Mac Hacker's Code Is So Good, Corporations Keep Stealing It (theverge.com)

Patrick Wardle, founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS, has had his code make its way into a number of commercial products over the years -- "all without the users crediting him or licensing and paying for the work," reports The Verge. Wardle, a Mac malware specialist and former employee of the NSA and NASA, will lay out his case in a presentation today at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University. From the report: The problem, Wardle says, is that it's difficult to prove that the code was stolen rather than implemented in a similar way by coincidence. Fortunately, because of Wardle's skill in reverse-engineering software, he was able to make more progress than most. "I was only able to figure [the code theft] out because I both write tools and reverse engineer software, which is not super common," Wardle told The Verge in a call before the talk. "Because I straddle both of these disciplines I could find it happening to my tools, but other indie developers might not be able to, which is the concern."

One of the central examples in Wardle's case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to monitor whether any macOS applications were surreptitiously accessing the microphone or webcam, with much success: it was effective not only as a way to find Mac malware that was surveilling users but also to uncover the fact that a legitimate application like Shazam was always listening in the background. [...] But years after OverSight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products -- even down to replicating the same bugs that Wardle's code had.

Three different companies were found to be incorporating techniques lifted from Wardle's work in their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says that he believes the code theft was likely the work of an individual employee, rather than a top-down strategy. The companies also reacted positively when confronted about it, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without authorization, and all eventually paid him directly or donated money to the Objective-See Foundation.
The Verge notes that Wardle's cousin Josh Wardle created the popular Wordle game, which was purchased earlier this year by The New York Times.
  • ... it's difficult to prove that the code was stolen rather than implemented in a similar way by coincidence.

    Way (way) back in my university OS design class, the semester project was to simulate an interactive operating system. I was helping a friend debug his scheduler code and noticed this:

    unsigned int slice; /* A fruit-flavored soft drink. */

    Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)

    • by The MAZZTer ( 911996 ) on Thursday August 11, 2022 @06:38PM (#62782054) Homepage

      I forget the full story and I couldn't find it but some author saw his application running at some sort of trade show with all the original naming and author info stripped out, and the company showing it off was claiming it was entirely theirs. He pressed a magic key combo on the keyboard and up popped a hidden about screen identifying him as the original author. Awkward.

      You can definitely hide things big or small in the code to help prove ownership. As the original article hints even bugs can help indicate it's more than mere coincidence.

      • He pressed a magic key combo on the keyboard and up popped a hidden about screen identifying him as the original author. Awkward.

        Easter Egg burn -- nice.

    • by ShanghaiBill ( 739463 ) on Thursday August 11, 2022 @07:34PM (#62782166)


      unsigned int slice; /* A fruit-flavored soft drink. */

      Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)

      Neither the variable name nor the comment would be preserved by the compiler. So this would provide no evidence of copying.

      • unsigned int slice; /* A fruit-flavored soft drink. */

        Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)

        Neither the variable name nor the comment would be preserved by the compiler. So this would provide no evidence of copying.

        Sure, but they'd be in the source, unless edited. So not something found with a de-compiler, but in a code repository.

    • I wrote a chat system for a major bank in Australia (which bank? Don't ask). I was not working for that bank at the time.
      A couple of years later, they said they didn't want to pay support fees any more as they had written their own.
      Really? So I had a look at their one (via the browser). They had literally transliterated my code from one language into another, even keeping the variable names.

      Not impressed.
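The thread above turns on two points: identifier names and comments do not survive compilation, but code structure and a replicated bug do. As an added illustration (not code from the article, from Objective-See, or from any commenter), the script below normalises away names, literals and comments before comparing two constructed snippets, and separately checks whether a suspect implementation reproduces the original's boundary quirk; all three snippets and the probe inputs are constructed samples.

```python
import difflib, io, keyword, tokenize

# Constructed original: window test with a deliberate off-by-one quirk.
ORIGINAL_SRC = """
def in_window(ts, start, window):
    # quirk: the window's start and end instants are both excluded
    return start < ts < start + window
"""
# Constructed copy: names changed, comment dropped, quirk carried along.
COPY_SRC = """
def hit(t, s, w):
    return s < t < s + w
"""
# Constructed independent implementation: different shape, inclusive bounds.
INDEPENDENT_SRC = """
def within(ts, start, window):
    end = start + window
    return start <= ts <= end
"""
# Boundary inputs where the quirk shows: start, end and an interior point.
BOUNDARY_PROBES = [(5, 5, 10), (15, 5, 10), (10, 5, 10)]

def structural_fingerprint(src):
    """Token stream with identifiers, literals and comments normalised away
    (roughly what survives compilation, so renaming does not hide a copy)."""
    out = []
    for tok in tokenize.generate_tokens(io.StringIO(src).readline):
        if tok.type == tokenize.NAME and not keyword.iskeyword(tok.string):
            out.append("ID")
        elif tok.type in (tokenize.NUMBER, tokenize.STRING):
            out.append(tokenize.tok_name[tok.type])
        elif tok.type in (tokenize.COMMENT, tokenize.NL, tokenize.ENDMARKER):
            continue  # dropped, as a compiler would drop them
        else:
            out.append(tok.string or tokenize.tok_name[tok.type])
    return out

def load(src):
    """Execute a constructed snippet and return the function it defines."""
    ns = {}
    exec(src, ns)
    return next(v for k, v in ns.items() if not k.startswith("__"))

def evidence(original_src, suspect_src, probes=BOUNDARY_PROBES):
    """Return (structural similarity in [0, 1], True if the quirk is shared).
    A renamed copy scores 1.0 and reproduces the bug; an independent
    implementation scores lower and behaves differently at the boundaries."""
    ratio = difflib.SequenceMatcher(
        None, structural_fingerprint(original_src),
        structural_fingerprint(suspect_src)).ratio()
    f, g = load(original_src), load(suspect_src)
    return ratio, all(f(*p) == g(*p) for p in probes)
```

Neither signal alone settles the question, but a perfect structural match combined with the same boundary bug is the kind of evidence the summary describes, and it is independent of any names a copier may have changed.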

  • by MostAwesomeDude ( 980382 ) on Thursday August 11, 2022 @06:10PM (#62781998) Homepage

    This happens all the time: some corporation ships code with incorrect licensing, infringing on the original author's rights and violating the terms of Free Software licenses. In such situations, we normally think of the corporation's code as containing the original author's code as a contaminant; the corporation is never at risk and the author is always open for exploitation.

    Maybe we should flip that around and consider the corporate code to be questionably licensed and open for the community to use. The author should not be at risk, and the corporation should be exploited.

    • The problem is someone writes GPL lib, then someone else writes a program that uses the lib and releases it in public domain and the original gpl guy says nothing because they probably don't know, then someone else comes along and just sees the public domain thing and takes it. Think about all the repositories in use: do you actually check all the source they are using down the dependency rabbit hole to check all the code actually has the right licence, or do you just assume everything su
  • by Tony Isaac ( 1301187 ) on Thursday August 11, 2022 @07:14PM (#62782112) Homepage

    There's a rule in my neighborhood that says you have to get approval from the HOA before you can replace your fence, even if you're using the same design. Nobody ever actually does that, and nobody tries to actually enforce the rule.

    If you want a rule to be followed, you have to enforce it, through DRM or lawsuits or some other mechanism. Whining doesn't work, nobody cares.

  • by null etc. ( 524767 ) on Friday August 12, 2022 @01:45AM (#62782682)

    First NSA, and then NASA... What's next, NASCAR?

  • The Verge notes that Wardle's cousin Josh Wardle created the popular Wordle game, which was purchased earlier this year by The New York Times.

    And his other cousin John Wardle played bass for Public Image Ltd. Truly a talented family.

  • Wardle's next paradigm is to automate and robo code/reverse engineer drudgery. Finally OSS has a payback pathway to remunerate stolen/copy-waste in commerce.
