72 comments

[ 2.4 ms ] story [ 127 ms ] thread
No it's not.
I agree. It's always is.
Correlation is not causation. I don’t see anything on that list that is a consequence of the license.
> I don’t see anything on that list that is a consequence of the license.

That's an interesting point. The GPL does not restrict what software can do. GPL software can potentially do all of these things. Heck, a virus or malware could be GPL licensed, there's nothing stopping that.

The advantage is that under the GPL, they must provide sources which allows the user (who must have software engineering skills) to modify the software to change behavior.

There are indeed PoC malware in GitHub licensed as GPL. ("malware" here meaning "virus", not whatever Stallman thinks it means).
> Software whose functioning mistreats the user is called malware

Hmm, well based on that super broad definition, sure, proprietary software is "often malware". But usually "malware" is understood to mean software that exploits vulnerabilities in a computer system, not merely software with DRM, paywalls, banners, ads, etc.

I think GNU might need to pick a different term here than "malware" unless they are intentionally fear mongering to get the free software conversation going.

Based on that definition, GNU Emacs is malware as whenever I see it on my system (it used to be included with several Linux distros and macOS), I cringe at the thought of all of disk space I could be filling with fortune files.
I would modify the definition to this:

> Software whose functioning intentionally mistreats the user is called malware

There is nothing stopping you from removing GNU Emacs. There are features missing in Roam Research. But in Emacs org-roam, if you are missing a feature, you can ask any programmer– they don't have to be an org-roam maintainer– to add a feature as it is free software. Roam intentionally takes away the freedom to modify the software.

I get your point, but I think in this case the distro would be the malware not emacs.
> unless they are intentionally fear mongering to get the free software conversation going.

I think it's this.

However, they aren't wrong, per se. Users should have control over their systems and their privacy. But hyperbole and fear mongering are not very effective at affecting change in the system.

I would argue that they have a noble mission but take it to such an extreme as to not be very practical.

I don’t know about that.

The way I remember it “malware” as a term was invented to be a bigger umbrella term to account for things like bonzi buddy when “virus” wasn’t quite as good of a description.

Wikipedia[0] says

> Programs are also considered malware if they secretly act against the interests of the computer user

It's fair to say proprietary software often creates an ability and incentive to act against the interests the user which results in it becoming malware.

[0]: https://en.wikipedia.org/wiki/Malware

Yes, they are intentionally fear mongering, just read most of their examples. It’s like reading tabloids.
Fear mongering? Now you go to the other extreme.

What is malware? Is that browser toolbar your aunt has on ther internet explorer Malware? Probably yes.

Is a "Cleaner" Program that does effectively nothing except Phone home Malware? Probably Yes.

Is a software that does similar things behind your back without your knowledge, but that has some useful parts to it Malware? Maybe Yes?

But is ALL proprietary software malware merely because I don’t get the source? I could get the Linux source but it wouldn’t do me any good because I don’t know how to compile it. The whole thing is a silly argument. I pay for some software precisely because it does what I want!
Probably not, but unless you fire up wireshark or reverse engineer precisely which bits on your disk a software touches, you cannot always tell which one does and which doesn't.
Malware needn't exploit a vulnerability. There is much malware (e.g., Comet Cursor, Bonzi Buddy, etc.) that relies on being installed by the end user and may even present as a fun or useful program... but it's really doing something to your detriment behind the scenes.

If Bonzi Buddy counts as malware, so does the Facebook app.

I used to work for a company that used to classify software as malware. The original definition is much closer to what is broadly accepted (at least by antivirus vendors). Much of what is classified as malware doesn't exploit anything other than the user's expectations.

The definition of malware is social construct, not a technical one, otherwise Powershell.exe would light up like a Christmas tree.

The only reasonable way to talk about malware is with respect to users' wishes and desires.

I'll note that AV vendors invented a "less bad" label, PUP, for less-destructive malware. That doesn't make it not malware though.

