ImageGlass added malware with this commit (github.com/d2phap)
214 points by perihelions on Jan 22, 2022 | hide | past | favorite | 124 comments


Already reverted.

>Very positively surprised by you listening to feedback and changing it, I was about to drop ImageGlass. I'm sure you'll figure out a better way to financially support the project.

>One thing you should definitely do is promote the Microsoft Store version more directly, I previously didn't know you could even buy ImageGlass. Now I'll do just that. It's hard to notice on the website, and you could also display something when launching the program the first time.

- https://github.com/d2phap/ImageGlass/issues/1252#issuecommen...

Financial support for a project is hard. Novel approach I've not seen before, not something I'd want.


They also _coincidentally_ implemented a feature that autoran ImageGlass as a background service a day before the malware was slipped in.


Some discussion happened here (issue closed by owner):

https://github.com/d2phap/ImageGlass/issues/1252

The malware (at the very least) makes the user's machine the exit node of a commercial proxy service, without users' knowledge or consent.

In the repo maintainer's own words (in a "privacy" menu setting that was enabled by default):

>"Share devide IP with Spider.com customers to pass traffic through your device."

>"Learn more about privacy policy at {0}. To opt out an option, you can uncheck it, then click 'Save' or 'Apply' button below. It will be disabled immediately."

https://github.com/d2phap/ImageGlass/blob/51f9f5eaa17f6fc42e...


>Before this integration, I made an announcement to poll people's reaction on ImageGlass discord server for the first release of IG Moon. There were very little comments, I guessed people were fine with the changes, it's been there for 2 weeks.

I've seen this exact attitude before. It's always interesting to me when a developer like this announces huge changes exclusively through a channel that it turns out most of their users aren't even aware of.


>There’s no point in acting surprised about it. All the planning charts and demolition orders have been on display at your local planning department in Alpha Centauri for 50 of your Earth years, so you’ve had plenty of time to lodge any formal complaint and it’s far too late to start making a fuss about it now. … What do you mean you’ve never been to Alpha Centauri? Oh, for heaven’s sake, mankind, it’s only four light years away, you know. I’m sorry, but if you can’t be bothered to take an interest in local affairs, that’s your own lookout. Energize the demolition beams.

-Hitchhiker's Guide to the Galaxy


I just use “Beware of Leopard!” as shorthand for this phenomenon.


It's worse than it seems.

The very first mention of "spider" on that Discord was already the release announcement of a version containing it and got negative reactions: https://i.imgur.com/gLKce8W.png

I skimmed through the dev's messages prior to that (not many) and couldn't find anything else related.

I believe "I made an announcement to poll people's reaction" is intentionally deceptive wording to imply they made a poll beforehand, but they're actually just referring to the release announcement. Same with "There were very little comments" which misses out the fact that all those comments were negative, and there were few comments primarily because it's a small unknown Discord server.


Let's be honest, even fewer would have reacted to some Github Discussion or Issue trying to discuss the object.

As I see it the dev asked the void and got no negative feedback.

Afterwards the void grew legs and started running after him.


Spider (.) com claims to have access to 70 million residential IPs

How is this legal? And who even uses it?


Scrapers - it's hard to detect bot traffic mixed in with a regular residential IP address


They sure have a fancy website for such a scummy operation


One may often hear the expression "if you're not paying, then you're the product" for websites, but in the case of "free VPN" (or maybe even very low cost ones), it's my understanding that's how they're free to the user: because they're paid by folks who want residential IP egress

I'd guess any such VPN can even put in their ToS "you grant $company the ability to send and receive traffic from your device" which wouldn't raise eyebrows in the same way such a clause in an image viewing binary would


I don't know how many VPNs do this but Hola and BrightVPN do, they both make you a Bright Data exit node.


See also https://brightdata.com/ (formerly Luminati Networks) which does the same thing but with Chrome Extensions.


I always tell people to watch out what extensions they install, the webstore is a minefield


Should be noted that developer has already removed malware right after feedback.

New version has been released.


Saying you are responding to user feedback is like punching someone in the face and then saying surprised "Oh, you don't like that? Sorry I won't punch you directly in the face again!"


I agree completely.


That's something. I'd still _never_ use anything this developer ever writes though.


Reading the issue it seems to have been removed in the latest version.

On a semi-related note: Woof, issues like that make me want to never do open source again. Did that guy make a mistake? Obviously. Was it in good faith? It seemed so. Were people jerks even after he fixed it? Absolutely.


> Did that guy make a mistake? Obviously. Was it in good faith? It seemed so.

Adding unwitting users' computers to a proxy network by default is so obviously and blatantly unethical, it beggars belief. I'm not angry at the creator, because they seem oblivious. I am, however, extremely saddened and frustrated by their obliviousness. Like in no universe is it ever OK to do this even if nobody responds to your discord poll. It takes a real failure in responsible, ethical upbringing to get here. It takes a lack of consideration and empathy for other people to believe that including this isn't an act of aggression towards everyone who encounters the software.


I personally have a very hard time believing they are oblivious. It’s a literal caricature of malware. There is no way one could think it wouldn’t cause this kind of reaction. The best one could hope for is that people don’t notice.


I want to be able to agree with you, but too much of the world is poisoned by toxic "me before you" society. There's a high probability that this person just never learned to recognize and challenge behaviors like this. So, maybe, but also maybe not. Either way it's sad.


> Like in no universe is it ever OK to do this even if nobody responds to your discord poll

As far as I can tell, they didn't even really make a Discord poll.

The first mention of "spider" (or "IP" or "proxy" or any related words) is from the release announcement of a version which already contains Spider, which got negative reactions: https://i.imgur.com/gLKce8W.png

It's very deceptive wording since "I made an announcement to poll people's reaction" is technically true, but it wasn't a poll or before the changes were made as is implied. Same with "There were very little comments", which leaves out the fact the comments they did get were negative and the low quantity is just from it being a small unknown Discord server.


Looking at how he named the commit that introduced it.. it just stinks, looks like it's trying to go in unnoticed.

Or sadly, that commit log standards are nonexistent and don't have to describe the changes and be misleading, it's one of those.


The guy deceptively enlisted thousands of users into a botnet without notification and likely through auto-update mechanisms (such as the Windows app store). That sounds criminal.


It’s not auto updated on Windows, it’s an annoying pop up suggesting you go download the latest version, thankfully.


From the guy:

> ImageGlass Store version is not affected.


Does the Windows Store not allow you to sneak in proxies to user machines?


It's paid for, so I guess it would be in bad taste to have that included. At least the free one you can argue it's ad-supported or whatever.


"ad-supported" and "malware" are not the same thing.


Maybe the author is located in a country with weak cyber crime laws (and does not intend to leave it).


IIRC the author is from and lives in Vietnam.


Shipping malware is not a mistake. The amount of people simping for this guy is unreal.


"Poor guy doing open source takes dumb decision because they need money" is a sorry excuse I've been hearing too much lately.


And quite distasteful when many people have collaborated on your software. If you deserve some compensation, what about all of them? Will you share whatever you earn from it?


> And quite distasteful when many people have collaborated on your software. If you deserve some compensation, what about all of them? Will you share whatever you earn from it?

Most contributions are from drive-by contributors that may not even use the project.

Neither those nor the maintainer are entitled to compensation, but open source is a cruel environment where people want to use what you made but they wouldn't give you a dime unless they had to.


Maybe it’s time we re-examine the value prop for open source authors


Everyone knows their value prop going in: unless you are able to monetize the complement like RedHat or Google, payment is in experience, reputation, and a fun challenge.


Very idealistic people might not realize this as they start working on their project.

I wish it was otherwise, people, but it's usually "build it and they WON'T come" ("they" being the funds needed to make a living.)


Payment can also appear in the form of collaborators helping improve a tool you want for yourself, especially if you choose the right license.


Hell no it was not in good faith - if this makes you think that you shouldn't do open source because of people having malware patched into their system to profit some guy, please, never do it.


The author added malware to the project. That's about as user hostile as it gets, and hostility breeds hostility.


A reverse hostility sandwich, if you will


xD fixed the typo


How do you conclude that quietly integrating malware into an image viewer was done "in good faith"? Because the author didn't twirl their mustache when they did it and claimed surprise that people were mad?


This is not a 'good faith' action. It is a way to try to monetize your users bandwidth in a way that exposes them to liability. It is so far across the line that it is sad that that needs to be explained.


You have it backwards. Open source is the reason why it was detected. Closed source would have made it extremely hard to find.


For the poster you're responding to, I get the impression that their main goal is to avoid dealing with angry users, so people not noticing the change would have been a feature, not a bug.


>Was it in good faith?

On what planet could this be considered good faith?


I was struck by the stark difference in tone among so few commenters. There were firm, constructive, factual feedbacks, and aggressive, inflammatory personal attacks (“how can anyone trust you?”). Laid bare like that, it is so obvious which approach is better and most effective. Obviously the maintainer made a terrible decision, but there’s a right way and a wrong way to suggest correction.

We need more martinlindhes in open source and fewer Yakabuffs.


Well, it's a good question. How can you trust someone who thought this was okay? Even if they're just too ignorant to realize what they were doing, that's also a good reason not to trust them. What else will they think is a good idea?


These are all legitimate questions, but when you phrase them that way and address them to the maintainer, consider how the message will be received. He is likely to consider it an attack, and will be tempted to mount a defense. Now, instead of a constructive problem-solving discussion, you have a destructive battle—one that does not move things forward towards the goals: removing the change and preventing further bad decisions.


There is no constructive criticism possible and no possible further relationship. If I'd been a user of this project, I'd be reformatting my PC and restoring from backups, and the nasty message I'd leave on github would only be intended to warn others away from this toxic person's code.


If someone conspired to enroll my computer in a botnet, constructive problem solving would not be the first thing on my mind, and in fact I don't see how it could be my responsibility. If I fuck up very badly and people are mad and unconstructive, that's unpleasant but the problem is my fuckup, not people being mad about it in the wrong way.

It seems to me that it's up to the author to explain why the project can still be trusted, they can't just do this and expect that people will still trust them just because they reverted it.


You are right.

Everyone makes a mistake at some point, and the fact that the dev used the IP hijacking service's name in the commit message to me signals that he wasn't aware of how shady it is.

Even if he was, a comment like "I don't think this is acceptable and will fork" is a lot more appropriate than "don't talk shit"


Well...

When I install a new software I am always a bit uncomfortable about the potential trojan.

The only thing that prevents it is if the software owner has more to gain by keeping it clean, and this is, unfortunately, not always obvious.

I used ImageGlass in the past. I'll think twice before installing it again, and that will probably never happen as there's not a huge utility or value there.


I'm reminded of the recent incident where the developer of the NPM "colors" and "faker" libraries put show-stopping bugs in those libraries in order to cry out for people to give him money. Both incidents reinforce my opinion that it's very hard to make a living making free software. Maybe a takeaway for free software developers is the need to have clear, realistic plan of how they're going to earn money and if it's going to be through their free software, to be very upfront about that with users. These two developers' attempts to get money may have been born out of frustration, yet their methods were underhanded and abused users' trust in them and their products.


Sorry for being unable to sympathise with these developers but: if you want to make money out of it, make your users pay for it. How is this rocket science? It's not even incompatible with the principle of open source.

One thing is adding a paid plan after you decide you want to monetise your software, it's unpopular but understandable, another is bundling malware or adding malicious logic to get some money or "protest" because companies aren't paying you. They knew this is how open source worked, and being a twat because they don't like those terms anymore just ruins their reputation and all the goodwill they've built.


    /// <summary>
    /// Checks if Blueswan service is running.
    /// </summary>
    /// <returns></returns>
What fresh hell is this?


From a quick search, looks like a software testing framework: https://www.cigniti.com/blueswan/

Edit: see https://news.ycombinator.com/item?id=30038085


The malware DLL has "https://locator.blueswan.io" in it, and various texts referring to "bs-worker" or Blueswan-worker. It's more like an internal codename.

Fun fact: the DLL also has various "C:\Users\akabos" strings, that being the "CTO" of this enterprise: https://ru.linkedin.com/in/akabos

Russian malware writers don't care much for CI.
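As an added, defender-side illustration of the kind of check the comment above describes (not code from the thread, ImageGlass, or Spider.com): a small string extractor that pulls printable ASCII and UTF-16LE runs out of a Windows binary and flags the strings the commenter reports seeing in the DLL. The indicator list is taken verbatim from the comment; the DLL bytes in the block are a constructed stand-in, not the real file, and `scan_file` is a hypothetical helper name.

```python
import re

# Strings the comment above reports inside the bundled DLL (page-reported,
# not independently verified here). Treat as indicators to look for.
INDICATORS = [
    "https://locator.blueswan.io",
    "bs-worker",
    "Blueswan-worker",
    r"C:\Users\akabos",
]


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for every printable run >= min_len.

    Windows binaries routinely carry both narrow (ASCII) and wide (UTF-16LE)
    strings, so a plain ASCII scan misses half of what a PE file contains.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE: each printable char is followed by a NUL byte.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_indicators(data: bytes, indicators=INDICATORS):
    """Map each matched indicator to the (offset, encoding) pairs it was found at."""
    hits = {}
    for offset, encoding, text in extract_strings(data):
        for indicator in indicators:
            if indicator in text:
                hits.setdefault(indicator, []).append((offset, encoding))
    return hits


def scan_file(path: str):
    """Hypothetical helper: run find_indicators over a file on disk."""
    with open(path, "rb") as fh:
        return find_indicators(fh.read())


# Constructed sample: a fake "DLL" with an MZ header, one narrow string,
# one wide string, a build path, and some benign text.
SAMPLE_DLL = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"bs-worker\x00\x00"
    + "https://locator.blueswan.io".encode("utf-16-le") + b"\x00\x00"
    + b"C:\\Users\\akabos\\src\\worker.rs\x00"
    + b"\x00" * 8
    + b"benign text string\x00"
)

BENIGN_DLL = b"MZ\x90\x00" + b"\x00" * 12 + b"just an ordinary library\x00"


if __name__ == "__main__":
    for indicator, locations in find_indicators(SAMPLE_DLL).items():
        print(f"{indicator!r}: {locations}")
```

The point of the two regexes is the one a PE string scan most often gets wrong: `strings` with default settings only reports narrow runs, so a URL stored as a wide string (as .NET and Win32 code commonly do) is invisible to it. Matching on substring rather than whole string also catches the indicator when it is embedded in a longer path or URL.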


I meant the formatting, turning one line of pretty useless comment into 4 lines of garbage boilerplate.


For those of us who would like to find an alternative to ImageGlass, any recommendations? Preferably something lightweight and open source.


Irfanview was always held in very high regard by my Windows using friends, not open source but freeware that's been around for at least a decade; a quick google just now seems to show that people still think it's great. https://www.irfanview.com/


If I remember correctly I started using it in the 2000s, so it's been around way more than that! Great piece of software that I install as one of the first things on a new Windows machine.


Agree, it's really fast and lightweight software even in folders with thousands of photos.

It's definitely on the list of "Must Install" after a fresh OS install, with VLC and a few others.


https://nomacs.org/ fast, GPL3, native, multi-platform and sponsored by German universities.


>Preferably something lightweight and open source.

If you're already on windows (imageglass doesn't look cross-platform), why not use the built in photo viewer? It's pretty lightweight. It's not open source, but if it's already part of the operating system I don't think that's something to worry about.

https://www.tenforums.com/tutorials/14312-restore-windows-ph...


Windows 10 LTSC doesn't come with a built-in photo viewer.


I've searched long and hard for a fast and gpu-accelerated image viewer for Windows and settled on Pictureflect Photo Viewer last summer. Not open source, but it has both free and paid versions (with not much difference, mainly thumbnails and video playback) and it's available both on Windows Store and from their website.


I've had good experiences with XnView on Linux even though it's proprietary.


What's wrong with EOG or Gwenview?


Gwenview is pretty great, if there are builds for your platform then I highly recommend it. It's always been the perfect balance of well-designed and feature-filled for my uses.


I’ve been too lazy to update image glass for the last few months, despite the reminders. What a relief


Heh, I installed ImageGlass when Windows 10 somehow broke their image preview utility, and I don't think I've ever updated it since (or received any notification to update).


>Heh, I installed ImageGlass when Windows 10 somehow broke their image preview utility

The underlying code is still there. You just have to reenable it with a registry tweak. https://www.tenforums.com/tutorials/14312-restore-windows-ph...


Nice, thanks! :)

If I remember correctly, I still think Windows Photo Viewer was much better than ImageGlass. All I want to do is quickly browse through a couple of photos in a folder.


I'm surprised I haven't seen more people point out that the licence says "THERE IS NO WARRANTY FOR THE PROGRAM" and therefore "he can do whatever he wants to (your computer with) his software!?!1".

That argument wasn't convincing when it was made in support of the recent vulnerability added to the "colors" NPM package, but I can still imagine people claiming that hijacking users' IP addresses is not harmful enough to count as malware.


It's one thing to say "there is no warranty" in order to free oneself from the burdens of maintenance and onerous, abusive liability that could arise from the product one is giving to others.

It's quite another thing to say "there is no warranty" under the idea that you shouldn't trust me, since I could suddenly decide to turn around and start taking advantage of you and your naïve trust in me.

I find the first kind of attitude acceptable and reasonable. The second is basically an anti-good-will, pro-aggressor view of the world, which I emphatically reject and hope becomes increasingly unpopular.


Microsoft's "Windows Update Delivery Optimization" steals more bandwidth in a day[1] than this project could hope to steal in its entire lifetime AND this project removed that feature. Let's point our pitchforks in a more productive direction...

[1] S.W.A.G.


Committing .dll files along with the GPL license violates the license in any case. I'm sure that's not stopping anyone from doing it, but it's frustrating to see the GPL just dropped into repos as some kind of meaningless window dressing.


The copyright owner can of course violate their own license. I'm not sure how external contributions factor into that however. Maybe you could make the case that he is bound by his own license if he accepted external contributions which were implicitly licensed under it?


Are you sure this is literally true? My understanding of the GPL is that it requires you to publish source on request. It doesn't make it an automatic violation to publish, say, a binary-only installer package.


What the developer should do in this case, if the dlls are not GPL compatible, and they’re not “system libraries”, is specifically enumerate through them in his license. https://www.gnu.org/licenses/gpl-faq.html#GPLIncompatibleLib...


Would anyone who installed the backdoored ImageGlass application be able to hit up the author with a GPL request for the backdoor spider dlls? They seem to be binary-only, probably from that spider dot com backdoor SDK. Would it get the ImageGlass author in hot water?


Assuming the author owns copyright on the code they're releasing, I'm not sure what that would mean, violating the license.


That makes no sense


Committing .dll files does not violate the GPL. What would violate the GPL is distributing the compiled result.


Unless you own the copyright or otherwise have different licensing terms available to you.


The viral part of GPL only applies when code is statically linked against other GPL code. Anything statically linked to GPL code becomes GPL.

However, distributing GPL code along side proprietary libraries that are dynamically linked together on the user's machine is allowed.


That is very much wrong and I wonder where you possibly got that from, since the text of the license is so easy to find and says:

> For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require


You appear to be conflating the GPL with the LGPL. The GPL definitely has things to say about both static and dynamic linking.


You are thinking of the LGPL.


I am the CEO at Spider.com. We vet all of our users, you likely know who our customers are, they are large Fortune 500 companies. Businesses that need pricing on Amazon products or positions in Search Engine results. The large enterprises with all this data don't make it easy to gather at scale. So by using a few queries from thousands of different IPs we can use the collective wisdom of the crowd. Secret shoppers have existed for about 500 hundred years and pre-date the Internet. You use this service every time you shop at a grocery store. The price of a bag of rice or can of beans will be reasonable to competing grocery stores.

The great news is we are not processor or memory heavy. In fact we don't compute anything local on machines and the bandwidth we use is the equivalent to downloading a few images. We sponsor projects to help developers and keep software free. We all know that software takes hundreds of hours to develop and maintain, so symbiotic relationships are good for the community.

We always require disclosure and being upfront with users. We require an informed decision on the part of the software's user. I am happy to answer questions about how Spider works. I can assure you we are GDPR compliant, we don't care about collecting user data we only gather data that is publicly available online about products and companies from public facing websites.


Adding a random dll to a project isn't very quiet


The commit log is "restructure external dlls", so literally trying to sneak it in quietly - without mentioning it.


Doing anything to the source code repository of an end-user application without an announcement on the website/blog/newsletter is quiet.


DISCLAIMER: I am not the developer, nor am in any way involved with ImageGlass.

Wow, this thread is like 35 minutes old and people are already jumping to conclusions, bashing the developer, bringing out the torches to burn them at stake.

Really disappointed seeing this on HN...

Perhaps the title itself is insinuating, and people are not patient enough to dig any deeper. Perhaps someone can add [quickly reverted] or something to the title?

That being said, I really wonder why people 100% believe other people act in bad faith. Looking into that Github issue (https://github.com/d2phap/ImageGlass/issues/1252 ), it feels more like the dev was not aware of the issues with the bad actor in question, and was also very quick to revert the issue and pull the affected release from Github. This is the best someone can do under this situation, and I'm sure they must have felt quite stressed... Maybe they are, even now, feeling the stress if they stumble upon this thread.

If the dev reads this: You did a great job fixing the issue, congrats!

Toxicity like this kills many projects and dreams, by the way.

EDIT: My argument rests on the assumption that the dev was acting in good faith. If it is proven to be otherwise, I will gladly retract my statement and apologize.


You are congratulating them on adding malware and then removing it.

Actions have consequences and this is a natural consequence, not a punishment. Trust was broken and users are not bound to prove the dev was in bad faith. The dev broke the trust and they can try and prove adding malware was done in good-faith if they wish. If the dev didn't care or _understand_ the severity of this change, then I have no problem if the project dies, gets forked, or whatever.


I believe he acted in bad faith because the git commit message was "restructuring external dlls", as if it was a minor change which had nothing to do with botnets. He knew what he was doing was wrong, otherwise why not honestly say "integrated Spider service"? It reminded me of the PHP repo hack last year when a backdoor was added with a git commit message "fixed a typo".


Why on earth would you be defending this? No one would ever add something like this in good faith.


Do we know if this was enabled by default? The Spider.com SDK License [0] appears to not allow it.

> Partner shall ensure that only Users who have expressly agreed to become nodes will actually be marked by Partner as such (…).

[0] https://www.spider.com/sdk-license


Didn't read the whole code but this makes me think it was: https://github.com/d2phap/ImageGlass/commit/31c1b918165c42de...


The service was enabled by default. In a later commit he adds an option to opt-out of Spider being enabled.


If he was adding it in bad faith, why would he put it on GitHub for all to see, rather than building the binaries in a private fork? Seems like this is incompetence / naivete rather than malice.


He put the code in a commit titled "restructure external dlls" with no reference to what it did, and in other commits includes the string "Spider" (no description of _what_ that does in the title). These weren't added as pull requests where one might expect to review proposed changes, but as direct commits to ~master.

It's not uncommon for people to put obfuscated malware into open source code. See: hackers putting cryptominers and wallet stealers [0] into compromised NPM packages, or UoM campus being banned from contributing to Linux for backdooring the Linux kernel [1].

[0] https://www.trendmicro.com/vinfo/dk/security/news/cybercrime...

[1] https://www.theverge.com/2021/4/30/22410164/linux-kernel-uni...


It’s disingenuous to assume people are acting in bad faith. The developer tried to turn his users' computers into a botnet. The thing that made him change course was that other people noticed and said something. Public criticism and not a sense that Spider runs counter to his users' interest is what people are objecting to.

The idea that, at some point in the future, the developer will make a token effort to notify his user base before doing something against their interest is enough to make me not want to use this developer's software.


Even if the author legitimately didn't mean to do harm, and was acting in good faith, he should never (or at least, for a very very long time) be trusted to contribute to software that isn't subject to someone else's review.

He's shown such a fundamental misunderstanding of the trust that was placed in him. He knowingly merged _malware_ into his software and then did the minimum amount of plausible deniability (a discord poll that 99.99% of his users don't access, and an opt-out buried in a menu).


> Even if the author legitimately didn't mean to do harm, and was acting in good faith, he should never (or at least, for a very very long time) be trusted

I disagree. Let people learn from their mistakes.

> ... to contribute to software that isn't subject to someone else's review.

That's hard to do when it is the author's own software. This "someone else must be lord and master" solution often doesn't apply to reality. Also, I've seen entire companies full of bosses managing people who "are not to be trusted" to do the right thing eventually end up doing the worst possible evil. Let the author learn, and move on.

> He knowingly merged _malware_ into his software and then did the minimum amount of plausible deniability

Or he asked his most active users, and they said it was fine as long as I can turn it off. Who knows... To assign any intent other than to make some money would be assuming a lot of facts that are not in evidence. The good guys won on this. Let's move on to actual problems instead of punishing someone for learning.


> Let people learn from their mistakes.

I'm interested in finding out to what degree you hold this viewpoint. How severe do the negative consequences of an action have to be where you would switch from saying "let them learn from their mistakes" to "we can't trust them again".

(I'm honestly interested in knowing, this isn't just a rhetorical statement.)


If a crime has been committed is one such line, and were the author to do this kind of stuff repeatedly, there's another such line there. But if we hang everyone on the first offense, there will be no one left to hang anyone.


I wouldn't necessarily "hang" a first-time offender, but I'd definitely be wary, and cautious of how much I'll trust them in the future. Personally, I'm not a fan of making statements that say "I'll never again buy/use such-and-such a service or product". I might be willing to consider using their software again in the future. (I'm speaking in the context of this argument, since I've never actually used ImageGlass.)

Regarding crime, there are a lot of behaviors that aren't legally defined as crimes, but are still objectionable (sometimes very). As such, there is no court to prosecute them with the legal system's presumably objective processes, so it's up to the general public to make our own assessments.

Finally, I'm curious as to your level of tolerance to questionable, unexpected behavior by software developers. Maybe not this one, but I wouldn't be surprised if there were certain actions by software developers where you wouldn't tolerate even a single offense. In any case, our differences regarding tolerance to questionable behavior is why we're all discussing this incident anyway.


Maybe the best way for the author to learn from his mistake is to get yelled at and the project forked away from him.

Like, I dunno, but if someone decides to feed my dog a KitKat, I probably wouldn't trust them around my dog anymore, you know? Yeah, they've learned their lesson about dogs and chocolate, but what other stuff don't they realize?


> Maybe the best way for the author to learn from his mistake is to get yelled at and the project forked away from him.

If you feel like that is appropriate, you could do that. I'm just glad the author removed the malware, and hope he's able to find a way to make money that doesn't involve a commercial botnet.


Why are you defending him? He infected potentially thousands of people with malware to make a quick buck.

That he reluctantly reverted the change only when people noticed and called him out on it is not particularly honourable or worthy of praise.


Because people make mistakes


And those mistakes affect others. If your mistake was infecting people with malware, you're not going to be a popular person.


What was the mistake? Did they accidentally add the malware? Did they accidentally make the commit message "restructuring dlls"?


"My users pushed back against malware I snuck onto their computers, they're so toxic and they're killing my dreams of successfully infecting them with malware!"


Without really knowing the author, it's hard to know whether they did what they did in bad faith or in good faith. Regardless of whether it's malice or naivete, either one makes it hard to trust such a developer again, at least right away. They'll have to work hard at earning that trust again and be careful to not make such glaring mistakes again.


Not necessarily bad faith but bad judgment for sure. I could understand making this "opt in" for users who understand what it does and want to help out, but it definitely shouldn't have been loaded by default.


> My argument rests on the assumption that the dev was acting in good faith.

There is no way this was a good faith move, you don't expose your users to liability like this without informing them clearly and making it opt-in.


The reason they reverted the commit as soon as they got _called_out_ is because bam, they got CAUGHT!!

They thought they could be smart and slip in malware quietly without anybody checking, which was pretty badly executed because literally anyone can see the commits.

You don't just accidentally type in a full line introducing malware that IS of common knowledge ("Oh sorry my fingers moved on their own! I didn't know it was malware!!"), that doesn't exist, there is no sugarcoating, this was absolutely evil intended, stop painting as clean and innocent what is visibly dirty.



