In 1997, Werner Koch attended a talk by free software evangelist Richard Stallman. Stallman urged the crowd to write their own version of existing encryption software. Inspired, Koch decided to try. “I figured I can do it.” (Willi Nothers for ProPublica)
CRYPTO for the PEOPLE
GNU PRIVACY GUARD (GPG)
Gnu Email Encryption Relies on One Guy, Who’s Going Broke
by Julia Angwin / Feb. 5, 2015
Update, Feb. 5, 2015: Since this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive. Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded. “I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.” Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.
Now, more than a year after Snowden’s revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he’s made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer. The fact that so much of the Internet’s security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.
Like many who build security software, Koch believes that offering the underlying code for free is the best way to demonstrate that there are no hidden backdoors giving access to spy agencies or others. (Willi Nothers for ProPublica)
Koch’s code powers most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win. “If there is one nightmare that we fear, then it’s the fact that Werner Koch is no longer available,” said Enigmail developer Nicolai Josuttis. “It’s a shame that he is alone and that he has such a bad financial situation.” The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail’s lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations — just enough to keep the website online. GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.
Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.
In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. “We can’t export it, but if you write it, we can import it,” he said. Inspired, Koch decided to try. “I figured I can do it,” he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman’s free Gnu operating system. Koch’s software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn’t subject to U.S. export restrictions.
Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines. In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out. For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. “But nothing came,” Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit. But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000. The campaign gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”
“Many people believe that the spirit of the GNU Project is that you should not charge money for distributing copies of software, or that you should charge as little as possible—just enough to cover the cost. This is a misunderstanding. Actually, we encourage people who redistribute free software to charge as much as they wish or can. If this seems surprising to you, please read on. The word “free” has two legitimate general meanings; it can refer either to freedom or to price. When we speak of “free software”, we’re talking about freedom, not price. (Think of “free speech”, not “free beer”.) Specifically, it means that a user is free to run the program, change the program, and redistribute the program with or without changes. Free programs are sometimes distributed gratis, and sometimes for a substantial price. Often the same program is available in both ways from different places. The program is free regardless of the price, because users have freedom in using it. Nonfree programs are usually sold for a high price, but sometimes a store will give you a copy at no charge. That doesn’t make it free software, though.
Price or no price, the program is nonfree because users don’t have freedom. Since free software is not a matter of price, a low price doesn’t make the software free, or even closer to free. So if you are redistributing copies of free software, you might as well charge a substantial fee and make some money. Redistributing free software is a good and legitimate activity; if you do it, you might as well make a profit from it. Free software is a community project, and everyone who depends on it ought to look for ways to contribute to building the community. For a distributor, the way to do this is to give a part of the profit to free software development projects or to the Free Software Foundation. This way you can advance the world of free software. Distributing free software is an opportunity to raise funds for development. Don’t waste it! In order to contribute funds, you need to have some extra. If you charge too low a fee, you won’t have anything to spare to support development.
Will a higher distribution price hurt some users?
People sometimes worry that a high distribution fee will put free software out of range for users who don’t have a lot of money. With proprietary software, a high price does exactly that—but free software is different. The difference is that free software naturally tends to spread around, and there are many ways to get it. Software hoarders try their damnedest to stop you from running a proprietary program without paying the standard price. If this price is high, that does make it hard for some users to use the program. With free software, users don’t have to pay the distribution fee in order to use the software. They can copy the program from a friend who has a copy, or with the help of a friend who has network access. Or several users can join together, split the price of one CD-ROM, then each in turn can install the software. A high CD-ROM price is not a major obstacle when the software is free.
Will a higher distribution price discourage use of free software?
Another common concern is for the popularity of free software. People think that a high price for distribution would reduce the number of users, or that a low price is likely to encourage users. This is true for proprietary software—but free software is different. With so many ways to get copies, the price of distribution service has less effect on popularity. In the long run, how many people use free software is determined mainly by how much free software can do, and how easy it is to use. Many users do not make freedom their priority; they may continue to use proprietary software if free software can’t do all the jobs they want done. Thus, if we want to increase the number of users in the long run, we should above all develop more free software. The most direct way to do this is by writing needed free software or manuals yourself. But if you do distribution rather than writing, the best way you can help is by raising funds for others to write them.
The term “selling software” can be confusing too
Strictly speaking, “selling” means trading goods for money. Selling a copy of a free program is legitimate, and we encourage it. However, when people think of “selling software”, they usually imagine doing it the way most companies do it: making the software proprietary rather than free. So unless you’re going to draw distinctions carefully, the way this article does, we suggest it is better to avoid using the term “selling software” and choose some other wording instead. For example, you could say “distributing free software for a fee”—that is unambiguous.
