A JavaScript backdoor that affects millions

Software might be eating the world, but JavaScript is eating software whole. With the prevalence of package managers like npm and yarn, which make it easy for web developers to pull in a library for almost any coding problem, it's become much easier to blindly install code without really investigating what's inside.

Overnight, the JavaScript community panicked as it became clear that a relatively banal package with more than two million downloads per week had been quietly compromised. Developers were using the event-stream library to help with input and output in their applications, with thousands of new downloads daily, but the maintainer had quietly transferred ownership to an unknown third party:

According to the Github discussion that exposed the backdoor, the longtime event-stream developer no longer had time to provide updates. So several months ago, he accepted the help of an unknown developer. The new developer took care to keep the backdoor from being discovered. Besides being gradually implemented in stages, it also narrowly targeted only the Copay wallet app. The malicious code was also hard to spot because the flatmap-stream module was encrypted.

This is wild on so many levels, because open source software tends to rely on the integrity of the community itself, and on the work of unpaid, volunteer maintainers who look after their packages. This developer had more than 700 packages, just couldn't give this one attention anymore, and so assumed it would be best to hand it off.

The malicious developer quietly implemented a backdoor, designed to steal private keys from a specific Bitcoin wallet, and it went undetected for weeks as other developers updated to the new version without paying much attention to the changes. It's unclear whether the attack, designed to compromise Copay, was successful, but the company is urging its wallet users to update as soon as possible.

The chaos that ensued in the GitHub discussion where the issue was first raised is akin to watching a slow-motion train wreck: one developer identifies a problem with the new maintainer, but can't figure out exactly what's going on, and the original author shows up saying "If you guys feel strongly about this, why don't you volunteer to maintain it and contact npm support?"

Developers spent the better part of a few days trying to raise the alarm with both the npm registry and the Node.js community, eventually getting attention and having the compromised version pulled. The damage is done, however: the issue history shows a slew of companies, from Microsoft to the BBC, considering pulling the code out of their products in the last 24 hours.

It's interesting, because so much depends on npm and other third-party packages... but this isn't even the first time something like this has happened. Back in 2016, a single developer broke thousands of products by yanking a popular package called 'left-pad' from the registry, breaking deployments and builds, largely due to a spat with the Kik messenger service.

Making tools available as tiny packages, downloadable by any developer, has made web and application development easier in many ways, but the complexity of this issue shows how little thought has been given to the business model of open source all these years on. My initial thought about all of this was: do we need an antivirus for npm packages? But I quickly realized what we actually need is a more sustainable way forward.

When a developer burns out of providing free support, and a mistake is made, who's to blame? Nobody, except those blindly using packages that could go away at any moment. The argument against using them, however, and building your own tools to solve an issue, is just as problematic: it takes time and resources, so why not use the free thing? Companies love free.

As of this newsletter, the ticket with the original discovery has over 400 comments and it's difficult to know how many products were actually affected: we'll probably keep seeing it unravel in the coming days. But, perhaps it'll help companies think more clearly about the price of free, and better ways of supporting open source, in the future.


A Facebook vs UK blockbuster is unfolding


Over the weekend a new installment in the blockbuster franchise "what did Facebook do now" was released: the UK government seized internal Facebook documents using rarely-invoked legal powers. Why? Because Facebook won't talk to the UK government, so it has taken matters into its own hands.

Here's what happened just over the weekend:

  • The UK is investigating how fake news got so out of control on Facebook, and discovered that a company called Six4three had a 'cache of internal documents' from the company that might help shed light on how Cambridge Analytica happened.
  • The UK requested the CEO of Six4three hand over the documents, which supposedly include confidential Facebook executive emails, as well as correspondence with Zuckerberg. Six4three refused.
  • When the Six4three CEO was visiting London on business, an MP invoked a parliamentary mechanism to compel him to hand them over, sending the serjeant at arms to his hotel with a final warning. He still refused.
  • The Six4three CEO was escorted to parliament and told he risked fines or a prison term if he didn't hand them over immediately, which is when he relented, then quickly fled the country.
  • The documents are under seal in the US as they're being used in a lawsuit, and Facebook is desperately fighting against the UK government, which plans to release them unredacted today. The UK's stance is simply that California-based courts have no relevance in Europe.

The thought of what may be contained in these documents is, very frankly, fun to imagine. If they are released unredacted today, we may get a rare peek inside how Facebook's executives communicated about the entire affair, including how the team thought about user data in the years leading up to the breach.

Stay tuned.


Apple faces App Store antitrust lawsuit

Initially it looked like this was going to disappear, but an antitrust lawsuit accusing Apple of breaking the law by forcing all apps through the App Store is set to move forward, with the U.S. Supreme Court taking up the case this week.

The lawsuit has been seven years in the making, and essentially says that the company breaks the law by forcing apps into the store and then taking a 30 percent commission on all sales there. It has legs because on other platforms you're able to download apps as freely as you like, and alternative marketplaces are allowed to thrive, like Amazon's Android app store.

Apple argues that any antitrust proceeding would "threaten the burgeoning field of e-commerce" but the plaintiffs say that consumers are made to pay higher prices as a result of the rules and developers are harmed too, because they have little recourse to sue Apple on their own.

What happens if Apple loses? It's difficult to know, but The Verge's breakdown of this sees a number of circular fights before any results:

If a court rules that Apple has an unlawful monopoly, it could require Apple to pay out hundreds of millions of dollars or even change its App Store model. If the Supreme Court upholds the Ninth Circuit’s decision, though, it will just send the case back to a lower court, where the fight will keep going.

What it would do, however, is keep marketplaces from being "toll-keepers" and open the conversation about whether digital platforms should be required to let others play on their turf.

If the lawsuit proceeds, which we'll know within a few days, the actual verdict isn't expected to arrive until sometime in mid-2019. Still, it has an opportunity to shake up the way we think of digital marketplaces, from Uber to Apple, giving you more choice in the end.

I'm not saying Apple should be forced to adopt the wild-west install-any-app-you-want approach, which lets users sideload apps from other sources, but forcing a rule change to allow other app store models on iOS wouldn't be a bad thing.


Tab Dump

Amazon has a new, custom ARM processor in its server cloud
The long, slow march toward a new processor architecture continues! This time it's Amazon's "Graviton" processor, which is available for use in its cloud platform as of today. Wild!

Facebook says it's disbanding the 'war room' it uses for elections
A few weeks after flashy tours were given to the press, Facebook told Bloomberg it was disbanding the practice... and then denied the whole damn thing despite having been on the record. 🤷‍♀️

Venmo lost a lot of money
This report is wild: PayPal-owned Venmo posted a loss 40% larger than expected, around $40 million, due to fraudulent activity on its website. The website has since been essentially shuttered, and it's a fascinating tale of an acquisition that has cost millions in surprising ways.