While administrator access is needed to execute a Bashware attack, this is fairly easily obtained, and the technique can be used to disguise malicious operations from antivirus software and other security tools. Researchers from Check Point Research point out that the danger stems from the fact that "existing security solutions are still not adapted to monitor processes of Linux executables running on Windows."
There's many business models surrounding free/libre open source software: support (pay for help, or additional features), premium (pay for more advanced software), hosting (pay for using the software on someone else's servers), donation (two versions of the same app, pay because you want to be nice to the developers), etc. Not all of those business models align the interests of the developer and the customer/user in the same way: support-based models for example, benefit developers who introduce certain mistakes or delay introducing features. (In the short term. In the long run, it opens a door for competitors...) Which of those align the interests of both?
The original submission also asks if any of these models are "morally questionable" -- and if there's other business models that have proven successful for open source software. Leave your best thoughts in the comments. What's the best business model for an open source developer?
Developers who mistyped the package name loaded the malicious libraries in their software's setup scripts. "These packages contain the exact same code as their upstream package thus their functionality is the same, but the installation script, setup.py, is modified to include a malicious (but relatively benign) code," NBU explained. Experts say the malicious code only collected information on infected hosts, such as name and version of the fake package, the username of the user who installed the package, and the user's computer hostname. Collected data, which looked like "Y:urllib-1.21.1 admin testmachine", was uploaded to a Chinese IP address. NBU officials contacted PyPI administrators last week who removed the packages before officials published a security advisory on Saturday."
The advisory lays some of the blame on Python's 'pip' tool, which executes arbitrary code during installations without requiring a cryptographic signature.
Ars Technica also reports that another team of researchers "was able to seed PyPI with more than 20 libraries that are part of the Python standard library," and that group now reports they've already received more than 7,400 pingbacks.
But he said he has changed his mind after seeing Facebook dig in behind the patent clause -- which was recently added to the Apache Software Foundation's list of disallowed licenses... [H]e writes that he cannot, in good conscience, require users of the very widely used open source WordPress software to inherit the patent clause and associated legal risk. So he's made the decision to ditch React.
Facebook can revoke their license if a React user challenges Facebook's patents.
TorrentFreak reports the miner is being tested for about 24 hours -- as a possible way to earn enough revenue to remove advertising from the site.