<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Post Mortem on Crossref</title><link>https://www-crossref-org.pluma.sjfc.edu/categories/post-mortem/</link><description>Recent content in Post Mortem on Crossref</description><generator>Hugo 0.139.4</generator><language>en-us</language><managingEditor>support@crossref.org (Crossref/Cazinc/Benoît Benedetti)</managingEditor><webMaster>support@crossref.org (Crossref/Cazinc/Benoît Benedetti)</webMaster><lastBuildDate>Thu, 24 Mar 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www-crossref-org.pluma.sjfc.edu/categories/post-mortem/" rel="self" type="application/rss+xml"/><item><title>Outage of March 24, 2022</title><link>https://www-crossref-org.pluma.sjfc.edu/blog/outage-of-march-24-2022/</link><pubDate>Thu, 24 Mar 2022 00:00:00 +0000</pubDate><author>Geoffrey Bilder</author><guid>https://www-crossref-org.pluma.sjfc.edu/blog/outage-of-march-24-2022/</guid><description>&lt;p>So here I am, apologizing again. Have I mentioned that I hate computers?&lt;/p>
&lt;p>We had &lt;a href="https://status-crossref-org.pluma.sjfc.edu/incidents/gwxd1yqdw304" target="_blank">a large data center outage&lt;/a>. It lasted 17 hours. It meant that pretty much all Crossref services were unavailable - our main website, our content registration system, our reports, our APIs. 17 hours was a long time for us - but it was also an inconvenient time for numerous members, service providers, integrators, and users. We apologise for this.&lt;/p>
&lt;p>Like the &lt;a href="https://doi-org.pluma.sjfc.edu/10.64000/sen6x-c2c16" target="_blank">outage last October&lt;/a>, the issue was related to the data center that we are trying to leave. However, unlike last time, our single nearby network admin wasn&amp;rsquo;t in surgery at the time. Tim was alerted in the early hours of his morning and was able get up and immediately investigate.&lt;/p>
&lt;p>Despite having both secondary and tertiary backup connections, neither activated appropriately.&lt;/p>
&lt;p>The problem was with incomplete BGP (Border Gateway Protocol) settings on our primary connection&amp;rsquo;s network provider’s side. We never noticed this because our backup connection had the correct and complete BGP settings. But our backup circuit went down (we don’t know why yet), and when the router with complete settings went down, only the router with the incomplete settings was available and so everything went down.&lt;/p>
&lt;p>We hadn’t yet fully configured the tertiary connection to cut over automatically. This meant cutting over to the tertiary during the outage would have required manual and potentially error-prone reconfiguration. Not something we wanted to do in a hurry with a sleep-deprived network admin.&lt;/p>
&lt;p>It’s not an excuse at all. But we are currently down two people in our infrastructure group. One of our infrastructure staff recently left for a startup, and we are already hiring a new third position. In short, our one-long-suffering sysadmin had to field this all by himself. But hey - &lt;a href="https://www-crossref-org.pluma.sjfc.edu/jobs/2022-03-15-head-of-infrastructure/">we are hiring a Head of Infrastructure&lt;/a>, and if you are interested you can now see the work you&amp;rsquo;d have cut out for you!&lt;/p>
&lt;p>So things are back up and we’ve resolved the incident but we are carefully and cautiously monitoring. We will further analyze what went wrong and post an update when we have a clearer picture.&lt;/p>
&lt;p>I apologize for the downstream pain this outage will have inevitably caused. We realize that many people will now be scrambling to clean things up after this lengthy outage.&lt;/p>
&lt;p>More when I have it… but for now I&amp;rsquo;ll mostly be curled up in a ball.&lt;/p></description></item><item><title>Update on the outage of October 6, 2021</title><link>https://www-crossref-org.pluma.sjfc.edu/blog/update-on-the-outage-of-october-6-2021/</link><pubDate>Wed, 27 Oct 2021 00:00:00 +0000</pubDate><author>Geoffrey Bilder</author><guid>https://www-crossref-org.pluma.sjfc.edu/blog/update-on-the-outage-of-october-6-2021/</guid><description>&lt;p>In &lt;a href="https://doi-org.pluma.sjfc.edu/10.64000/e3xe5-wae58" target="_blank">my blog post on October 6th&lt;/a>, I promised an update on what caused the outage and what we are doing to avoid it happening again. This is that update.&lt;/p>
&lt;p>Crossref hosts its services in a hybrid environment. Our original services are all hosted in a data center in Massachusetts, but we host new services with a cloud provider. We also have a few R&amp;amp;D systems hosted with Hetzner.&lt;/p>