Ok, fair point, then maybe we ought to be quibbling over the semantics of "mistreat" then. IMO making software not work if the user doesn't pay isn't mistreating the user. GNU disagrees and thinks anything short of 100% optional/unenforced payment is mistreating the user.
This is not true. If you are never provided with the software then GNU wouldn't say you can access the source code.

So if someone says "I won't give you X software unless you pay Y dollars" that is fine

However if they do pay the expectation is they also get access to the source code if they're running the software on their own machine (depending on which license we're talking about of course)

> So if someone says "I won't give you X software unless you pay Y dollars" that is fine

How can you say that though if someone can just get a copy from a peer without paying you? People just go around the paywall and grab a free copy without payment which is why DRM exists at all. So then I make it so the software has to connect to a server to check if you've paid for it, and now suddenly that's mistreating the user?

Having software connect to a server to check if you've paid for it is still allowed. You just have to provide source code. However, you don't have to provide the source code for the software running on the remote server.
In either case this is all a moot point because you don't have to go full GNU to provide source code to paying customers. This still happens in some enterprise situations with contracts in place to assign legal liability for sharing the code for free to other people while still respecting the freedom of the software users to have access to the source code.
Of all the possible things that might be expected, why is a copy of the source code the thing that stands out. If it’s on my machine why shouldn’t I expect excellent documentation, or configuration support, or build help, or features as I request them? What makes the source code and only the source code the exact thing I should expect?
That is... the definition of malware. I notice that lately people have been moving the goalposts so they can justify things like hidden telemetry as not being spyware.
Not moving goalposts, just saying we need to be more precise in our categorization of software. Calling all proprietary software "badware" doesn't really convey much information. We should create more meaningful categories that convey what the software is actually doing that is undesirable.
This is going to sound like a rant, but I really don't mean it that way. I'm not trying to make a value judgement.

GNU picked the term "malware" on purpose. I think the purpose was to (slightly) confuse, connect a known bad thing with commercial software, and spur further dissuasion. I doubt they intended to fearmonger though. That said, your intuition that they picked it to "get the free software conversation going" is, IMO, spot on.

They did the same thing with "free" in "free software". When people misinterpreted what they meant, they used that as an opportunity to ... explain their point of view. Many here may not remember when conversations like "it's free software" ... "no, not just free in cost, but free as in freedom" ... "yes, I know it's cost free, but you can charge money if you want" ... "yes, I know no one charges anything, but it's really about freedom!" was a common conversation in tech circles. I suspect a similar goal for "malware" now.

If clarity was a primary goal, they would have, IMO, picked different words.

Would the abuse of system privileges and capabilities count as "exploiting vulnerabilities in a computer system?" In fact, one might expand this in order to include software that that exploits vulnerabilities in psychology. In this way, you have a term that encompasses all the ways software can be "bad" for end users.
You can call it telemetry, you can also call it spyware.

You can call it DRM, you can also call it user restriction.

You can call it serving ads, you can also call it remote code injection.

You can call it subscription based, you can also call it user lock-in or remote killswitch.

There is not a lot of modern proprietary software that wouldn't fall into these categories. I know a lot of people claim not to care about it, that is a separate issue, but the fact is that most proprietary software is in fact malware, even if people don't mind installing malware.

A dandelion can either be a weed or part of a salad. It's a matter of context.

> You can call it subscription based, you can also call it user lock-in or remote killswitch.

If you stop paying for your gym membership and your access card gets automatically revoked, do you consider that to be some kind of physical instantiation of malware?

If the muscles I built at that gym were incompatible with any other gym, yeah I probably would.

Metaphors don't work as well as people think.

Being a malware has noting to do with exploiting security vulns. When you installed a cracked video game found on a warrez website back in the 2000s, that came bundled with pop-up ads spawning on your computer, it was called a malware.

Today, Windows itself comes bundled not just with ads, but with a keylogger and monitor all you do on your computer.

