Open-Source Code Protestware Raises Safety Concerns

ChatMail   |   March 15, 2022

Open-Source Code Protestware Raises Safety Concerns

In the world of encrypted phones, customers and competitors alike often talk about open-source platforms. There is a misconception that any application not built on open-source coding is, somehow, inferior or can’t be trusted.

This perception is about to change. The latest cybersecurity news comes from the front lines of the hacker rivalry, which is heating up as the Russia-Ukraine conflict continues. This is a story about a misguided attempt to support a peaceful resolution of the war by hacking open-source code.

The elaborate scheme singled out geolocation for Russia and Belarus in the world's largest software registry, Node Package Manager, which contains over 800,000 code packages.

A Misguided Message of Peace

An Interprocess Communication open-source code developer, who maintains about 40 NPM libraries, decided to protest the attack on Ukraine by writing new code for a NPM package called peacenotwar. He then published it on Github, noting: “This code serves as a non-destructive example of why controlling your node modules is important. It also serves as a non-violent protest against Russia's aggression that threatens the world right now. This module will add a message of peace on your users' desktops, and it will only do it if it does not already exist just to be polite.”

A week went by without any downloads of the peacetowar module.

An Escalated Event

As the developer was also the maintainer of the popular node-IPC, he inserted malicious code in the package; adding a function to identify the IP address on target computers in Belarus and Russia. This would affect developers who use node-IPC in their own projects.

The malicious code was designed to wipe files on the target IP addressed computers and replace them with a heart emoji. The attack was pushed with an update. More than a million downloads of other open-source code libraries, using the node-IPC application, are done weekly.

For perspective, imagine if an OS update was created to intentionally delete files on your computer.

The newly coined term for this type of malware attack is Protestware.

The Implications for Open-Source Software

A researcher at Snyk, a security company that tracked the coding changes and published the incident, referred to the node-IPC author by his handle when criticizing the decision to launch the attack.

“Even if the deliberate and dangerous act of maintainer RIAEvangelist will be perceived by some as a legitimate act of protest, how does that reflect on the maintainer’s future reputation and stake in the developer community?" In fact, the protest has angered many open-source code users and has sounded alarm bells about the safety of free software that anyone can inspect, modify and enhance. Experts are tracking other protestware updates against Russian aggression in Ukraine.

Other Incidents Worth Noting

As far back as 2010, when hackers disrupted open-source code for Google and other companies, the potential to poison the internet with malintent has been a real threat. Free and Open-Source Software is easier to hack because it is available to the public. The internet runs on FOSS. The recent Log4J attack nearly brought down the internet.

Another NPM scandal wasn’t a hack, just a disastrous result of a developer who unpublished more than 250 modules from the library. Known as the Left-Pad Incident the 2016 code catastrophe broke the internet, requiring NPM to reinstate the code against the programmers’ wishes.

In 2017, a systems-security researcher who was an assistant professor at the University of Minnesota was studying the potential for human error and reducing its influence as part of his larger body of work around security, operating systems, program analysis and compilers – with the Linux OS at the centre of his work, the basic level of which is the Linux kernel. The kernel is open source, so it is publicly available to view and contribute to its millions of lines of code.

While trying to demonstrate to developers “how a malicious actor might slip through their net,” the researcher worked with PhD students to produce and publish their work, entitled “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits.”

It proposed the theory of someone introducing vulnerabilities intentionally into the Linux kernel as part of a legitimate patch to fix a real bug. The suggestion set the community on fire and ultimately got the university banned from contributing to the Linux Foundation’s work indefinitely.

The outlash was due to the fact the paper was research conducted on the community without seeking prior approval. The researchers claimed that none of the bad bugs they created for the experiment had made it to the Linux kernel and that their test cases with the bad patches had all been pulled, with real patches substituted. But the Linux Foundation asserts one patch from the study did get through. Even though the test didn’t cause any harm in the end, the university was chastised for having crossed a line.

Regardless, thousands of open-source weaknesses are discovered every year and are tracked in the U.S. Department of Commerce’s National Vulnerabilities Database and are rated as Low, Medium, or High.

Why ChatMail Uses Proprietary Code

A prior ChatMail blog noted, “Going open-source would demonstrate the strength of our security, but it could also introduce weaknesses.” We decided the best way to showcase the quality of our data privacy and encryption, without opening any potential weaknesses, was simply to prove how our encryption works by showing off a device’s database and how the messages are encrypted in real-time. At no point are messages ever stored in plain text.

The most secure encryption is very close to open source, trusted maintainers control the update process and security researchers, and cryptographers verify the encryption, using layers of the strongest cryptography. ChatMail Advanced Messaging and Parsing Protocol is our exclusive end-to-end encryption, securing the full cycle of ChatMail communications, in transit and at rest on our hardened devices using both our PGP and Diffie-Hellman Elliptic Curve Cryptography, with Curve25519. CAMP always protects user’s privacy through our state-of-the-art encrypted technology.

Our CAMP protocol uses Hash-based Message Authentication Codes with a 256-bit secure hashing algorithm, which is often referred to as military-grade. It is so secure it is used to protect sensitive information by the U.S. government. It is the same authentication used in Bitcoin. Our symmetric encryption is AES-256 in counter mode. Automatic verification is done with your public identity key.

As you can see, there are pros and cons to the use of open-source architecture. While the public code is maintained and watched by people around the world, who observe changes and alert managers to risks and vulnerabilities, it is also open to threat actors.

The Right Way to Use Open Source

Combining the knowledge gleaned from FOSS and managing it in a secure, private communications protocol with multiple encryption algorithms is a superior approach. Applying the latest in open-source virtualization technology and custom management tools within a privately owned and operated custom server ultimately guarantees security.

ChatMail. Engineered for Security. Designed for Privacy.