The broken free software model: A different kind of heartbleed


Summary: Security breaches, malware, viruses, ransomware, and just plain poorly written free software make one wonder, 'Is the free software model really working?' I'd have to say, 'Not really.'


I've used gigabytes, or perhaps terabytes, of free software in my career, but I'm now at a point where I have to say that the free software model isn't working. Not for me, at least. And not for a lot of other people. For many years, I was a big free software proponent. I scoured the dark and far reaches of the internet to find free software to bring into the light for others to see and to enjoy. Those days are all but over. With the huge numbers of security breaches, malware, viruses, ransomware, and stinkware out there, I'm just not sure that I'm up for it anymore. But I do have two possible solutions.

I'm not one to just complain and not offer a solution to something. I like alternatives. I like to ponder the "what ifs" in any scenario. But it's perhaps this same "what if" pondering that's caused me to step back a bit from my days of zealous free software fanboyism and really examine what's happening now in this movement.

I recently downloaded a freeware program to benchmark some SSDs that I had in my 'review queue'. The name escapes me, and my son, aka The Giant Ginger, is using the machine today at school, so I won't be able to tell you. The point is that I downloaded and installed a free application that I assumed would be safe and ended up installing the Conduit Search malware. Thank goodness the computer was basically a test system used only for swapping hard drives in and out for testing. Well, that is until my son grabbed it and took it to school without my consent.

I've read where other people have inadvertently installed Conduit by updating Adobe Flash, downloading other freeware applications, going to porn sites (of course), and clicking on those annoying pop-ups when you hit some private blogs.


In some cases, these malicious programs are more than just annoyances, as we've all read in the cases of ransomware that holds your computer and data for ransom until you pay the !@#$% who programmed it. Conduit is a pain because it hijacks your browser and requires about 30 minutes to fix, if you can fix it at all. 

I suppose the lesson here is to just pay for your software from a reputable vendor and leave freeware alone.

That seems a bit extreme to me and I really like freeware but am tired of the vigilance required to use it and to depend on it. And, yes, I'm going to go there with the Heartbleed/OpenSSL debacle.

Heartbleed's fallout could possibly cause a lot of businesses to reconsider their stance on using free software. I hope that doesn't happen, but it wouldn't surprise me if it did. Nor would it be unreasonable of them to do so.

Free software is also sometimes referred to as open source software, although they're not the same thing. I'm going to bundle the terms under the generic 'free software' umbrella. I know it's not correct. Open source software can be commercial, it can be free, or it can be shareware. Free software, as defined by the Free Software Foundation, includes certain types of what's called open source software. But enough semantics. Let's assume that we're all on the same page here.

All software is somewhat dangerous because of the potential for security leaks, memory leaks, malformed-request attacks, and a host of other problems. The difference between open source software and proprietary, closed source software is that everyone can see the source code, find those problems, and either report/fix them or exploit them.

It's the exploitation of those errors that really bothers me. Heartbleed was a great example of open source software at its worst.

You know the problem. Now, let's get to the solutions.

One solution is to basically do what Apple does for its App Store. There has to be some vetting process for free software, open source software, and even proprietary, closed source software so that those of us who want to use software safely can do so without regret or ransom.

Apple rigorously tests all apps that apply to its App Store. CNET Downloads scans downloadable software for viruses. But what about software that's not on CNET or in the Apple App Store, which would account for a majority of available software?

Think about it. Software from gaming sites, warez sites, freeware sites, software repositories, the Google Play App Store, private app stores, and probably many more isn't safe for you to use without some research, a great deal of vigilance, and a pair of crossed fingers.

My proposal is that someone set up a clearing house for free and open source software. The software would undergo virus scans, malware scans, ransomware scans, and code checks to ensure that innocent downloaders' computers aren't clobbered or held for ransom. Sure, there will be a charge for the service, but hopefully it will be nominal, or some of the large companies like Dell, HP, IBM, and others will step up and support such an effort.

I'd do it but I have enough on my plate as it is. So, there's an opportunity for someone, or a group of someones, to take this idea and make it work. And the service should certify the software as safe to let users know that it's been checked and approved.

From Wikipedia's Ransomware entry: In June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013—more than double the number it had obtained in the first quarter of 2012.