&lt;p>We know an organisation our size has no business running its own data center, and we have been slowly moving services out of the data center and into the cloud.&lt;/p>
&lt;p>For example, over the past nine months, we have moved our authentication service and our &lt;a href="https://api-crossref-org.pluma.sjfc.edu" target="_blank">REST APIs&lt;/a> to the cloud.&lt;/p>
&lt;p>And, we are working on moving the other existing services too. For example, we are in the midst of moving &lt;a href="https://www-crossref-org.pluma.sjfc.edu/services/event-data/" target="_blank">Event Data&lt;/a> and, our next target, after Event Data, is the content registration system.&lt;/p>
&lt;p>All new services are deployed to the cloud by default.&lt;/p>
&lt;p>While moving services out of the data center, we have also been trying to shore up the data center to ensure it continues to function during the transition. One of the weaknesses we identified in the data center was that the same provider managed both our primary network connection &lt;em>and&lt;/em> our backup connection (albeit- on entirely different physical networks). We understood that we really needed a separate provider to ensure adequate redundancy, and we had already had a third network drop installed from a different provider. But, unfortunately, it had not yet been activated and connected.&lt;/p>
&lt;p>Meanwhile, our original network provider for the first two connections informed us months ago that they would be doing some major work on our &lt;em>backup&lt;/em> connection. However, they assured us that it would not affect the primary connection- something we confirmed with them repeatedly since we knew our replacement backup connection was not yet active.&lt;/p>
&lt;p>But, the change our provider made &lt;em>did&lt;/em> affect &lt;em>both&lt;/em> the backup (as intended) and the primary (not intended). They were as surprised as we were, which kind of underscores why we want two separate providers as well as two separate network connections.&lt;/p>
&lt;p>So both our primary and secondary networks went down while we had not yet activated our replacement secondary network.&lt;/p>
&lt;p>Also, our only &lt;em>local&lt;/em> infrastructure team member was in surgery at the time (He is fine. It was routine. Thanks for asking).&lt;/p>
&lt;p>This meant we had to send a local developer to the data center, but the data center’s authentication process had changed since the last time said developer had visited (pre-pandemic). So, yeah, it took us a long time to even get into the data center.&lt;/p>
&lt;p>By then, our infrastructure team member was out of surgery and on the phone with our network provider, who realized their mistake and reverted everything. This whole process (getting network connectivity restored, not the surgery) took almost two hours.&lt;/p>
&lt;p>Unfortunately, the outage didn’t just affect services hosted in the data center. It also affected our cloud-hosted systems. This is because all of our requests were still routed to the data center first, after which those destined for the cloud were split out and redirected. This routing made sense when the bulk of our requests were for services hosted in the data center. But, within the past month, that calculus had shifted. Most of our requests now are for cloud-based services. We were scheduled to switch to routing traffic through our cloud provider first, and had this been in place, many of our services would have continued running during the data center outage.&lt;/p>
&lt;p>It is very tempting to stop this explanation here and leave people with the impression that:&lt;/p>
&lt;ul>
&lt;li>The root cause of the outage was the unpredicted interaction between the maintenance on our backup line and the functionality of our primary line;&lt;/li>
&lt;li>Our slowness to respond was exclusively down to one of the two members of our infrastructure staff being (&lt;em>cough&lt;/em>) indisposed at the time.&lt;/li>
&lt;/ul>
&lt;p>But the whole event uncovered several other issues as well.&lt;/p>
&lt;p>Namely:&lt;/p>
&lt;ul>
&lt;li>Even if one of our three lines had stayed active, the routers in the data center would not have cut over to the redundant working system because we had misconfigured them and we had not tested them;&lt;/li>
&lt;li>We did not keep current documentation on the changing security processes for accessing the data center;&lt;/li>
