| HN Mirror

Y	Hacker News new \| ask \| show \| jobs


	by emodendroket 4 days ago
	I have to say, the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons -- including that nobody has the time to inspect the code, let alone ensure that it matches the binaries; and also that GitHub has become a distribution hub for software used by lots of people with no ability or interest in auditing the software they use.

16 comments

embedding-shape 4 days ago

> the principle that open-source software can't do anything nefarious because the source is open just hasn't held up for a lot of reasons

You've been living on such a principle? That sounds insane, why would something not be nefarious just because you can read the code?

The way I was "raised" by FOSS greybeards screaming at me through web forums, was that any software available on 3rd party websites anyone can upload anything to, will be filled with viruses and malware, and this was early 2000s. Surely people still advocate for this mindset today, when it's even more likely?

emodendroket 4 days ago

No, I've not been "living on" such a principle but it was a big claim for "the bazaar."

embedding-shape 4 days ago

Aha, wasn't that argument more about that closed source software is more likely to hide stuff you don't agree with, than FOSS? Not necessarily that FOSS won't have any viruses or malware, but it's at least less likely. That was my take away, but long time ago I read the book admittedly, I might misremember or transformed it automagically over time.

CapsAdmin 4 days ago

This is my takeaway as well. Having the source code open makes it auditable, if not by you, maybe the community.

The free software license specifically gives the software an extra advantage in that changes to the software must be shared openly, if distributed as as binaries.

jankdc 4 days ago

> source code open makes it auditable, if not by you, maybe the community

I think part of why this social engineering works so well is it takes advantage of that "many eyes" trust, where people are prone to delegating the responsibility of checking to the community and not do due diligence on themselves. I know I'm susceptible to it if I see a Github repo with more than 10k stars on it.

embedding-shape 4 days ago

I don't know, I feel like the "numbers" like upvotes, stars, favorites or whatever stops working for me the second I see it being obviously gamed, and when there is a ton of services for buying "higher $number". GitHub stars probably stopped mattering around 2016-17 sometime, I think that's the first time I came across one of those "increase $number" services.

By now (imo), the entire web is gamed and no number can be trusted, I operate completely on a qualitative basis rather than quantitative, basically the only way I can get something out of the web. Ignore all and any numbers as any indication of anything.

emodendroket 4 days ago

I know. But the problem is that in reality the only way to get people to audit software reliably is to pay them to do it, so it's not really true as a general principle that open-source software is more thoroughly vetted.

CapsAdmin 4 days ago

I'd say it's objectively true to say that open source software is easier to audit compared to closed source software, which you can extrapolate to mean that it's less prone to malicious code injection.

It's not perfect, but surely it's easier to audit for malicious code than closed source.

Also, there is no shortage of volunteers looking out for code changes in established open source software. I think it's fair to exclude software that is very new and/or that has no users, which may be closer to equal footing with proprietary software.

Even for established proprietary software, you get volunteers watching out for changes in releases. Though, far less than open source, and more reserved for people who know reverse engineering.

abc123abc123 4 days ago

You'd better read it again, because that claim does not figure in that text. You might mean that with more eyes on the code, more bugs are found, than with no eyes on the code. But that is not what you are saying here.

rectang 4 days ago

Here is the relevant quote from _The Cathedral and the Bazaar_[1], which was given the name _Linus's Law_[2] in honor of Linus Torvalds:

> Given enough eyeballs, all bugs are shallow.

[1] http://www.catb.org/~esr/writings/cathedral-bazaar/cathedral...

[2] https://en.wikipedia.org/wiki/Linus%27s_law

Defletter 4 days ago

> You've been living on such a principle? That sounds insane

Fun fact, I've spent the last few days fretting over whether to add H2 to my FabricMC mod. The problem being that I don't know what class-loading shenanigans could possibly occur if I jar-in-jar include it: what happens if another mod has H2 jar-in-jar included? Will my mod only reference its own version of H2? What implications [if any] would that have? Or will the Fabric Loader pick one? What if another mod has H2 shaded instead? Will the classes clash differently? What if, instead of jar-in-jar including it, I shade and relocate it? Does H2 or JDBC rely on reflection or services that would render it non-functional?

