I Blame The Agency

This week, everyone’s been upset with the NSA because of all the recent disclosures. So I thought I would share with you a story of something good that came from the NSA (well, at least most people think it is good). What prompted this story was a wonderful infographic on the history of programming languages. This great infographic shows the most popular languages, groups them by era (although it completely omits the 1960s and such wonderful languages as Algol 68 and my fave, PL/I). Below is the Infographic… and the story. [Credit: Infographic by Veracode Application Security]

If you look to the year 1987, you’ll see a youngish fellow in a Hawaiian shirt. That fellow is Larry Wall, and the language we’re talking about is the #10 language, perl. Yes, you have NSA to blame for perl.

Back in the mid-1980s, I was working for a little company in Santa Monica called System Development Corporation. Coworkers of mine were Larry, his brother-in-law Mark, and his other brother-in-law Jon. We were all working on this little program called BLACKER. The job of BLACKER was to build what is now called a VPN — basically, developing a way to layer one network on top of another (at different classifications). We were attempting to do this at a very high level of assurance — specifically, at the A1 level of the Trusted Computer Security Evaluation Criteria (TCSEC). Better known as the Orange Book, the TCSEC was developed by the NSA (the part that cares about computer security) to permit product evaluations, to encourage the introduction of security features, and to encourage the production of systems with greater confidence in those features. If you’ve heard of the Common Criteria, that’s a successor criteria to the TCSEC, and you’ll find aspects of the TCSEC in current security control catalogs such as NIST SP 800-53.

In an A1 system, there were many features and assurances required, such as Mandatory Access Control, Audit, Identification and Authentication, and Object Reuse. Assurance came from a very detailed design, formal methods, and control over that design from a technique called Configuration Management. I was one of the folks designing the operating system for one of the BLACKER components; Larry was our systems guy. Larry, Mark, and I were sharing an office; we were also carpooling together.

Larry was tasked with developing a Configuration Management system to support meeting A1. If you know Larry, you know he believes that the best programmers are lazy, impatient, and have excessive hubris. The CM system had to be able to support development at two locations (Santa Monica and Paoli), and produce CM reports. It had to allow people to review changes, and managers to approve them.

So what did Larry do? First, he decided to modify USENET News to handle the CM submissions. Having written rn, he worked up a version that supported synchronization of articles across the coasts and appending to an article. Now CM submissions could be posted to a local newsgroup, and managers could review and approve the submissions. But how to produce reports? Awk (at the time) was not up to the task, as it couldn’t march through directories. The result: perl (originally to be named Pearl, after Larry’s wife Gloria, who is a pearl, but renamed perl and bacronymed to “Pathetically Eclectic Rubbish Lister”). Perl was developed to march through the CM directories and produce CM reports.

I was the first actual user of perl. I combined the use of perl and a menuing system I had worked on (Q-Menu) to drive our data dictionary. People could edit the nroff source of the data dictionary, and this would then be automatically extracted to form the include files used by the Pascal system that development was using. Single point documentation.

This, by the way, is why I’m perl’s paternal godparent, and Mark is perl’s maternal uncle. It is also why I wrote the history chapter in the original Camel book (and came up with the true footnote to history).

So, when people rag on the NSA, remember there are a bunch of people there who are working hard to ensure more secure computer systems for everyone, and that over 30 years ago, this work gave the world perl.



2 Replies to “I Blame The Agency”

  1. But has anyone been arguing that the NSA does nothing useful or that it is totally bad?

    Does the fact that the NSA may have done numerous useful things totally excuse the actions that Edward Snowden revealed?

    I’m not sure what one has to do with the other.

    This is a fascinating bit of history, however. Thanks for sharing it.

    1. There are two different issues here, which people aren’t seeing. I also think people are pointing the finger at the wrong place.

      What NSA is doing is, under the current laws, legal. They are going through the court they are supposed to, they are not wiretapping domestic conversations (note that under the current law, VoIP is not wiretapping), they are only requesting metadata, etc.

      Whether it is right is a different question. There, the blame belongs on the lawmakers who passed the laws in the first place (before the Obama administration), and those lawmakers who kept those laws in place. The blame goes on those leaders who choose the safe option (the spying to prevent attacks) instead of the choice that is truer to the notions of freedom.

      We need to have our laws catch up with technology, and what’s happened here is a clear example of that. You have laws, rules and regulations designed in the era of hardwired phones that don’t adapt to even having this metadata available, or the ability to search it.

      My point was more that people hear “NSA” and think only of the spying (when it is really CIA that spies). The public side of NSA works to improve cybersecurity, encourage vendors to make more secure products, develop mechanisms to secure communications between defense components. They collect SIGINT, but by law only related to non-citizen communications. There are people that don’t like that — they think the privacy laws should apply to all equally. But the bill of rights really only applies to US citizens — it is one of the privileges of citizenship.

      So, are the actions of NSA excusable? If NSA acted within the constraints of the law, I believe so. They are Department of Defense — they were working to defend the country within the law.

      Are the actions of those who directed the NSA without disclosing any of it excusable? That’s a different question — and probably one we cannot answer without all the data. I think it will raise a discussion that should be had on what the balance between privacy and security should be in the nation.
