If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
However, if I had a company, at any place of the planet, I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever. Simply because, today it was Russia, tomorrow he might change his mind and decide that actually capitalism is the root of all evil, who knows. The chance is perhaps small, but why take the risk? You can only lose your reputation once.
Even from the perspective of “this is unique opportunity to cause damage to the enemy”, this action was stupid. The most likely victims were young people, i.e. precisely the part of demographics that opposes Putin, on average. And if you want to use your software for a cyber attack, it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you a code that only activates on a specific IP address, and maybe steals an important state secret, and maybe no one would even find out. Instead, FSB will now be more careful about this attack vector.
The only good outcome is that people have noticed how utterly insane is the current state of JavaScript development, and hopefully everyone will now get a bit more careful. (Ah, probably not. But one can dream.)
I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever.
The sadder part is that an action like this damages the whole system. Sure I should avoid “node-ipc”, but the probability of such things happening with any package has also gone up—perhaps some Russian sympathizer does the same thing in retaliation, or more likely, someone in some unrelated conflict in the future decides to do this because there’s precedent for it. So now I need to worry about all packages, and either do costly extra things like locking all package versions and then manually updating them over time, or perhaps do nothing but expect that I’ll get pwnd more frequently going forward :(
Yeah, we’re all really worked up right now but this was an utterly wild failure of judgment by the maintainer. Nothing debatable, no silver lining, just a miss on every possible level.
I don’t know how to fix it at the package manager level though? You can force everyone to pin minor versions of everything for builds but then legitimate security updates go out a lot slower (and you have to allow wildcards in package dependencies or you’ll get a bunch of spurious build failures). “actor earns trust through good actions and then defects” is going to be hard to handle in any distributed-trust scheme.
If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
I don’t think about it in terms of a pretext. I do think that when someone at the FSB reports to Putin about the damage done to Russia by an attack like this, they might want to propose options about how to retaliate.
it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you a code that only activates on a specific IP address, and maybe steals an important state secret
Which is probably happening already at a high rate. This node package author could be the one in a thousand who decided to take the visible, evil, ineffectual route instead of the invisible, evil, effective route.
If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
However, if I had a company, at any place of the planet, I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever. Simply because, today it was Russia, tomorrow he might change his mind and decide that actually capitalism is the root of all evil, who knows. The chance is perhaps small, but why take the risk? You can only lose your reputation once.
Even from the perspective of “this is unique opportunity to cause damage to the enemy”, this action was stupid. The most likely victims were young people, i.e. precisely the part of demographics that opposes Putin, on average. And if you want to use your software for a cyber attack, it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you a code that only activates on a specific IP address, and maybe steals an important state secret, and maybe no one would even find out. Instead, FSB will now be more careful about this attack vector.
The only good outcome is that people have noticed how utterly insane is the current state of JavaScript development, and hopefully everyone will now get a bit more careful. (Ah, probably not. But one can dream.)
The sadder part is that an action like this damages the whole system. Sure I should avoid “node-ipc”, but the probability of such things happening with any package has also gone up—perhaps some Russian sympathizer does the same thing in retaliation, or more likely, someone in some unrelated conflict in the future decides to do this because there’s precedent for it. So now I need to worry about all packages, and either do costly extra things like locking all package versions and then manually updating them over time, or perhaps do nothing but expect that I’ll get pwnd more frequently going forward :(
Yeah, we’re all really worked up right now but this was an utterly wild failure of judgment by the maintainer. Nothing debatable, no silver lining, just a miss on every possible level.
I don’t know how to fix it at the package manager level though? You can force everyone to pin minor versions of everything for builds but then legitimate security updates go out a lot slower (and you have to allow wildcards in package dependencies or you’ll get a bunch of spurious build failures). “actor earns trust through good actions and then defects” is going to be hard to handle in any distributed-trust scheme.
I don’t think about it in terms of a pretext. I do think that when someone at the FSB reports to Putin about the damage done to Russia by an attack like this, they might want to propose options about how to retaliate.
Motivating nonstate actors matters as well.
Which is probably happening already at a high rate. This node package author could be the one in a thousand who decided to take the visible, evil, ineffectual route instead of the invisible, evil, effective route.