Mainstream software have turned themselves into malware in a desperate attempt for monetization in a world where nobody wants to pay for software (in parts because FLOSS alternatives exist, but not only).

I would say that modern forms of telemetry(some game companies used literal rootkits!) would be considered malware/adware 15 years ago.

Try to find me a modern closed source program, with big userbase without such telemtry.

It depends on how you define "malware". This defines malware as "Software whose functioning mistreats the user".

I understand the point that's trying to be made. People use software because it provides value to them. I certainly have used or seen software that's abusive (anti-virus/malware products are pretty bad in this respect), and I don't use them.

Unfortunately, proprietary software generally has much more funding and thus can create a much better product than open source alternatives. A recent example for me was looking for an alternative to Lightroom Classic. I found a few different open source projects that replicated different aspects of Lightroom, but not provided the full feature set combining library management with raw editing.

The question then comes down to, how much privacy am I willing to sacrifice to get the extra value?

The answer to this question will be different for different people. As people become more and more privacy focused, we see additional pressure on companies that provide proprietary software to improve privacy in their applications.

GIMP is the classic example of why free software can't compete for end users.
Then Krita[0] is a classic counterexample: A free software digital painting tool with lots of functionality that provides a superior UX to Adobe products.

[0]: https://krita.org/en/

My daughter uses Krita with a drawing tablet. She's not very experienced but the software is good at making it easy for her to at least do all the basics. I was pleasantly surprised when I found Krita after buying her drawing tablet.
> a superior UX to Adobe

I have a couple of years of experience working with that, and I strongly disagree.

It’s also quite buggy. I’ve hit crashes several times while working with large drawings.

There are better examples of desktop OSS that beat proprietary ones: Blender, vlc, ffmpeg+Handbrake, Firefox, 7zip.

> It’s also quite buggy. I’ve hit crashes several times while working with large drawings.

Hmmm, I am sure this happens to Adobe products too– is Krita worse?

The Kurdish ethnic minority was severely persecuted in Turkey. At Turkey's pressure, Microsoft refused to add Kurdish language to Windows until Windows 10, despite languages with far fewer speakers being in Windows. This made Windows complicit in Turkey's cultural genocide against the 3 million people who speak only Kurdish. In above and many other situations, the character of “proprietary” limits human rights.

Ubuntu GNU/Linux was the first OS to support Kurdish.

Don't forget when Apple removed Hong Kong protest safety apps from the app store.

By that definition, I feel most open source software is malware. I have yet to find a single open source project that is user-facing (i.e. not a compiler, etc), not funded & developed/driven by a major corporation and providing a good USER EXPERIENCE. By that definition, much more open source software is malware, than proprietary software.

It is incredible how much time you lose by using Linux and open source tools. GIMP, Darktable, LibreOffice, Eclipse, etc. the list goes on and on. Any tool that you need in your daily workflow usually sucks when it is open source, compared to their commercial counterparts. And the lack of understanding of the open source community that "normal" people don't care about "open source" and simply want a good user experience, didn't help over the past 20 years to improve anything. Using OpenSource makes you feel like you are back in 2000.

Having funding and a coordinated team and management focused on solving customer problems and shipping the right features is something that just doesn't work when a bunch of unpaid devs "team up" and loosely work on solving problems they "think" people have and building UX that "they" like, as opposed to what customers like. My experience with open source is much more along the lines of "a bunch of nerds building software for themselves that nobody else can use or wants to use". This is not a recipe for success.

And god knows I tried. I tried to switch to Linux about once a year in the past 20 years. It always ended up to be an utter disappointment UX wise. Linux is not something people want to use. It's a great accomplishment. But without focusing on UX, Linux will never reach any adoption outside of the server realm. Period.

> I have yet to find a single open source project that is user-facing (i.e. not a compiler, etc), not funded & developed/driven by a major corporation and providing a good USER EXPERIENCE.

