An Inside Job: The Danger of Weaponized Open Source Projects



Gerald Benischke is making the open source community take a hard look at the possible consequences of weaponized code. He’s right to be concerned that everything “open source has achieved over the last 30 years … [is] now at risk of becoming collateral damage.” Why?

It’s not about sitting on the fence or taking sides in a war. It’s about what open source has achieved over the last 30 years and I think that’s now at risk of becoming collateral damage.

Gerald Benischke

Open Source Softwar(e)

Following the Russian invasion of Ukraine, many companies cut their services and sales to some or all Russian customers. Open source NoSQL database MongoDB is among them. Benischke also looks at how a modified Node library now tries to delete files on machines with Russian IP addresses.

Is this even Open Source?

Less damaging but more personally intrusive, a community Terraform AWS module changed its code and added to its Apache license. “Additional terms of use for users from Russia and Belarus” require those users to agree with three statements. One of those statements is “Putin is a dickhead.” Benischke notes this violates part of the Open Source Initiative’s definition of open source:

5. No Discrimination Against Persons or Groups.
The license must not discriminate against any person or group of persons.

OSI, The Open Source Definition

Protestware or Malware?

Once our software can’t be trusted, what will happen?

Benischke warns about the possible “unintended consequences” of weaponized code. He’s right it goes beyond protest, especially in the case of the destructive Node library:

“In my mind, the term protestware is attempting to legitimize the malicious actions and very much turns open source libraries into weapons to be aimed and fired at your opponent… I do think that these actions are to be condemned — especially as the “delete files based on geofencing IP addresses” has got the potential of causing collateral damage.”

Collateral damage to trust in open source could kill it.

The deeper (and probably the worst) unintended consequence is the loss of trust in the open source community. Benischke asks if it’s even open source code if you can’t trust it.

The Open Source Initiative responded to Benischke’s post positively and in agreement. They support “creative” forms of “protestware” that are informational or symbolic, but they distinguish this from (and reject) weaponized code. However, they do not mention trust at all, or the consequences of losing it.

Why does trust matter so much? If you can’t trust your dependencies, who is in a position to take ownership of them all to ensure their safety? Only a few large companies allied with the most powerful nations could afford this. Exclusive multinational blocs using trusted but closed source software might emerge. And it’s not as if we didn’t already have enormous challenges with security, maintenance, project sustainability, and the “bus factor.”

This is why Benischke’s concerns about the death of trust as a lethal poison are not far-fetched or of secondary importance to WordPress and open source. If anything, he understates the precarity of the moment we are in.

What about you? Let us know in the comments.

Post Status Postscript

WordPress may not be interested in the US Department of Defense, but the DoD is interested in WordPress!

It wasn’t hard to see the weaponization of open source coming long ago. I just thought it would be malign individuals and organizations outside the open source community exploiting open source code to spy on and harm enemies. I didn’t think it would be members of open source projects themselves. And now we’ve experienced this, with the Zamir plugin. (See our related thoughts on that story over here.)

That is all very concerning. I hope it’s not as bad as Heather Burns says it is, but she may be right:

“The .org OSS project is entirely legally controlled by a US company which could, at any time, fall under scrutiny for providing services to Russia, or be brought into the sanctions regime.”

Heather Burns @WebDevLaw

Is this how we need to think now, of globalized, international open source projects and communities?

It also reminds me of a conversation I had at the last Post Status Partners Retreat. I had asked a WordPress OG why he thought there always seems to be a constant sense of anxiety about disaster just around the corner in the WordPress community. I haven’t seen that in other projects that are healthy even if they have a much smaller market share — like Drupal, for instance. (Speaking of which, you should check out Amy June Hineline’s comparison of the Drupal and WordPress communities in her recent chat with David.)

My question led to the response that only WordPress can destroy WordPress, and then we had some fun imagining “evil” self-sabotage scenarios that might realistically play out. Later I posed this as a thought experiment with other people — imagine a Screwtape Letters take on WordPress. What would a clever demon do to ruin the project by manipulating its insiders?

Even in the worst case scenarios, most people agreed that some massive corporations are so dependent on WordPress, they would take it over in their own — in-house (and likely as good as proprietary) distribution. WordPress would not die. The project as we know it might die. The community would die. The software, at the end of the day, is the most durable thing — but it’s not worth much to us if it’s torn away from open source freedoms and an open, cooperative community of contributors. Can a community like this survive abandoning a fully globalized, international openness?

— Dan Knauss
