Pro-Ukraine ‘Protestware’ Pushes Antiwar Ads, Geo-Targeted Malware (krebsonsecurity.com)
61 points by todsacerdoti on March 17, 2022 | hide | past | favorite | 50 comments



Anyone putting malware in their packages needs to have their repo deleted from GitHub and npm and be blocked from further submissions to open source code. Once you have betrayed people's trust, you need to GTFO.

Open source code bases are not the place for your slacktivist rants. They hurt innocent people. You cannot booby trap your house. All this does is destroy confidence in the ecosystem.


Realistically, you shouldn't have confidence in the ecosystem, and you should be verifying the dependency changes that you accept.

The more these types of things happen, the better the users of open source will be.
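One concrete way to do the review that comment calls for, as an added example that is not part of the thread or of any project mentioned in it: diff the old and new npm lockfile (lockfileVersion 2 or 3, which records a `hasInstallScript` flag per package) and flag the changes a reviewer should read before accepting them. The two lockfiles and the package names in them are constructed for the example; the flag names are the example's own.

```javascript
// Added example: review dependency changes by diffing two npm lockfiles.
// Not code from the thread. OLD_LOCK / NEW_LOCK are constructed samples in
// the lockfileVersion 3 layout ("packages" keyed by node_modules path).
const OLD_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/example-ipc": {
      version: "10.1.0",
      resolved: "https://registry.npmjs.org/example-ipc/-/example-ipc-10.1.0.tgz",
      integrity: "sha512-AAA",
    },
    "node_modules/tiny-util": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/tiny-util/-/tiny-util-1.3.0.tgz",
      integrity: "sha512-BBB",
    },
    "node_modules/old-dep": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/old-dep/-/old-dep-2.0.0.tgz",
      integrity: "sha512-CCC",
    },
  },
};

const NEW_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0" },
    // Patch bump that a ^ range would pull in silently, and it now has an install script.
    "node_modules/example-ipc": {
      version: "10.1.2",
      resolved: "https://registry.npmjs.org/example-ipc/-/example-ipc-10.1.2.tgz",
      integrity: "sha512-DDD",
      hasInstallScript: true,
    },
    "node_modules/tiny-util": OLD_LOCK.packages["node_modules/tiny-util"],
    // New transitive dependency fetched from a git URL rather than the registry.
    "node_modules/new-dep": {
      version: "3.0.0",
      resolved: "git+ssh://git@github.com/someone/new-dep.git#0123abcd",
    },
  },
};

// True when the major version number increases (1.9.9 -> 2.0.0).
function isMajorBump(from, to) {
  const a = parseInt(String(from).split(".")[0], 10);
  const b = parseInt(String(to).split(".")[0], 10);
  return Number.isInteger(a) && Number.isInteger(b) && b > a;
}

// Flags a reviewer should look at for an added or changed entry.
function flagsFor(after, before) {
  const flags = [];
  if (after.hasInstallScript) flags.push("install-script");
  if (before && !before.hasInstallScript && after.hasInstallScript) flags.push("new-install-script");
  if (before && isMajorBump(before.version, after.version)) flags.push("major-bump");
  if (before && before.version === after.version && before.integrity !== after.integrity) {
    flags.push("integrity-changed-same-version");
  }
  if (!after.resolved || !/^https:\/\/registry\.npmjs\.org\//.test(after.resolved)) {
    flags.push("non-registry-source");
  }
  return flags;
}

// Returns the list of added / removed / changed packages, sorted by name.
function diffLockfiles(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {};
  const newPkgs = newLock.packages || {};
  const keys = new Set([...Object.keys(oldPkgs), ...Object.keys(newPkgs)]);
  const changes = [];
  for (const key of keys) {
    if (key === "") continue; // the root project entry
    const name = key.replace(/^.*node_modules\//, "");
    const before = oldPkgs[key];
    const after = newPkgs[key];
    if (!before) {
      changes.push({ name, path: key, kind: "added", from: null, to: after.version, flags: flagsFor(after) });
    } else if (!after) {
      changes.push({ name, path: key, kind: "removed", from: before.version, to: null, flags: [] });
    } else if (before.version !== after.version || before.integrity !== after.integrity) {
      changes.push({ name, path: key, kind: "changed", from: before.version, to: after.version, flags: flagsFor(after, before) });
    }
  }
  return changes.sort((a, b) => a.name.localeCompare(b.name));
}

// One line per change, e.g. "changed example-ipc 10.1.0 -> 10.1.2 [install-script, new-install-script]".
function formatReport(changes) {
  return changes.map((c) => {
    const flags = c.flags.length ? ` [${c.flags.join(", ")}]` : "";
    return `${c.kind.padEnd(7)} ${c.name} ${c.from ?? "-"} -> ${c.to ?? "-"}${flags}`;
  });
}

console.log(formatReport(diffLockfiles(OLD_LOCK, NEW_LOCK)).join("\n"));
```

In practice you would load the two objects from the committed and proposed `package-lock.json` and run this in CI, then read the tarball of every flagged entry; the point of the example is that a patch-level bump with a newly added install script is exactly the kind of change a `^` range accepts without anyone looking.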


This is about nodejs packages. You can pick two:

1. Verify nodejs dependencies every time they change

2. Be productive

3. Keep your sanity


Why is open source special?

Or are you against all the economic sanctions on Russia also? Do you oppose businesses pulling out of Russia despite not being legally required to do so?

> They hurt innocent people. You cannot booby trap your house. All this does is destroys confidence in the ecosystem.

You could say this regarding all the economic sanctions on Russia too, but it’s a very weak criticism.


This has nothing to do with any of that, and you are trying to move the goalposts. Guy writes malware, malware hurts people's systems. Where they are is irrelevant.


Why is “malware” so special to you?

Guy writes sanctions, sanctions hurt people.

Guy writes tweets at companies insisting they should pull out of Russia, companies pull out of Russia, people are hurt.

What’s the big difference here? What is it about “malware” that necessitates special treatment?


Sanctions hit Russia, while malware hits people outside Russia for one. It's even less targeted than economic sanctions.


Sanctions hit people outside of Russia. Russian Visa and Mastercard cards stopped working abroad regardless of the cardholder's nationality.

Many businesses outside of Russia are also severely impacted.

Malware can be just as targeted as economic sanctions. The node-ipc “malware” certainly was.


How about this then? The sanctions are implemented by a wide ranging alliance of democratically elected governments, meaning they have a mandate behind them and legitimacy. These malware efforts are vigilantism.


These malware efforts are not too different from western companies voluntarily pulling out of Russia, they’re also engaging in their own kind of “vigilantism”.

The question is whether or not this kind of “vigilantism” is bad. It’s not obvious to me that it’s any worse than McDonalds or LVMH shutting down their stores in Russia.

There’s no doubt sanctions have wider backing, but that’s hardly a moral argument. The legal side is indisputable and pointless to debate.


I would say it's because writing malicious software, basically casting magic spells in digital land to force sand to do math with the intent to cause harm, is this age's evil. Voldemort behavior.

A 21st century sociopathy, and we should as a society recognize that people that have the power to cause great pain on others should be prevented from doing such.

This is a good versus evil thing played out in a world that the muggles only dream of. I am both exhilarated and horrified every day by the actions of the internet wizards.


Sanctions laws are just as opaque to the muggles as digital magic spells, also easily far more damaging than even the worst malware the world has seen.


Yeah but I’m not talking about sanctions I’m talking about writing malware. Nukes are the worst tool yet, even worse than malware. This isn’t an equivalence game, and I don’t think sanctions have anything to do with writing malware.


So you also think that sanctions against Russia are evil?

If not, what’s the big difference that makes Russia-targeted malware more evil than the vastly more destructive economic sanctions?


You want to find equivalence. And you want others to agree with you with equivalence. I won’t provide that because it’s bullshit. I am talking about jerks writing malware and hurting systems and you keep talking about sanctions.

Buddy. You are obsessed with sanctions. Is it to do with your wife's father's billions?


I’m absolutely in favor of sanctions, as I am also in favor of this kind of “protestware”.

To me the equivalence is obvious, malware is just another kind of economic sanction.

>I won’t provide that because it’s bullshit

Why is it bullshit? What’s the moral difference?

The only difference I see is that sanctions are imposed by governments, but are the governments not also jerks if ”protestware” developers are?

If not, why not?

What about western companies pulling out of Russia without being legally required to do so? Are they jerks too? They sure are causing much more harm than these protestware developers.

> Buddy. You are obsessed with sanctions. Is it to do with your wife's father's billions?

It has to do with many of my friends who are currently stuck in Ukraine, in the middle of a war of aggression initiated by Russia.

Today my Kiev-based PT called me in tears, asking if I can do anything to help his wife and children flee the country. He's unable to leave the country himself due to the current rules. I get such calls every day.

I’m certainly biased, but probably not in the way you think. We’ll remain unimaginably rich regardless of any sanctions, not being able to land our jets in London is hardly anything to cry about, plenty of charters available.


Thank you for sharing that. It is a very scary time and it must be crushing to worry about friends in a war zone. I appreciate the context. I hope you are able to find a solution to help those folks out.


I overstepped there and that was stalky. I do sincerely wish good things on you and your close ones, and we are all super on edge. It's super hard times right now, near what was supposed to be the sunshine after hibernation (isolation).

I understand your emotional position with what we shall call equivalence, and while I cannot agree due to my own technoethical models, I can totally understand the want to see harm come to those that are causing so much pain to people you love and care about. The malicious Putin regime has caused so much suffering on the world and we all hope this will end here.


My main goal in this conversation wasn’t to advocate harming anybody.

I’m genuinely curious why software should be special. It’s weird!

OTOH I see this same pattern repeated over and over again in different communities.

If you go to gaming forums, you will see people generally supportive of sanctions arguing that preventing Russians from paying for videogames is a borderline crime against humanity. They’ll say it’s unacceptable to bring politics into their little club.

If you go to football forums, you’ll see Chelsea fans generally supportive of sanctions arguing that sanctioning Abramovich was a step too far (because it screws over their favourite team)

On HN you'll see people passionately arguing against ISPs pulling out of Russia (they can hardly get paid), or against malware in what essentially amounts to business software (let's face it, regular people aren't going to have their home computers wiped by the node-ipc silliness).

Many people seem to be happy to support these things until it eventually hits too close to their own interests, then you begin to see all sorts of mental gymnastics to justify how it should be different.


Well they'd be in prison for many years for knowingly creating and distributing a virus. So your wish is already a reality.


Your argument assumes the malicious submitter is honest about their identity online. We can't assume that. Instead, we have to assume that all source, regardless or how "open" it is, could be malicious. Only once it has been properly audited by the many eyes of the community should we consider placing any trust in it.

If people had confidence in the ecosystem because they thought they could blindly trust code from random strangers, then it was misplaced to begin with.


I agree with you there, however reality is that you may have one of these packages in your build, on your system, just through merit of using something else in the js ecosystem. We are never going to have a vetted set of dependencies. It will forever remain a mess as long as the platform and ecosystem exist. At best we can be reactive and kick bad actors out of the picture.


Ideally Russian software development is forced to be bogged down in vetting and forced away from using any open source libraries and tools.


What a dumb idea, similar to other ongoing sanctions and group responsibility. It sounds like there are a lot of activists who consider themselves true right-doers. You are oversimplifying the world with your naive and arrogant thinking. What do you know about the "Russians" you are going to affect? Just because they are living within the country does not mean they are supporting their government. But you want to make their lives even harder? From their perspective the whole world is against them without any distinction, only because of their nationality. And no, they would not rebel, but rather switch to the government propaganda that "the west hates us and wants our collapse".

Right, your activism saved the situation and stopped the war... or?

Think about this before oversimplifying.

I am Ukrainian and my partner is Russian, both of us having families in these countries. We already see the impact of western sanctions; they are not affecting the government the same way they are hurting the people living there. And one more thing. While the Ukrainian government calls on the west to leave the Russian market to reduce the money flow to Russia, one of the main incomes for the Russian government, the gas pipeline to the EU, goes through Ukraine and no one even tries to sabotage it to really affect the finances of the hostile government.

I am against the war, but it does not mean I will build my ego by making other people suffer only because it is a trend nowadays, unfortunately in the western world too.


Hmm, a throwaway account with a single comment constructing a straw man to argue against western sanctions for the war.

It’s simply an unfortunate reality that the Russian state can’t be punished for their actions without collateral damage.

The purpose of the sanctions is to economically punish Russia in order to ensure that Russia and others do not repeat the same actions in the future.

Furthermore, the sanctions create a huge distraction for the Russian leadership that’s already very busy with their war effort. Within months, the sanctions will also severely disrupt Russian military supply chains as they rely heavily on imports.

> And no they would not make rebellion, but rather switch to government propaganda that “west hates us and wants our collapse”.

Yeah, nobody cares. This isn’t the purpose of the sanctions.

> my partner is Russian, both having families in these countries

Same. My in-laws control one of the biggest exporters in Russia, their business has been severely hurt by the sanctions. Despite this, you won’t find many arguing against the sanctions in our circles, it’s simply the appropriate response to Putin’s folly.


On the account: I have had it for a couple of years and use it for bookmarks, so your judgement is far from correct.

On sanctions I can agree there is no other way, but let's not compare economic sanctions with random marketing ones done just to share on social media and put on a badge saying "I punished Russians".

What about having the same reaction from activists for Iraq, Serbia, Libya? Nah, because it was the "right thing", only bad guys died there. Or because most of today's activists are living within the invading countries?

Again, I am not supporting the Russian war or government, I am raising my voice against infantile activism, where the main reason behind it is building up one's own ego or marketing purposes, and nothing that affects the real problem.


That's how war works. When you shoot an invader, do you think that the invader necessarily supported the war? No, but you have to defend yourself.

If we're not going to bomb Russia we need to at least use all economic sanctions. That has unintended consequences. But that's war. The only solution is for Russia to surrender.

We can't afford to be weak because the enemy isn't. They're targeting civilians and we're thinking about the economic wellbeing of Russians? What nonsense.


But in reality it slows down the whole world, because now everyone needs to check their open source dependencies, not only Russians.

What if Russians also start playing this game with OpenCV, Redux, Kotlin, Nginx...

https://github.com/igoradamenko/awesome-made-by-russians


I think your examples are terrible. Everything you listed is controlled by western companies or individuals.

>OpenCV

Intel, a US company

>Redux

I don’t think this was developed in Russia at any point, current maintainers appear to be American. One of the original devs came from a Russian background but seems to live in the UK, and would be considered a traitor in Russia judging by his tweets.

>Kotlin

Jetbrains, a Czech company which suspended their presence in Russia because of the war.

>Nginx

F5, US company.


> What if Russians also start playing this game with OpenCV, Redux, Kotlin, Nginx...

The Russians are already attacking us. Just off the top of my head: NotPetya, Korea Olympics attack, US elections, US pipeline attack.

You can't say we have to surrender in the open source front out of fear that they will respond back when they're the ones attacking the civilized world on all fronts.


Think logically about what you're proposing. Hurting people doesn't suddenly make them go "Darn, the rest of the world is hurting us because they don't like our government. I know, let's overthrow our government and become super friendly with the people trying to hurt us!" It leads to extreme antagonism that most frequently trends towards ultra-nationalism and even more extreme hardline stances.

Iran in the 1950s took a relatively anti-western approach towards things and tried to nationalize their own oil. In 1953 we overthrew their democratic secular government and installed an authoritarian (and deeply unpopular) monarchy. In 1979 they then had a genuine revolution and overthrew the US puppet monarchy, and created the Islamic Republic that exists to this day. We'd do anything to go back to 1953 now, but that bridge has long since met the cruise missiles of freedom. And Iran, while perhaps the most colorful illustration because of how we radically transformed the country (against us) in such a short time, is closer to the rule than the exception. Iraq (the only other Shiite majority nation than Iran) is going down the exact same road today.

Actions lead to equal but opposite reactions, not only in physics. This is the reason that in times past you'd have "blood feuds" lasting for centuries. People don't care about your reason for some hostile action, they only care about that action. Start intentionally breaking open source software to try to hurt some group and that group will start doing the exact same thing to you. Won't it be great for open source software when an increasing chunk of pull requests are from people trying their hardest to insert malicious code as subtly as possible, because politics?


Nobody seriously expects that any form of sanctions will result in a popular uprising in Russia.

Sanctions, and presumably non-government actions like this are entirely fair moves in order to punish Russia for their war of aggression, in order to discourage Russia and others from starting wars in Europe ever again.

It’s sort of like putting a murderer in prison, nobody expects that to directly fix anything.

> Start intentionally breaking open source software to try to hurt some group and that group will start doing the exact same thing to you.

This sounds a lot like a veiled argument against providing any support for Ukraine. Because open source software isn’t special, why wouldn’t the same logic apply to literally everything else?


It doesn’t work that way. Everyone is connected, same software, same ecosystem, same network. If you attack one person with malware you attack the world.


But that’s strictly not true, bordering on delusional. Geo-targeted malware that only runs on specific computers is not attacking the whole world.


It is strictly true. Delusional is thinking that the internet is not shared medium for the world.

No way. GeoIP is an opinion. Ask that couple in Kansas what they think of it.

There was a report (could be fake?) that a U.S. NGO that had some Russian appearing hosts got hit in this malware attack. You cannot restrict malware to a region. Internets man. Internets.

How soon we forget Stuxnet. EternalBlue/WannaCry. NotPetya. You write malicious software to harm systems, any systems, you are an enemy of the internet.


You really have to be delusional to equate stuxnet with WannaCry and NotPetya.

Stuxnet caused zero harm outside of the very specific systems it targeted, there was no collateral damage. In fact, it was designed in a way that rendered collateral damage almost impossible.

WannaCry and NotPetya were indiscriminate attacks against the whole world (Well, NotPetya refused to execute if you only had en_US keyboard layout installed).


Say what??

Sorry but it did. It leaked. Caused a lot of trouble. Still around today even. It’s a worm!!!

Why would you make that up that it wasn’t a complete cock up of an op?? Did you have some hand in writing it?


Uh, a worm that only spreads and then does nothing isn’t causing any damage.

> Why would you make that up that it wasn’t a complete cock up of an op?? Did you have some hand in writing it?

It wasn’t a cock up, why would it have been?


Someone's gotta clean it up. I can't believe you are even saying this. Are you a malware dev?


Someone being told to clean up completely harmless software from their computers isn’t “damage”.

Certainly not something a sane person would consider comparable with indiscriminate wiper worms.


Whatever helps you sleep at night, malware developer.

You certainly came out of the woodwork with that comment. It must have struck a nerve. Not many people go around defending stuxnet, a malware tale for the ages in bad fucking intelligence operations.


I’m sure the people behind Stuxnet are proud of their work (and they should be!), they significantly disrupted the Iranian nuclear program without hurting anybody, without causing any collateral damage.

I’m not sure what special meaning “malware” holds to you that would automatically render their actions immoral. Preventing Iran from getting nuclear weapons is absolutely a good cause.

> Not many people go around defending stuxnet, a malware tale for the ages in bad fucking intelligence operations.

Literally nobody actually working in this field would agree with you. Stuxnet was a very successful operation.


You keep saying no collateral damage. 40% of systems infected were outside Iran. The developers should be ashamed they took a clean surgical implant and wormed it up. Lots of collateral damage, even if you choose to ignore it.

The mission was successful, at great cost. If you have any involvement in such shady business, I encourage you to stop.


What great cost? Stuxnet did exactly nothing to harm systems that it wasn’t specifically targeting.


Clap Emoji STOP WRITING MALWARE Clap Emoji

Seriously, this is dumb. I understand that you took offense to likening Stuxnet to WC, and yes, NK/RU made a much bigger mess than US/IL, but it's all malware to those of us outside of the great game. I have the same opinion of the Stuxnet authors as I do of the WannaCry authors: they are malware dev scum.


So you don’t actually have anything intelligent to say on this topic?

> but it’s all malware to those of us outside of the great game

That’s hardly true, is it? Stuxnet didn’t even exist for those “not in the game”, whereas Wannacry and NotPetya indiscriminately destroyed the files of those people.

If you weren’t in the game, Stuxnet was just a news story and at most yet another vague alert from your antivirus.

The people behind Stuxnet, Flame, Duqu and Gauss should be praised for pushing the envelope on responsible cyberwarfare. Years later, researchers still haven’t been able to decrypt some of their modules as the targeting is just so specific.


RESPONSIBLE!!!! That word. It’s such a shibboleth.

We should never celebrate the tools of war. We should not praise those that pushed the envelope us further into cyberwarfare. Cyberwar is bad, mkay.

The very fact they were discovered, are being analyzed today, and started a global normalization of deviance with respect to fucking each other’s cybers up is a failure in my opinion.


Do you believe that the alternative of letting the Israelis bomb Iranian nuclear facilities would have been better? That’s what they would have done if not for Stuxnet.


Let me explain, I think we are arguing very different things. I am making a technical distinction about writing code: once you turn a tool of art into something less discriminate like a worm, or hide malicious and obfuscated code, one crosses the line into doing active harm against your mission, whatever that is. I am not making any geopolitical statement or position on the outcome or actions beyond that which I consider technical foul play: hurting others with software, malicious software, malicious intent. There are surely more elegant tools to wield.


Unfortunately I think this is a rather naive idealistic view. Software doesn’t exist in a vacuum, it very much exists in the middle of everything in the real world.

Stuxnet is malware, sure. But what about the software Iranians were using to develop nuclear weapons? Surely that must be even worse?