&lt;li>Our alerting system does not support the kind of escalation logic, and coverage-scheduling that would have allowed us to automatically detect when our primary data center administrator didn’t respond (being in surgery and all) and redirect alerts and warnings to secondary responders; and&lt;/li>
&lt;li>We need to accelerate our move out of the data center.&lt;/li>
&lt;/ul>
&lt;p>What are we doing to address these issues?&lt;/p>
&lt;ul>
&lt;li>Completing the installation of the backup connection with a second provider;&lt;/li>
&lt;li>Scheduling a test of our router’s cutover processes where we will actually pull the plug on our primary connection to ensure that failover is working as intended. We will give users ample warning before conducting this test;&lt;/li>
&lt;li>Revising our emergency contact procedures and updating our documentation for navigating our data center’s security process;&lt;/li>
&lt;li>Replacing our alerting system with one that gives us better control over escalation rules; and&lt;/li>
&lt;li>Adding a third FTE to the infrastructure team to help us accelerate our move to the cloud and to implement infrastructure management best practices.&lt;/li>
&lt;/ul>
&lt;p>October 6th, 2021, was a bad day. But we’ve learned from it. So if we have a bad day in the future, it will at least be different.&lt;/p></description></item><item><title>Outage of October 6, 2021</title><link>https://www-crossref-org.pluma.sjfc.edu/blog/outage-of-october-6-2021/</link><pubDate>Wed, 06 Oct 2021 00:00:00 +0000</pubDate><author>Geoffrey Bilder</author><guid>https://www-crossref-org.pluma.sjfc.edu/blog/outage-of-october-6-2021/</guid><description>&lt;p>On October 6 at ~14:00 UTC, our data centre outside of Boston, MA went down. This affected most of our network services- even ones not hosted in the data centre. The problem was that both of our primary and backup network connections went down at the same time. We&amp;rsquo;re not sure why yet. We are consulting with our network provider. It took us 2 hours to get our systems back online.&lt;/p>
&lt;p>We are going to reprocess content that was in the process of being registered at the time of the outage in order to make sure everything gets registered correctly. This may take a few days to complete.&lt;/p>
&lt;h3 id="why-did-we-have-such-a-complete-outage-and-why-did-it-take-us-so-long-to-fix-it">Why did we have such a complete outage and why did it take us so long to fix it?&lt;/h3>
&lt;ol>
&lt;li>
&lt;p>We still run a significant amount of our infrastructure in a data centre outside of Boston that we manage ourselves. Even though we&amp;rsquo;ve been moving many of our services to the cloud, all our traffic was still routed through the data centre - so when it went down, most of our cloud services were unavailable as well.&lt;/p>
&lt;/li>
&lt;li>
&lt;p>It took us a long time to fix this because our infrastructure team only has two people in it. Only one of them is located near the data centre and was at the doctor’s when the outage occurred. Although we were alerted to the problem immediately, we had to send one of our development team members to the data centre to diagnose and fix the problem.&lt;/p>
&lt;/li>
&lt;/ol>
&lt;p>We have been aware of these weaknesses in our system since I took the role of director of technology in 2019, and we have been putting most of our efforts over the past two years into fixing them.&lt;/p>
&lt;p>We know that an organisation of our size has no business trying to run and maintain a physical data centre ourselves. One of the strengths of cloud-based systems is that they can be administered from anywhere and don&amp;rsquo;t require anyone to physically go to a data centre to replace failed hardware or check that network connections are, in fact, live. We&amp;rsquo;ve been trying to move to the cloud as fast as we can. All new services that we build are cloud-based. At the same time we&amp;rsquo;ve been moving systems out of the data centre - starting with those that put the biggest load on our systems. To further aid this process we have budgeted to add an FTE to the infrastructure team in 2022.&lt;/p>
&lt;p>What is really painful about this event is that we had just completed the last bit of work we needed to do before changing our traffic routing so that it would hit the cloud first instead of the data centre first. This would not have avoided the outage we just experienced, but it would have made it a bit less severe.&lt;/p>
&lt;p>What is even more painful is that we had recently installed a &lt;em>third&lt;/em> network connection with an entirely different provider because we were worried about just this kind of situation. But this third connection wasn’t yet active.&lt;/p>
