Developer Sabotages Open-Source Software Package

This is a big deal:

A developer has been caught adding malicious code to a popular open-source package that wiped files on computers located in Russia and Belarus as part of a protest that has enraged many users and raised concerns about the safety of free and open source software.

The application, node-ipc, adds remote interprocess communication and neural networking capabilities to other open source code libraries. As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones like Vue.js CLI, which has more than 1 million weekly downloads.


The node-ipc update is just one example of what some researchers are calling protestware. Experts have begun tracking other open source projects that are also releasing updates calling out the brutality of Russia’s war. This spreadsheet lists 21 separate packages that are affected.

One such package is es5-ext, which provides code for the ECMAScript 6 scripting language specification. A new dependency named postinstall.js, which the developer added on March 7, checks to see if the user’s computer has a Russian IP address, in which case the code broadcasts a “call for peace.”

It constantly surprises non-computer people how much critical software is dependent on the whims of random programmers who inconsistently maintain software libraries. Between log4j and this new protestware, it’s becoming a serious vulnerability. The White House tried to start addressing this problem last year, requiring a “software bill of materials” for government software:

…the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open source and commercial software components. The SBOM enumerates these components in a product. It is analogous to a list of ingredients on food packaging. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability. A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.

It’s not a solution, but it’s a start.

EDITED TO ADD (3/22): Brian Krebs on protestware.

Posted on March 21, 2022 at 10:22 AM68 Comments


Quantry March 21, 2022 10:57 AM

…raised concerns about the safety of free and open source software…

So developers of non-open source don’t have these exact same tendencies and highly similar leverage?

Raggle March 21, 2022 11:24 AM

Wouldn’t targeting Russia based on IPs also hit neighboring regions that have no part in the current conflict?

TimH March 21, 2022 11:53 AM

Another gentle reminder: Don’t harm people over actions of their government that they have no control over.

Beatrix Willius March 21, 2022 11:54 AM

What about the closed source that I use with plugins? There I don’t even see the source. The plugin developers could do the same as the open source developers did. How do I know what code the plugin developers use?

Source code is not one level deep.

Clive Robinson March 21, 2022 11:59 AM

@ ALL,

A “Software Bill of Materials(SBOM) will not solve these problems.

Why? Because of the “Garbage In is Garbage Out”(GIGO) principle.

In short you need some mechanism to stop garbage geting in…

I know some are going to bristle about this, but there is a reason that most engineering development is a long way away from the artisanal software development.

Software development mostly lacks sensible Quality Control, the desire of Managment is,

1, Get it out the door.
2, To bring in the money
3, To make profit fast.


4, Don’t fix even if you know it’s broken.
5, Unless enough people complain.
6, Then only fix the minimum.
7, And even then do not do it well.

This is not a process that is,

A, Safe for users.
B, Secure for users.

The latter especially because the industry believes the money is not in products but,

C, Stealing user privacy
D, Selling the stolen privacy to anyone with money.
E, Ignoring how this endangers user safety.

Worse the industry is moving from “purchased products” users run localy, and importantly can run Off-Line “privately” to the “rent On-Line” where users pay many times the price, have to run it remotely where there is no “privacy”.

You only have to look at the idiocy around Web Browsers to see that certain “entities” are basically forcing users to relenquish all privacy…

These “entities” by the way are some of the biggest users of “Free Open Source Software” and they do not “give back” in return for what they take.

This issue, is just a surface symptom of an underlying sickness. Like a bruise ontop of a ruptured liver. Fix the underlying sickness and the surface symptom will disappear.

However try fixing the surface symptom but not the inderlying sickness and the patient will die…

Fazal Majid March 21, 2022 11:59 AM

The problem is not Open-Source or the SBOM itself, it is that the packages are not vetted. This would require an independent code review of each version of each package by a trusted party, which would be very expensive. The lack of security vetting is an externality that hardly anyone cares for in this “move fast and break things” world of minimum viable products and corner-cutting. The large corporations like Google et al could jumpstart the process by paying their own employees to do the vetting and release the results (they probably do it already internally, this is about making those internal code security reviews public). I could also imagine a business model for a security ratings agency along the lines of Underwriters Laboratories or TüV to mutualize costs among commercial users of open-source.

