After my open source code was stolen by a big company: someone admitted, someone told me to get out

Finishing | Chu Xingjuan

It is very annoying for many people that the code that they have worked so hard to write is quietly used by others for commercial use. Recently, industry veteran cybersecurity expert Patrick Wardle shared with Black Hat about his open source code being used by at least three independent companies without being told.

Code “stolen” by at least three different companies

Patrick Wardle is a very good macOS security researcher and the organizer of Apple’s focused OBTS security conference. He is also the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools specifically for macOS, which means that much of Wardle’s software code is now free to download and modify, but it also allows his own code to be used by some without permission. Tech companies took it, and he only discovered it years later.

Known as a Mac malware expert, Wardle worked as a malware analyst at the National Security Agency. During this time, he analyzed code that attacked DoD computer systems and created OverSight, a macOS tool that can see if cameras and microphones are being manipulated by malware, which he released for free through Objective-See.

It was 2016, and the media revealed that cybercriminals were using malware to surreptitiously spy on people through users’ macOS webcams and microphones. One of the hackers used a piece of malware called “Fruitfly” to hijack the laptop’s webcam in order to spy on children. After months of analyzing the new virus, Patrick Wardle decrypted some of the code and set up a server to intercept traffic from infected computers.

However, a few years later, while Wardle was analyzing suspicious code for a customer, it found the problem in a tool on the customer’s own device. Developed by a major tech company, the tool offers similar functionality to OverSight, including monitoring macOS webcams and microphones.

By sifting through the program, Wardle found code he was very familiar with, and his entire “supervised” algorithm, including bugs he didn’t remove, was included in this program. He finally realized that some developer had reverse-engineered his tool, stole his work, and reused it in a product with a different name but nearly the same functionality.

“It’s like someone copied what you wrote and copied your spelling and grammar mistakes,” Wardle said. Later, Wardle’s customers immediately contacted the company, alerting their developers to stealing Wardle’s code.

This isn’t the last time Wardle has seen companies use his code. Later, Wardle discovered that two other large companies also used his algorithm in their own products. Wardle did not name the companies.

“You reach out to these companies and say: ‘Hey, you guys, you mostly stole my stuff. You reverse-engineered my tool and re-implemented the algorithm — which is legally very… Uh, it’s grey. But in the EU, there’s a rule that it’s illegal for you to do that. I have a nonprofit and you actually stole information from the nonprofit and put it into your own commercial code , and then profit from it. It’s very inappropriate,” Wardle said. “But these companies are responding differently.”

“Some of the replies were friendly, I once got a reply email from a CEO acknowledging it and asking how to fix it. But someone first replied that it would take three weeks for an internal investigation, then told me they didn’t see it Any code that does the same, let me go,” Wardle said. When it came to the latter, Wardle had to ask for more evidence.

Proving theft of code is hard

But in fact, it is very difficult to prove that the other party’s code is stolen. Wardle said he had to use his own closed-source software and reverse-engineer it to understand how those companies’ code worked and to prove that it was similar to his own. In addition, Wardle works with the non-profit Electronic Frontier Foundation (EFF), which provides pro bono legal services to independent security researchers.

Wardle was able to figure out if it was code theft because he wrote both tools and reverse-engineered software himself, and having both expertise made it easier for him to find evidence. However, there are not many developers who have this kind of technical background like Wardle and have a certain influence in the community at the same time, and are often weak in maintaining rights and interests.

Last year, a developer named Brendan Gregg disclosed that the open source code related to the DTrace project he wrote was “stolen” by Sun. It was earlier in 2005, and Gregg was busy writing and releasing DTrace-related high-level performance tools, only to find that Sun released fewer related tools than he himself.

Gregg is not a Sun employee and has no knowledge of the inner workings of the company, but he also provides training and consulting support for Sun. Once, Sun demonstrated a new product based on DTrace for him, that is, in the process, Gregg found that some of these tools were scripts written by himself, and these tools were very immature. , there are many strange combinations in it, and the personal style is strong. Gregg also found that Sun had also removed his name as an author. But in the end Gregg didn’t get any compensation either.

Compared to Sun’s behavior, Apple and Oracle’s approach makes Gregg a lot more comfortable. Gregg said that a few years later, Apple added dozens of his tools to OS X, and kept the author’s name, copyright and CDDL open source license intact, and even improved and enhanced the function. Years later, Oracle has adopted the same approach to absorbing open source results in Oracle Solaris 11 and the BSD community in FereBSD.

In fact, there are many cases of misappropriating other people’s open source code for their own benefit. Last year, the Trump-backed social media platform Truth was sued by Mastodon founders. According to Eugen Rochko, founder of Mastodon, the app claims to have pulled a lot of code from its own open-source projects. At that time, netizens found that the interface of the Truth beta version was basically the same as that of Mastodon, and that part of the code of the site was no different from that of other social networks.

The Trump Media & Technology Group (TMTG) has also previously called Truth “proprietary software” and tried to hide the fact that Truth is based on Mastodon. After this incident was exposed, its related stock prices plummeted.

concluding remarks

In fact, open source software itself allows other platforms to use its own code, but open source software licenses require users to make their source code and any modifications made available to the public. But many companies use the code without any explanation.

Wardle believes that the essence of this phenomenon is that the developer’s task is to find some kind of solution, such as monitoring microphones and cameras, and then they find the corresponding tools to reverse engineer and steal the algorithm, and the purpose of the company is the solution, It doesn’t ask where the code came from.

“I believe it’s a systemic problem because when I started looking, I found not just one, but several companies that were completely unrelated.” Wardle believes code theft is widespread.

In response, Wardle suggested that for software developers, anyone writing code (whether open source or closed) should assume that it will be stolen, and learn techniques that will help them detect this. For companies, managers should educate employees or developers not to steal and give them a serious understanding of the legal norms surrounding reverse engineering a product for commercial gain, otherwise the entire organization will be exposed to legal risk.

The occurrence of such incidents is also constantly reminding people that it is necessary to standardize the use of open source software code, otherwise it will not benefit the company’s reputation and actual interests.

The text and pictures in this article are from InfoQ