×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Open Source Software Hijacked To Push Malware

samzenpus posted more than 2 years ago | from the malware-of-the-people dept.

Open Source 147

jfruhlinger writes "VLC Media Player is a popular, useful, and free-as-in-beer piece of software. Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways. Not only do some of these folks claim that they're the originator of the software (a violation of trademark law and the license), but they often bundle it up with crapware and malware, which is a real dilemma for open source developers who play by the rules."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

147 comments

Open Sores is crapware (-1)

Anonymous Coward | more than 2 years ago | (#36755386)

I won't use it, I'm heterosexual.

Re:Open Sores is crapware (0)

Anonymous Coward | more than 2 years ago | (#36755600)

What OS does this gay malware come on?

No It doesn't (5, Insightful)

zero.kalvin (1231372) | more than 2 years ago | (#36755388)

It doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source, point and end of discussion.

Re:No It doesn't (2)

mrnobo1024 (464702) | more than 2 years ago | (#36755446)

If you download and run a program without sandboxing it, then you are trusting its source by definition.

Don't confuse "trusted" with "trustworthy".

Re:No It doesn't (0, Troll)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36755464)

And now a rebuttal from the 'thousands of eyes' committee....

Re:No It doesn't (0)

Anonymous Coward | more than 2 years ago | (#36756142)

Thank you to whoever modded this troll.

Re:No It doesn't (1, Redundant)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36756624)

I wasn't intentionally trolling, just venting a little annoyance with the attitude that security problems with proprietary software shows how good Open Source is and security problems with OSS also show how good Open Source is. I have a chip on my shoulder about it, sue me.

Re:No It doesn't (3, Interesting)

amiga3D (567632) | more than 2 years ago | (#36756804)

I can understand your annoyance, I've often felt that one of the reasons linux suffers from so few malware incidents is that the users are generally more technically proficient and security conscious. I always notice where my software is coming from and take care to notice when I'm redirected by a site. I always check to make sure that I don't allow anything to be installed I didn't ask for. Not saying I'm a genius but I've noticed most windows users seem to download and just click okay buttons indiscriminately without reading anything.

Re:No It doesn't (2)

mug funky (910186) | more than 2 years ago | (#36758558)

it's all those wizards in the mid to late '90s. they created a culture of clicking through endless meaningless splashes and marketing spiels to get your software. if you ever read those things, you'd still be installing CorelDraw! 5 at this point.

we all got in the habit, the OS was not terribly secure, the internet grew faster than anyone expected, and now suddenly everyone's clicking through installers that fuck their machines.

add to that the fact that most AV programs are so woeful for performance that people don't care whether they are a bot or not, so long as their machine doesn't slow down.

windows works quite well in spite of this so long as you have a diligent and well resourced IT department. at home i use ubuntu cause i'm a superstar.

Re:No It doesn't (1, Offtopic)

cavreader (1903280) | more than 2 years ago | (#36758458)

Provide real world quantifiable evidence that OS is inherently more secure than closed source. And walking around with a chip on your shoulder is just a target for those wishing to knock it off.

Re:No It doesn't (0)

MobileTatsu-NJG (946591) | more than 2 years ago | (#36758560)

Provide real world quantifiable evidence that OS is inherently more secure than closed source.

Don't need to, that's not the issue. Amusingly you zeroed right in on it...

And walking around with a chip on your shoulder is just a target for those wishing to knock it off.

Bingo! Nothing like an attractive target, mmm? Every boast about how great and secure OSS is, especially at a time where it isn't appropriate to be pumping the fist in the air, is a dare to somebody to prove it wrong. That whole 'chip on the shoulder' thing applies to OSS zealots, too.

Re:No It doesn't (4, Informative)

sortadan (786274) | more than 2 years ago | (#36755472)

Yeah, I know it's silly to complain about 'news' headlines, but it sounded like the official distribution had been infected. That is not the case and http://www.videolan.org/vlc/ [videolan.org] is still a safe provider of the software.

Re:No It doesn't (1)

afxgrin (208686) | more than 2 years ago | (#36755754)

I'm not surprised that VLC player is repackaged/distributed with malware, but the complaint about Google seems invalid as of today at least. I go search VLC media player [google.ca] on Google, and on the first and second page only get the legit software, no keyword ads or anything.

Re:No It doesn't (0)

Anonymous Coward | more than 2 years ago | (#36758492)

Headlines that don't match a story, but generate page views? Who would do such an unspeakable thing?

So what the fuck is a trusted source, then? (0)

Anonymous Coward | more than 2 years ago | (#36755478)

Like it or not, not all users are smart enough to use Debian. If you're on Windows or Mac OS X, how the hell do you know what is a "trusted source" and what isn't?

Fuck, man, there's no guarantee that even the download from the developer's site isn't free of malware or other shit of some sort.

What, are you saying we should trust some fucking "certified malware free" logo image stuck on some software directory's entry for the app in question? Is that what you're saying? I sure fucking hope not.

Re:So what the fuck is a trusted source, then? (0)

Anonymous Coward | more than 2 years ago | (#36755614)

Oh no, no software can be trusted.

New directive - Don't use any software from any source.