Ted March 21, 2022 12:49 PM

@Clive, Fazal Majid


Software security is no doubt complex. I’m a little confused about your takes on SBOMs.

Bruce even said “It’s not a solution, but it’s a start.”

I’m trying to figure out who wouldn’t want to know about a known malicious module in their software.

SpaceLifeForm March 21, 2022 1:33 PM

Stay out of Dependency Hell as much as possible. Do not use Live code that you don’t host yourself.

An SBOM that lists Live code hosted elsewhere is not going to prevent potentional problems, because there is no way to enforce any version control.

Just because it is Open Source does not mean you can trust it blindly. Keep your own copy, and if your app needs to use it over internet, then you must host it yourself, so that you know what is being used Live.

Me March 21, 2022 3:16 PM

@Fazal Majid

See the point of the SBOM is to determine what parts are used, once you have a database that links project (in this case government projects) to dependencies, you have the ability to rank the dependencies for their value. If, say, 75% of your projects are using X, then you might well want to ensure that X is fit for purpose, and if you have the funding to vet it, you can do so.

As Bruce said, it isn’t the solution but it is, I think, the right first step.

Kai March 21, 2022 3:44 PM

What amazes me is not so much that this is possible (clearly it is) but rather that developers will blindly pull in updates from upstream sources without so much as checking a changelog.

name.withheld.for.obvious.reasons March 21, 2022 4:02 PM

@ Bruce
A number of U.S. defense contractors use open source resources in all sorts of applications that are deployed in U.S. military systems, everything from communications, navigation, flight control, fire control, and mission critical applications. Of course there is a mutually exclusive arrangement, under GPL 3.0 the use of code is not often reflected back into the branch or tree from whence it came.

Much of the code that is modified or added is within the context of secure applications and the DoD claims cannot hold up its part of the open source covenant. My question though, what is the level of exposure that mission critical and other systems vulnerable to the problem of open source library and application source that does not receive code reviews necessarily? Of course this question could be broadened but I am just trying to identify the most apparent risk/reward component in our never ending code war escalation. We need a non-proliferation agreement between states and nations, this behavior of weaponizing everything must end. I know, the classic ‘Will if we don’t do it, they will.’ argument, but that’s as stale as 400 year old donuts (and I am not talking about toroidal manifolds).

Greg Hunt March 21, 2022 4:24 PM

A SBOM is just good practice. Development projects should have one anyway in order to manage dependencies and upgrades. Some licenses, the GPL and LGPL in particular, implicitly require a partial one in that they require identification of the GPL-ed components to the recipient. Requiring one that can be shared is not a genuine problem and is a good beginning. What IS a problem, as mentioned above, is live update from remote sources, thats just terrible practice.

For the people speculating about possible scanning business models, there are already companies that provide software threat analysis services (fairly expensively) and I am sure they will move into this space.

David Leppik March 21, 2022 4:39 PM

NPM is particularly notorious for this sort of lax security. A typical framework has a tangle of dependencies, where each library requests the latest minor version of its dependencies, since that usually fixes more bugs than it causes, and that’s typically the only way to resolve all the dependencies.

Other package management systems are more strict about not including untested versions of libraries. But those typically also have a system for including multiple versions of a library within a project, and/or expect a program to have only a small number of large dependencies rather than include dozens of tiny, single-purpose libraries.

Clive Robinson March 21, 2022 6:57 PM

@ Ted, ALL,

I’m trying to figure out who wouldn’t want to know about a known malicious module in their software.

What your statment is asking for is a “Quality Asurance”(QA) Process which stops a “known malicious module” getting in in the first place. Is an entirely seperate thing to a SBOM.

The SBOM is just a “manufacturers component list” little different from a hardware BOM. In both cases it indicates a probable source of a component and absolutly nothing to do with the quality of the component.

