Previously we looked at the issues around TrueCrypt and Heartbleed, and noted that a fundamental problem was that technologies we rely on to be safe are often developed and maintained by volunteers or people on a shoestring budget. There is now more news worth looking at in this respect, so it is time for an update.

GnuPG is the GNU Privacy Guard, a free software implementation of PGP. That makes it pretty darned important to anyone who is a free software supporter and a privacy advocate. GnuPG was started in 1997 by German software developer Werner Koch, and he was facing financial problems because donations were falling. In fact, he had resolved to walk away from the project in 2013 because he has a family, they need to eat, and so on. But then Edward Snowden put GnuPG in the headlines and it became clear that this was an important technology, so Werner decided not to give up just yet. He started a donation drive, but by November of 2014 it had raised just 7,000 Euros, which won’t support a family. Fortunately, Julia Angwin wrote an article on ProPublica that went viral: “The World’s Email Encryption Software Relies on One Guy, Who is Going Broke”. I know I contributed, and I am sure many other people did, and money started to come in.

But the donation model is not sustainable for most projects. There is a well-known issue of “contribution fatigue” that happens when people are constantly bombarded with requests to give money. Even the most generous person can only do so much, and we have families too. As the recent flap over ElementaryOS indicates, demanding contributions can drive people away as well. To really make critical free software work you need a mechanism to channel funding where needed in a predictable way. We made an important step in that direction in response to the Heartbleed problem when the Linux Foundation created the Core Infrastructure Initiative. This is a consortium of top companies (e.g. Google, Microsoft, Facebook, Amazon, and many others) that contribute funds which can then be allocated to support key infrastructure (like OpenSSL) that so many companies and projects rely on. This matters because the whole idea of free software is that it can provide freely reusable code to solve problems, and this is a way that code can be supported. In the case of GnuPG this group gave $60,000. Then Stripe and Facebook each pledged $50,000 in support.

All of this is good, but look at what Werner said in response: “GnuPG does not stand alone: there are many other projects, often unknown to most people, which are essential to keep the free Internet running. Many of them are run by volunteers who spend a lot of unpaid time on them.” That is a message we all need to keep in mind. At least for now, though, it looks like GnuPG is on a firm footing, and Werner plans to add a full-time developer, which should make it even better.

TrueCrypt is another key piece of software that many people relied upon to provide file and disk encryption. Though not exactly Open Source, it was provided free of charge and seemed to do a good job. But legitimate questions were raised about whether it was in fact secure, and developers arranged to have an audit. They had a crowd-funding program to get this going, which I contributed to, and the audit was begun by a team assembled by Matthew Green, a highly respected cryptography researcher at Johns Hopkins University, and someone whose blog I subscribe to. Phase 1 was an analysis of the bootloader, and it found a few minor bugs worth fixing, but nothing that suggested any deliberate back-doors or other similar security problems. It was basically a clean bill of health for the boot loader. Phase 2 was to be the analysis of the actual cryptography.