Security Risk of Open Sourcing Software

Information Technology as we know it runs on open source software, from the operating systems that power servers (Linux), to the databases behind nearly every major application (PostgreSQL, MySQL, MariaDB), to the web servers delivering billions of pages a day (Apache, NGINX), to the core development tools engineers rely on (Git, VS Code, Docker, Kubernetes, Python, .NET Core). Open source isn’t just a part of IT, it is the foundation of modern computing, cloud, DevOps, cybersecurity, and AI. I’ve personally contributed to this ecosystem for years, building and releasing multiple open-source applications, libraries, and tools that have been adopted by developers, businesses, and hobbyists worldwide. Whether it’s publishing reusable components, maintaining community-driven frameworks, releasing utilities that solve real engineering problems, or actively contributing fixes, documentation, and support, my work has helped strengthen the same open-source model that powers global innovation. Every time a company deploys Docker containers, monitors logs with ELK, secures traffic with OpenSSL, automates pipelines with GitHub Actions, or runs workloads on Kubernetes; they are benefiting from the same open collaboration cycle I’ve been a part of: build, share, improve, repeat.

There are however inherit risk with open sourcing software. As an example, Roblox recently open sourced their PII Classifier product. There are definitely some security and safety trade-offs to consider when Roblox Corporation open-sources their PII classifier (the “PII Classifier”) for chat. It’s by no means a straightforward “win” without risk. Below I walk through the benefits, the key risks, and mitigations.

What’s good about this move

First, from a positive standpoint:

• The model helps detect when users in chat are asking for or sharing personally-identifiable information (PII) (e.g., phone numbers, social handles) — a known safety problem especially on social / gaming platforms with minors. (Roblox)
• Open-sourcing the tool can help the broader community: other companies, researchers, developers can inspect, adapt, extend the model or safety-toolchain — increasing transparency and collective defence.
• Roblox reports strong performance: e.g., a 98% recall on internal test set at 1% false positive rate, and F1 of ~94% on production data vs much lower for baseline models. (Roblox)
• It may stimulate safer ecosystem behaviour: if adversaries know the model’s public, perhaps they (and defenders) both learn faster about bypass patterns.

Key security / safety risks

Here are the main risks to be aware of:

1. Adversary knowledge and bypassing tools

   • By open-sourcing the classifier, malicious actors (those who want PII from others) may review the model, see how it works (features, architecture, what it deems PII / non-PII), and design new evasions tailored to its weaknesses.
   • For example, the blog mentions that users try to bypass filters by obfuscation (“alpha, bravo, Charlie” representing A B C, etc) or implicit references. (Roblox)
   • If adversaries adapt faster than the model upgrades, the open-sourcing gives them a head-start.

2. Model inversion / data-leakage concerns

   • While Roblox says they release the classifier (presumably weights/code) and not the private training data, there still is risk of discovering unexpected biases or patterns. Open weights may allow researchers (or adversaries) to probe for vulnerabilities, induce the model to reveal unintended information.
   • If the model was trained on internal Roblox chat data, even if anonymized, there's a small risk that certain internal “fingerprints” might leak or be reverse-engineered, particularly for adversarial use. (Although there’s no direct evidence of this, it’s a general risk with open models.)

3. False sense of safety / misuse

   • Other platforms or developers might adopt the classifier without full understanding of its limitations (data domain, languages supported, adversarial resilience). If the model was tuned on Roblox’s chat domain (English, etc), it might underperform on other platforms or languages — giving a false sense of protection.
   • The blog itself says “no tool is perfect” and they emphasize need for continuous adaptation. (Roblox)
   • If the model sees deployment in a new environment without proper evaluation, may miss many PII leaks.

4. Operational/maintenance overhead

   • Once open‐sourced, there is expectation of updates, community support, and dealing with new adversarial patterns. If Roblox open-sources but doesn’t commit to consistent updates or community patching, the model may degrade in effectiveness over time.
   • Also the publicly known model may become a target for adversarial ‘red-teaming’ from malicious actors actively trying to find bypasses.