Re:So what the fuck is a trusted source, then? (0)

Anonymous Coward | more than 2 years ago | (#36756138)

Wikipedia

Re:So what the fuck is a trusted source, then? (1)

Lanteran (1883836) | more than 2 years ago | (#36756852)

No, but I'd be surprised if they weren't smart enough to use ubuntu.

Re:No It doesn't (1)

pjbgravely (751384) | more than 2 years ago | (#36755628)

To do so only download from your operating systems repository or app store. If you OS doesn't have one, find one that does.

Re:No It doesn't (3, Informative)

cyberstealth1024 (860459) | more than 2 years ago | (#36757708)

To do so only download from your operating systems repository or app store. If you OS doesn't have one, find one that does.

...because there has never been malware on [computerworld.com] the [engadget.com] Android [zdnet.com] Market [zdnet.com].

and the Amazon App Store has an inherent [wired.com] risk [androidostablets.com]

Re:No It doesn't (3, Informative)

Ocker3 (1232550) | more than 2 years ago | (#36755776)

Exactly. If you do a search for a printer's name, you often get a lot of random driver storage sites that pop up, but who's vetted that software? I always hit the manufacturer first, and for a piece of software I go to a known-good download site (like C-Net) as their business model is based partly on being a trusted source of software. If you aren't downloading VLC from the SourceForge repository, you're opening yourself up to using a hacked and backdoored product.

Re:No It doesn't (2)

Rhodri Mawr (862554) | more than 2 years ago | (#36757606)

CNET is one of the safest places to download software from online. However, the author of the article, the suspiciously named Brian Proffitt, includes the following dubious paragraph on CNET:

"But then there's sites like CNET Download, which also lists FLOSS software (among many other types of applications) for download, directly from CNET's servers. While CNET does not in any way represent that they "own" the software they're offering, nor do I seriously believe they are offering up malware, I can't be sure about the provenance of the Firefox 5 for Windows software they just offered me. Nor am I terribly sanguine about the "free scan for Windows errors" banner and box ads sitting on the download page."

By making this comment on CNET, he undermines his credibility as an analyst and casts into doubt the legitimacy of the whole of his article, which is a shame, as there *are* some relevant points made.

FreeSoftware and Drivers (2)

DrYak (748999) | more than 2 years ago | (#36757950)

Also F/LOSS and Drivers share another characteristic :
both are available for free from the original developper's website.

You *can* find free copies of drivers for your printer at HP.com
You *can* find free copies of vlc on videolan.org

BUT

If you want the full blown Microsoft Office or Photoshop, you have to get them from shady website, because the original are paying.

---

Perhaps, what could even further help opensource, is a package manager for Windows opensource software, making it easy to search for, install and upgrade F/LOSS from trusted sources within a single application.
Something like Steam (or the upcoming application stores for Mac OS X and Windows).

Clueless users only need to get *that* software from the legit source, and then this software takes care of making sure they get the rest from non-malware infested websites.

Re:No It doesn't (-1)

Anonymous Coward | more than 2 years ago | (#36755864)

Open source is for gay faggot dick smokers.

Re:No It doesn't (0)

Anonymous Coward | more than 2 years ago | (#36758308)

(Sent from my Android phone.)

Yes it does (1)

amicusNYCL (1538833) | more than 2 years ago | (#36755978)

It doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source, point and end of discussion.

Interesting rebuttal. I assume you're responding to this statement, since it's the only statement in the summary where the response "no it doesn't" makes grammatical sense:

Unfortunately, its open source nature makes it easier for people with bad intentions to repackage it in nefarious ways.

So you're saying that no, it's not true that it's easier to repackage open-source software vs. proprietary, because people who "download anything from an untrusted source" are idiots. You realize that your response doesn't address the original statement, right? People downloading things are not related to how easy it is to repackage a given piece of software.

It really is easier to repackage software for which you have the source code, surprise surprise. That's not a knock on open-source software, it's a fact of life. You can comment all you want about the nature of what makes a trusted download source for the vast majority of the world's computer users, but that doesn't change the fact that it's easier to repackage open-source software than proprietary.

Re:Yes it does (0)

Anonymous Coward | more than 2 years ago | (#36756236)

Actually his reply was "so what if it's slightly easier to repackage open-source software; it's possible to repackage closed-source software too". Thus, "it doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source".

Moral of the story: closed-source isn't more trustworthy than open-source. If the source isn't trustworthy, it doesn't matter whether it's open-source or closed-source; you're an idiot regardless. Get software from reputable sources.

Re:Yes it does (1)

amicusNYCL (1538833) | more than 2 years ago | (#36756554)

Actually his reply was "so what if it's slightly easier to repackage open-source software; it's possible to repackage closed-source software too". Thus, "it doesn't matter if it is open or close source. You are an idiot if you download anything from an untrusted source".

What? No, that wasn't his reply. His reply was "No it doesn't" followed by a concise definition of what an idiot is.

Moral of the story: closed-source isn't more trustworthy than open-source.

That's right, the "trustworthiness" of each is about the same, but it's still easier to repackage software for which you have the code. In fact, the license for the OSS specifically allows it.

