undefined | Better HN

0 pointsdark-star1y ago0 comments

It's a common theme:

- build an open-source thing

- wait till thousands or millions of people are using it

- change the license and close down the source

- implement malicious code

- push an update

- profit! you now have your malware running on millions of systems

0 comments

jeroenhd1y ago

Should be added that the malicious part is often done by a third party that takes over an open source project when the original developer doesn't have the time/energy/money to maintain their open source/free work. Many Chrome extensions end up being sold for thousands or just hundreds of dollars because there's no money in them and the dev isn't all that interested.

Society as a whole could easily avoid this by funding open source/free utilities to the point where malware makers need to spend significant cash to outbid yearly community support, but unfortunately maintaining anything available online for free is a thankless job that barely covers the electricity required to maintain the code.

In this case too, the developers behind the theme seemed to want to monetise their work, which had attained almost 4 million installs, in the past, but found themselves with a rather unwilling customer base. I don't know if they snapped and uploaded something malicious or if they're intentionally making it hard for forks to copy their work, but either way the lesson learned is that if you want to make money you should just abandon your free projects and start something else.

hombre_fatal1y ago

Every time piracy or Youtube ads come up, HNers grandstand on how they don't even pay a dime to the content creators making the hundreds of hours of videos they watch.

GGs if you want a buck for the VSCode theme you made.

skyyler1y ago

I proudly block ads while giving directly to the people that make the stuff I like.

I know I'm in the minority, but I block ads because of memetic hygiene. I don't want to deprive artists but I'm not sitting through adslop for a podcaster's sake.

1 more reply

izzydata1y ago

I fundamentally disagree with making money from ads. I have no problem giving money to people who make things.

Der_Einzige1y ago

tobyhinloopen1y ago

> Society as a whole

As long as we won't have to pay 2 USD for an extension!

notpushkin1y ago

The closing down step is optional. Just don’t build on a public CI, and inject malicious code in your builds, xz-style.

not_wyoming1y ago

Are you contending that's what happened here? This is not a leading question, I genuinely do not know and am trying to learn more.

pickledoyster1y ago

yup, many mobile app developers do this (inject any SDK that'd pay them) too. Doesn't need to be open source, though

DANmode1y ago

Mobile app devs are often scum,

but no need to single them out.

Plenty of bait and switch later free apps turned freemium, or malicious, out there.

oneeyedpigeon1y ago

This is a good description of the problem. I'm not sure why it's been downvoted, except that "common" is overstating it a bit.

mightysashiman1y ago

reminds me of mx player on android (nova launcher also?)

talkingtab1y ago

Hey! Isn't that the Microsoft business model? Doesn't MS control VS Code? (google microsoft antitrust).

j / k navigate · click thread line to collapse