this post was submitted on 25 Apr 2025

32 points (86.4% liked)

Linux

9992 readers

333 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.
Be respectful: Treat fellow community members with respect and courtesy.
Quality over quantity: Share informative and thought-provoking content.
No spam or self-promotion: Avoid excessive self-promotion or spamming.
No NSFW adult content
Follow general lemmy guidelines.

founded 2 years ago

MODERATORS

MigratingtoLemmy@lemmy.world

With FOSS, what is to stop scammers from hiding malware or worse in their programs? (lemmy.world)

submitted 1 day ago by applemao@lemmy.world to c/linux@lemmy.world

23 comments fedilink hide all child comments

Something I've wondered. One of those "too good to be true, it probably is" type things. With all the FOSS especially for linux, installing package after package because a web search said it would fix your problem, how is it Linux isn't full of malware and such?

Id like to understand better so I can explain to others who are afraid of FOSS for those reasons. My best response is that since it's open source, people can see what it's doing and would right away notice something malicious. I wouldn't, since I'm not that into code, but others would.

top 23 comments

sorted by: hot top controversial new old

[–] JakenVeina@lemm.ee 0 points 3 hours ago

You're right to think that "since it's open source, people can see what it's doing and would right away notice something malicious" is bullshit, cause it pretty much is. I sure as hell don't spend weeks analyzing the source code of every third party open source package or program that I use. But just like with close-source software, there's a much bigger story of trust and infrastructure in play.

For one, while the average Joe Code isn't analyzing the source of every new project that pops up, there are people whose job is literally that. Think academic institutions, and security companies like Kaspersky. You can probably argue that stuff like that is underfunded, but it definitely exists. And new projects that gain enough popularity to matter, and don't come from existing trusted developers are gonna be subject to extra scrutiny.

For two, in order for a malicous (new) project to be a real problem, it has to gain enough popularity to reach its targets, and the open source ecosystem is pretty freakin' huge. There's two main ways that happens: A) it was developed, at least partially, by an established, trusted entity in the ecosystem, and B) it has to catch the eye of enough trusted or influential entities to gain momentum. On point B, in my experience, the kind of person who takes chances on small, unknown, no-name projects is just naturally the "exceptionally curious" type. "Hmm, I need to do X, I wonder what's out there already that could do it. Hey, here's something. Is it worth using? I wonder how they solved X. Lemme take a look..."

For three, the open source ecosystem relies heavily on distribution systems, stuff like GitHub, NuGet, NPM, Docker, and they take on a big chunk of responsibility for the security and trustability of the stuff they distribute. They do things like code scanning, binary validation, identity verification, and of course punitive measures taken against identified bad actors (I.E. banning).

All that being said, none of the above is perfect, and malicious actor absolutely do still manage to implant malware in open source software that we all rely on. The hope is that with all of the above points, as well as all the ones I've missed, that the odds of it happening are rare, and that when it DOES happen, it's way easier to identify and correct the problems than when we have to trust a private party to do it behind closed doors.

Great recent example, from last year: https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know

Me, I see this story as rather uplifting. I think it shows that the ecosystem we have in place does a pretty good job of controlling even the worst malicious actors, cause this story involves just about the worst kind of malicous actor you could imagine. They spent a full 2 years doing REAL open source work to develop that community trust I talked about, as well as maintaining a small army of fake accounts submitting support requests, to put pressure on the project to add more maintainers, resulting in a VERY sophisticated, VERY severe backdoor being added. And they still got found out relatively quickly.

[–] hperrin@lemmy.ca 5 points 7 hours ago* (last edited 7 hours ago)

If it’s open source, then the source code of the malware is also open. Generally, binary blobs aren’t included in open source programs, and when they are with no good explanation, it raises a lot of suspicions.

Closed source is where malware can readily be hidden, which is why there is tons of malware hidden in Windows and Android apps.

[–] jimerson@lemmy.world 5 points 8 hours ago

I believe that as a FOSS developer, in order for your code to be implemented and widely adopted, you'll have first reached a certain level of trust in the community. That, and yes your open source code can be picked through. Malicious code isn't always immediately found, but it does ruin the hard earned reputation of the developer.

Source: just speculation from being a FOSS fan for many years

[–] Kazumara@discuss.tchncs.de 7 points 14 hours ago

Well the packages from the default repo are vetted by your distro maintainers. So if you just install a package from your distro's repo you're still relying on the security of your distro.

If you go outside of that, either to get a FOSS package that wasn't packaged for your distro, or to get a non-FOSS package, you have to do your own due diligence, just as when you're downloading a third party package for Windows or macOS. Either by reputation or by finding someone trustworthy who has actually checked the code.

[–] endeavor@sopuli.xyz 11 points 19 hours ago

Its a lot easier to find a rotten apple in an open box that the seller allows you to inspect before purchase than it is to find one in a sealed crate you are not allowed to touch.

Users find malware even in closed source. The russian malware in capcoma drm is a good example.

[–] morgunkorn@discuss.tchncs.de 55 points 1 day ago

They do try, but many vigilant members of the FOSS community do their best to find out what's being done and prevent it.

You can read this summary of the attempt to inject a malware payload into a widely used compression tool that is used when remotely accessing servers: https://www.theverge.com/2024/4/2/24119342/xz-utils-linux-backdoor-attempt

It was a close call with potentially dramatic consequences, where a bad actor took 2 years to progressively gain reputation and rights to a key FOSS project, and one performance obsessed engineer to find out what they did and undo everything.

The big difference between FOSS and closed source software is that FOSS gives the possibility to audit the code, whereas binary analysis / retro engineering is much harder.

