homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque

Webmaster General Forum

How do we know open source software doesn't have spyware?
eg oscommerce, WAMP server, MAMBO to name a few

 3:34 pm on Apr 7, 2005 (gmt 0)

How do we know open source software doesn't have spyware?
eg oscommerce, WAMP server, MAMBO to name a few

I'm sure there is no spyware but how can we tell?



 4:24 pm on Apr 7, 2005 (gmt 0)

you can always run a spyware checker.

But truth is you don't know.

Matt Probert

 5:33 pm on Apr 7, 2005 (gmt 0)

If it's open source you can examine the source code before you compile it!

Seriously, crossing the road carries with it a risk of being run over, if you worry about it you never venture out of the house.



 5:36 pm on Apr 7, 2005 (gmt 0)

How do we know open source software doesn't have spyware?

If something is actually open source, that means you can download and review all the code yourself.


 5:44 pm on Apr 7, 2005 (gmt 0)

Read the source code and build the software yourself. (1)

Or, (2) if that's not your thing, find someone who does read source, and verify the cryptographic signature of the software package with them before installing it.

Or, (3) find a user or developer community you trust, one that is inspecting, developing and/or deploying the source code, and verify the crypto signature of the software package with them.

(3) is what nearly everyone does. The community might be something as large as a Linux distribution like Fedora, or more often the authors of the software itself. For people who aren't able to vet the software by hand, it is a matter of locating people who do, evaluating their reputation and trusting their conclusions. The very nature of open source leads to many eyeballs viewing the source, and cheating is difficult.

But even if you build it yourself, how can you be sure that your development tools don't contain spyware, even if they come from the operating system vendor? Check out the classic story of the self replicating compiler back door [jargon.net]...


 6:02 pm on Apr 7, 2005 (gmt 0)

Large open source projects have a large number of knowledgeable people viewing and altering the source code, including many who have no financial relationship with the project or the sponsoring company (if there is one). This "many eyes" concept along with careful control of who can upload and alter packages helps protect against the introduction of spyware into the product source code. With closed source software (especially when offered only as a binary package), you do not have this safeguard.

It depends on what you consider to be spyware, too. I've said in the past that I consider the open source WordPress [wordpress.org] blog package to contain spyware because it has a web bug in the admin section: the Get Firefox icon is called from a remote server, allowing the owner of that server (static.wordpress.org) to compile statistics on where WordPress is installed and how often it is used. I was not the first person to discover this "spyware": it was picked up immediately by beta testers - which goes to show the advantages that the open development model offers.

You get another vital layer of protection with open source too: the ability to fork the project if the development model doesn't go the way you would like, as well as the associated advantage of the license allowing you to make any modification you want, use the program in any way you want, and even redistribute the end result if you desire. (the redistribution must be with an open source license in some cases).

You don't get a guarantee, but open source software is very well protected against spyware, and certainly a lot more than most closed source products.


 6:14 pm on Apr 7, 2005 (gmt 0)

It's not open source you have to worry about, it's free compiled (executable) programs, screen savers, and fritterware.


 9:38 pm on Apr 7, 2005 (gmt 0)

If you have any doubts about software, run a few searches before downloading and installing.

The vast majority of software is clean.

Incidentally, I think you are confusing open source with shareware/freeware. If anything, the chances of open source software being dirty are less than other software for the reasons given above.



 11:46 pm on Apr 7, 2005 (gmt 0)

I thought MS was spyware...certainly this is the case with new forced updates...your machine is being watched from redmond...count on it


 5:40 am on Apr 8, 2005 (gmt 0)

Hi Macbeth:)

You can run a spy software program on your pc. It should tell you all the spyware running on your pc.
There is a website that offers a free scan of your system for spyware. Last time i checked, it was free. Although if there is spyware on your pc, i don't think they will remove it for you. You'll most likely have to purchase their software to get the spyware off your pc. **It removes most or all spyware on your system. So if it's in the software, it should remove it. You'll need the software though. It runs around $30 bucks. I personally use it. It works well.



 6:19 am on Apr 8, 2005 (gmt 0)

For scripted stuff like Mambo, phpBB, OSCommerce, you can read the source code, it's actually not that hard to do once you get used to it.

For compiled stuff, if you download it from an authorized mirror, not some other site with no direct affiliation, often they have md5 checksums you can run against the package. Most Linux distros have this. As far as I know it's not possible to add something to a compiled package and have the md5 checksum match, or at least it's not very easy.

For freeware/shareware, you have no way to know, and as stuffit users on mac recently found out, even previously honest products can change for the worse with a change of ownership/policy, I think it was stuffit anyway.


 6:49 am on Apr 8, 2005 (gmt 0)

There is a heavily promoted version of Netscape 7.2 which is claimed to be slimmed down without any other changes. That is claimed in the read me and the about box.

HAH! Not so. It took three days to figure out how to root out locations and settings that had been changed to set the defaults to the author's web site, search panels, etc.

Believe me, I was not a very happy camper. Not because of the changes themselves, but by the fact that the changes were not disclosed, and thus making appear to be very risky to trust the install package in total.

That is the real problem with open source where there are multiple distribution points. This does not include projects such as FreeBSD where there is one and only one packager.

Unless you have nothing else to do, reading the source code of a complex package is not really an option.

In the situation that I described above, there were a limited number of places to look, but it involved digging around in a mess of jar files to find the changes. And then more forensics to come to some conclusions as to what other files had been changed.


 9:25 am on Apr 8, 2005 (gmt 0)

If you are worried by spyware, consider using ZoneAlarm or a similar firewall that can block internet access by program. I deny internet access to all programs that do not absolutely need it, like browsers and email, etc.


Global Options:
 top home search open messages active posts  

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved