My entire PC got wiped Do not download (github.com/riaevangelist)
126 points by ahiknsr on March 18, 2022 | 109 comments


This is disgusting and thoughtless, because it accomplishes nothing but alienating Russian or Belarusian users. It doesn’t attempt to spread the truth or convince people that yes, Russian forces really are committing war crimes. Killing children.

I would love for pro-“special operation” Russians to find out why Ukrainian hospitals in the war zone keep their lights off at night. Hint: so they won’t be targeted. Spreading those truths could have done some good, but this… this is merely malicious.


> This is disgusting and thoughtless, because it accomplishes nothing but alienating Russian or Belarusian users. It doesn’t attempt to spread the truth or convince people that yes, Russian forces really are committing war crimes. Killing children.

You could say exactly the same about economic sanctions, no?

The idea that spreading information about Russian war crimes in Ukraine will somehow lead to a popular uprising is really far fetched.


When Wikileaks spread information about US war crimes in Iraq it didn’t lead to any uprising in the US at all, protest yes but no uprising. The regime got re-elected.

Instead, what did happen was the imprisonment of the journalist Julian Assange.

In the age we live in most citizens, in any country, are powerless: if you peacefully speak up against your own regime you will be doxxed, silenced, arrested, your bank accounts frozen and even be classified as a terrorist. This has been the case in authoritarian countries but now is common in so-called democratic countries too.

Thinking that you create massive change in another country by putting sanctions on that citizenry is naive, not only will they be punished for the sanctions itself but also when speaking up.


> if you peacefully speak up against your own regime you will be doxxed, silenced, arrested, your bank accounts frozen and even be classified as a terrorist

> this ... now also is common in so called democratic countries too

Uh, in what democratic countries, exactly?


A few examples

Canada (terrorist, bank accounts frozen)

USA (no fly list, bank accounts closed)

Sweden & Austria (bank accounts closed)

All this with any court order.

Doxxing and silencing is done by groups closely related to the regime, e.g. ones that get funding from it, like media and NGOs.


No.

Economic sanctions target sectors.

Average Russians not eating McDonald's is not the target of sanctions. Profit from food sales then going to oligarchs and supporting the military is.

This package does more harm to the McDonald's eating crowd....

https://youtu.be/H5GS4uUeHVA


> This package does more harm to the McDonald's eating crowd....

This isn’t a videogame dropping wiper malware, but business software.

So no, I don’t see how this is supposed to harm the McDonald’s eating crowd any more than sanctions do.


Node IPC I agree would likely not be used by a "babushka" however the users of those businesses products and services are the people who need to access the services that the business operates. In fact it destroys the data that the users populate with the business.

Therefore, I argue that the user is harmed more than the business.

To compare, I believe average Russians are more impacted in terms of the amount of money that they can access freely, based upon the video that I added in my initial response to your comment, above.


I think now we’re solidly in the same territory as regular economic sanctions, which will also cause more harm to the regular people than to those directly culpable for enabling the war.

But I also think to some extent it’s only fair that the regular people pay a price for the war. Not necessarily a very steep one, but a price nonetheless.


Okay. I certainly hope not. There's limited impact that the ordinary Russian citizen can have I believe on their own government. So it seems illogical to knowingly harm, primarily, an impotent underclass. That seems like unwise strategy. To be clear I'm still a supporter of the sanctions as I understand them impacting the upper class more significantly than the mass underclass.

Presuming that the goal is for Russia to stop and roll back its invasion of Ukraine, the sanctions that have frozen basically all international currency interactions with Russia.

The node IPC rewrite, to destroy data of business systems, seems unlike anything that you and I have talked about so far in the subthread, and instead seems more like a malicious way to cripple and permanently harm users. Their data which they have entrusted with the businesses now potentially all trashed. It's certainly not like anything which my government, the US government, has publicly discussed doing against Russia in response to this invasion. It's frankly an illegal action by the node IPC owner based on my understanding of computer crimes.


> It's frankly an illegal action by the node IPC owner based on my understanding of computer crimes.

It's absolutely categorically illegal - hell, look at what Aaron Swartz was prosecuted for - and I have no doubt that they'll throw the book at him. This is way beyond the pale. It's not a 'no jury in the land' case like that Ukrainian crewman sinking the oligarch's yacht.


I doubt it, it’s not a “no jury in the land” case, but it probably is a “no prosecutor in the land” case.

In Swartz’s case it wasn’t at all obvious to an outsider how many people would be upset, but there certainly were big domestic interests in favour of prosecuting him. Positive EV for the prosecutor.

Here? You’ll find little serious support for bringing charges, but the chances of the story being spun in a way that casts a very negative light on the government are high.

While I don’t agree in principle, you could easily paint this man as a hero for striking against a war-mongering country that lets their ransomware gangs attack American hospitals and other critical infrastructure with impunity.

Prosecutors worry more about career progression than juries, cases like this have a negative expected value.


Me prophetically 2 days ago

> software developers are smart enough to not download crap from the internet, but they will gladly run npm install with full user privileges.

https://news.ycombinator.com/item?id=30684416


regardless of the goals, malware is malware.

I think there's an overton window here which is getting pushed. People need to stop unilaterally imposing their own form of punishment to a group of people, just to make a political statement.

It was bad with the BLM saga, but apparently at the time, it was too politically incorrect to say. It is still bad now that the Russian invasion is causing an even wider and larger number of such malware.

Make political statements with your government, or do it as a standalone organization. Put ads in the papers, media etc. Don't use an unrelated platform, such as software distribution platforms to make a political statement - esp. if it harms the end user in some ways. There's a name for such action - it's called terrorism. I would hope that the people living in civilized society can see that.


> It was bad with the BLM saga, but apparently at the time, it was too politically incorrect to say.

Is the implication that there is/was pro-BLM malware floating around? I've not heard of anything even remotely similar?


Not to the degree of wiping people's computers, but there sure were many who put in messages or some such.


Likening pro-BLM messages in readmes to terrorism is a little bit of a stretch.


Pretty sure he was likening the pro-BLM arson to terrorism.


What would you call the political violence of British colonial subjects in the 13 colonies re: Boston Tea Party, tarring & feathering, etc.


Terrorism, without a doubt. If you win it gets amended to nice names like "fighting for independence".


That's just the violence toward property and objects


Who gives a fuck if you don’t own it, amiright?


The repo owners name is on GitHub. I wonder if they could face criminal charges for distributing this malware.


I'm sorry, I don't remember the time someone added a dependency to all their packages that turns on your webcam and uses a shoddily trained neural net to determine if you were black enough to not have your hard drive wiped?

License changes are not malware.


What's more worrying is the corporate take over. Every citizen including CEOs and employees have the right to speak in the public sphere as private citizens, but what they cannot do is leverage the position/influence as corporations, bypass the checks/balances of election in a democracy and wield extraordinary power over the society, impose their beliefs on the rest of us. A small group of people in Silicon Valley influences the belief system of the rest of the world. I think we're going to see a rise of non-woke corporations after the public is fed up. But until then, we're stuck with it. There is a massive silent majority that put up with it because their jobs are on the line.


> non-woke corporations

They never went away, you just don't hear about them because they don't publicly pat themselves on the back every time they signal their virtue...


The wokeness of most corporations is nothing but marketing, and I'm saying that as a trans person who has worked with supposedly woke corporations (rainbow flag at every location's entrance) that had done nothing within their culture to make my situation less awkward.

Though I wish the "anti woke" would see that this helps nobody who is actually marginalized, it's just feel good for naive liberals. Companies for which inclusion and diversity is less than a slogan exist, but they are very far and few between.

We'd rather want safe access to healthcare than corporations throwing pride flags on their logo until exactly midnight of the next month once a year. Thanks.


I know quite a few companies that proudly show their diversity efforts and talk about diverse hiring. They even actively work on gender fair compensation and promotion. And all these things.

The point I wanted to make is that I know how the same companies described above let 'minor infractions' from some individuals pass. Minor infractions being quotes like 'Women belong in the kitchen', dick pics, and questioning non-binary people if they just need to be with a real man for once.

I found wokeness more often than not to be the social greenwashing of our time.


I've had this experience with regional offices having a vastly different culture from the main office.

In one place I was extremely happy to be able to work remote, because using bathrooms in their office (either, really) turned into rolling a die, risking an awkward confrontation that was always brushed off when I dared talk about it in my HR JF. Sometimes these conversations turn comical, because the "direction" I'm transitioning isn't obvious to some people, leading me into being gatekept from the _wrong_ facility.

Of course that problem exists in most public places as a non-passing trans person, but I'd at least be spared from this at work.


I am trying actively to understand experiences like these to be part of a better workplace culture/experience. What I often find difficult is how to approach these subjects from a position of genuine interest without putting people off. Without being insensitive.

I know there is no "cookbook" for talking to other people. But sometimes I wish it were easier for me to share and learn.


When I came out, the company I was working for at the time attempted to put me in a "working group for dealing with trans people". I begrudgingly agreed to this, but it turned out they didn't want me as an advisor. I dug out precedent for name change without a legal change (it's nearly impossible here); they dismissed it and then spent the rest of the meeting telling me they'd have to ask all the women on the floor if they were comfortable with me using the restroom. (I had not requested that whatsoever; I did not male-fail at that point). I handed them a copy of the SAP guidelines[1] (this was a much smaller company than SAP) and bailed. If you want to do it right, hire a real consultant.

Thankfully a few months later there was a change of leadership, and my name was changed in Slack/AD with no problems whatsoever.

1: https://www.charta-der-vielfalt.de/uploads/tx_dreipccdvdiver...


What are the beliefs a small group of people in SV are imposing on you?


I have no idea who or what to believe, but there is a quote from someone claiming to be a NGO documenting war crimes that has had their records wiped by this https://github.com/IdealismIncinerator/node-ipc/blob/master/...


This package should be immediately removed from the npm repository and the developer should be permanently banned from publishing npm packages.

If you purposely distribute malware you don't get to be part of the package registry as you have proven you can't handle the responsibility.


This was a criminal act. They should get more than just banned from some repos.


Next time someone asks me why you are writing a function yourself instead of using a library, I will show them this.


I spent all of 2021 with a challenge to myself to do stdlib only, and though at first it was challenging, it was great! I learned so much that using a library now seems like tying a cow to my neck to make a bowl of cereal


From github tos:

>We do not allow anyone to use our platform in direct support of unlawful attacks that cause technical harms, such as using GitHub as a means to deliver malicious executables or as attack infrastructure

Why are they still hosting this? It would seem to violate the CFAA and therefore be unlawful


The package uses https://github.com/RIAEvangelist/peacenotwar to deliver the message.

But I don't understand why/how it would wipe the PC. Unless I missed something, the code from the package does not delete anything.

> This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now.

Nah, the author knew it would be controversial. The first sentence is there as an excuse.


Some details here

https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0...

It does not delete anything, it just rewrites them. Which is much more terrible than just deleting.


I think there's some history rewriting going on here, as a different version of the code (9.2.2) which apparently contained the malicious code was linked to from another GitHub issue, but that version no longer exists in the git history.


That's the more recent version. The original had some obfuscated code in the main repo that overwrote all files.


This is brutal. I can only imagine the indignation felt if US computers were wiped because of the 2003 invasion.


US computers are attacked by foreign nations all the time.




Do you feel that there are no significant differences between the invasion of Iraq and the wars in Ukraine that started in 2014?


Yes, it appears the Russians are not bombing civilians indiscriminately like the US did early in the war. Of course warfare tech has improved since then, but also Russia has an interest in preserving Ukraine, and simply getting rid of its racist, puppet government.


Russia has been indiscriminately bombing civilians and civilian and humanitarian infrastructure since day 1 of invasion. There are mountains, and mountains of evidence.

Amnesty International (Feb 25, first days of the war): https://www.amnesty.org/en/latest/news/2022/02/russian-milit...

"UN rights office says it has credible reports of Russian cluster bomb use in Ukraine", (March 11): https://www.reuters.com/world/un-rights-office-has-credible-...


Someone who believes the Kremlin propaganda that Zelensky is a neo-Nazi is not going to be swayed by Reuters. I wouldn't waste my time if I were you.


I'm guessing your American "news" outlets, CNN and MSNBC, are telling you it's important to wave the American flag and bless this war in Ukraine. Zelenskyy isn't a neo-Nazi, but nice diversion. A lot of Ukrainians, and Eastern Europeans in general, are nationalists and even neo-Nazis, and for good reason: as a response to the horrors of communism via the Soviet Union and the American hegemony's exploitation, they can't find much else to agree on. Just like how Donald Trump's MAGA movement gained so much power in response to Democrats' & Republicans' rape of the middle class and warmongering. Look up these terms: Manufacturing Consent and the Propaganda Model[0], and Useful Idiot[1].

[0] - https://en.wikipedia.org/wiki/Manufacturing_Consent

[1] - https://en.wikipedia.org/wiki/Useful_idiot


Do you believe that there are moral principles that apply universally? If so, I’m interested in hearing a consistent set that makes Russia invading a country wrong but it’s ok when the USA does it.

Sadly I think most people’s moral reasoning here is TV man says Russia is the bad guys and USA is the good guys. Bad guys always bad good guys always good.


I mostly don't believe in universal morality, I just try to find my own moral meaning.

I think Iraq and Ukraine are both examples of a (military) superpower curbstomping a smaller nation under a flimsy, false, pretext.

I think Ukraine is also different because it's a democracy, and they're outright bombing hospitals and leveling cities, and Putin is threatening to nuke the world if he doesn't get his way.

So they're both bad, but I see Ukraine as genuinely worse.


> I mostly don't believe in universal morality, I just try to find my own moral meaning.

I'm trying to steel-man here, but this reads to me as "I am mostly morally unprincipled" in the sense that you do not require consistency in your own moral meaning, whatever that is. Most people probably aren't satisfied with a moral system that's "whatever sterlind feels like today."

Here's a thought experiment: imagine if the powers that be in the West were fully aligned with Russia for whatever reason. As a result they deploy the full force of traditional and social media message control along with all the other measures taken to sway public opinion in favor of Ukraine. In that scenario, do you believe the vast majority of people in the West would be just as enthusiastic about the "special military operation" as they are about Ukrainian resistance today? Do you think your opinion would be different? Why or why not?


I try to follow my own moral principles consistently, though sometimes I fail because I am weak. My principles are mainly empathy, truthfulness, being a good friend and respecting autonomy. Those are what make me feel like I'm doing the right thing.

I don't have an ultimate basis for those principles other than they "feel right." I'm not Kant. I don't think Kant was on the right track. That's what I meant by not believing in absolute morality - I just follow my heart, and admittedly judge others against what my heart says.


Well, there were many reports of hospitals being bombed in Afghanistan and Iraq. Not to mention Vietnam, where there were 3x as many bombs dropped as in the whole of WW2 on all sides, nuts!


You're attacking a straw man. No one is saying the invasion of Iraq was justified.

One major difference is the motivation for the war. Putin wants to return to USSR borders, which is a motivation of conquest. The US did not want to conquer Iraq. It is not the 51st state.

Another is the regime that existed. Ukraine was a peaceful democracy. Iraq was not. Hussein killed many thousands of Iraqis, too.

The invasion of Iraq was a series of war crimes that should never have happened, but Bush was not nearly as authoritarian as Putin and Hussein is not Zelensky.


> Putin wants to return to USSR borders, which is a motivation of conquest.

It's kinda funny that you used the term straw man and then immediately created another one.



The invasion of Iraq took place over weapons that did not exist. The invasion of Ukraine is happening because of non-existent neo-Nazis in the Ukrainian government. Not identical, but there are parallels.


I didn't deny that there are parallels. I asked if they are the same, and you seem to agree that they aren't.


Is it fair to compare which war was worse? The suffering is same anywhere, or do you mean that brown peoples lives are less important? If that is the case then this is really fucked up.


I am brown, so you can take your insinuation that I'm a white supremacist elsewhere. Try to address what I actually said instead of putting words in my mouth.

I'm not arguing about it on a humanitarian basis. The invasion of Iraq and subsequent forever-war is a huge humanitarian disaster that Putin may or may not beat.

I'm arguing about whether Putin invading a peaceful, democratic country in order to expand his borders is more or less justified than the US invading a hostile, murderous dictatorship.

Both are bad, but one is clearly worse.


I'm sorry, but Ukraine was not peaceful before the invasion. There was extensive fighting in the east over years. External entities were funding various factions and the previous government was a puppet.

You paint Ukraine as some peaceful and stable European place when it just factually wasn't. If Russia invaded Finland I would agree with you, but not Ukraine.


The puppet government and fighting in the east were also because of Russia. You're just arguing that this war started in 2014 or earlier, and I agree with you.


Well one was in Iraq and the other is in Ukraine.


The Iraq invasion and Afghanistan were far worse and unjustified. NATO has killed more than Putin ever will. Russia is attacking Ukraine with geostrategic cause. Whether or not you agree. Ukraine was falling into NATO hands.


I disagree that "geostrategic cause" is a thing that exists or justifies a war. If it is only geostrategic, it is not cause.


What the hell are NPM and GitHub doing, are they letting this malware exist since it's for the "right" cause? I understand where this guy's heart is at but this is wrong on so many levels. I reported this to both of them this morning, and they are still up, I can't be the only one. If they don't take it down then that is a serious trust issue there, and represents a new reality where people will willingly host malware if it's for the correct political cause.

I forked the repo to make the README.md more accurate and satirical (and removed the actual malicious code), but sadly I can't make a PR since he's locked down the repository to only contributors.

https://github.com/4oo4/cyberwarfareispeace

But seriously GitHub and NPM, get your shit together.

EDIT: Finally got a response back from NPM and GitHub that they're investigating.


OK this gets worse. GitHub acknowledged this as malware two days ago but still allows this guy to keep using the platform:

https://github.com/advisories/GHSA-97m3-w2cp-4xx6

I asked them for clarification.


At least with Faker.js, it didn't act as malware. Simply a deleted project. That was a more respectable protest. This... well it's certainly an attention-grabber. But if he wants people to be sympathetic to his message, good luck with that now.


Is seanw444 available as a service or do malware authors have to just guess what will merit your respect?


First time seeing something criticized?


First time seeing a critical comment counter-critiqued?


Has the creator thought that a Russian or a Belarusian person who uses this software might be against their government or their country?

Blaming citizens who are mostly uninformed and misled due to information control, and have little real power to change what's happening, doesn't help the current situation at all.


People frequently forget that the actions of one's government do not necessarily represent an individual's standpoint. Go after high-level officials and oligarchs, but do not go after common folk - they've already lost enough.


Not necessarily, but they are frequently morally culpable. The problem is that collective punishment is indiscriminate. It makes no effort to discern between an active objector and protester and a supporter.

Probabilistic Justice isn't just


Microsoft maintains GitHub. This is water on their mill. Use solid, corporate backed dotnet, not random soyware. Next you know FOSS is dead in the water.

If one random supporter of the current thing can cause such mayhem, imagine what can happen to any of the projects in 2-3 years: you run an update and find your server wiped out because capitalism is bad or indigenous people of Tuvalu lost a fishing boat or whatever.

On the longer run this is the end of community projects in mission critical applications.

You are one brain-damaging soy latte away from total disaster.


Uh, .NET is free open-source software. Have a look at this 1500-line package-lock.json: https://github.com/dotnet/runtime/blob/main/src/mono/wasm/ru...

And even if you ignore that: what about the browser you use to install it? The library you use to decompress the file? The library you use to checksum it? The dependencies you install when you write code in .NET (which is the entire problem here and is literally no different whatsoever in .NET, aside perhaps from differences in the size of their standard libraries)?

I'm sorry, you're right to say that this is wrong and that the ease of installing malware is terrifying (and not nearly enough acknowledged), but there's no lazy magic bullet that will save you. Welcome to combinatorial explosion!


The Issues for node-ipc have devolved so much, and it's completely hilarious and entertaining to read.


I want to mitigate risks like this. Is there a way to limit access to certain directories only while using certain software?


This node npm supply chain attack incident is a wake-up call that the current security model of mainstream operating systems such as Linux, MacOSX or Windows is no longer suitable for modern-day threats, and they need a "zero-trust"-like model for applications. Mitigating supply chain attacks like this one requires adopting application sandboxing by default, assuming that any application can be compromised, and a capability-based security model like Fuchsia, Genode OS or mobile operating systems like Android or Apple's iOS. In the case of Linux, the most suitable sandboxes are Docker containers and the Firejail tool, which can restrict the operating system resources an application can access, including the $HOME directory. Firejail can even provide a fake $HOME directory. In the case of Microsoft Windows, there is the Windows Sandbox, but it is only available on Windows Pro or Enterprise. But even so, those countermeasures would only prevent the user data from being damaged; malicious NPM packages could still attempt to send credentials, tokens or database information back to the attacker. More details at: https://hkubota.wordpress.com/2020/12/31/comparing-sandboxin... and https://docs.microsoft.com/en-us/windows/security/threat-pro....

Another suitable mitigation strategy may be to lock dependency versions, or to switch to other programming languages with a proper standard library and a limited number of packages where one can at least audit the code.


Run it in a container. Don't let the container run as root - create an account which has the same ID as a dummy account on your host system. If you have to volume mount, be very explicit about what paths you mount and use the read-only flag if it makes sense. If you can't mount read-only because you need to write to certain files, then grant the container account access to those files using ACLs (e.g. on Linux use 'chmod' or 'setfacl').


Running it as user nobody within the container should be enough, no?


That should do it, as long as both host and container systems implement the nobody user with the same ID. Which is likely. But I'd check all the same.


I switched from Node to Deno partly for exactly this functionality.

But you’re probably looking for something more general, like containers, virtual machines, or other sandboxes (chroot?).


I don't think fetching arbitrary code over URLs is somehow better than npm.


Deno has module hashing and sandboxes OS access AFAIK.


    yarn install --flat
    git add node_modules

Then the next time you run yarn upgrade:

    yarn upgrade --flat
    git diff

Carefully read through what changed in each of the packages.

    git add node_modules
    git commit -m "yarn upgrade"

You will see a lot of bad code, but also learn stuff. But most importantly - your project will be secure.


Yes, don't give your main account admin sudo access without a password.

Keep backups on an external file store just in case.

Use a filesystem that has snapshot capabilities.


What is the point of that? Sudo doesn't give access to anything important. Very much reminds me of this https://xkcd.com/1200/

Snapshots on an external system are useful, but few are disciplined enough to take regular enough snapshots.


It kinda does… root can write to places that the user cannot. Like Boot partitions, or entire device nodes, or load kernel modules that the user cannot see. That xkcd is a funny historical joke, but the root/user distinction is still a critical part of operating system security today.


But it is true. Who cares if the program can write to your system configuration when it can encrypt your entire home directory and use your private SSH keys to encrypt all your servers as well.

I'd argue the root/normal user separation is largely useless on single user desktop computers.


Presumably only the homedirs of the servers.

You want a world where a browser exploit can drop a bootkit? Nahhh


They could just drop something in bashrc or somewhere else for a persistent exploit. The system files contain nothing worth touching on a personal device.


Persistent userspace. And while I understand privesc in major platforms is not the insurmountable problem it seems, it is still a layer of protection important to the model of preventing SMM, hypervisor efi boot and root level persistence, without something else up its sleeves.


I guess people have forgotten the lessons of 90s Windows: Don't download and run random .exe from the internet, assume they are hostile until proven otherwise.

Don't download, install and run random code libraries from the internet, assume they are hostile until proven otherwise.


I don't think that's really fair. Unity 3d and Vue.js are not random.exe.


I think their point might have been that Unity forgot that lesson. And everyone else, transitively, along the chain.

As horrible and impracticable as it sounds, the only way to prevent this happening is to read the source of every (/transitive) dependency you install. Yes, we can trust people, and yes, we can blame them when they betray our trust - we can even prosecute them - but as this shows, that's not always going to stop people. And it's certainly not going to stop attackers who gain control of those dependencies.

This is something we really need to think about as a profession. I would favour a system where dependencies are restricted to pure computation only (no syscalls) and any greater permissions must be granted explicitly. But that's extremely onerous, and likely - for many devs - to lead to a 'just click yes' mentality; even besides that, there are doubtless many cases it won't prevent. All I'm sure of is that we can't continue like this.


If war is bad, why fight a cyberwar as a civilian?


The node-ipc supply-chain attack also made its way into Unity, albeit in the milder "leave a file on the desktop" form:

https://twitter.com/hybridherbst/status/1504223953627369480


You can mitigate against those kinds of attacks using npm's `--before` option:

    npm i --before=`date -I -d '-5 days'`

It will only install packages released before the specified date.


I think this is engendering a false sense of security. NPM's awful documentation doesn't specify whether it's possible for a dependency published 1 year ago to install, via a wildcard [transitive] dependency, a dependency updated today[0]. I have absolutely zero faith in the NPM devs' having considered this.

[0] In fact, it doesn't specify this flag at all. Nor does the command line help, or man page. It doesn't say a word about this, and it appears the only way to determine the semantics of this flag is to run it.


Check out the other "Issues" there, it's going wild!


This only gives the Kremlin the ability to say "The West is out to get you".


Thanks for all the free pizza, and thanks to all the police that showed up to SWAT me. They were really nice fellas.

https://github.com/RIAEvangelist/node-ipc/commit/088a1ca4d5f...


Checking the source of the module, all it does is make a file on the desktop. That the issue opener has a troll face as an avatar doesn't help in taking their claim seriously.


It previously altered the file system by adding a file in every folder and causing issues. That version was then reverted with the current one that only adds a file to the desktop.

https://github.com/RIAEvangelist/node-ipc/issues/390



My guess is that the npm package itself got hijacked? The latest version on npm is v11.1.0 (updated 3 days ago) while master on GitHub is v10.1.0 (updated 9 months ago).


No, this was intentional. The author added the peacenotwar package to the dependencies and bumped the version a bunch of times to trigger automatic dependency updates.

This is why you should pin dependencies, but good luck keeping up with that in modern JavaScript dependency hell where every framework pulls in half a gigabyte of dependencies.
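As an added example (not code from the thread, from node-ipc or from peacenotwar), here is a small JavaScript model of why pinning your own package.json is not enough: npm-style ranges let a transitive dependency float to a newer release, which is exactly how repeatedly bumping a dependency's version reaches downstream installs, and a lockfile entry is what stops it. All package names, versions and registry contents are constructed for illustration; only exact, caret, tilde and wildcard ranges are handled, and prerelease tags are ignored.

```javascript
// Added example, not code from the thread or from node-ipc/peacenotwar.
// Models how semver ranges let a transitive dependency float to a newer
// release, and how a lockfile entry prevents it. Names, versions and the
// registry are constructed. Ranges handled: "1.2.3", "^1.2.3", "~1.2.3", "*".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range: bump the leftmost non-zero part.
function caretUpper([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// True if `version` is accepted by `range`.
function satisfies(range, version) {
  const r = String(range).trim();
  const v = parseVersion(version);
  if (r === "*" || r === "x" || r === "") return true;
  if (r.startsWith("^")) {
    const base = parseVersion(r.slice(1));
    return cmp(v, base) >= 0 && cmp(v, caretUpper(base)) < 0;
  }
  if (r.startsWith("~")) {
    const base = parseVersion(r.slice(1));
    return cmp(v, base) >= 0 && cmp(v, [base[0], base[1] + 1, 0]) < 0;
  }
  return cmp(v, parseVersion(r)) === 0; // exact pin
}

// An exact "x.y.z" is pinned; every other range can float to a new release.
function isPinned(range) {
  return /^v?\d+\.\d+\.\d+$/.test(String(range).trim());
}

// List the direct dependencies of a package.json that are not exact pins.
function floatingDeps(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (!isPinned(range)) out.push({ field, name, range });
    }
  }
  return out;
}

// Highest published version satisfying the range, as an installer with no
// lockfile would choose it.
function highestSatisfying(registry, name, range) {
  const ok = Object.keys(registry[name] || {}).filter((v) => satisfies(range, v));
  if (ok.length === 0) throw new Error(`no version of ${name} satisfies ${range}`);
  ok.sort((a, b) => cmp(parseVersion(a), parseVersion(b)));
  return ok[ok.length - 1];
}

// Resolve the whole tree to {name: version}. A lockfile version wins while it
// still satisfies the range; otherwise the newest satisfying release is taken
// (the floating case). Simplification: one version per package name.
function resolveTree(registry, deps, lock = {}, resolved = {}) {
  for (const [name, range] of Object.entries(deps)) {
    if (resolved[name]) continue;
    const locked = lock[name];
    const version = locked && satisfies(range, locked)
      ? locked
      : highestSatisfying(registry, name, range);
    resolved[name] = version;
    resolveTree(registry, registry[name][version].dependencies || {}, lock, resolved);
  }
  return resolved;
}

// Constructed registry: a framework depends on an IPC library via a caret
// range; the library's newest patch release quietly adds a new dependency.
const REGISTRY = {
  "my-framework": { "3.0.0": { dependencies: { "some-ipc-lib": "^10.1.0" } } },
  "some-ipc-lib": {
    "10.1.0": { dependencies: {} },
    "10.1.1": { dependencies: { "protest-payload": "^1.0.0" } },
  },
  "protest-payload": { "1.0.0": { dependencies: {} }, "1.1.0": { dependencies: {} } },
};

// The app pins its only direct dependency exactly, and this constructed
// lockfile records what the previous install resolved.
const APP_PACKAGE_JSON = { dependencies: { "my-framework": "3.0.0" } };
const LOCKFILE = { "my-framework": "3.0.0", "some-ipc-lib": "10.1.0" };

console.log("floating direct deps:", floatingDeps(APP_PACKAGE_JSON)); // []
console.log("no lockfile:", resolveTree(REGISTRY, APP_PACKAGE_JSON.dependencies));
console.log("with lockfile:", resolveTree(REGISTRY, APP_PACKAGE_JSON.dependencies, LOCKFILE));
```

Without the lockfile the pinned app still pulls some-ipc-lib 10.1.1 and its new protest-payload dependency; with the lockfile it stays on 10.1.0, which is the same property the "commit node_modules and read the diff" approach earlier in the thread gives you.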



