Do you trust that software?

It's important to beware of the software you use. Beware, and be aware. What am I talking about?

There are various reasons why you should be careful about the software you use in general, and about some kinds of software in particular. Let's start!

Let's say you are a developer, and you use software that almost any developer could be using. Let me tell you why you should be a bit careful and a bit aware of what can go wrong.

Clipboard managers

I use this clipboard manager called Clipy; I even wrote about it: https://karuppiah.dev/clipboard 📋

Now, what and all do I copy when I'm doing development, or in general?

I copy a LOT of things. A LOT of them are sensitive information ℹ️, secrets: API keys and passwords, work-related stuff on my work laptop, or even personal stuff on my personal laptop.

Clipy could insert some malicious code into its software and send all the copied data to its servers, then use it to hack our accounts :) Bank accounts, cloud accounts, any account.
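The risk above is that whatever lands on the clipboard is readable by the clipboard manager and stays in its history. An added example (not from the post, and not part of Clipy): a small heuristic classifier that flags clipboard text that looks like a credential, so a history tool or a polling script could refuse to store it or clear it promptly. The patterns, the entropy threshold and the sample clipboard contents are all constructed for illustration; a real secret scanner carries far larger pattern sets.

```python
import math
import re

# Heuristic shapes of common credentials (constructed for this example).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_header": re.compile(r"(?i)\bauthorization:\s*bearer\s+\S+"),
    "password_assignment": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*\S+"),
}

# Tokens at least this long with entropy above the threshold are treated as
# opaque secrets even when no named pattern matches (threshold is a guess).
MIN_TOKEN_LEN = 32
ENTROPY_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking tokens score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_clipboard(text: str) -> list:
    """Return the reasons this clipboard content looks sensitive.

    An empty list means nothing suspicious was found. Named patterns are
    reported first, then a single generic high-entropy-token reason."""
    reasons = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
    for token in re.findall(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_TOKEN_LEN, text):
        if shannon_entropy(token) > ENTROPY_THRESHOLD:
            reasons.append("high_entropy_token")
            break
    return reasons


# Constructed clipboard contents, the kind of thing that passes through a
# clipboard manager during a working day (no real credentials).
SAMPLES = {
    "commit_message": "git commit -m 'fix typo in README'",
    "aws_key": "AKIAIOSFODNN7EXAMPLE",
    "env_line": "DB_PASSWORD=hunter2",
    "curl_header": "Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345",
    "key_file": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, body omitted)",
}


def scan_samples() -> dict:
    """Classify every constructed sample; returns {sample_name: reasons}."""
    return {name: classify_clipboard(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        verdict = "DO NOT STORE" if reasons else "ok"
        print(f"{name:15} {verdict:12} {reasons}")
```

The defensive action is on the storing side: a history tool should drop or expire entries the classifier flags rather than keep them indefinitely, and the check runs on the text the tool already has, so it adds no new access to the clipboard.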

Terminal

As developers, we type so much inside terminals. It's important to ensure that you can trust the terminal.

Password Manager

It stores all your passwords and secrets. If you can't trust it, well 😅

I use Bitwarden, an open source password manager. It's popular and trusted by many, though the basic version is free 🆓, which can raise suspicion among users. That's understandable: any free 🆓 software has to be looked at with some suspicion 😅

Tools

In general, any tool: client tools (which we will see below), shells (bash, zsh, fish etc.), editors (text editors like VS Code), extensions (editor extensions like VS Code extensions, browser extensions like Chrome or Firefox extensions, and add-ons, a similar term used in other software), automation tools, linting tools, build tools, file formatting tools, backup and restore tools, anything, any tool.

In all of these tools, you could be handling sensitive information that the tool can read, which can be confidential, which can be secrets like API keys, passwords etc. If the tool is malicious, then it can/will cause harm to you.

Client tools

In a client-server architecture, a lot of us use a lot of tools. There are so many different tools, of different kinds, with different features, pros and cons, for each and every thing:

HTTP Clients - CLI tools, Desktop Apps like Browsers, Mobile Apps etc

SSH Clients - CLI tools, Desktop Apps, Mobile Apps etc

FTP Clients - CLI tools, Desktop Apps, Mobile Apps etc

Database Clients - CLI tools, Desktop Apps, Mobile Apps etc

And more and more clients, for any and everything you use.

In all of these clients, you could be handling sensitive information that the client can read, which can be confidential, which can be secrets like API keys, passwords etc. If the client is malicious, then it can/will cause harm to you.

For example, with SSH clients, you would use private keys 🔑🔐, or provide passwords. If the private key isn't protected by a passphrase, it's a problem. If the private key is protected by a passphrase, I gotta check if it's still a problem; I have some knowledge gap there, some unknowns to learn. Passwords, I believe, will be read by the SSH client to communicate with the SSH server.

Similar to SSH clients, the same is true for HTTP clients, database clients etc.
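For the case the post flags as a clear problem, a private key with no passphrase, here is an added example (not from the post) of a check you can run over your own key directory. It reads only the key headers: in the openssh-key-v1 format the cipher name field is "none" for an unencrypted key and a real cipher name (for example aes256-ctr with the bcrypt KDF) for a passphrase-protected one; legacy PEM keys signal encryption with a "Proc-Type: 4,ENCRYPTED" header and a "DEK-Info" line; PKCS#8 keys say it in the BEGIN line. The sample keys are constructed: they carry only the header fields, no key material. Note that a passphrase protects the key at rest on disk; the client still decrypts it in memory when it authenticates, so the check is about the file, not about what a running client can see.

```python
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf: bytes, offset: int):
    """Read an SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def inspect_private_key(pem_text: str) -> dict:
    """Classify a private key file's on-disk protection from its headers.

    Returns {"format", "encrypted", "cipher", "kdf"}; never touches key bits."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-style private key")
    header = lines[0]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)   # "none" when unencrypted
        kdf, off = _read_string(raw, off)      # "none" or "bcrypt"
        cipher = cipher.decode()
        return {"format": "openssh", "encrypted": cipher != "none",
                "cipher": cipher, "kdf": kdf.decode()}

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": True, "cipher": None, "kdf": None}
    if header == "-----BEGIN PRIVATE KEY-----":
        return {"format": "pkcs8", "encrypted": False, "cipher": None, "kdf": None}

    # Legacy PEM (RSA/EC/DSA PRIVATE KEY): encryption is signalled by
    # "Proc-Type: 4,ENCRYPTED" plus a DEK-Info line naming the cipher.
    encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    cipher = None
    for ln in lines:
        if ln.startswith("DEK-Info:"):
            cipher = ln.split(":", 1)[1].strip().split(",")[0]
    return {"format": "legacy_pem", "encrypted": encrypted, "cipher": cipher, "kdf": None}


def find_unprotected_keys(ssh_dir: Path) -> list:
    """Paths under ssh_dir of private keys that have no passphrase."""
    unprotected = []
    for path in sorted(ssh_dir.glob("*")):
        if not path.is_file() or path.suffix == ".pub":
            continue
        text = path.read_text(errors="ignore")
        if "PRIVATE KEY-----" not in text:
            continue  # config, known_hosts, authorized_keys, ...
        try:
            info = inspect_private_key(text)
        except ValueError:
            continue
        if not info["encrypted"]:
            unprotected.append(path)
    return unprotected


# ---- constructed samples (header fields only, no key material) ----
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    raw = OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_KEY = _fake_openssh_key(b"none", b"none")
PROTECTED_KEY = _fake_openssh_key(b"aes256-ctr", b"bcrypt")
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed placeholder, body omitted)
-----END RSA PRIVATE KEY-----
"""


def demo_scan() -> list:
    """Write the constructed keys into a temp directory, scan it, and return
    the file names flagged as unprotected."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "id_ed25519").write_text(PROTECTED_KEY)
        (d / "id_ed25519.pub").write_text("ssh-ed25519 AAAA constructed\n")
        (d / "id_rsa_old").write_text(LEGACY_ENCRYPTED)
        (d / "deploy_key").write_text(UNPROTECTED_KEY)
        (d / "config").write_text("Host example\n  User dev\n")
        return [p.name for p in find_unprotected_keys(d)]


if __name__ == "__main__":
    print(demo_scan())  # ['deploy_key']
```

Pointing `find_unprotected_keys` at your real `~/.ssh` lists the keys you would want to re-protect with `ssh-keygen -p`; the function only reads headers, so it is safe to run on the real directory.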

Libraries

There are so many open source libraries, also known as modules or dependencies or packages 📦.

We developers build so many libraries, frameworks, tools and services, all of which use libraries.

In all of these libraries, you could be handling sensitive information that the library can read, which can be confidential, which can be secrets like API keys, passwords etc. If the library is malicious, then it can/will cause harm to you.

How to protect yourself from any such trust problems?

Try to use open source software as much as possible. Try to use software that most people use and trust.

If you are very suspicious, read through all the code 🧑‍💻👩‍💻👨‍💻, I mean all the source code of the software, including any libraries it uses, and look for security vulnerabilities and any suspicious 🤨 stuff. But this is almost impossible 😅😅

And after reading all the code, you can build the code yourself, in case it needs building. For example, compiled languages need to be built to use them as an executable; maybe building isn't needed to use them as a library. Why build it yourself? Because the pre-built code (bytecode, binary, executable etc.) could have been built from some other code, with some stuff injected into it, and not from the open source code that you read through.
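Both the libraries section and the paragraph above come down to the same question: is the artifact you installed the one the publisher built from the code you looked at? An added example (not from the post) of the first, cheap check: verifying a downloaded package or binary against a published `SHA256SUMS`-style list, comparing digests in constant time and treating "not listed" as a failure rather than a pass. The release file, its content and the checksum list are constructed; the digest shown is the well-known SHA-256 of the bytes `abc`.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<hex>  <name>' or '<hex> *<name>')
    into {name: hex}; malformed lines are an error, not silently skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_artifact(path: Path, sums_text: str) -> bool:
    """True only if the file's SHA-256 equals its published entry.

    A file the checksum list does not mention raises: 'unlisted' must never
    look like 'verified'."""
    expected = parse_sha256sums(sums_text)
    if path.name not in expected:
        raise KeyError(f"{path.name} is not in the checksum list")
    return hmac.compare_digest(sha256_of_file(path), expected[path.name])


# Constructed sample: a tiny "release" whose content is the bytes b"abc";
# the listed digest is the standard SHA-256 of those bytes.
PUBLISHED_SUMS = """# SHA256SUMS for example-tool 1.0 (constructed)
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-tool-1.0.tar.gz
"""


def demo_verify() -> tuple:
    """Verify a genuine copy and a same-named tampered copy of the artifact;
    returns (genuine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = Path(tmp) / "example-tool-1.0.tar.gz"
        genuine.write_bytes(b"abc")
        mirror = Path(tmp) / "mirror"
        mirror.mkdir()
        tampered = mirror / "example-tool-1.0.tar.gz"
        tampered.write_bytes(b"abc\x00injected")  # same name, altered bytes
        return verify_artifact(genuine, PUBLISHED_SUMS), verify_artifact(tampered, PUBLISHED_SUMS)


if __name__ == "__main__":
    print(demo_verify())  # (True, False)
```

A checksum list that sits next to the download on the same server only catches corruption or a tampered mirror. What ties the binary to the source you read is either a signature over the checksum list with the project's release signing key, or rebuilding from that source yourself and comparing your digest with the published one, which is the point the paragraph above makes.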

And yeah, not all software is open source. And not all software is completely open source. For example, I use the macOS Terminal desktop app; it's not open source, I think. I use Google Chrome, which is not completely open source: Google Chrome is a custom build from Google, built out of Chromium, which is open source, with some small amount of code added to it to make Google Chrome, I think. The same is true for Visual Studio Code (VS Code), whose open source version is called VSCodium. On the other hand, Microsoft's Windows Terminal is open source.

Funnily, the operating systems we use for development are themselves closed source in many cases: Windows, macOS. Many do use Linux and Linux distros, or other open source kernels and operating systems. Just saying.

So, yeah, beware of the software you use and understand how you are vulnerable from different perspectives.