Slashdot Mirror
Open Source Software Hijacked To Push Malware
jfruhlinger writes "VLC Media Player is a popular, useful, and free-as-in-beer piece of software. Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways. Not only do some of these folks claim that they're the originator of the software (a violation of trademark law and the license), but they often bundle it up with crapware and malware, which is a real dilemma for open source developers who play by the rules."
It doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source, point and end of discussion.
The text in proprietary software can be patched to change attribution, and viruses can be attached to binaries easily enough. It's just a little easier with software for which the source code is available. Either way, don't "shop" in the wrong place.
--Udo.
So? You can also get cracked commercial software (or just shit pretending to be it) and get your viruses that way.
You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.
The Free Software Foundation (FSF) has a very good track record of dealing with these kinds of issues. The Electronic Frontier Foundation (EFF) may also be able to help.
whats linux? oh its that thing on my computer that magically woke up one day and decided it did not like my 1280x1024 resolution and decided for me that 320x240 was enough space and is now stuck there
Two things:
/. editing style, rabblerabble)
1. Agreed with everyone else, in that the summary is written in such a way that one would interpret VLC infected. Bad form on the summary writer's part. (insert rant about
2. This is zero to do with FOSS. Even paid software can be used to shovel-out any form of virii, malware, digital Bubonic Plague, etc. This is about people downloading any and everything that has a link attached, from 'trusted' sources and flashing banner ads.
I'm going to make this real simple, Internet Security 101-style: If you download something and you don't make the MONUMENTAL effort to scan it with whatever virii scanner you're using. You deserve what you get. True, virus scanners are not the be-all/end-all of security, but considering most of these infections are lazily coded, your scanner of choice would probably find the source of the infection, but probably their Twitter, Facebook, Google, and grocery shopping lists, too.
You wouldn't stchup a prostitute without a condom, right? (I hope!) Same thing applies when you 'jack in' to the intertubez.
Consistency is only a virtue if you're not a screw-up.
Goatse alert!
Your Beowulf cluster sucks. Mine writes the malware and injects it into YOU!
Om, nomnomnom...
this is entirely and precisely why distros such as debian go to such lengths to place GPG digital signatures on the downloads; why they go to such lengths to enact extensive GPG key-signing web-of-trust exchanges etc. etc. no software is allowed into the archive that is not GPG digitally-signed by someone who is part of the GPG web-of-trust network (thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document).
the lengths to which for example the debian developers go are sufficiently extreme that it would be an incredibly foolish exercise for any debian developer to even attempt to place spyware or any kind of malware into packages, because they could be identified (via their GPG Digital Signature) and thus banned for life from the debian project.
the lengths to which it would be necessary to go, to circumvent such a system, involve cracking of GPG Digital Signatures or of compromising the Debian Packaging system itself, and switching off the signature-checking system. whilst the average person would not know how to check that this had occurred, it is an extremely remote and unlikely possibility in and of itself; the experienced debian user could boot up off of a live boot or rescue CD and use rkhunter or chkrootkit to verify that the system had not been compromised.
all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system! if you ignore this kind of advice, then you deserve everything that you get.
ok I did not need to see this. kindly please go die in a fire.
What dilemma does this present for developers? It presents an obstacle to overcome, but where's the dilemma?
It doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source, point and end of discussion.
Interesting rebuttal. I assume you're responding to this statement, since it's the only statement in the summary where the response "no it doesn't" makes grammatical sense:
Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways.
So you're saying that no, it's not true that it's easier to repackage open-source software vs. proprietary, because people who "download anything from an untrusted source" are idiots. You realize that your response doesn't address the original statement, right? People downloading things are not related to how easy it is to repackage a given piece of software.
It really is easier to repackage software for which you have the source code, surprise surprise. That's not a knock on open-source software, it's a fact of life. You can comment all you want about the nature of what makes a trusted download source for the vast majority of the world's computer users, but that doesn't change the fact that it's easier to repackage open-source software than proprietary.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
It's also that thing that is running a third of all smart phones and projected to be running half of them in a couple of years. In case you missed it, 500,000 Linux powered cell phones ship out everyday and none of them forget the correct resolution. Linux is everywhere and enjoyed by hundreds of millions of people everyday. Sorry to be the one to tell you.
The soylentnews experiment has been a dismal failure.