Imagine if you will the Ford Pinto motorcar, Ford’s first “subcompact”. It’s BOM indicated a fuel tank as part of the fuel chain, who made it what batch it came from and date of manufacture. It indicated nothing as to if it would turn the vehicle into a “One ton cremator” under certain conditions. It took a number of mid highway cook offs and a Mother Jones article “Pinto Madness” for it to become of concern to first the public, then later those with consumer protection interests, then finally a national agency to actually indicate that it was a danger to anyone who got in one[1]. Importantly the BOM in no way identified and design flaws, as it was not the individual components at fault.

So the SBOM only becomes vaguely relevent, after the event has happened repeatedly and been identified in other ways. And mostly the SBOM is not relevant then unless a specific identifiable component is at fault. It’s actually of even less use than code signing, which I’ve had a “downer on” for decades, and it was not long ago I was proved right in all aspects of my scepticism to code signing.

In mechanical engineering components are manufactured against a reliable specification and are tested not just by the manufacturer but major users of the component. In some uses involving members of the public the component is tested “in use” repeatedly and or replaced on a regular schedual as part of “preventative maintainance”.

Such continuous testing carries atleast three basic penalties,

1, People
2, Time
3, Cost

That is more qualified people are required, the time to delivery is increased, and the cost is also increased. All three of these are seen as something to be not just reduced in the software industry but reduced below the point of “lip service”. The result of such an ethos can be tragic as some people who were friends and relatives of those on certain Boeing aircraft have found out.

A SBOM will not stop such tragic events happening in the first place, only correct engineering processes worked out over a century of response by science to failures and tragady will work towards that.

Artisanal design is about “patterns” seen in the design of wheels for horse and other animal drawn vehicles. The patterns took several millennium to reach a point of design that was at best sub-par. With science the design of wheels has moved beyond what was imaginable less than half a working life time ago. It should be noted that much software is produced by “patterns” not by either “science” or “engineering” processes.

[1] The Pinto crushed up design, the desire to get it to 2000lb dry weight and Ford changing the design process to one that halved the previous design times have all been blaimed. Likewise the changing national 301 standards during the design and production life. But the fact is statistically it was like every other US subcompact of the time. It’s been said that the real cause of the problems was not the fuel system but the drivechain that caused the Pinto to stall out when moving in fast moving traffic, thus subjecting it to rear end shunts at way above the forces used in even the most exacting of the Nationaly required tests. The reality is journalistic sensationalism and political shenanigans and the then US regulator putting their thumb on the test scales by modifing the way they carried out the test to cover their own a55.

MrC March 21, 2022 8:51 PM

I agree with SpaceLifeForm. The approach to handling dependencies taken by NPM and its imitators has always struck me as absolutely insane.

Clive Robinson March 21, 2022 9:27 PM

@ SpaceLifeForm, ALL,

Stay out of Dependency Hell as much as possible. Do not use Live code that you don’t host yourself.

I guess the question now is,

“Who is going to go over to,

And add ‘Nukes Peoples Machines'”…

Brad Templeton March 21, 2022 11:20 PM

This is far beyond a SBOM. Huge numbers of us run many software packages which are either bulk-updated or often auto-updated from a wide range of “suppliers” in a ton of countries. In the open source world, we install keys for the managers of repositories (like Ubuntu) which in theory sign packages after checking them, but they don’t really check them. When the actual official authorized developer of a package wants to insert malware into their package little can stop them. It’s a violation of trust and they may face punishment but we have little means to stop it.

This developer attacked indiscriminately, civilians and legit targets alike — a no go under the rules of war. How would we feel if he had coded it to only target specific military targets. What if the developer was in Ukraine, and a state of war existed between his nation and the target nation, and he went after only military targets? Would the doctrines of war make this otherwise unacceptable breach of trust acceptable? What if it were Putin’s computer itself?

Western companies are all ceasing business with Russians and shutting stores. What if Microsoft or Apple or others did more, and bricked people’s devices. Or simply stopped providing necessary services to them? Or further, actually attacked military targets?

