Tell HN: Microsoft forgives malware? Node-ipc virus writer not banned GitHub
https://arstechnica.com/information-technology/2022/03/sabotage-code-added-to-popular-npm-package-wiped-files-in-russia-and-belarus/
I just wanted to bring up the fact that the perpetrator behind this cyberattack, "RIAEvangelist", is currently not banned on Github. Hours after publishing the malware code on Github's node-ipc repository they appeared to have temporarily locked his account. But given the fact that his activity remained shortly after, it means Microsoft didnt opt to punish him very long (or at all?).
Malware author's profile: https://github.com/RIAEvangelist
What are the broader implications of Microsoft's inaction against a clear case of computer sabotage? Could their inaction against this user be interpreted as negligence? Could it be interpreted as a relaxation of company policy restrictions against malware being hosted on Github? Discuss.
20 comments
[ 5.1 ms ] story [ 60.2 ms ] threadThe alternative is not that the person is banned from GitHub. The alternative is they make a new account, under a new name.
Just because it's a centralized point of distribution doesn't mean it is desirable to suddenly plop on a responsibility to police the world's software.
Furthermore, if you're not auditing new versions of dependencies before you let them loose on your systems, that's all on you.
Writing software is a bit like sex. You make one mistake, and you end up supporting it for life. Always practice safe dependency management.
Microsoft has no nor should they have any responsibility, to protect anyone from anyone else. Especially with their propensity for going overboard in that regard.
I'm not very surprised Github is equally lazy when it comes to protestware like this. Taking action might be seen as voicing an opinion and opinions cost a business money.
I used to run a relatively large open source MMORPG server (hundreds of concurrent users), with a tight-knit community. People there have done some pretty awful things (hacking, doxxing, you name it), yet when you try to punish them, the community finds a way to revolt, and rumors of all sorts will come out of the woodwork. It is human nature. Github is correct to tread carefully in all cases. Whether it is moral is another matter.
There are tiers of support and feature availability if you want a hosted solution at https://about.gitlab.com/pricing/, though the free version is very similar to Github's free version.
Github hasn't been the only option for source code repos for years now.
My best guess is MSFT (which is the owner of both) is wary of taking a political stance here.
Microsoft has taken some fairly assertive political stances wrt Ukraine, so I'm not sure corporate neutrality is to blame here (take this with a grain of salt: I work for MSFT, albeit not on anything remotely related to policy or comms).
The message Microsoft is sending right now is loud and clear: That they dont take malware threats seriously. That it isnt a big deal when users upload malicious code / trigger a supply chain attack that permanently deletes peoples files. Because the worst thing that can happen is only a minor slap on the wrist.