How Can You Tell Whether Open-Sourced Programs Are Actually Open-Sourced
#1
I was having this discussion with someone on some other forum where I claimed that generally open-sourced programs do not track you because their source code is available publicly. That's when I thought: how do you know whether the program you're downloading is actually the same as the product's source code that is available?
How do you know whether the ISO image of a Linux distribution you downloaded is the SAME as the source code that is available, and that the particular distribution doesn't have any spyware? This kinda seems mind-boggling to me and I was hoping someone could clear my doubts and provide some tips/pointers.
#2
If it is open source you can always compile the software yourself.
Also, what you are proposing is not a stupid idea. It has happened in the past, for example with Linux Mint:
https://www.ghacks.net/2016/02/21/linux-...mpromised/

When downloading these types of things, usually hashes are provided. These hashes will tell you if you have a good copy of the ISO and not one which has been tampered with.

What I am not sure about is if the hash you produce after compiling the software should be the same as the one they provide. If someone knows this please tell me.
#3
Great question! First thing I want to address - a distro is more than a single, compiled binary. With Linux, there are usually two pieces: the kernel, and everything else. You may have seen Linux referred to as GNU/Linux - the GNU part references all the other stuff, and Linux references the kernel. It's common, however, to refer to the entire OS as Linux (although I heard every time that happens Richard Stallman loses some hair).

To ask your question a different way, how can you be sure that the ISO a distribution provides is the actual ISO they intended to provide? It would be a difficult task to re-create the ISO that the distro folks are distributing. The distro folks will provide a hash for the ISO, and you could then verify the hash of that ISO.

enmafia2 brings up a great example with what happened to Mint. With Linux Mint, when they got hacked I _think_ the hackers also updated the hashes. I could be wrong here. In that scenario, using a distribution channel like BitTorrent would provide an extra layer of protection, as every peer would also need to be compromised, since BitTorrent verifies the hash of each chunk of the torrent it downloads. The hackers would need to start seeding the hacked ISO, and have enough seeders to make it seem attractive to folks downloading the new ISO.

Within the actual distribution, you _could_ try and verify all the binaries that are included. Like the kernel, GRUB/LILO, all the other utils, etc. If the distro is pulling them from a binary distribution platform, that platform will most likely have some sort of validation in place as well. You can do the validation that the package management system performs by hand if you were so inclined.

When it comes to making sure that the actual binary is the binary produced from the source code it's purported to be built from, that's a bit more complicated. A lot depends on what compiler was used, what machine it was built on, and several other factors. Sometimes, Machine A and Machine B can produce a binary that will have the same hash, when compiled from the same code. Other times, they won't. Different compilers have different guarantees. For example, the default C# compiler from Microsoft explicitly states that they do _not_ provide any guarantees that two binaries compiled from the same code will have the same hash.

Most of the time, for most folks, the validation of binaries provided by the distro's package management system is adequate. If you want to be absolutely, beyond a doubt, 100% sure, you could use a distro like Gentoo, Linux from Scratch, or others where you compile every bit of software from source code, yourself.

You could also try inspecting the binaries and try to match them up to the source code I guess? I'm not sure on this last part - I'm not great with reverse engineering, and it sounds like an extremely complicated task. But maybe some folks find it fun!
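As an added illustration of the hash check described in #2 and #3 (example code written for this thread, not from any poster or distro; the file names, contents and listing are constructed), this checks a download against a SHA256SUMS listing and also shows the Mint-style case where a matching hash proves nothing because whoever swapped the image also republished its hash:

```python
"""Check a downloaded image against a SHA256SUMS listing, and show what that proves."""
import hashlib
import hmac


def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sha256sum output
    return sums


def verify_file(name, data, sums_text):
    """Return (ok, reason); ok only if the file's SHA-256 equals the digest listed for its name."""
    sums = parse_sums(sums_text)
    if name not in sums:
        return False, "file not listed in SHA256SUMS"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, sums[name]):
        return False, "digest mismatch: corrupted or swapped download"
    return True, "digest matches SHA256SUMS"


def demo():
    """Constructed sample data (not a real distro image): a good copy, a modified copy,
    a file missing from the listing, and the Mint-style case where whoever modified the
    image also republished its hash."""
    iso = b"constructed stand-in for a distro ISO image"
    sums_text = "%s *distro-amd64.iso\n%s  other.iso\n" % (
        hashlib.sha256(iso).hexdigest(), "0" * 64)
    good = verify_file("distro-amd64.iso", iso, sums_text)[0]
    modified = verify_file("distro-amd64.iso", iso + b"+modified", sums_text)[0]
    unlisted = verify_file("distro-i386.iso", iso, sums_text)[0]
    # Attacker controls both the download and the hash listing: the check passes anyway.
    evil = iso + b"+modified"
    evil_sums = "%s *distro-amd64.iso\n" % hashlib.sha256(evil).hexdigest()
    mint_case = verify_file("distro-amd64.iso", evil, evil_sums)[0]
    return good, modified, unlisted, mint_case


if __name__ == "__main__":
    print(demo())   # (True, False, False, True)
```

A mismatch catches a corrupted or swapped download; the last case is why the sums file itself needs an independent check, such as the project's detached GPG signature on it, or the torrent's per-chunk hashes obtained through a channel the web server does not control.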
#4
I forgot to include this in my post. Another question around this same topic - how can you be sure that a service provider that claims to be running an open source product, is actually running that product? The short answer is, you can't.

They could be running a modified version of that product, which does a few extra things, or doesn't do some things, and as long as it correctly implemented all the interfaces it needed to, it would be transparent. This question has come up a few times with Signal. How can we be sure that Moxie is running the same code that's available on GitHub? We can't. We can grab the code, build it, and run our own version of Signal. But we can't integrate our server with the "real" server. And we can't know, for sure, that they are running the exact code they claim to be running.
#5
To answer your second question, why would it matter if the server-side software does the same job but isn't the same? If you're thinking of privacy issues, that is perfectly right and you should never trust your server. That's why encrypting your email is quite important if you don't want anyone else to read it. I personally don't use Signal but I assume it has some E2EE that makes it impossible to read messages intercepted on the server.
Trusting the server to run benign software only is a case of privacy by policy whereas encryption would be the always better privacy by technology.
#6
(03-16-2021, 04:38 PM)nextlinemail Wrote: -SNIP-
You could also try inspecting the binaries and try to match them up to the source code I guess? I'm not sure on this last part - I'm not great with reverse engineering, and it sounds like an extremely complicated task. But maybe some folks find it fun!

Awesome response, yeah that's what I supposed. I just didn't know for sure hehe
Btw, people try to reverse engineer closed code. In fact, one example that is close to this thread topic is the analysis of Red Star OS, a.k.a. backdoored Fedora or North Korean OS.
Here is a talk about that in case you are interested: https://youtu.be/rMN0wmdFH14
#7
(03-16-2021, 09:35 AM)enmafia2 Wrote: If it is open source you can always compile the software yourself.
Also, what you are proposing is not a stupid idea. It has happened in the past, for example with Linux Mint:
https://www.ghacks.net/2016/02/21/linux-...mpromised/

When downloading these types of things, usually hashes are provided. These hashes will tell you if you have a good copy of the ISO and not one which has been tampered with.

What I am not sure about is if the hash you produce after compiling the software should be the same as the one they provide. If someone knows this please tell me.
Looks like I'll be compiling the software myself now.
#8
(03-16-2021, 04:38 PM)nextlinemail Wrote: Great question! First thing I want to address - a distro is more than a single, compiled binary. With Linux, there are usually two pieces: the kernel, and everything else. You may have seen Linux referred to as GNU/Linux - the GNU part references all the other stuff, and Linux references the kernel. It's common, however, to refer to the entire OS as Linux (although I heard every time that happens Richard Stallman loses some hair).

To ask your question a different way, how can you be sure that the ISO a distribution provides is the actual ISO they intended to provide? It would be a difficult task to re-create the ISO that the distro folks are distributing. The distro folks will provide a hash for the ISO, and you could then verify the hash of that ISO.

enmafia2 brings up a great example with what happened to Mint. With Linux Mint, when they got hacked I _think_ the hackers also updated the hashes. I could be wrong here. In that scenario, using a distribution channel like BitTorrent would provide an extra layer of protection, as every peer would also need to be compromised, since BitTorrent verifies the hash of each chunk of the torrent it downloads. The hackers would need to start seeding the hacked ISO, and have enough seeders to make it seem attractive to folks downloading the new ISO.

Within the actual distribution, you _could_ try and verify all the binaries that are included. Like the kernel, GRUB/LILO, all the other utils, etc. If the distro is pulling them from a binary distribution platform, that platform will most likely have some sort of validation in place as well. You can do the validation that the package management system performs by hand if you were so inclined.

When it comes to making sure that the actual binary is the binary produced from the source code it's purported to be built from, that's a bit more complicated. A lot depends on what compiler was used, what machine it was built on, and several other factors. Sometimes, Machine A and Machine B can produce a binary that will have the same hash, when compiled from the same code. Other times, they won't. Different compilers have different guarantees. For example, the default C# compiler from Microsoft explicitly states that they do _not_ provide any guarantees that two binaries compiled from the same code will have the same hash.

Most of the time, for most folks, the validation of binaries provided by the distro's package management system is adequate. If you want to be absolutely, beyond a doubt, 100% sure, you could use a distro like Gentoo, Linux from Scratch, or others where you compile every bit of software from source code, yourself.

You could also try inspecting the binaries and try to match them up to the source code I guess? I'm not sure on this last part - I'm not great with reverse engineering, and it sounds like an extremely complicated task. But maybe some folks find it fun!
Seems like I'll be doing a lot of verification. I might just head over to GitLab/GitHub and download the source code and compile it and run that. At least that way what happened in that article the user above mentioned won't happen to me.
#9
(03-17-2021, 03:17 PM)InfinityDark Wrote:
(03-16-2021, 09:35 AM)enmafia2 Wrote: If it is open source you can always compile the software yourself.
Also, what you are proposing is not a stupid idea. It has happened in the past, for example with Linux Mint:
https://www.ghacks.net/2016/02/21/linux-...mpromised/

When downloading these types of things, usually hashes are provided. These hashes will tell you if you have a good copy of the ISO and not one which has been tampered with.

What I am not sure about is if the hash you produce after compiling the software should be the same as the one they provide. If someone knows this please tell me.
Looks like I'll be compiling the software myself now.


The problem is that, if you don't trust the publisher with the content of their program, why would you trust them with the hash?
They could give you the right hash; it doesn't mean that the program is clean. Even if it is open source.
Yeah, compiling ourselves is better, but let's be real for a moment, no one will go through hundreds of thousands of lines of code before compiling, so, in the end, you just trust the publisher.

Open source is better, but it doesn't mean that the code is clean, and you will probably not go through all the code to verify it, so there's always a part of trust.
Avoid the bad open source programs which have already been analyzed by other people, and only compile code from people you trust.

Or, if the length of the program permits it, review it yourself.
But keep in mind that it is not because a piece of software has its code on GitHub that you can trust it.
#10
(03-20-2021, 07:00 AM)Wipe_TS Wrote: But keep in mind that it is not because a piece of software has its code on GitHub that you can trust it.

Exactly that, a lot of pieces of software have been open source and had vulnerabilities or had problems for years.
An example is CVE-2021-3156 in Sudo; it was there for 10 years and nobody noticed.

* CVE-2021-3156: https://nvd.nist.gov/vuln/detail/CVE-2021-3156