Political activism kicks FOSS in the nuts

Criminals and political activists are using open-source projects to unleash ill-conceived cyber-terror operations.

Some of you might already be aware of a very unfortunate turn of events in a number of formerly open-source projects like node-ipc (a part of vue-cli) and a few others. TL;DR some politically motivated hot-shots have decided that it would make them stand for human rights and whatnot if they add bits and pieces of cyber-terror tools to the publicly maintained packages to “punish Russians”. Or in this case, software developers who might be using IP addresses rightfully or incorrectly perceived to belong to address pools allocated to the Russian Federation. Such tools may vary from zero-day exploits to encryptors and, perhaps, some others I didn’t bother to check.

Leaving the discussion of the obvious idiocy and outright criminality of such actions to readers’ homework assignment (you can check here, here and here just to get a gist of the consequences of being an idiot) I really want to bring up a very different point. Namely I want to discuss how a very few infantile, pimple-faced, soy-fed creeps with psychological issues and low testosterone levels can cause great damage to a great movement many of us have dedicated decades of our lives to.

Yes, I am talking about loss of trust and reputation damage to the open-source movement as a whole. Like many of you, my software stack is predominantly open-source or based on frameworks and libraries maintained by communities around the world. I rely on these bits, pieces and whole systems both for my personal and professional life. After browsing through examples like the above, my professional paranoia has kicked up to 11.

I have a lot of friends and business partners in Russia. And I am not giving in to silly and poisonous propaganda from TV, MSM and our elected representatives trying to convince me that I have to break all my ties with Russian people, eat lentils and kill my dog to punish some politicians living 8,000 miles from me on the other side of the planet.

However, from now on I literally have to start watching my six with every update of my software stack, installation of every piece of software on any of my devices (yup, good riddance Mozilla) because I have no easy way – correction – no way AT ALL – to know if such an update or installation won’t wipe out or encrypt my hard drive or worse. If you aren’t worried about such possibilities – you should start now. If you think I am out of touch with reality – you might want to check your head first.

The trust is lost, ladies and gentlemen ;( Only time will tell how bad the fallout will be. If you are a part of an open-source development community, start paying attention to what dependencies your project pulls in; pay extra attention to code changes during code reviews. The reason is simple: once your own project – even inadvertently, through a third-party dependency or code injection – becomes an attack vector and causes damage to your customer – you can stick a huge fork into your work, ’cause it is done for good.

I am truly hopeful that the proverbial “thousands of eyes” will be able to spot not only bugs in the open code, but security threats and cyber-terror injections before it is too late!

Signal or Telegram: who’s a better guardian of your privacy?

I am offering you the following without any conclusions of my own, so make your call.

A few days ago one of the founders of the Signal messenger (Moxie Marlinspike) started claiming that Telegram is worse than or equal to the infamous WhatsApp and FB’s Messenger in terms of security and encryption. His reasons show all-too-familiar tactics of turning facts inside out to fit the narrative (i.e. https://twitter.com/moxie/status/1474067551785144327).

Claims like this are actually addressed in Telegram’s FAQ, where it explains how they split encryption keys between geos in order to make it nearly impossible for any single country to get access to the content of even non-end-to-end-encrypted chats. Also, you might want to check this for more in-depth explanations: https://telegra.ph/Why-Isnt-Telegram-End-to-End-Encrypted-by-Default-08-14.

But just today I came across this analysis of the history of Signal https://yasha.substack.com/p/signal-is-a-government-op-85e exposing Moxie’s possible connections to the NSA and perhaps other agencies. Which won’t be very surprising for a guy who headed the encryption team at Twitter.

Anyway – judge for yourself and feel free to forward it around if you think this is helpful.

Github social conditioning

Microsoft Github isn’t about social coding anymore: it is all for social conditioning now.

Yesterday Microsoft made another clear-cut action of posturing and virtue-signaling (much like their decision not to sell certain technology to police departments). This time around they declared war on the English language and made it clear to everybody that they are in a position to decide the meaning of words for the rest of us. In particular, for the software development communities. Yes, I am talking about the controversial and illogical step to remove the common term “master” from their popular version control system Github.

Today, after almost ten years of being a customer, I have deleted my Github account and completely moved elsewhere. If you’re thinking about doing the same you can find ample alternatives from bitbucket.org to jetbrains.space with many options in between.

Replacing words in programming languages or changing their meaning has nothing to do with social justice or a better world. It is how big tech companies flex their muscles and exercise their control over the software development crowd.

Submission or outright genocide through commercial means is what Microsoft was doing to Free Software and later Open-Source Software for years. This is what Microsoft keeps doing no matter how many times their management will say “we embraced open-source” or “we admit our mistakes in the past” – they still have the same agenda and they still do everything they can to submit open-source development to their command. Massive contributions to the Linux Foundation and Apache Software Foundation are just that: tactical moves to set up people who would be doing their bidding for them.

Perhaps open-source developers and other software professionals will hear this and hit Microsoft back exactly where it hurts: their P&L, user base and the influence they should no longer have.

Hey LinkedIn – you’re next!