Protestware: Right ends, wrong means?
Do the ends justify the means? Most of us would probably say it depends. The answers to that question tend to come with a host of qualifiers — the world isn’t all black and white, after all.
But in general, those who agree with the ends are more likely to justify some wiggle room with the means, whereas those who don’t like the ends are less likely to like the means either if they stray from “the rules.”
That describes much of the ongoing debate over so-called “protestware” — malware or other, less malicious but still distracting or irritating code injected into open source software packages to make a political, personal, or moral point. In recent months, the debate has become more topical and heated, after some protest malware was launched against political targets and open source advocates loudly condemned the fact that it can damage many more users than the supposedly intended targets.
The Open Source Initiative (OSI) has condemned Russia’s invasion of Ukraine and in a blog post called protestware that simply issues anti-war messages relatively harmless. But it pleaded for an end to protest malware, saying the “weaponization” of open source “damages the work of developers and operators solely because they have a Russia-assigned IP address. It harms peacemakers as much as the warmongers — even ethical hackers using a VPN to work against the invasion might become collateral damage.”
“The downsides of vandalizing open source projects far outweigh any possible benefit, and the blowback will ultimately damage the projects and contributors responsible,” wrote Stefano Maffulli, OSI executive director. “By extension, all of open source is harmed. Use your power, yes — but use it wisely.”
The motives aren’t always political, however. Sometimes they’re personal. With open source now the dominant software (about 80%) in just about every codebase, there are pockets of resentment from some developers who feel they’re making products that others use for free (and for profit) without getting much support, acknowledgment, or compensation.
In fact, some developers and maintainers of open source projects simply quit maintaining them because they’re tired of doing so, or want to focus on something else. That is an ongoing problem.
But in January, open source project developer and maintainer Marak Squires went further. He sabotaged two of his widely used open source projects out of apparent frustration over large corporations and commercial consumers using those free components without supporting the overall open source community.
Users of two open source libraries, colors.js and faker.js, suddenly found that applications using the libraries were printing gibberish. Paul Ducklin, writing on the Naked Security blog, said Squires had “trashed his own code” by adding an infinite loop at the end that prints the text “testing testing testing” over and over again, after applying a function called zalgo to it.
“Zalgoification, if you’ve never heard of it, is a way of making regular Roman characters look weird and meaningless by littering them with accents, cedillas, umlauts and other so-called diacritical marks,” Ducklin wrote.
Squires had warned earlier that “I am no longer going to support Fortune 500s (and other smaller sized companies) with my free work. There isn’t much else to say. Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it.”
Hence the debate over means and ends. Most of those involved agree that one might have noble reasons to support a nation under attack, or justifiable reasons for wanting some compensation for a product from which others are profiting handsomely.
But as numerous members of the vast open source community note, the damage from protests like this can and does affect many more users than the allegedly intended targets.
Indeed, while some open source advocates say they can understand Squires sabotaging his projects due to lack of support, protestware like “peacenotwar” is serious vandalism.
Don’t poison the food
“Asserting your rights to your own stuff is like saying, ‘I’m done offering free food,’” Tobie Langel, principal at UnlockOpen, told TechTarget. “This is like leaving the free food around, but you put stuff on it that makes people sick.”
In an email interview, Maffulli said protest is “an important element of free speech that should be protected. It’s one thing if a maintainer adds a banner that displays a political message but doesn’t really change the behavior of the program.”
“Totally different is the case of software that is modified to delete system files if it detects that it’s running on computers located in a specific part of the world or with a set locale.”
So how big a deal is this? It’s not widespread, at least yet, according to some open source experts, who point out that protestware is so far very much a fringe activity. They say it should simply be another reminder to users of open source that they should always verify before they trust.
Indeed, there are plenty of hackers whose motives are criminal, not political or personal, looking to exploit open source weaknesses. And open source software components are, after all, part of a software supply chain with potentially tens of thousands of components that need to be tracked and vetted for security defects.
One of the most effective ways to do that is with an automated tool called software composition analysis that can help create a software Bill of Materials (SBOM). President Biden’s May 2021 executive order on cybersecurity called for every software product purchased by federal agencies to have an SBOM, although that is still very much in the works.
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, said protestware “is no more nor less a problem for consumers of open source than any other risk that might be present within the open source software consumed by an organization that lacks any meaningful open source governance practice.”
His colleague, Michael White, applications engineer with the Synopsys Software Integrity Group, agrees. “When you choose to use a software package from ‘elsewhere’ you are placing a lot of trust in the author, maintainer, and distributor of that package,” he said.
No blind trust
So while the motives of protestware purveyors may be debatable, White said, “at the end of the day this is really the prerogative of the author, and that’s the risk you must assume.”
“Don’t forget,” he added, “that we’re already familiar with packages that have been intentionally backdoored by malicious third parties for some time now via hijacking attacks, so the idea of ‘package-goes-bad’ is not a new phenomenon at all for many security teams. The way they solve this is via a centralized SBOM inventory.”
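The centralized inventory White describes is only useful if it is actually compared against what a build pulls in. The following is an added example, not code from the article or from Synopsys, OSI, or any of the people quoted: a small Python script that reads the `packages` map of an npm `package-lock.json` (the lockfileVersion 2/3 layout), turns it into a minimal SBOM-style inventory, and diffs it against an approved baseline. It flags packages that appeared, disappeared, changed version, or changed content hash without a version bump, and packages with no integrity hash at all, which is how a "package-goes-bad" release such as a sabotaged colors.js or faker.js update would surface before it reaches production. The package names, versions and integrity strings in the sample lockfiles are constructed for the example and do not correspond to real releases.

```python
"""Minimal SBOM inventory diff for npm lockfiles (added example, not from the article)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    """One entry of the inventory: package name, pinned version, content hash."""
    name: str
    version: str
    integrity: Optional[str]


def inventory_from_lockfile(lock_text: str) -> dict[str, Component]:
    """Build a name -> Component map from package-lock.json text.

    Assumes the lockfileVersion 2/3 layout, where every installed package is a
    key of the top-level "packages" object such as "node_modules/@scope/name".
    """
    lock = json.loads(lock_text)
    inventory: dict[str, Component] = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the "" key is the root project itself, not a dependency
        # Nested installs look like "node_modules/a/node_modules/b"; keep the leaf name.
        name = meta.get("name") or path.split("node_modules/")[-1]
        inventory[name] = Component(name, meta["version"], meta.get("integrity"))
    return inventory


def diff_inventory(baseline: dict[str, Component],
                   current: dict[str, Component]) -> list[tuple[str, str, str]]:
    """Compare the build's inventory with the approved baseline.

    Returns sorted (finding, package, detail) tuples; an empty list means the
    build only contains exactly the components that were previously reviewed.
    """
    findings: list[tuple[str, str, str]] = []
    for name, comp in current.items():
        base = baseline.get(name)
        if base is None:
            findings.append(("NEW_PACKAGE", name, comp.version))
        elif base.version != comp.version:
            findings.append(("VERSION_CHANGED", name, f"{base.version} -> {comp.version}"))
        elif base.integrity != comp.integrity:
            # Same version string but different tarball hash: the artifact was replaced.
            findings.append(("INTEGRITY_CHANGED", name, comp.version))
        if comp.integrity is None:
            # Nothing pins the tarball content; the registry could serve anything.
            findings.append(("NO_INTEGRITY", name, comp.version))
    for name in baseline.keys() - current.keys():
        findings.append(("REMOVED", name, baseline[name].version))
    return sorted(findings)


def passes_policy(findings: list[tuple[str, str, str]]) -> bool:
    """Gate: any deviation from the reviewed baseline blocks the build."""
    return not findings


# Constructed sample lockfiles (names, versions and hashes are invented for the example).
BASELINE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/colors": {"version": "1.2.3", "integrity": "sha512-CONSTRUCTED-A"},
        "node_modules/faker": {"version": "4.5.6", "integrity": "sha512-CONSTRUCTED-B"},
    },
})

# The same app after an unreviewed dependency refresh: colors bumped, a new scoped
# package pulled in without an integrity hash, faker unchanged.
CURRENT_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/colors": {"version": "1.2.4", "integrity": "sha512-CONSTRUCTED-C"},
        "node_modules/faker": {"version": "4.5.6", "integrity": "sha512-CONSTRUCTED-B"},
        "node_modules/@example/newdep": {"version": "0.1.0"},
    },
})


def run_example() -> list[tuple[str, str, str]]:
    """Diff the constructed lockfiles and return the findings."""
    baseline = inventory_from_lockfile(BASELINE_LOCK)
    current = inventory_from_lockfile(CURRENT_LOCK)
    return diff_inventory(baseline, current)


if __name__ == "__main__":
    for finding, package, detail in run_example():
        print(f"{finding:18} {package:20} {detail}")
    print("policy:", "PASS" if passes_policy(run_example()) else "BLOCK")
```

In practice the baseline would be the inventory committed alongside the last reviewed lockfile, and the diff would run in CI on every pull request that touches `package-lock.json`, so a maintainer publishing a broken or hostile release cannot reach a deployment without a human looking at the version change first.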
Beyond that, is there a way to solve the potential increase in frustrated or burned-out developers and maintainers who are tired of working for free to enhance the profits of others?
Maffulli said there is no one-size-fits-all solution. “The main complaint I have with most conversations about supporting maintainers is that they paint and address it as if the world of open source maintainers is homogeneous when clearly it’s not,” he said. “The maintainers of GNU LibC or Kubernetes have a totally different set of needs from the maintainer of a small npm [node package management] package.”
White agrees that there is no simple fix and that a blanket call for “support” could have some unintended consequences. “It would be great to see the community rally around and support long-term maintenance of a number of critical packages,” he said, “but this is something the community has been trying to figure out for many years.”
“Probably no maintainers got into this with the expectation that they ‘need’ support, but it’s still the right and logical thing to do from both a holistic as well as a business perspective for many of the top consumers and integrators of these packages to contribute something back.”
“There are downsides though,” he added. “While a hobby or passion project is one thing, it might get challenging to have to prioritize enhancement requests from paying donors over other requirements. So it’ll be interesting to see how this plays out.”
“I also wonder what this might do with licensing terms,” he said. “Would the support be conditional on the license terms not changing? Would it force particular licenses in preference to others?”
All of which are more reminders that the world is not all black and white, just like means and ends.