[–] deadcatbounce@reddthat.com 19 points 1 day ago

It's even easier if it's closed source.

[–] just_another_person@lemmy.world 42 points 1 day ago (1 children)

What's to stop Closed Source software from the same?

[+] applemao@lemmy.world -33 points 1 day ago (3 children)

Checks and balances, and money... people won't buy your product if it's malware...unless you make them a captive audience (win11, tencent).

[–] possiblylinux127@lemmy.zip 10 points 20 hours ago* (last edited 6 hours ago)

Lots of companies keep getting in little trouble by doing stuff like hard coding passwords and leaving backdoors

[–] highball@lemmy.world 33 points 1 day ago

That doesn't stop any of them. Windows users still go, willy nilly, traipsing around the internet downloading and installing random things. There is no money, no checks and balances. I'm sure you've read Windows converts complaining, "Linux isn't ready for the average user because it's too hard to install programs, they want to be able to download an installer, then click next next next and have the application installed." They think the security of package management is too much for the average user.

Sure, FOSS could get some bad actors. It would be no different than the closed source community. At least with FOSS, there is still opportunity for people to find and eliminate the bad code. The world runs on Linux and FOSS. The place where you would want to sneak in some bad code the most. You'd have a much bigger impact. And, it does happen on occasion, people notice, and the bad code is removed. Compare that to the much smaller, Windows world, where you need anti-virus checkers and maleware checkers.

It sounds like you have the computing world inverted. You believe Windows and closed source is the most dominant computing paradigm. It's not.

[–] Eldritch@lemmy.world 15 points 1 day ago

So they're the same

[–] possiblylinux127@lemmy.zip 7 points 20 hours ago

Common sense will go a long way

From a technical perspective many Linux distros are moving to reproducible builds

[–] Vopyr@lemmy.world 24 points 1 day ago (1 children)

Nothing? but the very fact that it is open source makes it much easier to detect malware, I guess. But I don't think that closed source is better in this regard, rather worse, because corporations love spyware.

[–] possiblylinux127@lemmy.zip 5 points 20 hours ago

See Solar Winds

[–] slazer2au@lemmy.world 16 points 1 day ago (1 children)

It does happen, the most notable one that I can remember is XZ Utils. The good thing about open source is eventually someone will spot it and call them out.

[–] magic_lobster_party@fedia.io 11 points 22 hours ago

Just an additional note: the xz backdoor is well known because it was found. It was found mostly because it’s foss. It’s doubtful it would’ve been found if it was closed source.

Imagine how many xz-like exploits are live today that hasn’t been detected yet. Is this exploit more prevalent in open source or closed source software?

[–] folekaule@lemmy.world 11 points 1 day ago

They can and do try to share malware, but distros and software hubs take measures to prevent it. You can read about Flathub's approach in Flathub Safety: A Layered Approach from Source to User

[–] hendrik@palaver.p3x.de 11 points 1 day ago* (last edited 1 day ago) (1 children)

Well if you use a Linux distribution, you generally get your software from some central package repository. That's driven by maintainers who look at the software, the updates... They patch the software, make sure it runs smoothly on your system and is tied into other things... They'll also have a look at security vulnerabilities and security in general.

Other than that, there isn't much really "stopping" people from writing malware. We have tons of it. Fake VLC versions, copycats on the iPhone appstore... MS Windows is full of advertisements and features that send data "home". They introduce features which border on being malware all the time.. We have trojans, viruses etc. It's all out there.

Generally, it's a good idea to think before executing random code from the internet. Is it from a trustworthy source? Are other people using a piece of software and they'd have noticed if it deleted all files?

Usually, we have more good people than bad. And people need some motivation. It's unlikely someone invests 10 years of their life to develop a shiny and polished office suite, just so they can run some malware somewhere. There are easier ways to accomplish that. So it generally doesn't happen that way. It's theoretically possible, though.

And in the old way is: Windows, Android etc are way more popular. If someone wants to do something malicious, they likely don't target the 1-2% using a different operating system. They are going to write malware for a more popular operating system. And on the server, where Linux dominates the market, admins execute less random code. They'll know they want MariaDB and where to get it. So it's harder to do an attack this way.

And if I imagine being the attacker... What would be a reason to include malware in a FOSS project? Just to wreck havock and mess with people? That sounds like a 16 yo with too much time on their hands. But we have very few of those in the free software community. So that's a bit unlikely... If someone wants a botnet, there might be easier ways to do it. And for a targeted attack, you wouldn't hide your malware in a random project... So I generally don't see many reasons for someone to combine malware with useful FOSS software.

:(){ :|:& };:

[–] sxan@midwest.social 4 points 1 day ago* (last edited 1 day ago) (1 children)

:(){ :|:& };:

Oh, that was fun! I didn't know Linux had that Easter Egg in the terminal!

[–] possiblylinux127@lemmy.zip 5 points 20 hours ago

Fun fact, a properly configured system shouldn't be impacted by this

[–] jutty@blendit.bsd.cafe 8 points 1 day ago

Not so much what's preventing, but how hard it is to get away with it.

Whatever closed-source software is doing on your system, there is no way to know to begin with, what it is that it is doing. You can only look at the outer effects it has, but you can't examine it much. So even if a closed system is doing all sorts of things, as long as it's stealthy enough, there would be no consequences at all.

This is the very opposite is what you get with FOSS, not to mention the difference on how software is developed, built, distributed and managed in unix systems compared to proprietary ones.

[–] GolfNovemberUniform@infosec.pub -2 points 1 day ago

Nothing. Nobody properly analyzes the code usually. It's just you trust it more because of the fact of it being open.