Patrick Wardle, the Mac Malware Specialist Whose Work Is Used Without Permission
JAKARTA - Patrick Wardle is known as a Mac malware specialist. But his work at the Cupertino-based company has traveled further than he realized.
In addition to being a former NSA and NASA employee, he is the founder of the Objective-See Foundation, a nonprofit that creates open-source security tools for macOS. In this role, much of Wardle's software code is now freely available to download and decompile. Some of this code seems to have attracted the attention of tech companies, which use it without his permission.
Wardle will present his case on Thursday, August 12 at the Black Hat cybersecurity conference with Tom McGuire, a cybersecurity researcher at Johns Hopkins University.
The researchers found that code written by Wardle and released as open source has made its way into a number of commercial products over the years. However, these users neither credited him nor licensed and paid for the work.
The problem, says Wardle, is that it is hard to prove that the code was stolen rather than implemented the same way by chance. Fortunately, because of Wardle's expertise in reverse engineering software, he was able to make more progress than most people.
“I was only able to find out [code theft] because I wrote reverse engineering tools and software, which is not very common,” Wardle told The Verge. “Because I straddle these two disciplines, I can find it happening on my tools, but other indie developers might not be able to do it, which is a concern.”
The theft is a reminder of the precarious status of open source code, which underpins much of the internet. Open source developers usually make their work available under certain licensing conditions.
But because the code is often public, there is little protection against unscrupulous developers who decide to take advantage.
In one recent instance, the Donald Trump-backed application Truth Social allegedly took a large portion of its code from the open source project Mastodon, which resulted in a formal complaint from the founder of Mastodon.
One prime example in Wardle's case is a software tool called OverSight, which Wardle released in 2016. OverSight was developed as a way to monitor whether any macOS app is secretly accessing the microphone or webcam, with much success: it's effective not only as a way to find Mac malware that's watching users but also to uncover the fact that legitimate apps like Shazam are always listening in the background.
Wardle, whose cousin Josh Wardle created the popular Wordle game, said he built OverSight because there was no simple way for Mac users to confirm which app had the recording hardware enabled at any given time, especially if the app was designed to run silently.
To overcome this challenge, the software employs a combination of analytical techniques that turn out to be unusual and, therefore, unique.
But years after OverSight was released, he was surprised to find a number of commercial applications incorporating similar application logic in their own products, even to the point of replicating the same bug found in Wardle's code.
Three different companies were found to incorporate techniques adapted from Wardle's work in their own commercially available software. None of the offending companies was named in the Black Hat talk, as Wardle said he believed the code theft was likely the work of an employee, not a top-down strategy.
“Companies also react positively when faced with it,” Wardle said. The three vendors he approached reportedly admitted that his code had been used in their products without permission, and all ended up paying him directly or donating money to the Objective-See Foundation.
Code theft is an unfortunate reality, but by paying attention to it, Wardle hopes to help developers and companies protect their interests.
For software developers, he advises that anyone writing code, whether open source or closed source, should assume it will be stolen and learn how to apply techniques that can help uncover cases where this has happened.
For companies, he suggests that they better educate employees about the legal framework around reverse engineering other products for commercial gain. In the end, he hoped they would stop stealing.