And you commercial software vendors aren't off the hook either. I just saved you until last. I don't want you to bundle other software into your products, especially ones that I have to uncheck. The default behavior should be NOT to install these third-party applications. For example, in commercial software programs that I've downloaded and installed, I've had to uncheck the Ask Toolbar, Norton software, Google Chrome, and OpenOffice (or whatever it's called these days). I will download and install software at will when I want it. It's an invasion of my privacy to automatically install software or to have it pre-checked for my convenience.


I like Google Chrome, but I don't want it bundled with something else. I'm suspicious of it when it's bundled. I don't wear a foil hat, but don't invade my computer with applications that I don't want. I think that vendors who bundle software and automatically check it to install to your system should be boycotted. If you find software, such as a utility that you need that also twists your arm to download and install another program, report it here so that we can see it and boycott the offending vendor.

Sorry, you'll have to find revenue streams somewhere besides bundling software with yours.

I don't mind anyone making money but making money from distributing malware, viruses, stinkware, ransomware, or unwanted software is just wrong.

Legitimate gaming sites post ads on their pages to entice you to click so that they get a pay-per-click out of it and the software hasn't been vetted by the game site nor, I suppose, does it care. They get a few cents for your click and you get malware. Awesome. Boycott those sites.

My solutions to the ongoing and broken software model: Independently vet software and boycott violators who make us download unwanted software.


About

Kenneth 'Ken' Hess is a full-time Windows and Linux system administrator with 20 years of experience with Mac, Linux, UNIX, and Windows systems in large multi-data center environments.


Talkback

69 comments
  • "One solution is to basically do what Apple does for its App Store."

    Do you mean like all Linux distros have been doing with repositories long before the Apple App Store existed?

    "I'm going to bundle up the terms into the generic 'free software' umbrella. I know it's not correct."
    It's not just incorrect to lump 'Windows Freeware' with 'Open-source', it's downright misleading!

    Most 'Freeware' is a brain-dead version of a commercial Windows product, meant to sell the full version. Other 'Freeware's' only purpose, as you found out, is to infect computers with malware.

    Open-source, when obtained from either the project home or a Linux repo, has been vetted and signed to try to prevent malware. With Linux repos, and the Apple App Store that is modeled on Linux repos, every once in a while something slips past the vetting process, but for the most part, the software is safe.

    Shame on you Ken for attempting to paint all open-source with the 'Windows Freeware' brush.
    anothercanuck
    • @anothercanuck

      That's incorrect. Windows freeware can be open source. What about PHP, Apache, MySQL, Perl, etc. that works on Windows. It's unfortunate that there are those who, like I used to be, are such fanboys that they're blinded by the truth.
      khess
      • You are both right ...

        Ken, I agree with you that blindly downloading "free software" off the Internet is extremely dangerous, but I believe canuck's main point that official distributor repos are generally safe is correct. I have used multiple distributor repos for 15 years now and have never ever had a problem.

        Of course heartbleed was a catastrophe, but it got fixed fairly quickly and there has been no indication that it has been effectively exploited. It was more just a pain in the neck for a lot of people having to change passwords everywhere. But those sorts of things have happened in the past with commercial software.

        I certainly don't see any specific problem with mainstream "free software", the problem with ANY software is where you are getting it from. You can end up with the same problems by downloading pirated (contaminated) commercial software.
        George Mitchell
      • What about IE, Outlook, IIS, and Safari?

        Flaws in those, and in PHP, Apache, and MySQL, have all been used by hackers, for sure, but just like IIS, IE, Outlook and Safari, the home page downloads for Apache, Firefox, Thunderbird, and Chrome have never been carriers of malware, and they are no more prone to compromise than the commercial products.

        You are using one flaw in OpenSSL as your whole basis, so why haven't you written off all software? I ask because, as far as I know, flaws in commercial software have cost world economies uncountable $Billions over the last 3 decades, but for some reason, that appears OK with you.

        So, how do you justify lumping all open-source programs into the same group as malware infested 'Freeware', while giving that other software a pass? After all, you don't say you are going to stop using IE, do you?

        I stand by my position.
        anothercanuck
      • Open source and freeware are different

        PHP, Apache, MySQL and Perl are good examples of open source, and do none of the egregious things you are concerned about.

        Open source is a category of free that is safe.

