[NEWS] Protesting within open source software
With the war in Ukraine, a new form of activism has appeared on the Internet.
Opponents of the Russian invasion of Ukraine are inserting messages and code snippets into widely-used open-source software. In the majority of cases so far, this code, dubbed ‘protestware’, has amounted to messages in solidarity with the Ukrainian people, but there have been instances of malicious code intended to impact users in Russia and Belarus.
To date, at least two dozen open source projects have added code in protest of Russian actions.
As an example of the new strategy to protest the war, the Krebs On Security blog shared a bit of code from the library ES5-ext on GitHub, as translated with Google:
Most of the protestware so far has been similarly benign, but there have been exceptions. In one significant case, Ars Technica reported that a popular open-source project called node-ipc, with millions of downloads every week, was modified to take action against people based on location. While the code displayed a “message of peace” to all users, if the software detected the user had an IP address locating them in Russia or Belarus, it wiped files on the user’s computer.
The MIT Technology Review describes how this impacted an American NGO with a server in Belarus that was collecting evidence on war crimes. The organization, which was unnamed, posted on GitHub that 30,000 messages are likely gone forever.
Fortunately, that malicious code was quickly removed in less than a day.
The problem with this new protestware is that it undermines the very nature of open-source software, which is a critical part of what makes the Internet work. Open source projects like WordPress help people build individual websites, while code libraries and other open-source projects help to keep online infrastructure running.
Such code is often built by thousands of volunteers worldwide, who regularly develop new code and fix bugs, uploading their changes to GitHub or other platforms. Project administrators in theory then review the code and push it out to all users of that software. However, the sheer size of code uploaded to some of the libraries means manual review and testing isn’t always feasible, especially when bugs or security vulnerabilities require rapid action.
In order for this system to work, a great deal of trust must be established among the coders working on the project (generally, contributors subscribe to a ‘do no harm’ ethos) and then between the contributors and the end-users. People who use the software or code libraries need to trust that the latest versions will continue to work as expected and any major changes that might break things will be communicated in advance.
With this new protestware, however, this trust may be eroding. As Ars Technica pointed out, the nature of open source projects “means an update from a single individual has the potential to throw a wrench in an untold number of downstream applications.” And if more people turn to adding malicious code, it could undermine the Internet as we know it.
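One practical defence against the risk described above is to make sure a single upstream release cannot reach your build unnoticed: pin dependencies to exact versions and require lockfile integrity hashes. The audit below is an added example, not code from the article or from any project it names; it reads an npm package.json and a lockfile (npm lockfile v2/v3 layout) and flags floating ranges, entries missing from the lockfile, and entries without an integrity hash. The package names and version numbers in the sample are constructed placeholders.

```javascript
// Added example: audit an npm manifest and lockfile so that a new upstream
// release cannot be pulled in silently. Sample inputs below are constructed.

// True when a version range would let `npm install` pick a newer release.
function isFloatingRange(range) {
  const r = String(range).trim().replace(/^=/, '');
  if (r === '' || r === '*' || r === 'latest') return true;
  if (/^[~^<>]/.test(r)) return true;        // ^1.2.3, ~1.2.3, >=1.0.0
  if (/\bx\b|\*/i.test(r)) return true;      // 1.x, 1.2.*
  if (/\s-\s|\|\|/.test(r)) return true;     // 1.0.0 - 2.0.0, a || b
  return !/^\d+\.\d+\.\d+/.test(r);          // anything not an exact semver (git URLs etc.)
}

// Returns a list of findings; an empty list means every dependency is pinned
// and locked with an integrity hash.
function auditDependencies(manifest, lockfile) {
  const findings = [];
  const deps = Object.assign({}, manifest.dependencies, manifest.devDependencies);
  const packages = (lockfile && lockfile.packages) || {};
  for (const [name, range] of Object.entries(deps)) {
    if (isFloatingRange(range)) {
      findings.push({ name, issue: 'floating-range', detail: range });
    }
    const locked = packages['node_modules/' + name];
    if (!locked) {
      findings.push({ name, issue: 'missing-from-lockfile', detail: range });
    } else if (!locked.integrity) {
      findings.push({ name, issue: 'no-integrity-hash', detail: locked.version });
    }
  }
  return findings;
}

// Constructed sample: one caret range, one pinned version whose lock entry
// lacks an integrity hash, and one wildcard that is not in the lockfile at all.
const sampleManifest = {
  dependencies: { 'node-ipc': '^9.0.0', 'left-pad': '1.3.0' }, // placeholder versions
  devDependencies: { 'some-dev-tool': '*' },
};
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    'node_modules/node-ipc': { version: '9.0.0', resolved: 'https://registry.example/node-ipc-9.0.0.tgz', integrity: 'sha512-PLACEHOLDER' },
    'node_modules/left-pad': { version: '1.3.0', resolved: 'https://registry.example/left-pad-1.3.0.tgz' },
  },
};

for (const f of auditDependencies(sampleManifest, sampleLockfile)) {
  console.log(`${f.issue}: ${f.name} (${f.detail})`);
}
```

Run it as a pre-install check in CI and fail the build on any finding; a pinned version with an integrity hash still has to be reviewed when you bump it, but it is a deliberate change rather than an automatic one.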
GitHub user NM17 pointed out that with the advent of protestware, “the Pandora’s box is now opened.” They suggested that “the trust factor of open source, which was based on goodwill of the developers is now practically gone.”
Meanwhile, the Electronic Frontier Foundation has issued a warning:
“…remaking fundamental internet infrastructure protocols—like disconnecting Russia from the internet by revoking its top level domain names or revoking IP addresses—to protest a war will likely lead to a host of dangerous and long-lasting consequences. It will deprive people of a powerful tool for sharing information when they need it the most, compromise security and privacy, and undermine trust in the global communications infrastructures we all rely on.”
Unfortunately, it appears that the good intentions behind protestware may have far-reaching consequences for everyone who uses the Internet, whether we interact with code directly or not.
In other news
- Atlantis in Yorkshire? That’s Odd. Like Atlantis and Lionesse, there are myths and legends aplenty of ancient lands lost to the seas. But now Yorkshire, England, could have its very own tale to tell. Founded in 1235, the town of Ravenser Odd may not have been a civilization resplendent with treasures, but it was a working port later destroyed in the ‘Grote Mandrenke’ storm of 1362. Daniel Parsons, a geoscientist at Hull University leading a survey of the sediments in the Humber estuary, hopes it will uncover remains of the town. He also hopes that studies like his can explain more about coastal erosion and how environments are changing faster than we realize.
- A breakthrough in robo-speed. With a top running speed of 18 mph, the robotic Cheetah may be a long way off the actual cheetah, which at its fastest travels between 70 and 80 mph, but this is still a new record for a robotic quadruped. The Cheetah was developed by researchers at MIT who have applied AI-powered simulations that enable the Cheetah to improve its own technique. Every time it meets with new terrain, the bot can learn and alter its movements automatically. The Cheetah may be one speedy bot, but it still doesn’t reach the human record of 27.5 mph, set by Usain Bolt. Even so, it can outrun most of us!
- New bill to limit big tech. The Prohibiting Anticompetitive Mergers Act (PAMA) is out to do just what it sounds like: prohibit mergers that could negatively impact competition. It would disallow mergers worth more than $5 billion, as well as those that result in shares over 33% for sellers or 25% for employers. In the U.S. Congress, Sen. Elizabeth Warren and Rep. Mondaire Jones are sponsoring the bill, which is intended to increase competition and improve conditions for small businesses, employees, and minority communities. However, for the bill to pass it will need complete support from sitting Democrats, as there are currently no Republican co-sponsors.
- Netflix to test charging fees to password-sharing customers. Is this the end of an era? Although Netflix has long been lax about users sharing passwords with friends and family, the media streaming giant may soon put its foot down. Business Insider reports that it will launch a test to crack down on password sharing outside a user’s household. Netflix claims that confusion over how and when the service can be shared has impacted its ability to invest in new TV shows and films for its members. The test will begin in Chile, Costa Rica, and Peru over the coming weeks.
- Apple services experience outages due to DNS issues. On Monday, March 21, Apple experienced an outage of rare magnitude for the tech giant, which impacted apps and internal services alike. According to Gizmodo, it affected apps and services such as Apple Music, the App Store, Siri, and even iMessage. Bloomberg reports that it also prevented retail workers and staff from working from home. The outage was resolved by the late afternoon without any detailed public announcement from Apple, but internal communications indicate that it was due to DNS problems. In case this sounds familiar, Facebook experienced a similar outage last year.
- Hackers target authentication firm Okta. Okta, an authentication service used by major corporations such as FedEx and Moody’s Corp to access their networks, had a recent security breach. Okta Chief Security Officer David Bradbury revealed that hackers accessed the computer of a customer support engineer working for a third-party contractor over five days in mid-January, Reuters reports. The company maintains that the impact on customers is limited and it is identifying and contacting those affected. According to Wired, the Lapsus$ digital extortion gang claimed responsibility for the hack via a screenshot posted on its Telegram channel. The screenshot purports to show Lapsus$ logged in to the Okta administrative or “super user” account. In the same set of posts, the gang shared what they claim is source code from Microsoft’s Bing search engine, Bing Maps, and Cortana virtual assistant software.
Then in a late-breaking twist no one saw coming, Bloomberg reports that the mastermind behind the Lapsus$ hack may be a 16-year-old living with his mother in Oxford, England. According to the report, the Lapsus$ group employed poor operational security, giving out details that allowed cybersecurity officials to track them down. So far no charges have been filed, but it’s certainly a story to watch.
Tip of the week
After Russia’s military invasion of Ukraine, many people wonder what they can do to help, even when strapped for cash. Fortunately, many companies are chiming in with financial support, meaning users who do business with these brands indirectly support Ukrainians in their fight.
Epic Games announced this week that it would donate all proceeds accumulated from online gamers through Fortnite from March 20 through April 3 to organizations such as the United Nations Children’s Fund, the United Nations World Food Programme, and UNHCR. Other brands, such as LensDirect, are taking a percentage of all revenue from online shoppers and sending it to support Ukraine.
Grammarly, with offices in Kyiv, New York City, and Vancouver, has committed $5 million, equivalent to the net revenue from their product sales in Russia and Belarus since 2014, to organizations and funds supporting resistance efforts. So writers who use Grammarly (like us) can help just by continuing their subscriptions.