A cautionary tale about software dependencies during major geopolitical events

blog.benjaminvr.net

28 points by construct0 2 years ago · 40 comments

bradyd 2 years ago

I don't really see how this has anything to do with major geopolitical events, other than the fact that the developer of the library is Russian. The author's complaints could have happened with any open source library and don't seem to relate to the war in Ukraine in any way.

  • xmprt 2 years ago

    To give a more realistic answer to this question, when I was writing an article about npm dependencies[1], I incidentally came upon a case where the developer of node-ipc released a malicious version of the package that affected computers in Russian and Belarusian IPs specifically in response to the Ukraine war[2].

    [1]: https://www.preethamrn.com/posts/who-actually-uses-is-odd

    [2]: https://www.bleepingcomputer.com/news/security/big-sabotage-...

    • aleksandrh 2 years ago

      And then claimed his GitHub was "hacked" to save his ass. And was somehow not banned by GitHub despite clearly violating their TOS.

    • dontupvoteme 2 years ago

      I forgot about that targeted malware for a while, thanks for jogging my memory.

      Imagine now if he had done that towards Israelis or Arabs/Palestinians and how both the internet and governments would react.

      He only got away with such blatant crime because the entire west was against Russia. Mad that the overton window went so wide for a while there.

  • kinow 2 years ago

    I read the article and got the same impression. It had no conclusion on global event affecting dependencies. More speculations rather than facts.

    • construct0OP 2 years ago

      Thanks for your comments. I have to admit that it is shallow - going in more detail would risk identification of the people involved and paint a target on my back.

      I do realize that he may have simply changed his opinion - yet it is the most controversial one and he stood by it ideologically as expressed numerous times through a variety of mediums.

      It's a bit tinfoil hat, but I am disappointed and there's no harm in informing others about these observations and this experience. Mind you - and that's about all I'll add - that the repository stagnated in development for some time, increasing my senses about something being off considerably (browser extension ownership, for example, frequently gets bought by criminals to convert a user base into a cash cow, or worse).

      Disclaimer at the end of the article: If I am totally misinterpreting my observations and the Discord hostility without even an attempt at producing counter-arguments or productive and professional openness and communication, at least it serves as a cautionary tale of what could be. In any case, no disrespect or attempt to taint anyone's (open-source) software development ventures and/or their personality is intended. The name of the project or its developers will not be shared; if you can find it, be discreet or this article will be removed. Thank you.

      Thanks for your time. Have a great weekend.

      • seeknotfind 2 years ago

        As someone off this thread, lol, I hope you have a great weekend too.

        Whether it happened or not, it's a reminder of what can happen. Better to learn from mistakes you haven't suffered from so deeply yet. For starters, when in doubt, it doesn't hurt to get rid of the software dependencies you don't need.

        For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.

        Though the dead weight loss of mutual distrust weighs on us all, shouts echo in the void, so go home and read code, and when the next day knocks its ugly knuckles, tears at least wet dry watchful eyes.

        • ashishbijlani 2 years ago

          > For how to know you can trust a dependency, I'm afraid there is no solution: no theorem prover nor isolation, cryptography nor layerization can save you.

          I'm taking a stab at addressing this problem with Packj [1]. It carries out static/dynamic/metadata analysis to look for "suspicious" attributes such as spawning of shell, invalid/expired email (i.e., no 2FA), use of files, network communication, use of decode+eval, mismatch of GitHub code vs packaged code, and several more.

          1. https://github.com/ossillate-inc/packj
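The kind of check described in the comment above, reduced to a small script: a heuristic static scan of a package's Python sources for three of the listed attributes (shell spawning, decode+eval, network module imports) plus a repository-vs-published-package file comparison. This is an added illustration written for this thread, not Packj's code; the package trees, file names and the inert base64 blob are constructed sample input, and the attribute lists are this example's own, not Packj's rule set.

```python
"""Heuristic scan of a package's Python sources for suspicious attributes.
Added example, not Packj's implementation. Everything is done with the
standard library's `ast` module; no sample code is ever executed."""
import ast
import hashlib
from typing import Dict, List

# Heuristic lists for this example (assumption: not Packj's rule set).
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output"}
NETWORK_MODULES = {"socket", "urllib", "http", "requests"}
DECODE_NAMES = {"decode", "b64decode", "unhexlify"}


def _dotted(node: ast.AST) -> str:
    """Return 'a.b.c' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _contains_decode(node: ast.AST) -> bool:
    """True if any call nested in `node` is a decode-style call."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Call):
            if _dotted(sub.func).rsplit(".", 1)[-1] in DECODE_NAMES:
                return True
    return False


def scan_source(src: str, filename: str) -> List[str]:
    """Return human-readable findings for one source file."""
    findings = []
    tree = ast.parse(src, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = ([a.name for a in node.names] if isinstance(node, ast.Import)
                     else [node.module or ""])
            for n in names:
                # "urllib.request" counts via its top-level package "urllib"
                if n.split(".")[0] in NETWORK_MODULES:
                    findings.append(f"{filename}:{node.lineno}: network module import ({n})")
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SHELL_CALLS:
                findings.append(f"{filename}:{node.lineno}: shell spawn ({name})")
            elif name in {"eval", "exec"} and node.args and _contains_decode(node.args[0]):
                findings.append(f"{filename}:{node.lineno}: decode+{name}")
    return findings


def scan_package(files: Dict[str, str]) -> List[str]:
    """Scan every .py file in a {path: source} tree and flatten the findings."""
    findings = []
    for path, src in files.items():
        if path.endswith(".py"):
            findings.extend(scan_source(src, path))
    return findings


def compare_trees(repo: Dict[str, str], packaged: Dict[str, str]) -> List[str]:
    """Files that exist only in the published package, or whose content
    differs from the repository checkout (the GitHub-vs-package mismatch)."""
    diffs = []
    for path, content in packaged.items():
        if path not in repo:
            diffs.append(f"{path}: only in published package")
        elif (hashlib.sha256(content.encode()).hexdigest()
              != hashlib.sha256(repo[path].encode()).hexdigest()):
            diffs.append(f"{path}: content differs from repository")
    return diffs


# Constructed sample trees: the "repository" has one clean module; the
# "published package" adds a hook that shows all three attributes.
REPO_TREE = {"badlib/__init__.py": "def add(a, b):\n    return a + b\n"}
PACKAGE_TREE = dict(REPO_TREE)
PACKAGE_TREE["badlib/setup_hook.py"] = (
    "import base64, subprocess\n"
    "from urllib.request import urlopen\n"
    "\n"
    "BLOB = b'cHJpbnQoJ2hpJyk='  # base64 of print('hi'); never executed here\n"
    "\n"
    "def install():\n"
    "    exec(base64.b64decode(BLOB))\n"
    "    subprocess.run(['id'])\n"
    "    return urlopen('http://example.invalid/').read()\n"
)

if __name__ == "__main__":
    for line in scan_package(PACKAGE_TREE) + compare_trees(REPO_TREE, PACKAGE_TREE):
        print(line)
```

Each finding is a review prompt, not a verdict: legitimate packages spawn shells and open sockets too, which is why the comment pairs these signals with metadata checks (maintainer email validity, 2FA) rather than blocking on any single one. The tree comparison is the cheapest of the lot and catches the case where the published artifact carries code the repository never had.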

dporter 2 years ago

Is the author's implication that the developer took the project in a different direction because of the war? I don't understand what the connection is between "major geopolitical events" and the library. It's just a graph that shows that a year after the war started, the developer removed a feature the author liked.

  • construct0OP 2 years ago

    It's more than just this - I wouldn't write a "conspiratorial article" out of nothing, but alas I can not provide depth without risking identification of the people involved and painting a target on my back.

    I am watching the advisories for the dependencies closely. Please check my other comment as well.

    Thank you, have a great weekend.

    • lupusreal 2 years ago

      Given that this is the internet and I don't know you, how can I distinguish a sane person making well founded claims backed by hidden evidence they won't share with me, and a crazy person just being paranoid and seeing conspiracy where there is none?

      Usually the evidence is what makes the difference, but if you can't/won't share the evidence then what good are the accusations?

      • construct0OP 2 years ago

        That's fair, shall I put the names in the article and a link to the repository? Really, it's a war. Do you think I will risk my own wellbeing just to have clout for a few days?

        Not to mention opening myself up for the possibility of being sued by one or more contributors for "slander". I chose this approach and won't budge on that - it's not a fairy tale that people are dying and everything is affected by it, the list of embargos is considerable.

        Consider that you are connected to the world - including Russia. Would you trust your Russian neighbour if he pivoted his development style, opinions, pace, characteristics? No.

        Have a great weekend. Thank you.

        • pavel_lishin 2 years ago

          We're not asking you to expose yourself or anyone else to any danger.

          But you must realize that without going into more detail, we honestly have no idea what you're trying to communicate.

          I read your post, and I still don't understand what the war, and embargoes on Russia, have to do with an open source project changing how they do things. From reading other comments here, other people are also confused.

        • bragr 2 years ago

          Considering you have Mantine forked on your linked GitHub, you aren't going to great lengths to hide who you are directing this at, so to me it appears like slander.

adontz 2 years ago

>> The founder & lead developer is Russian and does not accept donations, perhaps noble, perhaps to avoid a financial trail.

In modern Russia, if one receives a money transfer from any other country, they may receive "Foreign Agent" (иностранный агент) status

https://en.wikipedia.org/wiki/Foreign_agent

"prohibited from receiving state funding, teaching at state universities, or working with children"

  • gbuk2013 2 years ago

    As per the page you linked to, FA law applies only to those who engage in "political activity", which most people (regardless of the country) tend not to do.

    • adontz 2 years ago

      The way Russian authorities tend to interpret laws may be quite surprising. For example, Russian government insists they conduct Special Military Operation (SMO). It is enough to reference Russo-Ukrainian conflict as War, instead of SMO, even in private conversation, to get a few years in jail.

      • gbuk2013 2 years ago

        I apologise for being pedantic (I am a programmer with a law degree and so have twice the inclination to be): can you provide specific examples of the FA law being interpreted in “surprising ways” especially in light of the GP concerns about a developer of some NPM package?

        Here is a list of individuals designated as FAs (the Russian DOJ site doesn’t load for me so I can’t verify it right now). https://ru.m.wikipedia.org/wiki/Список_иностранных_агентов_(... I recognise a few people on that list and can see why they are on it based on what I read online. Can you suggest some names that are surprising?

        Just to be clear, we are discussing the interpretation of the law, rather than whether or not the law should exist in the first place - that’s an entirely different kettle of fish.

        • adontz 2 years ago

          #5 Моргенштерн Алишер Тагирович Crazy rap performer.

          #8 Чичваркин Евгений Александрович Businessman, moved to London before FA law was implemented.

          #59 Новиков Илья Сергеевич Lawyer of Nadezhda Savchenko

          I am not surprised they are on the list, this is how Russian Government operates. Interpretation of law is surprising by western standards.

          • gbuk2013 2 years ago

            #5 is definitely suspicious reasoning - no surprise it is being appealed in the courts. That said, having read a little about this colourful persona, I have to admit my thought was “good job, he deserved it” although I know I really shouldn’t think like that. :) This is really an example of cancel culture, just done by the government. The problem is that there’s not really a law against being an arse and bringing in such a law would do more harm than good, so they are doing “the wrong thing for the right reasons”.

            The other 2 cases seem pretty clear-cut and less than 0 sympathy from me personally.

            FWIW, based on my experience in living in both systems there are some fundamental differences in culture that may help to get a better perspective: group has priority over individual; responsibilities / duties of the individual rather than rights; the more people you reach with what you say the higher the expectation that you will be a role model and the greater the censure if you don’t (sadly corruption and cronyism often gets in the way); a very strong “us” vs “them” mentality. I see these all the time playing out in different ways.

            As for applying “western standards” I actually had a law lecturer (I studied and live in UK) argue that this sort of thing is an example of “cultural imperialism”. I would just caution that a thorough understanding of historic, social, geographical (and other) challenges should be considered before trying to import patterns from elsewhere. Governance is what we would call in IT a “hard problem”.

            I’ll stop before this becomes an essay. :)

            • adontz 2 years ago

              I guess it's fair to say that "western standard" is what an average EU judge does to an EU citizen, not King Leopold's ideas.

    • pavel_lishin 2 years ago

      If you continue quoting from the wikipedia article, you'll also come across this (emphasis mine):

      > if they engage in "political activity", a broadly interpreted term

    • kjs3 2 years ago

      Everything is politics. - Thomas Mann

construct0OP 2 years ago

I see the post got flagged, sad to see but if that's the verdict this'll be the last comment on this post.

The title is not "I caught a Russian developer doing bad things during war!!", the title mentions "a cautionary tale", which from my point of view is a PSA through the means of sharing observations and my interpretation, with some speculation to inform the reader of possible avenues which may affect them, if not through this repository, through another.

To close my writing I'll include the content of a comment in response to a different user, which should define my intent:

"My point would mainly be to spread awareness and share an experience and my interpretation of it, not "slander" and paint a target on my back by namecalling and divulging more information which doesn't serve a purpose beyond wanting clout under the assumption that the war does not affect myself and others around me."

Thanks. Have a good weekend.

kgeist 2 years ago

From my experience as a developer from Russia, it's usually the other way around from what's found in the article. Since 2022, there have been a lot of instances of malware being found in dependencies which target Russian developers (deleting data in prod, denial of service). Many sites which host tutorials, programming blogs etc. have become unavailable to Russian devs ("access from your country is blocked"). Some repos removed Russian localizations altogether. GitHub deleted repos and banned accounts of developers with links to Russian banks and other large companies (even if they don't work there anymore). In the last year, our corporate site was defaced and DDoSed several times from foreign IPs.

I don't know about others, but I haven't witnessed some kind of similar refusal by Russian devs to cooperate with Western devs, nor have there been any protests in the form of altering repos.

What really changed in Russian IT after the war started is that 1) it strengthened Russia's infosec - for example, our company finally started reviewing random dependencies developers found on the Internet before going to production 2) some companies went into "hiding" and changed their legal names, "moved" their offices abroad, changed country info in GitHub profiles etc., to avoid being associated with Russia because it's now problematic if you want to deal with Western companies/devs (refusal to work with). As for not receiving donations etc. - it's not easy to set up because of sanctions.

dontupvoteme 2 years ago

Have there already been cases where a project switched part of their codebase to protest something(whatever it may be) and it resulted in lower quality/security issues, or is that something we'll see in the future?

Seems like an interesting attack vector. LibFoo was made by BadGroup, use LibBar instead, it's GoodGroup approved!

Meanwhile LibBar has security flaws, known or unknown, intentional or unintentional, which quickly get absorbed into other projects in a political frenzy to expel LibFoo at all costs (and said actions also are incentivized given that they drive publicity, engagement, etc).

I would have thought this completely nuts, prior to the whole node-ipc malware debacle. I would expect state actors to make the most of this expanded Overton window.

goga-piven 2 years ago

Many underestimate how many resources Russia puts into cyber warfare, and how simple dependencies or Docker images can be infected with malicious intent. Authors often have no choice but to do what they are told if they are physically located in Russia. Western folks, having never lived in such an environment, simply have no idea how things are different.

Are there not enough examples already proving the state of things in the industry right now? All the points the author mentioned are valid, in my opinion. Even if in this particular case it may not be true, there is a large background suggesting why it could be true.

bruce511 2 years ago

I'm not sure the article really makes the point, but in my experience the war has complicated remote work.

I'm tangentially aware of at least one US company that was outsourcing work to Russian and Ukrainian coders. Apart from the obvious "team" dynamics collapsing, it's not even possible (legal) to pay Russians at this point if you are a US company.

I'm also aware that the narrative inside Russia as to the cause of the war is very different to the narrative I hear. Naturally I believe the narrative I hear as do they.

In this global work-space, who you hire and where they live can become material quickly.

lcedp 2 years ago

I have trouble discerning the author's point exactly.

- Yes, you can't rely on open-source project going in the same direction as you want.

- Yes, any process involving people has a psychological and interpersonal component.

> To this day we read about the war and it feels distant[...]

> [..]don't get blindsided, especially in times of war[...]

I'm glad the author is not affected by the war, but I suppose it's fair to say that it is not hard for the author to stay unbiased (or it might be just indifferent).

  • construct0OP 2 years ago

    My point would mainly be to spread awareness and share an experience and my interpretation of it, not "slander" and paint a target on my back by namecalling and divulging more information which doesn't serve a purpose beyond wanting clout under the assumption that the war does not affect myself and others around me.

    Thanks for reading. Have a good weekend.

bee_rider 2 years ago

Yeah, of course, there are many much worse effects from this invasion. But one, while less harmful than the many deaths and displaced people, that hits close to home is that it is not really possible to collaborate with folks in Russia anymore. Hopefully their country will relent and allow them to rejoin the international community.

williamdclt 2 years ago

I've had to reread, I was certain I missed something. But no, this is entirely conspiratorial speculation without any basis _or_ even without any point?

If at least they explicitly put forward a theory like "it's russian influence to slow down western digital development" it would have some internal consistency, but no. They suppose it's russian influence (again, without basis) without any theory of _why_ Russia would care about an inconsequential CSS-related lib. Shrug.

  • briantakita 2 years ago

    > any theory of _why_ Russia would care about an inconsequential CSS-related lib

    Most likely he didn't want to deal with the maintenance burden of CSS-in-JS or React.

    I must be Russian because I don't want to deal with that either. Those darn Russians...

  • construct0OP 2 years ago

    Major shifts in behavior from the lead developer do not concern you? Overthrowing the dependencies used and opting in for more experimental and not as battle-tested JS frameworks does not alarm you?

    Going against a strong personal opinion after stagnation of development and a complete pivot on multiple levels is normal to you?

    Shall I mention mainframes still run COBOL? Should I introduce the latest version of this library to achieve the same? You do know it entails more chance of something wrong happening, and yes the developer is Russian, didn't we have an advisory against Kaspersky?

    Why would a repository with six figure stars be negligible and Kaspersky not? Please read other comments as well. Thanks for your perspective and have a great weekend.

    • mrguyorama 2 years ago

      Your entire operating theory is that a man you don't even know, a software developer, changed how he feels about software design?

      >Shall I mention mainframes still run COBOL? Should I introduce the latest version of this library to achieve the same?

      What the heck are you even trying to say here?

      >Going against a strong personal opinion after stagnation of development and a complete pivot on multiple levels is normal to you

      I mean, maybe his country launching itself into war and mining its population for bodies to throw at Ukrainian bullets and most educated or valuable people fleeing made him reevaluate his feelings on lots of things? Do you have any actual concerns about the code, or are you honestly trying to draw some crazy conspiracy between "A library went a direction I don't like" and "This might be an attack against my work"?

betaby 2 years ago

Related https://news.ycombinator.com/item?id=35182705

text0404 2 years ago

the developer of a library removed a feature around the time the war started and this is enough to accuse them of what, being a Russian state operative? without evidence, this is borderline xenophobic, man.

people's minds change, APIs change: look at the mess that was Python 2 -> 3, Angular 1 -> 2, react-router 4 -> 5, etc.