2022-03-22

Russia’s invasion of Ukraine has prompted a wide range of responses around the world. From steep financial sanctions to the severing of business ties, the Russian economy is under siege.

But online, another kind of punishment has hit Russia. Some maintainers of freely available, open source software packages altered their code to register opposition to the invasion. Dubbed “protestware,” the updates checked whether the machine they were running on appeared to be in Russia or Belarus and, if so, took action ranging from printing text such as “Stand with Ukraine” to attempting to erase the contents of the drive.

How can a programmer slip such a change onto a Russian user’s computer? It is a side effect of the software industry’s push to save effort by reusing open source code. Call it the software supply chain.

There are no ships, planes, or trucks involved. Instead, the chain links open source programmers with millions of other developers through code-hosting services such as GitHub, the California company whose servers hold the projects, and the package registries that deliver each new release to the programs that depend on it.

A programmer writes a useful bit of code, say to give apps a spell-check feature, and publishes it as an open source project on GitHub. Other developers who want spell-checking in their apps declare it as a dependency rather than copying it in. When the original programmer releases an update, the other developers’ build tools frequently pull it in on their own, because the dependency was declared as a version range that accepts newer releases. Ranges are left open on purpose: the update may carry a critical bug fix or security patch, and nobody wants to hand-edit every project each time one ships.
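The automatic pick-up described above comes down to how a declared version range is resolved. The following is an added example, not code from the article or from Snyk: a small resolver for npm-style ranges (exact pin, `~` tilde, `^` caret) that shows which declarations would pull in a newly published release and how a lockfile holds the line. The package name, its list of published versions and the “malicious” release are constructed for the illustration.

```javascript
// Added example, not code from the article or from Snyk: how a dependency
// declared with a version range picks up a newer release on the next fresh
// install, while an exact pin or a lockfile does not. The range syntax is
// npm's ("^" caret, "~" tilde, or an exact version); the package, version
// list and "malicious" release below are constructed for the illustration.

function parseVersion(v) {
  const [major, minor, patch] = v.split(".").map(Number);
  return { major, minor, patch };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  return pa.major - pb.major || pa.minor - pb.minor || pa.patch - pb.patch;
}

// Minimal matcher for the three range forms that matter here:
//   "1.2.3"   exact pin: only 1.2.3
//   "~1.2.3"  patch updates only: >=1.2.3 <1.3.0
//   "^1.2.3"  minor and patch updates: >=1.2.3 <2.0.0 (npm's default when
//             you run `npm install <pkg>`); for 0.x.y majors the caret only
//             allows patch updates, and for 0.0.z it allows nothing newer
function satisfies(version, range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = op ? range.slice(1) : range;
  if (compareVersions(version, base) < 0) return false;
  const v = parseVersion(version), b = parseVersion(base);
  if (op === "") return compareVersions(version, base) === 0;
  if (op === "~") return v.major === b.major && v.minor === b.minor;
  if (b.major > 0) return v.major === b.major;
  if (b.minor > 0) return v.major === 0 && v.minor === b.minor;
  return compareVersions(version, base) === 0;
}

// A fresh install with no lockfile resolves a range to the highest published
// version that satisfies it. A new release by the maintainer is "downloaded
// automatically" exactly when it lands inside that range.
function resolve(range, published) {
  const ok = published.filter((v) => satisfies(v, range)).sort(compareVersions);
  return ok.length ? ok[ok.length - 1] : null;
}

// With a lockfile, the previously locked version is reused as long as it
// still satisfies the declared range, so a new release is not picked up until
// someone deliberately updates the lock.
function resolveWithLock(range, published, locked) {
  if (locked && published.includes(locked) && satisfies(locked, range)) return locked;
  return resolve(range, published);
}

// Constructed scenario: the maintainer of a hypothetical "spellcheck-lib"
// publishes 1.4.1 containing protestware. Which declarations pull it in?
const PUBLISHED = ["1.3.0", "1.3.2", "1.4.0", "1.4.1", "2.0.0"];
const MALICIOUS = "1.4.1";

function scenario() {
  return {
    caret: resolve("^1.3.0", PUBLISHED),                        // "1.4.1": pulled in
    tilde: resolve("~1.3.0", PUBLISHED),                        // "1.3.2": safe this time
    exact: resolve("1.3.0", PUBLISHED),                         // "1.3.0"
    lockedCaret: resolveWithLock("^1.3.0", PUBLISHED, "1.4.0"), // "1.4.0": lockfile holds
  };
}

for (const [declaration, resolved] of Object.entries(scenario())) {
  const hit = resolved === MALICIOUS ? "  <-- protestware release" : "";
  console.log(`${declaration.padEnd(12)} resolves to ${resolved}${hit}`);
}
```

The point to take away is that the caret range, which is what `npm install` writes by default, is what makes the poisoned release arrive unasked; a committed lockfile or an exact pin turns that into a deliberate upgrade step that someone can review. The tilde range only happens to be safe here because the malicious release bumped the minor version.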

Overall, that may be beneficial, but it also opens the door to updates carrying malicious code: whoever controls the project can publish a change, and it lands in every project that accepts the new version. The Russian protestware incidents came after update problems in January, when a developer named Marak Squires sabotaged two popular code libraries he maintained, saying he was unhappy that big companies were using his work without paying him.

These new risks in the software supply chain are just the kind of cybersecurity problem that Boston startup Snyk (pronounced “sneak”) set out to solve. The company monitors thousands of open source projects, along with the public discussion around them, to uncover security vulnerabilities and alert developers before anything bad happens.

Liran Tal, director of Snyk’s developer advocacy team, said the company has found a variety of code altered to protest the Russian invasion. It is less concerned about small tweaks that add a political statement. But for changes that alter files or take more destructive actions, Snyk issues warnings and can even hold back updates for developers using its protective service (the company offers a limited free tier; paid plans with more comprehensive protection run up to $139 per month per developer).

“That way of delivering a message goes well beyond what anyone would expect and essentially might harm people, even those unintended, so that’s where we step in,” Tal said.

And with all the publicity around the anti-Russian protests, the problem could get worse. “Open source [software] is everywhere, it’s ubiquitous,” Tal said. “Protestware is definitely going to be a bigger problem.”

Aaron Pressman can be reached at aaron.pressman@globe.com. Follow him on Twitter @ampressman.