All recommendations point to using/creating a mod specifically for that library and depending on it. As luck would have it, one already exists on Modrinth. Except... I'm then requiring anyone who trusts my mod to also install this other mod that I have no control over. I just looked at the source code and it looks fine, but that's if you trust that the published jars are the exact result of that source code: maybe there's something malicious in the Gradle Wrapper binary. This mod could at any time become malicious and how would I detect that?

Guess what? I asked around and was summarily told to stop worrying, that it's fine. We on this website need to realise that we're a minority: NO ONE is routinely (or even occasionally) scrutinising the source code of the stuff they install from third-party websites. I have never, not once, seen anyone hash a downloaded file to check that it matches what's on the website. At the very most, I've seen people find the Github repo, see that it has a lot of stars, and then assume it's safe.

embedding-shape 4 days ago

It's worth remembering that mod development/ecosystem has a very different engineering approach compared to software engineering in companies, or even FOSS at large. If you asked around in a modding community about software development, you'd get very different responses compared to the in-house company Slack or whatever.

Defletter 4 days ago

Of course, it's a largely hobbyist venture, which also inadvertently makes it more difficult to audit. But the software engineering aspect was not really the point, just the context: the vast majority of people will just blindly install anything (regardless of whether it's open or closed source), clicking through the installation wizard, accepting the prompts for admin privileges, etc, without a care. But even within the minority of us end users who know what "open source" even means, there's a shocking amount of people who assume that an open source project is necessarily safer because, well, the source is publicly available... someone must've already done an audit, therefore it's safe.

ForOldHack 4 days ago

It does not just sound insane, it is insane...

"He reverse-engineered an actual attack. The project contained scripts that enabled code injection and crypto-wallet theft. His post (highly recommended):"

https://www.linkedin.com/pulse/como-identifiquei-um-golpe-em...

"The execp package (version 0.0.1) is an infamous, malicious dependency frequently used in recent supply-chain attacks and job interview scams. Threat actors embed this 9-year-old package into seemingly innocent "technical assessments" or projects. When you run npm install, it quietly executes arbitrary shell commands in the background to compromise your machine."

tuwtuwtuwtuw 4 days ago

> You've been living on such a principle?

I have not, but in case you missed it, this principle has been used by open source proponents for decades. I'm an open source developer myself, but always found it odd.

nixosbestos 4 days ago

No, it's really not, and really hasn't been. Do people truly have such poor reasoning and logic skills?

"Closed source software is inscrutable, impossible for me to fix, impossible for me to review the source" is absolutely a distinct statement from "it is impossible to hide malware in open-source software". I've literally never heard someone claim the latter.

(edit for coherency, thanks graemep)

emodendroket 4 days ago

I would say that it's not just an academic argument that's being made about what is technically possible but a stronger claim about what is likely. If the claim is just you technically _could_ do it, sure, that's true by definition.

birksherty 4 days ago

> "it is impossible to hide malware in open-source software"

No nobody said "exactly that". But many times I've seen people claiming to trust open source as it is safer and people can check and build themselves. Seen it too many times. But reality is different than what is claimed.

thwarted 4 days ago

It's safer in the same sense as if you're paranoid about your date being a serial killer, you meet them in a public venue. It doesn't mean your date isn't a serial killer, but the risk profile is different because other people can be involved/witness/have context.

You didn't use the word "safe", you used the relative term "safer", and on average, it is harder to hide ill intent in open source software, there's a greater chance it will eventually be discovered. The blast radius is larger for open source (because the barrier to using it is lower), which increases the number of people impacted, but an increase in the number of people impacted also increases the chance of discovery and motivation to address it once discovered.

emodendroket 4 days ago

I would wager a policy of only installing commercial software from well known vendors has a better success rate.

graemep 4 days ago

I think you mean open source in the second bit in quotes.

tuwtuwtuwtuw 4 days ago

I genuinely don't understand what you are trying to say.

fsflover 4 days ago

This is not the argument at all. It's just easier to discover malware in closed software.

spicyusername 4 days ago

The choice is between code you can validate and code you can't, not code that has malware and code that doesn't.

swatcoder 4 days ago

That's not a distinction that people really benefit from.