5. Contextual / language domain gaps

   • The classifier is reported as being tuned on English, probably on Roblox chat context. They mention training on production data and synthetic data to cover various patterns. (Roblox)
   • If someone uses it in a different language (German, Farsi, Spanish) or chat domain (forum vs gaming vs business), the performance might drop. Adversaries could exploit that gap.

6. Privacy of the classifier authorship / copyrighted components

   • Less of a “security” risk and more of a compliance/licensing issue: open-sourcing means others can use, derivative work, but also must respect licences. Roblox needs to ensure no sensitive proprietary components are inadvertently exposed.

Mitigations / best practices

If I were advising Roblox (or any organization open-sourcing such a model) on how to manage the risks, I’d suggest:

• Robust documentation: Clearly state the model’s scope (languages, domain, use‐cases), known limitations, and that adaptation is required for new domains or languages.
• Adversarial & red-teaming updates: Keep evolving the model with new bypass patterns, and publish periodic updates or “challenge sets” so the community can test.
• Monitoring & feedback loops: Since adversaries may evolve, ensure there are real‐world monitoring pathways to detect evasion, false negatives/positives, and feed that data back into model training.
• Usage disclaimers for adopters: If others adopt the model, Roblox (or the open-source license) should encourage adopters to validate on their own data, languages, domains — not assume out-of-box full protection.
• Versioning and lifecycle control: Track which version of the model is open, which parts remain internal, and maintain an update roadmap.
• Access to model weights vs API: Consider whether releasing full model weights is necessary, or if providing API/SDK with controlled access might reduce adversary risk while providing transparency.
• Collaborate with broader safety community: Open-sourcing is great, make sure it’s coupled with community governance, third-party audits, and contributions to address new threats.
• Avoid leaking training data or internal logs: Ensure that the open‐sourced package does not include private user data, logs, or other sensitive artefacts. Confirm that the model cannot be exploited (via model inversion or membership attacks) to reveal training data.

My conclusion

Yes, opening up the classifier can be a net positive for ecosystem safety, transparency and public trust. But it also introduces non-trivial security risks, especially around adversary adaptation and domain mismatch. The key question is how Roblox manages the ongoing risk lifecycle (monitoring, patching, domain transfer, adversary catch-up) rather than just the act of open‐sourcing.

Executing the Same SQL Statement on ALL SQL Databases

From time to time you may need to execute the same SQL Statements on ALL SQL Databases on your Server. Better yet, you may even need to have the Database Names to match a specific pattern.

There are two ways to accomplish this:

1 - Using sp_MSforeachdb - This is a hidden Microsoft SQL feature that loops through all databases for you and allows you do execute a query on each database.

2 - Using a Cursor in a While Loop - This is essentially the old fashion way, by looping through all the databases using a loop and executing the command.


In the above code:

DB_Pattern - Partial String you want to find in the database name.
TABLENAME - Name of the Table you want to get a count from.
DB_Name - Variable that stores the Database Name

Comments or questions? Post them below.

Enable or Disable Local User Account on Windows 10 Home Edition

I am often amazed by some of the changes that Microsoft makes to various versions of their Operating System, and Windows 10 is sadly no exception. Suppose that you have installed Windows 10 Home Edition on your Computer and that you wish to temporarily "Disable" (NOT Remove) a User Account on your PC.

As of right now there is no way to do this through any User Interface on Windows 10 Home Edition. To disable an User Account, do the following:

1. Right-Click on the Start Menu, then choose "Run". 
2. Type "cmd" and press enter to run command prompt. 
3. Right click on the Command Prompt Icon in the Taskbar, and choose "Run as Administrator". 
4. Enter the following command and hit ENTER to disable the account in question:

          net user USERNAME /active:no

Here "USERNAME" is the actual you with to disable. For example if you have a User Account called "Joe" you would run this command:

          net user Joe /active:no

To enable the account again, run the following:

          net user USERNAME /active:yes

I have no idea what removing this feature accomplishes for Microsoft, other then annoying the crap out of Administrators, but here is a way around it in case anyone needs it. 

