Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Security Communications Encryption GNU is Not Unix Open Source Software The Almighty Buck IT Your Rights Online

GPG Programmer Werner Koch Is Running Out of Money 222

New submitter jasonridesabike writes "ProPublica reports that Werner Koch, the man behind GPG, is in financial straits: "The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive. Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded." (You can donate to the project here..)
This discussion has been archived. No new comments can be posted.

GPG Programmer Werner Koch Is Running Out of Money

Comments Filter:
  • by Anonymous Coward

    from GPG founder Werner Koch

  • Latest update (Score:5, Informative)

    by Anonymous Coward on Thursday February 05, 2015 @07:17PM (#48994433)

    From the linked article:

    Update, Feb. 5, 2015, 5:55 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations have also poured into Werner Koch's website donation page to the tune of nearly $50,000 so far.

    • by CronoCloud ( 590650 ) <cronocloudauron@ ... m minus caffeine> on Thursday February 05, 2015 @07:27PM (#48994521)

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Well that's good to hear.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1

      iEYEARECAAYFAlTUChMACgkQnludVzJNqF2p2ACdFew+WZRFx3tgIWLSizrfZuc/
      k1EAoK35K6UURyN3CXW5eUEP4bVas9BP
      =UQA4
      -----END PGP SIGNATURE-----

      • Re:Latest update (Score:5, Informative)

        by gwolf ( 26339 ) <gwolf AT gwolf DOT org> on Thursday February 05, 2015 @07:58PM (#48994739) Homepage

        You should really update your key. A 1024D key with a SHA1 primary signing algorithm is no longer considered safe.

        (Data point: We did quite a work in Debian to migrate to 2048R with SHA256)

        • Re:Latest update (Score:5, Interesting)

          by chihowa ( 366380 ) on Thursday February 05, 2015 @08:51PM (#48995065)

          It's funny that you should mention that. Werner Koch still uses a 1024D key [mit.edu] for email. In fact, nearly everyone at g10code.com either has no key listed or uses 1024D. Most of the people involved in the development of GnuPG use ancient 1042D keys.

          It's not just GnuPG, though. Phil Zimmermann only uses 1024D [philzimmermann.com].

          Perhaps there's something we're missing?

          • Re:Latest update (Score:5, Insightful)

            by gwolf ( 26339 ) <gwolf AT gwolf DOT org> on Thursday February 05, 2015 @09:16PM (#48995215) Homepage

            Interesting thing you mention. Well, our migration was prompted by some theoretical advances; if you look at our slides at DebConf14 [debconf.org] you will see some references to papers presented at the EuroCrypt 2012 conference talking about the relative strengths of different keys.

            I don't contest that Zimmerman and Koch know how to communicate securely and what it takes, but maybe we are talking about a different threat model. One thing is identity assurance just for the sake of identity assurance, but in Debian we use it as a core infrastructural part: Get hold of my GPG key, and you have potential root access to thousands of computers. Of course, there are human checks in place, and it's quite unlikely you'd get away with yours... But it's possible.

            • Re: (Score:3, Insightful)

              by Frobnicator ( 565869 )

              I don't contest that Zimmerman and Koch know how to communicate securely and what it takes, but maybe we are talking about a different threat model. One thing is identity assurance just for the sake of identity assurance, but in Debian we use it as a core infrastructural part: Get hold of my GPG key, and you have potential root access to thousands of computers.

              Holy Hell, I hope you mistyped something!

              It is 2015. If you've got a single password (your private key) with root access to that many machines, something is terribly wrong over at Debian.

              For THOUSANDS OF MACHINES let me introduce you to the concept of a key vault. You start with your two-factor credentials to the vault, check out temporary credentials for the individual machine's keys or services you need, and use them for the day.

              Do not allow your single private key -- no matter how many bits long it i

              • I assume he means that his GPG key is used to sign packages which get loaded to the Debian repository, which you could potentially use to upload a package with a root-executed file in it...

              • Re:Latest update (Score:5, Informative)

                by swillden ( 191260 ) <shawn-ds@willden.org> on Friday February 06, 2015 @01:22AM (#48996003) Homepage Journal

                Holy Hell, I hope you mistyped something!

                He didn't, and he's right, and there's nothing wrong with what he's doing.

                The key in question isn't a login authentication credential used to access large numbers of machines. It's the key used by Debian systems to verify that they trust software packages from Debian. Note that all Debian software packages are installed as root, and run scripts as root during the installation process. Many Debian software packages include binary code that is run as root during normal usage.

                This means that an attacker with the signing key and access to the download servers can create packages that run whatever code he likes on every machine that installs them, as root. If he picks packages that every running Debian system has to have, he can control all well-maintained machines within a few days. That would be hundreds of thousands, maybe millions, of machines, not thousands.

              • by gwolf ( 26339 )

                Holy Hell, I hope you mistyped something!

