Some open-source developers are using their projects to target users in Russia after the country’s invasion of Ukraine.
The invasion of Ukraine has been almost internationally condemned. The actions of Russian forces are being investigated for numerous war crimes and the targeting of civilians in areas like Mariupol has equated to genocide.
State-controlled media and harsh penalties for protests mean that a large number of Russians believe the Kremlin’s narrative that the “special operation” was necessary to “de-militarise” and “de-Nazify” Ukraine. The full extent of Russia’s losses in Ukraine is also being covered up.
Most of the protestware is fairly innocuous and displays anti-war messages to Russian users to inform them about the reality of what’s happening in Ukraine.
The developer behind node-ipc – a popular open-source project for building neural networks – explained their decision to add non-destructive code on its GitHub page.
“This code serves as a nondestructive example of why controlling your node modules is important,” wrote the developer. “It also serves as a nonviolent protest against Russia’s aggression that threatens the world right now … To be clear, this is protestware.”
However, the project contained hidden code to wipe the computers of users in Russia and Belarus.
The latter form of protestware has drawn criticism as being counter-productive. Rather than inform general Russian users, it causes damage that will likely increase anti-Western sentiment pushed by the Kremlin. It also has a high potential to cause unintended collateral damage.
In the case of node-ipc, the code hit assets belonging to an American non-government organisation based in Belarus and wiped “over 30,000 messages and files detailing war crimes committed in Ukraine by Russian army and government officials.”
“Me and my colleagues are absolutely devastated. All I can say that your little shenanigan did more damage to us than Putin or Lukashenka ever could.”
Sberbank, a Russian state-owned bank, advised citizens not to update software for the time being due to the protestware.
“We urge users to stop updating software now and developers to tighten control over the use of external source code,” Sberbank said in a statement.
The desire to get the truth to citizens living in oppressive regimes is understandable, but causing damage to the devices that provide a window to the outside world isn’t the way to go about it.
“While we are firmly opposed to what’s happening in Ukraine, intentional sabotage such as this undermines the global open-source community,” commented Liran Tal, Director of Developer Advocacy at Snyk.
Want to learn more about cybersecurity from industry leaders? Check out Cyber Security & Cloud Expo. The next events in the series will be held in Santa Clara on 11-12 May 2022, Amsterdam on 20-21 September 2022, and London on 1-2 December 2022.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.