Re:Yes it does (1)

oakgrove (845019) | more than 2 years ago | (#36756258)

What i want to know is What difference does it make if something is closed or open to malware authors? I could package some malware up and put it on a website and call it MicrosoftSecurityEssentialsSetup.exe all day long and as soon as you click on it and click okay on the uac prompt, you're done. This has nothing to do with how easy it is to package vlc or anything else.

Re:Yes it does (1)

drooling-dog (189103) | more than 2 years ago | (#36756350)

It really is easier to repackage software for which you have the source code, surprise surprise.

That may be true, but there's also never any reason to download FOSS from an untrusted source (except for not knowing any better). With cracked proprietary software, untrusted sources are the only sources.

Re:Yes it does (1)

amicusNYCL (1538833) | more than 2 years ago | (#36756566)

That may be true, but there's also never any reason to download FOSS from an untrusted source (except for not knowing any better). With cracked proprietary software, untrusted sources are the only sources.

What's your definition of a trusted source?

Re:Yes it does (1)

jedidiah (1196) | more than 2 years ago | (#36757496)

The project homepage.

SourceForge.

The "repository" maintained by your operating system.

This is in stark contrast to some website with a strange name and ads all over the place where you can hardly find the link to what you're actually supposed to be downloading through all the 3rd party links to who knows where. Given what some windows download sites look like, it's little wonder that some people are starting to flee to the "walled garden".

Re:Yes it does (1)

amicusNYCL (1538833) | more than 2 years ago | (#36759048)

I don't understand, what do I type into my IE to get to the project homepage? I don't think I have SourceForge or a repository installed. I'll just go to Google and type a vague description that makes sense to me.

Given what some windows download sites look like, it's little wonder that some people are starting to flee to the "walled garden".

Are you trying to imply that people who choose a "walled garden" approach are admitting that they are incompetent of handling something like their online security that is apparently supposed to be so rudimentarily simple?

Re:Yes it does (1)

jedidiah (1196) | more than 2 years ago | (#36757474)

Actually, this is nonsense. All you need to repackage software is the binaries. It's probably harder to turn a proprietary binary into adware but it is certainly no more difficult to repackage proprietary software so that it comes with some sort of extra malware payload.

Just recreate the installer. You don't even have to include the real binary.

So how do you know its trusted (1)

Anonymous Coward | more than 2 years ago | (#36756822)

As a novice who wants to get VLC, why is www.videolan.org any more trusted than www.vlcmediaplayer.org?

If you google VLC media player, www.vlcmediaplayer.org is one of the top search results. Of course if you download from here and you have any virus or adware scanner close to being up to date, alarm bells will go off.

If you arr not up to date, welcome to Malware.

Re:So how do you know its trusted (1)

Naurgrim (516378) | more than 2 years ago | (#36757382)

My father, who is pretty savvy, fell victim to this. He's pretty good with computers for someone 73 years old. I had recommended VLC to him, he googled it, and got crapware.

After fixing the problem, we both contacted the VLC developers, who were kind enough to reply. We suggested they seek legal recourse, but although they were aware of the problem, they were not inclined to pursue the matter. Total respect, their code, their choice.

I felt bad that I recommended VLC without specifying videolan.org. Now I do.

Re:So how do you know its trusted (1)

jedidiah (1196) | more than 2 years ago | (#36757532)

> As a novice who wants to get VLC, why is www.videolan.org any more trusted than www.vlcmediaplayer.org?

On Google? It's simple. It's first.

The whole "Official page" thing should also be a hint.

Although the main thing is that it is first.

Re:So how do you know its trusted (0)

Anonymous Coward | more than 2 years ago | (#36759068)

Same, I usually check a combination of wikipedia and Google. Both can be poisoned of course, but it reduces the likelihood.

Re:No It doesn't (2)

whiteboy86 (1930018) | more than 2 years ago | (#36756958)

>> You are an idiot if you download anything from an untrusted source Like 80% of all internet users are "idiots" in this regard, those will have a hard time recognizing legit VLC, most of them even trust .com more then .org, so they can easily fall for this. Those blackhats perpetrators have the cash to pay for AdWords, that is why this is a HUGE problem. It is even more augmented by the fact that Google/AdWords has a helping hand in this.

Re:No It doesn't (0)

Anonymous Coward | more than 2 years ago | (#36758020)

exactly. Insinuating that something is more "vulnerable" because it's open source is wrong and utterly ignorant. Author, please clarify your statement and make it accurate.

Show in the right places (4, Insightful)

udoschuermann (158146) | more than 2 years ago | (#36755412)

The text in proprietary software can be patched to change attribution, and viruses can be attached to binaries easily enough. It's just a little easier with software for which the source code is available. Either way, don't "shop" in the wrong place.

Re:Show in the right places (0)

Anonymous Coward | more than 2 years ago | (#36755656)

The text in proprietary software can be patched to change attribution, and viruses can be attached to binaries easily enough

While that is absolutely true for unsigned binaries, people probably shouldn't be downloading unsigned binaries from random sites and then complaining when they are infested with crap. Once it has a valid digital signing certificate from a trusted publisher (yeah, so maybe you don't trust ones from Adobe), it is known to have not been changed since the vendor or provider compiled and signed it. If you get a binary that is supposed to be VideoLAN and it is signed by some goofy untrusted certificate, you don't run it.

