I think Hanlon's razor is outdated. Plausible deniability is the new meta. On top of that, the maintainer seems intent on not fixing the problem.

Not only is it outdated, the Nolnah's razor (reverse form of Hanlon) is more likely to be true nowadays: "Never attribute to incompetence that which is adequately explained by malice".

The bad actors have become too good at acting like well-meaning klutzes.

Wholesale violations of legal and social norms as the secret sauce that will give your company a leg up? Sure if we get caught the stockholders will have to pay to keep our asses out of jail. But we'll get to keep our share of the loot.

Yeah this is the world we now live in.

Right, there are times where the "algorithm" falls over because of pathological inputs.

Can the problem be fixed without making the software useless?

Sure. We've had dictionary software for decades.

This whole trend of adding a service to stuff that doesn't need a service is very annoying.

Since it has been shown to be possible in other languages, why wouldn't it be?

It is possible. If you have a free database to do that please upload it?

You can absolutely have an offline DB for lookups/translation for any language that has a server-hosted option available.

Do you have a freely licensed one to share?

Absolutely. In my understanding and approach, it would need two smaller modifications:

1. making "scanning" (the clipboard capturing feature opt-in, with a huge notification for the implications

2. disabling the English-Chinese online translation plugin by default

use TLS enabled dictionary service. if there is none, you dont want this feature. at all. make sure they click through something or explicitly enable is even hard as you cannot assume a user understands the impact. they might not understand what it means to send their data over plaintext, or what someone can do with it.

I don't want this feature with TLS either. Sometimes I copy passwords from my password manager to paste into the intended app. I don't want everything that enters my clipboard sent to a third party.

Does this service exist?

Does it matter?

Will the existence or lack thereof excuse the absolute lack of security and privacy this package exhibits? And the lack of interest from the developer?

Yes it matters. Something that doesn't exist cannot be used. Any other insightful comment you wish to make?

Don't be dense.

At least try to keep up with the main concern: "sending potentially private or security impacting information in plaintext across the internet".

"Does not exist blah blah"

That has to be one of the most inane replies I've read in a while.

I think that in today's polarized world, it's very much needed. I think we need to look at each other's fallibilities and failures, and not hate each other for it. But the issue needs to be taken care of, especially since it's known since 2009. It's ridiculous that everyone let if fly for so long.

Yes, but it is a tricky situation when a common tactic is to pretend to be ignorant. For example by "just asking questions". We need more patience and respect in this polarized world but at the same time there are a minority of malicious actors who intentionally abuse any assumption of good faith given

Yeah, I agree, it's tricky. And besides, the clipboard leak should be fixed for sure, malice or not. It's strange that it has been known for so long.

But it cannot be adequately attributed to ignorance, so no, Hanlon's razor does not apply. There is an obvious security breach.

I definitely consider it a security breach. But I do still think it's ignorance. Debian maintainers let it slide since 2009, so for at least 16 years now (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534731) - are they also malicious? I just think that not enough fucks were given.

Debian maintainers in 2009 did not let it slide, they did fix it in 2009 ... but it came back, twice! (and it seems not many cared about StarDict in 2015 to fix it promptly that time)

> the same kind of problem was reported by Pavel Machek in 2009 and again by "niekt0" in 2015. The 2009 bug was solved by patching the application's default configuration to disable networked dictionaries. That appears to have worked for a time, but the YouDao plugin, which was added in 2016, does not respect the configuration option. The 2015 problem was not fixed until August 6 of this year (although the package was removed from Debian for unrelated reasons for a few months from 2020 to 2021). That fix just removed the stardict_dictdotcn.so plugin, which also sent translation requests to dict.cn and was later subsumed by the YouDao plugin, from the package.

It cannot be ignorance if they have been fully aware of this behaviour. As it stands, it's either maliciousness or negligence.

It isn't rare at all for bugs to surface many years later and that doesn't mean whoever was responsible for maintenance to be malicious, it is if the bug was planted on purpose, and there are some examples of that (the xz library saga, for instance). Of course, you could argue that that too was incompetence but that's not how this works: lack of oversight by others does not imply malice on the part of those others for failure to catch the issue.

Stuff like this can fly under the radar for a long time because lots of people will assume how it works without actually verifying that it really works like that.

I completely agree. Also, these people have a lot of other assignment, as I imagine. I, for one, have certainly let things slide in the past that ended up biting me, for whatever reason, malice not included.

Sufficiently advanced ignorance is indistinguishable from malice.

(but malware authors usually cover their tracks better)

guy works for a Chinese media company and he's essentially trying to slip a backdoor into Debian systems.

malice & typical CCP behavior IMHO. The responses from the maintainer are unacceptable and he should have his privileges stripped

> pressured

Maybe incentivized? $1000? $10000? Would be interesting to hear from the developer himself.

>nor do I think that they gain any advantage of it

I guess the companies receiving all this clipboard traffic are absorbing operational costs to humbly provide this surreptitious service to the world for free, and the package maintainer only wants to help them realize their mission.

We truly live in an utopia!

Willful negligence is, at some point, malicious.

No. The simplest answer is that they’re deliberately and maliciously exfiltrating data. The other explanation requires more hoops.