Standard User drewbert
(newbie) Fri 04-Mar-11 17:31:24

Why is the tbbMeter code obfuscated? Why not open source?


tbbMeter requires the .NET framework. .NET apps are generally easy to disassemble using .NET Reflector, but tbbMeter has deliberately been obfuscated using CliSecure. Essentially there's no way of knowing whether tbbMeter is malware or not. In fact, it gives the impression that tbbMeter has something to hide.

Apps that are this inquisitive about what's happening on your system are often open source. Is there a good reason that it's not open sourced? Stick it on GitHub or something like that so paranoid people can compile for themselves, and so the wider tech community can provide patches and improvements. You say that you can't get it running on Mac because of your constrained resources -- well you wouldn't lose any control if you open sourced it, but you'd open the door to a whole load more man-hours of work.

Without that kind of openness, I'm reluctant to install an app that watches what I do and phones home in the background. I expect many other people feel this way, or at least should.

Edited by drewbert (Fri 04-Mar-11 17:59:50)

Administrator MrSaffron
(staff) Fri 04-Mar-11 19:21:29

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: drewbert]
 
If truly open then there would be a myriad of clones, and how can the average non-programmer be expected to know for sure which version is the real one, and which one has not had people inject their own malware into it?

Andrew Ferguson, andrew@thinkbroadband.com
www.thinkbroadband.com - formerly known as ADSLguide.org.uk
The author of the above post is a thinkbroadband staff member. It may not constitute an official statement on behalf of thinkbroadband.
Standard User drewbert
(newbie) Fri 04-Mar-11 19:48:20

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: MrSaffron]
 
Hi Andrew,

Thank you for your reply.

> how can the average non-programmer be expected to know for sure which version is the real one

Because they would download it from your website, just like they already do.

As I said, you (thinkbroadband) would maintain control over what goes into the main branch of the code. Someone like me could come and review the code in the repo and, if I'm not convinced that the build on your site matches the code in the repo, build it for myself.

The average user will never do this, but the fact that it's possible and a few people can do it shows that you have nothing to hide. There are plenty of great open source applications that prove the model.

As for my primary question, why is the code obfuscated? Your organisation must have paid quite a lot of money for the tool that does that. It seems like a fairly simple application (not detracting from the amount of work you have done on it -- I know how hard it is to make even a simple application work well), so I can't see that you're protecting proprietary algorithms or such. Surely the real 'value' of this system is not the code itself, but the network of loyal users feeding data into your system. That kind of behaviour is based upon (mutual) trust. Seeing an obfuscated app like this that 'phones home' with my data doesn't make me feel very secure when it's running on my PC.

Furthermore, if it were open source I would offer some patches for some improvements I'd like to see. You could take them or leave them, but at least I could have them :)


Standard User drewbert
(newbie) Sat 19-Mar-11 15:14:53

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: drewbert]
 
I'm disappointed that there is no official response as to why this application's code is obfuscated. It installs a service to launch itself with administrator access to the box, thus circumventing standard user access control (UAC).

I am uninstalling this application. I advise anyone else who cares about the safety of their PC and values open and honest software to consider doing the same.
Standard User camieabz
(legend) Sat 19-Mar-11 15:33:22

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: drewbert]
 
I imagine there was a lot of time and/or money put into this, and some might not want such a project made open source for obvious reasons.

I myself don't care for software which raises the permission requirements when running, but generally, due to the locking down of operating systems these days, most programs which access other services tend to require UAC elevation.

I didn't subscribe to the sending of data, nor did I subscribe to the 3rd party tool that was on the other version previously. That's fine. I have no need to see their code though. That's their private project imo. If I choose to install it, I do so as it comes.


> I advise anyone else who cares about the safety of their PC and values open and honest software to consider doing the same.


Assuming there would be any shred of evidence beyond baseless suspicion, what motive would TBB have for such coding practices? They don't sell anything directly, and you are protected in several ways:

http://www.thinkbroadband.com/tbbmeter/license.html

(See sections 4 and 11)


As for advising anyone to not use 'x' software, what grounds have you for suspecting it to be either:

a) Suspicious
b) Unsafe


They might want a little intellectual privacy too. No one is forced to participate, and anyone can uninstall the product at any time. What exactly do you suspect the program of doing that makes you try to advise others to not use it?

~~~~~~~~~~



© Camieabz 2002-2011 - All rights and lefts reserved.


Edited by camieabz (Sat 19-Mar-11 15:34:18)

Standard User RobertoS
(sensei) Sat 19-Mar-11 19:47:02

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: camieabz]
 
I find most open source software to be even buggier than tbbMeter and full of too many uncoordinated ideas. As for trusting the safety of it, which stands more chance of code that very cleverly hides something highly dangerous - trusted company or open source?

Peer review is no guarantee at all.

As a major example, Open Office is a complete pig compared to MSOffice. For my tiny amount of usage I admit to putting up with it, purely because it's free. It has little else to commend it in my eyes.

On the opposite side of the fence, Mozilla stuff seems to be reasonably controlled and usable.

My broadband basic info/help site - www.robertos.me.uk
My domains,website and mail hosting - Tsohost. Internet connection - IDNet Home Starter Fibre. Live BQM.
Standard User john2007
(legend) Sun 20-Mar-11 13:18:02

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: RobertoS]
 
I suppose your experience would depend on which open source software you use. I almost exclusively use Linux and find it less buggy than my memory of the Windows systems I've used. As for security, the e-mail spam bot and virus net infected PCs are invariably Windows based.

I think people assume code obfuscation makes it more difficult for hackers to find weaknesses, there doesn't seem to be any evidence for this. Perhaps it just makes it harder for the good guys to spot and warn of vulnerabilities.

I'm sure Windows software is peer reviewed, it is a standard technique. I'd say the more eyes peer reviewing the better.
Standard User john2007
(legend) Sun 20-Mar-11 13:27:26

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: MrSaffron]
 
They'd download from a trusted source. Isn't this a main source of Windows infections, i.e. not been trained to only download binaries from trusted sources?
Standard User RobertoS
(sensei) Sun 20-Mar-11 14:36:57

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: john2007]
 
Obfuscation is not primarily to prevent hacking, it is to stop code (intellectual property) theft.

As I remember it, in C# intermediate code is produced and visible. Unless it is obfuscated it is easily reverse-engineered.

Standard User RobertoS
(sensei) Sun 20-Mar-11 14:40:10

Re: Why is the tbbMeter code obfuscated? Why not open sourc


[re: john2007]
 
In reply to a post by john2007:

> They'd download from a trusted source. Isn't this a main source of Windows infections, i.e. not been trained to only download binaries from trusted sources?

Doesn't your question contradict the preceding statement?
