sec: Possible Malicious non-public fork with misleading doc website #3828
Comments
@brianmay any ideas how we can handle this? Report the website? |
We have a MIT license, where the only requirement is that the license is not removed. Disclaimer: I am not a lawyer. I think this does mean people can make private forks and claim that they are official Teslamate. Which is unfortunate from the support point of view. This is a case where GPL would help, any changes that are distributed must be distributed in source too. But maybe too late for Teslamate. I think the best we can do is what you did, say we can only support the official Teslamate from the official Teslamate github repo. People are free to make forks, but we can't support them. Any problems need to be reproduced with the official image before we can support them. I note that their image has 15 docker layers: Ours only has 12: My brain is a bit asleep right now, not sure if this is significant or not. Will come back to this tomorrow. It wouldn't surprise me if they are missing recent changes in Teslamate or something like that. |
The typical tool to solve the issue of "people can distribute malicious code and call it my project" is to register a trademark on the project name. But you would need a non-zero budget to do so. You probably would need some sort of legal entity to hold the trademark too, and need to do it in such a way that it can't be taken over in the future and used for a closed proprietary solution. |
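The layer-count observation above (15 layers versus 12) can be turned into a concrete check before anyone relies on a third-party image. The following is an added example, not TeslaMate project code: it compares the ordered layer digests of two image manifests and reports whether the candidate image was built on top of the official one and which layers it appended. The manifests and digests are constructed sample data; real manifests would come from `docker manifest inspect <image>` or `skopeo inspect --raw docker://<image>`.

```python
import json
from typing import Dict, List

# Constructed sample manifests (image manifest, schemaVersion 2).
# The digests are shortened fakes, not real TeslaMate image layers.
OFFICIAL_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:c0ffee"},
    "layers": [
        {"digest": "sha256:aaaa", "size": 1000},
        {"digest": "sha256:bbbb", "size": 2000},
        {"digest": "sha256:cccc", "size": 3000},
    ],
})

# A derivative built with `FROM <official image>` keeps every official
# layer, in order, and only appends its own layers after them.
EXTENDED_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:d00d"},
    "layers": [
        {"digest": "sha256:aaaa", "size": 1000},
        {"digest": "sha256:bbbb", "size": 2000},
        {"digest": "sha256:cccc", "size": 3000},
        {"digest": "sha256:dddd", "size": 400},
        {"digest": "sha256:eeee", "size": 500},
    ],
})

# An image rebuilt from a modified source tree shares at most the base
# layer; later layers have different content and so different digests.
REBUILT_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": "sha256:bad0"},
    "layers": [
        {"digest": "sha256:aaaa", "size": 1000},
        {"digest": "sha256:ffff", "size": 2100},
        {"digest": "sha256:9999", "size": 3050},
    ],
})


def layer_digests(manifest_json: str) -> List[str]:
    """Return the ordered layer digests from a schemaVersion 2 manifest."""
    manifest = json.loads(manifest_json)
    if manifest.get("schemaVersion") != 2:
        raise ValueError("expected a schemaVersion 2 image manifest")
    return [layer["digest"] for layer in manifest["layers"]]


def compare_layers(official_json: str, candidate_json: str) -> Dict[str, object]:
    """Compare a candidate image's layer list against the official image's.

    Layers are content-addressed, so a shared prefix of digests means the
    candidate contains byte-identical copies of those official layers.
    """
    official = layer_digests(official_json)
    candidate = layer_digests(candidate_json)

    # Length of the common prefix: how many official layers were kept as-is.
    shared = 0
    for mine, theirs in zip(official, candidate):
        if mine != theirs:
            break
        shared += 1

    built_on_official = shared == len(official)
    return {
        "official_layers": len(official),
        "candidate_layers": len(candidate),
        "shared_prefix": shared,
        "built_on_official": built_on_official,
        # Only meaningful when the candidate extends the official image.
        "added_layers": candidate[shared:] if built_on_official else [],
        # Index of the first layer that differs, or None if none does.
        "diverges_at": None if built_on_official else shared,
    }


if __name__ == "__main__":
    for name, candidate in (("extended", EXTENDED_MANIFEST), ("rebuilt", REBUILT_MANIFEST)):
        print(name, compare_layers(OFFICIAL_MANIFEST, candidate))
```

The result tells you one thing reliably: when `built_on_official` is true, everything the candidate changed lives in `added_layers`, and those are the layers to inspect (for example with `docker history` or a filesystem diff of the extracted layer tarballs). A divergence does not by itself prove tampering, because rebuilding the same Dockerfile at a different time produces different digests; it only means upstream's layers were not reused and the image cannot be vouched for by comparison alone.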
Thanks for your thoughts! I also agree on the trademark side; that is why you often see claims on official websites of open-source projects that this is the only official site and that there are scam versions of it. It just makes me sad to see how open source is being abused and people are being potentially harmed. |
There might be open source lobby groups that will do the trademark stuff for us. e.g. I think the FSF does that, and there are others. I just saw this article, but haven't read it: https://google.github.io/opencasebook/trademarks/ |
Reply to kkthxbye's comment, which he deleted: As the fork is non-public, your guess about the repo is mostly wrong and does not matter. The user you mentioned tried to obfuscate his involvement in a project he linked and does not behave in an open-source manner. Furthermore, the stars for his repos seem to be botted/fake. There's no reason to talk to someone who's already tried to screw you over. |
After what happened with xz (maintainer facing mental issues was bullied until he handed over the project to a malicious developer), it is quite clear you can't be too careful here. We don't know anything about this project or its maintainer or if they are trustworthy or not. I think we need to err on the side of caution here. Particularly as this code has access to Tesla Tokens and - I believe - has significant use across the globe. There is nothing wrong with creating a fork of TeslaMate, that is fine. But we cannot check every fork and rate it for trustworthiness either. There is nothing wrong with posting a diff of the two images either. I am a bit surprised it got deleted. However, as the xz experience shows us, malicious actors can be patient, waiting years while they develop good changes before they switch to malicious changes. If we endorsed the image now, could we still stand by this in, say, 2 years' time? In this case I don't even see a good reason for a fork; if there is something lacking with the official images, then we would be more than willing to review any pull requests to fix this. Forks of open source software are generally only required if upstream is moving in a way that contributors don't like or is failing to merge pull requests for some reason. |
I fully agree with that.
I also don't understand why kkthxbye deleted his comment. (I have clarified my answer in this respect above.) |
@JakobLichterfeld - Your answer was rude and weirdly emotional. I was in no way promoting the image, just trying to have calmer heads prevail and provide some actual investigation. Your goal seems different so I deleted it. Have a good one. |
A cursory search yields https://github.com/mywind2020/teslamate-cn/commits/master/ as the likely source of those images |
Looking at their (translated) description:
and commits master...mywind2020:teslamate-cn:master it does not look very "malicious" but you never know these days. |
[Admin Edit: removed potentially malicious link] This website engages in commercial activities by adding translated documents to the website and embedding new pages in the documents to sell products. |
I'm using this one in China on my VPS. It's easy to deploy on a server with only one script to run. |
In #3825 a user reported an issue, but was not using any official teslamate images.
The fork is non-public (which can be an indication of malicious activity), but there seems to be a misleading website as well: they removed `.org` from the official https://docs.teslamate.org/ and replaced it with `.com.cn`.
The issue is not the translation of the doc (even if this must result in an out-of-date doc, as it is not maintained); the installation instructions point to the non-public fork.
TeslaMate officially does have a full Chinese translation and uses the Chinese API endpoint when needed.