If the code detects that it’s running in Russia or Belarus, it tries to replace the contents of every file on the user’s computer with a heart emoji.
A software library is a collection of code that other programmers can use for their purposes. The library node ipc is used by: Vue.jsa framework that powers millions of websites for companies such as Google, Facebook and Netflix.
This one critical security vulnerability is just an example of a growing trend of programmers sabotaging their own code for political ends. When programmers protest through their code – a phenomenon known as “protestware” – it can affect the people and companies who rely on the code they create.
Different forms of protest
Malicious protestware is software that intentionally damages or takes over a user’s device without their knowledge or consent.
Benign protestware is software created to raise awareness about a social or political issue, but does not harm or take over a user’s device.
Modern software systems are prone to vulnerabilities because they rely on third-party libraries. These libraries are made of code that performs certain functions, created by someone else. Using this code, programmers can add existing functions in their own software without “reinvent the wheel”.
Using Third Party Libraries is common among programmers – it speeds up the development process and reduces costs. For example, libraries listed in the popular NPM registercontaining more than 1 million libraries, rely on average five to six other libraries of the same ecosystem. It’s like an automaker using parts from other manufacturers to finish their vehicles.
These libraries are usually maintained by one or a handful of volunteers and made available to other programmers for free under an open-source software license.
The success of an external library is based on its reputation among programmers. A library builds its reputation over time as programmers gain confidence in its capabilities and the responsiveness of its administrators to reported defects and feature requests.
If vulnerabilities in the third-party library are exploited, it could give attackers access to a software system. For example, a critical security vulnerability was recently discovered in the popular Log4j library. This flaw could allow an attacker to remotely access sensitive information captured by applications using Log4j, such as passwords or other sensitive data.
What if vulnerabilities are not created by an attacker looking for passwords, but by the programmer himself with the intention of making users of their library aware of a political opinion? The rise of protestware raises such questions and reactions have been mixed.
Ethical questions galore
“The downsides of wrecking open source projects far outweigh any potential benefit, and the backlash will ultimately hurt the projects and contributors responsible.”
What is the main ethical question behind protestware? Is it ethical to do something worse to make a point? The answer to this question largely depends on the individual’s personal ethical beliefs.
Some people may see the impact of the software on the users and argue that protestware is unethical if it is designed to make life harder for them. Others may argue that if the software is designed to make a point or raise awareness about a problem, it can be considered more ethically acceptable.
From a utilitarian perspective, you could argue that if some form of protestware is effective in bringing about a greater good (such as political change), it may be morally justifiable.
From a technical point of view, we are developing ways to automatically detect and counter protestware. Protestware would be a unusual or surprising event in the change history of a third-party library. Restriction is possible through redundancies, for example code that is similar or identical to other code in the same or different libraries.
The rise of protestware is a symptom of a larger social problem. When people feel they are not being heard, they can resort to various measures to get their message across. In the case of programmers, they have the unique ability to protest through their code.
While protestware is a new phenomenon, it will likely remain. We need to be aware of the ethical implications of this trend and take steps to ensure that software development remains a stable and secure area.
We rely on software to run our businesses and our lives. But every time we use software, we put our trust in the people who wrote it. The rise of protestware threatens to destabilize this confidence if we don’t act.