American NGO affected by your recklessness (node-ipc vulnerability)
github.com
This issue has turned into an absolute embarrassment
https://github.com/RIAEvangelist/node-ipc/issues/233
People like the maintainer are doing nothing but harm to the mutual trust that exists in the open source community.
What an absolute dumpster fire. These issues will end harming decades old traditions of open source collaboration and hacking.
This is not the way.
The real reason this shouldn't be allowed is because the internet is absolutely not secure enough for citizens from one country to start attacking other countries. You think it's funny to wipe a Russian's hard drive with a heart, but I guarantee what they do back out of spite won't be. The very epitome of throwing rocks from glass houses.
I'm not even sure if we have to consider retribution why this is a bad idea. There is no control over the blast radius this has. It could hit anything, from a military or criminal system (possibly doing something you could consider good) down to any kind of hospital, humanitarian organization, an org collecting data against putin. In any kind of conventional weapon used by a western state, such a lack of control would be a huge no-go.
It's not just the internet that's not secure enough, the physical world is very insecure for most of us too. There are lots of entities in Russia that aren't even related to the government that have the ability to reach out and roughly touch the maintainer. Any crime syndicate that was impacted by this is a potential threat to him now. It's pretty reckless to indiscriminately cause damage this way.
> There are lots of entities in Russia that aren't even related to the government that have the ability to reach out and roughly touch the maintainer. Any crime syndicate that was impacted by this is a potential threat to him now.
This is some weird fanfic. Russia is dangerous, but you have to do A LOT for those dangers to follow you outside of the country (much less to the US!)
It’s hard enough for Russians to get visas to travel to the west, and in the west you actually go to prison.
FWIW my wife fled Russia after her driver was shot and killed by the mob in an effort to get at her father.
Sounds like a fake story. What idiots would only store their war crime evidence database inside the aggressor state and not keep backups of it abroad?
If true, this arrangement was pretty much doomed to fail anyway. node-ipc did a good thing by notifying them of their folly before the Belarus KGB or Russian FSB did.
Maybe read the story before commenting next time.
I did, what makes you think I didn’t?
> Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus
This story is fucking crazy. Just think about it for a moment. A clearnet service hosted in Belarus to “securely” report war crimes? With all the data stored inside Belarus?
If this story is true, it’s absolutely a good thing that their server got wiped.
For the TL;DR types:
>We are an American NGO based in Washington, D.C. that monitors human rights infringements by authoritarian regimes in Belarus, Russia and other post-Soviet states. Since our start in 2014, we have been in contact with over 2,500 whistleblowers that provided us with detailed reports on various kinds of abuse happening there.
>Due to internet censorship there, one of the web services used to contact us securely was hosted on servers located inside Belarus. Normally, we back up the received content to an external server on the 20th day of every month, as this is reasonable given the volume we usually get, but since the start of the invasion on February 24th, traffic to our web service has increased over fiftyfold. Our staff has been working round the clock to accommodate the influx and during one of their tasks, a package containing the node-ipc module was updated on a production server, which resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by the Russian army and government officials. Due to the way the files were stored on the server, we are not able to recover any data and it's most likely gone forever. For some of the senders, this might as well have been their last contact with the outside world, as many of them were front-line soldiers that could've been killed in action during the offensive.
>Personally, my colleagues and I are absolutely devastated. All I can say is that your little shenanigan did more damage to us than Putin or Lukashenka ever could. Professionally, our counsel suggested filing criminal charges federally and it's likely we'll be proceeding this way.
This is the first time I've seen someone weaponize a repo like this, it's rather concerning.
I agree. I sincerely hope this sort of braindead thing doesn't become widespread
You can mitigate against those kinds of attacks using npm's `--before` option:
npm i --before=`date -I -d '-5 days'`
It will only install packages released before the specified date.

The maintainer, riaevangelist, appears to be breaking federal hacking laws by including the "peacenotwar" malware. They falsely claim it only shows a message on the user's desktop; however, it actually recursively overwrites the user's files.
https://github.com/RIAEvangelist/node-ipc/issues/319
The maintainer has taken to banning anyone pointing this out. I don't believe this is someone with good intentions. Riaevangelist may have had their account stolen. Either way they are clearly operating in support of Russia under a false flag, an increasingly common and complex issue.
Given the supposed criminal nature of these acts, GitHub and other services must step in to remove the offending commits, releases, and maintainers. Allow someone else to fork it.
> Either way they are clearly operating in support of Russia under a false flag
I don't see how this is clear at all. What is the evidence that this is a false flag?
There were plenty of comments on HN that were supportive of locking Russian citizens out of their accounts and disabling their domain names. I don't find it hard to believe that someone went a step further.
There are people advocating we attack anti-air missiles on Russian soil to implement a no-fly zone. Why is overwriting hard drives extreme enough that it has to be a false flag attack?
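Expanding on the `npm i --before=...` mitigation suggested upthread, here is an added example (not code from any commenter, and not npm's own resolver) that simulates what the cutoff does: given a package's publish history in the shape of the registry's `time` field (what `npm view <pkg> time --json` returns), it computes the same `YYYY-MM-DD` cutoff as `date -I -d '-N days'` and picks the highest version published strictly before it. The publish history below is constructed for illustration; the version numbers are chosen to resemble node-ipc's but the timestamps are invented, not the real release dates.

```javascript
// Added example: emulate npm's --before version selection offline.
// Not the thread's code and not npm's implementation; a model of the idea.

// Constructed sample in the shape of the registry "time" map. Timestamps
// are invented for illustration, not node-ipc's real publish history.
const SAMPLE_TIME = {
  created: "2021-01-01T00:00:00.000Z",
  modified: "2022-03-15T12:00:00.000Z",
  "9.2.1": "2021-06-10T10:00:00.000Z",
  "10.1.0": "2022-02-20T09:30:00.000Z",
  "10.1.1": "2022-03-07T15:00:00.000Z", // pretend: first release with the payload
  "10.1.2": "2022-03-07T18:00:00.000Z",
  "11.0.0": "2022-03-15T12:00:00.000Z",
};

// Parse "MAJOR.MINOR.PATCH"; returns null for non-version keys like "created".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric semver ordering (no prerelease tags in this model).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Same value as `date -I -d '-N days'`: ISO date N days before `now`, in UTC.
function cutoffDaysAgo(days, now = new Date()) {
  const d = new Date(now.getTime() - days * 86400000);
  return d.toISOString().slice(0, 10);
}

// Highest release whose publish time is strictly before the cutoff.
// A bare "YYYY-MM-DD" is read as UTC midnight, like npm's --before=DATE.
// Returns null when nothing was published before the cutoff.
function latestBefore(timeMap, cutoff) {
  const limit = new Date(cutoff).getTime();
  const eligible = Object.entries(timeMap)
    .filter(([k]) => parseVersion(k) !== null)
    .filter(([, t]) => new Date(t).getTime() < limit)
    .map(([k]) => k)
    .sort(compareVersions);
  return eligible.length ? eligible[eligible.length - 1] : null;
}

// Versions the cutoff excludes: useful for a quick "what am I avoiding?" look.
function versionsPublishedAfter(timeMap, cutoff) {
  const limit = new Date(cutoff).getTime();
  return Object.entries(timeMap)
    .filter(([k]) => parseVersion(k) !== null)
    .filter(([, t]) => new Date(t).getTime() >= limit)
    .map(([k]) => k)
    .sort(compareVersions);
}

// Usage: a deploy on 2022-03-12 with a 5-day cutoff resolves the cutoff
// to 2022-03-07 and therefore selects 10.1.0, skipping the same-day releases.
const deployDay = new Date("2022-03-12T00:00:00Z");
const cutoff = cutoffDaysAgo(5, deployDay);
console.log(cutoff, latestBefore(SAMPLE_TIME, cutoff), versionsPublishedAfter(SAMPLE_TIME, cutoff));

module.exports = { SAMPLE_TIME, cutoffDaysAgo, latestBefore, versionsPublishedAfter, compareVersions };
```

Two caveats the thread's one-liner does not spell out: the cutoff applies to every package in the dependency tree, not just the one you name, so a lockfile plus a deliberate review of any version bump is still the stronger control; and a few days of delay only buys time for someone else to notice a malicious release, it does not guarantee one is noticed.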
Thank you for this breakdown. It wasn't clear to me at first what was going on from OP's link.
Sorry about the bad title. First time submitting to HN, will be more verbose next time
Your title is fine! I just didn't know the context of what was going on with the project and its dependencies.
This issue sucks. Software packages should not intentionally cause data loss.
However, the person who filed this should have had better backups.
Edit: ok, re-read it. They have a process for backups but the invasion interrupted the process. That sucks.