Re:Show in the right places (1)

ewanm89 (1052822) | more than 2 years ago | (#36756480)

If the vendor can even afford a valid certificate from microsoft or whoever. Exactly why most windows applications aren't signed, especially opensource ones.

Re:Show in the right places (0)

Anonymous Coward | more than 2 years ago | (#36757048)

Assuming you pay half a fucking billion dollars to get the certificate in the first place.

Get real, nobody signs.

Re:Show in the right places (1)

cyberstealth1024 (860459) | more than 2 years ago | (#36757854)

Can't you just sign applications and installers with a self-signed certificate? Or is Windows smart enough to recognize this (untrusted publisher, yet signed) and warn the user (similar to how browsers deal with untrusted certs)? And assuming that the user *is* notified, how many people are just going to click through and acknowledge the warning and keep on installing/executing the app?

That being said, I do look at digital signatures whenever I'm unsure of the validity of the executable, but if it looks decently legitimate (as it always seems to...), then I continue to run it. As a dev, I also digitally sign my apps at work with a trusted cert.

Re:Show in the right places (0)

Anonymous Coward | more than 2 years ago | (#36758930)

I was asked to work for a "company" that did just that. They replaced the text in in proprietary software to change attribution and sold it cheaper than the author.

Also a problem with commercial software. (2)

wisty (1335733) | more than 2 years ago | (#36755426)

So? You can also get cracked commercial software (or just shit pretending to be it) and get your viruses that way.

Has nothing to do with OSS (4, Insightful)

MobyDisk (75490) | more than 2 years ago | (#36755452)

You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.

Some FOSS allows modifying with adware (1)

Burz (138833) | more than 2 years ago | (#36757190)

permitting an MO that doesn't bring the burdens of illegality.

I think that makes it a FOSS issue.

Re:Has nothing to do with OSS (1)

williamhb (758070) | more than 2 years ago | (#36757628)

You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.

It's a badly written article, but this is potentially a harder problem to tackle for a popular OSS project than for a popular software vendor:

  • It's much easier for the scammers to get open source code to distribute, so popular OSS projects look like low-hanging fruit to scammers
  • If the scammers don't use the trademark in an illegal manner, the scammers can truthfully claim they have a license to distribute the program. For instance, they can dodge GPL violations by only aggregating their adware and spyware. (Their installer secretly installs it, but it's a completely separate program from the OSS software.)
  • There generally are multiple legitimate sources for an OSS project (their own website, mirror sites that reduce the download strain on their website, debian repositories, rpm repositories, etc). It's easier for a scammer to confuse a non-techy that their own website could be a legit source for this.
  • Many OSS projects often don't have an army of international lawyers to pursue the scammers, just a few overworked and underpaid people at FSF and EFF
  • Whereas it'd be easier for a software vendor to show commercial harm to a court or the police, as they can just point to the lost revenues

All goes to show that the life of an OSS project, nobly getting their software to you freely, ain't always as easy as it should be.

Re:Has nothing to do with OSS (0)

Anonymous Coward | more than 2 years ago | (#36758906)

You can do this with any software. Scammers have been selling virus-loaded copies of Microsoft Office since the days of dial-up.

Historical fact - you could purchase a legitimate copy of Microsoft Office and get a malicious macro infection.

Linux literaly was used for this as well (-1, Troll)

dotmatrix5 (2370638) | more than 2 years ago | (#36755488)

A bootable [thoughts.com] linux disk that pretended to be MAC OSX copy but was copying sensitive information from system as it booted and sent it to bad guys (hackers aren't the proper name for that for the sake of hackers that do nothing bad)

Re:Linux literaly was used for this as well (1)

Osgeld (1900440) | more than 2 years ago | (#36755608)

whats linux? oh its that thing on my computer that magically woke up one day and decided it did not like my 1280x1024 resolution and decided for me that 320x240 was enough space and is now stuck there

Re:Linux literaly was used for this as well (1)

oakgrove (845019) | more than 2 years ago | (#36756330)

It's also that thing that is running a third of all smart phones and projected to be running half of them in a couple of years. In case you missed it, 500,000 Linux powered cell phones ship out everyday and none of them forget the correct resolution. Linux is everywhere and enjoyed by hundreds of millions of people everyday. Sorry to be the one to tell you.

Re:Linux literaly was used for this as well (0)

Osgeld (1900440) | more than 2 years ago | (#36756420)

geez leave the basement for a moment, its called a joke and if you were not so busy being the sole defender of linux you might understand that

please carry on captain linux the universe needs more people like you (and since your dense that was called sarcasm)

Re:Linux literaly was used for this as well (0)

Anonymous Coward | more than 2 years ago | (#36756660)

since your dense

Ah, sweet irony.

Re:Linux literaly was used for this as well (0)

Anonymous Coward | more than 2 years ago | (#36757892)

link is goatse. All dotmatrix* posts seem to be.