The article has a link to the developer's blog which outlines the various companies which are abusing VLC by distributing it with malware. I noticed two interesting things about the blog posting:
(1) The developer refers twice to 'our IP' (violate our IP, enforce our IP). That's fine, but I imagine some Linux fanatics will be pissed that the developers consider intellectual property as a real thing and not an abstract constructed to be ignored, as some people want to believe.
(2) Someone asked in the comments if the developers have tried contacting Google to see if they can remove the companies which are abusing AdWords by running these scams. Google apparently doesn't care, because they make a lot of money out of them regardless of their obvious intent. I really wish people didn't hold them up to be bastions of good in the world.
Besides the obvious point that you can package any type of bloat or malware with closed-source software (spend some time putting together an installation wizard for Windows, and you'll see you can get away with pretty much anything), there's also the fact that F/OSS operating systems almost always have a package manager, which encourages only downloading through trusted sources. So the F/OSS way of doing things is to be careful about trusting where your binaries come from.
sudo apt-get install vlc is not gonna get you anything but a legit version of VLC, unless you setup JOez BaDazzz REPO by following directions on the 5th page of Google's search results.
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
As a novice who wants to get VLC, why is www.videolan.org any more trusted than www.vlcmediaplayer.org?
If you google VLC media player, www.vlcmediaplayer.org is one of the top search results. Of course if you download from here and you have any virus or adware scanner close to being up to date, alarm bells will go off.
If you arr not up to date, welcome to Malware.
No, but I'd be surprised if they weren't smart enough to use ubuntu.
"People don't want to learn linux" hasn't been a valid excuse since '03.
What "rules" prohibit someone from taking an open source project and re-packaging it with an installer that also installs malware? Am I correct in assuming the answer is "nothing?"
Other than the possible trademark infringement, which has nothing to do with the software license.
Comment of the year
This happened to Mixxx DJ Software (http://mixxx.org), there was a web site that was shipping a Windows installer which installed crapware and Mixxx. The best part about it is their crapware would come up in the ads when you searched for Mixxx on Sourceforge!
The site that was promoting this crapware installer used the Mixxx name (trademark), several screenshots featuring the Mixxx logo and included a footer that indicated the contents of the page were copyright of their company 2008...
So we tracked them down and sent them a cease-and-desist email for violating our trademark (misrepresenting themselves as authors and using screenshots which feature the Mixxx brand without our consent)... Simply put we told them they could NOT use our trademark at all, this mean no screens with our logo, no mention of the projects name -> this means to comply with trademark law they will have to alter artwork (covered under the GPLv2) and in doing so will be required rebuild the app and redistribute all of the code also. As far as we are aware they complied and now they are substantially less relavent from a branding perspective and no longer really much of a threat to our user community...
You may not be able to enforce copyright if they comply with the terms of the license the software is distributed under (in this case GPLv2), but you can sure as hell stick it to people who attempt to tarnish your brand with trademark law and certainly make it far less convenient for these scum-balls to do this and still be on the right side of the law.
-G
permitting an MO that doesn't bring the burdens of illegality.
I think that makes it a FOSS issue.
With Linux this isnt such an issue, as everyone knows you just tell the package manager to install vlc and it gets it from a trusted server and even does a hash check to make sure the final copy of the file/s downloaded are correct. Seriously someone should create a windows application manager apt for windows or something. Seriously right now most people using windows who want to install FOSS software are finding it hard to separate malware from the real deal. Windows 8 will have an app store but how receptive Microsoft will be to having FOSS applications listed (and for how long) on their service is up in the air.
You don't need to get the source for VLC or even use an Open Source project. Just learn how to make an installer for the appropriate platform. A .dmg file for OSX, a .deb for use with gDebi or equivalent depending on distro for Linux and a nullsoft installer for windows. You could package it with the most common media player for any of those plaforms and if it is the bundled one, just claim it has some new feature and lie about the version number to get users to install the software and ensure it isn't tidied up properly afterwards during uninstall.
I'm not sure how well that work on platform other than Windows but I've written windows Nullsoft installers and know I could get away with it. As always the lesson is only use trusted sources.
and this is soooo much worse than the malware authors who do this on closed source software ... how? Decompilers are readily available. The only thing they don't give you is the comments and annotations. If you're good enough to write decent malware then decompiling a closed source binary and inserting your payload really isn't an issue and people will trust what you put back into the wild because it's closed and "safe".
Also F/LOSS and Drivers share another characteristic :
both are available for free from the original developper's website.
You *can* find free copies of drivers for your printer at HP.com
You *can* find free copies of vlc on videolan.org
BUT
If you want the full blown Microsoft Office or Photoshop, you have to get them from shady website, because the original are paying.
