Vital email security researcher may call it quits over lack of funds
One of the most troubling problems in computer security, at virtually every level, is the chronic underfunding of the developers who work on it. This was driven home with particular vengeance in 2014 as multiple security bugs in critical software were found (and in some cases ruthlessly exploited). These episodes exposed the fact that while multi-billion dollar corporations build products that rely on projects like OpenSSL, they only rarely contribute back to those projects in any meaningful fashion. Now it's secure email that is facing a critical loss: one of its most important developers, Werner Koch, has effectively given notice that he will stop developing his secure email tools if he can't find funding for the work.
ProPublica has the details on this story, which traces Koch's work on GNU Privacy Guard (GnuPG) and the Windows secure email package, GPG4Win. Since 1997, Koch has maintained and improved his own secure email software. He credits a talk by Richard Stallman for giving him the idea: at the time, the Pretty Good Privacy (PGP) software package could not be exported from the United States, which led RMS to challenge European programmers to create their own implementation.
Since then, Koch has worked at very low wages to create and maintain an email privacy tool that huge corporations have leveraged and that people like Edward Snowden depended on to contact Glenn Greenwald and other journalists, often without much in the way of compensation or recognition. A crowd-funding campaign he set up to support his work had raised just $47,000 of a $137,000 target as of December. His own website currently shows it funded at 80,707€; how much of that has poured in over the past few days is unclear.
Refuting the "many eyes" myth, and the broader need for better-funded security
One of the standard talking points for why open source code is supposedly better than its closed-source equivalent is that open source software has many more eyes looking over it, correcting bugs, and contributing to a better final product. In many cases this may be true, but one of the lessons of Heartbleed is that those eyes have to actually be looking for bugs before the bugs get caught. That means comprehensive software audits, which take time and cost money: money that, in many cases, these fundamental programs simply haven't had.
Funding alone doesn't guarantee that a project stays maintained, but the Internet depends on a number of core standards and implementations that are not the responsibility of large nonprofits or well-funded open-source foundations, and are instead run on a shoestring, often out of the maintainers' own pockets. Once upon a time, the NSA and other government agencies might have had a role to play in helping to secure these projects, but it's doubtful that such help would be received with anything but a gimlet eye in the current climate, especially since the NSA reportedly exploited the Heartbleed bug for years before it was publicly disclosed.
Still, it's obvious that something needs to change. Funding Werner Koch's work on GnuPG is a great first step, but private donations aren't going to give us more than a band-aid for a larger problem. Securing these software packages and standards needs to be something that corporations and individuals recognize as a common interest, and a pursuit well worth funding.