
> Meanwhile some people have been writing and testing small, auditable and usable open source crypto, more or less for "free".

With all due respect that is complete bullshit. I do not care that you put quotes around free. Writing "free" will never be considered to include sums in the hundreds of thousands of dollars. More importantly blatant lies like this muddy the debate and set outrageous expectations. The Nacl project gives the following description of funding:

  NaCl was initiated by the CACE (Computer Aided Cryptography Engineering)
  project funded by the European Commission's Seventh Framework Programme
  (FP7), contract number ICT-2008-216499. CACE activities were organized
  into several Work Packages (WPs). NaCl was the main task of CACE WP2,
  "Accelerating Secure Networking," led by Tanja Lange (at Technische
  Universiteit Eindhoven) and Daniel J. Bernstein (at the University of
  Illinois at Chicago, currently visiting Eindhoven). CACE finished at the
  end of 2010 but NaCl is a continuing project.

  ...Many of the algorithms used in NaCl were developed as part of
  Daniel J. Bernstein's High-Speed Cryptography project funded by
  the U.S. National Science Foundation, grant number ITR-0716498.
I found the funding information for ITR-0716498. djb is listed as the PI for the project.[^1] I could only find the high level funding of ICT-2008-216499.[^2] (wtf EU?) CACE WP2 is only one component of the project. I would love it if someone with better knowledge of EU funding can find the funding for the WP2 line item. The figures are:

  NSF ITR-0716498 funding: (USD)     400,000.00
  EU  2008-216499 funding: (EUR)   4,733,078.00 ***NEED WP2 line item***
The tweetnacl implementation lists two more funding sources. As above it was easy to locate the NSF funding but I totally struck out for the nwo funding:

  NSF 1018836 funding: (USD)        $436,203.00[^3] 
  NWO grant 639.073.005 funding:    ???????????
Don't get me wrong, I have a lot of respect for djb and I think he and his coworkers deserve every fractional euro/dollar of funding that they received but they did not work for free. Most importantly they should not be expected to work for free.

[^1]: http://www.nsf.gov/awardsearch/showAward?AWD_ID=0716498

[^2]: http://cordis.europa.eu/projects/rcn/85344_en.html

[^3]: http://www.nsf.gov/awardsearch/showAward?AWD_ID=1018836

NB: This is the NWO funding site: http://www.nwo.nl/en/funding I think the English version may have a reduced set of features. I cannot find this grant information on the site.



Wow. I guess "more or less" was not strong enough wording for you?

The point is that using something like NaCl costs you, the developer/user, nothing more than if you are using OpenSSL.

Do you agree?


No, "more or less for free" is not close to hundreds of thousands of dollars plus whatever funds came from the EU and NWO.

I have to say I am confused about your reply. In the first sentence you seem to acknowledge that the wording was related to the cost of "writing and testing" crypto software. However, in the second sentence you seem to indicate that your thesis was about the switching costs users face. Which is it? You did not say I get to use NaCl "more or less for free"; you said that "people have been writing and testing small, auditable and usable open source crypto, more or less for 'free'." That quote seems to be about the cost of creation, not the switching costs.

Do you think djb et al produced nacl "more or less for free?"


I think you misunderstood what I meant.

I mentioned "free" only to point out that there is no financial cost to switching to it. I guess I did not type the sentence with enough care; words are missing. My apologies.

I imagine people would be willing (and are accustomed) to paying for software of similar quality.

But I'm also wondering why this bothered you so much.

Does it make a difference that grants were received?

Is the funding not transparent enough?

The blog article on OpenSSL mentions payments for consulting and "features" to be added to OpenSSL.

Should I be concerned about what those features are, and who is paying for them? Are you concerned?

I'm just interested in cleaner code than OpenSSL's. NaCl looks cleaner to me.

Maybe I'm wrong. But I'd rather be compiling programs that use libnacl or some other simpler alternative than ones that use libssl.

We all have to make decisions about what software we choose to use, even if we are not cryptographers.

I see nothing wrong with discussing alternatives to OpenSSL. This bug has been a real PITA.


  > I mentioned "free" only to point out that there is no financial cost
  > to switching to it. I guess I did not type the sentence with enough
  > care; words are missing. My apologies.
It speaks highly of your character that you say this to the jerk on the internet who said you were full of shit.

  > But I'm also wondering why this bothered you so much.
Because crypto is important. A lot of harmful attitudes/mindsets are reinforced if people think NaCl was created in the authors' spare time and did not require funding:

- "Why should I donate to GnuPG/OpenSSL/Tor/Mozilla(NSS)? Those NaCl devs wrote NaCl for free."

- "How hard could it be to implement a crypto library? Nacl was a side project. The Nacl devs 'have day jobs in academia' and created nacl in their spare time. They did it for free, so they obviously didn't need to spend money on testing environment, research material or hire/consult experts. On the other hand look at SelfiesMadeEa.sy they raised serious cash and had to quit their jobs because they tackle hard problems."

- "Obama and the rest of gubmint are taxing me to death. Government should pay for the military and maybe some roads; not waste money on liberal academics in ivory towers, Mapplethorpe and those pinkos from the NEA or some stupid robot/telescope that can't do metric conversions."

- "OMG NSA is evil. USA does nothing but invade countries and privacy."

  > Does it make a difference that grants were received?
No it does not make a (negative/harmful) difference that grants were received. I think it is a shining example of modern civil society; you have the US, NL and the EU teaming up to fund strong crypto by top notch folks from a number of countries. Governments should fund research, applied and basic, and they should be encouraged to fund more of it.

Somewhat tangential: Knowledge of the grants also seeks to eliminate the idiocy in the latter two examples above. People need to be reminded that big government is not always an evil force; governments can be a force for good. I do not know if you saw my other comment about Tor funding, but Tor had revenue of $2+ million in 2012 and 60% came from the US government. I don't know where you are from but I bet you have met a simple-minded moron wearing a tea party costume or trendy European threads that will not stop complaining about the evil Obama surveillance administration. Blow their minds and ask them to wrap their heads around the:

- $800k from DoD for "Basic and Applied Research and Development in Areas Relating to the Navy Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance"

or

- $350k from State for "Programs to Support Democracy, Human Rights and Labor" and "New America Foundation: International Programs to Support Democracy, Human Rights"

  > Is the funding not transparent enough?
If this is in regard to the lack of numbers from NWO or the EU, I am sure that I am at fault. (I also think one of djb's EU grant numbers might have a digit transposed.) I imagine the Dutch version of nwo.nl is easier to use.

  > The blog article on OpenSSL mentions payments for consulting and
  > "features" to be added to OpenSSL.

  > Should I be concerned about what those features are, and who is paying
  > for them? Are you concerned?
I think we should be concerned that OSF is not doing a better job highlighting sponsors and attracting new ones. It should be easier for someone with check-writing authority at big.corp.com to stumble across the sponsors information and think to themselves "hey, we should drop some petty cash on these folks. We use the product and I bet the marketing folks would appreciate the bump in visibility for a fraction of the cost of our latest failed social network branding efforts." If I were OSF I would look at the $2 million Tor brought in and ask myself "maybe we could do a better job of sponsor outreach? Tor is important to these people that wrote checks and Tor uses libssl-dev; I wonder if there is an opportunity?"


The budget for NWO 639.073.005 is stated to be €1,500,00.00 at http://www.nwo.nl/onderzoek-en-resultaten/onderzoeksprojecte... .


Dank u.



