X
Business

The broken free software model: A different kind of heartbleed

Security breaches, malware, viruses, ransomware, and just poorly written free software makes one wonder, 'Is the free software model really working'? I'd have to say, 'Not really'.
Written by Ken Hess, Contributor

I've used gigabytes, or perhaps terabytes, of free software in my career, but I'm now at a point where I have to say that the free software model isn't working. Not for me, at least. And not for a lot of other people. For many years, I was a big free software proponent. I scowered the dark and the far reaches of the internet to find free software to bring into the light for others to see and to enjoy. Those days are all but over. With the huge numbers of security breaches, malware, viruses, ransomware, and stinkware out there, I'm just not sure that I'm up for it anymore. But, I do have two possible solutions.

I'm not one to just complain and not offer a solution to something. I like alternatives. I like to ponder the "What ifs" in any scenario. But, it's perhaps this same  what if pondering that's caused me to step back a bit from my days of zealous free software fanboyism and really examine what's happening now in this movement.

I recently downloaded a freeware program to benchmark some SSDs that I had in my 'review queue'. The name escapes me and my son, aka The Giant Ginger, is using it today at school, so I won't be able to tell you. The point is that I downloaded and installed a free application that I assumed would be safe and ended up installing the Conduit Search malware. Thank goodness the computer was basically a test system just for exchanging hard drives on for testing. Well, that is until my son grabbed it and took it to school without my consent, that is.

I've read where other people have inadvertently installed Conduit by updating Adobe Flash, downloading other freeware applications, going to porn sites (of course), and clicking on those annoying pop-ups when you hit some private blogs.

In some cases, these malicious programs are more than just annoyances, as we've all read in the cases of ransomware that holds your computer and data for ransom until you pay the !@#$% who programmed it. Conduit is a pain because it hijacks your browser and requires about 30 minutes to fix, if you can fix it at all. 

I suppose the lesson here is to just pay for your software from a reputable vendor and leave freeware alone.

That seems a bit extreme to me and I really like freeware but am tired of the vigilance required to use it and to depend on it. And, yes, I'm going to go there with the Heartbleed/OpenSSL debacle.

Heartbleed's fallout could possibly cause a lot of businesses to reconsider their stance on using free software. I hope that doesn't happen, but it wouldn't surprise me if it did. Nor would it be unreasonable of them to do so.

The fans of free software, which is also sometimes referred to as open source software, although they're not the same things, I'm going to bundle up the terms into the generic 'free software' umbrella. I know it's not correct. Open source software can be commercial, it can be free, or it can be shareware. Free software, as defined by the Free Software Foundation includes certain types of what's called open source software. But enough semantics. Let's assume that we're all on the same page here.

All software is somewhat dangerous because of the potential for security leaks, memory leaks, malformed request hacks, and a host of other problems. The difference in open source software versus proprietary, closed source software is that everyone can see the source code, find those problems and either report/fix them or exploit them.

It's the exploitation of those errors that really bothers me. Heartbleed was a great example of open source software at its worst.

You know the problem. Now, let's get to the solutions.

One solution is to basically do what Apple does for its App Store. There has to be some vetting process for free software, open source software, and even proprietary, closed source software so that those of us who want to use software safely can do so without regret or ransom.

Apple rigorously tests all apps that apply to its App Store. CNET Downloads scans downloadable software for viruses. But what about software that's not on CNET or in the Apple App Store, which would account for a majority of available software?

Think about it. Software from gaming sites, warez sites, freeware sites, software repositories, the Google Play App Store, private app stores, and probably many more isn't safe for you to use without some research, a great deal of vigilance, and a pair of crossed fingers.

My proposal is that someone setup a clearing house for free and open source software. The software will undergo virus scans, malware scans, ransomware scans, and code checks to ensure that innocent downloader's computers aren't clobbered or held for ransom. Sure, there will be a charge for the service, but hopefully it will be nominal or some of the large companies like Dell, HP, IBM, and others will step up and support such an effort.

I'd do it but I have enough on my plate as it is. So, there's an opportunity for someone, or a group of someones, to take this idea and make it work. And the service should certify the software as safe to let users know that it's been checked and approved.

From Wikipedia's Ransomware entry: In June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013—more than double the number it had obtained in the first quarter of 2012.

And you commercial software vendors aren't off the hook either. I just saved you until last. I don't want you to bundle other software into your products, especially ones that I have to uncheck. The default behavior should be NOT to install these third-party applications. For example, in commercial software programs that I've downloaded and installed, I've had to uncheck the Ask Toolbar, Norton software, Google Chrome, and OpenOffice (or whatever it's called these days). I will download and install software at will when I want it. It's an invasion of my privacy to automatically install software or to have it pre-checked for my convenience.

I like Google Chrome, but I don't want it bundled with something else. I'm suspicious of it when it's bundled. I don't wear a foil hat, but don't invade my computer with applications that I don't want. I think that vendors who bundle software and automatically check it to install to your system should be boycotted. If you find software, such as a utility that you need that also twists your arm to download and install another program, report it here so that we can see it and boycott the offending vendor.

Sorry, you'll have to find revenue streams somewhere besides bundling software with yours.

I don't mind anyone making money but making money from distributing malware, viruses, stinkware, ransomware, or unwanted software is just wrong.

Legitimate gaming sites post ads on their pages to entice you to click so that they get a pay-per-click out of it and the software hasn't been vetted by the game site nor, I suppose, does it care. They get a few cents for your click and you get malware. Awesome. Boycott those sites.

My solutions to the ongoing and broken software model: Independently vet software and boycott violators who make us download unwanted software.

Editorial standards