No rules will stop this. If your country is going to be in a war (either one it started or one it was drawn into) you now must consider is any software updating on your system coming from an adversary — or from a source that can be compromised by an adversary. That’s a very high bar.

JonKnowsNothing March 22, 2022 12:16 AM


re: The BOM behind the S

RL tl;dr

Once upon a time in Silicon Valley before Elon was a word…

There was a software vendor that sold Financial Packages to medium size companies. Companies big enough to fork out $$$ to THEBlUES but not enough $$$ to pay anyone to be staff in-house geeks. Data Entry was OK of course ’cause of the books, and Billing Clerks were OK too, because Money Flows where Billing Goes .

This vendor had a whole prêt-à-porter suite that sat just right in the tight pockets of the CEO-Owner. The vendor sold a good number of suites and sweetened the deal by making custom modifications – just like the hamburger ad: We Want It Our Way.

Skipping to the last page of the story:

The vendor kept the copyright and full ownership of all mods. The customers thought they owned the suite outright but long before M$ figured it out, the vendor sold a “license for use” and not the source code.

One fine day, Nouveau Riche bought the business and didn’t particularly want to keep paying $$$ to the vendor. So Clever Clogs, just stopped paying the “maintenance fee”.

It was a very smart accountant (one of those MBAs that Clive rants about) that noticed a small warning that appeared on the screen about 30 days after Clever Clogs stopped paying the maintenance fees:

  Warning: Any edits on this page will not be saved.
  Warning: If you continue all data will be permanently altered.
  Warning: Call The Vendor immediately!

Yes indeed!

The smart MBA went to the master console and shutdown all access to the computer.

The Lasting Paragraph…

The vendor had inserted a whole pile of time-bombs in the source code that would trigger random or rather non-random targeted data damage if the maintenance fees were not paid.


* Accounting suite: 100% custom software by The Vendor
** List of included modules: 100% custom software by The Vendor
** List of modified modules: Bespoke or Bespoken software by The Vendor

There was no software dependencies other than those provided by TheBlues. All code was 100 created by The Vendor. No plugins or hitched on coding. Straight up EBCDIC.

The software ran just fine for many years. The BOM was lurking the entire time. Only Clever Clogs set off the fuse.

Ulf March 22, 2022 4:43 AM

@Kai: In this case, reading the changelog wouldn’t have helped; the relevant entries read “added ssl check” and “bump for ansi-regex module update”, which sound innocent enough.

What is amazing to me is that people pull in in dependency updates without apparently doing much testing.

Who? March 22, 2022 6:47 AM

@ TimH

I completely agree with his thoughts. Russians are victim of an imperialist government; they have no control over decisions taken by the russian government. They have no choice about going to war, or stay at home, most of they do not even know there is a war.

wiredog March 22, 2022 6:48 AM

@ name.withheld.for.obvious.reasons
In the part of DoD/IC I work in we use a lot of open source software. Usually a couple of years behind the latest stable version so that it can be tested for problems. Our customers are willing to pay for heavy unit testing and regression testing. A nice thing about Linux is you can build it to run a really minimal kernel with just the bits you need without having to modify the actual source.

Bob Paddock March 22, 2022 8:54 AM

Isn’t intentional Sabotage of software already illegal in most all
jurisdictions of the world? As far back as at least 1988 with Court
deciding in favor of the Trucking Company and against the software

Also The Revlon Group Inc. [Revlon Cosmetics] vs Logisticon in the
early 1990s.

See: “Self-Help Remedies for Software Vendors” by Henry Gitter in the
January 1993 issue of The Santa Clara High Technology Law Journal.
Vol 9, Issue #2.


Te Aka Matua o te Ture
Report 54
May 1999”

Gambler March 22, 2022 9:15 AM

SBOM is not a start of anything. It’s the worst kind of security theater. Larger companies will try to use things like that to make it more expensive to do any kind of development and drive smaller competitors out of business, while doing absolutely nothing that addresses the actual problem of software sabotage. This much is obvious.

