- Dec 14, 2015
- 1
When we are talking about Malware we are talking about software made with a lack of integrity for one reason or another. While it's easy to tell people not as technical, "Just don't install and run software from unknown or unscrupulous sources" lets actually analyze how valid this advice really is today. While a good couple of decades ago this was a good rule of thumb, how practical is it today?
Well right off the bat we can say that the majority of software in Linux comes from unknown sources. Most malware attempts in open source is immediately caught by code reviews. But if something slips by.... who gets the blame? A lot of Linux distro/flavors will just issue a "oopsie!" statement to the press, we all shrug it off as it has YET to ever gotten too far before getting caught and the whole incident is forgotten. But in the world of closed source, all our faith is in the integrity of the company whose name is branded to the product. We have no idea how the machine works under the cover, we just hope that there is no secret instructions to wipe us out like Skynet. BUT problems within closed source can live there for YEARS before it is ever caught. It's a lot harder to trace machine code in applications to find malicious doings than it is to find them in source. So closed source requires a level of faith and integrity of the company providing the software. Which is fine. But there has been a on going problem with software companies that makes what we have been telling grandma to keep her computer safe, not all that correct. Software companies that once had a sterling reputation have been for the last couple decades have been outsourcing their software production to the lowest bidder. And when I say lowest, I mean in a MS dev shop, there is no way you can pay for all your developer licences at the prices they are writing software for. There is only two possibilities that can and will occur. The software is written with stolen and/or improperly licensed compilers and developer tools. OR, the company/person willing to go too low is planning to make up the low price to develop the software with unintentional things by the company issuing the contract.
So the first scenario, written with stolen/improper licensed software. This is the typical thing that happens when the software is outsourced and written by people who live in extremely poor countries. Typically there will be one guy who speaks English and has all of the licenses required legitimately and can even provide certificates. The problem occurs because this guy will outsource the work he is getting paid for at... oh lets say $10/hr, to people who have no experience but are desperate to feed their families for $1/hr. This guy actually writing the code might have been digging ditches the day before but is now a hardware driver developer today. Desperation will make you proficient at just getting something done even if you don't know what it is your doing. At $1/hr this person can waste 9 hours trying to solve a 1 hour problem and their boss is still coming out ahead. That's just a free dollar that just came in with you not having to do anything other than secure every contract you can and delegate the work out. If you work in the tech business there is a good chance you have experienced this one. Where things outsourced are coming in on-budget but WAY off of their deadlines. This is where a lot of really low quality, copy and pasted code stems from. The code a lot of times is very unstable and hogs resources like nobodies business. I have nothing against people helping people get a foot in the door to a better living. If this was just a matter of being a good humanitarian, I would be all about it. But unfortunately those who are being "bootstrapped" into computer development are not treated all that fairly nor are given any real guidance to truly learn. Instead they are typically ran on a hamster wheel till they get burned out and/or make a critical mistake and they are tossed out. Many people here in the US would lose their minds with emotion if they ever heard these stories first hand from the people that got ran over by it. Very heart breaking. But the biggest issue is that the software used to develop the software from these people, is almost always bootlegged from VERY unscrupulous sources. With these bootlegged compilers comes viruses and malware that a lot of times is specifically designed to live in compilers and replicate evil doing code into the compiled programs or into the installed packages. I have seen this a couple of times personally where professional commercial software had viruses in them that came from a strain that infects compilers as it's primary target. It's a pretty safe bet that the software came from someone too poor to be able to afford licenses and so they had to download it from pirates and these pirates are specifically targeting these people. I was very skeptical when I was first told this by engineers of a very reputable security company. I actually went out and downloaded multiple closed compilers from numerous pirate sources and every one had a virus in it that would make it seem that it was indeed targeting this crowd. (Can these people catch a break ANYWHERE?)
