Slashdot Mirror


GPG Programmer Werner Koch Is Running Out of Money

New submitter jasonridesabike writes "ProPublica reports that Werner Koch, the man behind GPG, is in financial straits: "The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive. Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded." (You can donate to the project here.)


  1. Latest update by Anonymous Coward · · Score: 5, Informative

    From the linked article:

    Update, Feb. 5, 2015, 5:55 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation's Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations have also poured into Werner Koch's website donation page to the tune of nearly $50,000 so far.

    1. Re:Latest update by CronoCloud · · Score: 4, Funny

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      Well that's good to hear.
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1

      iEYEARECAAYFAlTUChMACgkQnludVzJNqF2p2ACdFew+WZRFx3tgIWLSizrfZuc/
      k1EAoK35K6UURyN3CXW5eUEP4bVas9BP
      =UQA4
      -----END PGP SIGNATURE-----

    2. Re:Latest update by gwolf · · Score: 4, Informative

      You should really update your key. A 1024D key with a SHA1 primary signing algorithm is no longer considered safe.

      (Data point: We did quite a bit of work in Debian to migrate to 2048R with SHA256)
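As an added example (not from this thread, and not GnuPG's own code), a small Python audit that parses `gpg --with-colons --list-keys` output and flags primary keys that fall short of the 2048R bar gwolf describes. The sample listing is constructed and its key ids and fingerprints are placeholders.

```python
import subprocess

# OpenPGP public-key algorithm ids (RFC 4880 section 9.1), as GnuPG prints
# them in field 4 of a --with-colons record.
PK_ALGO = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
MIN_BITS = 2048

# Constructed sample of `gpg --with-colons --list-keys` output; key ids and
# fingerprints are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:u:1024:17:0000000000000001:1100000000:::u:::scESC:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1100000000::0000000000000000000000000000000000000001::Alice Example <alice@example.invalid>:
sub:u:2048:16:0000000000000002:1100000000::::::e:
pub:u:2048:1:0000000000000003:1400000000:::u:::scESC:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1400000000::0000000000000000000000000000000000000003::Bob Example <bob@example.invalid>:
sub:u:2048:1:0000000000000004:1400000000::::::e:
"""


def parse_primary_keys(listing):
    """Return one dict (keyid, algo, bits, first uid) per pub record."""
    keys = []
    current = None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "algo": int(f[3]), "bits": int(f[2]), "uid": ""}
            keys.append(current)
        elif f[0] == "uid" and current is not None and not current["uid"]:
            current["uid"] = f[9]
    return keys


def weak_primary_keys(listing, min_bits=MIN_BITS):
    """Return [(keyid, uid, reason)] for primaries that fail the 2048R bar."""
    findings = []
    for k in parse_primary_keys(listing):
        name = PK_ALGO.get(k["algo"], "algo %d" % k["algo"])
        reasons = []
        if k["algo"] in (1, 17) and k["bits"] < min_bits:
            reasons.append("%d-bit %s below %d-bit minimum" % (k["bits"], name, min_bits))
        if k["algo"] == 17 and k["bits"] == 1024:
            # A 1024-bit DSA key has a 160-bit subgroup, so any digest is truncated
            # to 160 bits: its signatures are SHA1-class at best.
            reasons.append("1024-bit DSA signatures are limited to 160-bit digests")
        if reasons:
            findings.append((k["keyid"], k["uid"], "; ".join(reasons)))
    return findings


def audit_local_keyring():
    """Run gpg on the local keyring and audit its public keys."""
    out = subprocess.run(["gpg", "--with-colons", "--list-keys"],
                         capture_output=True, text=True, check=True).stdout
    return weak_primary_keys(out)


if __name__ == "__main__":
    for keyid, uid, reason in weak_primary_keys(SAMPLE_LISTING):
        print("%s (%s): %s" % (keyid, uid, reason))
```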

    3. Re:Latest update by chihowa · · Score: 4, Interesting

      It's funny that you should mention that. Werner Koch still uses a 1024D key for email. In fact, nearly everyone at g10code.com either has no key listed or uses 1024D. Most of the people involved in the development of GnuPG use ancient 1024D keys.

      It's not just GnuPG, though. Phil Zimmermann only uses 1024D.

      Perhaps there's something we're missing?

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    4. Re:Latest update by gwolf · · Score: 4, Insightful

      Interesting thing you mention. Well, our migration was prompted by some theoretical advances; if you look at our slides at DebConf14 you will see some references to papers presented at the EuroCrypt 2012 conference talking about the relative strengths of different keys.

      I don't contest that Zimmermann and Koch know how to communicate securely and what it takes, but maybe we are talking about a different threat model. One thing is identity assurance just for the sake of identity assurance, but in Debian we use it as a core infrastructural part: Get hold of my GPG key, and you have potential root access to thousands of computers. Of course, there are human checks in place, and it's quite unlikely you'd get away with yours... But it's possible.

    5. Re:Latest update by swillden · · Score: 4, Informative

      Holy Hell, I hope you mistyped something!

      He didn't, and he's right, and there's nothing wrong with what he's doing.

      The key in question isn't a login authentication credential used to access large numbers of machines. It's the key used by Debian systems to verify that they trust software packages from Debian. Note that all Debian software packages are installed as root, and run scripts as root during the installation process. Many Debian software packages include binary code that is run as root during normal usage.

      This means that an attacker with the signing key and access to the download servers can create packages that run whatever code he likes on every machine that installs them, as root. If he picks packages that every running Debian system has to have, he can control all well-maintained machines within a few days. That would be hundreds of thousands, maybe millions, of machines, not thousands.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Re:Wrong Koch by Anonymous Coward · · Score: 5, Funny

    That guy sucks. I will give him money when he gives me that back door I've been asking for.

  3. No, he's not by Ydna · · Score: 4, Interesting

    Looking at the list of donors page, it has this curious summary:

    In 2015 we received 2535 donations of 87299 €.
    In this year we received 2826 donations of 97255 €.

    I'm not sure how to read that as this year is 2015. But if this is all for one person, they don't seem to be hurting for funds now.

    --

    "The great thing about multitasking is that several things can go wrong at once." -me

    1. Re:No, he's not by Rinikusu · · Score: 3, Insightful

      Sub taxes, sub equipment, for a one man operation he could certainly be doing better in the private industry pushing dick pills and dick pics.

      --
      If you were me, you'd be good lookin'. - six string samurai
    2. Re:No, he's not by pz · · Score: 4, Insightful

      And subtract retirement, and insurance payments, etc., after all that, no one is going to get rich on EUR 90K per year. Not going to starve, but not going to get rich, either.

      To present some perspective, as an employer in the US (yes, I realize things are probably different in Germany), if my personnel budget is USD 90K, that means my employee is getting only USD 61K in salary. The rest goes to various overheads that I pay to support the position.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    3. Re:No, he's not by Enigma2175 · · Score: 3, Informative

      PGP has brought incredible value to people, and thus its inventor should be rewarded properly.

      However, this person is not the inventor of PGP, Phil Zimmermann is. Koch just wrote an open source program that complies with the OpenPGP RFC. This is certainly valuable and I do think that the community receives sufficient benefit from this program to support it financially, but Koch isn't an inventor, he is a programmer that implemented a public standard.

      --

      Enigma

  4. Re:Hal Finney by cheesybagel · · Score: 4, Informative

    Wrong. PGP was created by Phil Zimmermann and Hal Finney was the second developer they hired. GnuPG is an open-source reimplementation of the PGP standard written by Werner Koch.

  5. Re:FOSS Funding by bill_mcgonigle · · Score: 4, Insightful

    Can't he just sell support or something? Isn't there supposed to be viable funding models for FOSS projects?

    He does sell support.

    However, I suspect he's been offered many contracts and never knew about them:

    Please do not send any attachments with ZIP files or any HTML in it. They are all silently discarded. Note, that this includes messages sent as plain text plus HTML.

    There is something I'd like to do with GPG that isn't a standard yet. I'll have to remember to scrutinize Thunderbird's settings before sending him a solicitation.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. dear werner, please finish the damn thing by Anonymous Coward · · Score: 5, Funny

    Michelangelo finished the pieta in 2 years. You've had 18!! Look, it's good stuff, and you could probably milk this till retirement. Even Michelangelo realized finally that if he took one more swing at his sculpture, he'd have detracted from it.
    You keep this up, you're gonna turn out just like that Torvalds kid.

  7. Re:Wrong Koch by bobbied · · Score: 5, Informative

    Too bad, I know of two of his relatives who have more money than they know what is morally correct to do with.

    You mean donating $100 million to help build up a hospital in New York isn't morally a good thing?

    http://freebeacon.com/blog/koch-brother-donates-money-to-hospital-liberals-protest-not-a-parody/

    Another $100 Million for Cancer Research at MIT.

    Another $25 Million for Cancer Research at MD Anderson in Houston TX.

    Then there are donations to the Arts, National Museums and believe it or not *environmental* projects which are on record...

    Yea, these Koch brother guys are the scourge of the earth all right, spending all that money on such bad things...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  8. Re:Wrong Koch by riverat1 · · Score: 5, Insightful

    They also gave money to the Berkeley Earth project. That one didn't quite turn out like they wanted.

    They also tried to give money to the Florida State University Economics Department with some provisos:

    First, the curriculum it funded must align with the libertarian, deregulatory economic philosophy of Charles Koch. Second, the Charles Koch Foundation would at least partially control which faculty members Florida State University hired. And third, Bruce Benson, a prominent libertarian economic theorist and Florida State University economics department chairman, must stay on another three years as department chairman — even though he told his wife he’d step down in 2009 after one three-year term.

    So much for academic freedom.

  9. Uhhhh by Sycraft-fu · · Score: 5, Insightful

    You realize even taking taxes into account, most people make a lot less than that and do just fine, right? When you see income reported, it is normally pretax. If you think most people are making more than 90,000 Euro a year, you are really out of touch. That's a lot of damn money, in any country, enough to live well. You aren't rich, but you are doing just fine.

    1. Re:Uhhhh by CRC'99 · · Score: 5, Interesting

      I hate to say it - but most people who do OSS work for the masses don't get paid for it.

      I do packaging for Xen used from hobby users through to Disney - yet I get about $400AUD per year in donations. I also have to go buy my own test hardware (I need UEFI kit atm!).

      I understand exactly what Werner means and the challenges faced - but I too don't see a solution for this. OSS has been linked for too long as a 'free solution' - which means nobody puts a currency value on the software and services that are made available to the world. I think it's the mental relationship of OSS being 'free' that causes it. Nobody blinks an eye to pay $100 for a Windows license - yet go for a $10 donation to an OSS project and people lose their minds...

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
  10. Re:Wrong Koch by Anonymous Coward · · Score: 5, Insightful

    Correct, their donations have no moral basis; they are only doing this because one of them had cancer and they are hoping to ensure their own survival. Gates on the other hand is fighting malaria and other diseases that are of moral concern because people don't need to worry about them.

  11. Re:Wrong Koch by Anonymous Coward · · Score: 3, Insightful

    As someone who has spent a lot of time working around Ph.D. academics, let me clue you in. EVERY US university of any appreciable size whores itself out like this to some collection of rich benefactors/organizations. Mainly because half of the degrees it awards are outright worthless for a career (hard to get alumni donations from the Literature major that has spent the past 10 years since graduation working their way up to local Starbucks manager, or worse, gotten a humanities Ph.D.) and the other half are for jobs that congress and corporations can't outsource fast enough.

    Most American universities have long since ceased being about education, and are now primarily indoctrination camps spreading the propaganda and ideology of the highest bidder.

  12. Re:Wrong Koch by macsimcon · · Score: 5, Insightful

    Right, and all those donations don’t even add up to a fraction of the nearly $1B they plan on spending to influence the 2016 election.

    If a Nazi donated $100 to a soup kitchen, does that forgive Auschwitz? And don’t lecture me on Godwin!

  13. Re:Wrong Koch by Anonymous Coward · · Score: 5, Informative

    The goodness of their philanthropy does not excuse their usurpation of the 'Democratic Republic', the USA. They are part of the reason the US is now a Corporate Oligarchy!

  14. Re:Wrong Koch by WarSpiteX · · Score: 3, Insightful

    Dude, you're posting on Slasbergers with people who read The Fountainhead as teenagers and it totally blew their minds, and been assburgers types they can't grow out of the mindset.

    --
    I'm a little segfault, short and stout.
  15. Re:Wrong Koch by epine · · Score: 5, Funny

    Dude, you're posting on Slasbergers with people who read The Fountainhead as teenagers and it totally blew their minds, and been assburgers types they can't grow out of the mindset.

    Funny, in my experience it's the people who aren't blessed with Asperger's syndrome who are particularly prone to pontificate on the basis of choir-pleasing ass-pluck.

    Perhaps we should really rename it obsessive factual reality disorder.

    Furthermore, a great many people who read The Fountainhead at a young age and found it mind blowing went into politics. How I wish more of these people had enough Asperchlorians in their bloodstream to balance their own chequebooks.

  16. Re: Wrong Koch by macsimcon · · Score: 5, Insightful

    Another right-wing canard to debunk. Oh well here goes...

    For every Soros who is spending money to promote "collectivism" (code used by Ayn Rand-loving sociopathic troglodytes who haven't had a date this century) , there are ten or more Adelsons and Kochs promoting their fascism. It isn't even close dude.

    I think it's great that the Koch brothers give to charity, but at those levels, it's like someone who earns $40K per year giving $100 in total to charity each year. Not exactly a sacrifice.

    It's even worse because that worker earning $40K per year can't pay for all of their necessities for life on that salary, where the Kochs have already paid for everything they'll ever need.

  17. Re:Hal Finney by anagama · · Score: 5, Insightful

    I know it is against the rules to RTFA, but sometimes it is worth it:

    Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. ... The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.

    In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.

    Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.

    As a side point, Stallman is endlessly criticized around here, laughed at, etc. But he inspired Koch to do something really important and that should be recognized a little bit. Obviously Koch deserves massive praise (and funding) because he did all the work, but it also struck me how important philosophical and moral principles can be in making the world a better place because they can inspire people to do the work.

    --
    What changed under Obama? Nothing Good
  18. S/MIME called .. it wants its something something by ModernGeek · · Score: 3, Informative

    I switched to S/MIME because of the easy ability to have a third party sign your key, and the recipients recognize it; utilizing a similar web of trust that we use for SSL. Sure it isn't perfect, but it's a good platform. All the major mail clients support it as well. Unless you're really worried about privacy, it's good enough.

    However, I feel it's the duty of large corporations that profit from the efforts of men like Werner Koch to hire, retain, and support these people, and allow them to freely continue their research. If not through employment, then through grants.

    <joke>I guess he shouldn't have sold all his Radio Shack stock</joke>

    --
    Sig: I stole this sig.
  19. Re:Wrong Koch by I'm+New+Around+Here · · Score: 5, Funny

    Asperchlorians

    My new favorite fake word.

    Not to unseat my favorite real word: quintessential.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  20. Re:Hal Finney by Andtalath · · Score: 3, Insightful

    He is a smelly hippy.
    However, he is very intelligent and has a solid foundation for what he's saying.

    So while he is somewhat ridiculous, he is also highly fascinating.

  21. Do not mix up FOSS and running a business so fast! by HnT · · Score: 3, Interesting

    Note this part of TFA:

    For almost two years, Koch continued to pay his programmer in the hope that he could find more funding.

    So he is also a business owner making bad decisions and pays employees doing programming for him. Are FOSS projects not usually run by not financially dependent-on-each-other volunteers and on code submissions? It seems to me GPG has failed to establish something other projects have successfully done: a tightly knit community in which the whole project does not rest on the shoulders of one man alone. It seems Mr. Koch was trucking along on government funding alone and had no other source of income, this feels like another bad decision to me. This whole project feels like a very strange mixture of FOSS and running a business based on it while expecting to be paid as if it was a closed source, shareware program.

    By all means, he deserves all the donations he can get but maybe it is high time to take a step back and look at how some things might have been run badly and how to improve on that.

    --
    "Only one thing is impossible for God: To find any sense in any copyright law on the planet." - Mark Twain
  22. Math says "No" by T.E.D. · · Score: 3, Insightful

    You mean donating $100 million to help build up a hospital in New York isn't morally a good thing? Another $100 Million for Cancer Research at MIT. Another $25 Million for Cancer Research at MD Anderson in Houston TX.

    Those gifts were spread out over the last 8 years. The Average American gives about 3% of their income to charity yearly. The Kochs made about $10 Billion last year, so to reach that standard, they would have had to give $300 Million last year alone. It only looks like they are giving a lot in absolute terms because they are so ridiculously wealthy.

    The Kochs are hardly alone in being relative skinflints. The percentage of income given to charity actually rises as income drops. For example, the most destitute zip in my town averages about 7.5%, while the richest gives less than 4% (yes, we are a generous state. Also a poor state). So if it is really charitable giving you care about (as your post seems to imply) then the best way to increase it is to find a way to move money away from the top end of our income distribution, and towards the bottom end.

    Math.