If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
However, if I had a company, at any place on the planet, I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever. Simply because, today it was Russia, tomorrow he might change his mind and decide that actually capitalism is the root of all evil, who knows. The chance is perhaps small, but why take the risk? You can only lose your reputation once.
Even from the perspective of “this is a unique opportunity to cause damage to the enemy”, this action was stupid. The most likely victims were young people, i.e. precisely the part of the demographic that opposes Putin, on average. And if you want to use your software for a cyber attack, it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you some code that only activates on a specific IP address, and maybe steals an important state secret, and maybe no one would even find out. Instead, the FSB will now be more careful about this attack vector.
The only good outcome is that people have noticed how utterly insane the current state of JavaScript development is, and hopefully everyone will now get a bit more careful. (Ah, probably not. But one can dream.)
I would now take care to not use “node-ipc” or any other library made or maintained by the same author, ever.
The sadder part is that an action like this damages the whole system. Sure, I should avoid “node-ipc”, but the probability of such things happening with any package has also gone up—perhaps some Russian sympathizer does the same thing in retaliation, or more likely, someone in some unrelated conflict in the future decides to do this because there’s precedent for it. So now I need to worry about all packages, and either do costly extra things like locking all package versions and then manually updating them over time, or perhaps do nothing but expect that I’ll get pwnd more frequently going forward :(
If Russia needs a pretext for more malicious activity, they can always make up a genocide or whatever, so this part does not really bother me.
I don’t think about it in terms of a pretext. I do think that when someone at the FSB reports to Putin about the damage done to Russia by an attack like this, they might want to propose options about how to retaliate.
it would be more efficient to contact your country’s secret service and ask if they have some good ideas—who knows, they might give you a code that only activates on a specific IP address, and maybe steals an important state secret
Which is probably happening already at a high rate. This node package author could be the one in a thousand who decided to take the visible, evil, ineffectual route instead of the invisible, evil, effective route.
Motivating nonstate actors matters as well.