        Windows freeware has SELDOM been safe. Open source projects for multiple platforms, especially those that were primarily targeted at Linux, are generally safe, and often safer than commercial applications for windows.
        dimonic
        • I have to say that dimonic hits the nail on the head

          The article really goes into left field when you start lumping the heartbleed bug in with windows freeware.

          I've been using Windows freeware for about 15 years, and have to say that WINDOWS FREEWARE is getting increasingly sneaky about adding those little extra installations for ad-ware (really malware).

          However, about 1.5 years ago I switched to using a system that mainly uses repositories for software distribution. This model lets you hook into the repository of the software you want to install and continually get updates. If you pay for support of a piece of software, you get to use the "enterprise" repository. This model is MUCH more secure, since sites like download.com aren't adding in adware and other such things. And since the repository is maintained by the creator, then you're MUCH less likely to be getting something bad for your computer.

          Yes, that last paragraph outlined how refreshing of an experience it has been to use free software on Linux. And YES, the Linux repository concept DOES work for paid-for applications. ANY software maker can set up his/her own repository to distribute their software and any updates. So while it's similar to an app store, the fact that anyone can have an "app store" for their software makes the whole package thing a really wonderful solution. Microsoft is attempting to emulate the package idea, but unless they emulate the Linux model, and not the Android one, they're never going to get very far.
          Technical John
        • Not sure asinine comment "Windows freeware has SELDOM been safe."

          is accurate.
          ScanBack
          • The Windows platform has long been plagued with PUPS

            PUPS is an industry term that stands for Potentially Unwanted Programs that's been around since the nineties. The term covers bloatware installed by the PC manufacturer as well as unnecessary applications added to any program installer, trojans, etc. IE was first distributed as a PUP on other application CDs and installers before it was included in the OS with Win98. Some PUPS are included in the installers of other more popular programs with the authorization of the original vendor or distributor, and others are repackaged installers by unauthorized distributors.

            These PUPS range from the unneeded space wasters, to apps that could inadvertently, browser hijackers and malware. I wouldn't exactly say the comment that "Windows freeware has SELDOM been safe." is asinine. It is perhaps more accurate to say it's seldom been safe to search for, download and try Windows freeware. However, the problem has absolutely nothing to do with freeware, as some paid software includes PUPS as well. There are even some programs you can download from the official vendor that come with PUPS, but you can use a third-party vendor like ninite.com and get it without the PUP.

            This article is only pointing out a problem that is at least 20 years old and trying to make it seem like news by linking it to the recent Heartbleed news, which has nothing to do with the subject of the article. This article has nothing to do with Heartbleed. Ken was prompted to write the article after his son spread a PUP with a piece of freeware he had not fully vetted, a process that has been necessary for over twenty years when searching for and trying out free, demo and even paid software on Windows. It's really no different than writing an article on boats but making a few Miley Cyrus twerking references just to build SEO for an article that has nothing to do with Miley Cyrus or twerking.
            techadmin.cc@...
      • not quite true

        If you meant open source as free, not every open source software comes free. Second, as suggested, if you download from anywhere, despite being an administrator for Windows and Linux machines for 20 years, I too smell the misleading here. Please don't suggest that not all freewares but open source softwares are not available through the sourceforge site.
        ashwinipn
      • Freeware vs open source

        I couldn't even make halfway through this crap. Freeware DOES NOT equal open source in any way, shape or form.
        PHP, apache, mysql, Perl are all open source and, yes, they're free to use. Their code is freely and legally viewed as well.
        Adobe flash, Oracle's Java and Adobe reader are free to use. This DOES NOT mean that you are legally allowed to open up that code and take a look.
        Your entire "article" is based on ignorance. If you go out, install something just because it's free, and get a virus or install malware, that's your fault. Period.
        Don't blame open source because you made a mistake.
        tmsbrdrs
    • The microsoft way for 20 years.

      Security breaches, malware, viruses, ransomware, and just poorly written software.

