Mac Hacker's Code Is So Good, Corporations Keep Stealing It (theverge.com)
Patrick Wardle, founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS, has had his code make its way into a number of commercial products over the years -- "all without the users crediting him or licensing and paying for the work," reports The Verge. Wardle, a Mac malware specialist and former employee of the NSA and NASA, will lay out his case in a presentation today at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University. From the report: The problem, Wardle says, is that it's difficult to prove that the code was stolen rather than implemented in a similar way by coincidence. Fortunately, because of Wardle's skill in reverse-engineering software, he was able to make more progress than most. "I was only able to figure [the code theft] out because I both write tools and reverse engineer software, which is not super common," Wardle told The Verge in a call before the talk. "Because I straddle both of these disciplines I could find it happening to my tools, but other indie developers might not be able to, which is the concern."
One of the central examples in Wardle's case is a software tool called OverSight, which Wardle released in 2016. Oversight was developed as a way to monitor whether any macOS applications were surreptitiously accessing the microphone or webcam, with much success: it was effective not only as a way to find Mac malware that was surveilling users but also to uncover the fact that a legitimate application like Shazam was always listening in the background. [...] But years after Oversight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products -- even down to replicating the same bugs that Wardle's code had.
Three different companies were found to be incorporating techniques lifted from Wardle's work in their own commercially sold software. None of the offending companies are named in the Black Hat talk, as Wardle says that he believes the code theft was likely the work of an individual employee, rather than a top-down strategy. The companies also reacted positively when confronted about it, Wardle says: all three vendors he approached reportedly acknowledged that his code had been used in their products without authorization, and all eventually paid him directly or donated money to the Objective-See Foundation. The Verge notes that Wardle's cousin Josh Wardle created the popular Wordle game, which was purchased earlier this year by The New York Times.
Re:So? (Score:4, Insightful)
There is a big difference between a company making a for-profit product by ripping off GPL licensed code and not complying with the license and one guy downloading a copy of a movie that (if they hadn't downloaded it) they wouldn't have paid money for anyway.
Re: (Score:1, Troll)
And thank you for another pathetic justification.
In both cases the license isn't being honored. In both cases the person/people creating the software aren't being compensated. Anything beyond those two is nothing but excuses.
Re: (Score:1)
When I pirate The Mandalorian (or whatever) Disney lose nothing, because I was never going to pay for it, and I make no profit from it because how the hell could I?
If I got hold of the source for Disney's streaming service and used it to create my own streaming service to complete with them they would be losing out because I could take their customers.
Re:So? (Score:5, Insightful)
Someone downloads a movie - copyright has been infringed once.
Some company takes another person's code and incorporates it into their product, copyright is infringed by the company every time the product is "conveyed". Sold, downloaded, given, etc.
Re: (Score:2)
Someone downloads a movie - copyright has been infringed once.
If someone downloads the movie with BitTorrent, they are also distributing said movie to others, in whole or in part. So, not one infringement.
Re: (Score:1)
Re: (Score:3)
You profited not in a financial sense, but in that you got entertained with a product produced by the money and work of others.
You could've chosen other entertainment that was available on terms you'd like better - there's tons of free content out there, for example. Instead you chose to benefit off someone else's money and hard work.
Thus, wheth
Re: (Score:1, Flamebait)
You may not accept the difference between commercial and non-commercial violations of copyright, but they are legally different. In some jurisdictions, personal use is legal.
Copyright, and associated licenses are legal fictions. The laws are what creates them and what controls their use/misuse.
Your opinion on the matter doesn't mean shit (nor does mine, or anyone else posting here...)
Re: (Score:3)
Re: (Score:2)
There is a big difference between a company making a for-profit product by ripping off GPL licensed code and not complying with the license and one guy downloading a copy of a movie that (if they hadn't downloaded it) they wouldn't have paid money for anyway.
They would not have paid money for the GPL code either, so what's the loss? If financial loss is your yardstick then both have the same result. Criticizing one and rationalizing the other is contradictory.
Re: (Score:2)
This should be different because the circumstances are different.
Why do you think all circumstances should be treated identically, whether they are the same or not?
Re: (Score:2)
Attribution and credit when not awarded as they should have real damaging consequences.
Digitally copying files that doesn't deprive anyone of anything doesn't.
The two are not the same at all.
Re: (Score:2)
You added an /s to your first sentence, but actually it's correct. The latter harms no one, the former does. Assuming you actually mean copy.
It doesn't apply to a car because stealing a car is depriving the owner of a car, not making an extra copy i.e. sharing.
You literally just used the "You wouldn't download a car" argument and worse thought it was a good argument.
As for your lost sale argument, studies consistently show pirates spent the most on content, so most likely your book just sucks.
Re: (Score:2)
Depends on how lazy they are (Score:2, Funny)
Way (way) back in my university OS design class, the semester project was to simulate an interactive operating system. I was helping a friend debug his scheduler code and noticed this:
unsigned int slice; /* A fruit-flavored soft drink. */
Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)
Re:Depends on how lazy they are (Score:5, Informative)
I forget the full story and I couldn't find it but some author saw his application running at some sort of trade show with all the original naming and author info stripped out, and the company showing it off was claiming it was entirely theirs. He pressed a magic key combo on the keyboard and up popped a hidden about screen identifying him as the original author. Awkward.
You can definitely hide things big or small in the code to help prove ownership. As the original article hints even bugs can help indicate it's more than mere coincidence.
Re: (Score:2)
He pressed a magic key combo on the keyboard and up popped a hidden about screen identifying him as the original author. Awkward.
Easter Egg burn -- nice.
Re:Depends on how lazy they are (Score:5, Insightful)
unsigned int slice;
Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)
Neither the variable name nor the comment would be preserved by the compiler. So this would provide no evidence of copying.
Re: (Score:2)
unsigned int slice; /* A fruit-flavored soft drink. */
Had someone appropriated his code and not reviewed/scrubbed it, it would have been obvious who the original author was. :-)
Neither the variable name nor the comment would be preserved by the compiler. So this would provide no evidence of copying.
Sure, but they'd be in the source, unless edited. So not something found with a de-compiler, but in a code repository.
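Picking up the two points made above (a hidden about screen or a replicated bug can show copying, while variable names and comments are gone once the code is compiled, barring debug symbols): the following is an added Python example, not code from this thread or from Objective-See, that mimics what the `strings` utility recovers from a binary and scores how many of a reference build's distinctive literals reappear in a suspect build. The byte blobs, product names, the "J. Doe" easter-egg literal and the baseline set are all constructed for the example; a real baseline would be built from many unrelated binaries so that common runtime strings do not count as evidence.

```python
import re
from typing import Iterable

# Constructed sample "binaries": byte blobs standing in for compiled images.
# Identifiers such as `slice` and the comment quoted in the thread never
# reach a release build, so none of them appear here; string literals do.
ORIGINAL_TOOL = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"OverWatchDemo v1.3\x00"                   # version banner (constructed)
    + b"Hidden about box: written by J. Doe\x00"  # easter-egg literal (constructed)
    + b"mic-in-use:%s\x00Copyright\x00strlen\x00malloc\x00"
    + b"\x01\x02\x03\x04\x05\x06\x07\x08"
)
SUSPECT_PRODUCT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"AcmePrivacyGuard 2.0\x00Copyright\x00malloc\x00"
    + b"Hidden about box: written by J. Doe\x00"  # same literal survived the copy
    + b"mic-in-use:%s\x00"
    + b"\xff" * 8
)
UNRELATED_PRODUCT = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"OtherVendor Monitor\x00Copyright\x00strlen\x00malloc\x00camera active\x00"
)

# Strings almost any compiled program contains (constructed baseline);
# matches on these say nothing about provenance.
COMMON_BASELINE = {"Copyright", "strlen", "malloc", "free", "printf"}


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Roughly what `strings` does: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def distinctive_strings(reference: Iterable[str], baseline: set[str]) -> set[str]:
    """Literals that can identify the reference build: everything not in the baseline."""
    return {s for s in reference if s not in baseline}


def provenance_score(
    reference_blob: bytes, suspect_blob: bytes, baseline: set[str]
) -> tuple[float, set[str]]:
    """Fraction of the reference's distinctive literals that reappear in the suspect,
    plus the literals themselves, so a reviewer can judge how unusual each one is."""
    ref = distinctive_strings(extract_strings(reference_blob), baseline)
    suspect = set(extract_strings(suspect_blob))
    shared = ref & suspect
    score = len(shared) / len(ref) if ref else 0.0
    return score, shared


if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_PRODUCT), ("unrelated", UNRELATED_PRODUCT)):
        score, shared = provenance_score(ORIGINAL_TOOL, blob, COMMON_BASELINE)
        print(f"{name}: {score:.2f} shared={sorted(shared)}")
```

The score is only a triage signal: an easter-egg sentence or an odd format string that shows up in another vendor's build is strong evidence, while a single short literal is not, which is why the function returns the matched strings rather than just a number.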
Re: (Score:2)
I wrote a chat system for a major bank in Australia (which bank? Don't ask). I was not working for that bank at the time.
A couple of years later, they said they didn't want to pay support fees any more as they had written their own.
Really? So I had a look at their one (via the browser). They had literally transliterated my code from one language into another, even keeping the variable names.
Not impressed.
Meanwhile, in Bizarro World... (Score:5, Interesting)
This happens all the time: some corporation ships code with incorrect licensing, infringing on the original author's rights and violating the terms of Free Software licenses. In such situations, we normally think of the corporation's code as containing the original author's code as a contaminant; the corporation is never at risk and the author is always open for exploitation.
Maybe we should flip that around and consider the corporate code to be questionably licensed and open for the community to use. The author should not be at risk, and the corporation should be exploited.
Re: Meanwhile, in Bizarro World... (Score:2)
People only follow rules that are enforced (Score:3)
There's a rule in my neighborhood that says you have to get approval from the HOA before you can replace your fence, even if you're using the same design. Nobody ever actually does that, and nobody tries to actually enforce the rule.
If you want a rule to be followed, you have to enforce it, through DRM or lawsuits or some other mechanism. Whining doesn't work, nobody cares.
Re: (Score:2)
1) Rules apply evenly
2) Rules that aren't enforced are removed
Adding rules might make sense then . . . . since (rinse and repeat)
Re: (Score:2)
If we did that, there would be a lot of starving lawyers!
Re: (Score:2)
If we did that, there would be a lot of starving lawyers!
Man, there's just NO downside to this, is there?
What's next? (Score:3)
First NSA, and then NASA... What's next, NASCAR?
Truly a talented family (Score:2)
The Verge notes that Wardle's cousin Josh Wardle created the popular Wordle game, which was purchased earlier this year by The New York Times.
And his other cousin John Wardle played bass for Public Image Ltd. Truly a talented family.
Obj-C-Objective See-Obj-AI (Score:2)
Wardle's next paradigm is to automate and robo code/reverse engineer drudgery. Finally OSS has a payback pathway to remunerate stolen/copy-waste in commerce.