IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Open source sabotage sparks fears of backlash

A developer’s protest against the Russian invasion of Ukraine may have much wider ramifications

People protesting the Russian invasion of Ukraine

When Russia launched its offensive on Ukraine, the reaction around the world was swift: Governments imposed sanctions, businesses cut ties, and citizens took to the streets to protest the war. Then, there was the unique response from developer Brandon Nozaki Miller.

Miller, who’s also known by his handle ‘RIAEvangelist’, is one of the key figures behind an open source package called Node-IPC, which is a piece of digital plumbing that’s widely used to handle network communications at a basic level. It’s incorporated into software ranging from JavaScript developer tool Vue.js to the Unity video game engine that powers thousands of games.

As a result, it was rather dramatic when Miller launched what was essentially a sabotaged update to the code – a move that he terms not malware, but 'protestware'.

Dubbed 'peacenotwar', there were two rogue updates to the Node-IPC package. The first checked whether the host computer was based in Russia or Belarus (which is supporting Putin’s invasion). If it was a match, the package would overwrite files with heart emojis.

Given the impact this could have on computers, it was quickly flagged as a vulnerability. A second, more benign version was released that would leave files intact, but which placed a “message of peace” in a text file on users’ desktops.

“This code serves as a non-destructive example of why controlling your node modules is important,” Miller wrote in the NPM repository where it was distributed. “It also serves as a non-violent protest against Russia's aggression that threatens the world right now.”

The full consequences of the ‘protest’ aren’t clear, though Russia’s largest bank, Sberbank, has since instructed its staff to not install further software updates to guard against such an attack. And since the vulnerability was published, a message purporting to be from an American NGO operating in Belarus has claimed that the vulnerability has wiped out files that contain information on human-rights abuses committed by the Belarussian regime.

Miller, when approached, asked not to be quoted directly and advised that would only speak on background. He did, however, post an explanation for his protest on GitHub. “War is not the answer, no matter how bad it is,” he wrote. 

“Please stand up against this injustice and stand up against evil. Everything that evil people need to hurt people, you have to say; ‘What can I do? When one person is standing next to another and they are standing next to another, you soon have movement. Here's how little people can come together for more than one person. Do what you think is right, follow your own morals.”

Whether or not the protest was successful is perhaps in the eye of the beholder, and reaction appears to have been mixed, to say the least. “Thanks for all the free pizza, and thanks to all the police that showed up to SWAT me,” wrote Miller on his GitHub page, referring to the practice where people are targeted by fake calls to police claiming the victim is armed and dangerous, leading to armed response units being deployed. “They were really nice fellas.” 

Related Resource

Identity: The digital trust accelerator

Building trust in governments and public sector organisations

Whitepaper cover with title above a multi-hexagonal graphicFree Download

The broader implications of the attack could also reach far beyond Miller’s front door. “It's actually the rest of the [open source] community that is getting concerned about this,” says Ross Brewer from cyber security firm Attack IQ. “If you've got contributors that are prepared to manipulate code, just on a whim because they want to say something political or whatever, then you start to [wonder] how many people have access and how many contributors are there? And what control do they have control over? And then what safety is in the system?”

He argues that a protest such as this could undermine the trust model that is implicit in open source, and that there’s a potential for significant backlash against those who launch such protests, harming their reputation in the community more broadly. He also fears such attacks could cause a backlash from the targeted regime.

“Once we get into these geopolitical situations, and you've got these have-a-go heroes that are hacking countries, there's going to be a response from that and it's the backlash that we've all got to deal with,” says Brewer. “We just become collateral damage in all of that.”

Featured Resources

Big data for finance

How to leverage big data analytics and AI in the finance sector

Free Download

Ten critical factors for cloud analytics success

Cloud-native, intelligent, and automated data management strategies to accelerate time to value and ROI

Free Download

Remove barriers and reconnect with your customers

The $260 billion dollar friction problem businesses don't know they have

Free Download

The future of work is already here. Now’s the time to secure it.

Robust security to protect and enable your business

Free Download

Recommended

Organisations are scaling back their open source software due to security fears – Anaconda
open source

Organisations are scaling back their open source software due to security fears – Anaconda

15 Sep 2022
What is cyber warfare?
Security

What is cyber warfare?

20 May 2022

Most Popular

How to secure your hybrid workforce
Advertisement Feature

How to secure your hybrid workforce

23 Sep 2022
What your hybrid workforce needs from their laptops
Advertisement Feature

What your hybrid workforce needs from their laptops

21 Sep 2022
Cloud and cyber security certifications remain highest paying for IT professionals
Careers & training

Cloud and cyber security certifications remain highest paying for IT professionals

29 Sep 2022