"Targeting every computer with a Russian or Belarusian IP address with this sort of hacktivism as a means of protest against the actions of a government is patently absurd and harmful. Developers living in countries that commit war crimes, including the US, might want to consider how they would feel if the tables were turned."
This statement was originally published on eff.org on 21 March 2022.
The horrific Russian military invasion of Ukraine has understandably led to a backlash against Russia. The temptation is to label anything Russian, from state media and students to cats, as bad and block it to signal outrage and ostracization. This type of thinking has infected the open source and internet security communities as well – a terrible idea with potentially harmful consequences.
Recently the maintainer of a popular open source Node JS package “node-ipc” released a new plugin called “peacenotwar.” A Node JS package is publicly-available JavaScript code used by developers to add functionality to applications. According to the maintainer, this plugin would display a message of peace on users’ desktops, serving “as a non-violent protest against Russia’s aggression.” Some versions of the node-ipc package, a networking tool that has been downloaded millions of times, will automatically run this protest-ware. Then a post on Github claimed that some versions of the node-ipc package were deleting and overwriting all files with the heart emoji if the package was installed on a computer with a Russian or Belarusian IP address.
If the accusations are true, this is a terrible idea which could result in all sorts of horrible and unintended outcomes. What if a Russian human rights or anti-war organization, or a Russian hospital, was using this particular software package? This action – although conceived of as a simple nonviolent protest by the package creator – could result in the loss of important footage of protests or war crimes, loss of medical records, or even the deaths of innocent people.
The trend of half-baked hacktivism involving everyday internet users is now growing into sites and games that encourage users to become part of DDoS (Distributed Denial of Service) attacks against some Russian digital assets. For the same reasons mentioned above, randomly sending attacks without thinking through the consequences and potential collateral damage are feel-good actions that amount to shooting in the dark. Also unknown are the consequences for users that were part of this campaign. Are users aware that they could have their IPs logged by a potentially aggressive and vindictive target? It’s an incredibly irresponsible action that gives tools to ordinary users without the due diligence it deserves, putting innocent lives at risk on all sides.
Targeting every computer with a Russian or Belarusian IP address with this sort of hacktivism as a means of protest against the actions of a government is patently absurd and harmful. Developers living in countries that commit war crimes, including the US, might want to consider how they would feel if the tables were turned.
This sort of digital xenophobia didn’t start with the Russian military invasion of Ukraine, however. For many years the common network defender orthodoxy has been to block certain countries deemed disreputable from your network, effectively creating no-fly lists for IP addresses. Most traffic coming from Russia or China is malicious, the thinking goes, so why not block all traffic coming from Russian or Chinese IP addresses? Putting aside for a moment the question of whether Russian and Chinese hackers have heard of VPNs, this bit of network security theater ensures that entire countries are thrown under the bus, many of whom might find your service useful, because of a few bad actors. 1
Calls are mounting to disconnect Russia from the internet since the Russian invasion of Ukraine. This is an awful idea and it once again treats Russia as a monolith, punishing the Russian people because of the actions of their authoritarian leaders. Russians who might be looking up information about a protest or trying to find news about those killed in the war will be blocked. Someone living in Ukraine in an area bordering Russia or Belarus could have their IP address incorrectly categorized as Russian or Belarusian. Their communications and ability to access websites about relief or evacuation efforts could be blocked.
We have warned that remaking fundamental internet infrastructure protocols– like disconnecting Russia from the internet by revoking its top level domain names or revoking IP addresses – to protest a war will likely lead to a host of dangerous and long-lasting consequences. It will deprive people of a powerful tool for sharing information when they need it the most, compromise security and privacy, and undermine trust in the global communications infrastructures we all rely on.
Treating the population of a country as a monolith risks alienating and denying services to people who would agree with you, people who are your allies, and people who desperately need sources of information and help. It makes the internet less open and more hostile for all involved. Equating people with their authoritarian governments in your performative activism is never a good idea.
- 1. Of course if you are running a network that is only meant for a few specific people to access, you might feel justified in engaging in this bit of security theater. If that is the case then you should ask yourself why you are not banning all outside traffic except for a dedicated VPN? After all, malicious traffic can come from a country you trust just as much as a country that you don’t.