                It is 2015. If you've got a single password (your private key) with root access to that many machines, something is terribly wrong over at Debian.

                Others have replied, but I think I should do so as well: Yes, we don't use a PGP key to log in to thousands of machines, but we use it to validate package uploads that enter the archive. If I sign+upload a malicious binary package, it's just a matter of time until it reaches users.

                Of course, there are some caveats: First, I must convince users to use my package. This is, my malicious code should not go in a very uninteresting package, it would go to one that I know that has many users. But, second, it shoul

          • by dryeo ( 100693 )

            You want a key that is close but not impossible to break. How else can you feed the right information to others?

          • Perhaps there's something we're missing?

            What you're missing is that if these people wanted to communicate securely, they wouldn't want you to know about it, and they wouldn't be dumb enough to use a key which is associated with their known identity by the world.

        • Done, thanks for the reminder.

    • Additional update (from the article):

      Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project

    • So basically.... the Linux Foundation gave him $60,000 to keep working on the project and told him to shut up and not disclose it until after the pity article to trick people into donating when they otherwise wouldn't have.

    • Pardon the ignorance, but how complex is a library like GPG? How come he still needs to dedicate himself fulltime to it, after almost 20 years? I would have thought, by now, you wouldn't need more than the occasional bug-fix or maybe port to new language standards.

  • Something everyone claims to want, but too cheap to pay for. Thanks, Stallman!

  • No, he's not (Score:5, Interesting)

    by Ydna ( 32354 ) * <andrew.sweger@net> on Thursday February 05, 2015 @07:23PM (#48994489) Homepage

    Looking at the list of donors page, it has this curious summary:

    In 2015 we received 2535 donations of 87299 € .
    In this year we received 2826 donations of 97255 € .

    I'm not sure how to read that as this year is 2015. But if this is all for one person, they don't seem to be hurting for funds now.

    • Re:No, he's not (Score:4, Insightful)

      by Rinikusu ( 28164 ) on Thursday February 05, 2015 @07:31PM (#48994547)

      Sub taxes, sub equipment, for a one man operation he could certainly be doing better in the private industry pushing dick pills and dick pics.

      • Re:No, he's not (Score:5, Insightful)

        by pz ( 113803 ) on Thursday February 05, 2015 @07:52PM (#48994699) Journal

        And subtract retirement, and insurance payments, etc., after all that, no one is going to get rich on EUR 90K per year. Not going to starve, but not going to get rich, either.

        To present some perspective, as an employer in the US (yes, I realize things are probably different in Germany), if my personnel budget is USD 90K, that means my employee is getting only USD 61K in salary. The rest goes to various overheads that I pay to support the position.

        • And then the employee usually has to pay *more* direct from his/her check, both taxes and things like insurance

        • Yep, and $90K for an experienced programmer is a steal. Back in my consulting days i could easily clock $200K a year.

          For some reason I stopped. No idea why,

        • by houghi ( 78078 )

          In Belgium, a company that has an FTE cost of 90K means that the emplyee will get also around 60K as salary, which means around 30K-40K in his pocket to spend.

          Salaries are mostly calculated per month and you normaly have to device by 13.78, (13th month and payed holiday) so that makes a pay of around 2500EUR per month. (what he sees on his paycheck). The average is 3100 EUR [economie.fgov.be]. I excluded Brussels as that is not representative.

          So in Belgium he would also not starve, but also easily get a job that pays more.

          And

        • Running out of money and not getting rich are two different things. If you're on 90k euro a year and you're running out of money, you need to reevaluate your expenditure. I consider myself running out of money when i can only afford a 2.50GBP ready meal instead of spending 4 pounds on a proper meal.
        • by HnT ( 306652 )

          You cannot compare being an employer in the US to being an independent contractor with one employee in Germany. Things are very, VERY different here in terms of insurances and retirement. To give you just one example, the usual figure thrown around by workers in the US is to have at least 1 or 2 million for retirement. This is a figure absolutely no regular European employee will ever lay aside in all their working years unless they have a 1%er position.

          90k Euros a year even as a contractor and after taxes

      • Uhhhh (Score:5, Insightful)

        by Sycraft-fu ( 314770 ) on Thursday February 05, 2015 @08:33PM (#48994971)

        You realize even taking taxes in to account, most people make a lot less than that and do just fine, right? When you see income reported, it is normally pretax. If you think most people are making more than 90,000 Euro a year, you are really out of touch. That's a lot of damn money, in any country, enough to live well. You aren't rich, but you are doing just fine.

        • Re:Uhhhh (Score:5, Interesting)

          by CRC'99 ( 96526 ) on Friday February 06, 2015 @12:32AM (#48995863) Homepage

          I hate to say it - but most people who do OSS work for the masses don't get paid for it.