Modern software is based on a lot of untenable assumptions. No one wants to re-evaluate them, so eventually the whole ecosystem will collapse. All I see from larger companies is lies about this. They pretend the whole thing is manageable. I don’t believe there is any kind of long-term plan. They just hope to extract enough resources out of the current system so they can survive its downfall.

JohnnyS March 22, 2022 9:41 AM

Major financial institutions implement “Agile and/or insert buzzword here” by senior management bringing in foreign and severely underpaid “programmers” on weird visas to hack together “business applications” using public repos of code like Node. There is no real “security culture” there, just “make it quick and push it out the door” with little to no security effort. The same senior management that brings in this stuff is almost always absolved of blame when it fails, as they have either been reorganized somewhere else or have enough minions to throw under the bus.

Do we try to write regulations to require businesses to provide proof that they have done a good security job in development (a priori), or do we try to punish those companies that get hacked because they did a poor security job (a posteriori)?

Ted March 22, 2022 9:46 AM


The SBOM is just a “manufacturers component list” little different from a hardware BOM. In both cases it indicates a probable source of a component and absolutly nothing to do with the quality of the component.

Hmm. I’m assuming lots of software is vulnerable. But let’s take Log4j for example. This code was vulnerable, then it became known-vulnerable – with a CVE.

A SBOM could tell you if this module is in your software and need to update it or take other actions.

So you’re right that a SBOM doesn’t necessarily tell you about the code’s quality. But as I understand it, it can tell you if you have certain components. And this could be helpful if a vulnerability is disclosed.

Frank Guy March 22, 2022 10:31 AM

OSS fanatics are just like the Bitcoin peddlers. At least with closed source, paid-for software you would have a company whose (brand)name and future hinges on the quality of that software.

Bob Paddock March 22, 2022 10:54 AM

@Frank Guy

“…paid-for software you would have a company whose (brand)name and future hinges on the quality of that software.”

What I’ve seen happen is the Suits put all the good assets in a new company, leave the liabilities like pensions and so called ‘Health Care’ in the original company, then the original company goes bankrupt.

It has happened in Big Pharma, Coal Mining industry, and may be playing out in the new Meta vs old Facebook right now. Time will tell.

EvilKiru March 22, 2022 10:55 AM

@Frank Guy: You mean companies like Symantec who don’t care one whit that their reputation is “friends don’t let friends use Symantec software?”

ciphertext March 22, 2022 11:36 AM

I don’t think anyone should be surprised by this event. Indeed, I’m surprised it hasn’t been reported on before. I think that as more and more events similar to this are surfaced (e.g. “protestware”, “revengeware”, “poison-pill-ware”), we will see a larger influence for regulated software. Just as you have licensing boards for medicine, legal, financial, and engineering; you will see a push for a certified or licensed software developer.

The assumption of risk (risk of loss, failure, or other calamities) for using OSS has always been 100% for people using the software (either personally or as part of a larger effort). The idea is that if the OSS code was garbage, then that reputation would “get out” and it wouldn’t be used any longer. That is still the case, but now that there is a much larger variety of sources for OSS (both OSS products themselves or proprietary products that make use of OSS) that is combined with an increase in the size of OSS projects in general, it is much harder to review the code for completeness and acceptance. When you pay a licensed third party to design and build a bridge or building, you are sharing that risk with the third party. When you pay for a vendor’s software, you are sharing the risk with that vendor. The vendor still has a reputation to consider in a fashion similar to OSS projects, but if you produced a product for sale and your product fails due to some defect in design/workmanship, then there are product liablity issues that can be actionable in a court of law.

JonKnowsNothing March 22, 2022 12:29 PM

@Ted, @Clive, @All

re: A SBOM could tell you if this module is in your software and need to update it or take other actions.

This used to be fairly standard procedures. Updates came in 2 formats:

  • Security Fixes
  • Program Fixes

For each type the vendor would list the program and a summary of the repair.

Each format had options for Install All or Selective Install.

This system was replaced with “forced updates of anything we can throw in the pot” and the result is: They broke more than they fixed.

Internally this summary is part of the Release Notes and part of the Bug Tracking System. Only the summary 1-liner is released to the public.