A script to drop all tables and their content, views and stored procedures in MS SQL

Occasionally as a developer you may encounter a case where you want to completely remove all tables, views and stored procedures in a database without removing the system tables, system views and system stored procedures or without having to delete the database as a whole and recreating it.

One way is to right-click on each table one by one and try to delete them, only to find out that a foreign key constraint prevents you from doing so, at which time you have to try and figure out how each table relates to the other, and remove them in the correct sequence. If you have a few hundred or even thousand database objects this could take a long time!

Fear not, because we finally have a solution for this! The script below will take care of this for you in one shot and give you a clean database to work with.

Formatting Large Hard Drive (greater than 32 GB) with Fat 32 to work with both Mac and Windows

If you are a user who uses both a Mac and a PC (OSX and Windows) you may come across a scenario where you need to use an external Hard Drive for both Operating Systems to backup and transfer files between the two. Most external Hard Drives are formatted in the Windows NTFS file system format, and unfortunately Mac OSX only allows you to read files from NTFS, but you cannot write files to NTFS.

Some solutions for this problem include the purchasing of a software that converts files and folders to NTFS as you attempt to copy them to the external Hard Drive, the most notable one out there is Paragon NTFS for Mac OS X which at the time of this writing supports OS X 10.9 Mavericks already! Of course the software does cost $19.95, and may therefore not be an option for some users. 

A much simpler solution is to format the Hard Drive using the Fat32 file system format which all Mac OS X versions already support. The problem that most users run into when they attempt to format an external Hard Drive larger than 32 GB is that the built in Windows Disk Manager does not support it. 

An easy solution to this problem is to use a Disk Utility Software such as Seagate Disk Wizard. This utility is FREE if you have at least 1 Seagate Hard Drive on your sytem, but you have to purchase the professional version if you do not. If that is not the case for you, you can use a similar tool called "AOMEI Partition Assitant" to do the same.

For Seagate Disk Wizard, you can follow the steps below to do this:

1. Install and Launch the Seagate Disk Wizard by downloading it from HERE for free and running the executable. 
2. Select "Add New Disc" to do a simple partitioning and formatting.
   
   
   
3. Select the correct disk and follow the wizard prompts. 
   
4. Select MBR or GPT. MBR is recommended for partitions smaller than 2 TB.
   
5. Select the Unallocated disk and then Create new partition.
   
6. Change the File system: to FAT32. If you prefer, you may manually select the partition letter and add a label. Select Accept.
   
7. DiscWizard will display its progress.
   
8. Select OK when complete.
   

That's all you need to do! Now you can plug your external USB Drive into both a Mac and PC and read and write from both operating system.

NOTE: Another small point to keep in mind is that if your Disk Space is larger then 3TB in size, in order to have the whole disk as 1 partition it will have to be GPT, not MBR. Otherwise you will have to create multiple partitions.

To convert from MBR to GPT, do the following:

1. Open a command prompt on your windows Operating System.
2. Type "diskpart" and press enter.
3. Type "list disk" to see a list of disks on your system.
4. Enter "select disk #" where "#" is the Disk Number from the list provided.
5. Type "convert gpt" to convert the disk to GPT. 

I hope this helps others looking for an easy solution. Feel free to leave any comments or questions you may have. 

Thanks,

Pete Soheil

DigiOz Multimedia, Inc.

www.digioz.com

Joomla 2.5 and 3.0 Recaptcha Plugin Suddenly Not working!

We have been using the Recaptcha Plugin on all our Joomla Sites to filter out spam registrations on the sites, and up until last week everything was working without any issues. Last week however all of the sudden ALL Recaptcha Plugins on ALL our Joomla Sites stopped working at the same time.

After some head scratching, we came across the following announcement by the Google Recaptcha Team, which basically said the Recaptcha URL's have all changed. 

To their credit they did announce the change, but they announced it in a Google Group that no one ever checks or reads! This should have been front page news on the Recaptcha Home Page.

