Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially responsible investment houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the socially responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
In every single socially responsible fund, when I looked at the stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in the grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact [0]. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


[0] I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in the grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact[0]. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


[0] I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

Does This Mean We’ve “Made It” as a Social Cause?

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/28/social-responsible-investing.html

I got a phone call yesterday from someone involved with one of the many
socially
responsible investment
houses. It appears that in some (thus far,
small) corners of the socially responsible investment community, they’ve
begun the nascent stages of adding “willingness to contribute to
FLOSS” to the consideration map of social responsibility. This is
an issue that has plagued me personally for many years, and I was
excited to receive the call.

When I graduated high school and read my first book on personal
financial management, I learned how to invest for retirement in mutual
funds. The book mentioned the (then) somewhat new practice of
“socially responsible investing”, which immediately intrigued
me. The author argued, however, that it was silly to make investment
decisions based on personal beliefs. I immediately disagreed with that,
but I discovered that his secondary point was actually accurate: beyond
the Big Issues (weapons manufacturing, tobacco, etc.), it was tough to
find a fund that actually shared your personal beliefs.

Once I did some research, I discovered that it wasn’t actually as bad
as that, because there actually is a pretty good consensus on
what is and is not socially responsible (or, at least, the general
consensus in this regard seems to match my personal beliefs, anyway).
However, I did discover a gaping hole in the social responsible
investment agenda. The biggest social issue in my personal life —
the issue of software freedom — was never on others’ radar screens
as a “socially responsible issue”.

For example, in 1996, when I had my first opportunity to roll a 401(k)
into an investment of my own choosing, I discovered a troubling fact.
Every single socially responsible fund, when I looked at their stocks
held (sorted by percentage), Microsoft was always in the top ten, and
Oracle in the top twenty. Indeed, on most socially responsible axes,
Microsoft and Oracle look good: they treat their employees reasonably
well, they don’t generally build products that actively kill people
(although many of us die inside a little bit every time we use
proprietary software), and, heck, if they use more DRM, they can ship
their software and documentation via the network and won’t even ship as
many CDs to fill up landfills. This kind of thinking about
“socially responsible” ignores how the proprietariness of
the company’s technology negatively impacts people outside of the
company. Nevertheless, for years, I’ve held my nose and put my
retirement money in these funds, content on the compromised idea that at
least I don’t have my retirement savings in oil companies.

I tell this backstory to communicate how glad I was to get the call
from an employee of a socially responsible investment house. This
fellow was actually investigating the FLOSS credentials of various
companies and trying to bring it forward as a criterion when considering
how socially responsible their practices are. He seemed genuinely
interested in bringing this forward as part of a social agenda for his
company. I told him: every great idea starts as a conversation
between two people
, and enthusiastically answered his queries.

It was clear FLOSS considerations are new and not widely adopted as a
factor in the socially responsible investing world, but I am glad that
at least someone in that world is thinking about these questions. Of
course, I agree that in grand scheme, FLOSS issues should not be ranked
too highly — certainly issues of environmental
sustainability and human rights have a higher and more immediate social
impact0. However, given that
Microsoft so often ends up in the top ten of “good socially
responsible investments”, FLOSS issues are clearly ranked far too
low in the calculation.

Hopefully, this phone call I took yesterday shows we’re entering an era
where FLOSS issues are on the socially responsible criteria list for
investors. I further hope this blog entry doesn’t stop socially
responsible investors and fund managers from contacting me in the future
to get advice on how socially responsible various companies are. I
debated whether to write about this call publicly, but ultimately went
for it, since it’s an issue I think deserves some net.attention. So
many of us, FLOSS fans included, must now must manage our own retirement
accounts, since pension funds have generally given way to self-directed
retirement savings options. If you have a fund with a socially
responsible investment company, take this opportunity to give them a
call or send them a letter to tell them you’d like to see FLOSS issues
on the criteria list. If you don’t yet invest in with a socially
responsible company, consider switching to one, as they clearly will be
the first to add FLOSS-related criteria to their investing agenda.


0I have never believed
myself that FLOSS is the most important social justice issue in the grand
scheme. I struggled for years with the question of whether to devote my
career to a social cause that wasn’t top priority; things like human
rights and environmental sustainability certainly deserve more immediate
attention. However, it turned out that my skills, knowledge, background
and talent are clearly uniquely tuned to Computer Science in general and
FLOSS in particular, and therefore I can have the greatest positive impact
focusing on this rather than would-be higher priority causes. If only we
could get people in these other movements to at least see that they are
better off not using Microsoft for their own operations (in my experience,
NGOs and NPOs are more likely to stick with proprietary software than
for-profit companies), but that’s an agenda for another blog entry.

On Version Control Systems

Post Syndicated from Lennart Poettering original https://0pointer.net/blog/projects/on-version-control-systems.html

Here’s what I have to say about today’s state of version control systems in Free Software:

We shouldn’t forget that a VC system is just a development tool. Preferring
one over the other has no direct influence on code quality; it
doesn’t make your algorithms perform any better, or your applications look
prettier. It’s just a tool. As such it should just do its job and get out of the
way. A programmer should have religious arguments about code quality, about
algorithms or about UIs, but what he certainly should not have is religious
arguments over the feature set of specific VCSes[1].

Does this mean it doesn’t matter at all which VCS to choose? No, of course
it does matter a lot. The step from traditional VCSes to DVCS is a major one, an
important one. Starting a fresh new Free Software project today and choosing
CVS or SVN is anachronistic at best.

Which leaves of course the question, which DVCS to pick. If you take the
“get out of the way” requirement seriously then there can only be one answer to
the question: GIT. Why? It certainly (still) has a steep learning curve, and a
steeper one than most other VC systems. But what is even harder to learn than
GIT is learning all of GIT, Mercurial, Monotone, Bizarre^H^H^H^H^H^H^HBazaar,
Darcs, Arch, SVK at the same time. If every project picked a different VCS
system, and you’d want to contribute to more than just a single project, then
you’d have to learn them all. And learning them all means learning them all not
very well. And needing to learn them all means scaring people away who don’t
want to learn yet another VCS just to check out your code. Fragmentation in use of VCSes for Free Software projects hinders development.

Which brings me to the main point I want to raise with this blog story:

It is much more important to make contributing to Free Software projects
easy by choosing a VCS everyone knows well — than it is to make it easy by
choosing a VCS that everyone could learn easily.

So, and which VCS is it that has a chance of qualifying as “everyone knows
well” and is a DVCS? I would say there is only one answer to the question: GIT.
Sure, there are some high-profile projects using HG (Mozilla, Java, Solaris),
but my impression is that the vast majority of projects that are central to
free desktops do use GIT.

Certainly, some DVCSes might be nicer than others, there might be areas
where GIT is lacking in comparison to others, but those differences are tiny.
What matters more is not scaring contributors away by making it hard for them
to contribute by requiring them to learn yet another VCS.

Yes, with CVS, SVN and GIT I think I have learned enough VC systems for now.
My hunger for learning further ones is exactly zero. Let me just code, and
don’t make it hard for me by asking me to learn your favourite one, please.

Or in other, frank words, if you start a new Open Source project today, and you
don’t choose GIT as VCS then you basically ask potential
contributors to go away.

ALSA recently switched from Mercurial to GIT. That was a good move.

So, please stop discussing which DVCS is the best one. It doesn’t matter. Picking one
that everyone knows is far more important.

That’s all I have to say.

Footnotes

[1] Of course, unless he himself develops a VC system.

Stop Obsessing and Just Do It: VoIP Encryption Is Easier than You Think

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/20/voip-encryption-easy.html

Ian Sullivan showed me an article that he read about eavesdropping on
Internet telephony calls. I’m baffled at
the obsession about this issue on two fronts. First, I am amazed that
people want to hand their phone calls over to yet another proprietary
vendor (aka Skype) using unpublished, undocumented non-standard
protocols and who respects your privacy even less than the traditional
PSTN vendors. Second, I don’t understand why cryptography experts
believe we need to develop complicated new technology to solve this
problem in the medium term.

At SFLC, I set up the telephony system as VoIP with encryption on
every possible leg. While SFLC sometimes uses Skype, I don’t, of course, because it is (a)
proprietary software, (b) based on an undocumented protocol, and (c)
controlled by a company that has less respect for users’ privacy than
the PSTN companies themselves. Indeed, security was actually last on
our list for reasons to reject Skype, because we already had a simple
solution for encrypting our telephony traffic: All calls are made
through a VPN.

Specifically, at SFLC, I set up a system whereby all users have an OpenVPN connection back to the
home office. From there, they have access to register a SIP client to
an internal Asterisk server living inside the VPN network.
Using that SIP phone, they can call any SFLC employee, fully encrypted. That call
continues either on the internal secured network, or back out over the
same VPN to the other SIP client. Users can also dial out from there to any
PSTN DID.

Of course, when calling the PSTN, the encryption ends at SFLC’s office, but that’s the PSTN’s fault, not ours. No technological solution — save using a modem to turn that traffic digital — can easily solve that. However,
with minimal effort, and using existing encryption subsystems, we have
end-to-end encryption for all employee-to-employee calls.

And it could go even further with a day’s effort of work! I have a
pretty simple idea on how to have an encrypted call to anyone
who happens to have a SIP client and an OpenVPN client. My plan is to
make a public OpenVPN server that accepts connections from any
host at all, that would then allow encrypted “phone the
office” calls to any SFLC phone with any SIP client anywhere on
the Internet. In this way, anyone wishing end-to-end phone encryption
to the SFLC need only connect to that publicly accessible OpenVPN and
dial our extensions with their SIP client over that line. This solution
even has the added bonus that it avoids the common firewall and NAT
related SIP problems, since all traffic gets tunneled through the
OpenVPN: if OpenVPN (which is, unlike SIP, a single-port UDP/IP protocol)
works, SIP automatically does!

The main criticism of this technique regards the silliness of two
employees at a conference in San Francisco bouncing all the way through
our NYC offices just to make a call to each other. While the Bandwidth
Wasting Police might show up at my door someday, I don’t actually find
this to be a serious problem. The last mile is always the problem in
Internet telephony, so a call that goes mostly across a single set of
last mile infrastructure in a particular municipality is no worse nor
better than one that takes a long haul round trip. Very occasionally,
there is a half second of delay when you have a few VPN-based users on a
conference call together, but that has a nice social side effect of
stopping people from trying to interrupt each other.

Finally, the article linked above talks about the issue of variable bit
rate compression changing packet size such that even encrypted packets
yield possible speech information, since some sounds need larger packets
than others. This problem is solved simply for us with two systems: (a)
we use µ-law, a very old, constant bit rate codec, and (b) a tiny bit of entropy
is added to our packets by default, because the encryption is occurring
for all traffic across the VPN connection, not just the phone
call itself. Remember: all the traffic is going together across the one
OpenVPN UDP port, so an eavesdropper would need to detangle the VoIP
traffic from everything else. Indeed, I could easily make (b) even
stronger by simply having the SIP client open another connection back to
the Asterisk host and exchange payloads generated
from /dev/random back and forth while the phone call is
going on.
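The packet-size side channel above is easy to check for on your own captures: a constant bit rate codec such as µ-law (RTP payload type 0) emits the same payload length on every packet, so the length of the encrypted tunnel packet carries no information about the speech, while a variable bit rate codec's frame sizes track the sound. The following audit script is an added example, not code from the original post or from SFLC's setup; the RTP streams it examines are constructed inline, and point (b), the mixing of other VPN traffic, is deliberately out of its scope.

```python
"""Audit RTP streams for the payload-size side channel (added example)."""
import math
import struct
from collections import Counter

# Static RTP payload types (RFC 3551) whose codecs are constant bit rate.
CBR_PAYLOAD_TYPES = {0: "PCMU (mu-law)", 8: "PCMA (A-law)"}


def parse_rtp(packet: bytes):
    """Return (payload_type, sequence, payload_length) for one RTP packet.

    Returns None if the packet is too short, is not RTP version 2, or has an
    extension or padding length that does not fit in the packet.
    """
    if len(packet) < 12:
        return None
    b0, b1, seq = struct.unpack("!BBH", packet[:4])
    if b0 >> 6 != 2:
        return None
    csrc_count = b0 & 0x0F
    has_extension = bool(b0 & 0x10)
    has_padding = bool(b0 & 0x20)
    payload_type = b1 & 0x7F
    header_len = 12 + 4 * csrc_count
    if has_extension:
        if len(packet) < header_len + 4:
            return None
        (ext_words,) = struct.unpack("!H", packet[header_len + 2:header_len + 4])
        header_len += 4 + 4 * ext_words
    if len(packet) < header_len:
        return None
    payload_len = len(packet) - header_len
    if has_padding:
        # The last octet gives the number of padding bytes, itself included.
        if payload_len < 1 or packet[-1] > payload_len:
            return None
        payload_len -= packet[-1]
    return payload_type, seq, payload_len


def size_entropy_bits(sizes: Counter) -> float:
    """Shannon entropy of the payload-size distribution; 0.0 means sizes reveal nothing."""
    total = sum(sizes.values())
    return -sum((n / total) * math.log2(n / total) for n in sizes.values())


def audit_stream(packets):
    """Summarise one RTP stream: which codecs appear and whether packet sizes vary."""
    sizes = Counter()
    payload_types = set()
    for pkt in packets:
        parsed = parse_rtp(pkt)
        if parsed is None:
            continue  # not well-formed RTP; ignore for the size analysis
        pt, _, plen = parsed
        payload_types.add(pt)
        sizes[plen] += 1
    return {
        "payload_types": sorted(payload_types),
        "all_cbr_codecs": all(pt in CBR_PAYLOAD_TYPES for pt in payload_types),
        "distinct_sizes": len(sizes),
        "size_entropy_bits": size_entropy_bits(sizes) if sizes else 0.0,
        "leaks_via_size": len(sizes) > 1,
    }


def make_rtp(payload_type: int, seq: int, payload: bytes) -> bytes:
    """Build a minimal RTP v2 packet (no CSRC, extension or padding); test data only."""
    header = struct.pack("!BBHII", 0x80, payload_type, seq, seq * 160, 0x1234ABCD)
    return header + payload


# Constructed sample streams; nothing here was captured from a real call.
# mu-law at 20 ms packetisation: 8000 samples/s * 0.020 s * 1 byte = 160 bytes, always.
MULAW_STREAM = [make_rtp(0, seq, bytes([0xFF]) * 160) for seq in range(50)]

# A hypothetical VBR codec on dynamic payload type 97: frame size follows the sound.
VBR_FRAME_SIZES = [20, 38, 52, 20, 20, 68, 38, 52, 20, 68] * 5
VBR_STREAM = [make_rtp(97, seq, b"\x00" * n) for seq, n in enumerate(VBR_FRAME_SIZES)]


if __name__ == "__main__":
    for name, stream in (("mu-law", MULAW_STREAM), ("VBR", VBR_STREAM)):
        print(name, audit_stream(stream))
```

On a real capture, feed `audit_stream` the UDP payloads of one RTP flow; a `leaks_via_size` of `True` means the codec negotiated by your SIP client and Asterisk is exposing frame sizes even inside the tunnel.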

This is really one of those cases where the simpler the solution, the
more secure it is. Trying to focus on “encryption of VoIP and VoIP only” is
what leads us to the kinds of vulnerabilities described in that article.
VoIP isn’t like email, where you always need an encryption-unaware
delivery mechanism between Alice and Bob. I
believe I’ve described a simple mechanism that can allow anyone with an
Asterisk box, an OpenVPN server, and an Internet connection to publish to the world easy instructions for phoning them securely with merely a SIP client plus an OpenVPN client. Why don’t
we just take the easy and more secure route and do our VoIP this
way?

to the SFLC need only connect to that publicly accessible OpenVPN and
dial our extensions with their SIP client over that line. This solution
even has the added bonus that it avoids the common firewall and NAT
related SIP problems, since all traffic gets tunneled through the
OpenVPN: if OpenVPN (which is, unlike SIP, a single-port UDP/IP protocol)
works, SIP automatically does!

The main criticism of this technique regards the silliness of two
employees at a conference in San Francisco bouncing all the way through
our NYC offices just to make a call to each other. While the Bandwidth
Wasting Police might show up at my door someday, I don’t actually find
this to be a serious problem. The last mile is always the problem in
Internet telephony, so a call that goes mostly across a single set of
last mile infrastructure in a particular municipality is no worse nor
better than one that takes a long haul round trip. Very occasionally,
there is a half second of delay when you have a few VPN-based users on a
conference call together, but that has a nice social side effect of
stopping people from trying to interrupt each other.

Finally, the article linked above talks about the issue of variable bit
rate compression changing packet size such that even encrypted packets
yield possible speech information, since some sounds need larger packets
than others. This problem is solved simply for us with two systems: (a)
we
use µ-law,
a very old, constant bit rate codec
, and (b) a tiny bit of entropy
is added to our packets by default, because the encryption is occurring
for all traffic across the VPN connection, not just the phone
call itself. Remember: all the traffic is going together across the one
OpenVPN UDP port, so an eavesdropper would need to detangle the VoIP
traffic from everything else. Indeed, I could easily make (b) even
stronger by simply having the SIP client open another connection back to
the asterisk host and exchange payloads generated
from /dev/random back and forth while the phone call is
going on.

This is really one of those cases where the simpler the solution, the
more secure it is. Trying to focus on “encryption of VoIP and VoIP only” is
what leads us to the kinds of vulnerabilities described in that article.
VoIP isn’t like email, where you always need an encryption-unaware
delivery mechanism between Alice and Bob. I
believe I’ve described a simple mechanism that can allow anyone with an
Asterisk box, an OpenVPN server, and an Internet connection to publish to the world easy instructions for phoning them securely with merely a SIP client plus and OpenVPN client. Why don’t
we just take the easy and more secure route and do our VoIP this
way?

Stop Obsessing and Just Do It: VoIP Encryption Is Easier than You Think

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/20/voip-encryption-easy.html

Ian Sullivan showed me
an article
that he read about eavesdropping on Internet telephony calls
. I’m baffled at
the obsession about this issue on two fronts. First, I am amazed that
people want to hand their phone calls over to yet another proprietary
vendor (aka Skype) using unpublished, undocumented non-standard
protocols and who respects your privacy even less than the traditional
PSTN vendors. Second, I don’t understand why cryptography experts
believe we need to develop complicated new technology to solve this
problem in the medium term.

At SFLC, I set up the telephony system as VoIP with encryption on
every possible leg. While SFLC sometimes uses Skype, I don’t, of course, because it is (a)
proprietary software and (b) based on an undocumented protocol, (c)
controlled by a company that has less respect for users’ privacy than
the PSTN companies themselves. Indeed, security was actually last on
our list for reasons to reject Skype, because we already had a simple
solution for encrypting our telephony traffic: All calls are made
through a VPN.

Specifically, at SFLC, I set up a system whereby all users have an OpenVPN connection back to the
home office. From there, they have access to register a SIP client to
an internal Asterisk server living inside the VPN network.
Using that SIP phone, they could call any SFLC employee, fully encrypted. That call
continues either on the internal secured network, or back out over the
same VPN to the other SIP client. Users can also dial out from there to any
PSTN DID.

Of course, when calling the PSTN, the encryption ends at SFLC’s office, but that’s the PSTN’s fault, not ours. No technological solution — save using a modem to turn that traffic digital — can easily solve that. However,
with minimal effort, and using existing encryption subsystems, we have
end-to-end encryption for all employee-to-employee calls.

And it could go even further with a day’s effort of work! I have a
pretty simple idea on how to have an encrypted call to anyone
who happens to have a SIP client and an OpenVPN client. My plan is to
make a public OpenVPN server that accepts connection from any
host at all, that would then allow encrypted “phone the
office” calls to any SFLC phone with any SIP client anywhere on
the Internet. In this way, anyone wishing end-to-end phone encryption
to the SFLC need only connect to that publicly accessible OpenVPN and
dial our extensions with their SIP client over that line. This solution
even has the added bonus that it avoids the common firewall and NAT
related SIP problems, since all traffic gets tunneled through the
OpenVPN: if OpenVPN (which is, unlike SIP, a single-port UDP/IP protocol)
works, SIP automatically does!

The main criticism of this technique regards the silliness of two
employees at a conference in San Francisco bouncing all the way through
our NYC offices just to make a call to each other. While the Bandwidth
Wasting Police might show up at my door someday, I don’t actually find
this to be a serious problem. The last mile is always the problem in
Internet telephony, so a call that goes mostly across a single set of
last mile infrastructure in a particular municipality is no worse nor
better than one that takes a long haul round trip. Very occasionally,
there is a half second of delay when you have a few VPN-based users on a
conference call together, but that has a nice social side effect of
stopping people from trying to interrupt each other.

Finally, the article linked above talks about the issue of variable bit
rate compression changing packet size such that even encrypted packets
yield possible speech information, since some sounds need larger packets
than others. This problem is solved simply for us with two systems: (a)
we
use µ-law,
a very old, constant bit rate codec
, and (b) a tiny bit of entropy
is added to our packets by default, because the encryption is occurring
for all traffic across the VPN connection, not just the phone
call itself. Remember: all the traffic is going together across the one
OpenVPN UDP port, so an eavesdropper would need to detangle the VoIP
traffic from everything else. Indeed, I could easily make (b) even
stronger by simply having the SIP client open another connection back to
the asterisk host and exchange payloads generated
from /dev/random back and forth while the phone call is
going on.

This is really one of those cases where the simpler the solution, the
more secure it is. Trying to focus on “encryption of VoIP and VoIP only” is
what leads us to the kinds of vulnerabilities described in that article.
VoIP isn’t like email, where you always need an encryption-unaware
delivery mechanism between Alice and Bob. I
believe I’ve described a simple mechanism that can allow anyone with an
Asterisk box, an OpenVPN server, and an Internet connection to publish to the world easy instructions for phoning them securely with merely a SIP client plus and OpenVPN client. Why don’t
we just take the easy and more secure route and do our VoIP this
way?

Stop Obsessing and Just Do It: VoIP Encryption Is Easier than You Think

Post Syndicated from Bradley M. Kuhn original http://ebb.org/bkuhn/blog/2008/06/20/voip-encryption-easy.html

Ian Sullivan showed me
an article
that he read about eavesdropping on Internet telephony calls
. I’m baffled at
the obsession about this issue on two fronts. First, I am amazed that
people want to hand their phone calls over to yet another proprietary
vendor (aka Skype) using unpublished, undocumented non-standard
protocols and who respects your privacy even less than the traditional
PSTN vendors. Second, I don’t understand why cryptography experts
believe we need to develop complicated new technology to solve this
problem in the medium term.

At SFLC, I set up the telephony system as VoIP with encryption on
every possible leg. While SFLC sometimes uses Skype, I don’t, of course, because it is (a)
proprietary software and (b) based on an undocumented protocol, (c)
controlled by a company that has less respect for users’ privacy than
the PSTN companies themselves. Indeed, security was actually last on
our list for reasons to reject Skype, because we already had a simple
solution for encrypting our telephony traffic: All calls are made
through a VPN.

Specifically, at SFLC, I set up a system whereby all users have an OpenVPN connection back to the
home office. From there, they have access to register a SIP client to
an internal Asterisk server living inside the VPN network.
Using that SIP phone, they could call any SFLC employee, fully encrypted. That call
continues either on the internal secured network, or back out over the
same VPN to the other SIP client. Users can also dial out from there to any
PSTN DID.

Of course, when calling the PSTN, the encryption ends at SFLC’s office, but that’s the PSTN’s fault, not ours. No technological solution — save using a modem to turn that traffic digital — can easily solve that. However,
with minimal effort, and using existing encryption subsystems, we have
end-to-end encryption for all employee-to-employee calls.

And it could go even further with a day’s effort of work! I have a
pretty simple idea on how to have an encrypted call to anyone
who happens to have a SIP client and an OpenVPN client. My plan is to
make a public OpenVPN server that accepts connection from any
host at all, that would then allow encrypted “phone the
office” calls to any SFLC phone with any SIP client anywhere on
the Internet. In this way, anyone wishing end-to-end phone encryption
to the SFLC need only connect to that publicly accessible OpenVPN and
dial our extensions with their SIP client over that line. This solution
even has the added bonus that it avoids the common firewall and NAT
related SIP problems, since all traffic gets tunneled through the
OpenVPN: if OpenVPN (which is, unlike SIP, a single-port UDP/IP protocol)
works, SIP automatically does!

The main criticism of this technique regards the silliness of two
employees at a conference in San Francisco bouncing all the way through
our NYC offices just to make a call to each other. While the Bandwidth
Wasting Police might show up at my door someday, I don’t actually find
this to be a serious problem. The last mile is always the problem in
Internet telephony, so a call that goes mostly across a single set of
last mile infrastructure in a particular municipality is no worse nor
better than one that takes a long haul round trip. Very occasionally,
there is a half second of delay when you have a few VPN-based users on a
conference call together, but that has a nice social side effect of
stopping people from trying to interrupt each other.

Finally, the article linked above talks about the issue of variable bit
rate compression changing packet size such that even encrypted packets
yield possible speech information, since some sounds need larger packets
than others. This problem is solved simply for us with two systems: (a)
we
use µ-law,
a very old, constant bit rate codec
, and (b) a tiny bit of entropy
is added to our packets by default, because the encryption is occurring
for all traffic across the VPN connection, not just the phone
call itself. Remember: all the traffic is going together across the one
OpenVPN UDP port, so an eavesdropper would need to detangle the VoIP
traffic from everything else. Indeed, I could easily make (b) even
stronger by simply having the SIP client open another connection back to
the asterisk host and exchange payloads generated
from /dev/random back and forth while the phone call is
going on.

This is really one of those cases where the simpler the solution, the
more secure it is. Trying to focus on “encryption of VoIP and VoIP only” is
what leads us to the kinds of vulnerabilities described in that article.
VoIP isn’t like email, where you always need an encryption-unaware
delivery mechanism between Alice and Bob. I
believe I’ve described a simple mechanism that can allow anyone with an
Asterisk box, an OpenVPN server, and an Internet connection to publish to the world easy instructions for phoning them securely with merely a SIP client plus and OpenVPN client. Why don’t
we just take the easy and more secure route and do our VoIP this
way?

The collective thoughts of the interwebz