What to do if a big tech company steals your code


In 2016, cybersecurity professional Patrick Wardle heard a disturbing story: cybercriminals were using malware to secretly spy on people through their macOS webcams and microphones. In one particularly troubling case, a hacker used malware called "FruitFly" to hijack laptop webcams with the aim of spying on children.

Wardle was accustomed to studying these types of programs. Before entering the private sector, he worked as a malware analyst at the National Security Agency, analyzing code used to target Department of Defense computer systems. Experienced in playing digital defense, Wardle decided to do something about the threat of spyware: he created OverSight, a macOS tool that monitors the webcam and microphone for signs of malware use. "It was really popular, everybody loved it," he said of the tool, which his nonprofit, Objective-See, released for free.

A few years later, however, Wardle was investigating some suspicious code for a client and encountered something strange in a tool installed on the client's device. The tool was made by a larger company but offered functionality similar to OverSight, including the ability to monitor the macOS webcam and microphone. Examining the program, Wardle found familiar code. Very familiar code. His OverSight algorithm, including bugs he had not yet fixed, was present in the other program. A developer had copied the tool and lifted his work, reimplementing it in a different but similar product.

"An analogy I like to use is plagiarism: someone copies what you wrote and copies your spelling and grammar mistakes," Wardle said. "I always say there are many ways to skin the proverbial cat, but this was just plain copyright [infringement]," he said.

Wardle was taken aback. He immediately contacted the company and tried to warn them that one of its developers had lifted his code. Unfortunately, Wardle said, it wasn't the last time he would find that a company had picked up his work. Over the next couple of years, he found evidence that two other major companies had used his algorithm in their own products.

This week, Wardle recounted his experience at Black Hat, the annual cybersecurity conference in Las Vegas. Together with Johns Hopkins University professor Tom McGuire, Wardle showed how reverse engineering, the process of taking a program apart to reconstruct how it works, can provide evidence of such theft.

Wardle declined to identify the companies that took his code. He says this is not about revenge but about exposing a "systemic problem" affecting the cybersecurity community. To that end, his talk this week drew on the lessons he learned while trying to inform companies of the theft.

"You reach out to these companies and say, 'Hey, you guys basically stole from me. You copied my tool and re-implemented the algorithm.' That's legitimately very... ah, grey. In the European Union there is guidance that if you... [do that] it is illegal. But also the optics are just bad. I work for a non-profit organization. Basically you are stealing from a non-profit and putting this in your commercial code and making a profit from it. A bad look," he said with a laugh.

The responses Wardle received were mixed. "It depends on the company," he said. "Some are really good: I've received an email from the CEO saying, 'What can we fix?' So cool... [With] others, it's a three-week internal audit, and then they come back and tell you to take a hike because they don't see any inconsistencies internally." In those cases, Wardle had to provide additional evidence of what had happened.

Why does this sort of thing happen in the first place? Wardle said his perspective changed over time. "I went in thinking these were evil corporations out to crush the independent developer. But in all cases it was a lazy or naive developer who was tasked with [finding a way to] control the microphone and the webcam... then he or she would copy my tool and steal the algorithm... and then nobody in the corporation would say, 'Hey, where did you get this?' Nobody asks."

In all three cases, after Wardle disclosed the issue to a company, its officials eventually admitted fault and offered to remedy the situation. But to make his case effectively, Wardle often had to present hard evidence. He said he had to reverse engineer their closed-source software to understand how their code worked and demonstrate the similarities to his own. To bolster his case, Wardle partnered with the nonprofit Electronic Frontier Foundation (EFF), which provides pro bono legal services to independent security researchers. "Having them on my side gave me a lot of credibility," he said, noting that not every developer has such backing.
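The kind of evidence described above starts with showing that two binaries share artifacts an independent implementation would not. The script below is an added illustration of the first triage step a reverse engineer takes before diving into disassembly; it is not Wardle's or McGuire's method, and the three "binaries", the noise list and the quirk strings are all constructed for this example. It pulls printable strings out of each blob the way the `strings` utility does, discards strings that any macOS program or any webcam monitor would contain (section names, system library paths, public CoreMediaIO constants), and then reports what remains in common, including the author's own known quirks, a typo and a double space in a format string, which play the role of the "copied spelling mistakes" in the plagiarism analogy. A high overlap here is a reason to compare the decompiled function logic, not a verdict on its own.

```python
"""String-level triage for a code-reuse claim (constructed example, not OverSight's code)."""
import re
from typing import Dict, Iterable, List, Set

# Strings found in almost every Mach-O binary or in any tool that uses the same
# public camera/microphone APIs. Sharing these proves nothing. Constructed noise
# list for this example; a real one is built from a corpus of unrelated binaries.
COMMON_NOISE: Set[str] = {
    "__TEXT", "__cstring", "/usr/lib/libSystem.B.dylib",
    "CoreFoundation", "AVFoundation",
    "kCMIOHardwarePropertyDevices",  # public CoreMediaIO constant, expected in any webcam monitor
}

# Quirks the original author knows are theirs: a typo ("Camrea") and a double
# space inside a format string. Hypothetical markers constructed for this example.
ORIGINAL_MARKERS: Set[str] = {
    "Camrea activated by PID %d",
    "mic state: %d  (delta %d)",
}

MACHO_HDR = b"\xcf\xfa\xed\xfe" + b"\x00" * 12  # not a valid Mach-O, just non-printable filler


def _blob(*strings: bytes) -> bytes:
    """Build a fake binary: filler header, NUL-separated strings, trailing junk."""
    return MACHO_HDR + b"\x00".join(strings) + b"\x00\x01\x02"


# Three constructed "binaries": the original tool, a suspect product, an unrelated one.
ORIGINAL_BIN = _blob(b"__TEXT", b"__cstring", b"/usr/lib/libSystem.B.dylib", b"CoreFoundation",
                     b"kCMIOHardwarePropertyDevices",
                     b"Camrea activated by PID %d", b"mic state: %d  (delta %d)")
SUSPECT_BIN = _blob(b"__TEXT", b"__cstring", b"/usr/lib/libSystem.B.dylib", b"AVFoundation",
                    b"kCMIOHardwarePropertyDevices", b"VendorCorp Privacy Guard",
                    b"Camrea activated by PID %d", b"mic state: %d  (delta %d)")
UNRELATED_BIN = _blob(b"__TEXT", b"__cstring", b"/usr/lib/libSystem.B.dylib",
                      b"kCMIOHardwarePropertyDevices",
                      b"Camera in use by pid %d", b"Microphone active")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def distinctive(strings: Iterable[str], noise: Set[str] = COMMON_NOISE) -> Set[str]:
    """Drop strings that any unrelated program would plausibly contain."""
    return {s for s in strings if s not in noise}


def compare(blob_a: bytes, blob_b: bytes, noise: Set[str] = COMMON_NOISE) -> Dict[str, object]:
    """Jaccard similarity over distinctive strings, plus the shared strings themselves."""
    a = distinctive(extract_strings(blob_a), noise)
    b = distinctive(extract_strings(blob_b), noise)
    shared, union = a & b, a | b
    return {
        "shared": sorted(shared),
        "jaccard": len(shared) / len(union) if union else 0.0,
    }


def marker_hits(blob: bytes, markers: Set[str] = ORIGINAL_MARKERS) -> List[str]:
    """Which of the original author's known quirks appear verbatim in blob."""
    present = set(extract_strings(blob))
    return sorted(markers & present)


if __name__ == "__main__":
    for name, suspect in (("suspect", SUSPECT_BIN), ("unrelated", UNRELATED_BIN)):
        report = compare(ORIGINAL_BIN, suspect)
        print(f"{name}: jaccard={report['jaccard']:.2f} shared={report['shared']} "
              f"markers={marker_hits(suspect)}")
```

Against the constructed inputs the suspect shares both quirk strings with the original and nothing else of note, while the unrelated monitor shares only the public API constant, which the noise filter correctly discounts. In a real investigation the same discipline applies to the next steps: matching function-level control flow or shared bugs carries weight only after the behaviour every legitimate implementation must exhibit has been subtracted out.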

"I'm in a good position because I'm affiliated with the EFF, and I have a large audience in the community because I've been doing this for a long time," Wardle said. "But if this is happening to me, it is happening to other developers [without] the same standing... and in those cases the companies can just tell them to take a hike. So what I'm trying to do is talk about it and show them, 'Oh, this isn't a problem.'"

Wardle believes this kind of algorithm theft is widespread. "I believe it's a systemic issue because when I started looking, I didn't just find one, I found a lot. And they [the companies] were all completely unrelated."

"One of the takeaways I try to push is that if you're a corporation, you have to educate your employees or developers [not to steal]. If they do, it puts the entire organization at legal risk. And, again, the optics look really bad," he said.
