Programmers hit Russia with hidden-code ‘protest software’ supporting Ukraine


Russia’s invasion of Ukraine elicited a wide range of responses around the world. From harsh financial sanctions to severing trade ties, the Russian economy is under siege.

Corn online, another type of punishment has hit Russia. Some programmers who write freely available open-source software packages have modified their programs to oppose the invasion. Dubbed “protestware,” the program updates checked whether a user was in Russia or Belarus and, if so, took action ranging from from displaying text like “Stand with Ukraine” to trying to erase the contents of the drive they were running on.

How can a programmer slip such a change onto a Russian user’s computer? This is due to the software industry’s movement to increase efficiency by reusing open source code. Call it the software supply chain.

There are no ships, planes or trucks involved. Instead, the channel connects open-source programmers to millions of other developers through servers run by California-based web hosting company GitHub.

A programmer writes a useful piece of code, for example to give applications a spell check function, and publishes it as an open source project on GitHub. Other developers who want to add spell checking to their apps embed the code into their projects. When the original programmer updates the code, applications written by the developers who incorporated it often automatically download the updates from GitHub. Downloads happen automatically as updates may include critical bug fixes or security enhancements.

Overall, this can be beneficial, but it also opens the door to updates that contain harmful code. The Russian protest software incidents came after update issues in January when a developer named Marak Squires sabotaged two popular code libraries he maintained, saying he was unhappy with big companies using his work without paying for it.

These new risks in the software supply chain are just the kind of cybersecurity problem that Boston startup Snyk (pronounced “sneak”) set out to solve. The company monitors thousands of open source code projects and all of the online conversations that take place around the projects, to uncover security vulnerabilities and alert developers before something serious happens.

Liran Tal, director of Snyk’s developer defense team, said the company discovered a variety of modified code protesting the Russian invasion. He’s less concerned with small tweaks that add a political statement. But for changes that modify files or trigger more destructive actions, Snyk triggers warnings and even delays updates for any developer using its protection service (the company offers a limited free service until more comprehensive protection can cost $139 per month per developer).

“This way of delivering a message goes far beyond what one might expect and could essentially harm people, even those who aren’t, so that’s where we come in,” Tal said.

And with all the publicity surrounding the anti-Russian protests, the problem could get worse. “Open source [software] is everywhere, it’s ubiquitous,” Tal said. “Protestware is definitely going to be a bigger problem.”

Aaron Pressman can be contacted at [email protected] Follow him on Twitter @ampressman.


Comments are closed.