&lt;p>We already have a long list of tickets that we’ve created to address problems we faced in recovering from this outage. The list will undoubtedly grow as we complete a postmortem over the next few days. I will report back when we have more detail of what happened and have a solid plan for how to avoid anything similar in the future.&lt;/p>
&lt;p>We know that an outage of this severity and duration has caused a lot of people who depend on our services extra work and anxiety. For this, we apologise profusely.&lt;/p>
&lt;p>But at least we didn’t need to use an &lt;a href="https://twitter.com/cullend/status/1445156376934862848" target="_blank">angle grinder&lt;/a>.&lt;/p></description></item><item><title>Lesson learned, the hard way: Let’s not do that again!</title><link>https://www-crossref-org.pluma.sjfc.edu/blog/lesson-learned-the-hard-way-lets-not-do-that-again/</link><pubDate>Wed, 08 Sep 2021 00:00:00 +0000</pubDate><author>Isaac Farley</author><guid>https://www-crossref-org.pluma.sjfc.edu/blog/lesson-learned-the-hard-way-lets-not-do-that-again/</guid><description>&lt;h2 id="tldr">TL;DR&lt;/h2>
&lt;p>We missed an error that led to resource resolution URLs of some 500,000+ records to be incorrectly updated. We have reverted the incorrect resolution URLs affected by this problem. And, we’re putting in place checks and changes in our processes to ensure this does not happen again.&lt;/p>
&lt;h2 id="how-we-got-here">How we got here&lt;/h2>
&lt;p>Our technical support team was contacted in late June by Wiley about updating resolution URLs for their content. It&amp;rsquo;s a common request of our technical support team, one meant to make the URL update process more efficient, but this was a particularly large request. Shortly thereafter, we were provided with nearly 1,200 separate files by Atypon on behalf of Wiley in order to update the resolution URLs of ~9 million records. We manually spot checked over 50 of these files, because, prior to this issue, our technical support team did not have a mechanism to automatically check for errors. That labor intensive review did not turn up any problems. That is, those 50 samples had no errors with the headers, like were found later.&lt;/p>
&lt;p>Among the files we didn’t check, there were headers included in the files with different owning &lt;code>fromPrefix&lt;/code> and acquiring &lt;code>toPrefix&lt;/code> members’ DOI prefixes. In a URL update request, the prefixes should always be the same.&lt;/p>
&lt;p>And still other files included requests to update records with DOIs that had never even been registered. Here are some examples:&lt;/p>
&lt;p>&lt;sub>H:email=support@crossref.org;fromPrefix=&lt;strong>10.5555&lt;/strong>;toPrefix=&lt;strong>10.5555&lt;/strong>&lt;br>
10.5555/doi1 &lt;a href="http://www.newurl.com/whatever" target="_blank">http://www.newurl.com/whatever&lt;/a>&lt;br>
10.5555/doi2 &lt;a href="http://www.newurl.com/whatever2" target="_blank">http://www.newurl.com/whatever2&lt;/a>&lt;/sub>&lt;/p>
&lt;p>In the example above, these fictional DOIs are both under prefix 10.5555. Thus, the result of this request will ONLY be that the resolution URLs of DOI 10.5555/doi1 and 10.5555/doi2 are updated in the metadata.&lt;/p>
&lt;p>&lt;sub>H:email=support@crossref.org;fromPrefix=&lt;strong>10.5555&lt;/strong>;toPrefix=&lt;strong>10.9876&lt;/strong> &lt;br>
10.5555/doi1 &lt;a href="http://www.newurl.com/whatever" target="_blank">http://www.newurl.com/whatever&lt;/a>&lt;br>
10.5555/doi2 &lt;a href="http://www.newurl.com/whatever2" target="_blank">http://www.newurl.com/whatever2&lt;/a>&lt;/sub>&lt;/p>
&lt;p>In this second example, these fictional DOIs are both under prefix 10.5555, but because the &lt;code>toPrefix&lt;/code> in the header differs from the &lt;code>fromPrefix&lt;/code>, the result of this request will be that the resolution URLs of 10.5555/doi1 and 10.5555/doi2 are updated in the metadata AND the owning prefix of both records will be transferred from prefix 10.5555 to prefix 10.9876.&lt;/p>
&lt;p>We kicked off the URL update request on 30 June and all legitimate DOIs whose files were free of errors were updated by 7 July (yes, it takes about a week to update the resolution URLs for ~9 million records).&lt;/p>
