5¢ a pound. Depending on my exact expected salary, I'd receive between 150,000 to 200,000 pounds of sugar. Depending on the type of sugar my salary would be between 300,000 and 800,000 cups. In cubic meters: 71 to 198. A 40 foot High Cube shipping container has a max capacity of 72 m3 so my employer would need to deliver at least 1 shipping container of granulated sugar or up to 3 shipping containers of powdered sugar a year to employ me. As my daughter pointed out, we could make and sell candy to get rid of all that sugar. In the meantime, I believe I could park the container on my driveway, though there might be a city ordinance against parking literal tons of sugar at my house.

  3. To my mind this vulnerability benefited from exceptional branding. Attackers could access private data by exploiting a memory leak in the implementation of the heartbeat extension.

  4. To be clear, this isn't really of any practical use and there's some question whether it's genuine progress toward any application at all.