Free software developed by a major corporation is still free software. It may not use the open-source development model, but it's still free software.

> GIMP

https://krita.org https://penpot.app

> Eclipse

IntelliJ IDEA Community

> usually sucks when it is open source

The UX argument has been well-worn. In my experience Jitsi Meet, videoconferencing software, is far more reliable than Zoom and Google Meet.

I don't think these examples have anything to do with being open source. They're problems of funding and organization. Of course a lot of open source software doesn't compete well with corporate projects, because it's made by individuals as a hobby. That said, I can list OSS which is highly competitive with its closed equivalents, like Blender and Krita, or has completely displaced corporate software, like VLC, FFmpeg, and git. The issues you mention are real and widespread, but I find open source solutions are still the best tool for the job a significant amount of the time. This is also ignoring the field of corporate open source, which has made great, if caveat-laden, strides in the past few years.
> A proprietary program puts its developer or owner in a position of power over its users. This power is in itself an injustice.

Apart from the horrible style and lack of nuance, it's simply not true. To reply in the same style: who pays for proprietary software, often can demand changes. With OSS, the user is in no position to do so at all.

There is of course nuance here, since large companies with many end users do not listen to their paying customers, and OSS developers can be responsive, but I don't feel particularly kind to someone who uses false and nonsensical premises to make a political point.

> the proprietary program's developer is tempted to design the program to mistreat its users

I mean ...

> who pays for proprietary software, often can demand changes

So how do I demand that Windows 10 stops spying on me?

Boycott it. If enough users cease to buy the OS, Microsoft suffers economic consequence and may change the design to adapt to customer desires.

This model works less well for free software / open source, which often has a lack of financial incentives to motivate (or demotivate) developers.

> Boycott it. If enough users cease to buy the OS

So I have to convince thousands (for Windows maybe a million) of people that the thing that irritates me should be removed. Nope, that seldom happens. I find better luck in FOSS where there is enough tweaking potential that I can remove the irritating thing I don't like. Maybe FOSS maintainers and developers have no financial incentive to do what I want, but I can always have a local patch to do that.

Absolutely. You (with your training and ability to manipulate software, test, debug, and deploy) can make the change you like (and maintain it in perpetuity if you can't find someone to take on upstream maintenance).

This is not an option most software users have, but it's probably an option for most readers of this forum.

> This is not an option most software users have

Yes, but the good thing is that more and more people are learning how to program so I am hopeful that things will get better :)

> So I have to convince thousands (for Windows maybe a million) of people that the thing that irritates me should be removed.

No, you can alternatively pay money for a different tier of license that lets you turn it off.

You are assuming that such a tier exists (remember, my comment was not specific to telemetry)
> who pays for proprietary software, often can demand changes. With OSS, the user is in no position to do so at all.

What do you mean by that? With OSS, I can demand any change that I want and have any software development shop that I choose implement that change at a competitive price.

Quite on the contrary, paying for proprietary software does not mean any right for changes as such - even when paying for really expensive enterprise support contracts; I recall a case where not only the vendor would not make such a change, but we were prohibited by the contract to make the change ourselves (by patching the compiled code, which we were technically capable to do for that particular change we wanted).

> paying for proprietary software does not mean any right for changes as such

Sure it can. There are enough cases where the rights of proprietary software are transferred to the client, or the contract includes the right to make changes or get changes made.

That's not at the scale of MS, of course, but that's exactly the kind of qualification missing in OP's statement.

> To reply in the same style: who pays for proprietary software, often can demand changes.

Not if it's incompatible with available alternatives (such as Windows), and you're paying for the privilege of merely having security updates.

Have you ever seen a payer demand a change from a proprietary vendor and get it? Whereas, people fork and make distros of free software all of the time.

> Have you ever seen a payer demand a change from a proprietary vendor and get it?