      Sounds like every version of windows before 7... and to some degree after 7. considering you paid for those shouldn't you be more angry at Microsoft? I was just reading (on zdnet) about an IE8 remote exploit bug that has been reported for 8 months and still not fixed.. doesn't sound like OSS is the only one with issues here right?
      frankieh
  • Real Problems

    The real problems are the lack of QA and greed. FOSS suffers from not enough people available who can competently do QA while proprietary suffers from not being willing to spend money on QA. The net effect is the same: buggy software. Greed comes trying to earn a few extra bucks by installing scumware along with the application. The repository/app store system you are describing does not fully eliminate the first problem; only ensures the application has been vetted and nothing serious was found. It should, however, eliminate the second problem.

    The real problem is how do you QA an application, particularly when you do not have the source code as a third party. Also, you referred to the FOSS applications supplying the source code potentially allowing the black hats access to bugs. I think this is semi-theoretical in that only a few organizations will have the resources to have people pore through lines of code to find an exploitable bug - NSA for one. Most of the bug discoveries are likely to happen by someone either deliberately or accidentally stumbling on to it. Windows exploits prove one does need access to the source code to find security problems.
    Linux_Lurker
    • I agree with you, but

      This article is only dealing with your second point, malware injection, and Mr. Hess is attempting to spread misinformation.

      The Freeware in this case, as the article says, was downloaded from "the dark and the far reaches of the Internet".

      There is no need to go look in the dark and far reaches of the Internet for Open source. It's available, along with the names and emails of the programmers, from its home page. The only thing common to Freeware and Open-source is the price.
      anothercanuck
      • besides... what he downloaded wasn't open source.

        It was a trojan.

        No source code provided.
        jessepollard
      • @anothercanuck

        Wrong again. I don't just download from those places. I searched for free software to tell people about. Did you actually read this post? You know the words on the page are different sometimes from the ones in your head.
        khess
        • Obviously you weren't sufficiently knowledgeable about those places.

          You got a trojan didn't you.

          You are completely confusing the concept of open source and freeware.
          jessepollard
        • How does one search for free software?

          I for one only accept free software from developers I KNOW through the GPL community. If one just searches for stuff that is free without knowing the people they are getting it from, you can get all kinds of malware, because it's out there, lots of it. The whole key is knowing who you're dealing with, and those of us in the Linux community do that by gathering in certain places on the web and freely exchanging information that tells us who is who in the development community. We know who we can trust and who we can't. You might get an occasional vulnerability that way because everybody, even honest developers, makes mistakes sometimes. But you are NOT going to get malware that way. If you are getting malware, it is because YOU are not effectively vetting the sources of your software.
          George Mitchell
        • No, you don't just download from dark places.

          Yes, I did read the article, or didn't you notice my quotes from the article.

          Here's another one, your words: "I know it's not correct."
          Which I assumed to mean it's not correct to lump all open-source and freeware together, or am I wrong? Did I understand? Does it appear I read the article?

          But then you go ahead and do it anyways. It's like equating buying a stereo from a big box store to buying one out of the back of a van in an alley.
          anothercanuck
    • And Proprietary Software Is Always Better?

      How about Word 2013? To insert a picture from a scanner (from one Microsoft web page, which I believe is not totally correct):
      ---------
      Insert a picture from a scanner
      You might be used to scanning directly into Word. We’ve taken scanning out of Word 2013, but you can now Scan images into OneNote and then paste them into Word. Here’s how:

      In OneNote, open or create the page where you want to insert the scan.
      Click anywhere on the page where the scan should appear.
      Click Insert > Scanned Image.
      Choose a scan resolution by clicking either Web Quality (best choice if you care for on-screen display only) or Print Quality (best choice if you’ll want to print the scanned image). Your scanner model may also show you additional options before you start the scan.
      Click Insert.
      Right-click the scanned image in OneNote, and then click Copy.
      Return to your Word document.
      In your document, right-click where you want to insert the picture, and then click Paste.
      --------

      Isn't that so much easier than something like Libre Office:
      1. Click Insert
      2. Click Image
      3. Click Scan
      4. Click Request
      5. scan the image using the scanner interface that automatically pops up.

      Get real
      rich3page
      • Sorry, but a single example doesn't prove a point

        So Microsoft has removed some functionality from a proprietary program which still exists in a similar FOSS program. Not exactly overwhelming proof of anything! I'm sure there would be at least as many (and I suspect a lot more) examples of functionality in the Office suite that is not available in LibreOffice.

        And I bet you are the first in line to complain about MS Office being bloated with little used features, immediately after complaining when Microsoft removes one!
        CageySee