Popular freeware and small utilities

bononos

Diamond Member
Aug 21, 2011
Do you ever wonder how safe it is to install the list of popular must-have apps on the PC? File-sharing apps, portable apps, RadeonPro, temp monitoring, development tools like Visual Studio, editors, encoders and games.

They all install using the admin password and sometimes raise alarms in HIPS software for reading keyboard state, changing protected file objects etc., and I just whitelist them.

Has popular open source software been sifted through for malicious bits? Have there been cases where popular utilities were found to have trapdoors?

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Double-edged sword with open source: the source is available for anyone to read; however, few people are capable of reading the source and understanding possible malicious pieces of code.

Furthermore, of the few that are capable, very few of those are going to be willing to vet all of the code in a large project.

So a lot of people assume that open source stuff is checked, but in reality we simply don't know for sure. The safer bets are open source projects that lots of people contribute to, especially any that are forked into different distributions by different people/teams, as then we know for sure that coders are definitely reviewing the code.

I'm not aware of any really big apps that have deliberately had malicious code hidden in them, but it's certainly possible.

bononos

Diamond Member
Aug 21, 2011
That's the thing. It's such an immense amount of work to look for malicious code that I doubt many popular apps are given more than a cursory scan with AV.

Would it be too far-fetched to assume security agencies have people helping out on things like LibreOffice and GCC?

lxskllr

No Lifer
Nov 30, 2004
Full code audits are rare in open source unless it's a security-related program. What you do get, though, is a lot of people looking at bits of code a subsection at a time. It's no guarantee of quality, but it's much more reliable than proprietary software, which has no method of verification other than probing from the outside.

Popular open source programs get delivered from places other than the developer's site. Using one of them is a good way to get malicious code inserted into the program. When using open source, you should get it from the originating site, or a torrent linked from the originating site.
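One concrete way to act on that advice, as an added example that is not code from any poster in this thread: check a downloaded archive against the SHA-256 checksum list the developer publishes on the originating site, so that a copy picked up from a third-party mirror is rejected if it differs by even one byte. The archive name `tool-1.0.zip`, its contents and the `SHA256SUMS` list are all constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a downloaded installer
# against the SHA-256 checksum published on the project's originating site
# before running it. The archive and checksum list are constructed inline
# so this runs offline; "tool-1.0.zip" is a made-up file name.

# verify_download ARCHIVE SUMS_FILE
# Looks ARCHIVE's base name up in SUMS_FILE (the "<sha256>  <name>" format
# that sha256sum prints) and compares it with the hash of the local file.
# Returns 0 on match, 1 on mismatch or when the name is not listed at all.
verify_download() {
    archive=$1
    sums=$2
    name=$(basename "$archive")
    # Accept both "hash  name" and the binary-mode "hash *name" form.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# demo_setup DIR: write a constructed "download" and a matching checksum
# list, standing in for the SHA256SUMS page on the developer's site.
demo_setup() {
    dir=$1
    printf 'pretend installer bytes\n' > "$dir/tool-1.0.zip"
    (cd "$dir" && sha256sum tool-1.0.zip > SHA256SUMS)
}

# demo_tamper DIR: append one byte, the way a modified mirror copy differs.
demo_tamper() {
    printf 'x' >> "$1/tool-1.0.zip"
}

# Stand-alone run: the clean copy passes, the modified copy is refused.
tmp=$(mktemp -d)
demo_setup "$tmp"
verify_download "$tmp/tool-1.0.zip" "$tmp/SHA256SUMS"
demo_tamper "$tmp"
verify_download "$tmp/tool-1.0.zip" "$tmp/SHA256SUMS" || echo "refusing to install the tampered copy"
rm -rf "$tmp"
```

The check is only as trustworthy as where the checksum came from: a hash file sitting next to the archive on the same mirror proves nothing, because whoever altered the archive can regenerate it. Fetch the list from the developer's own site (or verify the project's signature on it with the project's key) and the archive from wherever is convenient.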

Mushkins

Golden Member
Feb 11, 2013
PrincessFrosty said:
Double-edged sword with open source: the source is available for anyone to read; however, few people are capable of reading the source and understanding possible malicious pieces of code.

Furthermore, of the few that are capable, very few of those are going to be willing to vet all of the code in a large project.

So a lot of people assume that open source stuff is checked, but in reality we simply don't know for sure. The safer bets are open source projects that lots of people contribute to, especially any that are forked into different distributions by different people/teams, as then we know for sure that coders are definitely reviewing the code.

I'm not aware of any really big apps that have deliberately had malicious code hidden in them, but it's certainly possible.

Even forks are a double-edged sword. Let's use Linux as an example: the "official" Debian source code is considerably vetted and has people looking at it all the time. However, PrincessFrosty could easily take that, make malicious changes, make a torrent, and toss up an official-looking website in less than a day touting a specialized Debian build focusing on security tools or graphic design tools or music or whatever. Slap the link all over a bunch of forums and the odds of someone with the skills to pick up on the malicious changes actually going through the code, finding them, and sounding the warning bell before it's too late are... slim.

It's crowd-sourced security; it's only going to be as good as the crowd it's being sourced to.