GitHub Restores Account of Developer Who Intentionally Corrupted His Libraries (thenewstack.io)

What happened after a developer intentionally corrupted two of their libraries which collectively had more than 20 million weekly downloads and thousands of dependent projects?

Mike Melanson's "This Week in Programming" column reports: In response to the corrupted libraries, Microsoft quickly suspended his GitHub access and reverted the projects on npm.... While this might seem like an open and shut case to some — the developer committed malicious code and GitHub and npm did what it had to do to protect its users — a debate broke out around a developer's rights to do what they wish with their code, no matter how many projects and dependencies it may have.

"GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."

An article on iProgrammer further outlines the dilemma present in what might otherwise seem like a clear-cut case.... "Yes, it is open source in that you can fork it and can contribute to it but does this mean that GitHub is justified in denying you the right to change or even destroy your own code?"

As of last night, however, it would appear that the entire affair is merely one for intellectual debate, as GitHub has indeed lived up to what some might view as its end of the bargain: the developer's account is active, he has been allowed to remove his faker.js library on GitHub (depended upon as it might be), and has since offered an update that he does "not have Donkey Brains".

  • Nope (Score:4, Interesting)

    by The MAZZTer ( 911996 ) <megazzt@nospAm.gmail.com> on Saturday January 15, 2022 @05:54PM (#62175877) Homepage

    "GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."

    He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.

    • "GitHub suspending someone's account for modifying their own code in a project they own however they want spooks me a lot more than NPM reverting a package," [tweeted one company's Director of Engineering & Technology]. "I kind of love what Marak did to make a point and protest to be honest."

      He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.

      If the ToS already prohibits what he did then you're spot on that he should be banned, but there is still the question of whether GitHub had the right/justification to "reset" the owner's work without their permission.

      The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files so no direct or permanent harm was done to any of the downloaders. But there was probable financial impact to those corporations. Tho

      • Re: Nope (Score:2, Insightful)

        by ttfkam ( 37064 )

        Can you imagine if someone in ANY other field of engineering decided to willfully sabotage a part and folks got upset because he was giving the parts out for free? I'm actually all for civil disobedience when something is broken, but to question harm mitigation by folks who detected the harm because the guy had a "right" to ship broken/faulty parts?

        Like making friction brakes on elevators and saying, "I just made the current batch not automatically arrest on free fall to prove a point."

        This right here is wh

        • Re: Nope (Score:4, Insightful)

          by russotto ( 537200 ) on Saturday January 15, 2022 @06:53PM (#62175989) Journal

          Like making friction brakes on elevators and saying, "I just made the current batch not automatically arrest on free fall to prove a point."

          If Otis was just picking up the brakes that some rando brake enthusiast regularly left in a pile on the side of the highway, I'd expect that to happen.

          This right here is why a lot of folks should not be called "software engineers". Far too many of you have no idea what "ethics" in the field entail.

          If you insist on this sort of "ethics" or duty existing, you'll kill open source dead. One of the reasons it works, despite the users not paying the developers, is that the developers have no obligation to the users.

          • Re: (Score:2, Redundant)

            by PPH ( 736903 )

            the developers have no obligation to the users.

            Just the opposite. The only obligation they have to the users is the ethical obligation to produce, to the best of their ability, a product that is fit for use. There are no deep pockets or boards of directors' benefits packages to go after should they fail to live up to this.

            And more often than not, it's the reputation of the individual developers that is on the line. The OSS management hierarchy is pretty flat, unlike that of for-profit software houses. Where the devs might be sitting anonymously in cubi

          • by raymorris ( 2726007 ) on Sunday January 16, 2022 @12:09AM (#62176567) Journal

            In common law jurisdictions, the developer has either a duty of "reasonable care" or "slight care", depending on the jurisdiction.

            Their legal obligation is to exercise either slight care or reasonable care to avoid actions that bring harm to others. In California, for example, it's "reasonable care". Some jurisdictions apply the lesser standard. Let's look at the definition of the lesser standard:

            Slight care - The care a reasonable person exercises in unimportant matters, or the care used by a careless person in a similar situation.

            Throwing rocks off an overpass would violate the duty of slight care.

            The developer's legal duty is to be at least a little bit careful not to do things that cause harm. Instead, they actively, intentionally, caused harm. That's an actionable tort anywhere.

            One might think "it's his code, he can change it if he wants to". That's true, the dev is allowed to change their code. In a similar way, if it's your rock you can throw it.

            If I throw a rock as my way of trying to hurt you, your complaint isn't that I'm not allowed to throw that particular rock. You'd sue me for INTENTIONALLY HURTING YOU. My rock is just the tool I used to hurt you with.

            Note, btw, you can sue me for throwing my rock off an overpass without looking to see if anyone was below. Even if I wasn't TRYING to hit anyone, I'd be liable for recklessly creating a situation that's likely to bring harm.

            Same here. He intentionally took actions that he knew (and even intended) to cause harm. It makes no difference whether he used his rock or his code to try to bring harm. He or she is liable for intentional harm.

            One might then ask "what about situations where you have a legitimate reason to harm, like business competition?" The law recognizes specific situations in which there is a sufficient public policy interest in allowing the harm. These specific instances are exceptions to the general duty of reasonable care.

            One class of exceptions is that certain relationships have a higher standard of care. For example, doctor-patient, parent-child. In a few jurisdictions, a lower standard is applied for trespassers vs invitees and licensees, so the dev would have an argument (though not a very good one) if the people were stealing the code.

            If you're still thinking "but it's their code!"
            Remember, it's my rock!

            Because the rock is mine, I can throw it. I still have to be somewhat careful not to hurt others when I throw my rock.

            • the developer has either a duty of "reasonable care"

              I agree, and I ran my career under those ethics. It was often hard to do with idiot, politically appointed, politically motivated, and completely non-technical project managers (schedule jockeys) standing behind me using stacked ranking as a stick.
            • Sorry, but legally this isn't going to fly. Yes, the default standard is what you cite but, because of first amendment issues (and the CA constitution equivalent) it does not apply to speech. That's why it's not illegal to post a video or report of someone behaving in an atrocious fashion (even though it's reasonably foreseeable that someone might decide to go beat them up for it). This is incredibly important otherwise it would be way way too easy to block important but very controversial causes (as the

            • Your analogy doesn't fit the situation as he didn't do anything to anyone else with his copy of his code. He edited his own copy of his own code on his source code repository on a computer system he was authorised to access for that purpose. That action does not change other people's copies of the code, which will all still work just fine. Source code is human-readable legally protected speech (we know this from the era of PGP). His speech includes a clear and stern warning about its lack of fitness for pur
        • Re: Nope (Score:4, Informative)

          by sjames ( 1099 ) on Saturday January 15, 2022 @11:59PM (#62176555) Homepage Journal

          OTOH, if someone is giving away elevator friction brakes and disclaiming all certification, guarantee, fitness for purpose or that any sort of formal testing has taken place, what does it say if some company installs them without testing and QC of their own?

        • Can you imagine if someone in ANY other field of engineering ...

          No, you can't, and you shouldn't, because no other field of engineering makes duplicates of your "brakes" like they were MP3s. And more importantly, no other field of engineering auto-upgrades their "brakes" to millions of cars using your blueprints of last night.

          Using an analogy here would not bring you closer to any kind of truth.

        • Github, understandably, does not want to take on any legal responsibility for developers' code or for its public usage. That's a potentially tremendous morass of liability. But if they start telling developers what they can, and cannot, publish in their git repos to prevent this sort of malicious abuse, they have much deeper pockets to sue for liability for the next malware or the next ransomware embedded project. So it makes sense that they'd not react quickly or firmly to the discovery of such abuse.

      • Re: Nope (Score:2, Insightful)

        You're right. Software developers shouldn't be called engineers but instead miracle workers. Name any other science field that has virtually reduced the costs of its output to zero. Oh that's right, you can't.

        I am all for ethics but you just stepped out of your domain and have no fucking clue what you are talking about. In fact the whole reason this came up is because those ethical engineers always get a pay check and this guy doesn't.

        • You're right. Software developers shouldn't be called engineers but instead miracle workers. Name any other science field that has virtually reduced the costs of its output to zero. Oh that's right, you can't.

          Basically ALL of them.

          https://asapbio.org/preprint-s... [asapbio.org]

          I am all for ethics but you just stepped out of your domain and have no fucking clue what you are talking about. In fact the whole reason this came up is because those ethical engineers always get a pay check and this guy doesn't.

          I just don't understand this perspective. How does one slap an MIT license on something and have no idea what this means? It would be one thing to be mad if people were ignoring the terms of your license yet here that clearly isn't happening.

            Which is why there is a difference between ethics and legality. Legally he is owed nothing. Ethically, considering how widespread his code is used, it's fair to compensate him for his consistent hard work and to further support it. This cost would be minuscule for large entities like those involved but it's not the culture.

            It's kind of like being invited over for a dinner with a friend, but you bring a plastic container, put the food in that, and leave. It's rude, unethical, and will cost you a friend.

            This

        • by narcc ( 412956 )

          This is a bit much. Programmers aren't engineers by any stretch, that's true. Neither are they scientists. They aren't mathematicians or logicians either, though many fancy themselves to be.

          Of course, there are many engineers, scientists, and mathematicians that are also programmers. It's a handy skill to have in many different professions. But that's all it really is.

          Programming is just a skill, and not a terribly difficult one to learn. Children can, and very often do, teach themselves. In the 80's

          • by N1AK ( 864906 )
            This is an arbitrary definition. I can engineer things, perform scientific experiments, and compute mathematical calculations but I wouldn't be widely accepted as being an engineer, scientist, or mathematician because I don't meet the standard those communities would accept (sometimes by qualification other times by informal assessment). You can teach someone engineering in about 10 seconds with some lego, they don't get to call themselves an engineer and build bridges. The same is equally true of programmi
      • Zeroing out the repo would have been far safer than "resetting" it.

      • The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files so no direct or permanent harm was done to any of the downloaders.

        One of the libraries changed to do an infinite loop, logging to the console endlessly. That's a denial of service attack, both in terms of using up the CPU, and possibly disk space (depending on if that was logged and how/if log rotation was configured).

      • by Improv ( 2467 )

        Check the license. I suspect they had the right to do it.

      • "The main issue is the question of if the code is actually "malicious" in the true sense. The code in question didn't damage anyone's hardware or files"

        THIS TIME. But what about the next time?
        This guy clearly demonstrated that he is willing to sabotage his own code, and release it on an unsuspecting public. Though files/hardware weren't damaged, there is still damage in the form of downtime and other kinds of loss related to his actions.

        He needs to be banned without question.

      • there is still the question of whether GitHub had the right/justification to "reset" the owners work without their permission.

        That question can be easily answered by looking at what license he chose. Did he grant permission for other people to make derived works, or not?

    • by mysidia ( 191772 )

      He used GitHub's infrastructure to distribute a malicious update to users. That should be a ToS violation if it isn't already.

      If the dev's going to be a big baby about them not liking the world and cause a mass disruption by breaking his stuff, then I think Github's perfectly justified in responding by breaking or disabling his account, repository and/or freezing the last safe version.

      I mean... What permutation of Rights and Freedom would Infer that a developer have a right to break their code, but thei

      • "I think Github's perfectly justified in responding by breaking or disabling his account, repository and/or freezing the last safe version"

        Are they sure it's "safe"? Just because it works and appears it does what it's supposed to does not mean it's safe.

        I hope they are at least scrubbing everything that he contributed up and down for logic bombs and other nasty surprises.

        I for one would not trust any of his stuff.

    • by gweihir ( 88907 )

      The update was not malicious. You have no clue what "malicious" in this context means and what he could actually have done. Github has much better grasp of the legal angle than you do.

      • by narcc ( 412956 )

        You have no clue what "malicious" in this context means and what he could actually have done.

        How is replacing whatever it used to do with an infinite loop not malicious? Sure, it could have been worse, but that doesn't make this any less shitty. If someone punches you in the face the fact that they could have stabbed you instead doesn't make it any less rotten.

  • by PhunkySchtuff ( 208108 ) <(ua.moc.acitamotua) (ta) (iak)> on Saturday January 15, 2022 @05:59PM (#62175883) Homepage

    What I haven't seen discussed widely is the elephant in the room - what if this developer wanted to be far more malicious, instead of making a blatantly obvious point?
    What if he had committed some changes that individually didn't look like much, but combined over a few months or more added up to putting a backdoor into the code, or a crypto miner or something that would otherwise be classified as malware?
    It's clear that people were blindly pulling changes from his repo without even glancing at the changelog. This could have been a far more severe problem, assuming it hasn't already happened in any other popular library.
    Just because it's open source, and just because you _can_ read the code, does it mean that you have personally checked over the code of every library you're pulling into your project? No, of course you haven't - you're too busy working on your project. You trust the libraries will do what they say on the box, and you trust that if they are popular and widely used then _someone_else_ has looked over the code and found it to be OK.

    • by DontBeAMoran ( 4843879 ) on Saturday January 15, 2022 @06:05PM (#62175897)

      The same way you assume that if a lot of people are using something, then it must mean it's at least good enough. And then you use Windows 10/11 and you wonder WTF is wrong with people.

      • by gweihir ( 88907 )

        The same way you assume that if a lot of people are using something, then it must mean it's at least good enough. And then you use Windows 10/11 and you wonder WTF is wrong with people.

        Every day. And MS Office is worse.

    • Yes, the act of civil disobedience can be useful to highlight flaws in process or organization. I just can't believe the folks that think the harm mitigation put forth by GitHub and npm were unreasonable and infringing on the dev's "rights".

      Both could be good things. The first is arguable, but the second is akin to self defense and unambiguously good. If the code change were actually malicious, I sure as hell want anyone to put the brakes on as soon as it's detected on their networks/storage devices.

    • I applaud his epic level of trolling. He just killed the many eyes argument.

      • I'm pretty sure that Log4J killed the many eyes argument first.

        • What do you mean? The bug was found. And, more importantly, the bug was fairly benign if you weren't using a version of the JRE that also had a known RCE bug. Both were found by the many eyes.
      • You wouldn't know, you only know it is "something-something about many eyes?"

        Look up what it is, and you'll notice it is not in any way relevant here. It doesn't say, "Dude, like, if there are a lot of eyes, there are no bugs, maaaan!"

      • by gweihir ( 88907 ) on Saturday January 15, 2022 @11:56PM (#62176549)

        I applaud his epic level of trolling. He just killed the many eyes argument.

        That he actually did not. There is a delay to the eyes working and they did work nicely within that delay.

      • Three weeks before seems pretty quick to me.

        You have no idea whatsoever what the sentence is that contains the phrase "enough eyeballs", do you?

        I guess you think somebody said something like "with a lot of users, there are never any bugs"? That idea came from your head, nobody else's. I'll tell you a story that illustrates what he WAS talking about, the story of how we fixed shellshock.

        First, understand the section with the eyeballs phrase is discussing how and why Linus got a large number of developers w

      • by tlhIngan ( 30335 )

        I applaud his epic level of trolling. He just killed the many eyes argument.

        No, it's happened a number of times already the past few years. From Apple's "goto fail", to heartbleed, shellshock, and Log4j, it's pretty much blown the many eyes argument out of the water.

        What this developer has done is far worse than any of that - it's basically given ammunition to open-source detractors on why to never trust open source. You think Oracle and Microsoft aren't secretly jumping for joy? One developer managed to ta

    • by gweihir ( 88907 )

      Indeed. This small and harmless bit of activism nicely shows the extreme incompetence and sheer insanity of most developers.

    • by gTsiros ( 205624 )

      no i do not "trust" them

      i test them

    • by mattr ( 78516 )

      For production I audit libraries line by line and do not blindly install crap that people I don't know put onto github. I make guarantees to my clients that I do so and am not throwing in the kitchen sink. Obviously there is a limit to recursively checking libraries so it would be useful for "some trusted parties" to do that diligence and then put their name on it ("no malicious code / phoning home / exfiltration / tracking / crypto miners as far as we know"). That kind of service would be worth money and th

      • And you think that your line-by-line checking of hundreds of thousands of lines of code is going to find something in an already well-audited piece of software? Or that you will find a malicious back door that others haven't? Because even though hundreds of people have done both manual and automated testing, their efforts aren't as meaningful as your cursory review?
  • On a side note (Score:4, Insightful)

    by 93 Escort Wagon ( 326346 ) on Saturday January 15, 2022 @06:51PM (#62175979)

    I take it this guy doesn't want to be a developer? Because it's hard to see a reason anyone would trust anything he releases, going forward - or why any hiring manager isn't going to just toss an application from him straight into the circular file.

    • Going forward malware scanners should probably flag anything written by him as potentially sketchy.
    • I take it this guy doesn't want to be a developer?

      I am inclined to think that the "invisible hand" of the free market will take care of this, even though no money changed hands. Basically, this guy has signalled that his code can't be trusted, probably not ever again. I would be reluctant to employ him to write code, no matter how good it is, for fear that he might pull a childish stunt like this again. Foot, meet bullet.

  • I think if I was incorporating OSS into a product, I'd add a Q/A step in that tested new builds using the OSS stuff before it got incorporated into a new release. In many ways it kind of amazes me how that wasn't done already. I use Linux but am constantly building against new versions of Linux to ensure nothing broke.
    • by ceoyoyo ( 59147 )

      I think I'd add a step that tests all the stuff, OSS or otherwise, before it got incorporated in a new release.

      • Everybody who develops software does some level of testing. And they have controls in place to look for malicious commits that constitute insider-threats. But clearly none of those methods are perfect as software still gets released with bugs. You really think that people just write code and don't test it?
    • That's not quite the issue. These are a case of dependencies that you pull in, rather than a platform that you run on which might be updated and deployed independently of your software. However, some dependency management and deployment systems (imo, foolishly) allow for a version range rather than fixed version (e.g. "latest 2.x" rather than "2.1.3.4"). This means that while you might test against 2.1.3.4, as soon as 2.1.3.5 is released, any new deployments would grab the new version despite the fact that
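The fixed-version versus version-range distinction in the comment above, as an added example that is not from the thread, from npm or from any project it mentions: it classifies the specifiers in a package.json as pinned or floating and shows which later releases a floating range would silently accept on the next deployment. The package.json contents and the registry's published versions are constructed, and the caret/tilde/x-range rules are reimplemented here for plain x.y.z versions rather than taken from the semver package.

```javascript
// Parse "x.y.z" into [x, y, z]; anything else (prerelease tags, four-part
// versions) returns null and is never considered a match.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when `candidate` satisfies `spec` under simplified npm rules:
//   "2.1.3" / "=2.1.3"  exactly that version
//   "~2.1.3"            same major.minor, patch >= 3
//   "^2.1.3"            same major (for 0.y.z: same minor; 0.0.z: exact)
//   "2", "2.x", "2.1"   any version with that major (and minor, if given)
//   "*", "latest", ""   anything
// Unsupported syntax (">=", "||", hyphen ranges) is reported as no match.
function satisfies(spec, candidate) {
  const c = parseVersion(candidate);
  if (!c) return false;
  spec = spec.trim();
  if (spec === '*' || spec === '' || spec === 'latest') return true;
  let m;
  if ((m = /^(\^|~|=)?(\d+)\.(\d+)\.(\d+)$/.exec(spec))) {
    const base = [Number(m[2]), Number(m[3]), Number(m[4])];
    if (!m[1] || m[1] === '=') return cmp(c, base) === 0;
    if (cmp(c, base) < 0) return false;
    if (m[1] === '~') return c[0] === base[0] && c[1] === base[1];
    if (base[0] !== 0) return c[0] === base[0];
    if (base[1] !== 0) return c[0] === 0 && c[1] === base[1];
    return cmp(c, base) === 0;
  }
  if ((m = /^(\d+)(?:\.(\d+|x|\*))?(?:\.(x|\*))?$/.exec(spec))) {
    if (c[0] !== Number(m[1])) return false;
    return m[2] === undefined || m[2] === 'x' || m[2] === '*' || c[1] === Number(m[2]);
  }
  return false;
}

// A specifier is pinned only when it names exactly one version.
function isPinned(spec) {
  return /^=?\d+\.\d+\.\d+$/.test(spec.trim());
}

// Audit a package.json object against the versions a registry offers:
// every floating specifier is reported with the releases it would accept.
function auditDependencies(pkg, registryVersions) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isPinned(spec)) continue;
      const available = registryVersions[name] || [];
      const accepted = available.filter((v) => satisfies(spec, v));
      findings.push({ name, field, spec, accepted });
    }
  }
  return findings;
}

// Constructed sample: the app was tested against 2.1.3 of each library;
// lib-a is pinned, lib-b and lib-c float.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: { 'lib-a': '2.1.3', 'lib-b': '^2.1.3', 'lib-c': '2.x' },
};

// Constructed registry state: 2.1.4, 2.2.0 and 3.0.0 appeared after testing.
const SAMPLE_REGISTRY = {
  'lib-a': ['2.1.3', '2.1.4', '2.2.0'],
  'lib-b': ['2.1.3', '2.1.4', '2.2.0', '3.0.0'],
  'lib-c': ['2.1.3', '2.1.4', '2.2.0', '3.0.0'],
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_REGISTRY)) {
  console.log(`${f.field}.${f.name} "${f.spec}" would accept: ${f.accepted.join(', ')}`);
}
```

A lockfile committed alongside package.json removes the same drift for installs that honour it, so the audit is most useful for projects that deploy without one.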

  • Nope. Just shit.

    And yes, some dumbasses will go crawling back.

    Fool me once, shame on you.
    Fool me twice...

  • I have not used it anywhere up to now. And won't use it anywhere now.
  • Main problem (Score:4, Interesting)

    by gweihir ( 88907 ) on Sunday January 16, 2022 @12:04AM (#62176559)

    The main problem is not that he changed his code. The main problem is that he pointed out to many, many would-be emperors that they are naked, that their development practices are insane and that they are building houses of cards (or worse). Look at all the butt-hurt comments here that want to place the blame solely on this guy, when shoddy, insecure and unprofessional practices made this possible in the first place. The people complaining about what he did are really the ones responsible for the problem in the first place because _they_ screwed up massively and continue to do so.

    As to Github, they likely looked at the legal angle, found that this was entirely legal (came even with a major version increase) and that unless they want to police all software on their platform on this level, they better give him access back pronto.

    • The number of people who seem ready to do mental gymnastics to pardon abusive behavior is ridiculous.

      Please get help for your mental health issues. Stop making excuses for people actively trying to hurt others.

      • by gweihir ( 88907 )

        The number of people who seem ready to do mental gymnastics to pardon abusive behavior is ridiculous.

        Please get help for your mental health issues. Stop making excuses for people actively trying to hurt others.

        Bullshit. The mental contortions that some people will employ (you included) to find somebody else to blame for their own screw-ups is staggering.

        Incidentally, I never made any excuses for the guy and I most certainly did not "pardon" him. These are all in _your_ fantasy. What I did point out is that there is plenty of blame to go around and that most of it is certainly not on him, yet gets ignored completely by many people because they would otherwise have to look at what _they_ did wrong. Big ego-small-sk

        • by narcc ( 412956 )

          He's right, you know. This guy did something mean and nasty just to be mean and nasty. Why anyone would defend his disturbingly antisocial behavior is beyond reason.

          Trust is an essential part of any functioning society. It's even more important in software, where no amount of testing and preparation is sufficient to protect you against a malicious actor. (The underhanded C coding contest is proof enough of that.)

          So, no, I don't put any blame on the developers for trusting what looked like a minor update

    • Github has no responsibility to police all accounts exactly the same. Indeed, that was exactly what section 230 (safe harbor provision) of the CDA established. Github can choose to moderate (i.e. delete) his update to their platform without incurring any liability or any duty to police all other software similarly. They are totally free to just delete accounts and take down whatever code they feel like (with a few limitations that don't apply here).

      It's the reputation with their user base that is what co

      • by gweihir ( 88907 )

        And in the real world, as soon as they start to moderate outside of what Section 230 allows, they may well lose Section 230 protection.

        • I'm curious to hear your legal theories and would like to subscribe to your newsletter. What boundaries does 230 place on moderation? My understanding is that there are none despite the constant assertions of Monday-morning armchair lawyers.
    • ... shoddy, insecure and unprofessional practices made this possible in the first place.

      There has to be an element of trust, that people you deal with won't be stupid or malicious. Without that, scarcely any business could be conducted, and all the money would be spent checking up whether you are being screwed, rather than producing something worthwhile. I do agree, though, that you need to understand risks, and make sure your business will not be sunk because of some unexpected screwup by a supplier.

    • How the heck did this get modded up? Yes everybody in the world who works on the software that runs our society is incompetent and unprofessional except for the OP. I mean clearly the reason people's houses get robbed is that the makers of their door locks are all incompetent and unprofessional. I mean the only reason you ever get a rip in your jeans is that the manufacturers are incompetent and unprofessional. The only reason dishes break if you throw them in anger is that the pottery companies are all
  • Look, I get that people have different views about the role of corporations in software development. Personally, I believe that in many cases it's beneficial to society to offer software under the MIT license because society benefits if software is cheaper to use and we adopt common standards while in other cases the GPL carrot/stick approach offers more benefit.

    If this developer feels so strongly about corporations not benefiting from his work without paying he had a choice. He could have shared his code under a license that was as restrictive as he wanted. It could have been free for individual developers and small shops to use but require a paid license if a large corporation wanted to ship or even run.

    But, what's not cool, is to share his code under a license that clearly gives corporations the right to use his code and then turn around and break it because, now that his code is popular, he regrets not cashing in on it. If he'd insisted on some weird restrictive license then people would have just shrugged and written an alternative.

    This is the coding equivalent of quoting some cheap price to connect the big mansion on the hill to the new sewer system and then, once you've disconnected their septic system so they can't shower or shit until you finish, turning around and walking away on the grounds that rich people like that should pay plumbers more. Well, no one was forcing you to be their plumber.

  • Fool me twice shame on me.

    Why would anybody trust him after this?

  • does this mean that GitHub is justified in denying you the right to change or even destroy your own code?

    WTF? Not a single word in either of the articles even indirectly implied the author can't do whatever he wants with his fork. If the author is having problems getting his copy to work, I bet anything it'll be traceable to something he did, not something GitHub did.

    I suspect the author is simply angry that not everyone wants to use the broken fork and would prefer to use a working one. I can understand t