Contact the FSF (2)

MobyDisk (75490) | more than 2 years ago | (#36755504)

The Free Software Foundation (FSF) has a very good track record of dealing with these kinds of issues. The Electronic Frontier Foundation (EFF) may also be able to help.

One solution (0)

fremean (1189177) | more than 2 years ago | (#36755506)

Shoot them all - preferably with small caliber rounds, many times... Heck, a blunderbuss loaded of bits of broken beer bottle would work nicely.

Flaimbaity Submission is Flamebaity (0)

instagib (879544) | more than 2 years ago | (#36755514)

In other news, in Soviet Russia a Beowulf cluster of hackers downloads malware from YOU! (Which means that you are an insensitive clod.)
My lawn is yellow these days, BTW.

Re:Flaimbaity Submission is Flamebaity (1)

Mashiki (184564) | more than 2 years ago | (#36755716)

Your Beowulf cluster sucks. Mine writes the malware and injects it into YOU!

Hang on a second... (0)

Anonymous Coward | more than 2 years ago | (#36755584)

...this is precisely the antitrust allegations raised against Google, complaining about adwords for trademarked names, only respun to include FLOSS.
Remind me, are we pro- or anti- on this day of the week?

Linux was literally used for this purpose as well (-1, Troll)

dotmatrix7 (2370662) | more than 2 years ago | (#36755616)

A bootable [thoughts.com] linux disk that pretended to be MAC OSX copy but was copying sensitive information from system as it booted and sent it to bad guys (hackers aren't the proper name for that for the sake of hackers that do nothing bad)

Re:Linux was literally used for this purpose as we (2, Informative)

Anonymous Coward | more than 2 years ago | (#36755714)

Goatse alert!

Common Sense. (2)

PessimysticRaven (1864010) | more than 2 years ago | (#36755662)

Two things:

1. Agreed with everyone else, in that the summary is written in such a way that one would interpret VLC infected. Bad form on the summary writer's part. (insert rant about /. editing style, rabblerabble)

2. This is zero to do with FOSS. Even paid software can be used to shovel-out any form of virii, malware, digital Bubonic Plague, etc. This is about people downloading any and everything that has a link attached, from 'trusted' sources and flashing banner ads.

I'm going to make this real simple, Internet Security 101-style: If you download something and you don't make the MONUMENTAL effort to scan it with whatever virii scanner you're using. You deserve what you get. True, virus scanners are not the be-all/end-all of security, but considering most of these infections are lazily coded, your scanner of choice would probably find the source of the infection, but probably their Twitter, Facebook, Google, and grocery shopping lists, too.

You wouldn't stchup a prostitute without a condom, right? (I hope!) Same thing applies when you 'jack in' to the intertubez.

Re:Common Sense. (0)

Anonymous Coward | more than 2 years ago | (#36755768)

Actually it's about VLC being repackaged with malware and still being called VLC.

Re:Common Sense. (0)

Anonymous Coward | more than 2 years ago | (#36756176)

Exactly and this misleads the users because they're thinking that "VLC Media Player" (the real one) is bundled with crapware.

why would you download an infected copy? (0)

Anonymous Coward | more than 2 years ago | (#36755672)

VLC has always been available from the same source, why get it anywhere else? They aren't going anywhere. There's a bigger picture though to open apps getting infected and distributed. I think the responsibility lies on the developers to at least delinquently inform the user through the application how/ where they should get it and how to check its legitimacy. Something like Putty or Truecrypt where security is at stake, banner their websites for YOU, the user to check the md5 hash sum. Most people choose not to do this as it's a hassle and at that point all there is you probably won't get infected, but you aren't doing anything to prevent it either (just like running w/o an AV).

Digital Signatures (from distributions) (3, Insightful)

lkcl (517947) | more than 2 years ago | (#36755720)

this is entirely and precisely why distros such as debian go to such lengths to place GPG digital signatures on the downloads; why they go to such lengths to enact extensive GPG key-signing web-of-trust exchanges etc. etc. no software is allowed into the archive that is not GPG digitally-signed by someone who is part of the GPG web-of-trust network (thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document).

the lengths to which for example the debian developers go are sufficiently extreme that it would be an incredibly foolish exercise for any debian developer to even attempt to place spyware or any kind of malware into packages, because they could be identified (via their GPG Digital Signature) and thus banned for life from the debian project.

the lengths to which it would be necessary to go, to circumvent such a system, involve cracking of GPG Digital Signatures or of compromising the Debian Packaging system itself, and switching off the signature-checking system. whilst the average person would not know how to check that this had occurred, it is an extremely remote and unlikely possibility in and of itself; the experienced debian user could boot up off of a live boot or rescue CD and use rkhunter or chkrootkit to verify that the system had not been compromised.

all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system! if you ignore this kind of advice, then you deserve everything that you get.

Re:Digital Signatures (from distributions) (1)

kevorkian (142533) | more than 2 years ago | (#36757322)

(thus whose physical identity has been identified MULTIPLE times by their peers including showing proof of identity in the form of passports or other physical but trusted identification document)

Citation needed

Re:Digital Signatures (from distributions) (0)

Anonymous Coward | more than 2 years ago | (#36757880)

Ever been to a key signing party? Those guys are pretty serious!