The second scenario, for intentionally pricing below what should be your expense is because you plan to make it up. There is a lot of ways a developer can be paid by two identities for one piece of software. One you can reuse code that belongs to another company. Something these corporations are typically forgetting is yes your competitor is paying less for development by outsourcing, but what is going to happen when you outsource as well to the same people but different company name to do similar work? No brainer. They are going to be using the same source code and both companies will be paying for it. And as far as "trade secrets" goes, forget it. As soon as you outsourced it to a company in a different nation, you should have just thought of that source code as public domain. Trying to fight a legal battle in a foreign country is almost impossible. You would have had better legal standing if you would have just made it open source. But back to the malware topic and the most devious way to double dip is by placing back door routines in the code to fetch private information or making security holes in infrastructures. The information harvested is always sold to the highest bidder.
One last nugget to think on. In the golden olden days there was very little factor for us developers and where a virus/malware could get into our projects. The factors for our written software was OS and compiler. But now days developing typically involves including a lot of libraries. Each one of these libraries are just as vulnerable as any application that uses them to the above scenarios. Many libraries used by companies that make closed source, are closed source as well. When one link in the chain has an issue in it, it will transcend throughout all the links. I may sound a little like a OSS advocate right about now. And to some degree to be honest, I am. I do think that companies should have the right to sell closed source software, but with the world of closed source, we are putting a lot of faith and trust into the integrity of a lot of people we have no clue about. Hard if not impossible to find these people if something goes a muck. So no one will likely be held accountable for problems. I'm not a doomsayer pessimist. I do believe the large majority of people given trust will do the right thing. For example the developers in poor countries if given a choice would prefer to be able to use legitimate software. But the problem is software today spans through so many peoples work, how much and how many faceless people should we trust? And I think we can all pretty much agree that malware thrives in closed source. Again, nothing against closed source, it's just malware has a much longer shelf life in closed source.
So to summarize, does that age old advice we used to give people "don't install and run from unknown sources" mean anything today. In my opinion, a LOT less than what it used to be. That advice in the past would pretty much guaranty you would not get any malware. Now days it just decreases your odds. This is why I've changed my advice to "try to install software with open source if it is at all possible." Again this only decreases odds, but I feel the odds are better from unknown open source than "known" (and ultimately behind the curtain unknown) closed source software.
Well right off the bat we can say that the majority of software in Linux comes from unknown sources. Most malware attempts in open source is immediately caught by code reviews. But if something slips by.... who gets the blame? A lot of Linux distro/flavors will just issue a "oopsie!" statement to the press, we all shrug it off as it has YET to ever gotten too far before getting caught and the whole incident is forgotten. But in the world of closed source, all our faith is in the integrity of the company whose name is branded to the product. We have no idea how the machine works under the cover, we just hope that there is no secret instructions to wipe us out like Skynet. BUT problems within closed source can live there for YEARS before it is ever caught. It's a lot harder to trace machine code in applications to find malicious doings than it is to find them in source. So closed source requires a level of faith and integrity of the company providing the software. Which is fine. But there has been a on going problem with software companies that makes what we have been telling grandma to keep her computer safe, not all that correct. Software companies that once had a sterling reputation have been for the last couple decades have been outsourcing their software production to the lowest bidder. And when I say lowest, I mean in a MS dev shop, there is no way you can pay for all your developer licences at the prices they are writing software for. There is only two possibilities that can and will occur. The software is written with stolen and/or improperly licensed compilers and developer tools. OR, the company/person willing to go too low is planning to make up the low price to develop the software with unintentional things by the company issuing the contract.
