

Once-starving GnuPG crypto project gets a windfall. Now comes the hard part - smacktoward
http://arstechnica.com/security/2015/02/once-starving-gnupg-crypto-project-gets-a-windfall-but-can-it-be-saved/

======
andrewstuart2
> It's encouraging to see the GnuPG project benefitting from similar largess.
> But it also raises the question: how is the money best spent?

However the heck they want to spend it. These are donations. If the guy has
been working so hard just to make the world a better place and he wants to
disappear with the money, I'd be bummed and I imagine lots of other people
would too, but _they were donations_. A "thank you for busting your back for
so long", not a "hey, now you've made it to the big leagues, better saddle up
(the way I want you to, by the way)."

We've been using this software (probably worth many millions a year in the
private sector) for free for how long? At least for libgcrypt, the initial
commit was November 8, _1997_. 17+ years ago.

That said, what are the chances this awesome, passionate developer is going to
deliberately drop this project he's poured blood, sweat, and probably some
tears into? What are the chances that he _doesn't_ labor over the decision on
how to spend the money, and consult his peers?

I sincerely hope this doesn't turn into some donation-gate fiasco where
everybody's miffed about how the money that was freely donated got spent. This
guy has changed the world and deserves to take the money as thanks and not
added responsibility. He's already been shouldering that responsibility for
years.

~~~
alecco
I'm more concerned he might mismanage the money. He seems like a really nice
guy but seems to have no great business/finance perspective. Still, he is free
to do whatever the fuck he wants with my small donation. I feel like I owe him
a lot more than that.

~~~
sumitviii
Why does he need a great business perspective to spend something which is
nowhere close to what companies using his hard work are earning?

~~~
avn2109
This. The article says Google and Facebook each gave him 50 big ones. Which !=
0, but I can't help but thinking that's like .00001 seconds of Google profits,
given to a project that is probably on the critical path of >50% of their
business.

~~~
tobinfricke
Google's profit was $13G in 2013, according to Wikipedia. Thus $50,000 amounts
to about 2 minutes of their profit stream. You are off by seven orders of
magnitude...

More to the point, how do you figure that GPG is on the "critical path" of 50%
of Google's business?

~~~
Estragon

> More to the point, how do you figure that GPG is on the
> "critical path" of 50% of Google's business?

Anywhere they're using a debian-based linux distribution, they're using gpg in
the package management.

~~~
tobinfricke
That's true, but it says nothing about how difficult it would be to replace.

~~~
Estragon
Do you have any idea what would be involved in that replacement?

------
mrsteveman1
> Matt Green, a professor specializing in cryptography at Johns Hopkins
> University, said he has looked at the GnuPG source code and found it in such
> rough shape that he regularly assigns chunks of it to his students for
> review. "At the end I ask how they felt about it and they all basically say:
> 'God, please I never want to do something like this again,'"

Reading that reminded me of some comments[1] made by the author of
ObjectivePGP, a very recent effort to create an OpenPGP compatible Objective-C
library:

> Today I regret that I have not made any notes during programming, so that I
> could now quote all my moments of doubt, all WTF? instances (I think that
> some of them are still present in source comments). Many sudden turns of
> events, lots of dead ends and a massive amount of uncertainty await for the
> person implementing this protocol. Now I understand why OpenPGP does not
> have many implementations — the protocol itself is simply quite difficult to
> implement.

and

> Now, with all I have learned during the time I spent working on it, I would
> have written the library in an entirely different way. ... I have even made
> a note in my TODO “Need to rewrite the whole thing!”. This is true, but if I
> keep on rewriting it all the time, I will not finish anything else.

[1] [http://blog.krzyzanowskim.com/2014/07/31/short-story-about-o...](http://blog.krzyzanowskim.com/2014/07/31/short-story-about-openpgp-for-ios-and-os-x-objectivepgp/)

~~~
gaius
One wonders why this fancy professor doesn't assign some students to
contribute some patches.

~~~
iso-8859-1
What does "contribute" mean? You can't make the maintainer accept, even if
it's actually a good patch. How could this ever be fair?

------
markokrajnc
Dear Werner - if you are reading this: Please ignore all the articles and
comments about "how is the money best spent"! They don't know what they are
talking about! Instead take 2-3 weeks free and bring your whole family
somewhere in Mediterranean Sea to the long deserved holidays so you can rest
from all the financial burden, take a fresh breath and gather new energy and
motivation for the project! And please again: ignore those comments! Greetings
from Munich!

~~~
ptaipale
Indeed. I notice he has a family to support, otherwise I'd have proposed
"please use half of the money on wine, women and song, and the rest you can
just waste". Whatever he decides to do with the donations, I'll say he's
earned the right to do anything he wants.

I fear he'll anyway just hire some help for himself to work on this stuff...

------
Spooky23
The vitriol in the article is pretty surprising to me. Monday morning
quarterbacking of an open source project is pretty noxious. Is there some
other story that I'm not aware of here?

This guy has sacrificed a lot and built something that is pretty critical to
people all over the world. As a pretty casual user, I recall receiving direct
answers from the author in hours. If the code is a mess, at
least it has been implemented in such a way that the mess is harder to
exploit.

~~~
rodgerd
> The vitriol in the article is pretty surprising to me. Monday morning
> quarterbacking of an open source project is pretty noxious. Is there some
> other story that I'm not aware of here?

The two most recent upsets were GPG deliberately breaking a whole bunch of
compatibility, meaning newer versions will not decrypt older files. For people
who use GPG for e.g. securing transferred documents that might be called in
court, it's pretty upsetting, to put it mildly, that the maintainer has told
us we're on our own if we want to be able to access old files[1]. Since this
is one of the core uses for GPG it's generated a lot of angst.

The more obnoxious one for me is going out of his way to break a whole bunch
of GPG integration, complete with acerbic error messages for people who had
been relying on it. Making encryption harder to use will not improve security.

[1] Sure, you can keep old sources around and hope GPG 1.x will still build 10
years from now, but that's a bit of a gamble.

~~~
fensipens
_Removal of PGP-2 support

Some algorithms and parts of the protocols as used by the 20 years old PGP-2
software are meanwhile considered unsafe. In particular the baked in use of
the MD5 hash algorithm limits the security of PGP-2 keys to non-acceptable
rate. Technically those PGP-2 keys are called version 3 keys (v3) and are
easily identified by a shorter fingerprint which is commonly presented as 16
separate double hex digits.

With GnuPG 2.1 all support for those keys has gone. If they are in an existing
keyring they will eventually be removed. If GnuPG encounters such a key on
import it will not be imported due to the not anymore implemented v3 key
format. Removing the v3 key support also reduces complexity of the code and is
thus better than to keep on handling them with a specific error message.

There is one use case where PGP-2 keys may still be required: For existing
encrypted data. We suggest to keep a version of GnuPG 1.4 around which still
has support for these keys (it might be required to use the
--allow-weak-digest-algos option). A better solution is to re-encrypt the data
using a modern key._

[https://gnupg.org/faq/whats-new-in-2.1.html](https://gnupg.org/faq/whats-new-in-2.1.html)

This only affects data encrypted by PGP-2, the original Phil Zimmermann PGP. If
you are on GPG 1.4 or 2.0 and want to switch over to 2.1 this shouldn't be a
problem.
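
The v3/v4 distinction in the quoted GnuPG note, as an added example that is not part of the original post or of GnuPG's code: it derives the fingerprint from a public-key packet body the way RFC 4880 section 12.2 specifies, so the 16-byte MD5 form and the 20-byte SHA-1 form can be told apart before moving a keyring to 2.1. The packet bodies, the toy RSA numbers and every function name here are constructed for illustration.

```python
import hashlib
import struct


def mpi(value):
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def read_mpi(buf, off):
    """Return (magnitude bytes, next offset) for the MPI starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return buf[off + 2:end], end


def key_fingerprint(body):
    """Return (version, fingerprint hex) for a public-key packet body."""
    if not body:
        raise ValueError("empty packet body")
    version = body[0]
    if version in (2, 3):
        # v3 body: version(1) created(4) validity days(2) algorithm(1) MPI n, MPI e.
        # The fingerprint is MD5 over the raw bytes of n and e only.
        n, off = read_mpi(body, 8)
        e, _ = read_mpi(body, off)
        return version, hashlib.md5(n + e).hexdigest().upper()
    if version == 4:
        # v4 fingerprint: SHA-1 over 0x99, 2-byte body length, then the whole body.
        prefix = b"\x99" + struct.pack(">H", len(body))
        return version, hashlib.sha1(prefix + body).hexdigest().upper()
    raise ValueError(f"unsupported key version {version}")


def legacy_keys(bodies):
    """Return (version, fingerprint) for every key older than v4 (the ones 2.1 drops)."""
    found = [key_fingerprint(b) for b in bodies]
    return [(v, fp) for v, fp in found if v < 4]


def spaced(fp):
    """Format a fingerprint as separate double hex digits, the usual v3 presentation."""
    return " ".join(fp[i:i + 2] for i in range(0, len(fp), 2))


# Constructed toy RSA values (far too small to be a real key) and constructed packet bodies.
N, E, CREATED = 0xC0FFEE0123456789, 65537, 0x30000000
V3_BODY = bytes([3]) + struct.pack(">IHB", CREATED, 0, 1) + mpi(N) + mpi(E)
V4_BODY = bytes([4]) + struct.pack(">IB", CREATED, 1) + mpi(N) + mpi(E)

if __name__ == "__main__":
    for version, fp in map(key_fingerprint, (V3_BODY, V4_BODY)):
        print(f"v{version}: {spaced(fp)}")
    print("needs migration:", legacy_keys([V3_BODY, V4_BODY]))
```

Because the v3 hash covers only the modulus and exponent bytes, changing the creation time leaves a v3 fingerprint unchanged, while the v4 fingerprint covers the whole packet body.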

~~~
acqq
It affects the data encrypted by GPG until that "new and improved" version, as
long as the keys have "older" format. Until recently the GPG was able to use
such "older format" key for both encryption and decryption. Now it can't do
both. And that was even not necessarily known by the users, that they used
something "older": you saw the shorter fingerprint but otherwise everything
worked.

GPG even doesn't inform the users in the runtime that it silently removes
user's "old format" keys from the set of keys they had. They just "disappear."

The people who use the PGP the longest are the ones most inconvenienced. The
old data, supposed to be backups, can't be read by the new version.

~~~
zaroth
We must maintain perfect backward compatibility back to the beginning of time!
We must have pristine clean and cruft-free code to help ensure mistakes are
easy to catch!

Sounds like the age old, More Taste! Less Filling! Backward compatibility for
insecure algorithms is exactly the code which should be jettisoned. We have
VMs which run Amiga and DOS, if you're terrified of not being able to decrypt
then grab a cup of coffee and get to re-encrypting with a key that doesn't
inline MD5!

You did get the part where this is free software, and you are free to fork it
if you wish?

I tend to think it's the _user's_ responsibility, by choosing to use the
package, to actually understand how it works. The maintainer owes you nothing.
It's stated right there in the license.

P.S. The scare quotes do not help your argument. The old keys are technically
weak. That happens with crypto from time to time. If you can't plan for that,
might as well keep it cleartext.

~~~
gaius
_We must maintain perfect backward compatibility back to the beginning of
time!_

Actually, if you are writing archiving software, yeah. Especially for official
or legal records.

------
copsarebastards
> But it also raises the question: how is the money best spent?

No, it fucking doesn't raise that question. As far as I am concerned the money
is already spent. And that's the way it should be, because Werner Koch has
already devoted years of his life to developing this stuff.

------
zvrba
Don't bother, donate to the NetBSD team instead:
[http://www.netpgp.com/faq.html](http://www.netpgp.com/faq.html)

WK has unreasonable opinions, e.g., see this thread:
[http://www.reddit.com/r/programming/comments/2uw2gt/the_worl...](http://www.reddit.com/r/programming/comments/2uw2gt/the_worlds_email_encryption_software_relies_on/cod1u7t?context=3)

Having tried to integrate PKCS#11 support into GnuPG (rejected with bogus and
dodgy arguments, see threads documented here:
[http://zvrba.net/software/gpg_pkcs11.html](http://zvrba.net/software/gpg_pkcs11.html)),
I can testify that the codebase is messy and complex.

Just ditch it and make something from scratch. I have more faith in the
competence of NetBSD-associated people than in WK.

------
copsarebastards
> The main problem with the code, he said, is it hasn't been properly
> maintained over the years.

Maybe this is because it was being maintained by a single underfunded
developer. I'm not sure how the fact that we're now funding that programmer
enough that he can hire a second developer (as was his stated intent) that
this brings up questions of whether the money is well spent.

Ars Technica? More like Talking-out-their-arse Technica. Non-technical people
writing about code critiques they can only understand second-hand is pretty
much worthless.

------
gcv
TFA says the GnuPG code is pretty rough. Has anyone (with crypto knowledge)
looked at it? Confirmations and denials welcome.

~~~
tptacek
libgcrypt is pretty rough, yes.

The plus side is that GnuPG by design has a relatively limited attack surface.
It's tough to conduct a side-channel attack that requires thousands of message
stimulus-response tests to get a single key or message bit, given that each
iteration of that attack will (in typical GPG usage) require manual
intervention.

As long as your crypto isn't "online", GPG is still a pretty safe bet. You
can't say the same thing about a lot of newer crypto libraries.

However, if you're doing something like encrypting a session cookie, you
should use NaCl, not GPG.

~~~
hellbanner
Can you expound on your last point?

~~~
girvo
If you assume the rest of his comment is true (I'm no crypto expert but it
seems intuitive enough for me, and he _is_ a crypto expert!), having something
like a session cookie (which can be attacker controlled) encrypted with GPG
(which means it's now "online", without manual intervention) has now increased
the attack surface considerably; it gives up the neat offline part of GPG and
makes it easier to attack.

That's how I understood it anyway!

~~~
tptacek
Yep.

------
justizin
$60k is hardly a windfall, but it is a lifeboat.

~~~
lacksconfidence
It's actually 120k in direct donations, 60k from CII, 50k from facebook and
another 50k from stripe. Even at just under 300k it still isn't much for a
development team.

~~~
JamesSwift
Facebook and Stripe each pledged 50k per year, not one time. So assuming they
keep their end of it, that is 100k/yr guaranteed for the project.

~~~
justizin
Didn't catch that, yeah, that is more like a windfall. :)

------
mikkom
The power of internet sometimes still amazes me.

One article. 180keur in donations in a day.

~~~
bpodgursky
Honestly... given that likely millions of people read about this yesterday, I
think it's a showing of how ineffective internet donations can be that it was a
worldwide top story and only generated a few hundred thousand dollars.

If only one project can be in the spotlight a day, there aren't that many
projects that can get a respectable amount of funding this way.

~~~
smacktoward
I imagine if there were a concerted fundraising campaign behind it, they could
raise much more. The money they got off the story is just the lowest of the
low-hanging fruit.

According to TFA, he's raised nearly $300K so far; rather than using that all
to hire coders, it might be worth taking $100K of that, setting up a
foundation, and hiring a full-time fundraising/development person. A good one
should be able to bring in enough to pay for themselves and ensure a steady
stream of ongoing cash, which would be much better than having to rattle the
tin cup when things get dire.

~~~
acqq
If I understood correctly, if given as salaries, half of the received money
will go to taxes (for Germany, like most of Europe, it's typical tax to the
salaries) as the developer handles everything through his company. And
everything donated through paypal will also be additionally charged.

[https://g10code.com/about.html](https://g10code.com/about.html)

It's certainly more than the developer expected or made in previous years, but
all together it's not as much as it appears to be.

------
mirimir
The Ars article ends with:

> "A real audit of the [GnuPG] code would be great," Green said. "The problem
> is it would be really expensive and I'm not sure it's worth it."

I wonder what Green means as the alternative to auditing the GnuPG code. Doing
nothing? Or could he be arguing that it would be better to start from scratch?
Is there a replacement in the wings? Or even as a glint in someone's eye?

~~~
Dosenpfand
Yes, there's NetPGP: [http://www.netpgp.com/](http://www.netpgp.com/)

~~~
mirimir
That is interesting. I wonder if Enigmail would support NetPGP as an
alternative.

------
xvilka
Hopefully GnuPG developer[s] will also address Mailpile complaints[1]. And
JSON-friendly interface as a part of it.

[1]
[https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_Gnu...](https://www.mailpile.is/blog/2014-10-07_Some_Thoughts_on_GnuPG.html)

------
A_COMPUTER
If he keeps doing what he does every day, except with financial security,
these donations have done their purpose as far as I'm concerned.

------
secfirstmd
What's amazing is that lives will be saved because of these donations. Human
rights defenders, journalists, activists etc...

------
qween
Overall a bad article, but the issues it brings up are important:

> The financial strain Koch has endured underscores a cruel irony that has
> only recently come to light.

No, that's like saying that women being treated lesser than men "has only
recently come to light". Open source, even (especially!) the core, important
stuff is blasphemously underfunded, and it always has been. Everyone knows
this, even those who deny it.

Furthermore, the psychology is uncomfortably close to the psychology of
misogyny: historical precedent, deeply rooted social structures (in this case
driven by software economics), by and large nobody wants to pay the
significant costs of fixing it, and every now and then a truckload of goodwill
is dumped on the fire to douse it so we can all forget about the broken system
we're working with until the next time it breaks.

~~~
sokoloff
I don't think you're going to find a lot of sympathy in drawing parallels
between gender equality issues and open-source issues. (And you're likely to
get blowback for stepping on a third rail type of issue, whether fair or not.)

The crucial difference, and I believe flaw in your argument, is that female
developers being paid less than male developers to do the same job is much
more clear-cut evidence of some kind of bias than a developer on an open
source project being paid less than a developer on a closed-source project.

The latter is enough apples to oranges that you might as well be wondering why
an entry-level doctor gets paid more than an entry-level airline pilot.

------
higherpurpose
miniLock [1] seems like a good alternative to PGP for both file encryption and
email. It's just so new and it should have more audits.

[1] - [http://minilock.io/](http://minilock.io/)

They've recently launched Peerio as well which is kind of a closed email-like
system with easy to use end-to-end encryption based on miniLock.

[https://peerio.com/](https://peerio.com/)

~~~
tptacek
From the team that brought you Cryptocat.

~~~
jMyles
I'm ready to show my ignorance. Cryptocat bad? I had been using it to help
people get their feet wet for OTR. What must I read?

~~~
tptacek
Just use OTR. ChatSecure on iOS is fine. Cryptocat is not safe.

~~~
redthrow
Is there anything bad about telling people to ignore PGP/GnuPG altogether and
use OTR/TextSecure?

~~~
e12e
You can't use OTR for email. Well not in a meaningful way, anyway.

I think the article[ed:1] misses the point, btw. Yes, managing keys might be
tricky - but it's not really rocket science. The thing that's hard is managing
trust -- which key one trusts etc. The CA system for web is completely broken.
I had some hope for cacert.org -- I think that model (perhaps expanded to
include recommending signing gpg-keys as well as x509 certs) has a lot of
merit.

I think web of trust is the only thing that _can_ work for managing trust. But
it needs to be accessible. Have post offices and banks sign gpg keys on when
people come in with valid id. Cacert is a different take -- I like to look on
it as a "structured eternal keysigning party". I trust that model a lot more
than the classic CA model. But as it is based on the CA model, it suffers the
same problems with centralized trust. Centralized trust is great for
organizations, it's not so great for individuals.

I think the best model would be a world-wide web of trust for gpg, helped by
formal and informal signing organizations (ie: like cacert, signing parties --
and with the help of banks, governments, DMV and similar institutions that
traditionally help with issuing IDs). Then there should be support for
anchoring DNS/CAs (and CAs for openssh) with gpg. So that if you trust someone
is a representative of an organization linked to a domain name, you can trust
them to authorize a CA for that name (there's technical details here, but I
think the idea should be clear enough).

CAs go away, everyone can sign their own certs -- and there's an easy way to
link x509 and gpg trust.

People will still lose their keys, and get invalid keys signed etc -- key
management _is_ hard. But the really confounding thing is trust -- and knowing
how to determine which keys are "proper" keys for a given entity. That's
really trust management, not (just) key management.

[ed:1 whoops, that was the other article on making key management easy ;-) But
I suppose this comment is relevant wrt how to make encryption more readily
available...]

~~~
woah
Web of trust is a complete joke. It is literally a system where people who are
unqualified to do so confirm identity based on a government id.

~~~
e12e
As opposed to the CA system, where machines who are unqualified to do so
confirm identity based on an email?

