[Note: This situation changed since I wrote this in 2014/2015]
I’m Jason Firth.
I want to talk a bit about a trend I’ve been seeing.
First, some background to understand where I’m coming from.
Downloading a piece of software on the Internet is a real gamble.
Of course, some software contains viruses meant to destroy your PC, but that’s a relatively small amount. To really understand where the software that will really harm you comes from, you need to follow the money. Some people make money stealing proprietary secrets from companies, or credit card numbers, or passwords for paid accounts on services like Netflix. Other people make money selling advertising displayed through unscrupulous means. Still other people make their money controlling “botnets”: large numbers of computers (computers owned by normal people) infected with malware that puts them under a remote operator’s control. The operator rents them out, and the buyer uses them to flood a server with specially crafted packets that tie up resources like bandwidth and memory so the server can no longer operate, in an attack called a “Distributed Denial of Service”, or DDoS.
There are a few ways you can be infected (called ‘vectors’). In 1999, my first website was hosted on a free web host, and I visited my own website to learn it was trying to install a spyware program on my PC (I soon after started paying for ad-free hosting). In 2000, the ILOVEYOU worm moved through e-mail as a VBScript attachment; Windows hid the file’s .vbs extension by default, so it looked like a harmless text file, and the script ran the moment the recipient opened it. In 2004, the Sasser worm could infect a PC that was simply connected to the Internet, without the owner of the computer doing anything wrong, by exploiting a flaw in a Windows network service. Along the way, programs that were (or appeared to be) useful eventually started being bundled with a new kind of unwanted program, adware, that served advertising content even when the program wasn’t running. Some applications installed this software without any indication that they were doing anything. Others would try to hide their request to install behind deceptive wording or deceptive button placement. Either way, once installed, the new program would display advertising on your PC even when you weren’t using the application that installed the ad program; in fact, sometimes even after the original program was uninstalled.
My first job was as a registered apprentice helpdesk support analyst for a school board. One of the challenges they faced at the time was removing the programs installed by peer-to-peer file sharing programs (it was a more innocent time, before such computers were completely locked down). These programs would cause web advertisements to appear, and used resources that the old Pentium 133MHz machines with 32MB of RAM couldn’t really afford to give up.
If you want to be assured that software from the Internet is safe, you have only a few options. You can download only from trusted proprietary sources like Microsoft. You can just not download anything at all. A third option for a long time was Free and Open Source software. This software is written by hobbyists or by companies who want to build an open platform, and is licensed so that everyone who wants to use it can use it, and anyone can access the source code, modify it and redistribute it, but only if they release any modifications for use by others. (This is a “copyleft” licence, such as the GPL; there are other free licenses which are broader, but we’ll discuss this one for now.) These programs didn’t usually come with problem software, because anyone could check the code and compile a clean version from scratch. The catch is that this protection applies to the source, not to a binary installer: if the installer you run comes from a download site rather than from the project itself, the only way to know it is the project’s build is to compare its checksum or signature against the one the project publishes.
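As an added example (not part of the original post, and not code from any project it mentions), here is the check described above scripted as a small POSIX shell function: compute the SHA-256 of a downloaded file and compare it with the digest the project publishes. The file names, the “bundled” copy and the digest are constructed for the demonstration; a real use would paste in the digest from the project’s own release page. The point it shows is that an installer wrapper cannot add bytes without changing the hash.

```shell
#!/bin/sh
# Added example: verify a download against the project's published digest.
# Not from the original post; file names and sample content are constructed.
set -u

sha256_of() {
    # Print the SHA-256 hex digest of a file, using whichever tool is present
    # (sha256sum on GNU systems, shasum on BSD/macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_release() {
    # $1: downloaded file, $2: expected digest copied from the project's site.
    # Returns 0 when the bytes match, 1 otherwise. Case is normalised so a
    # digest pasted in upper case still compares correctly.
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

demo() {
    # Constructed sample: a stand-in "release" whose digest we pretend the
    # project published, and a copy with extra bytes appended, the way a
    # wrapped installer would differ from the original.
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/project-1.0.tar.gz"
    published='5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03'
    cp "$dir/project-1.0.tar.gz" "$dir/project-1.0-from-mirror.tar.gz"
    printf 'bundled-adware-stub' >> "$dir/project-1.0-from-mirror.tar.gz"

    for f in "$dir/project-1.0.tar.gz" "$dir/project-1.0-from-mirror.tar.gz"; do
        if verify_release "$f" "$published"; then
            echo "OK       $(basename "$f")"
        else
            echo "MISMATCH $(basename "$f") (do not run or build this)"
        fi
    done
    rm -rf "$dir"
}

demo
```

The digest only helps if it comes from somewhere the wrapper cannot also edit: the project’s own site, its release announcement, or a signed SHA256SUMS file, never the same mirror page you downloaded the installer from. A GPG signature on the checksum file closes that gap, but a plain digest from an independent source is already enough to catch a repackaged installer.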
Unfortunately, something has changed. The largest distributor of open source software, SourceForge, changed owners a few years back, and now it encourages top projects to bundle this problem software with their installers, so that it gets installed on their users’ computers.
I’ve contributed to open source projects over the years. I’ve written documentation, I’ve written code, I’ve even started projects. I believe in the idea. To see big projects that people like me have put their heart and soul into and to have it used to try to unscrupulously infect other people’s computers, I consider that criminal, and I consider it a tragedy.
I consider it criminal because any consent could only possibly be gained through deception, because no reasonable person would allow such software to be installed on their computer. “Hey, want me to put advertising on every webpage you visit, even the ones without advertising? Want me to randomly pop up advertising all the time? Want all this to happen even when you’re not using my program?” Of course the answer is ‘No’. I’ve seen them get an “I agree” click by using deceptive language (“Click if you don’t want to unagree that we won’t not install the software”), or by using deceptive button placement (“next next next next next I agree to be infected with a virus”). I don’t consider this access to one’s computer legitimately authorized, and thus taking over people’s computers is a cyber-crime. Governments around the world appear to agree with me, because laws are being passed all the time to make it perfectly clear for the courts that this sort of behaviour isn’t acceptable.
As for why I consider it a tragedy, imagine the passion of people contributing to their favourite open source projects, working for no compensation. Their reward? To have the project maintainer try to take over their computer for monetary gain. That’s tragic. It really is the tragedy of the commons here, where someone realized they could burn it all to the ground to make a buck. That’s very sad.
Anyway, back to instrumentation next time. I just had to vent about the end of an era: The era where you could at least trust an open source project.
Thanks for reading!