So as I understand under the hashtag #StandWithUkraine some idiots have started supply-chain attacks, targeting Russian and Belarussian targets. I’ll leave the exercise to find the respective repos on GitHub to the inclined reader.
Has everyone gone bonkers now?
Aside from affecting the wrong people (full quote of the text at the bottom of this post) it also raises other questions. I wonder who is using 7-Zip for example?! Last time I checked it was fairly popular, given its excellent support for a multitude of archive formats. Not that I consider someone who came up with this clever software idiotic enough to pull the same disastrous “pranks” as those mentioned above, but imagine if the author of 7-Zip decided to delete data based on the geo-located IP of the user or the user’s locale? … or how about instead more subtly corrupting the data … or corrupting and not reporting it when unpacking files? Imagine Russian FLOSS developers were as reckless and unprofessional as their virtuous counterparts elsewhere …
There is plenty of software out there written or maintained by Russian developers. And while I agree with the sentiment, that if you don’t pay for it you shouldn’t place demands, it’s a wholly different story for FLOSS developers to callously and wantonly wreak havoc like that.
This may very well become a selling point for proprietary software. While not necessarily more secure, the fact that there is a paid business relationship with the maker of the consumed library/software may seem to provide assurances FLOSS no longer can, because of idiotic actions of certain FLOSS contributors. Trust built over decades can be quickly lost. But can it be regained? … and how fast?
PS: the quote from said NGO (link above), reproducing all spelling issues verbatim:
We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.
Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we backup the received content to an external server on 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accomodate the influx and during one of their tasks, package containing node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes commited in Ukraine by Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it’s most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could’ve been killed in action during the offensive.
Personally, me and my colleagues are absolutely devastated. All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Profesionally, our counsel suggested filing criminal charges federally and it’s likely we’ll be proceeding this way.