It's important to beware of the software you use. Beware and Be aware. What am I talking about?
There are various reasons why you should be careful about the software you use in general, and especially about some kinds of software. Let's start!
Let's say you are a developer, and you use software that almost any developer could be using. Let me tell you why you should be a bit careful and a bit aware of what can go wrong
Clipboard managers
I use this clipboard manager called Clipy, I even wrote about it - https://karuppiah.dev/clipboard
Now, what and all do I copy when I'm doing development, or in general?
I copy a LOT of things. A LOT of them are sensitive information, secrets - API keys, passwords - work related stuff on my work laptop, or even personal stuff on my personal laptop
The people behind Clipy could insert some malicious code into their software, send all the copied data to their servers and use it to hack our accounts :) Bank accounts, cloud accounts, any account
Terminal
As developers, we type so much inside Terminals. It's important to ensure that you can trust the Terminal
Password Manager
It stores all your passwords and secrets. If you can't trust it, well...
I use Bitwarden, it's an open source password manager. It's popular and trusted by many, though the basic version is free, which can cause suspicion for users - which is understandable - any free software has to be looked at with some suspicion
Tools
In general any tool: client tools (which we will see below), shells (like bash, zsh, fish etc), editors like text editors such as VS Code, extensions (editor extensions like VS Code extensions, browser extensions like Chrome or Firefox extensions, add-ons, a similar term used in other software), and then automation tools, linting tools, build tools, file formatting tools, backup and restore tools, anything, any tool
With all of these tools, you could be handling sensitive information that the tool can read: confidential data, secrets like API keys, passwords etc. If the tool is malicious, then it can and will cause harm to you
Client tools
In a client-server architecture, a lot of us use a lot of client tools. There are so many different tools out there - different kinds of tools, with different features, pros and cons - for each and every thing
HTTP Clients - CLI tools, Desktop Apps like Browsers, Mobile Apps etc
SSH Clients - CLI tools, Desktop Apps, Mobile Apps etc
FTP Clients - CLI tools, Desktop Apps, Mobile Apps etc
Database Clients - CLI tools, Desktop Apps, Mobile Apps etc
And more and more clients, for anything and everything you use
With all of these clients, you could be handling sensitive information that the client can read: confidential data, secrets like API keys, passwords etc. If the client is malicious, then it can and will cause harm to you
For example, with SSH clients, you would use private keys, or provide passwords. If the private key isn't protected by a passphrase, it's a problem. If the private key is protected by a passphrase, I've got to check if it's still a problem. I have some knowledge gap there, some unknowns to learn. Passwords will be read by the SSH client, I believe, to communicate with the SSH server
The same is true for HTTP clients, database clients etc
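As an added example (not from the original post), here is a small Python check for whether an SSH private key file is passphrase-protected, i.e. encrypted on disk: it parses the cipher and KDF names in the OpenSSH v1 key container header and the Proc-Type header of the legacy PEM format. The key blobs below are constructed for illustration and contain no real key material.

```python
import base64
import struct

# The OpenSSH v1 private key container starts with this magic string, followed
# by two SSH wire-format strings: the cipher name and the KDF name.
MAGIC = b"openssh-key-v1\x00"


def _ssh_string(s: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length prefix, then the bytes
    return struct.pack(">I", len(s)) + s


def _read_ssh_string(buf: bytes, pos: int):
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def _openssh_container(cipher: bytes, kdf: bytes) -> str:
    # Constructed sample: only the header fields this check reads are filled in,
    # the key sections that follow are omitted on purpose.
    body = MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


def is_passphrase_protected(pem: str) -> bool:
    """Return True when the private key is encrypted at rest."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        b64 = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
        raw = base64.b64decode(b64)
        if not raw.startswith(MAGIC):
            raise ValueError("not an OpenSSH v1 key container")
        cipher, pos = _read_ssh_string(raw, len(MAGIC))
        kdf, _ = _read_ssh_string(raw, pos)
        # An unencrypted key uses cipher "none" and kdf "none"
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM keys (ssh-keygen -m PEM) mark encryption with a Proc-Type header
    return "Proc-Type: 4,ENCRYPTED" in pem


# Constructed samples: one encrypted container, one plaintext container, one legacy PEM
ENCRYPTED_KEY = _openssh_container(b"aes256-ctr", b"bcrypt")
PLAINTEXT_KEY = _openssh_container(b"none", b"none")
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"  # constructed IV
    "-----END RSA PRIVATE KEY-----\n"
)
```

A passphrase only protects the key at rest: once unlocked, the SSH client holds the decrypted key in memory, so the check tells you how exposed a stolen key file is, not whether the client itself can be trusted.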
Libraries
There are so many open source libraries, also known as modules or dependencies or packages.
We developers build so many libraries, frameworks, tools and services, all of which use libraries
With all of these libraries, you could be handling sensitive information that the library can read: confidential data, secrets like API keys, passwords etc. If the library is malicious, then it can and will cause harm to you
How to protect yourself from any such trust problems?
Try to use open source software as much as possible. Try to use software that most people use and trust
If you are very suspicious, read through all the code - I mean all the source code of the software, including any libraries it uses - and look for security vulnerabilities and any suspicious stuff. But this is almost impossible
And after reading all the code, you can build the code yourself in case it needs building. For example, compiled languages need to be built to use them as an executable; building may not be needed to use them as a library. Why build it yourself? Because the pre-built artifact (bytecode, binary, executable etc) could have been built from some other code, with something injected into it, and not from the open source code that you read through
And yeah, not all software is open source. And not all software is completely open source. For example, I use the macOS Terminal desktop app - it's not open source I think. I use Google Chrome, it's not completely open source - Google Chrome is custom built software from Google, where they build it out of Chromium, which is open source, and then add some small amount of code to it to make Google Chrome I think. The same is true for Visual Studio Code (VS Code), whose open source version is called VSCodium. On the other hand, Microsoft's Windows Terminal is open source
Funnily, the operating systems we use for development are themselves closed source in many cases - Windows, macOS. Many do use Linux and Linux distros, or other open source kernels and operating systems. Just saying
So, yeah, beware of software you use and understand how you are vulnerable from different perspectives