This is a good example of how the current ad-funded economics of the web create perverse incentives. Here you have a web site that produced incalculable good for the free-software community (which is basically everyone who programs, now, even if they’re just leeches who don’t contribute) for a decade; and yet those users do not have control over the site, and the people who do have control over the site are taking advantage of their control in order to hurt the users. And they’re so desperate to get a little bit of revenue that they’re grasping at straws like installing malware for pay.
We need to replace centralized services like SourceForge, DNS, and Google with decentralized systems that no person or small group can subvert in this way, like email, BitTorrent, and Bitcoin; or, failing that, with democratically-governed noncommercial organizations like Debian. Otherwise, problems like this will get worse and worse.
If you think DNS is a centralized service, you have a different definition of centralized than most people I know.
DNS is distributed, but it has a center, and its reliability depends on that center. The recent ICANN moves to require accurate whois info are a good example — because the central authority has decided to prioritize (to be generous) accountability over stability, we are all going to experience stability problems as random domains get randomly canceled throughout the next year, and lots of us are going to get phished. BitTorrent doesn’t have problems like this, and email only has them insofar as it depends on DNS.
Centralization and decentralization are both trust models. PGP, Bitcoin, and BitTorrent are all decentralized in different ways, and require each user to form an opinion as to who they trust or distrust. I’ll compare the CA PKI also.
BitTorrent comes the closest to providing meaningful guidance as to how to do this, because essentially if you connect to a tracker, you are accepting the tracker owner’s advice to trust everyone connected to it (since you’re leaking your IP and what you’re downloading to them). This trust has been violated for essentially everybody who used BitTorrent to transfer music, movies, or television shows during the period of years when enforcement was at its most active; the impact, for the unlucky people who got specific attention, was to receive copyright threats or fines via their ISPs.
Bitcoin involves trusting the owners of the mining servers, who cannot be readily identified even to the extent of determining whether they are a stable set. The impact of violated trust is theft of enormous amounts of money via Sybil attack. It’s worth noting that it’s unlikely this has ever happened, yet.
The PGP model overwhelms people with complexity but does technically serve the purpose of being a basis for people to build their own trust structures atop; also, its function is such that the worst-case outcome is still far better than it is with Bitcoin. I’m confident that people who have spent years embracing it do, in fact, know how to make reasonable decisions with it. Personally, I’m not sufficiently immersed in the PGP culture to understand whether this has ever been violated in a large way, or whether anyone would be surprised if it were, since a benefit to that level of engagement is that you know exactly what the impact of violation would be, every time you extend trust, which in some sense makes it an informed decision.
Compare the CA PKI. This is a centralized system - power flows from the OS and browser vendors to the root CAs, and from them downward to their customers. The impact of violated trust is impersonation of a website owner, which can easily be used to steal money or personal details, trick a user into installing malware, inject advertisements to steal the revenue from them, or pretty much do any bad computer thing. As most people would probably agree, it’s kind of awful every time this is violated, which has been about once a year for the past few years. The impact of these violations has been unclear. Having OS vendors as the ultimate root of trust does not prevent CAs from violating that. It does mean that it is theoretically possible over time to incentivize honest behavior; the distributed systems lack this characteristic (unless you believe proof-of-work does that, but I don’t).
None of these is by any stretch of the imagination a good architecture. I find myself sympathizing with decentralized models, but it’s difficult to elucidate why. In an ideal architecture, one would be able to understand the incentives of the parties being trusted, in perpetuity. Since the parties being trusted are other humans, and human experience is quite varied, and nobody stays the same forever, it is doubtful that this is attainable pre-singularity. I’d like to see more focus on approximating it, and less FUD about why some specific party is allegedly more worthy of trust than some other.
Your comment is very insightful. Thank you!
With regard to this:
BitTorrent comes the closest to providing meaningful guidance as to how to do this, because essentially if you connect to a tracker, you are accepting the tracker owner’s advice to trust everyone connected to it (since you’re leaking your IP and what you’re downloading to them).
It’s worth noting that “trust” is not a sufficiently fine-grained concept to express what we are talking about here, which accounts for the apparent contradiction between what you wrote and what I wrote. “Trust”, or “reliance” as some people are trying to rebrand it to be less confusing, is invariably for some purpose — Alan Karp’s example is, “I trust my bank with my money but not with my kids; I trust my relatives with my kids but not my money.”
In BitTorrent you rely on (or “trust”) the tracker to only transmit your IP address to people who will not use it to do you harm, and as you point out, BitTorrent is not well-designed for sharing information in violation of the law, since the default policy is to allow anyone to find out what information you’re sharing with it. But you don’t rely on the tracker or any subset of the swarm to send you correct data, only the original .torrent file (or file hash), and you don’t rely on anybody in the swarm to be generous with their upstream bandwidth — that’s handled by tit-for-tat, except for the very limited extent provided by optimistic unchoking.
Me, I sympathize with decentralized models because they allow you to choose who to rely on (or “trust”), rather than baking that decision into the architecture of the system.