          I do packaging for Xen used from hobby users through to Disney - yet I get about $400AUD per year in donations. I also have to go buy my own test hardware (I need UEFI kit atm!).

          I understand exactly what Werner means and the challenges faced - but I too don't see a solution for this. OSS has been linked for too long as a 'free solution' - which means nobody puts a currency value on the software and services that are made available to the world. I think its the mental relationship of OSS being 'free' causes it. Nobody blinks an eye to pay $100 for a Windows license - yet go for a $10 donation to an OSS project and people lose their minds...

        • Who is talking about "most people"? This guy seems to have a pretty interesting skill set - it is conceivable that he could do much better applying it to something more lucrative.

        • You realize even taking taxes in to account, most people make a lot less than that and do just fine, right?

          On the other hand, why would someone creating important software that everyone wants to use, be content with "making a lot less and doing just fine"?

          The guy can just give up what he is doing right now and get a better paying job, with no stress trying to get money every year.

        • by Kjella ( 173770 )

          It's more than taxes, for example here in Norway I have 100% sick leave pay from day 1. As self-employed you get 0% for days 1-14 and 65% of some average of past income for day 15-365, if you want more you need expensive insurance. You have to pay your own pension fund. The rule of thumb is usually that that an employee COSTs almost 2x salary all in all.

    • I suspect that the first line is for the donations they were effectively received and the second shows all pledges.

    • by Negatif ( 65194 )

      The article was published earlier today - it looks like a lot of donations have come in after that.

    • Looking at the list of donors page, it has this curious summary:

      In 2015 we received 2535 donations of 87299 € . In this year we received 2826 donations of 97255 € .

      I'm not sure how to read that as this year is 2015. But if this is all for one person, they don't seem to be hurting for funds now.

      My guess is that one is a list of donations for the proceeding 12 months while the other is just for the 2015 calendar year. This would mean that he received almost no donations in the 2014 time period.

    • In the article it says he is looking to pay himself a reasonable salary and to hire one additional full time programmer to assist with the development. Basically he wants to get back to the situation he had pre 2012 before his funding ran out and he had to lay off his staff. It sounds like after this he probably is OK for the time being. Though he is going to need to maintain similar levels of funding going forward if he is going to be able to hire staff.

      It seems to me that the more interesting question

    • It's either this year (2015) in which cast the number of donations increased by just under 300 over these first 6 days of February. If it's this year (past 365 days) then it means that over the past year, excluding January, there were a bit under 300 donations totalling to just under 10,000.

  • by Anonymous Coward on Thursday February 05, 2015 @07:57PM (#48994735)

    Michelangelo finished the pieta in 2 years. You've had 18!! Look, it's good stuff, and you could probably milk this till retirement. Even Michelangelo realized finally that if he took one more swing at his sculpture, he'd have detracted from it.
    You keep this up, you're gonna turn out just like that Torvalds kid.

  • like...really, really watch very closely.
  • Ah hell why not (Score:2, Informative)

    by gatkinso ( 15975 )

    20 euro for you

  • by fred911 ( 83970 ) on Thursday February 05, 2015 @09:54PM (#48995359)

    How soon we forget someone who stood up. Someone who should be honored for his contributions to free speech, expression and privacy,

      Besides, isn't PGP Snowden used?

  • by ModernGeek ( 601932 ) on Friday February 06, 2015 @01:10AM (#48995969)

    I switched to S/MIME because of the easy ability to have a third party sign your key, and the recipients recognize it; utilizing a similar web of trust that we use for SSL. Sure it isn't perfect, but it's a good platform. All the major mail clients support it as well. Unless you're really worried about privacy, it's good enough.

    However, I feel it's the duty of large corporations that profit from the efforts of men like Werner Koch to hire, retain, and support these people, and allow them to freely continue their research. If not through employment, then through grants.

    <joke>I guess he shouldn't have sold all his Radio Shack stock</joke>

  • Interested users could even set up regular donations.
  • by HnT ( 306652 ) on Friday February 06, 2015 @05:59AM (#48996649)

    Note this part of TFA:

    For almost two years, Koch continued to pay his programmer in the hope that he could find more funding.

    So he is also a business owner making bad decisions and pays employees doing programming for him. Are FOSS projects not usually run by not financially dependent-on-each-other volunteers and on code submissions? It seems to me GPG has failed to establish something other projects have successfully done: a tightly knit community in which the whole project does not rest on the shoulders of one man alone. It seems Mr. Koch was trucking along on government funding alone and had no other source of income, this feels like another bad decision to me. This whole project feels like a very strange mixture of FOSS and running a business based on it while expecting to be paid as if it was a closed source, shareware program.

    By all means, he deserves all the donations he can get but maybe it is high time to take a step back and look at how some things might have been run badly and how to improve on that.

To spot the expert, pick the one who predicts the job will take the longest and cost the most.

Working...