The FOSS fakery problem

by Dj Walker-Morgan

When someone searches for OpenOffice, Firefox, VLC or any other popular open source package on the internet, are they necessarily going to get the genuine article?

The answer, unfortunately, is no, because there are people who are more than happy to use open source to distribute malware. This shouldn't be surprising when you consider there are scareware merchants who are prepared to trick users into believing their systems are infected with viruses to get them to pay for non-functioning anti-virus software which often includes malware. These criminal types have another trick up their sleeve: they can take popular open source programs, compile in their malware or just bundle it into the installer, and then advertise it for sale on the net.

There is the less illegal, but often unethical, practice of taking open source and just selling it without adding any value. Technically, there's nothing illegitimate about charging for open source code as long as you work within the licence. The problem is that many of these companies often bundle the open source code with proprietary software and don't conform to the requirements of licences like the GPL.

The VLC developers have recently spoken out about companies like this who have been selling the VLC video player as if they wrote it. Ludovic Fauvet notes that:

The result is a poor product that doesn’t work as intended, that can’t be uninstalled and that clearly abuses its users and their privacy. Not to mention that it also discredits our work as volunteers and that it’s time-consuming, time that is not invested in the development.

There are some legal protections which can be used. For example, trademarks can be obtained and enforced so that at least the charlatans can't call what they sell by the well known name, and in some case, they can be prevented from purchasing "ad words" which get their ad displayed when someone searches for the program. But that enforcement costs money and time, both things that most open source projects are short of. Currently, the best advice the VideoLAN developers can give is to ask people to let others know that the place for VLC is www.videolan.org.

Trademarks also cause issues for some free software projects. For example, Firefox's trademark is protected by Mozilla, but because that protection imposes limits on what can be done with the trademarks, it is considered incompatible with free software ethics. Hence the creation of IceWeasel and GNU IceCat, which are Firefox, less the trademark elements (and in IceCat's case, with some additional modifications). Even with a trademark, there is a lot of work to be done; in 2009, for example, Mozilla posted about how they had to assert claims against 15 European sites, halt 122 US sites, review 4,300 sites, report a number of sites to consumer protection agencies, recover 50 domains and alert search engines. So, although trademarks can offer the ability to protect, they are extra work both for the holder of the trademark and the legitimate community around the software.

Another application that can be found suffering similar exploitation and abuse is OpenOffice. Searching for OpenOffice gives similar results to searching for VLC and Firefox – there's a good chance you'll get links from a scammer. Simon Phipps wrote that he was "especially worried that there’s no-one protecting OpenOffice.org end-user from these sorts of scams at present or, as far as I can tell, any time in the near future". Currently, the OpenOffice.org trademark is between organisations (Oracle and Apache Software Foundation).

So what solutions could be applied to help projects protect themselves? One obvious solution, changing the licence to forbid malicious redistribution, is unfortunately not available. The Open Source Definition specifically disallows discrimination against fields of endeavour in clause 6, and this has led to issues in the past where projects have added no military use clauses to their licences. A licence can't even simply specify "This Software shall be used for Good, not Evil" as was the case with Douglas Crockford's jsmin.c which caused problems on projects derived from it.

Having eliminated the licence solution, the next stop would be to work with search engine companies to try and eliminate the dubious software. This would still be a time consuming task, but at least the ad words wouldn't work as a way of luring in unsuspecting users. Unfortunately, projects that have gone to companies like Google for help regularly report that the search engine companies are unresponsive.

The open source community could just be left with trying to educate people on where to download applications to avoid malware. Trying to get that message over whilst advocating open source though could end up acting as a mixed message for the average user. And it is the average, typically Windows-using, user we should be concerned about; Linux users aren't affected by this issue because they rely on managed repositories of compiled packages from trusted sources.

Imagine if we could bring the assurance of trusted repositories to Windows, to help guide users away from the scams and the malware. There are services like ninite which allow users to select from a range of commonly downloaded free applications (open source and proprietary) in one easy to reload bundle. But could the open source community go one better?

Consider this a proposal. Why not create an open source and free software App Store for Windows with a backend server which would offer a catalogue of applications that run on Windows (or Mac). Once the user had chosen an application, the software would select the appropriate version they needed, connect them directly to the source of the software and start downloading it for them. An added feature could be to check optional signatures, MD5 hashes or other validation mechanisms to ensure the download is what it should be.

The app store could even be a web site or web application, making it easier to find when searching the web. It would be one bit of software almost nobody could object to having bundled with a new PC, and it could be the first destination that search engines offer when people search for well known open source applications.

The open source scammers, like the scareware scammers, aren't going away but it could be possible to build something that would route around them as much as possible and spread the word about open source at the same time.