&lt;p>On 9 July, Peter Strickland of the International Union of Crystallography, one of 22 members affected by this mistake, contacted us to enquire how/why much of their content was resolving to incorrect URLs and why ownership of their content appeared within our &lt;a href="https://search-crossref-org.pluma.sjfc.edu/" target="_blank">search interface&lt;/a> to be Wiley. Peter was rightly concerned. We were, too. Our technical support team quickly elevated this issue, because, frankly, this is not the first time our finicky URL update process has caused unwanted metadata updates, albeit not quite at this volume.&lt;/p>
&lt;h2 id="how-we-investigated-the-problem">How we investigated the problem&lt;/h2>
&lt;p>We rallied our internal team. We investigated and discovered that we believed that some ~600,000 DOIs were erroneously included and updated in the requested 1,200 files. We later extended that estimate to include other conditions, in order to be as cautious as we could, to over 1 million DOIs. In the end, we determined that the incorrect files attempted updates of 1,228,041 DOIs. Due to the errors in the files (i.e., erroneous headers and non-registered DOIs), we only actually updated and then reverted 520,512 DOIs. The other 700,000+ DOIs were never updated (because of errors in the original files provided to us) or simply had never been registered with us.&lt;/p>
&lt;p>Prior to this mistake, Crossref had never reverted a member’s metadata update before. To be clear, and as I said above, we have had other URL update mistakes over the years, like this one; they were just smaller in scale. We knew there were holes in our process that needed to be plugged. And we knew we needed a better solution for members to manage these updates themselves without our manual intervention. So, while there were mistakes made in the files supplied to us, this was our error and we’re fixing it; more on that below.&lt;/p>
&lt;p>For this situation, we quickly realized that reversion of the metadata update was the best option for us, albeit we did not have an existing process in place to execute that reversion. That’s because we only keep the current version of each metadata record. We couldn’t back out of the change; we couldn’t simply restore these records to the metadata registered with us as of late June, because we no longer had an easily accessible, central record of those previous resolution URLs. What we did have was a record of all the previous submissions made against each DOI, so our technical team, focused their efforts there.&lt;/p>
&lt;h2 id="how-we-fixed-all-those-records">How we fixed all those records&lt;/h2>
&lt;p>We had two errors to correct: the ownership transfers (those records that had inadvertent and mismatched from/to prefixes) and the incorrect resolution URLs. We reverted all of the ownership transfers on 9 July and then double and triple checked that ownership during the week of 12 July to ensure we didn’t miss anything.&lt;/p>
&lt;p>The resolution reversion was more complicated. We invested in creating a patch to identify the records that had been updated by our team, and then extract the last legitimate resolution URL registered with us by the owning member in order to revert the metadata for each record. In order to provide confidence that this mistake was contained, we also built a check into the patch to ensure that those DOIs that did have their ownership temporarily transferred were not updated during the few days that ownership was incorrect. That check helped us determine that none of the 520,512 DOIs were incorrectly updated beyond this mistaken URL update request.&lt;/p>
&lt;p>The technical team built and tested this patch. The tests turned up gaps in the patch, so we refined it during the week of 2021 July 12. We kicked off the reversion of these records on Monday, 19 July at 20:05 UTC and the patch completed all reversions at 20:14 UTC, Thursday, 22 July.&lt;/p>
&lt;p>In the end, we successfully reverted all of the resolution URLs for those 520,512 DOIs we identified; provided &lt;a href="https://status-crossref-org.pluma.sjfc.edu/incidents/5cn1m2nw88rd" target="_blank">daily updates&lt;/a> and apologies to the 22 affected members; together we worked some longer hours; and persevered.&lt;/p>
&lt;figure>&lt;img src="https://www-crossref-org.pluma.sjfc.edu/images/blog/2021/wiley-urls-slack.png"
alt="Ed updates everyone internally on the situation and thanks all the people who worked together to resolve the issue" width="80%">&lt;figcaption>
&lt;p>Ed updates everyone internally on the situation and thanks all the people who worked together to resolve the issue&lt;/p>
&lt;/figcaption>
&lt;/figure>
&lt;h2 id="next-up">Next up&lt;/h2>
&lt;p>We don&amp;rsquo;t want this to ever happen again. Like, never. We clearly need to make changes to our internal processes to prevent this in the future.&lt;/p>