There are some public facing reporting systems but End Users aren’t likely to visit those sites, nor would they know what to do with the information if they happen to click there. A large number of items listed will not or cannot be fixed.

The same happens with corporate internal fix reporting systems. The vast majority will never be fixed. Often in the 10K range of no-fix/not-fixing-it code.

lurker March 22, 2022 12:32 PM

@ciphertext, “… a certified or licensed software developer.”

Would MCSE count there?

HeyItsMoo March 22, 2022 12:55 PM

@wiredog, @Clive Robinson, @ALL

That’s why SBOM is just one of multiple pillars, without which a single one will be a weak point. I work in DoD space as well, and what everyone is working towards/expecting to happen is TIC 4.0/CMMC 3.0 or whatever will incorporate requirements for:

  • SBOM
  • Code Signing
  • Static Analysis

(As such for CMMC 2.0/NIST 800-171 compliance, all of the above are sufficient, but currently unnecessary to satisfy NIST 800-171 3.4.1, 3.4.3, 3.4.4, 3.4.8, 3.11.2, 3.12.2, 3.13.3, 3.14.1, 3.14.2, etc.)

Along with promoting a best practices mindset that:

Incorporation of dependency as source code (e.g. GitHub repo) > Incorporation of dependency as package (e.g. binary/tarball); this increases the effectiveness of static analysis tools.

FWIW, most folks already do some of this at the OS level: your OS package manager is pulling down signed vuln-lists every night and comparing them to the installed packages and flagging the vulnerable ones then installing updates. As to cost/scalability/sustainability of establishing trust anchors in the rest of the software supply chain, sounds like a fallacy – if an organization like Debian is able to have a security manager that coordinates community-managed package vulnerabilities, then any bigger organization, especially for-profit ones have the capacity to so.


The latter is already the case. Pretty much every state in the US has mandated data breach reporting with financial penalties today (and EU probably has similar). Equifax paid $700 million to settle their liability over their 2017 data breach. It’s basically up to the individual company to figure out where their software supply chain is racked and stacked on their corporate risk registers. Some industries are going to have them higher (financial, healthcare due to the additional regulatory liability) than others (manufacturing, but most large manufacturers have product safety liability in addition to prior production-affecting history with things like stuxnet).

JonKnowsNothing March 22, 2022 12:59 PM

@Ted, @Clive, @All

re: [SBOM] can tell you if you have certain components … .

It can’t and it won’t. There are 3 conditions that would have to be satisfied to have even a small chance of “doing something”.

1) Large code bases have a known list of dependencies. It’s in the MAKE file. There are newer methods but essentially the compiler creates OBJ output and does round robin on dependent-cross dependent code to produce all the OBJ files required by the LINKER. If something is missing, the compile will belly up. (1)

2) There are large sets of “interpreted” or “non compiled” code. This is Run Time Code and like all Run Time Code you won’t know if it borks until you Run It. The common failure is “Works For Me but Not For You.”(2) The most common reason is found in #3. The other problem is if the developer didn’t declare a dependency on check in or omitted to provide the required subsystem. This later is found during testing. Often an Environment Setting is missing or a particular version of the compiler needed.

3) The ever handy portable code that “every” programmer carts around from job to job. It’s a set of “working code prototypes” that have already been sorted out and are Ready To Use. This differs from the public code hunks that are on the web as they are private to the programmer. It’s mostly utility code because no company has a “perfect suite” of code and utility programs and it is just a PITA to build the same ol’stuff over and over just to do text-alphameric manipulations. Ready REGEX.

The SBOM is an attempt to list all the “freeware” used by corporations. Programs the corporations don’t pay for it. They don’t pay for the upkeep. They don’t pay for the development of new features. They just Don’t Pay.

The Neocon-Neoliberal attitude is: If it’s free I can take as much as I want, as often as I want and I can profit from it as much as I can. Someone’s gotta make money from it,so why not B$-E$.

Now the corporations are attempting to back fill their own Program Sewage Systems; and they still do not want to pay.

