Slashdot Mirror


GPG Programmer Werner Koch Is Running Out of Money

New submitter jasonridesabike writes "ProPublica reports that Werner Koch, the man behind GPG, is in financial straits: 'The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive. Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.'" (You can donate to the project here.)

222 comments

  1. Wrong Koch by penguinoid · · Score: 0, Offtopic

    Too bad, I know of two of his relatives who have more money than they know what is morally correct to do with.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Wrong Koch by Anonymous Coward · · Score: 5, Funny

      That guy sucks. I will give him money when he gives me that back door I've been asking for.

    2. Re:Wrong Koch by bobbied · · Score: 5, Informative

      Too bad, I know of two of his relatives who have more money than they know what is morally correct to do with.

      You mean donating $100 million to help build up a hospital in New York isn't morally a good thing?

      http://freebeacon.com/blog/koch-brother-donates-money-to-hospital-liberals-protest-not-a-parody/

      Another $100 Million for Cancer Research at MIT.

      Another $25 Million for Cancer Research at MD Anderson in Houston, TX.

      Then there are donations to the Arts, National Museums and believe it or not *environmental* projects which are on record...

      Yea, these Koch brother guys are the surge of the earth all right, spending all that money on such bad things...

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:Wrong Koch by riverat1 · · Score: 5, Insightful

      They also gave money to the Berkeley Earth project. That one didn't quite turn out like they wanted.

      They also tried to give money to the Florida State University Economics Department with some provisos:

      First, the curriculum it funded must align with the libertarian, deregulatory economic philosophy of Charles Koch. Second, the Charles Koch Foundation would at least partially control which faculty members Florida State University hired. And third, Bruce Benson, a prominent libertarian economic theorist and Florida State University economics department chairman, must stay on another three years as department chairman — even though he told his wife he’d step down in 2009 after one three-year term.

      So much for academic freedom.

    4. Re:Wrong Koch by Anonymous Coward · · Score: 0, Troll

      Academic freedom on a US campus? Yah, ok.

    5. Re:Wrong Koch by Anonymous Coward · · Score: 5, Insightful

      Correct, their donations have no moral basis; they are only doing this because one of them had cancer and they are hoping to ensure their own survival. Gates on the other hand is fighting malaria and other diseases that are of moral concern because people don't need to worry about them.

    6. Re:Wrong Koch by Anonymous Coward · · Score: 3, Insightful

      As someone who has spent a lot of time working around Ph.D. academics, let me clue you in. EVERY US university of any appreciable size whores itself out like this to some collection of rich benefactors/organizations. Mainly because half of the degrees it awards are outright worthless for a career (hard to get alumni donations from the Literature major that has spent the past 10 years since graduation working their way up to local Starbucks manager, or worse, gotten a humanities Ph.D.) and the other half are for jobs that congress and corporations can't outsource fast enough.

      Most American universities have long since ceased being about education, and are now primarily indoctrination camps spreading the propaganda and ideology of the highest bidder.

    7. Re:Wrong Koch by Anonymous Coward · · Score: 0, Informative

      Gates is using his money to protect US intellectual property. To get money from him they have to agree to not use cheaper copies of patented drugs. The patented drugs usually cost over 10x as much.

    8. Re:Wrong Koch by macsimcon · · Score: 5, Insightful

      Right, and all those donations don’t even add up to a fraction of the nearly $1B they plan on spending to influence the 2016 election.

      If a Nazi donated $100 to a soup kitchen, does that forgive Auschwitz? And don’t lecture me on Godwin!

    9. Re:Wrong Koch by Anonymous Coward · · Score: 5, Informative

      The goodness of their philanthropy does not excuse their usurpation of the 'Democratic Republic', the USA. They are part of the reason the US is now a Corporate Oligarchy!

    10. Re:Wrong Koch by WarSpiteX · · Score: 3, Insightful

      Dude, you're posting on Slasbergers with people who read The Fountainhead as teenagers and it totally blew their minds, and been assburgers types they can't grow out of the mindset.

      --


      I'm a little segfault, short and stout.
    11. Re:Wrong Koch by Anonymous Coward · · Score: 1

      I love how everyone claims to have a monopoly on morality.

    12. Re:Wrong Koch by rogoshen1 · · Score: 0

      Hey man, if you ever fall in a freezing pond, and are hoisted out in a prone position...

    13. Re:Wrong Koch by Anonymous Coward · · Score: 0

      There are three brothers.

      One donates money to art galleries and museums.

      The other two ... fuck anyone and anything else because money pretty much sums it up.

    14. Re:Wrong Koch by Anonymous Coward · · Score: 0

      You're saying the guys who opposed the wars, the drug war, restrictions on gay marriage, extra judicial asset forfeiture, and corporate welfare have too much influence on politics? Jeenyus!

    15. Re: Wrong Koch by macsimcon · · Score: 0

      Listen buddy, I don't understand your prison lingo, but I'm straight...

    16. Re:Wrong Koch by epine · · Score: 5, Funny

      Dude, you're posting on Slasbergers with people who read The Fountainhead as teenagers and it totally blew their minds, and been assburgers types they can't grow out of the mindset.

      Funny, in my experience it's the people who aren't blessed with Asperger's syndrome who are particularly prone to pontificate on the basis of choir-pleasing ass-pluck.

      Perhaps we should really rename it obsessive factual reality disorder.

      Furthermore, a great many people who read The Fountainhead at a young age and found it mind blowing went into politics. How I wish more of these people had enough Asperchlorians in their bloodstream to balance their own chequebooks.

    17. Re:Wrong Koch by Anonymous Coward · · Score: 2

      Got a source on that? I'd like to cite it to a few people.

    18. Re:Wrong Koch by CronoCloud · · Score: 1

      You forgot the friendly closing:

      Sincerely, The NSA

      That would have made it slightly funnier.

    19. Re:Wrong Koch by zapadnik · · Score: 1, Troll

      Actually it is Billionaires like Warren Buffett, Bill Gates, Thomas Steyer, and the Wall Street cronies who are all Democratic Party donors because the Democratic Party has no problem with using political control over the economy. The Establishment Republicans are bad, but at least have a veneer of Free Market principles (which means, citizens free from Government interference, which is what this is really about).

      The Tea Partiers are the only real ones in the US who oppose the revolving door of cronyism and government corporatism. Of course, the media doesn't want you to know this, which is why so many Slashdotters get in a lather based on propaganda rather than listening to the economic arguments of the Tea Partiers, Thomas Sowell, Milton Friedman, etc who all oppose the distortion of the marketplace that Government brings, with the distortion of the political space that corporatism (which is only possible through Big Government) brings.

      The only solution is Limited Government. A Limited Government can't hurt its citizens, can't fund massive deficits and can't enable cronyism. This is what the US Founding Fathers wanted, and why the Tea Party was actually formed (most Slashdotters believe the Tea Party is what the Extreme Left says they are, and confuses prudent fiscal conservatism with social conservatism when they are not the same at all).

    20. Re: Wrong Koch by macsimcon · · Score: 5, Insightful

      Another right-wing canard to debunk. Oh well here goes...

      For every Soros who is spending money to promote "collectivism" (code used by Ayn Rand-loving sociopathic troglodytes who haven't had a date this century), there are ten or more Adelsons and Kochs promoting their fascism. It isn't even close dude.

      I think it's great that the Koch brothers give to charity, but at those levels, it's like someone who earns $40K per year giving $100 in total to charity each year. Not exactly a sacrifice.

      It's even worse because that worker earning $40K per year can't pay for all of their necessities for life on that salary, where the Kochs have already paid for everything they'll ever need.

    21. Re: Wrong Koch by Anonymous Coward · · Score: 0

      I really don't get your hate for the cave people, most randers here have only seen the inside of a basement.

    22. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Correct, their donations have no moral basis; they are only doing this because one of them had cancer and they are hoping to ensure their own survival. Gates on the other hand is fighting malaria and other diseases that are of moral concern because people don't need to worry about them.

      Since when is "hoping to ensure your own survival" an immoral (or amoral) thing? The people whose lives their cancer research funding will ultimately help to save should be thanking them every day for being profoundly selfish enough to use their money into funding the research that saved their lives.

      That Bill Gates is funding malaria research is nice, when he's healthy. But if you think that he wouldn't direct some money into cancer research if he was suddenly told he has pancreatic cancer, you're a naive, silly little man.

    23. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Fiscal conservatism as espoused by the Tea Party is like England in the 1800s but this time without a monarchy (much better!!11). where your nobility are the rich "upstairs" and everyone else lives "downstairs".

      If you are upstairs; life's great.
      If you are downstairs you live a life of poverty and hardship before you get turfed out and die on the side of the road.

    24. Re: Wrong Koch by Anonymous Coward · · Score: 2, Insightful

      http://www.washingtonpost.com/blogs/right-turn/wp/2014/03/27/democrats-funded-by-billionaires-complain-about-republicans-funded-by-billionaires/

      "But if it’s all that terrible to take billionaires’ money then the Democratic candidates and the Senate Majority PAC should give back their billionaires’ cash"

      http://www.realclearpolitics.com/articles/2014/04/08/the_lefts_billionaire_outsider_hypocrisy_122196.html

      "Who are the Senate Majority PAC’s biggest donors? They include out-of-state billionaires like Hollywood bigwig Steven Spielberg, music mogul David Geffen and former New York City Mayor Michael Bloomberg. “Mayor Mike” donated $2.5 million to the group earlier this year. According to the Center for Responsive Politics, the group’s donor list isn’t short on moneymen funding races in states they don’t live in."

      Pot... meet kettle.

    25. Re:Wrong Koch by Anonymous Coward · · Score: 2, Funny

      No, sorry. I promise it's true though. I read it on a Slashdot comment.

    26. Re:Wrong Koch by Anonymous Coward · · Score: 0

      If he currently donates a million dollars (just as a nice even number), I would expect he would still donate a million dollars. It would just be allocated differently. This is very different than donating little to nothing until you stand to directly benefit. If you don't see the difference, you're a naive, silly little man.

    27. Re:Wrong Koch by I'm+New+Around+Here · · Score: 5, Funny

      Asperchlorians

      My new favorite fake word.

      Not to unseat my favorite real word: quintessential.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    28. Re: Wrong Koch by Anonymous Coward · · Score: 0

      and the sad thing is that still won't convince him

    29. Re:Wrong Koch by crispytwo · · Score: 1, Funny

      Asperchlorians

      take note: coined today!

      #loveit

    30. Re:Wrong Koch by Anonymous Coward · · Score: 0

      What do you know of nazis?

    31. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Didn't they realize, that morality is an "object" bound to relativity? One might even say that, other times, other moralities. But then, what's in time?

    32. Re: Wrong Koch by Anonymous Coward · · Score: 0

      I think that you meant "scourge" rather than "surge".

    33. Re:Wrong Koch by Andtalath · · Score: 2

      Assburgers is often used as a means of indicating that someone does not in fact have Aspergers Syndrome, but is merely acting like an ass.

    34. Re:Wrong Koch by johanw · · Score: 2

      If you want to see what a healthy combination of as free as possible market and government protection for the underclass does, go visit northern Europe. Both fundamentalists views on the economy (pure communism and libertarianism) lead to disaster.

    35. Re:Wrong Koch by Sique · · Score: 2

      Greece is actually an example of the "low taxes for rich people" approach, not for collectivism. In Greece, allowing rich people and property owners to avoid taxes brought the whole state in financial disarray while at the same time "trickle down" economics just didn't work.

      From a taxation point of view, Greece is a libertarian heaven. Your point being?

      --
      .sig: Sique *sigh*
    36. Re: Wrong Koch by Anonymous Coward · · Score: 0

      The Koch brothers are not literal fascists; that's meaningless hyperbole. And no one is saying that they deserve tons of karmic merit for their sacrifices, only that they have done things with their money that people of any political persuasion should find laudable.

    37. Re:Wrong Koch by Anonymous Coward · · Score: 0

      We're not more or less an oligarchy than when the Rockefellers and Astors were running around with their money. Nor is the situation particularly American; European politics is also dominated by moneyed elites; the developing world and Russia even moreso.

    38. Re:Wrong Koch by Hognoxious · · Score: 1

      No, Captain Obvious, because we already knew what he meant.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    39. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Having monopolies is immoral.

    40. Re:Wrong Koch by mister_playboy · · Score: 1

      No, there are four brothers. The youngest two are twins.

      Long story but interesting: http://www.motherjones.com/pol...

      --
      Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
    41. Re: Wrong Koch by Anonymous Coward · · Score: 0

      Incidentally it's also used to describe people with asperger's that DO act like an ass. Which is pretty much every single one of them.

      Seen it a million times on a million boards. Some shithead will be trolling the place or spouting racist nonsense and when they finally get banned for it? Wah wah I have Assburgers you should all pity me because I deserve it so much, wah wah.

      It's no different than the morons who throw OCD around like it's as common as the air we breathe. "OMG I had to have two showers today I'm so ODD lolz!" No. No you don't. You just smell bad.

    42. Re:Wrong Koch by Pieroxy · · Score: 1

      Are you implying that northern Europe is a disaster? You should visit Greece and Sweden, you'll see a great difference.

    43. Re:Wrong Koch by Anonymous Coward · · Score: 0

      as a person with similar and probably superior credentials and experience, personally in 3 big 10 universities and anecdotally via colleagues in dozens of lo and hi profile programs around the states: No. I do not agree with your description.

    44. Re:Wrong Koch by gordo3000 · · Score: 2

      really? considering almost all their money goes to support folks who push for exactly all those things, I think I'll be using revealed preferences to figure out what they really believe, rather than listening to the PR spin.

    45. Re:Wrong Koch by Anonymous Coward · · Score: 0

      If a Nazi donated $100 to a soup kitchen, does that forgive Auschwitz? And don’t lecture me on Godwin!

      No. It would prove there is a real "soup nazi" beyond the comedic caricature conceived by Jerry Seinfeld, a well-known Jew. ;-)

      https://www.youtube.com/watch?v=7WRxEY8o3kc

    46. Re: Wrong Koch by Anonymous Coward · · Score: 0

      The result? Europe saved Greece's ass: gave them EUR200Bn in the course of 2 years. In comparison, Hungary, a country of comparable population, however much less developed economically due to the former Soviet regime, got EUR20Bn (one tenth) over about a 10 year period. So the liars are rewarded and there is not much support for E-Europe.

    47. Re:Wrong Koch by Oligonicella · · Score: 1

      Love it. Two AC's assigning themselves authority. Each contradicting the other. Neither providing a jot of sourcing. Probably both the same guy.

    48. Re:Wrong Koch by Oligonicella · · Score: 1

      Perhaps you would be so kind as to provide some links to evidence of said "revealed preferences" instead of just typing out talking point PR?

    49. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Democrats and Republicans send their kids to the same schools, eat at the same parties, get hand outs from the same corp, and are part of the same societies. Give it a rest. There are those in power (Rothschild, Morgans) influence (Bushs, English Royalty) service to those in influence(public union heads), enforcers (NSA, CIA), suckups (soc sec recipients, public pension recipients, welfare recipients, education hand outs) and the .1% who thinks it is wrong stealing from your neighbor.

    50. Re:Wrong Koch by Whorhay · · Score: 2

      I'm not a fan of the Koch brothers but no one is all evil or all goodness and light. I disagree with the Koch's political spending, but we can still acknowledge the good some of their charitable giving does. As a parent of small children I've noticed that focusing solely on the negative behaviours does nothing to prevent it, while a more balanced approach seems to get better results.

    51. Re:Wrong Koch by bobbied · · Score: 0

      So when it is shown that they actually DO donate to laudable causes, you are upset with them because they didn't give enough of their income? This is not much more than just class envy at this point.

      IMHO, it doesn't matter how much money somebody makes legally or what they do with it. I don't care if you have more than me or less than me.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    52. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Asperchlorians
      My new favorite fake word.

      Definition: aromatic compounds formed when peeing in the pool after consuming asparagus.

    53. Re:Wrong Koch by Anonymous Coward · · Score: 0

      You have to review the entire body of actions of the Koch brothers.

      Without saying/implying they are good or evil, consider this scenario:

      I do something dishonest/unethical and amass $100bln of wealth. I then contribute $10bln of that wealth to genuinely good causes. That $10bln to good causes does not make up for the other $90bln of damage that I have done. A society that believes that it does would be one rife with bank robbers and scammers who then contribute a fraction of their ill-gotten gains to genuinely worthy causes.

    54. Re: Wrong Koch by Shatrat · · Score: 1

      It isn't even close dude.

      https://www.opensecrets.org/ov...

      Actually it is close, and it's only in the most recent election that Republicans took the lead in fundraising. I expect this is largely driven by the general lack of progress on social issues and the outstanding progress towards a police state we have made.

      --
      09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
    55. Re:Wrong Koch by oldmac31310 · · Score: 2

      Gates is only doing this in case he contracts malaria!

      --
      http://www.acetonestudio.com
    56. Re:Wrong Koch by gordo3000 · · Score: 1

      wait, you are so ignorant of the candidates the Koch brothers have supported in the last 3 election cycles you actually need someone to show you each candidate and their stance on the above policies? I am including the PAC money and which candidates it is deployed to support as well, of course.

      Maybe you should actually start opening your eyes to what different candidates stand for. You seem to have fallen for the theory as compared to the political realities.

      Here is what 3 minutes of searching did. Both Tom Cotton and Joni Ernst have said the Koch brothers funding was instrumental in getting them elected.

      Both supported and continue to support the wars in Afghanistan and Iraq
      Both are strongly against gay marriage

      But if you have a list of candidates who were well supported by the Koch political machine that actually opposed the wars, the drug war, restrictions on gay marriage, and civil asset forfeiture, I'll happily reconsider.

    57. Re:Wrong Koch by Anonymous Coward · · Score: 0

      Everybody knows the backdoor is "Joshua"

  2. A personal appeal by Anonymous Coward · · Score: 1

    from GPG founder Werner Koch

  3. Hal Finney by Anonymous Coward · · Score: 0

    Hal Finney is the guy who built GPG; Hal Finney is also the first person to receive a Bitcoin transaction, which was sent by Satoshi Nakamoto.

    1. Re:Hal Finney by cheesybagel · · Score: 4, Informative

      Wrong. PGP was created by Phil Zimmermann and Hal Finney was the second developer they hired. GnuGP is an open-source reimplementation of the PGP standard written by Werner Koch.

    2. Re:Hal Finney by cheesybagel · · Score: 1

      s/GnuGP/GnuPG/.

    3. Re: Hal Finney by Anonymous Coward · · Score: 0

      That has nothing to do with excessively noisy motorcycles

    4. Re:Hal Finney by anagama · · Score: 5, Insightful

      I know it is against the rules to RTFA, but sometimes it is worth it:

      Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. ... The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.

      In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.

      Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.

      As a side point, Stallman is endlessly criticized around here, laughed at, etc. But he inspired Koch to do something really important and that should be recognized a little bit. Obviously Koch deserves massive praise (and funding) because he did all the work, but it also struck me how important philosophical and moral principles can be in making the world a better place because they can inspire people to do the work.

      --
      What changed under Obama? Nothing Good
    5. Re:Hal Finney by tigersha · · Score: 1

      > Stallman is endlessly criticized around here, laughed at,

      Have you ever seen him live? I have.

      Besides, he is usually not laughed at here. That is the scary part.

      --
      The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
    6. Re:Hal Finney by Andtalath · · Score: 3, Insightful

      He is a smelly hippy.
      However, he is very intelligent and has a solid foundation for what he's saying.

      So while he is somewhat ridiculous, he is also highly fascinating.

    7. Re:Hal Finney by Anonymous Coward · · Score: 0

      This is precisely why I donate to FSF every year. Everybody here should. https://my.fsf.org/donate/

    8. Re:Hal Finney by Anonymous Coward · · Score: 0

      You talk shit about Stallman, but he gave us Gnu Compiler Collection, and most of the tools that Linux was built upon beyond the kernel, and Emacs. There wouldn't have been a Linux to speak of if it wasn't for Stallman. And, open source as it is now wouldn't have been available, e.g. you wouldn't have Libreoffice, OpenVPN, Keepass, Chrome, Firefox, etc. Other editors like Notepad++ and Visual Studio stole a lot of features from Emacs. Many of the libraries that open source software use are using his license. He pioneered the concept of giving away your code and has been one of the few vocal proponents of doing so.

    9. Re:Hal Finney by Anonymous Coward · · Score: 0

      "he is usually not laughed at here."

      says a chortler laughing at Stallman on slashdot here...

      Irony. Not just made of iron.

    10. Re:Hal Finney by Anonymous Coward · · Score: 1

      So really we should be paying him instead of this Koch character then. Sounds like this prick is trying to steal Stallman's thunder.

  4. Latest update by Anonymous Coward · · Score: 5, Informative

    From the linked article:

    Update, Feb. 5, 2015, 5:55 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations have also poured into Werner Koch's website donation page to the tune of nearly $50,000 so far.

    1. Re:Latest update by CronoCloud · · Score: 4, Funny

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Well that's good to hear.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1

      iEYEARECAAYFAlTUChMACgkQnludVzJNqF2p2ACdFew+WZRFx3tgIWLSizrfZuc/
      k1EAoK35K6UURyN3CXW5eUEP4bVas9BP
      =UQA4
      -----END PGP SIGNATURE-----

    2. Re:Latest update by gwolf · · Score: 4, Informative

      You should really update your key. A 1024D key with a SHA1 primary signing algorithm is no longer considered safe.

      (Data point: We did quite a bit of work in Debian to migrate to 2048R with SHA256)

    3. Re:Latest update by Anonymous Coward · · Score: 0

      y0u iNs3n*SI*tiff Cl0d cUrV25519 iS tHe mohSt g00D ALG!

    4. Re:Latest update by chihowa · · Score: 4, Interesting

      It's funny that you should mention that. Werner Koch still uses a 1024D key for email. In fact, nearly everyone at g10code.com either has no key listed or uses 1024D. Most of the people involved in the development of GnuPG use ancient 1042D keys.

      It's not just GnuPG, though. Phil Zimmermann only uses 1024D.

      Perhaps there's something we're missing?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    5. Re:Latest update by gwolf · · Score: 4, Insightful

      Interesting thing you mention. Well, our migration was prompted by some theoretical advances; if you look at our slides at DebConf14 you will see some references to papers presented at the EuroCrypt 2012 conference talking about the relative strengths of different keys.

      I don't contest that Zimmermann and Koch know how to communicate securely and what it takes, but maybe we are talking about a different threat model. One thing is identity assurance just for the sake of identity assurance, but in Debian we use it as a core infrastructural part: Get hold of my GPG key, and you have potential root access to thousands of computers. Of course, there are human checks in place, and it's quite unlikely you'd get away with yours... But it's possible.

    6. Re:Latest update by CronoCloud · · Score: 0

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA256

      Thanks for the reminder, I had been wondering about that, since the key was almost 8 years old, but hadn't got around to doing it. Better now? 2048 bit RSA key but SHA1 was still the default, had to set a preference in gpg.conf make it SHA256. And yes, I revoked the old key, uploaded the new pubkey to Slashdot and the keyserver. The longer text strings in the SHA256 sig are triggering the Lameness filter, but apparently if the main comment is long enough, the Lameness filter will be satisfied and I won't have to use HTML formatting which would probably mess it up enough to make sig verification difficult.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1

      iQEcBAEBCAAGBQJU1CrAAAoJEGgrLreJLenhFk8IAKCjdK/BbXY3UTZXmlUurRC0
      NDEKiZxmFF5cfzaaZ789cfe50tDTpZr0Ej5aNIkA9M/TOmSycCdekxGRdKv6AdKs
      2x1XG3T4L0QgBnFfq2/koxS6kVP5McNuGm/IzQKVR0STnvwAdzB7trhR+7czqBy3
      uRK30bIXYUkDEcYH05zzETLzMcSNsEhxIECzBrMwMYJpiVX3G+pR5QXL9ryNc1yU
      GH5bEsmkx8xmxrStEAdMW3KvOC28iiRNzySKoyvIaxzD5mBcSkb+M+umfUHRtHNy
      BXX0U/az37j0pYtOJS/Dq/UhyMZlE1on86P7eSfnGqMCeSc0hte7AUx8i8I2JFo=
      =h5FG
      -----END PGP SIGNATURE-----
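
An added example, not part of any comment in this thread: the digest and key algorithm that gwolf remarks on, and that CronoCloud then changes, can be read from a clearsigned message by decoding the signature packet header (RFC 4880) and comparing it with the armor `Hash:` line. The sample is the first signed comment above; the function names and the weak-digest policy set are assumptions of this example, and the signature itself is not verified.

```python
import base64

# Algorithm IDs from RFC 4880 sections 9.1 and 9.4 (22 is the later EdDSA ID).
PUBKEY_ALGOS = {1: "RSA", 3: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
              9: "SHA384", 10: "SHA512", 11: "SHA224"}
WEAK_HASHES = {"MD5", "SHA1"}  # policy choice assumed for this example

# The first signed comment in this thread, copied as posted.
SAMPLE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well that's good to hear.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlTUChMACgkQnludVzJNqF2p2ACdFew+WZRFx3tgIWLSizrfZuc/
k1EAoK35K6UURyN3CXW5eUEP4bVas9BP
=UQA4
-----END PGP SIGNATURE-----
"""


def split_clearsigned(text):
    """Return (declared hash names, raw signature packet bytes)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        raise ValueError("not a clearsigned message")
    declared, i = [], 1
    while i < len(lines) and lines[i]:       # armor headers end at a blank line
        key, _, value = lines[i].partition(":")
        if key == "Hash":
            declared += [h.strip().upper() for h in value.split(",")]
        i += 1
    start = lines.index("-----BEGIN PGP SIGNATURE-----")
    end = lines.index("-----END PGP SIGNATURE-----")
    armor = lines[start + 1:end]
    data = armor[armor.index("") + 1:]       # skip "Version:" and other headers
    b64 = "".join(ln for ln in data if ln and not ln.startswith("="))  # drop CRC24
    # RFC 4880 section 7: with no Hash header, MD5 is implied.
    return declared or ["MD5"], base64.b64decode(b64)


def parse_signature_packet(pkt):
    """Decode the header fields of a version 4 signature packet (tag 2)."""
    first = pkt[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                          # new-format header
        tag, l0 = first & 0x3F, pkt[1]
        if l0 < 192:
            length, off = l0, 2
        elif l0 < 224:
            length, off = ((l0 - 192) << 8) + pkt[2] + 192, 3
        elif l0 == 255:
            length, off = int.from_bytes(pkt[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                     # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        nbytes = 1 << ltype
        length, off = int.from_bytes(pkt[1:1 + nbytes], "big"), 1 + nbytes
    body = pkt[off:off + length]
    if tag != 2 or len(body) != length or body[0] != 4:
        raise ValueError("expected a complete v4 signature packet")
    hashed = body[6:6 + int.from_bytes(body[4:6], "big")]
    created, j = None, 0
    while j < len(hashed) and hashed[j] < 192:   # one-octet subpacket lengths only
        slen = hashed[j]
        if hashed[j + 1] & 0x7F == 2:            # signature creation time
            created = int.from_bytes(hashed[j + 2:j + 6], "big")
        j += 1 + slen
    return {"sig_type": body[1],
            "pubkey": PUBKEY_ALGOS.get(body[2], "unknown(%d)" % body[2]),
            "hash": HASH_ALGOS.get(body[3], "unknown(%d)" % body[3]),
            "created": created}


def audit(text):
    """Report the algorithms a clearsigned message actually used."""
    declared, pkt = split_clearsigned(text)
    info = parse_signature_packet(pkt)
    info["declared"] = declared
    info["findings"] = []
    if info["hash"] in WEAK_HASHES:
        info["findings"].append("weak digest: " + info["hash"])
    if info["hash"] not in declared:
        info["findings"].append("armor Hash header (%s) does not match signature packet (%s)"
                                % (",".join(declared), info["hash"]))
    return info


if __name__ == "__main__":
    print(audit(SAMPLE))
```

The packet header gives the algorithm family but not the key length, so a finding here is a prompt to inspect the signing key itself.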

    7. Re:Latest update by CronoCloud · · Score: 1

      Done, thanks for the reminder.

    8. Re:Latest update by Frobnicator · · Score: 2, Insightful

      I don't contest that Zimmermann and Koch know how to communicate securely and what it takes, but maybe we are talking about a different threat model. One thing is identity assurance just for the sake of identity assurance, but in Debian we use it as a core infrastructural part: Get hold of my GPG key, and you have potential root access to thousands of computers.

      Holy Hell, I hope you mistyped something!

      It is 2015. If you've got a single password (your private key) with root access to that many machines, something is terribly wrong over at Debian.

      For THOUSANDS OF MACHINES let me introduce you to the concept of a key vault. You start with your two-factor credentials to the vault, check out temporary credentials for the individual machine's keys or services you need, and use them for the day.

      Do not allow your single private key -- no matter how many bits long it is -- to have root access to thousands of machines.

      --
      //TODO: Think of witty sig statement
    9. Re:Latest update by iluvcapra · · Score: 1

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      I use GnuPG to secure some archival things in the cloud.

      I'd consider giving some money to it if it was actually usable for its first and
      most important function, namely, securing emails. It works perfectly, but it's
      deployment is utterly lacking, no major vendors have gotten far enough behind it to
      enable it by default, and even knowledgable users don't do something as simple as
      sign their emails, to at least advertise to others that they have a key.

      Also I live in LA, I can see ICANN from my office window, and there are basically no
      opportunities to get your key signed. GPG has no community.

      These aren't technical problems with GPG, they're problems with how it's marketed
      and how it's positioned in platforms. In my opinion, GnuPG needs users a lot more
      than it might need $60k in emergency funds. Get the users and the funding will likely
      be obviated.

      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.4.10 (Darwin)
      Comment: GPGTools - http://gpgtools.org/

      iEYEARECAAYFAlTUP/sACgkQdILWxHwGqZcRfwCcDco8z5LG0gS2JR7LvifOEE1U
      eJUAn1ZbFlj9V7t/Es380X6tEen5RBWs
      =TrGp
      -----END PGP SIGNATURE-----

      --
      Don't blame me, I voted for Baltar.
    10. Re:Latest update by Anonymous Coward · · Score: 1

      you can put your pubkey on Slashdot, text entry field at the very bottom: https://slashdot.org/users.pl?...

    11. Re:Latest update by stoborrobots · · Score: 1

      I assume he means that his GPG key is used to sign packages which get loaded to the Debian repository, which you could potentially use to upload a package with a root-executed file in it...

    12. Re:Latest update by Anonymous Coward · · Score: 0

      i assume he means that one key will allow modification of the maintained packages, the binaries in which may run as root on systems where said package is installed. so, rather indirect access to root, and *moot* except for intentional backdoors or exploitable bugs. it's the backdoor potential that his key is protecting.

    13. Re:Latest update by CronoCloud · · Score: 1

      -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 You're right in that gnupg needs people and groups to get behind it. I started using Linux in 2002 and didn't start using gnupg till 2007. While part of the reason was that I had been using an e-mail client without built in gpg support, another part was I didn't know much about it. I might not have even realized I already had it installed. I do sign e-mail, and I do have my pubkey here on Slashdot and the keyservers. And sometimes, in threads related to e-mail security or pgp/gnupg, I'll even post a signed comment -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJU1FBQAAoJEGgrLreJLenh5HkIANWxqtMDYvF87o9K7qy18oSt 7NylbnZWEOL4NrJ0Uypttm6mRskLOIZCx5/MyGSU2hFwvRvMwsAOcBCoxHLMIoUY v4riY90LnvnKvB4uEVBPKiiUD1HpVsmysLyihCQnXzrwUOIzPk0QiVEdvOGf6unc jm14zTkINsfFUjKxt1YInOQbuDL6Gb8OAiFyEIfjUQ+4cZqlZym0/a70L1HOXJSI rWgYH6LiFMjJ2c5DLmDJHkCOBrAyXk7qSBhFRPO7PopM6oM1RL1UElIYP1qB/4zw G+O2dIhZrTcbwhLXQW1Yf2Oal6tpRNnzGCBqWf3BTlCyw1EjJMbDuLKk1ZFsEQA= =32VS -----END PGP SIGNATURE-----

    14. Re:Latest update by swillden · · Score: 4, Informative

      Holy Hell, I hope you mistyped something!

      He didn't, and he's right, and there's nothing wrong with what he's doing.

      The key in question isn't a login authentication credential used to access large numbers of machines. It's the key used by Debian systems to verify that they trust software packages from Debian. Note that all Debian software packages are installed as root, and run scripts as root during the installation process. Many Debian software packages include binary code that is run as root during normal usage.

      This means that an attacker with the signing key and access to the download servers can create packages that run whatever code he likes on every machine that installs them, as root. If he picks packages that every running Debian system has to have, he can control all well-maintained machines within a few days. That would be hundreds of thousands, maybe millions, of machines, not thousands.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:Latest update by El_Muerte_TDS · · Score: 1

      Additional update (from the article):

      Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project

    16. Re:Latest update by dryeo · · Score: 1

      You want a key that is close but not impossible to break. How else can you feed the right information to others?

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    17. Re:Latest update by Anonymous Coward · · Score: 0

      For THOUSANDS OF MACHINES let me introduce you to the concept of a key vault

      What FOSS exists to implement a key vault?

    18. Re:Latest update by drinkypoo · · Score: 1

      Perhaps there's something we're missing?

      What you're missing is that if these people wanted to communicate securely, they wouldn't want you to know about it, and they wouldn't be dumb enough to use a key which is associated with their known identity by the world.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    19. Re:Latest update by Anonymous Coward · · Score: 0

      How does that make any sense? The point of publishing a key is so that communications not initiated by you can be secured. By publishing a known weak key, you would be ensuring that anyone trying to initiate contact with you would think that their communication was secured while it actually isn't. What does that buy you?

      What harm would come from knowing that the inventor of PGP uses PGP?

    20. Re:Latest update by drinkypoo · · Score: 1

      What harm would come from knowing that the inventor of PGP uses PGP?

      You're not too into this whole computer security thing, are you?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    21. Re:Latest update by Talderas · · Score: 1

      So basically.... the Linux Foundation gave him $60,000 to keep working on the project and told him to shut up and not disclose it until after the pity article to trick people into donating when they otherwise wouldn't have.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    22. Re:Latest update by gwolf · · Score: 2

      Holy Hell, I hope you mistyped something!

      It is 2015. If you've got a single password (your private key) with root access to that many machines, something is terribly wrong over at Debian.

      Others have replied, but I think I should do so as well: Yes, we don't use a PGP key to log in to thousands of machines, but we use it to validate package uploads that enter the archive. If I sign+upload a malicious binary package, it's just a matter of time until it reaches users.

      Of course, there are some caveats: First, I must convince users to use my package. This is, my malicious code should not go in a very uninteresting package, it would go to one that I know that has many users. But, second, it should not attract too much attention, as others would likely find my backdoor. Say, if I wanted to reach maximum number of machines, I could update an "Essential" package, such as base-files. But first, the package is not mine (so my friend Santiago, the package maintainer, would jump at the unexpected upload). And it does not get updates often, so others would probably debdiff it and uncover my betrayal. And third, that would make my malicious package enter the unstable distribution. Were I looking for a real foothold on a large amount of computers, I'd have to wait probably around two years until it reaches a stable release.

      That's why I said "thousands" and not "millions" :-)
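
The review signals gwolf lists in this comment (an upload not signed by the package's maintainer, an Essential package that rarely changes, a diff that others would inspect), together with swillden's point above that maintainer scripts run as root, can be combined into a triage check for incoming uploads. This is an added example, not Debian's tooling and not code from anyone in the thread; the record layout, fingerprints, versions, threshold and function names are hypothetical, and all data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

# Scripts a package may run as root at install or removal time.
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")


@dataclass
class Upload:
    package: str
    version: str
    signer: str                  # fingerprint of the key that signed the upload
    uploaded: date
    scripts: dict = field(default_factory=dict)   # script name -> contents


@dataclass
class PackageRecord:
    essential: bool              # installed on every system
    known_signers: frozenset     # maintainer plus listed uploaders
    last: Upload                 # previous accepted upload


def changed_scripts(old, new):
    """Maintainer scripts that were added, removed or modified."""
    return [name for name in MAINTAINER_SCRIPTS
            if old.scripts.get(name) != new.scripts.get(name)]


def triage(record, upload, quiet_days=180):
    """Return (priority, reasons) for a new upload of a known package."""
    reasons = []
    # Uploads by other developers are legitimate, so this is a flag for
    # review, not a rejection.
    if upload.signer not in record.known_signers:
        reasons.append("signer is not the maintainer or a listed uploader")
    gap = (upload.uploaded - record.last.uploaded).days
    if gap > quiet_days:
        reasons.append(f"package had been quiet for {gap} days")
    scripts = changed_scripts(record.last, upload)
    if scripts:
        reasons.append("root-run maintainer scripts changed: " + ", ".join(scripts))

    if not reasons:
        priority = "ok"
    elif record.essential or len(reasons) >= 2:
        priority = "urgent"      # wide reach, or several signals at once
    else:
        priority = "review"
    return priority, reasons


# --- constructed sample data (placeholder fingerprints and versions) ---
MAINT = "FPR-MAINTAINER-CONSTRUCTED"
OTHER = "FPR-OTHER-DEVELOPER-CONSTRUCTED"
POSTINST = "#!/bin/sh\nset -e\necho configured\n"

BASE_PREV = Upload("base-files", "1.0", MAINT, date(2014, 6, 1),
                   {"postinst": POSTINST})
BASE_FILES = PackageRecord(True, frozenset({MAINT}), BASE_PREV)

# Signed by someone else, after a long quiet period, with a changed postinst.
SUSPICIOUS = Upload("base-files", "1.1", OTHER, date(2015, 2, 6),
                    {"postinst": POSTINST + "echo extra step\n"})
# Ordinary maintainer upload a month later, scripts untouched.
ROUTINE = Upload("base-files", "1.1", MAINT, date(2014, 7, 1),
                 {"postinst": POSTINST})

TOOL_PREV = Upload("example-tool", "2.0", MAINT, date(2015, 1, 10))
EXAMPLE_TOOL = PackageRecord(False, frozenset({MAINT}), TOOL_PREV)
# Non-essential package uploaded by another developer: one signal only.
OTHER_UPLOAD = Upload("example-tool", "2.1", OTHER, date(2015, 1, 30))

if __name__ == "__main__":
    for rec, up in ((BASE_FILES, SUSPICIOUS), (BASE_FILES, ROUTINE),
                    (EXAMPLE_TOOL, OTHER_UPLOAD)):
        priority, reasons = triage(rec, up)
        print(up.package, up.version, priority, reasons)
```

A check like this only orders the review queue; the actual control is still a human reading the diff, as the comment describes.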

    23. Re:Latest update by polymeris · · Score: 2

      Pardon the ignorance, but how complex is a library like GPG? How come he still needs to dedicate himself fulltime to it, after almost 20 years? I would have thought, by now, you wouldn't need more than the occasional bug-fix or maybe port to new language standards.

    24. Re:Latest update by Anonymous Coward · · Score: 0

      The keys and signatures are too fucking big - they should switch over to ECC and the hex keys and signatures at least fit on a single line and are not much longer than most messages.

      The above post looks butt ugly.

    25. Re:Latest update by Anonymous Coward · · Score: 0

      It's not complex if you know your cryptography.

      I really have to wonder what this guy does all day apart from sit on his ass.

      I know he's not making GPG more accessible, he probably spends most of his time explaining how to make the damn thing work.

      They should either write their own email client or actively partner with someone like the Mozilla Thunderbird project.

    26. Re:Latest update by CronoCloud · · Score: 1

      The inline signatures are smaller if you use SHA1, which is not recommended as that Debian fellow stated. Then Slashdot doesn't mess up the formatting, my previous post is butt ugly because I had to switch to HTML formatting to actually post the thing.

      If you're using gpg in e-mail you use MIME so it's not an issue.

    27. Re:Latest update by Anonymous Coward · · Score: 0

      You certainly seem like you're into something, but it doesn't seem to be computer security.

  5. FOSS Funding by Anonymous Coward · · Score: 0

    Can't he just sell support or something? Isn't there supposed to be viable funding models for FOSS projects?

    1. Re:FOSS Funding by bill_mcgonigle · · Score: 4, Insightful

      Can't he just sell support or something? Isn't there supposed to be viable funding models for FOSS projects?

      He does sell support.

      However, I suspect he's been offered many contracts and never knew about them:

      Please do not send any attachments with ZIP files or any HTML in it. They are all silently discarded. Note, that this includes messages send as plain text plus HTML.

      There is something I'd like to do with GPG that isn't a standard yet. I'll have to remember to scrutinize Thunderbird's settings before sending him a solicitation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:FOSS Funding by CronoCloud · · Score: 1

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Thunderbird won't send HTML messages unless you configure it to do so. It's plain text by default.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1

      iEYEARECAAYFAlTUEuwACgkQnludVzJNqF3w5wCfRu8HX2sBa1lR/W6CS4gUao45
      K7gAn22FGqPkAX2BH3s0PYa5JqTgM5vy
      =H6cw
      -----END PGP SIGNATURE-----

    3. Re:FOSS Funding by Anonymous Coward · · Score: 0

      He does sell support.

      Evidently that's not gone well. With things like this and OpenSSL the whole FOSS funding model really is being shown to not be viable, even now that OpenSSL was found to be so buggy and under-resourced it is now being funded mostly by proprietary vendors.

      How can people still keep trying to sell the FOSS model under the guise of viability when it is proven to not be so outside of a few enterprise edge cases?

    4. Re:FOSS Funding by Anonymous Coward · · Score: 0

      Thunderbird won't send HTML messages unless you configure it to do so. It's plain text by default.

      Thunderbird won't, but it's likely also not used by the people who want to receive commercial support for the program they are using.

    5. Re:FOSS Funding by Anonymous Coward · · Score: 0

      Thank $DEITY there is at least one popular e-mail program around that defaults to plaintext.

      I'm really tired of programs forging a 'html version' even when the e-mail doesn't use italic/bold/underline/whatever. (And a good nine tenths of them don't. But never mind! Let's bloat the e-mail to 300% in size anyway.)

      Also, I'm really tired of seeing the 'attachment' icon on pretty much every e-mail I get. Even though all they have is a lousy 'html version' that's no better than the plaintext one.

    6. Re:FOSS Funding by CronoCloud · · Score: 1

      Claws-mail defaults to plain text too...because it can't send HTML e-mail by design. It can display it just fine, but never sends it.

      Also, I'm really tired of seeing the 'attachment' icon on pretty much every e-mail I get.

      You would see the attachment icon if I sent an e-mail to you, I use PGP/MIME and sign all e-mail, the signature appears as an attachment.

    7. Re:FOSS Funding by rdnetto · · Score: 1

      Kmail defaults to plain text as well. In fact, a lot of its design seems to indicate that its authors use mailing lists quite heavily...

      --
      Most human behaviour can be explained in terms of identity.
  6. Can't even pay for music by Rinikusu · · Score: 0

    Something everyone claims to want, but too cheap to pay for. Thanks, Stallman!

    --
    If you were me, you'd be good lookin'. - six string samurai
  7. Open Source by Anonymous Coward · · Score: 1

    Open source software is generally accompanied with the idea that it should be given away, although the two aspects are technically unrelated.

    Often the people behind it end up underfunded with only the occasional VC passing by raking it in.

    Such is life in the give-away world!

    1. Re:Open Source by Anonymous Coward · · Score: 0

      No shit! HOW DARE HE ask for money for this project! What a fucking shill!

  8. No, he's not by Ydna · · Score: 4, Interesting

    Looking at the list of donors page, it has this curious summary:

    In 2015 we received 2535 donations of 87299 € .
    In this year we received 2826 donations of 97255 € .

    I'm not sure how to read that as this year is 2015. But if this is all for one person, they don't seem to be hurting for funds now.

    --

    "The great thing about multitasking is that several things can go wrong at once." -me

    1. Re:No, he's not by Rinikusu · · Score: 3, Insightful

      Sub taxes, sub equipment, for a one man operation he could certainly be doing better in the private industry pushing dick pills and dick pics.

      --
      If you were me, you'd be good lookin'. - six string samurai
    2. Re:No, he's not by Anonymous Coward · · Score: 1

      To be fair, this hit reddit about 8 hours ago, and the funding has been rolling in since. Still, if you've ever used GPG, kick the guy a few dollars. It's pretty likely that this influx of money is going to be a very short term thing, and it would be nice if development costs were covered for at least another few years.

    3. Re:No, he's not by Anonymous Coward · · Score: 0

      This news was posted earlier today on Hacker News. Slashdot is so late in posting this that he's well funded now. Stripe and Facebook have already pledged $50k/year for him. Others too. So he's good now.

    4. Re:No, he's not by Anonymous Coward · · Score: 0

      Well this story got publicized on reddit and elsewhere, with people going to his site and donating. Maybe this is all the recent spike.

    5. Re:No, he's not by Anonymous Coward · · Score: 0

      Hey, I contributed to FOSS too, does that mean I shouldn't have to work for the next two years as well?!

    6. Re:No, he's not by geantvert · · Score: 2

      I suspect that the first line is for the donations that were effectively received and the second shows all pledges.

    7. Re:No, he's not by Negatif · · Score: 2

      The article was published earlier today - it looks like a lot of donations have come in after that.

    8. Re:No, he's not by pz · · Score: 4, Insightful

      And subtract retirement, and insurance payments, etc., after all that, no one is going to get rich on EUR 90K per year. Not going to starve, but not going to get rich, either.

      To present some perspective, as an employer in the US (yes, I realize things are probably different in Germany), if my personnel budget is USD 90K, that means my employee is getting only USD 61K in salary. The rest goes to various overheads that I pay to support the position.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    9. Re:No, he's not by Anonymous Coward · · Score: 0

      Second line is probably trailing twelve months.

    10. Re:No, he's not by Anonymous Coward · · Score: 0

      Is your contribution an essential part of the security infrastructure for virtually every linux distribution?

    11. Re:No, he's not by Anonymous Coward · · Score: 0

      Some of mine are. But I work free software and open source only part time, I have a day job.

    12. Re:No, he's not by Anonymous Coward · · Score: 0

      Equipment? For what? Public github?

    13. Re:No, he's not by Anonymous Coward · · Score: 0

      Or last year, as in last 365 days until today.

    14. Re:No, he's not by Anonymous Coward · · Score: 0

      The article was published to several other news aggregators before it reached slashdot. FTFA:

      Update: ... Meanwhile, since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000.

    15. Re:No, he's not by Anonymous Coward · · Score: 0

      From his comment, I'd say dick equipment.

    16. Re:No, he's not by Anonymous Coward · · Score: 0

      If you took the time to look at the previous years you would see - 30,000, 24,000 - ridiculously small numbers to try to live by in Europe (and support a family). I assume he must have done some consulting gigs or savings to get by with those.

    17. Re:No, he's not by Anonymous Coward · · Score: 0

      after all that, no one is going to get rich

      Why should he?

      Serious question, since this is Slashdot, and the first few posts are whining about those dastardly rich Koch brothers.

    18. Re:No, he's not by Anonymous Coward · · Score: 0

      Dude, everybody pays taxes. And what "equipment" are you talking about? A cool new laptop every two years? 1K/yr. Internet access for a year? less than 1K/yr. Some posh loft downtown? Ok that could get expensive.

      IMO, 90K/yr is way overpaid for a part time gig. The dude probably spends less than 10h/wk on this project (if he doesn't then he's doing something very, VERY wrong).

    19. Re:No, he's not by Anonymous Coward · · Score: 0

      He's 53
      How much family is he still supporting?

    20. Re:No, he's not by i.r.id10t · · Score: 1

      And then the employee usually has to pay *more* direct from his/her check, both taxes and things like insurance

      --
      Don't blame me, I voted for Kodos
    21. Re:No, he's not by Anonymous Coward · · Score: 0

      PGP has brought incredible value to people, and thus its inventor should be rewarded properly.

    22. Re:No, he's not by Anonymous Coward · · Score: 0

      In maoist* Germany, people have kids at age 40 and 42.

      *In the guise of GREEN* and LINKS*

    23. Re:No, he's not by sg_oneill · · Score: 1

      Yep, and $90K for an experienced programmer is a steal. Back in my consulting days i could easily clock $200K a year.

      For some reason I stopped. No idea why,

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    24. Re:No, he's not by Anonymous Coward · · Score: 0

      If he has children, they are now probably in secondary school or at university. Those are expensive years for a parent.

    25. Re:No, he's not by houghi · · Score: 2

      In Belgium, a company that has an FTE cost of 90K means that the employee will get also around 60K as salary, which means around 30K-40K in his pocket to spend.

      Salaries are mostly calculated per month and you normally have to divide by 13.78, (13th month and paid holiday) so that makes a pay of around 2500EUR per month. (what he sees on his paycheck). The average is 3100 EUR. I excluded Brussels as that is not representative.

      So in Belgium he would also not starve, but also easily get a job that pays more.

      And this is just the taxes, so no infrastructure cost. It will include insurance and most likely 100% public transport or mileage for 50% for car usage to and from work.

      --
      Don't fight for your country, if your country does not fight for you.
    26. Re:No, he's not by geantvert · · Score: 1

      You are probably right.

    27. Re:No, he's not by Ginger+Unicorn · · Score: 1

      Running out of money and not getting rich are two different things. If you're on 90k euro a year and you're running out of money, you need to reevaluate your expenditure. I consider myself running out of money when i can only afford a 2.50GBP ready meal instead of spending 4 pounds on a proper meal.

      --
      (1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
    28. Re:No, he's not by HnT · · Score: 1

      You cannot compare being an employer in the US to being an independent contractor with one employee in Germany. Things are very, VERY different here in terms of insurances and retirement. To give you just one example, the usual figure thrown around by workers in the US is to have at least 1 or 2 million for retirement. This is a figure absolutely no regular European employee will ever lay aside in all their working years unless they have a 1%er position.

      90k Euros a year even as a contractor and after taxes and insurances translates to netting roughly 40k-50k Euros in a country where the estimated net salary is 2k a month and many, many people have to make do with significantly less than that. I would say average rent is somewhere between 500 and 800 a month not accounting for utilities.

      Programmer median salary is 42k a year, senior developer median is 55k. Employees also give up almost half their pay for insurances, taxes etc.

      You do the math. 90k a year is pretty great in Germany and definitely in the top 10% or 5%.

      --
      "Only one thing is impossible for God: To find any sense in any copyright law on the planet." - Mark Twain
    29. Re:No, he's not by Anonymous Coward · · Score: 0

      You're comparing net and gross salaries.

    30. Re:No, he's not by Anonymous Coward · · Score: 0

      i made 48eu as a life science post doc in freiburg. everyone I knew saved for retirement, especially with the recent increase in pensioner age in germany. I had a 50% effective tax rate. in conclusion, what the fuck are you talking about?

      doesn't seem so great to me to expect him to run a business off 90k in a banner year. he only got these donations after begging, unlikely anyone could believe his last 5 years were anywhere near as lucrative.

    31. Re:No, he's not by jittles · · Score: 1

      Looking at the list of donors page, it has this curious summary:

      In 2015 we received 2535 donations of 87299 € . In this year we received 2826 donations of 97255 € .

      I'm not sure how to read that as this year is 2015. But if this is all for one person, they don't seem to be hurting for funds now.

      My guess is that one is a list of donations for the preceding 12 months while the other is just for the 2015 calendar year. This would mean that he received almost no donations in the 2014 time period.

    32. Re:No, he's not by usuallylost · · Score: 1

      In the article it says he is looking to pay himself a reasonable salary and to hire one additional full time programmer to assist with the development. Basically he wants to get back to the situation he had pre 2012 before his funding ran out and he had to lay off his staff. It sounds like after this he probably is OK for the time being. Though he is going to need to maintain similar levels of funding going forward if he is going to be able to hire staff.

      It seems to me that the more interesting question is how many of the other important open source projects are in the same position? Is there a better way to fund them? I mean this guy made his funding goals by getting the media to talk about the situation back in December. That doesn’t seem like a sustainable model.

    33. Re:No, he's not by Anonymous Coward · · Score: 0

      Bullshit it's a serious question. Maybe if you're an MBA looking to get rich off someone else's work. If you don't understand why, then you are no true nerd, and do not belong here.

    34. Re:No, he's not by Anonymous Coward · · Score: 0

      lets whining about this rich bastard that is not worth the money others throw at him commence. C'mon - this is /. we know we can do better and we know we can roll our own but we will not and we will whine and course because we are who we are.

    35. Re:No, he's not by johnnys · · Score: 1

      What he said. GPG is a very useful tool. I've used it for a while so I kicked in some money.

      --
      Sometimes the "writing on the wall" is blood spatter...
    36. Re:No, he's not by Anonymous Coward · · Score: 0

      An excellent point! Perhaps a kind of clearing-house web page listing all such Free Software projects, where you can donate right there by various methods might be a good idea.

      At work, for example, we have VLC rolled out on every client (about 20k). Payments made to VideoLAN.org? Yeah....zero!

      But we employ people and pay them actual salary to verify our 'compliance' with Microsoft licensing and send the corrected numbers to the finance people, so they can write an even bigger check to Redmond.

      I like the Free Software licenses like GPL2 and so on, but it doesn't account for greed and relies exclusively on more or less enlightened people, who voluntarily put their money where their mouth is. That in this case, out of all possible sponsors, it had to be Facebook to make a name for themselves in 'support' of GnuPG, ought to drive the blood of shame to all of us!!

    37. Re:No, he's not by Anonymous Coward · · Score: 0

      According to the article, he's got an 8-year old.

    38. Re:No, he's not by Oligonicella · · Score: 1

      Is this a nerd version of an SJW? You're not ____ , therefore you don't understand ____ and must not speak or question?

      Nawh. You're a troll. Bet you're the same guy who says "Music should be free! Artists should do tours to make their money."

    39. Re:No, he's not by Talderas · · Score: 1

      It's either this year (2015) in which case the number of donations increased by just under 300 over these first 6 days of February. If it's this year (past 365 days) then it means that over the past year, excluding January, there were a bit under 300 donations totalling to just under 10,000.

      --
      "Lack of speed can be overcome. In the worst case by patience." --Znork
    40. Re:No, he's not by Enigma2175 · · Score: 3, Informative

      PGP has brought incredible value to people, and thus its inventor should be rewarded properly.

      However, this person is not the inventor of PGP, Phil Zimmermann is. Koch just wrote an open source program that complies with the OpenPGP RFC. This is certainly valuable and I do think that the community receives sufficient benefit from this program to support it financially, but Koch isn't an inventor, he is a programmer that implemented a public standard.

      --

      Enigma

    41. Re: No, he's not by Anonymous Coward · · Score: 0

      please go back and read the history on it. encryption was illegal to import so he decided to fork it and write his own and give it away. he may not have created the original, but gpg has stood the test of time.

      this guy is one of many unsung heroes in the computer world. sadly most take these guys/gals ;) for granted. i have been guilty of this as well.

  9. Re:Werner *Koch* by sjames · · Score: 1

    He is more likely to get money from the ducks I think.

  10. dear werner, please finish the damn thing by Anonymous Coward · · Score: 5, Funny

    Michelangelo finished the pieta in 2 years. You've had 18!! Look, it's good stuff, and you could probably milk this till retirement. Even Michelangelo realized finally that if he took one more swing at his sculpture, he'd have detracted from it.
    You keep this up, you're gonna turn out just like that Torvalds kid.

  11. usability by Anonymous Coward · · Score: 0

    If more people used it, he would get more money. I am pretty good at writing user documentation. I thought about writing some for gpg4win, so non-techies could use it. But then I took a look at it more closely, and it seemed hopeless.

    1. Re:usability by CronoCloud · · Score: 2

      Remember that Werner's native language isn't English. I think the PDF version of the Documentation is fairly good. The HTML version...could use a bit more work on the navigation interface.

      http://www.gpg4win.org/documen...

  12. Donor List = Watch List? by turkeydance · · Score: 1

    like...really, really watch very closely.

  13. Perhaps he should make his software easier to use. by bhspencer · · Score: 1

    Like so many encryption schemes it is still too difficult for the man in the street.

  14. Koch might hire you with the new money by raymorris · · Score: 1

    Take another look, knowing that Koch now has funds to pay a decent writer.

  15. Uhhhh by Sycraft-fu · · Score: 5, Insightful

    You realize even taking taxes in to account, most people make a lot less than that and do just fine, right? When you see income reported, it is normally pretax. If you think most people are making more than 90,000 Euro a year, you are really out of touch. That's a lot of damn money, in any country, enough to live well. You aren't rich, but you are doing just fine.

    1. Re:Uhhhh by CRC'99 · · Score: 5, Interesting

      I hate to say it - but most people who do OSS work for the masses don't get paid for it.

      I do packaging for Xen used from hobby users through to Disney - yet I get about $400AUD per year in donations. I also have to go buy my own test hardware (I need UEFI kit atm!).

      I understand exactly what Werner means and the challenges faced - but I too don't see a solution for this. OSS has been linked for too long as a 'free solution' - which means nobody puts a currency value on the software and services that are made available to the world. I think it's the mental relationship of OSS being 'free' that causes it. Nobody blinks an eye to pay $100 for a Windows license - yet go for a $10 donation to an OSS project and people lose their minds...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    2. Re:Uhhhh by MightyYar · · Score: 1

      Who is talking about "most people"? This guy seems to have a pretty interesting skill set - it is conceivable that he could do much better applying it to something more lucrative.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    3. Re:Uhhhh by Anonymous Coward · · Score: 0

      the commies (that includes Merkel, who once was a youth commie and now bows to commie agendas like destroying our nuclear power) have fucked up germany while sucking up to New York, so that they can stay in power.

      This is the result.

      I sit next to a guy with a physics PHD. He worked on x ray satellites. He could not get a job in industry for ten months and is now doing a job which could be done by anyone who learned some hacking in their bedrooms.

      Germany these days is run by progressivists communists and maoists, especially in media and in Berlin. As usual, the German populace is obedient to their new masters. 95% cowards.

    4. Re:Uhhhh by gnasher719 · · Score: 1

      You realize even taking taxes in to account, most people make a lot less than that and do just fine, right?

      On the other hand, why would someone creating important software that everyone wants to use, be content with "making a lot less and doing just fine"?

      The guy can just give up what he is doing right now and get a better paying job, with no stress trying to get money every year.

    5. Re: Uhhhh by Anonymous Coward · · Score: 0

      Well in fairness you Viking wannabes used to march in goosestep with your Nazi masters that you loved so much. Didn't work out very well, did it?

      Thanks for all the war reparations by the way. It's been fun making your entire country our botch since 1945.

    6. Re:Uhhhh by Kjella · · Score: 1

      It's more than taxes, for example here in Norway I have 100% sick leave pay from day 1. As self-employed you get 0% for days 1-14 and 65% of some average of past income for day 15-365, if you want more you need expensive insurance. You have to pay your own pension fund. The rule of thumb is usually that an employee costs almost 2x salary all in all.

      --
      Live today, because you never know what tomorrow brings
    7. Re:Uhhhh by ACE209 · · Score: 1

      That Angela "Marktkonforme Demokratie" Merkel is communist, is news to me.

      --
      "we are all atheists about most of the gods that societies have ever believed in. Some of us just go one god further."
    8. Re:Uhhhh by Anonymous Coward · · Score: 0

      Who is talking about "most people"? This guy seems to have a pretty interesting skill set - it is conceivable that he could do much better applying it to something more lucrative.

      In which case he should get a lucrative position in industry and maintain gnupg as a hobby while continuing to fund gnupg through those close to EUR90K per year donations. Nobody said you are entitled to live solely off your F/LOSS contributions. Maybe RedHat Inc. will hire this guy and offer him a bully pulpit as they granted SystemD's creator.

    9. Re:Uhhhh by Anonymous Coward · · Score: 0

      "He could do much better" doesn't mean anything like "running out of money".

    10. Re:Uhhhh by MightyYar · · Score: 1

      Are you looking for a pedantic argument? I'm not really interested in that. It's pretty clear that the guy is not happy with the current financial situation (which has since been relieved, apparently).

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    11. Re:Uhhhh by MightyYar · · Score: 1

      It sounds like the funding came in after his plea, so I can't really fault him. The strategy worked, apparently.

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  16. Now somebody shoot him in the leg. by Anonymous Coward · · Score: 0

    Then like that Indiana girl scout, he'll be raking in the dough. Bonus points if he had it happen while walking seven miles uphill in the snow to get to his computer.

    Then none of us have to worry about anything else in the world except the next episode of Downtown Abbey.

  17. He could get a job by Anonymous Coward · · Score: 0

    He could actually go out and get a job if he wants.

  18. If we send scratch to Koch by Anonymous Coward · · Score: 0

    Is that known as "scratching the Koch"? How do we know Koch won't blow the wad on hookers?

  19. Ah hell why not by gatkinso · · Score: 1, Informative

    20 euro for you

    --
    I am very small, utmostly microscopic.
    1. Re:Ah hell why not by AnonymusCowMoo · · Score: 0

      +20 more

    2. Re:Ah hell why not by Anonymous Coward · · Score: 0

      Let me also chuck in a small +5. This is an important project after all.

    3. Re:Ah hell why not by gatkinso · · Score: 1

      Now get back to work, you.

      --
      I am very small, utmostly microscopic.
  20. Phil Zimmerman by fred911 · · Score: 2

    How soon we forget someone who stood up. Someone who should be honored for his contributions to free speech, expression and privacy.

    Besides, isn't PGP what Snowden used?

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  21. Kinda makes you wonder by Anonymous Coward · · Score: 0

    Kinda makes you wonder if his last name runs donors off.

    To a lot of the people who would like to support a lot of this stuff but without any full knowledge of the subject, the Koch name now is pretty toxic alone due to the brothers and all their misdeeds.

    1. Re:Kinda makes you wonder by Anonymous Coward · · Score: 0

      Why? Which brothers? Koch is an extremely common surname in German-speaking countries. I would not directly associate the name with any specific person and I doubt many other people will.

  22. Re:Perhaps he should make his software easier to u by CronoCloud · · Score: 1

    It's not that hard to use, there are GUI tools for gpg use on all platforms. Heck, I created my old key using GPA (gnu privacy assistant) a GUI interface to gnupg, since I couldn't get enough entropy on the command line. (As an aside, I created that key on a Playstation 2 Linux kit) I was/am no genius either. GPG4Win uses Kleopatra to interface with gpg, which is nice. Take a look at the PDF documentation on the gpg4win website

    http://www.gpg4win.org/documen...

  23. Hahah! Well played, NS4. by Anonymous Coward · · Score: 0

    rawr! i'm metadata monster!

  24. Re:A better place for it by Anonymous Coward · · Score: 0

    Why shouldn't there be a standard system API available for all application to use to verify and sign themselves and their parts? This could follow the chain up from UEFI secure boot to ensure the correct daemons are run, the daemons could verify that the correct system started them. It's really unreasonable to expect every application and utility and package to come up with their own way of doing this!

  25. and? by Anonymous Coward · · Score: 0

    that can happen with free, open source software.

    nothing to see here.

  26. Re:A better place for it by armanox · · Score: 1

    Except if you put it in systemd, then it becomes confined to Linux. Side note, GPG gets used across quite a few platforms (I see OS X, Windows, and VMS listed on the binaries page, and seems to be good on other Unix systems too), so it makes for a great utility for others to be able to use to verify whatever.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  27. Me too! by dark.nebulae · · Score: 1

    I'm running out of money too, if anyone wants to send some to me that would be great!

    - Bill Gates

  28. S/MIME called .. it wants it's something something by ModernGeek · · Score: 3, Informative

    I switched to S/MIME because of the easy ability to have a third party sign your key, and the recipients recognize it; utilizing a similar web of trust that we use for SSL. Sure it isn't perfect, but it's a good platform. All the major mail clients support it as well. Unless you're really worried about privacy, it's good enough.

    However, I feel it's the duty of large corporations that profit from the efforts of men like Werner Koch to hire, retain, and support these people, and allow them to freely continue their research. If not through employment, then through grants.

    <joke>I guess he shouldn't have sold all his Radio Shack stock</joke>

    --
    Sig: I stole this sig.
  29. +4 by Anonymous Coward · · Score: 0

    A new high for Slashdot

  30. It's funny listening to all the spastic... by Karmashock · · Score: 0

    ... political retards foam at the mere mention of someone named Koch. Never mind the guy is a big name in computer security and has nothing whatsoever to do with it. This is supposed to be Slashdot. Not the Huffington Post or wherever you fucktards came from.

    On topic, I definitely think someone should partner with him. If he wants to go it alone and stay solo then... there is a price for that. Being alone means you're alone. However, his name and experience would lend some value to one of the larger encryption pushes. I'm sure one of the bigger tech companies that feels they need to boost their credibility in security could fund him for a song.

    We'll see what happens. I wish the fellow well and more importantly hope that strong encryption becomes a bigger part of the way everything is done going forward.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  31. Patreon? by aklinux · · Score: 1

    Interested users could even set up regular donations.

  32. Too bad by Anonymous Coward · · Score: 0

    I feel sorry for him. However, donating money to him would probably mean dire consequences. I have a family, I can't take those risks.

  33. Do not mix up FOSS and running a business so fast! by HnT · · Score: 3, Interesting

    Note this part of TFA:

    For almost two years, Koch continued to pay his programmer in the hope that he could find more funding.

    So he is also a business owner making bad decisions and pays employees doing programming for him. Are FOSS projects not usually run by not financially dependent-on-each-other volunteers and on code submissions? It seems to me GPG has failed to establish something other projects have successfully done: a tightly knit community in which the whole project does not rest on the shoulders of one man alone. It seems Mr. Koch was trucking along on government funding alone and had no other source of income, this feels like another bad decision to me. This whole project feels like a very strange mixture of FOSS and running a business based on it while expecting to be paid as if it was a closed source, shareware program.

    By all means, he deserves all the donations he can get but maybe it is high time to take a step back and look at how some things might have been run badly and how to improve on that.

    --
    "Only one thing is impossible for God: To find any sense in any copyright law on the planet." - Mark Twain
  34. Corporations make billions from "open source" by Anonymous Coward · · Score: 0

    Cry me a river. This guy has been working for free while corporations have been making billions by exploiting "open source" (remember, it's not free software, it's open source!). That's the one flaw in the "open source" - why would anyone give away their labor while corporations exploit what they do to make billions?

    1. Re:Corporations make billions from "open source" by Anonymous Coward · · Score: 0

      why would anyone give away their labor while corporations exploit what they do to make billions?

      Because they want to solve a problem not only for themselves, but for everybody?
      Because they want the software to be used and adopted widely, to form a community around it that will help with the maintenance?
      Because money isn't necessarily the motivator or the endgame for everyone on the planet?

  35. Yes they are by Anonymous Coward · · Score: 1

    "The Koch brothers are not literal fascists;"

    Yes they are.

    You may be thinking they aren't literal *NAZI*s, which may be (probably is) true, but go look up the definition of fascist, and Kochs are fascists, literally. Or do you not know what literally means?

    1. Re:Yes they are by zapadnik · · Score: 0

      Actually, the most useful definition of "Fascism" is the economics one:
      "State control of the Fruits of Production, while the Means of Production remain in Private Hands".
      Fascism is a Far Left ideology.

      Contrast this with the Extreme Left of Communism where:
      "State Control of the Fruits of Production, and the State controls the Means of Production".

      It is a complete lie of the Extreme Left that Fascism is somehow politically "Right" (well, it is just to the Left of communism, so is right from their point of view, but far left from everyone else's).

      This is why the Nazis were Nationalist *Socialists*, and the Italian Fascists came from the Socialist Party. Fascism is a type of socialism that is not the opposite of communism, it is its rival.

      Now according to this definition it is Obama who is taking the US in a fascist direction - at least according to Stanford University Economics Professor Thomas Sowell:
      http://www.youtube.com/watch?v...

      Don't fall for the deception of the Communists. Understand that Fascism is a form of socialism, and nothing to do with the political Right (which is anti-Collectivist and thus cannot be socialist).

  36. I gave him $10USD, who the fuck cares? by EmagGeek · · Score: 1

    I gave the guy $10. I doubt the NSA gives a shit who donates money.

    Fact is people use his software to help blow the whistle on tyranny and oppression all around the world. Regardless of what you think of him, his business practices, or even if you're retarded enough to think he has something to do with the Brothers Koch, the fact remains that keeping these tools alive to further the cause is more important than your petty political or armchair-MBA opinions.

  37. community to the rescue by hammarlund · · Score: 1

    This story should be marked as SOLVED! http://news.softpedia.com/news...

  38. Merchant banker by Anonymous Coward · · Score: 0

    Meanwhile, since our story was posted, donations have also poured into Werner Koch's website donation page to the tune of nearly $50,000 so far.

    Enough to make Monty Python's merchant banker puke a little. Won't somebody think of the threat to impoverish those poor bankers?

  39. ok2rta by Anonymous Coward · · Score: 0

    So when can we log into Slashdot, among other sites, using our GPG key (GPGAuth etc.)?

  40. Re:S/MIME called .. it wants it's something someth by Anonymous Coward · · Score: 0

    S/MIME is a standard. GPG is software which supports PGP/MIME, S/MIME, and other standards. I think you may be confused.

  41. Math says "No" by T.E.D. · · Score: 3, Insightful

    You mean donating $100 million to help build up a hospital in New York isn't morally a good thing? Another $100 Million for Cancer Research at MIT. Another $25 Million for Cancer Research at MD Anderson in Huston TX.

    Those gifts were spread out over the last 8 years. The Average American gives about 3% of their income to charity yearly. The Kochs made about $10 Billion last year, so to reach that standard, they would have had to give $300 Million last year alone. It only looks like they are giving a lot in absolute terms because they are so ridiculously wealthy.

    The Kochs are hardly alone in being relative skinflints. The percentage of income given to charity actually rises as income drops. For example, the most destitute zip in my town averages about 7.5%, while the richest gives less than 4% (yes, we are a generous state. Also a poor state). So if it is really charitable giving you care about (as your post seems to imply) then the best way to increase it is to find a way to move money away from the top end of our income distribution, and towards the bottom end.

    Math.

  42. Open-source security is a joke by sn0wflake · · Score: 0

    Quote: "If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation." If it's so open-source then why does it rely on a single person? This reminds me of the Heartbleed bug with underfunded developers. Open-source doesn't mean more security.

  43. Re:Perhaps he should make his software easier to u by Anonymous Coward · · Score: 0

    lol, you created it on a PS2 and you'd like to think of yourself as an average user?

  44. Re:Perhaps he should make his software easier to u by CronoCloud · · Score: 1

    Maybe not an average user, but I had zero experience with Linux or GnuPG before that, and I figured out how to do it.

  45. Re:A better place for it by Anonymous Coward · · Score: 0

    It's available on FreeBSD (as both a package and part of ports (what the package is based on)), but due to its reliance on GNUTLS, its dependency count skyrockets. The software ends up depending on 30 other applications. Honest. Here you go:

    ports/security/gnutls pulls in the following (and this tree is not accurate, i.e. security/nettle could be what pulls in security/libtasn1, etc. -- you get the idea). Official one-liner descriptions of the packages are listed:

    * ports-mgmt/pkg -- acceptable (universally needed at this point anyway on FreeBSD)
    * devel/gmake -- acceptable
    * devel/pkgconf -- acceptable
    * security/nettle -- what the fuck? -- Low-level cryptographic library
    * security/libtasn1 -- what the fuck? -- ASN.1 structure parser library
    * dns/libidn -- okay, so international domain name support; what if I don't want this? (I disable it everywhere else)
    * security/p11-kit -- what the fuck? -- Library for loading and enumerating of PKCS#11 modules
    * security/trousers -- what the fuck? -- The open-source TCG Software Stack
    * print/indexinfo -- acceptable
    * math/gmp -- what the fuck? -- Free library for arbitrary precision arithmetic
    * perl -- acceptable to me, but not acceptable to others
    * security/ca_root_nss -- acceptable
    * devel/libffi -- why?! This is usually only something a PL (ex. Ruby, Python) needs. Perl doesn't depend on this -- Foreign Function Interface
    * devel/automake -- acceptable (grudgingly)
    * devel/autoconf -- acceptable (grudgingly)
    * devel/libtool -- acceptable (grudgingly)
    * devel/automake-wrapper -- acceptable (given reliance on devel/automake)
    * devel/m4 -- acceptable
    * misc/help2man -- acceptable
    * devel/autoconf-wrapper -- acceptable (given reliance on devel/autoconf)
    * devel/gmake-lite -- acceptable, but hilarious considering it just pulled in devel/gmake, but this is a universal FreeBSD ports problem right now (nobody has added proper Mk framework support for gmake, so port X requires gmake-lite while port Y requires gmake, and both will get installed, rather than just saying "okay if something needs gmake then there's no need for gmake-lite" -- been this way for months now...)

    And now security/gnupg itself (which as I said depends on GNUTLS which I just covered):

    * security/libgpg-error -- acceptable, but I don't understand why this is a separate library in itself
    * security/libassuan -- what the fuck? -- IPC library used by GnuPG and gpgme
    * security/libgcrypt -- acceptable
    * security/libksba -- what the fuck? -- KSBA is an X.509 Library
    * devel/npth -- what the fuck? -- New GNU Portable Threads
    * converters/libiconv -- acceptable, but only if you want NLS; some of us don't (and the number is surprisingly large)
    * security/pinentry -- what the fuck? -- Collection of simple PIN or passphrase entry dialogs
    * security/pinentry-tty -- what the fuck? -- Console version of the GnuPG password dialog

    Translation: if someone took GPG and made it use OpenSSL or LibreSSL, a substantial amount of this clusterfuck would disappear. But that would violate the Stallman Way(tm), so what folks end up with is the above. I still have no clue what "trousers" is -- oh sorry, it's apparently spelled TrouSerS. Yes really.

    This mess is the main reason I avoid use of GPG.

    "It makes a great utility for others to be able to use to verify whatever" I don't really agree with. For example, let's talk about SpamAssassin: for whatever reason, this program prefers (borderline requires, i.e. if you aren't using GPG you will get flak in support tickets) use of GPG in some way relating to downloading anti-spam rulesets. Why is this necessary for something like anti-spam rulesets? If it's to verify integrity of, say, rules/tarball/whatever, then MD5/SHA1/SHA256 works just fine for that. Exactly what about anti-spam rulesets warrants extreme security through GPG? What problem is trying to be solved here?

    The above dependency chaos is one of many reasons why BSD folks try and re

  46. Re:A better place for it by armanox · · Score: 1

    Interesting - I wonder why GNUTLS is a dependency (I'm building it from source on IRIX right now, no GNUTLS (currently built) on there). On the GPG website libksba is listed as optional, and npth is listed as 'you don't need it but probably want it'.

    I'm all for replacing a lot of GNU software because of issues like that. Trying to build it manually ends up being a nightmare, because a lot of it depends on other GNU software that you may not want on there for various reasons.

    --
    I'm starting to think GNU is the problem with "GNU/Linux" these days.
  47. Re:A better place for it by Anonymous Coward · · Score: 0

    Hmm, now I wonder why too! Part of me thought "maybe GNUTLS is included with GPG" (as in you can alternately have it link to a shared library version, or you can just include it right into GPG statically), but looking at the git repo for GPG I don't see any sign of it.

    You can verify my claims of dependencies here:

    http://www.freshports.org/security/gnupg/
    http://www.freshports.org/security/gnutls/

    All that said: it looks like the gnupg port has an option for GNUTLS dependency (it defaults to being enabled). For whatever reason I never noticed this before, probably because it's the first menu option (I often miss this). Before and after disabling GNUTLS, dependency counts:

    Before: 30
    After: 13

    Much more manageable, although I'd still love to get that down smaller if at all possible. Getting rid of libksba would be nice, especially if it's optional. As you can see here, it's labelled a hard dependency (both for compiling and running):

    https://svnweb.freebsd.org/ports/head/security/gnupg/Makefile?revision=376062&view=markup

    If it's truly optional, I should be able to submit some patches that provide those knobs (for toggling both libksba and libnpth). I still have no idea what the pinentry stuff is about, but it looks to me like it should be optional: https://www.gnupg.org/related_software/pinentry/index.en.html

    I think it may be that the FreeBSD port is just "bloated by default" (similar to what I find on a lot of Linux systems), and lacks knobs to slim it down. But hopefully that gives you some idea why I've avoided GPG for a while, and why it's important port/package maintainers not let things get too out of hand.

    Looks like I'll have to do some experimenting. And thanks -- this good /. convo has gotten me considering fixing all that and getting a "slim" GPG going for FreeBSD.

  48. Re:A better place for it by Anonymous Coward · · Score: 0

    Slight bummer, but not too bad: despite what the docs may say, both libksba and npth are hard requirements. If you're able to build this on IRIX without those libraries, then maybe you're using an older GPG version (I'm testing 2.1.1), not sure.

    configure will bail out if it cannot find libksba or npth on your system. The autoconf script has no flag to tell it to ignore these; the code explicitly throws error messages and bails if they're missing. Reference for my statements:

    libksba requirement: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=configure.ac;h=f07f345b470046af4414fd39c22cc149f112134a;hb=refs/heads/STABLE-BRANCH-2-0#l1530
    npth requirement: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=configure.ac;h=f07f345b470046af4414fd39c22cc149f112134a;hb=refs/heads/STABLE-BRANCH-2-0#l1539

    As for pinentry: apparently that's needed for gpg-agent to "work securely", but if a person doesn't plan on using gpg-agent, I don't see why this is a requirement. configure does support --disable-agent. However, GPG won't build with --disable-agent -- it appears there's a bug in tests/openpgp/Makefile* that "hard-depends" on gpg-agent existing for it to work, so the build process fails near the very end. :/