So the first scenario, written with stolen/improper licensed software. This is the typical thing that happens when the software is outsourced and written by people who live in extremely poor countries. Typically there will be one guy who speaks English and has all of the licenses required legitimately and can even provide certificates. The problem occurs because this guy will outsource the work he is getting paid for at... oh lets say $10/hr, to people who have no experience but are desperate to feed their families for $1/hr. This guy actually writing the code might have been digging ditches the day before but is now a hardware driver developer today. Desperation will make you proficient at just getting something done even if you don't know what it is your doing. At $1/hr this person can waste 9 hours trying to solve a 1 hour problem and their boss is still coming out ahead. That's just a free dollar that just came in with you not having to do anything other than secure every contract you can and delegate the work out. If you work in the tech business there is a good chance you have experienced this one. Where things outsourced are coming in on-budget but WAY off of their deadlines. This is where a lot of really low quality, copy and pasted code stems from. The code a lot of times is very unstable and hogs resources like nobodies business. I have nothing against people helping people get a foot in the door to a better living. If this was just a matter of being a good humanitarian, I would be all about it. But unfortunately those who are being "bootstrapped" into computer development are not treated all that fairly nor are given any real guidance to truly learn. Instead they are typically ran on a hamster wheel till they get burned out and/or make a critical mistake and they are tossed out. Many people here in the US would lose their minds with emotion if they ever heard these stories first hand from the people that got ran over by it. Very heart breaking. But the biggest issue is that the software used to develop the software from these people, is almost always bootlegged from VERY unscrupulous sources. With these bootlegged compilers comes viruses and malware that a lot of times is specifically designed to live in compilers and replicate evil doing code into the compiled programs or into the installed packages. I have seen this a couple of times personally where professional commercial software had viruses in them that came from a strain that infects compilers as it's primary target. It's a pretty safe bet that the software came from someone too poor to be able to afford licenses and so they had to download it from pirates and these pirates are specifically targeting these people. I was very skeptical when I was first told this by engineers of a very reputable security company. I actually went out and downloaded multiple closed compilers from numerous pirate sources and every one had a virus in it that would make it seem that it was indeed targeting this crowd. (Can these people catch a break ANYWHERE?)
The second scenario, for intentionally pricing below what should be your expense is because you plan to make it up. There is a lot of ways a developer can be paid by two identities for one piece of software. One you can reuse code that belongs to another company. Something these corporations are typically forgetting is yes your competitor is paying less for development by outsourcing, but what is going to happen when you outsource as well to the same people but different company name to do similar work? No brainer. They are going to be using the same source code and both companies will be paying for it. And as far as "trade secrets" goes, forget it. As soon as you outsourced it to a company in a different nation, you should have just thought of that source code as public domain. Trying to fight a legal battle in a foreign country is almost impossible. You would have had better legal standing if you would have just made it open source. But back to the malware topic and the most devious way to double dip is by placing back door routines in the code to fetch private information or making security holes in infrastructures. The information harvested is always sold to the highest bidder.
One last nugget to think on. In the golden olden days there was very little factor for us developers and where a virus/malware could get into our projects. The factors for our written software was OS and compiler. But now days developing typically involves including a lot of libraries. Each one of these libraries are just as vulnerable as any application that uses them to the above scenarios. Many libraries used by companies that make closed source, are closed source as well. When one link in the chain has an issue in it, it will transcend throughout all the links. I may sound a little like a OSS advocate right about now. And to some degree to be honest, I am. I do think that companies should have the right to sell closed source software, but with the world of closed source, we are putting a lot of faith and trust into the integrity of a lot of people we have no clue about. Hard if not impossible to find these people if something goes a muck. So no one will likely be held accountable for problems. I'm not a doomsayer pessimist. I do believe the large majority of people given trust will do the right thing. For example the developers in poor countries if given a choice would prefer to be able to use legitimate software. But the problem is software today spans through so many peoples work, how much and how many faceless people should we trust? And I think we can all pretty much agree that malware thrives in closed source. Again, nothing against closed source, it's just malware has a much longer shelf life in closed source.
So to summarize, does that age old advice we used to give people "don't install and run from unknown sources" mean anything today. In my opinion, a LOT less than what it used to be. That advice in the past would pretty much guaranty you would not get any malware. Now days it just decreases your odds. This is why I've changed my advice to "try to install software with open source if it is at all possible." Again this only decreases odds, but I feel the odds are better from unknown open source than "known" (and ultimately behind the curtain unknown) closed source software.