Approximately nobody can read other people's code for intent or quality, let alone to surface malware meant to be hidden in it.

For almost everyone, the only hope is that somebody else validated the code you want to use before you choose to use it and successfully interfered with its distribution upon finding an issue. That's why the culture of automatic-updating package managers and bloated dependency graphs are so dangerous and why inserting delays into package managers can make such a difference in exposure to supply chain attacks for those that are intent to use them.

It's true that open source provides the transparency that makes any kind of third-party validation possible, but closed source benefits from commercial vendors staking their brand on what they release. It's a tradeoff, not a straightforward win for one side.

spicyusername 4 days ago

    That's not a distinction that people really benefit from.

    Approximately nobody can read other people's code for intent or quality

I can't disagree more.

The problem the article is describing seems to have little to do with open source. There were GitHub repositories that had links added in their READMEs to a zip file containing compiled binaries.

GitHub is not a curated software repository. It's essentially no different from some random stranger linking to some binaries on a forum. (There are communities that seem to have no concerns about running unknown binaries from strangers in forum threads, but I wouldn't recommend it.)

doctorpangloss 4 days ago

there are numerous OSS maintainers who have turned GitHub into a religion. the maintainers of bevy and brew come to mind. it is a "curated software repository" and so much more, it's practically a way of life for these guys.

BonerWiener 4 days ago

> I have to say, the principle that open-source software can't do anything nefarious because the source is open

No is saying this. I think you have misunderstood the principles of open source. I'd rather be able to verify the code i am running, then it being locked down, propreitery.

I have the possibilty to audit FOSS. Cant do it for propreitery software

emodendroket 4 days ago

And how often do you do it?

nkrisc 4 days ago

Never heard of that principle. I have heard people say that if an open source project was doing something nefarious it would be easier for someone to discover it.

moomin 4 days ago

Ironically, one of the promises of AI: enough eyeballs.

The catch is the eyeballs can also be used to generate exploits.

ffacu 4 days ago

I think that this is becoming increasingly true only for large, well-known repositories, where the maintainers have a lot to lose by doing anything shady. I don't think the React team could get away with doing something like that, for example.

megous 4 days ago

What's opensource about this?

  - Application.cmd or Launcher.cmd
  - loader.exe or luajit.exe or another_name.exe
  - random_name.cso or random_name.txt
  - lua51.dll

All of the content are binaries or launcher scripts.

atmosx 4 days ago

Not true. If statistics offer a “measure” of reality, my guess is that “OS doing nefarious things” must fall between 0,005% and 0,007%. In any case compared to the extracted value it’s … nothing.

kgwxd 4 days ago

That's not a principle anyone, that knows anything about software, holds.

prmoustache 4 days ago

Why the hell do you think this is related to open-source software?

flykespice 4 days ago

The xz backdoor should've been a wake up call for everyone subscribing to the classic cargo cult that "malware can't exist in open-source software". All the payload was submitted through auditable code that was cleverly concealed from review.

toofy 4 days ago

this issue was found specifically because these things are open source.

the ethos of open source is that bugs and malicious code are more likely to be spotted.

we’re discussing this on hn right now strictly because the code is open, the abusive code was found because it is open.

abusive people will make abusive software. the problem lies in the fact that despite absolutely having the resources, microsoft won’t do anything about it, not in the fact that we can see the abuse.

the problem is microsoft, yet again.

Yokohiii 4 days ago

If all projects on github were closed source with public "trust me bro" binaries the situation would be of course much better.

birksherty 4 days ago

"Trust me bro" is what people say about open source everywhere when it's not true.

Yokohiii 4 days ago

No clue what that means.

emodendroket 3 days ago

I would imagine what it means is that in practice open source just gives a false sense of security that someone must have looked at it.

LtWorf 4 days ago

It held up before github became a platform for grifters and having stars attracted VCs.

djent 4 days ago

strawman