Free software is not trusted software

Last update: 8 Jan 2019

Well, it’s 2019 now and 50% of free software projects I stumble upon are malware. Clearly, it’s time to start at least talking about this.

So let’s start with a big one: the infamous event-stream that steals your bitcoin wallet. For those who don’t want to read the whole story, basically it was an old package that was no longer maintained by the original author and was handed over to an attacker who volunteered to “maintain” it. The attacker eventually uploaded malicious code that was not in the GitHub repo to npm (the Node.js package manager), and it was happily downloaded by an unknown (but presumably large) number of people.

Code audit? Digital signatures? Nope. You upload whatever and people run it happily. Wow, guys, wow.

Well, I don’t touch JavaScript myself but here are a few projects I came across in 2018 that are all spyware:

Just to make a point, they are all free software. Of course, I usually do some research before running code on my system, so I quickly found out the nature of those projects.

The takeaway? I’d say Open Source folks finally reached their goal of convincing businesses, and the businesses started releasing their crapware/malware/spyware as free and open source software, in turn painting all the efforts to produce decent software in a very bad light. Good job, guys. Don’t think we’ll forgive and forget.

So the new rule is:

Any software marked as Open Source is malware by default unless proven otherwise.

Yep. It’s time to start a war on Open Source. Open Source is the enemy. Open Source is the source (hehe) of shitty software that will steal all your personal data. Open Source is produced exclusively by extremely evil or very stupid people. Open Source is to be eliminated. All Open Source supporters are to be treated the same way as Alt-Right people.

But why does the article title mention free software? Because it has mostly the same flaws. Free software ends with a license agreement. Nobody guarantees that it will not harm you or steal your data. In fact, most free software licenses contain text IN ALL CAPS that specifically disclaims this case.

The problem is that the 4 fundamental freedoms are only the baseline for security. What’s missing is a decentralized infrastructure of automated code audit, followed by manual checks and digital signing of every file that was audited. The key word is decentralized: we don’t want to end up like TLS, where all attackers have valid certificates signed by certificate authorities whose number is insane and which are pushed down people’s throats as trusted automatically.

It’s a shame that it has come to this. The free software movement failed spectacularly, and what’s left is a huge pile of malware that technically meets all of the movement’s goals.

I think it’s time to start a new movement. A license is not enough. What’s also needed is a digital signature from someone you know and trust. This is the only way forward. Maybe we should call it “Common Sense Software” just to distance ourselves from the evil of Open Source and the shortsightedness of Free Software.
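The model argued for above, a signature from someone you personally know and trust checked against your own local list of keys rather than a certificate-authority hierarchy, as an added example in Go (not code from the original post). The key names, the release contents and the “handed over to a new volunteer” package are constructed; the audit itself is assumed to have happened before the trusted auditor signs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// TrustStore: public keys of people the user personally knows and trusts (a local list, not a CA hierarchy).
type TrustStore map[string]ed25519.PublicKey
// Artifact is a downloaded release file, a detached signature and the claimed signer's name.
type Artifact struct {
	Name, Signer        string
	Contents, Signature []byte
}
// Sign produces a detached Ed25519 signature over the SHA-256 digest of contents.
func Sign(priv ed25519.PrivateKey, contents []byte) []byte {
	digest := sha256.Sum256(contents)
	return ed25519.Sign(priv, digest[:])
}

// Verify returns nil only if the file's digest carries a valid signature from a key in the trust
// store. An unknown signer fails closed: a package handed to a new maintainer is rejected until
// someone the user trusts audits and signs it.
func (ts TrustStore) Verify(a Artifact) error {
	pub, ok := ts[a.Signer]
	if !ok {
		return fmt.Errorf("%s: signer %q is not in the local trust store", a.Name, a.Signer)
	}
	digest := sha256.Sum256(a.Contents)
	if !ed25519.Verify(pub, digest[:], a.Signature) {
		return fmt.Errorf("%s: signature by %q does not match the file", a.Name, a.Signer)
	}
	return nil
}

func main() {
	// Constructed keys: an auditor the user trusts, and a volunteer the user has never met.
	auditorPub, auditorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, volunteerPriv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := TrustStore{"auditor-i-know": auditorPub}
	release := []byte("module.exports = function () { /* audited release */ }")
	audited := Artifact{"pkg-1.0.0.tgz", "auditor-i-know", release, Sign(auditorPriv, release)}
	handedOver := Artifact{"pkg-1.0.1.tgz", "new-volunteer", release, Sign(volunteerPriv, release)}
	tampered := Artifact{"pkg-1.0.0.tgz", "auditor-i-know", append(release, "\n// extra"...), audited.Signature}
	for _, a := range []Artifact{audited, handedOver, tampered} {
		fmt.Println(a.Name, "->", trusted.Verify(a))
	}
}
```

Only the first artifact verifies; the hand-over to an unknown key and the modified file are both rejected, which is the check the event-stream download lacked.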