This happens constantly, but in private. Usually the conversation goes like this:

    customer: opens support ticket, asking how to do some task X
    vendor: sorry, that needs a feature added to the product
    customer: fine, we'll switch to $other_vendor
    vendor: oh look at that, our engineering department scheduled the feature for next release.
Granted though that when dealing with vendors as large as Microsoft that's not going to happen.
At least in the cloud space, the conversation is often more like "We would use you, but X and Y features are business-critical and you do not support them."

They're called "table-stakes features."

GPL software is the foundation of the privacy unfriendly platforms we now have. Facebook runs on Linux, Google runs on Linux.

Having Linux available made it much more cost effective to store data and do computation on the server, instead of the user’s device.

You think Facebook would exist if it had to buy per CPU licenses of Windows NT Advanced server?

Frankly, we would have been better off in the Microsoft world of individual PCs running proprietary applications on the computer the user owned. Because it ran on your system, you had defacto control over what it did, and if you really wanted to, could reverse engineer and patch it (witness game hacks, and what Microsoft did for backwards compatibility).

Now thanks to the economics of GPL software such as Linux, we are being pushed to a model where all data is stored and computed with on servers you don’t own.

You don't think they'd just run on the BSDs instead if GPLed software didn't exist?
For some reason, the BSDs never really developed as a rival to commercial server operating systems. Solaris, Irix, Windows NT, etc all seemed to exist pretty well even though BSDs were freely available. Then Linux came and ate everyone’s lunch.

Maybe it was the GPL’s requirements to contribute back changes that resulted in Linux rapidly developing a lot of capabilities?

Fascinating argument! If I may distill it, it sounds like

Low-cost server software -> more power to server-based systems and companies -> more centralization of data -> less privacy

Expensive server software -> more power to standalone computing and individual users -> more decentralization of data -> more privacy

On a related note, I wonder what would be the threshold at which the cost of servers and software would make social media and ad-tech companies economically unviable, and which would have prevented Facebook, Google, and others from becoming what they've become.

In some ways, this kind of plays out in iPhone vs Android.

Apple seems to default to push computation and data onto the device.

Google seems to default to push computation and data into the cloud.

> Proprietary software, also called nonfree software, means software that doesn't respect users' freedom and community.

Proprietary software is generally just referred to as "Software".

Also known as the stuff that makes phones ring, cars start, satellites communicate, banks able to track money, grocery stores track how many bananas they have, airplanes not collide...

Fundamentally software makes the world go around, and a huge chunk of it is proprietary.

I don't see how that contradicts the original statement. Software can be useful while not respecting user freedom.
Does a comment have to contradict something it replies to?
(comment deleted)
`(Please note that the article wrongly refers to crackers as "hackers".)`

Always fun to see someone out there still trying to fight the fight of owning word definitions that much of the rest of the world has agreed on.

Gnu has done some amazing stuff, but I think they are making themselves look a bit silly with this clickbaity title and intentionally dodgy definition of 'malware'.
It seems like the Solarwinds exploit deserves inclusion on their list. The big thing about the event is you have a whole bunch of high-value-target companies who uncritically load whatever update Solarwinds (and the other proprietary vendors they use) send them. The create a huge "attack surface" and allowed the hackers to stay in the various systems for a substantial period of time.

And yes, "anyone can be hacked" but if the various companies compiled their admin software from source, things would certainly be harder - even if dubious source got through, the action of the software of "phoning home" would be a lot more suspicious, etc.

I think we need to be adults about these different categories of software.

The primary aspects of adult interactions are consent based on honesty and good communication about any arrangement.

If you are ok delegating services and other work, you are already trusting another person or organization. There is nothing wrong with trusting a software vendor if the benefits are there and the vendor behaves in a trustworthy manner.

Companies often pay for parts they need to create products, where the parts are made with a proprietary process. Whether depending on a vendor for a unique part is worth it depends on the situation.

And there isn’t an open source or free state-of-the-art-software solution for every problem.

If proprietary software is often malware, free software is often shitware.