No, thank you. :)
That’s absolutely true, that whether to trust or not isn’t the only question. I tried to touch on that with examples, but it wasn’t my central point. I appreciate your clarifying. Agreed that BitTorrent assures that any file you do get, will be correct, and that your bandwidth won’t be wasted too badly, and those are properties enforced by technology in this case rather than by social means. And the money/kids thing is hilarious, and no doubt true for most people.
I question the wisdom of trying to dump the “trust” brand without having a replacement that’s better, but I suppose I’m not the one it matters to.
I agree with you that choosing who to trust is often desirable, but that doesn’t seem like the only concern to me. I definitely feel like I have a lot to learn about this before I understand it. :)
The problem with the term “trust” is that, in the sense we use it in security, it has a subtle clash with the normal meaning of the term; in particular, security “trust” is a necessary evil to be minimized, while regular “trust” is what makes our lives livable and enjoyable. Security “trust” makes each of these statements true, but only some of them are true in everyday life:
“Everyone on the internet trusts the DNS to enable them to connect to web sites.”
“Everyone on the internet trusts the NSA with whatever they transmit unencrypted.”
“You trust your browser vendor to choose who can certify the identity of web sites.”
“You trust the Chinese government to certify the identity of web sites.”
“You trust the technician who repairs your laptop.”
“Of the people in the coffee shop on the open Wi-Fi with you, you trust the ones who are in possession of a remote root exploit for your laptop.”
This is a very unfortunate terminology clash. In regular language, “to rely on” or “to be vulnerable to” more accurately express relationships like these than “to trust”.
Perhaps this makes it clearer where our instinctive worries about centralized systems come from. Decentralized systems allow you to choose who to be vulnerable to; centralized systems coerce you into being vulnerable to one party in particular, regardless of whether or not you think they are trustworthy. We have all been coerced into being vulnerable to someone against our will — our parents, if nobody else — and while it usually works out okay, we’ve also probably all been burned by that at one time or another.
That’s all very true. I feel like using the word trust makes the conflict there obvious, between what you’re actually relying on vs. what you would consider reasonable if it were presented in those terms. So it’s meant to raise awareness.
But I have little stake in the “how do we communicate about this” question, and am not the best one to opine on it.
It’s centralized in so far as the root servers are in the hands of the blessed few.
The search engines (primarily Google) broke the decentralised model.
Prior to that, Internet protocols were written to assume that you can’t scale to handle the Internet. People thought you couldn’t scale up so protocols were written to allow collaboration between consenting (mostly equal) partners. Google did the “redundant array of small servers” thing and managed to index pretty much the entire internet.
Since then, effort in decentralised internet protocols has withered and single-use websites - if need be running at internet scale - have flourished. We’ve got a hundred walled gardens to walk in, and they’re really nice, but few bits of common land.
Decentralisation and protocol consensus are hard, and will always lag featurewise and experiencewise to single-site endeavours. But there is probably some appetite for them (e.g. Diaspora versus Facebook). Hard to monetise though…
Imagine an IETF RFC for a social graph server. Post once to that and all the right people see the update in their UI of choice. That’s what we have/had with dns, email, usenet, ftp, telnet, etc, but we’re not doing that any more.
Since they’re trying to pass it as something made to help the project rather than just make money off it, I wonder if the author knew and/or agreed to the hijacking of his project (if I steal something nobody uses it’s still stealing).
I hope this invites people to go delete all their content on sourceforge, even if they don’t use it anymore.
I was just going to comment on the fact that they claim they are just mirroring, which made me wonder how the malware got there, but then I decided to have a second look and found this:
Mirrored projects are sometimes used to deliver easy-to-decline third-party offers, and the original downloads are always available.
(emphasis mine). WTF? I was giving them the benefit of the doubt, but have since added relevant SF domains to my blacklist.
So I came back from work, booted up my Windows VM I use for testing this sort of stuff and oh man the hypocrisy is strong.
Simply said, they are editing their most popular hijacked projects and removing the sourceforge installer!
I had the doubt they were doing this already when I made my first comment, just by noticing the “last updated” times. If they feel so sure about their choices and want to push that their installers are ok, why take them out without saying anything?
Here’s a screen of one of their installers’ icons and the current Gimp-win installer from SourceForge.
Here’s their installer. I applaud them for not auto checking the “I agree” button like most of these trash installers do, but I don’t get why they have “Decline” / “Accept” buttons if they do the same thing (proceed to next offer) anyway!
I clicked the Accept button for both offers without checking the “agree” box and it installed the software without all the trash, so.. dunno, maybe the end user might be spared some trouble.
Another thing, I closed the setup in the middle and it created a “Continue installation” shortcut on desktop… I don’t know how to feel about that.
I fell prey to this (for a different app but also on SourceForge) last year when trying to find an image editor for my wife’s Windows laptop. After trying everything I could think of, I ended up wiping it and re-installing :-(
For older coders who might still have a SourceForge.net account, here’s the page for deleting your account: https://sourceforge.net/auth/disable/
It says “disable” but an op in their support channel confirmed that it’s actually “delete” and my user page is 404ing now.