&lt;p>Here’s what’s ahead:&lt;/p>
&lt;ul>
&lt;li>
&lt;p>We are building &lt;a href="https://gitlab.com/crossref/user_stories/-/issues/651" target="_blank">a checker&lt;/a> that we can run URL update files through to automate and our checks. This means we will be able to check every single file in a large batch, rather than relying on manual and labor intensive spot-checking;&lt;/p>
&lt;/li>
&lt;li>
&lt;p>As said above, one compounding issue in this mistake was the mismatched from/to prefixes in the file headers. Our technical support team uses the same file headers to transfer ownership/stewardship of a record or set of records between members AND to update resolution URLs. These two tasks are almost never legitimately completed in the same file. That is, there is usually a lag between ownership transfers and resolution URL updates (most members will request an ownership transfer and then a month or two later update their URLs). Because of this, simply &lt;a href="https://gitlab.com/crossref/user_stories/-/issues/650" target="_blank">decoupling these two tasks&lt;/a> (feel free to follow our work at this link) would help eliminate a glaring risk, so we’re working on that too;&lt;/p>
&lt;/li>
&lt;li>
&lt;p>Lastly, we’re researching ways we can &lt;a href="https://gitlab.com/crossref/issues/-/issues/1444" target="_blank">streamline resource resolution URL updates&lt;/a>. You can also monitor our progress on this one. No promises or specifics yet, but we’re eager to reduce toil on our technical support team, avoid problems like this one, and provide members safe and straightforward ways to better update your metadata.&lt;/p>
&lt;/li>
&lt;/ul>
&lt;p>Thanks for the support of the whole Crossref team and our community - and for reading this far! Never a dull moment&amp;hellip;&lt;/p></description></item><item><title>Accidental release of internal passwords, &amp; API tokens for the Crossref system</title><link>https://www-crossref-org.pluma.sjfc.edu/blog/accidental-release-of-internal-passwords-api-tokens-for-the-crossref-system/</link><pubDate>Fri, 04 Oct 2019 00:00:00 +0000</pubDate><author>Geoffrey Bilder</author><guid>https://www-crossref-org.pluma.sjfc.edu/blog/accidental-release-of-internal-passwords-api-tokens-for-the-crossref-system/</guid><description>&lt;h2 id="tldr">TL;DR&lt;/h2>
&lt;p>On Wednesday, October 2nd, 2019 we discovered that we had accidentally pushed the main Crossref system as part of a docker image into a developer’s account on Docker Hub. The binaries and configuration files that made up the docker image included embedded passwords and API tokens that could have been used to compromise our systems and infrastructure. When we discovered this, we immediately secured the repo, changed all the passwords and secrets, and redeployed the system code. We have since been scanning all of our logs and systems to see if there has been any unusual activity that could be related to the exposure of the container.&lt;/p>
&lt;p>Please note that no external data e.g. member passwords or personal information were exposed; our source code contains only internal passwords and ‘secrets’ such as API tokens.&lt;/p>
&lt;p>Thankfully, the way in which these secrets were exposed (in compressed, binary files which were, in turn, in a Docker image) means that they were probably overlooked by the automated exploitation tools which focus on scanning source code. And, so far, we have seen nothing that would indicate that these passwords and secrets have been exploited. We will, of course, inform our members directly (and update this blog) if that changes.&lt;/p>
&lt;h2 id="more-than-you-probably-want-to-know">More than you probably want to know&lt;/h2>
&lt;p>If you are continuing to read this, my guess is that you might have questions like:&lt;/p>
&lt;ol>
&lt;li>Why are you doing something as silly as embedding secrets and passwords in your code?&lt;/li>
&lt;li>And wait a minute… I thought Crossref code was open source?&lt;/li>
&lt;li>And why is the director of strategic initiatives announcing this?&lt;/li>
&lt;/ol>
&lt;p>Let me answer these questions in random order.&lt;/p>
&lt;p>In March 2019 I took over Crossref’s technical teams when Chuck Koscher announced that he would be retiring at the end of the year. I’m now the director of technology &amp;amp; research.&lt;/p>
&lt;p>A few months earlier we had already concluded that a major portion of the Crossref system had accumulated 20 years of technical debt and that we were going to spend a significant portion of 2019 and 2020 paying down that debt.&lt;/p>