---
Perhaps, what could even further help opensource, is a package manager for Windows opensource software, making it easy to search for, install and upgrade F/LOSS from trusted sources within a single application.
Something like Steam (or the upcoming application stores for Mac OS X and Windows).
Clueless users only need to get *that* software from the legit source, and then this software takes care of making sure they get the rest from non-malware infested websites.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
the hottest software manager on the planet! just one click to download! one click to install!
apt is used the world over by leading government and industry agencies, including the department of defense (military grade), homeland security, IBM, NASA, and the FBI. now, through this special offer, apt is available to you, at no cost!
seriously, this is just like those people who sell paint.net I single this out because its not under an OSI license. Its not about license its about people downloading things they know nothing about. people don't research everything they download. Its hard to do good research when there are things like astroturfing so it actually looks like the walled garden model of protecting your users is starting to look valid. Linux distros count as a walled garden if we are to call the community the gardeners who approve the software in the repositories. I would like to point out Fedora resisting to put SQLninja in their repositories as gardeners that people have been pissed at. I dont like the truth of what I'm saying. GNU/Linux and open source is about putting the power of the computer into the users hands, getting away from the priests that curate our computing experience. This freedom can't happen if the people in the bazaar can't be trusted either, we must encourage people to think for them selves but teach them the way to discern the truth so they can tell the good venders from the bad ones. ... hmm, I think thats what lulsec is doing but this post has gone on long enough.
No, official vlc for android yet but they are working on it (http://ivoire.dinauz.org/blog/index.php?post/2011/02/02/VLC-on-Android) but in the mean time if you are up for it, you can always compile it yourself (http://wiki.videolan.org/AndroidCompile). I can't say I have had much luck working on the phone.
"I just can't sit while people are saying nonsense in a meeting without saying it's nonsense" J Watson, Sci Am 288:(4)51
I do not remember which version but I reconized it as Gimp 3.02 for Windows when Gimp 2.x was on my Fedora 12 installation. I downloaded it and installed it and it tried to install some malware toolbars. I clicked cancel and ran a virus scan. Prettry clever and very cheap to do I may add for the average Joe to simply recompile it and create a website. FREE MONEY. With money for each installation of gatorsoft/claria or god know whats you can make money fairly easily. This was before Gimp 3.02 was out for win32 so it tricked me and probably others thinking this was the most modern version.
I wished I would have thought of it first, but I realized that is kind of slimy to do. I did more Google searching to find the real GIMP package from Gnome for Win32. When it comes to FOSS software other than Linux it is a good practice to run an anti virus scan. If you trust the host that is one thing, but I can see the average Joe thinking OpenOffice is OpenOffice.com ... not OpenOffice.org.
http://saveie6.com/
Given that FOSS software is readily available from official website, downloading from anywhere else is just plain stupid. An argument can be made for people behind firewall or somehow cannot access any mirror, but it is otherwise true. Many project publish checksum of their tar balls and binaries, against which you can verify the downloaded item.
On the other hand, if there is a piece of commercial software that you must get your hands on but cannot afford. And the only way for many is get it is via some untrusted source illegally. That has to carry to much higher risk of malware.
I have no data to back up this claim, but it seems plausible.
The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
And the solution is .. go directly to the Download site ...
No, that'd be XFree86. Upgrade to Xorg already, sucker.
lolwat?
thanks for your input but that was Xorg you fuckwit know-it-all troll
Someone released a package of Tux Paint for Windows labeled "Tux Paint Plus", suggesting that it was somehow better. Upon further investigation, we discovered the "Plus" was simply a browser toolbar it injected without asking.
OTOH, I'm now utilizing OpenCandy to help "monetize" the project (read: pay for my coffee addiction and business cards to hand random parents at the park). At least it's (1) optional, and (2) I control which apps it suggests to users when they invoke the Tux Paint installer. (And no, there are no ads in Tux Paint itself -- it's not "adware"... I've come up with the term "adverstaller" in my attempt to describe it.)
How scary would a combo Wireshark + root kit or botnet be? A lot of companies download Wireshark, stick it on old laptops, park them on various parts of their network, and remote desktop into it as a cheap troubleshooting solution. Get malware on those boxes and the bad guys now can see inside everything that crosses the network, inside all the firewalls. Yikes!!
So nice of you to be a dick about a joke, especially after ragging on someone else about that same thing right in this same thread. You might want to do something about that anger issue of yours. And learn how to spell and capitalize.