To put this in terms everyone understands, here is basically what you have to do to get your Joomla Recaptcha working again:

1. Go to "/plugins/captcha/recaptcha" folder of your Joomla installation, and open the file "recaptcha.php". 
2. In the file, find this code block:

const RECAPTCHA_API_SERVER = "http://api.recaptcha.net";
const RECAPTCHA_API_SECURE_SERVER = "https://www.google.com/recaptcha/api"; 
const RECAPTCHA_VERIFY_SERVER = "api-verify.recaptcha.net";

Replace it with this:

const RECAPTCHA_API_SERVER = "http://www.google.com/recaptcha/api";
const RECAPTCHA_API_SECURE_SERVER = "https://www.google.com/recaptcha/api"; 
const RECAPTCHA_VERIFY_SERVER = "www.google.com";

3. Next, find line 118, which looks like this:
   
   

   $response = $this->_recaptcha_http_post(self::
   RECAPTCHA_VERIFY_SERVER, "/verify",
   

   
   And replace it with this:
   
   

   $response = $this->_recaptcha_http_post(self::
   RECAPTCHA_VERIFY_SERVER, "/recaptcha/api/verify",
   

That's all you have to do to get things back up and working! Credit for this fix goes to "SniperSister" on Github who posted this solution in THIS GIT Commit as well as THIS Bug Ticket he opened on JoomlaCode.

Enjoy!
Pete Soheil
DigiOz Multimedia, Inc.
www.digioz.com

iPhone is disabled try again in 22,955,128 minutes!

From time to time you may enter your iPhone, iPad or iPod lock screen password wrong. The first few times you enter it wrong, you will get an error message like this:

If you keep trying and enter it wrong every time, you will get this screen:

If you still keep trying, and really piss the phone off, you may get this screen after a few attempts:

In case you are wondering, that's 44 years! While I understand the message, I wonder what Apple was thinking when they created this system. Surely they didn't expect people to wait that long to use their phone again! 

The good news is, you won't have to wait for 44 years to use your phone again. The bad news however is that you may or may not lose all your files and apps depending if you regularly back up your phone to either iCloud or your PC. 

How to fix this mess:

Case 1: If you have previously synced your device with iTunes:

• You may be able to reset the passcode by restoring the device. To do so, do the following:
• Connect the device to the computer with which you normally sync and open iTunes. Note, that if iTunes prompts you to enter the passcode, try another computer that you have synced with. 
• Right-click the device in the left column and select Back up.
• When the backup is complete, select Restore.
• When finished, restore from your most recent backup.

Case 2: If you have never synced your device with iTunes, and don't have it backed up to iCloud:

• Connecting the device may result in this error message: "iTunes could not connect to the [device] because it is locked with a passcode. You must enter your passcode on the [device] before it can be used with iTunes." You have pretty much lost all your content and apps at this point, but can still use the phone by wiping everything out and bringing it to the factory setting. To do so, do the following:
• Disconnect the USB cable from the device, but leave the other end of the cable connected to your computer's USB port.
• Turn off the device: Press and hold the Sleep/Wake button for a few seconds until the red slider appears, then slide the slider. Wait for the device to turn off.
• While pressing and holding the Home button, reconnect the USB cable to the device. The device should turn on.
• Continue holding the Home button until you see the "Connect to iTunes" screen. When this screen appears, release the Home button.
• iTunes should alert you that it has detected a device in recovery mode. Click OK, and then click Restore to restore the device.

Case 3: If you have never synced your device with iTunes, but DO have it backed up to iCloud:

• Follow the steps outlined in Case 2 above to wipe out your phone and re-install the factory software and setting. 
• Once this is done, in the welcome screen chose "Restore from iCloud" and follow the on screen instructions to restore all your content and apps to their previous state, which means you get all your stuff back to the point you backed up to the cloud. So depending on when you last backed up to the iCloud you may only lose a few days worth of stuff. 

I hope this information comes in handy for someone. Feel free to leave any comments or questions you may have below.

Thanks,
Pete Soheil
DigiOz Multimedia, Inc.
www.digioz.com