Re:Digital Signatures (from distributions) (0)

Kjella (173770) | more than 2 years ago | (#36758090)

all in all it has to be said, in simpler terms (as many people on comments here have already said) - don't download stuff you can't trust! but if you can't be bothered to check, but are using a stupid operating system into which a package verification system is not built-in from the ground up, then don't use that stupid operating system!

They did make a package system where only vetted, approved software can be. And they called it an App Store. Last I checked slashdot didn't like the idea, so damned if you do and damned if you don't. People here still won't be pleased unless you run Linux.

Dilemma? (1)

Thinine (869482) | more than 2 years ago | (#36755744)

What dilemma does this present for developers? It presents an obstacle to overcome, but where's the dilemma?

Re:Dilemma? (1)

lkcl (517947) | more than 2 years ago | (#36755906)

in the event that you're not asking a rhetorical question: there isn't a dilemma, and there is no obstacle to overcome.

developers release source code (along with an MD5 or SHA-1 checksum) off of an implicitly-trusted (i.e. non-hijacked) web site. that is the limit and scope of their responsibility - period.

distribution managers have a responsibility to then check that checksum, and to ensure that the downloaded source code is not compromised. they are also responsible for compiling that software into a package, which is then digitally signed and uploaded to a distribution server. that is the end of _their_ responsibility.

the distribution server (or, the managers behind the distribution server) have a responsibility to install software which double-checks the digital signature on the uploaded software (and to reject anything that isn't signed). the double-checked package is then placed onto the downloads list. that is the end of _their_ responsibility.

the user installs the operating system: it contains digital-signature checking software. a download happens. the digital signature is checked.

at no point is the developer of the *original* software involved in or in the slightest bit responsible for any of the above, with the sole exception of placing their software onto a web site and making it available.

there is one team who have decided to break this rule: the freeswitch team. they have taken it upon themselves to "take responsibility" for things which they should never have taken responsibility for, and they have ended up quite literally creating an entire software build and software distribution system, and have accidentally created forks of dozens of software packages and are getting themselves into a fucking awful mess as those multiple packages are getting severely out-of-date and could contain quite serious security flaws which the developers of freeswitch simply do not have time to even identify let alone fix.

the freeswitch team's stupidity in crossing the boundary is therefore an exceptionally good case study demonstrating why it is essential that free software developers NOT go outside of the scope of their responsibility, and leave it up to distributions to perform the packaging of (and signing of) the software.

Often bundled with crapware and malware (0)

Anonymous Coward | more than 2 years ago | (#36755866)

You mean like the Bing/Google/Yahoo toolbars? Or was that Paint.NET?

retarded (0)

Anonymous Coward | more than 2 years ago | (#36755940)

Oh, then floss sucks... I will only allow propietary software to provide me malware, from now on.

Observations (1)

atomicbutterfly (1979388) | more than 2 years ago | (#36756496)

The article has a link to the developer's blog which outlines the various companies which are abusing VLC by distributing it with malware. I noticed two interesting things about the blog posting:

(1) The developer refers twice to 'our IP' (violate our IP, enforce our IP). That's fine, but I imagine some Linux fanatics will be pissed that the developers consider intellectual property as a real thing and not an abstract constructed to be ignored, as some people want to believe.
(2) Someone asked in the comments if the developers have tried contacting Google to see if they can remove the companies which are abusing AdWords by running these scams. Google apparently doesn't care, because they make a lot of money out of them regardless of their obvious intent. I really wish people didn't hold them up to be bastions of good in the world.

Re:Observations (0)

Anonymous Coward | more than 2 years ago | (#36756832)

Really? How does Google not care? They contacted the developer back two days after he contacted them to see if they could sort out the issue, which doesn't seem like a long time to me, and their policy on trademark abuse seems quite clear. [google.com]
All we're seeing is the same old re-framing of the old antitrust allegations against Google (which failed), only with a FLOSS twist to it. It would be interesting to follow the money behind the published article, and see where it leads.

Package manager, anyone? (3, Informative)

seandiggity (992657) | more than 2 years ago | (#36756596)

Besides the obvious point that you can package any type of bloat or malware with closed-source software (spend some time putting together an installation wizard for Windows, and you'll see you can get away with pretty much anything), there's also the fact that F/OSS operating systems almost always have a package manager, which encourages only downloading through trusted sources. So the F/OSS way of doing things is to be careful about trusting where your binaries come from.

sudo apt-get install vlc is not gonna get you anything but a legit version of VLC, unless you setup JOez BaDazzz REPO by following directions on the 5th page of Google's search results.

Re:Package manager, anyone? (0)

Anonymous Coward | more than 2 years ago | (#36757964)

How should a user know which sources to trust? For any piece of software that isn't in the official repos, when some webpage (that looks legit and was mentioned by some anonymous coward on a forum) tells me to add "blah something something" to my sources list, that's exactly what I do. Web of trust my ass.

And for Ubuntu, why should I trust the official repos in the first place? Ubuntu is so much committed to free software that the software manager forces a $$$ware section on me.

download the hot new apt for windows! (1)

decora (1710862) | more than 2 years ago | (#36758590)

the hottest software manager on the planet! just one click to download! one click to install!

apt is used the world over by leading government and industry agencies, including the department of defense (military grade), homeland security, IBM, NASA, and the FBI. now, through this special offer, apt is available to you, at no cost!