High or low fees, and the GNU GPL
Except for one special situation, the GNU General Public License (GNU GPL) has no requirements about how much you can charge for distributing a copy of free software. You can charge nothing, a penny, a dollar, or a billion dollars. It’s up to you, and the marketplace, so don’t complain to us if nobody wants to pay a billion dollars for a copy. The one exception is in the case where binaries are distributed without the corresponding complete source code. Those who do this are required by the GNU GPL to provide source code on subsequent request. Without a limit on the fee for the source code, they would be able to set a fee too large for anyone to pay—such as a billion dollars—and thus pretend to release source code while in truth concealing it. So in this case we have to limit the fee for source in order to ensure the user’s freedom. In ordinary situations, however, there is no such justification for limiting distribution fees, so we do not limit them. Sometimes companies whose activities cross the line stated in the GNU GPL plead for permission, saying that they “won’t charge money for the GNU software” or such like. That won’t get them anywhere with us. Free software is about freedom, and enforcing the GPL is defending freedom. When we defend users’ freedom, we are not distracted by side issues such as how much of a distribution fee is charged. Freedom is the issue, the whole issue, and the only issue.”
comment by walterbell:
“The basic recipe for software biz success is the same whether proprietary or libre. ~80% of revenue comes from ~20% of customers and features. Ship something into the market somehow anyhow so you can identify the critical 20%. Then you can commoditize (open) the remaining 80% of features to reduce costs and help the long tail to become self-supporting. Pricing and defending and growing the revenue features is then like any other business, i.e. strategic conflict with other mice who will come after your cheese.
“Open” is as much a state of mind and development practices as it is a license. JIRA shipped with full source code while remaining proprietary. This removed customer concerns about JIRA going out of business, no need for source escrow. Customers ended up making modifications to the source, which then influenced the Atlassian roadmap. Conversely, one can have an open-source license, but a dev culture that rejects external input, e.g. Calibre. If a vendor focuses on business goals first, then creates a culture to support those goals, license choices will become clearer.
There are useful history lessons among these links:
1) Free Software Business mailing list archives (1993 to early 2000s), http://www.crynwr.com/cgi-bin/ezmlm-cgi?iis:0:201311#b
2) Self-publishing docs+screencasts with 90% royalties, earned railstutorial over six figures in a market where most technical books are lucky to earn $10K. Relevant to OSS biz models: https://news.ycombinator.com/item?id=7350265 & screencast toolchain: https://news.ycombinator.com/item?id=8932387
3) Bootstrapping 101, http://discuss.bootstrapped.fm/ & http://www.startupsfortherestofus.com/
4) ISV (Stardock) 2014 report, http://www.stardock.com/press/CustomerReports/Stardock2014.p…
Resources on business models:
5) The Business Model: Theoretical Roots, Recent Developments, Future Research, 2010, https://noppa.aalto.fi/noppa/kurssi/23e21090/luennot/23E2109…
6) Free Software and OSS Business Models, 2008, http://www.springer.com/cda/content/document/cda_downloaddoc…
7) Any good book on organized crime / unregulated business. Boundary conditions inform risk management, i.e. early recognition of failure scenarios to be avoided.”
Tech giants, chastened by Heartbleed, finally agree to fund OpenSSL
IBM, Intel, Microsoft, Facebook, Google, and others pledge millions to open source.
by Jon Brodkin / Apr 24 2014
The important role OpenSSL plays in securing the Internet has never been matched by the financial resources devoted to maintaining it. The open source cryptographic software library secures hundreds of thousands of Web servers and many products sold by multi-billion-dollar companies, but it operates on a shoestring budget. OpenSSL Software Foundation President Steve Marquess wrote in a blog post last week that OpenSSL typically receives about $2,000 in donations a year and has just one employee who works full time on the open source code. Given that, perhaps we shouldn’t be surprised by the existence of Heartbleed, a security flaw in OpenSSL that can expose user passwords and the private encryption keys needed to protect websites.
OpenSSL’s bare-bones operations are in stark contrast to some other open source projects that receive sponsorship from corporations relying on their code. Chief among them is probably the Linux operating system kernel, which has a foundation with multiple employees and funding from HP, IBM, Red Hat, Intel, Oracle, Google, Cisco, and many other companies. Workers at some of these firms spend large amounts of their employers’ time writing code for the Linux kernel, benefiting everyone who uses it.
That’s never been the case with OpenSSL, but the Linux Foundation wants to change that. The foundation today is announcing a three-year initiative with at least $3.9 million to help under-funded open source projects—with OpenSSL coming first. Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Qualcomm, Rackspace, and VMware have all pledged to commit at least $100,000 a year for at least three years to the “Core Infrastructure Initiative,” Linux Foundation Executive Director Jim Zemlin told Ars. To be clear, the money will go to multiple open source projects—OpenSSL will get a portion of the funding but likely nowhere close to the entire $3.9 million. The initiative will identify important open source projects that need help in addition to OpenSSL. The initiative came together quickly once the foundation began approaching the companies involved. “Before I could even get my last word out most folks were like, ‘absolutely,’” Zemlin said. “We should have done this three years ago to be honest.”
