Wednesday, April 17

Russia’s Largest Bank Thinks It Knows How To Avoid “Protestware”: Asking Not To Install Updates


One of the fundamental rules of computer security tells us that we must keep all the programs we use updated. However, there are exceptions to this principle, at least according to Russia’s largest bank, which has asked its customers to temporarily skip software updates.

According to TASS, Sberbank urges users to avoid downloading and installing updates to any program. The credit institution also asks that developers in general “reinforce control over the use of external source code” due to the increase in cases of “provocative content” detected in this type of software.

For those who urgently need to use their updated programs, the Russian bank suggests two solutions, one of which is impractical and out of reach for most users: scanning the files with antivirus software or manually inspecting the update's source code.

When malicious code leaks into open source

In recent weeks we have seen how the West has increased economic sanctions against Moscow and many companies have decided to stop operating in the country. Some of the proposals invited technology companies to stop providing updates to Russian users, but this point has not been reached due to the security risk it represents.

In parallel, however, a movement known as “protestware” arose whose goal is to add “protest code against the Ukrainian war” to open source software projects. According to observers, “protestware” has manifested itself in different forms in more than 30 active projects.


We are talking, for example, about the changes to the node-ipc JavaScript library, which is part of the Vue.js framework used to create user interfaces. The new code used the IP address to check whether the computer was in Russia or Belarus and, if so, erased the user’s data, replaced files with heart symbols or displayed anti-war messages.

According to the Open Source Vulnerability Database, a developer added code to node-ipc so that a file called “WITH-LOVE-OF-AMERICA.txt” is created and saved on the user’s desktop and in OneDrive. This protest method was not well received, and the unauthorized changes were assigned the vulnerability identifier CVE-434.
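As an added example (not code from the article, Sberbank or the node-ipc project), the following JavaScript shows one way to act on the “control over the use of external source code” advice in an npm project: it walks a package-lock.json to report which installed packages pull in a watched library such as node-ipc, and whether each requirement is pinned to an exact version. The lockfile contents, the package names example-cli and left-lib, and every version number are constructed for illustration.

```javascript
// Constructed sample in package-lock.json v2/v3 layout (the "packages" map).
// "example-cli", "left-lib" and every version number here are made up.
const SAMPLE_LOCK = {
  packages: {
    "": { dependencies: { "left-lib": "2.0.0" }, devDependencies: { "example-cli": "^1.0.0" } },
    "node_modules/example-cli": { version: "1.2.0", dependencies: { "node-ipc": "^0.0.1" } },
    "node_modules/left-lib": { version: "2.0.0", dependencies: { "node-ipc": "0.0.2" } },
    "node_modules/left-lib/node_modules/node-ipc": { version: "0.0.2" },
    "node_modules/node-ipc": { version: "0.0.1" },
  },
};

// Resolve `name` as required from the package at `fromPath`, the way Node
// does: nearest node_modules directory first, then each parent in turn.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// Report every package that requires `target`, with one route from the project
// root to it. An exact range counts as pinned; any other range can pick up a
// newer release when the lockfile is regenerated.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const visited = new Set(); // expand each installed package once (handles cycles)
  const walk = (path, chain) => {
    visited.add(path);
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...(path ? {} : pkg.devDependencies) };
    for (const [name, range] of Object.entries(deps)) {
      const hit = resolve(packages, path, name);
      if (!hit) continue; // declared but not installed (e.g. skipped optional)
      const next = [...chain, `${name}@${packages[hit].version}`];
      const pinned = /^=?\d+\.\d+\.\d+(-[\w.]+)?$/.test(range);
      if (name === target) results.push({ route: next.join(" > "), range, pinned });
      else if (!visited.has(hit)) walk(hit, next);
    }
  };
  if (packages[""]) walk("", []);
  return results;
}
console.log(findPaths(SAMPLE_LOCK, "node-ipc"));
```

Against a real project, pass `JSON.parse` of the project's own package-lock.json instead of the constructed sample.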

As reported by The Verge, some security analysts have rejected the idea of holding protests in this way, even for noble causes, and have described these actions as “module sabotage”. Analyst Selena Larson referred to it as “forced insecurity”, after Sberbank’s request over the “protestware” threat.

Advantages and disadvantages

Let us remember that one of the advantages of open source software is that anyone can contribute by modifying or inspecting the code. This allows projects to be more transparent and secure, although in practice, as we can see, it also makes it easier to sabotage certain libraries that are very widely used.


It should be noted that the existence of vulnerabilities in open source libraries is nothing new. Many of them (let’s remember Log4Shell) go unnoticed for a long time. In fact, some never receive the CVE ID that allows developers and customers to address the security issue.


The war in Ukraine poses important ethical challenges related to technology, in the sense of how to get involved and, if you want to, speak out. Since open source libraries are used by millions of programs around the world, it is important to keep in mind that certain actions can reduce confidence in them.

As for the scope of the Russian bank’s request, it may cause collateral damage. Outdated software is synonymous with increased computer security risks. The threats, meanwhile, go far beyond the “protestware” movement and continue to circulate on the internet seeking new victims.

But these are not the only technological headaches facing Russia. With companies like Amazon, Microsoft and Google fleeing, the country has a cloud storage crisis looming. This is a problem that could cause “critical systems” of the federal and regional authorities to start having problems.