&lt;p>Specifically, a lot of the code that runs Crossref was inherited from a third party who developed it back in the early 2000s. This means that, even though any new systems that we’ve developed since 2007 have been open-source, the code for the oldest parts of the system has remained closed because it contained potentially proprietary code as well as a lot of deprecated coding practices. Also - the architecture, the tooling, and the development processes behind the Crossref system had not changed much in those twenty years. It was fantastic architecture, tooling, and code for its time. But architectures that scale to millions of records need to change to handle hundreds of millions of records. Processes that work for configuring one service need to change when you are managing dozens of services. And support tools that work for a few hundred members break down when you are dealing with tens of thousands of members.&lt;/p>
&lt;p>These parts of the Crossref system were decidedly not &lt;a href="https://en.wikipedia.org/wiki/Twelve-Factor_App_methodology" target="_blank">12 factor&lt;/a>. We were not using &lt;a href="https://en.wikipedia.org/wiki/DevOps" target="_blank">DevOps&lt;/a> or &lt;a href="https://en.wikipedia.org/wiki/Site_Reliability_Engineering" target="_blank">SRE&lt;/a> working practices to run them. And the bulk of that part of the system is still being run in a traditional data center.&lt;/p>
&lt;p>But since March we have been slowly fixing that. In incremental steps. Some of which are visible as a side effect of the security incident that precipitated this blog post. For example, one of our first moves was to move our development to &lt;a href="https://gitlab.com/crossref" target="_blank">Gitlab&lt;/a>. Even though a big chunk of the base Crossref code is still closed source, we saw moving to Gitlab as a priority because Gitlab offers a fantastic suite of tools to help automate and manage our deployments. Similarly, we have been Dockerizing the Crossref system so that it is easier to scale and run in different environments. And as part of this effort, we have spent a lot of time on the issue of how to best handle secrets. We knew our secrets management in this part of the codebase was horrible. We have been developing some experiments and infrastructure for handling these secrets securely. But we haven’t finished this work yet. And so the system slipped out into a public repo too early. Ironically, this too illustrates a fundamental change in the way we develop things. &lt;a href="https://www-crossref-org.pluma.sjfc.edu/truths/">Our default is to be open and transparent&lt;/a>. This case is currently an exception. An exception we want to eliminate, but one we are not ready to do yet. We have to audit and scrub the code first.&lt;/p>
&lt;p>Yes, this incident has been embarrassing. But not nearly as embarrassing as the fact that Crossref has succumbed to a technology industry cliche. That we spent so much time growing and focusing on new features for our members, that we neglected some of the creaking infrastructure of our infrastructure.&lt;/p>
&lt;p>And I should be clear about two things:&lt;/p>
&lt;p>First, not all of our code is like this. We have, for a long time, been building open source software and using modern best practices for secrets management in our newer subsystems and services. The problems described above are confined to twenty-year-old-code that we didn’t write in the first place and that we had been avoiding refactoring.&lt;/p>
&lt;p>And second, the technology team has been marvelous at responding to the challenge we face. They have adopted new processes and tools. They are learning new techniques. We are steadily chipping away at these problems.&lt;/p>
&lt;p>It is generally considered bad practice to praise or reward technology teams for fire-fighting instead of fire prevention, but this may be the exception that proves the rule.&lt;/p>
&lt;p>I was blown away by how the technology, product, and support teams worked together. When we discovered this problem, I sat at my desk in rural France and watched as staff from the UK, and all three US time zones shut down this problem in just a couple of hours. Obviously, I wish we hadn’t had the problem in the first place, but seeing their response did a great deal to encourage me that we are on the right track.&lt;/p>
&lt;p>In any case, it looks like we’ve been lucky. And we’ll be working even harder to refactor our code, tools, and processes so that this kind of thing doesn’t happen again.&lt;/p></description></item></channel></rss>