Re:download the hot new apt for windows! (1)

seandiggity (992657) | more than 2 years ago | (#36758812)

the hottest software manager on the planet! just one click to download! one click to install!

apt is used the world over by leading government and industry agencies, including the department of defense (military grade), homeland security, IBM, NASA, and the FBI. now, through this special offer, apt is available to you, at no cost!

Might be worth the malware to finally get a nice package manager on Windows ;)

"Play by the rules" (1)

Blakey Rat (99501) | more than 2 years ago | (#36756934)

What "rules" prohibit someone from taking an open source project and re-packaging it with an installer that also installs malware? Am I correct in assuming the answer is "nothing?"

Other than the possible trademark infringement, which has nothing to do with the software license.

Re:"Play by the rules" (0)

Anonymous Coward | more than 2 years ago | (#36757554)

What "rules" prohibit someone from taking an open source project and re-packaging it with an installer that also installs malware? Am I correct in assuming the answer is "nothing?"

Other than the possible trademark infringement, which has nothing to do with the software license.

The original VLC is GPLv2. At the very least, the rule is: the re-packagers must release the source or cease the distribution (although they can continue to use the modified version themselves, if so they wish).

Re:"Play by the rules" (1)

Blakey Rat (99501) | more than 2 years ago | (#36757756)

Yeah but that doesn't say anything about "you can't have your installer also install malware."

My point is that if you don't want something to happen, put it in the license. If it's not in the license, it's fair game.

Defend your trademark! (3, Informative)

Anonymous Coward | more than 2 years ago | (#36757074)

This happened to Mixxx DJ Software (http://mixxx.org), there was a web site that was shipping a Windows installer which installed crapware and Mixxx. The best part about it is their crapware would come up in the ads when you searched for Mixxx on Sourceforge!

The site that was promoting this crapware installer used the Mixxx name (trademark), several screenshots featuring the Mixxx logo and included a footer that indicated the contents of the page were copyright of their company 2008...

So we tracked them down and sent them a cease-and-desist email for violating our trademark (misrepresenting themselves as authors and using screenshots which feature the Mixxx brand without our consent)... Simply put we told them they could NOT use our trademark at all, this mean no screens with our logo, no mention of the projects name -> this means to comply with trademark law they will have to alter artwork (covered under the GPLv2) and in doing so will be required rebuild the app and redistribute all of the code also. As far as we are aware they complied and now they are substantially less relavent from a branding perspective and no longer really much of a threat to our user community...

You may not be able to enforce copyright if they comply with the terms of the license the software is distributed under (in this case GPLv2), but you can sure as hell stick it to people who attempt to tarnish your brand with trademark law and certainly make it far less convenient for these scum-balls to do this and still be on the right side of the law.

-G

Re:Defend your trademark! (1)

Billly Gates (198444) | more than 2 years ago | (#36758942)

I can upload it to a server in China or India where the trademark is not observed and simply name it a higher version to fool the users to download my Mixx software instead of yours. That wont change unfortunately.

Windows needs a package manager and repo system (1)

EEPROMS (889169) | more than 2 years ago | (#36757444)

With Linux this isnt such an issue, as everyone knows you just tell the package manager to install vlc and it gets it from a trusted server and even does a hash check to make sure the final copy of the file/s downloaded are correct. Seriously someone should create a windows application manager apt for windows or something. Seriously right now most people using windows who want to install FOSS software are finding it hard to separate malware from the real deal. Windows 8 will have an app store but how receptive Microsoft will be to having FOSS applications listed (and for how long) on their service is up in the air.

Re:Windows needs a package manager and repo system (1)

Billly Gates (198444) | more than 2 years ago | (#36758946)

It has .MSI files. Most real software products use it rather than a winzip or .exe as the file offers AD integration and group policy support as well which is really cool for enterprise users.

I always download .MSI files because if the installation fails I can recover easier ... back in the days of XP.

Wish they'd fix it. (0)

Anonymous Coward | more than 2 years ago | (#36757482)

We are all actually just waiting for the VLC crew to fix it again after they did a RealPlayer on it.

The new plugin system is hopelessly confusing and half the options don't do anything. The new transport bar is annoying. It's missing a heap of newer codecs that it needs. And it fails very ungracefully.

They are trying too hard (1)

brim4brim (2343300) | more than 2 years ago | (#36757492)

You don't need to get the source for VLC or even use an Open Source project. Just learn how to make an installer for the appropriate platform. A .dmg file for OSX, a .deb for use with gDebi or equivalent depending on distro for Linux and a nullsoft installer for windows. You could package it with the most common media player for any of those plaforms and if it is the bundled one, just claim it has some new feature and lie about the version number to get users to install the software and ensure it isn't tidied up properly afterwards during uninstall. I'm not sure how well that work on platform other than Windows but I've written windows Nullsoft installers and know I could get away with it. As always the lesson is only use trusted sources.