Because Heartbleed inspired the campaign, OpenSSL will be the “first project under consideration to receive funds from the Initiative,” the foundation’s announcement today said. OpenSSL “could receive fellowship funding for key developers as well as other resources to assist the project in improving its security, enabling outside reviews, and improving responsiveness to patch requests.” Security audits, “computing and test infrastructure, travel, [and] face-to-face meeting coordination” will be among the potential benefits for OpenSSL and other projects. The funding will not come with strings attached, Zemlin said. “We definitely want to help them, but it has to be done under their community norms,” he said. “The folks at OpenSSL are guys who have dedicated most of their adult careers to super hard software development that is, I would argue, in some ways thankless work.” Details are still to be worked out between the initiative members and OpenSSL, but one likely outcome is having enough money to let more developers work on the project full time. “Just as The Linux Foundation has funded Linus Torvalds to be able to focus 100 percent on Linux development, we will now be able to support additional developers and maintainers to work full-time supporting other essential open source projects,” the foundation said. The Linux Foundation believes that open source developers should be their own bosses, regardless of who provides their funding. “Linus Torvalds does not listen to Jim Zemlin. That’s intentional,” Zemlin said. Anyone can donate to the Core Infrastructure Initiative, which should be online at this link sometime today.
Better late than never
The companies pledging money here might have avoided a big mess if they donated years ago. The Heartbleed vulnerability would have been bad enough if it had been contained to Web servers, but it affected numerous other products too. IBM had to warn its business customers that some of its products were put at risk by the Heartbleed flaw. So did Cisco, VMware, Dell, Intel, and NetApp. According to Marquess’ post last week, “There should be at least a half-dozen full-time OpenSSL team members, not just one, able to concentrate on the care and feeding of OpenSSL without having to hustle commercial work. If you’re a corporate or government decision maker in a position to do something about it, give it some thought. Please. I’m getting old and weary and I’d like to retire someday.” When asked about the Linux Foundation initiative, Marquess told Ars, “We know about this in general terms, and it looks promising, but I do not have enough details to comment at this time.” Donations have picked up since Heartbleed, bringing in another $9,000. In addition to donations, OpenSSL Software Foundation consultants have work-for-hire agreements with commercial customers at a rate of $250 an hour. This has brought in nearly $1 million in some years, but this money doesn’t necessarily help improve OpenSSL for all users. The payments compensate the consultants for their time and are for projects that may or may not benefit the OpenSSL community at large.
“Lacking any other significant source of revenue, we get most of ours the hard way: we earn it via commercial ‘work-for-hire’ contracts,” Marquess wrote. “The customer wants something related to OpenSSL, realizes that the people who wrote it are highly qualified to do it, and hires one or more of us to make it happen. For the OpenSSL team members not having any other employment or day job, such contract work is their only non-trivial source of income.” Some of these contracts end up helping everyone by speeding up the rate at which certain problems are fixed. In some cases, features are added, which is “a win-win for everyone as the entire OpenSSL community typically benefits along with the sponsor of the work,” Marquess wrote. Other projects are “unlikely to be of general interest, such as porting to specialized proprietary environments or assisting with customer modifications to OpenSSL.” Worse, projects related to FIPS validation (the Federal Information Processing Standard, a government security requirement) are “of benefit to a much smaller segment of the user community and has significant outsourced costs. It also arguably has a negative impact on the OpenSSL code base and diverts scarce manpower from improving OpenSSL proper.”
The OpenSSL team has faced criticism. As we reported this week, OpenBSD founder Theo de Raadt has created a fork of OpenSSL called LibreSSL. He argues that OpenSSL is full of “discarded leftovers” and unreadable code. Separately, a developer who prefers to remain anonymous told Ars he became frustrated in his attempts to contribute code to OpenSSL. “OpenSSL rarely accepts code contributions,” the developer wrote in an e-mail. “The work just sits in the RT [request tracker] system. I’ve got patches for bug fixes and documentation changes that have *never* even been considered.” Such problems may be attributable to OpenSSL’s lack of resources. As for why OpenSSL never developed the kind of community support it needs, Zemlin said, “I don’t have a good answer for that. Obviously in Linux you have a very charismatic leader in Linus Torvalds.” OpenSSL has a “smaller community of people who have very specialized expertise. In retrospect, everything is obvious,” he noted. “The whole point of this is to take a lesson in that and go beyond OpenSSL.” Zemlin doesn’t know what other projects will get funding after OpenSSL. He mentioned Mod_SSL, the Open Crypto Audit Project, and GPG as potential ones to look at, but he noted that members of the new initiative will meet to discuss which ones to fund. While the Linux Foundation is providing administration, there will be a steering group including backers “as well as key open source developers and other industry stakeholders.” The point isn’t to “randomly hand out cash to random open source projects,” but to figure out which are most crucial to the Internet and computer users, Zemlin said. “I suspect there are a whole bunch of these that are really important to Internet security and stability and could use some help.”