Comment by npteljes
1 day ago
Hanlon's razor applies here, I think. It's just ignorance, not malice. I doubt the maintainer has a connection to, or was pressured by, these two random dictionary websites to include this, nor do I think that they gain any advantage from it.
People need to be on the lookout though, the xz incident showed that FOSS is indeed vulnerable.
I think Hanlon's razor is outdated. Plausible deniability is the new meta. On top of that, the maintainer seems intent on not fixing the problem.
Not only is it outdated, the Nolnah's razor (reverse form of Hanlon) is more likely to be true nowadays: "Never attribute to incompetence that which is adequately explained by malice".
The bad actors have become too good at acting like well-meaning klutzes.
Wholesale violations of legal and social norms as the secret sauce that will give your company a leg up? Sure, if we get caught the stockholders will have to pay to keep our asses out of jail. But we'll get to keep our share of the loot.
Yeah this is the world we now live in.
Right, there are times where the "algorithm" falls over because of pathological inputs.
Can the problem be fixed without making the software useless?
Sure. We've had dictionary software for decades.
This whole trend of adding a service to stuff that doesn't need a service is very annoying.
Absolutely. In my understanding and approach, it would need two smaller modifications:
1. making "scanning" (the clipboard capturing feature) opt-in, with a huge notification of the implications
2. disabling the English-Chinese online translation plugin by default
Use a TLS-enabled dictionary service. If there is none, you don't want this feature. At all. Making sure they click through something or explicitly enable it is hard even so, as you cannot assume a user understands the impact. They might not understand what it means to send their data over plaintext, or what someone can do with it.
I think that in today's polarized world, it's very much needed. I think we need to look at each other's fallibilities and failures, and not hate each other for it. But the issue needs to be taken care of, especially since it's been known since 2009. It's ridiculous that everyone let it fly for so long.
Yes, but it is a tricky situation when a common tactic is to pretend to be ignorant, for example by "just asking questions". We need more patience and respect in this polarized world, but at the same time there is a minority of malicious actors who intentionally abuse any assumption of good faith given.
But it cannot be adequately attributed to ignorance, so no, Hanlon's razor does not apply. There is an obvious security breach.
I definitely consider it a security breach. But I do still think it's ignorance. Debian maintainers let it slide since 2009, so for at least 16 years now (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731) - are they also malicious? I just think that not enough fucks were given.
Debian maintainers in 2009 did not let it slide, they did fix it in 2009 ... but it came back, twice! (and it seems not many cared about StarDict in 2015 to fix it promptly that time)
> the same kind of problem was reported by Pavel Machek in 2009 and again by "niekt0" in 2015. The 2009 bug was solved by patching the application's default configuration to disable networked dictionaries. That appears to have worked for a time, but the YouDao plugin, which was added in 2016, does not respect the configuration option. The 2015 problem was not fixed until August 6 of this year (although the package was removed from Debian for unrelated reasons for a few months from 2020 to 2021). That fix just removed the stardict_dictdotcn.so plugin, which also sent translation requests to dict.cn and was later subsumed by the YouDao plugin, from the package.
It cannot be ignorance if they have been fully aware of this behaviour. As it stands, it's either maliciousness or negligence.
It isn't rare at all for bugs to surface many years later, and that doesn't mean whoever was responsible for maintenance was malicious; it does if the bug was planted on purpose, and there are some examples of that (the xz library saga, for instance). Of course, you could argue that that too was incompetence, but that's not how this works: lack of oversight by others does not imply malice on the part of those others for failure to catch the issue.
Stuff like this can fly under the radar for a long time because lots of people will assume how it works without actually verifying that it really works like that.
Sufficiently advanced ignorance is indistinguishable from malice.
(but malware authors usually cover their tracks better)
> pressured
Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.
>nor do I think that they gain any advantage of it
I guess the companies receiving all this clipboard traffic are absorbing operational costs to humbly provide this surreptitious service to the world for free, and the package maintainer only wants to help them realize their mission.
We truly live in a utopia!
The guy works for a Chinese media company and he's essentially trying to slip a backdoor into Debian systems.
Malice and typical CCP behavior, IMHO. The responses from the maintainer are unacceptable and he should have his privileges stripped.
Willful negligence is, at some point, malicious.
No. The simplest answer is that they’re deliberately and maliciously exfiltrating data. The other explanation requires more hoops.