You should become (0)

Anonymous Coward | more than 2 years ago | (#36757544)

suspicious when starting the VLC player, the only thing you see is a very large cock.

really (1)

Mick R (932337) | more than 2 years ago | (#36757864)

and this is soooo much worse than the malware authors who do this on closed source software ... how? Decompilers are readily available. The only thing they don't give you is the comments and annotations. If you're good enough to write decent malware then decompiling a closed source binary and inserting your payload really isn't an issue and people will trust what you put back into the wild because it's closed and "safe".

VLC Android (0)

Anonymous Coward | more than 2 years ago | (#36758190)

I had a similar problem looking for a version of VLC for Android. There are a lot of search results, but they all look shady. Is there a legit one in the Android marketplace?

Re:VLC Android (1)

Zugok (17194) | more than 2 years ago | (#36758894)

No, official vlc for android yet but they are working on it (http://ivoire.dinauz.org/blog/index.php?post/2011/02/02/VLC-on-Android) but in the mean time if you are up for it, you can always compile it yourself (http://wiki.videolan.org/AndroidCompile). I can't say I have had much luck working on the phone.

WHY DO I CALL IT OPEN SORES? (-1)

Anonymous Coward | more than 2 years ago | (#36758586)

See article & topic posted here as news... says it ALL for me!

In fact, a couple times this week I've debate this with others here!

Yes, I even use Linux in KUbuntu 10.10 here myself on a 2nd rig to "see how the other 1/2 lives" & it works, but, it's still NOT Windows 7 on a number of grounds! Those mainly being:

---

1.) Drivers of as high a quality as Windows has, for hardwares for PC's-Server

2.) Availability of games for home users

3.) MOST IMPORTANTLY, the # of unpatched bugs present in the KERNEL ALONE is 4++x that of Windows Server 2008 too!

---

* Yes - Despite all those "Open 'SORES'" eyes allegedly poring over Linux' sourcecode which is the minority of its users no questions asked, most do NOT even code, let alone professionally (which this article even backs a point of mine, that closed source is harder to go after for finding vulnerabilities in it because it's closed source) That for YEARS here on /. I heard complete b.s. on that it's "more secure than Windows"?

Heck, that's b.s.!!!

(ANDROID shows that Linux was enjoying "Security-By-Obscurity" only, because once ANDROID, a Linux variant, took a HUGE share of the mobile phone market? You see that what's ontop of & built around the Linux core/kernel makes it terribly more vulnerable moreso still!)

E.G. #1-> The Linux 2.6x mainstream kernel ALONE has more unpatched bugs in it than nearly ALL of what Microsoft gives you for business & development purposes per SECUNIA.COM data on that stuff...

E.G. #2-> Plus, Phishers & Spammers prefer to attack & abuse LAMP setups more too!)

What really shows the quality difference though? Well, Open "sores" is GIVEN AWAY, & still can't overtake Microsoft... that says a LOT in & of itself!

FREE should win... but not when the free imitation's not as good on ALL GROUNDS as the paid model closed source stuff is... clearly (or is the majority of the worlds' PC's @ 94% of the market using MS stuff wrong? I know not & I cite why above, in part @ least...)

APK

P.S.=> Too bad though on this, but that's the PRICE PAID on being "Open 'SORES'" though - too bad, because VLC is a NICE piece of work too, when NOT abused thus... apk

itWorld Guys (1)

mehemiah (971799) | more than 2 years ago | (#36758754)

seriously, this is just like those people who sell paint.net I single this out because its not under an OSI license. Its not about license its about people downloading things they know nothing about. people don't research everything they download. Its hard to do good research when there are things like astroturfing [wikipedia.org] so it actually looks like the walled garden model of protecting your users is starting to look valid. Linux distros count as a walled garden if we are to call the community the gardeners who approve the software in the repositories. I would like to point out Fedora resisting to put SQLninja in their repositories as gardeners that people have been pissed at. I dont like the truth of what I'm saying. GNU/Linux and open source is about putting the power of the computer into the users hands, getting away from the priests that curate our computing experience. This freedom can't happen if the people in the bazaar can't be trusted either, we must encourage people to think for them selves but teach them the way to discern the truth so they can tell the good venders from the bad ones. ... hmm, I think thats what lulsec is doing but this post has gone on long enough.

Same issue for Gimp for Windows (1)

Billly Gates (198444) | more than 2 years ago | (#36758932)

I do not remember which version but I reconized it as Gimp 3.02 for Windows when Gimp 2.x was on my Fedora 12 installation. I downloaded it and installed it and it tried to install some malware toolbars. I clicked cancel and ran a virus scan. Prettry clever and very cheap to do I may add for the average Joe to simply recompile it and create a website. FREE MONEY. With money for each installation of gatorsoft/claria or god know whats you can make money fairly easily. This was before Gimp 3.02 was out for win32 so it tricked me and probably others thinking this was the most modern version.

I wished I would have thought of it first, but I realized that is kind of slimy to do. I did more Google searching to find the real GIMP package from Gnome for Win32. When it comes to FOSS software other than Linux it is a good practice to run an anti virus scan. If you trust the host that is one thing, but I can see the average Joe thinking OpenOffice is OpenOffice.com ... not OpenOffice.org.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...