Are you a software engineer or a mercenary?
The opinions stated here are my own, not those of my company.
Just under a month ago, Russian forces invaded Ukraine and began a campaign of violence and terror. Of course, the Russian regime has long shown hostility to truth and human rights.
Once a war begins, this steady stream can easily become a flood of information. It’s then even more important to collect and archive these files.
Then a routine task causes a month’s worth of data to be instantly destroyed: updating your software packages. Worse, this was not a glitch but behaviour deliberately written into the software.
This is the case with node-ipc, a popular package with over a million downloads a week, which recently shipped a ‘feature’ that wipes files on the host machine if its IP address geolocates to Belarus or Russia.
What is being dubbed ‘protestware’ is malware with a pretty bow on it. It is not only harmful to open source; it is dangerous geopolitically.
Do no harm
In the original cited example, an American NGO had a server located in Belarus that lost about a month’s worth of data because of a few do-gooders half a world away. The malware was introduced without any discussion with the community, and its authors failed to consider the side effects.
If I ever find a tool that uses node-ipc, such as Vue, I will never use it again. I fundamentally can never trust these developers again. If I see their contributions on a resume I would not hire them. Those people have burned my trust not just in their library; they are ruining the reputation of open source in general.
When building a product, everything is a series of trade-offs. What tasks do I prioritize for an MVP? Is it better to spend time building modules in-house or grabbing one from the community?
For the latter, I’m failing to see the benefit of open source here. If the upside is saving some time, the downside is that I lose much more than just a bit of time.
It is wholly unjustifiable to purposely inject malicious code into anything you distribute, and I would never be able to trust you as an engineer. Where is your line? Russia’s invasion is horrific, but will you take a different stance if China invades Taiwan?
Who are these people using your software? The Russian government? Russian corporations? Students? The sanctions currently underway are going to take the Russian economy to the brink of default, or beyond. This will affect everyone regardless of how they feel. Despite what some members of Congress suggest, we should not blindly take out our anger on individual Russian citizens or expats. Short-term thinking like this makes it impossible for them to build the web tools they need to protest.
Some comments have suggested that licensing protects the developers. After all, the MIT license states:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
If your code is intentionally malicious, I am skeptical that this would protect you from the CFAA, though I am not a lawyer. Either way, I would be nervous about this actually going before a judge who may end up undermining a lot of good open source code because of a bad actor. If the MIT license loses some of its legal protections, that would ripple throughout the entire community.
Open source was created to facilitate collaboration between peoples across borders. This move to weaponize tools we all use destroys this ideal. Now every company, every developer needs to worry about their dependencies. Do I work for a company you don’t like for your own personal reasons? Do you not like the country I live in? Are you some disgruntled employee who will go postal in the cyber domain?
Perhaps the answer is to pin your dependencies and review every single patch from every single dependency and sub-dependency all the way down. The Vue CLI yarn.lock file has over 20,000 lines, so good luck.
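For readers who want to see what "pin your dependencies" actually means in practice, here is an added example (not code from the original post, nor from node-ipc, Vue or any project named here). It audits a package.json for specifiers that a routine update could resolve to a different, unreviewed version, and a lockfileVersion 2/3 package-lock.json for entries with no integrity hash or resolved from somewhere other than the expected registry. Every package name, version and hash in the sample inputs is constructed for the demonstration.

```javascript
// Added example: audit npm manifests and lockfiles for unpinned dependencies.
// Package names, versions and hashes below are constructed, not real data.

// Exact semver: MAJOR.MINOR.PATCH with an optional prerelease/build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// True only if npm/yarn can resolve the specifier to a single version.
// Ranges (^, ~, >=, x, *), dist-tags ("latest"), URLs and git refs all fail.
function isPinned(spec) {
  if (typeof spec !== 'string') return false;
  let s = spec.trim();
  // "npm:other-name@1.2.3" aliases are pinned only if the aliased version is exact.
  if (s.startsWith('npm:')) {
    const at = s.lastIndexOf('@');
    if (at <= 4) return false;
    s = s.slice(at + 1);
  }
  // npm treats a single leading "=" or "v" as an exact version.
  return EXACT_VERSION.test(s.replace(/^[=v]/, ''));
}

// Returns every dependency whose specifier is a range, tag, URL or git ref.
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isPinned(spec)) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// For lockfileVersion 2/3: flag entries with no integrity hash (npm has nothing
// to verify the tarball against) or resolved from an unexpected host.
function auditLockfile(lockText, allowedRegistry = 'https://registry.npmjs.org/') {
  const lock = JSON.parse(lockText);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue;      // the root project itself
    if (entry.link) continue;       // workspace symlink, no tarball to verify
    if (!entry.integrity) findings.push({ path, problem: 'missing integrity' });
    if (entry.resolved && !entry.resolved.startsWith(allowedRegistry)) {
      findings.push({ path, problem: `resolved from ${entry.resolved}` });
    }
  }
  return findings;
}

// Constructed sample manifest (hypothetical package names and versions).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: {
    'pinned-lib': '1.4.2',     // exact: fine
    'caret-lib': '^2.0.0',     // any 2.x, including one published tomorrow
    'tilde-lib': '~3.1.0',     // any 3.1.x
    'tagged-lib': 'latest',    // whatever the maintainer publishes next
  },
  devDependencies: {
    'git-lib': 'github:someone/git-lib#main',   // a moving branch, not a version
    'aliased': 'npm:pinned-lib@1.4.2',          // alias to an exact version: fine
  },
});

// Constructed sample lockfile (placeholder hashes, hypothetical packages).
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app' },
    'node_modules/pinned-lib': {
      version: '1.4.2',
      resolved: 'https://registry.npmjs.org/pinned-lib/-/pinned-lib-1.4.2.tgz',
      integrity: 'sha512-AAAA',   // placeholder
    },
    'node_modules/caret-lib': {
      version: '2.3.0',
      resolved: 'https://registry.npmjs.org/caret-lib/-/caret-lib-2.3.0.tgz',
      // no integrity field: the install cannot verify this tarball
    },
    'node_modules/git-lib': {
      version: '0.1.0',
      resolved: 'git+ssh://git@github.com/someone/git-lib.git#abc123',
      integrity: 'sha512-BBBB',   // placeholder
    },
  },
});

function report() {
  return {
    unpinned: findUnpinned(SAMPLE_PACKAGE_JSON),
    lock: auditLockfile(SAMPLE_PACKAGE_LOCK),
  };
}

console.log(JSON.stringify(report(), null, 2));
```

Setting `save-exact=true` in `.npmrc` makes npm write exact versions on install, `npm ci` installs strictly from the lockfile, and `ignore-scripts=true` stops a dependency from running code at install time at all. None of this helps when the exact version you pinned is the malicious one, which is why the review burden in the post is the real cost.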
What will be next? As an American, can I trust any Russian developers now? How do I know they won’t try to attack me? The honest answer is that I can’t. Any library owned by a Russian might be malware. And since open source software is insecure, I’m not going to spend the time trying to audit their code when I’ll just write things myself. Perhaps the real answer is to say that open source doesn’t work, that I cannot trust my fellow developer, and rewrite every module myself as I can only trust myself.
Can I trust any Chinese developers? Will we be able to keep the open-source ecosystem safe, or will we be forced to raise walls to keep ourselves secure?
By introducing geopolitical weapons, you’ve made yourself into a mercenary.
About 71% of Americans have left the country at least once, but that seems too low. Leaving the security and safety of your nation-state is something people don’t always appreciate. Embassies exist around the world to provide some sort of legal protections and services when abroad.
When you are in another country, you are implicitly a representative of your country. When you do things, it reflects on your country in a positive or negative way.
Open source developers may do a bit of travelling, giving talks in London and Paris, and never considering the potential hazards that face fellow citizens. If you were to get arrested in a foreign country, your nation-state is going to have to put in effort to get you out.
By launching a cyberattack on Russian and Belarusian computers, you are a belligerent in this conflict. However, unlike a legitimate soldier, you have neither a uniform nor a general to report to. You are acting independently in a way that is quite dangerous.
War is not like Emily in Paris. It’s brutal and hellish, and your nationality matters quite a bit. Node.js developers may think their package is simple and fun because they never build anything complex enough to run into US export controls, which are quite serious. That is just one way in which what you build as an individual can have severe geopolitical consequences.
Is a cyberattack from an individual American equivalent to an attack from the federal government? No, but it’s not hard for this to turn into an escalating conflict. Why wouldn’t Russian developers, individual or state-employed, begin to launch attacks on the US government or private citizens?
Getting a slap on the wrist from a judge is bad, but getting involved with state-actors is significantly worse.
This is where protestware moves away from its suggested goal of peace towards increasing violence. Soldiers follow strict hierarchies and do only what is asked as small pieces of an overarching plan. Individual anarchists do not know this plan nor do they coordinate to make sure what they do fits into this plan.
Cyberwarfare is one of the many fronts of this war, and the Ukrainian government is pulling people into its IT Army. This is an army, not a group of anarchists. They need to work together to complete specific military objectives, not sow chaos and cause unknown harms.
The US government is warning that Russia may be preparing to launch cyberattacks against US businesses. A coordinated defense is going to be essential, a partnership between public and private interests.
There is no room for individual actors pretending they know what is best.
Engineering ethics is about considering the implications of your work. You shouldn’t do harm to others, particularly not innocent civilians. Can the developers of node-ipc prove their malware hit only the targets they intended? Did they work with the US or Ukrainian government to maximize military harm and minimize civilian harm?
It seems doubtful and leads me to distrust them broadly. They did not consider implications of their change. They did not communicate this change. They executed a cyberweapon regardless. They have behaved unethically.
How to do real good
Is the original story true? It’s unclear. But regardless, every developer should be thinking about how their software may harm others in any circumstance. A good engineer will try to minimize harm, not create it. To be more precise, a good engineer will not engage in rogue acts of violence but will work with the proper organizations to achieve military objectives with greater effect and precision.
If you want to help, that’s great! We should do everything we can to help the Ukrainian people fight and win this war.
If you want to fight, join the IT Army or enlist in a Ukrainian international brigade. That way, the work you do will be in direct coordination and the rules of war will be made clear to you.
Otherwise, there are plenty of ways to give money effectively. The UN’s Refugee Agency, UNICEF, and the World Food Programme can all use the resources to aid those being directly affected by the disaster.
Ukrainian refugees crossing over to Poland need a lot of help, but I’d understand if that didn’t feel direct enough. Consider writing to your representative and encourage them to support refugees here or provide additional aid.
Do not take it upon yourself to act as a non-state actor in a broad military conflict, as you lack the authority and competency to accept the potential consequences of doing so.