Open Source Software Hijacked To Push Malware
jfruhlinger writes "VLC Media Player is a popular, useful, and free-as-in-beer piece of software. Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways. Not only do some of these folks claim that they're the originator of the software (a violation of trademark law and the license), but they often bundle it up with crapware and malware, which is a real dilemma for open source developers who play by the rules."
No It doesn't (Score:5, Insightful)
Re: (Score:3)
If you download and run a program without sandboxing it, then you are trusting its source by definition.
Don't confuse "trusted" with "trustworthy".
Re: (Score:2)
Re: (Score:1)
aptitude install vlc
I just typed that on my Windows XP machine at work and nothing happened. Please advise.
Re: (Score:2)
It doesn't work on my Gentoo Linux boxes either!
(Obviously the parent is just trying to push their pro-Debian agenda!)
Although it does bring up... how much do/can you trust a repository? An md5 check will tell you that what you grabbed is what you wanted to grab, but who's to say that what you're grabbing hasn't been manipulated in some way?
Re: (Score:1)
Most reputable repositories (off the top of my head I know that the Fedora, Adobe, RPMFusion, and Dell repositories all use package signing keys) use GPG keys to sign and guarantee that a particular package is legit and has not been tampered with. Provided that you can trust the key issuer, if a given package passes its signature check then you know that it has not been altered.
Re: (Score:2, Redundant)
I wasn't intentionally trolling, just venting a little annoyance with the attitude that security problems with proprietary software shows how good Open Source is and security problems with OSS also show how good Open Source is. I have a chip on my shoulder about it, sue me.
Re:No It doesn't (Score:4, Interesting)
I can understand your annoyance, I've often felt that one of the reasons linux suffers from so few malware incidents is that the users are generally more technically proficient and security conscious. I always notice where my software is coming from and take care to notice when I'm redirected by a site. I always check to make sure that I don't allow anything to be installed I didn't ask for. Not saying I'm a genius but I've noticed most windows users seem to download and just click okay buttons indiscriminately without reading anything.
Re: (Score:3)
it's all those wizards in the mid to late '90s. they created a culture of clicking through endless meaningless splashes and marketing spiels to get your software. if you ever read those things, you'd still be installing CorelDraw! 5 at this point.
we all got in the habit, the OS was not terribly secure, the internet grew faster than anyone expected, and now suddenly everyone's clicking through installers that fuck their machines.
add to that the fact that most AV programs are so woeful for performance that
Re: (Score:2, Offtopic)
Re: (Score:1)
Provide real world quantifiable evidence that OS is inherently more secure than closed source.
Don't need to, that's not the issue. Amusingly you zeroed right in on it...
And walking around with a chip on your shoulder is just a target for those wishing to knock it off.
Bingo! Nothing like an attractive target, mmm? Every boast about how great and secure OSS is, especially at a time where it isn't appropriate to be pumping the fist in the air, is a dare to somebody to prove it wrong. That whole 'chip on the shoulder' thing applies to OSS zealots, too.
Re: (Score:2)
No, you weren't trolling. And if I'd seen this ten seconds earlier I'd have had points for you. But tone it down a little, okay? It's better to rant after the trolling starts.
(I sincerely believe that Eric Raymond is mistaken with this whole "Linus's law" thing. It applies to some types of bugs, but not to all.)
Re: (Score:2)
But tone it down a little, okay?
You're right, man. Have a good week.
Re: (Score:1)
As pointed out by osmanjuci, users of Unix-like OS's actually have a trusted, and trustworthy source from which to download VLC. As he so rightly pointed out, all I need do is type "aptitude install vlc" and it will be done in moments, downloaded from whichever Debian or Ubuntu repository I happen to have enabled for the computer I am on.
So, no *nix user is likely to download VLC from some disreputable site found on the internet.
But, wait. VLC is cross platform. I think it works on any platform that has
Re:No It doesn't (Score:5, Informative)
Re: (Score:2)
Re: (Score:1)
Yeah, I know it's silly to complain about 'news' headlines, but it sounded like the official distribution had been infected. That is not the case and http://www.videolan.org/vlc/ [videolan.org] is still a safe provider of the software.
Until someone hacks into the server.
Re: (Score:2)
Yes, but *any* OS will be able to get infected if a trusted source gets owned (yes, even Linux)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
To do so, only download from your operating system's repository or app store. If your OS doesn't have one, find one that does.
...because there has never been malware on [computerworld.com] the [engadget.com] Android [zdnet.com] Market [zdnet.com].
and the Amazon App Store has an inherent [wired.com] risk [androidostablets.com]
Re:No It doesn't (Score:4, Informative)
Re: (Score:2)
"But then there are sites like CNET Download, which also lists FLOSS software (among many other types of applications) for download, directly from CNET's servers. While CNET does not in any way represent that they "own" the software they're offering, nor do I seriously believe they are offering up malware, I can't be
FreeSoftware and Drivers (Score:3)
Also, F/LOSS and drivers share another characteristic:
both are available for free from the original developer's website.
You *can* find free copies of drivers for your printer at HP.com
You *can* find free copies of vlc on videolan.org
BUT
If you want the full-blown Microsoft Office or Photoshop, you have to get them from a shady website, because the originals are paid for.
---
Perhaps, what could even further help opensource, is a package manager for Windows opensource software, making it easy to search for, install
Re: (Score:2)
If you want the full-blown Microsoft Office or Photoshop, you have to get them from a shady website, because the originals are paid for.
How about actually paying for them if you want to use them? Or finding FOSS alternatives like OpenOffice? You don't have to get them from a "shady website", that's a choice. A morally dubious choice as well in my opinion.
Yes it does (Score:2)
It doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source, point and end of discussion.
Interesting rebuttal. I assume you're responding to this statement, since it's the only statement in the summary where the response "no it doesn't" makes grammatical sense:
Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways.
So you're saying that no, it's not true that it's easier to repackage open-source software vs. proprietary, because people who "download anything from an untrusted source" are idiots. You realize that your response doesn't address the original statement, right? People downloading things are not related to how easy it is to repackage a
Re: (Score:2)
Re: (Score:2)
It really is easier to repackage software for which you have the source code, surprise surprise.
That may be true, but there's also never any reason to download FOSS from an untrusted source (except for not knowing any better). With cracked proprietary software, untrusted sources are the only sources.
Re: (Score:2)
That may be true, but there's also never any reason to download FOSS from an untrusted source (except for not knowing any better). With cracked proprietary software, untrusted sources are the only sources.
What's your definition of a trusted source?
Re: (Score:2)
The project homepage.
SourceForge.
The "repository" maintained by your operating system.
This is in stark contrast to some website with a strange name and ads all over the place where you can hardly find the link to what you're actually supposed to be downloading through all the 3rd party links to who knows where. Given what some windows download sites look like, it's little wonder that some people are starting to flee to the "walled garden".
Re: (Score:2)
I don't understand, what do I type into my IE to get to the project homepage? I don't think I have SourceForge or a repository installed. I'll just go to Google and type a vague description that makes sense to me.
Given what some windows download sites look like, it's little wonder that some people are starting to flee to the "walled garden".
Are you trying to imply that people who choose a "walled garden" approach are admitting that they are incompetent of handling something like their online security that is apparently supposed to be so rudimentarily simple?
Re: (Score:2)
http://www.microsoft.com/ [microsoft.com]
Re: (Score:2)
Actually, this is nonsense. All you need to repackage software is the binaries. It's probably harder to turn a proprietary binary into adware but it is certainly no more difficult to repackage proprietary software so that it comes with some sort of extra malware payload.
Just recreate the installer. You don't even have to include the real binary.
Re: (Score:2)
Actually his reply was "so what if it's slightly easier to repackage open-source software; it's possible to repackage closed-source software too". Thus, "it doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source".
What? No, that wasn't his reply. His reply was "No it doesn't" followed by a concise definition of what an idiot is.
Moral of the story: closed-source isn't more trustworthy than open-source.
That's right, the "trustworthiness" of each is about the same, but it's still easier to repackage software for which you have the code. In fact, the license for the OSS specifically allows it.
So how do you know its trusted (Score:1)
As a novice who wants to get VLC, why is www.videolan.org any more trusted than www.vlcmediaplayer.org?
If you google VLC media player, www.vlcmediaplayer.org is one of the top search results. Of course if you download from here and you have any virus or adware scanner close to being up to date, alarm bells will go off.
If you are not up to date, welcome to Malware.
Re: (Score:2)
My father, who is pretty savvy, fell victim to this. He's pretty good with computers for someone 73 years old. I had recommended VLC to him, he googled it, and got crapware.
After fixing the problem, we both contacted the VLC developers, who were kind enough to reply. We suggested they seek legal recourse, but although they were aware of the problem, they were not inclined to pursue the matter. Total respect, their code, their choice.
I felt bad that I recommended VLC without specifying videolan.org. Now I do
Re: (Score:2)
> As a novice who wants to get VLC, why is www.videolan.org any more trusted than www.vlcmediaplayer.org?
On Google? It's simple. It's first.
The whole "Official page" thing should also be a hint.
Although the main thing is that it is first.
Re: (Score:1)
Re: (Score:3)
Show in the right places (Score:5, Insightful)
The text in proprietary software can be patched to change attribution, and viruses can be attached to binaries easily enough. It's just a little easier with software for which the source code is available. Either way, don't "shop" in the wrong place.
Re: (Score:2)
Re: (Score:1)
Can't you just sign applications and installers with a self-signed certificate? Or is Windows smart enough to recognize this (untrusted publisher, yet signed) and warn the user (similar to how browsers deal with untrusted certs)? And assuming that the user *is* notified, how many people are just going to click through and acknowledge the warning and keep on installing/executing the app?
That being said, I do look at digital signatures whenever I'm unsure of the validity of the executable, but if it looks
Re: (Score:1)
No, and it shows that you don't really understand what a self-signed certificate is. The whole certificate system is based on three entities, namely, the "certificate authority", the "sender" (software provider/signer) and the "receiver". The idea is to certify the "sender"'s authenticity. In layman's terms, the "certificate authority" tells the "receiver" that the "sender" is who he claims he is. The premise is that the "re
Re: (Score:1)
I do understand what a self-signed cert is. I've played around with them a little bit in testing, but it has been a while. I primarily use a "real" cert with a commonly trusted CA. Let me rephrase:
Browsers pop up an alert if the site's certificate isn't signed by a trusted CA (e.g. I visit your website which uses your self-signed certificate, but I haven't imported your personal CA root certificate. I obviously don't trust your certificate.) screenshot: http://www.unitone.name/images/firefox_3_ssl_cert [unitone.name]
Re: (Score:1)
You don't need to illustrate how those warnings look. I am intimately familiar with them.
If it doesn't, that's a gaping security hole right there. Hell would have been raised by everyone and his cousin by now. Even Microsoft isn't that dumb.
Knowing users... Sure...
Re: (Score:1)
gotcha. Thanks for the clarification and expertise! I'm [obviously] a noob in the area of digitally signed applications. :)
Re: (Score:2)
Can't you just sign applications and installers with a self-signed certificate?
> 2011.
> Can't into Java.
I seriously hope you understand this.
Also a problem with commercial software. (Score:3)
So? You can also get cracked commercial software (or just shit pretending to be it) and get your viruses that way.
Re: (Score:2)
Has nothing to do with OSS (Score:5, Insightful)
You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.
Some FOSS allows modifying with adware (Score:2)
permitting an MO that doesn't bring the burdens of illegality.
I think that makes it a FOSS issue.
Re: (Score:2)
You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.
It's a badly written article, but this is potentially a harder problem to tackle for a popular OSS project than for a popular software vendor:
Contact the FSF (Score:3)
The Free Software Foundation (FSF) has a very good track record of dealing with these kinds of issues. The Electronic Frontier Foundation (EFF) may also be able to help.
Flamebaity Submission is Flamebaity (Score:1)
In other news, in Soviet Russia a Beowulf cluster of hackers downloads malware from YOU! (Which means that you are an insensitive clod.)
My lawn is yellow these days, BTW.
Re: (Score:2)
Your Beowulf cluster sucks. Mine writes the malware and injects it into YOU!
Common Sense. (Score:2)
1. Agreed with everyone else, in that the summary is written in such a way that one would interpret VLC infected. Bad form on the summary writer's part. (insert rant about
2. This is zero to do with FOSS. Even paid software can be used to shovel-out any form of virii, malware, digital Bubonic Plague, etc. This is about people downloading any and everything that has a link attached, from 'trusted' sources and flashing banner ads.
I'm going to make this r
Re: (Score:2)
Digital Signatures (from distributions) (Score:4, Insightful)
this is entirely and precisely why distros such as debian go to such lengths to place GPG digital signatures on the downloads; why they go to such lengths to enact extensive GPG key-signing web-of-trust exchanges etc. etc. no software is allowed into the archive that is not GPG digitally-signed by someone who is part of the GPG web-of-trust network (thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document).
the lengths to which for example the debian developers go are sufficiently extreme that it would be an incredibly foolish exercise for any debian developer to even attempt to place spyware or any kind of malware into packages, because they could be identified (via their GPG Digital Signature) and thus banned for life from the debian project.
the lengths to which it would be necessary to go, to circumvent such a system, involve cracking of GPG Digital Signatures or of compromising the Debian Packaging system itself, and switching off the signature-checking system. whilst the average person would not know how to check that this had occurred, it is an extremely remote and unlikely possibility in and of itself; the experienced debian user could boot up off of a live boot or rescue CD and use rkhunter or chkrootkit to verify that the system had not been compromised.
all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system! if you ignore this kind of advice, then you deserve everything that you get.
Re: (Score:1)
(thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document)
Citation needed
Re: (Score:2)
(thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document)
Citation needed
http://www.debian.org/events/keysigning [debian.org]
Re: (Score:1)
all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system!
They did make a package system where only vetted, approved software can be. And they called it an App Store. Last I checked slashdot didn't like the idea, so damned if you do and damned if you don't. People here still won't be pleased unless you run Linux.
Re: (Score:1)
An app store is fine, what is wrong with the Apple app store concept is that they work hard to prevent their customers from installing software from other sources. For example, C-Net has been mentioned as a trustworthy source of software downloads. Yet they cannot offer free software for iphones (unless the iphone is jailbroken, a precarious and risky procedure that is rarely done and shouldn't be necessary in the first place).
Re: (Score:2)
Re: (Score:2)
if you ignore this kind of advice, then you deserve everything that you get.
Are you talking to the people reading this, or the people that actually need the advice you're offering? I suspect those two groups are for the most part mutually exclusive.
Re: (Score:2)
this is entirely and precisely why distros such as debian go to such lengths to place GPG digital signatures on the downloads; why they go to such lengths to enact extensive GPG key-signing web-of-trust exchanges etc. etc.
And Microsoft has gone to considerable lengths to promote and strongly encourage [microsoft.com] the usage of code signing [microsoft.com] for installers of Windows software. In fact many if not most of the larger Open Source projects that have a large Windows community sign their code too.
The problem is that people are used to ignoring the security warnings from Microsoft, compared to most administrators (or root/sudo users), who read and heed [thefreedictionary.com] security warnings in Linux and *BSD package management.
Re: (Score:2)
I read that the window skinning download sites are polluted with malware. The good thing about mandatory driver signing in 64-bit Vista and later is that it protects sites like DriverGuide.com etc. from suffering the same fate.
Dilemma? (Score:2)
Re: (Score:2)
in the event that you're not asking a rhetorical question: there isn't a dilemma, and there is no obstacle to overcome.
developers release source code (along with an MD5 or SHA-1 checksum) off of an implicitly-trusted (i.e. non-hijacked) web site. that is the limit and scope of their responsibility - period.
distribution managers have a responsibility to then check that checksum, and to ensure that the downloaded source code is not compromised. they are also responsible for compiling that software into a pa
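As an added example (not code from the thread or from the VLC project), here is a small Python checker for the sha256sum-style manifest the comment above describes, with the caveat a distribution maintainer would keep in mind: a checksum served from the same place as the download proves only integrity, not provenance, so it still has to sit under a signature check on the manifest (the GPG signing the earlier comments describe). The file names and contents are constructed.

```python
"""Check downloads against a sha256sum-style manifest (what `sha256sum -c` does).

Added example, not code from the thread or from the VLC project; the file names
and contents below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def parse_sums(text):
    """Return ({name: hexdigest}, [errors]) for lines '<64 hex>  <name>' or '<64 hex> *<name>'."""
    entries, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        # 64 hex digits, a space, then ' ' (text mode) or '*' (binary mode), then the name.
        if len(line) < 67 or line[64] != " " or line[65] not in " *":
            errors.append(f"line {lineno}: malformed entry")
            continue
        digest, name = line[:64].lower(), line[66:]
        if not set(digest) <= set("0123456789abcdef"):
            errors.append(f"line {lineno}: digest is not hex")
            continue
        # Refuse names that would point outside the download directory ('../x', 'a/b').
        if name in (".", "..") or Path(name).name != name:
            errors.append(f"line {lineno}: unsafe file name {name!r}")
            continue
        entries[name] = digest
    return entries, errors


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer does not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_directory(manifest_text, directory):
    """Check every manifest entry; returns ({name: 'OK'|'FAILED'|'MISSING'}, errors)."""
    expected, errors = parse_sums(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = Path(directory, name)
        if not path.is_file():
            results[name] = "MISSING"
        elif sha256_file(path) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results, errors


def all_verified(results, errors):
    """The single yes/no to act on: any error, mismatch or absent file rejects the download."""
    return not errors and bool(results) and all(v == "OK" for v in results.values())


def demo():
    """Constructed release directory: one intact file, one tampered with, one never uploaded."""
    good = b"source tarball as published\n"
    original = b"installer as published by the developers\n"
    tampered = original + b"extra payload appended by a repackager\n"
    manifest = (
        f"{hashlib.sha256(good).hexdigest()}  vlc-src.tar.xz\n"
        f"{hashlib.sha256(original).hexdigest()} *vlc-setup.exe\n"
        f"{hashlib.sha256(b'never uploaded').hexdigest()}  vlc-extra.zip\n"
        f"{hashlib.sha256(b'x').hexdigest()}  ../escape.bin\n"
        "this is not a manifest line\n"
    )
    with tempfile.TemporaryDirectory() as d:
        Path(d, "vlc-src.tar.xz").write_bytes(good)
        Path(d, "vlc-setup.exe").write_bytes(tampered)  # differs from what the manifest lists
        return verify_directory(manifest, d)


if __name__ == "__main__":
    results, errors = demo()
    print(results, errors, "accept:", all_verified(results, errors))
```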
Observations (Score:2)
The article has a link to the developer's blog which outlines the various companies which are abusing VLC by distributing it with malware. I noticed two interesting things about the blog posting:
(1) The developer refers twice to 'our IP' (violate our IP, enforce our IP). That's fine, but I imagine some Linux fanatics will be pissed that the developers consider intellectual property as a real thing and not an abstract constructed to be ignored, as some people want to believe.
(2) Someone asked in the comments
Package manager, anyone? (Score:4, Informative)
sudo apt-get install vlc is not gonna get you anything but a legit version of VLC, unless you setup JOez BaDazzz REPO by following directions on the 5th page of Google's search results.
download the hot new apt for windows! (Score:2)
the hottest software manager on the planet! just one click to download! one click to install!
apt is used the world over by leading government and industry agencies, including the department of defense (military grade), homeland security, IBM, NASA, and the FBI. now, through this special offer, apt is available to you, at no cost!
Re: (Score:2)
the hottest software manager on the planet! just one click to download! one click to install!
apt is used the world over by leading government and industry agencies, including the department of defense (military grade), homeland security, IBM, NASA, and the FBI. now, through this special offer, apt is available to you, at no cost!
Might be worth the malware to finally get a nice package manager on Windows ;)
"Play by the rules" (Score:2)
What "rules" prohibit someone from taking an open source project and re-packaging it with an installer that also installs malware? Am I correct in assuming the answer is "nothing?"
Other than the possible trademark infringement, which has nothing to do with the software license.
Re: (Score:2)
Yeah but that doesn't say anything about "you can't have your installer also install malware."
My point is that if you don't want something to happen, put it in the license. If it's not in the license, it's fair game.
Defend your trademark! (Score:3, Informative)
This happened to Mixxx DJ Software (http://mixxx.org), there was a web site that was shipping a Windows installer which installed crapware and Mixxx. The best part about it is their crapware would come up in the ads when you searched for Mixxx on Sourceforge!
The site that was promoting this crapware installer used the Mixxx name (trademark), several screenshots featuring the Mixxx logo and included a footer that indicated the contents of the page were copyright of their company 2008...
So we tracked them down and sent them a cease-and-desist email for violating our trademark (misrepresenting themselves as authors and using screenshots which feature the Mixxx brand without our consent)... Simply put, we told them they could NOT use our trademark at all; this means no screens with our logo, no mention of the project's name -> this means to comply with trademark law they will have to alter artwork (covered under the GPLv2) and in doing so will be required to rebuild the app and redistribute all of the code also. As far as we are aware they complied and now they are substantially less relevant from a branding perspective and no longer really much of a threat to our user community...
You may not be able to enforce copyright if they comply with the terms of the license the software is distributed under (in this case GPLv2), but you can sure as hell stick it to people who attempt to tarnish your brand with trademark law and certainly make it far less convenient for these scum-balls to do this and still be on the right side of the law.
-G
Re: (Score:1)
I can upload it to a server in China or India where the trademark is not observed and simply name it a higher version to fool the users to download my Mixxx software instead of yours. That won't change, unfortunately.
Windows needs a package manager and repo system (Score:2)
Re: (Score:1)
It has .MSI files. Most real software products use it rather than a winzip or .exe as the file offers AD integration and group policy support as well which is really cool for enterprise users.
I always download .MSI files because if the installation fails I can recover easier ... back in the days of XP.
They are trying too hard (Score:1)
really (Score:1)
itWorld Guys (Score:2)
Same issue for Gimp for Windows (Score:1)
I do not remember which version, but I recognized it as Gimp 3.02 for Windows when Gimp 2.x was on my Fedora 12 installation. I downloaded it and installed it and it tried to install some malware toolbars. I clicked cancel and ran a virus scan. Pretty clever and very cheap to do, I may add, for the average Joe to simply recompile it and create a website. FREE MONEY. With money for each installation of gatorsoft/claria or god knows what, you can make money fairly easily. This was before Gimp 3.02 was out for win
The opposite is more likely true... (Score:2)
On the other hand, if there is a piece of commercial software that you must get your hands on but cannot afford. And the only way for many is get it is via some u
Re: (Score:2)
And specifically, what software might that be? I cannot think of one that a person must have that they cannot afford, and for which there is no free or very inexpensive alternative. Not a one.
Can't afford MS Office? OpenOffice/LibreOffice. Photoshop? GIMP or Paint.net.
A
And the solution is .. (Score:2)
And the solution is .. go directly to the Download [videolan.org] site ...
Haha, I don't think the author gets Linux... (Score:1)
lolwat?
Tux Paint "Plus" (Score:2)
Someone released a package of Tux Paint [tuxpaint.org] for Windows labeled "Tux Paint Plus", suggesting that it was somehow better. Upon further investigation, we discovered the "Plus" was simply a browser toolbar it injected without asking.
OTOH, I'm now utilizing OpenCandy [tuxpaint.org] to help "monetize" the project (read: pay for my coffee addiction and business cards to hand random parents at the park). At least it's (1) optional, and (2) I control which apps it suggests to users when they invoke the Tux Paint installer. (And no, t
Any evidence of this with Wireshark? (Score:1)
How scary would a combo Wireshark + root kit or botnet be? A lot of companies download Wireshark, stick it on old laptops, park them on various parts of their network, and remote desktop into it as a cheap troubleshooting solution. Get malware on those boxes and the bad guys now can see inside everything that crosses the network, inside all the firewalls. Yikes!!
Re: (Score:2)
whats linux? oh its that thing on my computer that magically woke up one day and decided it did not like my 1280x1024 resolution and decided for me that 320x240 was enough space and is now stuck there
Re: (Score:2)
Re: (Score:1)
geez, leave the basement for a moment, it's called a joke and if you were not so busy being the sole defender of linux you might understand that
please carry on captain linux, the universe needs more people like you (and since you're dense, that was called sarcasm)
Re: (Score:1)
No, that'd be XFree86. Upgrade to Xorg already, sucker.
Re: (Score:2)
thanks for your input but that was Xorg you fuckwit know-it-all troll
Re: (Score:1)
So nice of you to be a dick about a joke, especially after ragging on someone else about that same thing right in this same thread. You might want to do something about that anger issue of yours. And learn how to spell and capitalize.
Re: (Score:1)
Re: (Score:2, Informative)
Goatse alert!
Re: (Score:2)
No official VLC for Android yet, but they are working on it (http://ivoire.dinauz.org/blog/index.php?post/2011/02/02/VLC-on-Android); in the meantime, if you are up for it, you can always compile it yourself (http://wiki.videolan.org/AndroidCompile). I can't say I have had much luck working on the phone.