  • TANSTAAFL: There ain’t no such thing as a free lunch

Search Terms

1) There are lots of ways a compile won’t belly up but the code is still trash. Often from a left over older OBJ in the build area. This a Build Engineer procedure problem.

2) The Bells of Hell Go Ting-a-ling-a-ling

Winter March 22, 2022 1:10 PM

If you want to hear from other people who know what an SBOM is and is not:

Open Source Security podcast
The Legend of the SBOM

Josh and Kurt talk about SBOMs. Not what they are, there’s plenty about that. We talk about why everyone keeps claiming they’re super important, and why we’re starting to see some people question if we really need them. SBOMs are part of a future that’s still being invented.

Bob Paddock March 22, 2022 1:50 PM

@lurker, @ciphertext,

““… a certified or licensed software developer.”

Would MCSE count there?”


The IEEE has been pushing for software developer licensing since 2012.

I wrote an extensive blog series on it at that time, which you can
find with a bit of searching, with responses from several state
licensing bodies to my query about licensing software developers.
Nine years on, they may have changed their positions.

My issue with the whole licensing process of software developers was
the prerequisites. If you did not have at least a four year degree you
could not even set for the test. In the sample test only Clive could
have answered some of the questions.

The issue has died and come back in various forms since 2012.
The major sticking point is how to write the test, as the area of
software is vast. For example does someone writing accounting and
inventory software need to know how to write Embedded System code, or
the other way around to pass the test?

National Council of Examiners for Engineering and Surveying was/is
also involved. They were the test administrators as I recall. When I
asked questions back then NCESS told me to contact the state, the
state told me to contact NCEES. At times things got strange with the
regulations not even knowing what software was, yet tried to cover it
with regulations for Engineers building bridges.

I know several Professional Engineers that deliberately let their
credentials laps, as it made them the target for any problem and not
Management whom failed to understand the project requirements.

In the end the only thing software licensing will do is enrich lawyers
and drive software development to places without such regulations.

vas pup March 22, 2022 3:52 PM

I guess that Government in the jurisdiction where programmer who takes own retaliation action against other users (government or private)in foreign jurisdictions when doing nothing to prevent such actions/attacks becomes accomplice and should expect retaliation actions from initial targets – cyber or kinetics.

Unfortunately, when attribution is very difficult and not reliable, then innocent casualties are very likely to happen as some respected bloggers already pointed out.

JonKnowsNothing March 22, 2022 5:20 PM

@Bob Paddock, @lurker, @ciphertext, @Clive, @All

re: the whole licensing process of software developers was
the prerequisites. If you did not have at least a four year degree you
could not even set for the test.

Software and even business certifications were supposed to show someone had a “base level knowledge” and not an “elite level” knowledge. Clive+Co are far beyond elite level.

Credential Certificates provide 2 things: Barriers to Entry and Cash Cow Re-Certifications.

There are competing certifications that are vendor provided courses. It used to cost @$10,000USD + Hotel/Food for a week long Boot Camp Cram Course with an immediate follow on of the Exams (short term memory duration). Early adopters dropped out when the money wheel started turning too fast and companies wouldn’t pay for their employees to retest.

As noted: Not a single item provided assurance that the certificate meant anything more than the ink it was printed on.

After the initial head rush of “HEY, I CERTIFIED!!!” … folks got to “I GOTTA CERTIFIED EMPTY BANK ACCOUNT”.



Note: In the USA a HIP-RIP-LOVID area had an outbreak of COVID in the schools that knocked out a lot of teachers. Teachers normally require 4yr degree and certification. Substitute teachers require certification. During that recent large outbreak of School COVID, the state dropped their certification requirements and replaced them with a 2-4 hour course, given to the National Guard, so they could pick up teaching for the sick teachers.

Clearly certifications aren’t all that meaningful.

Mr. Peed Off March 22, 2022 5:36 PM

With all software the “fitness for purpose” is on the end user. Knowing the SBOM might help some users judge fitness or unfitness. I suspect that less than 1 in a billion users are capable of making knowledgeable “fitness for purpose” decisions. The rest of us will continue with the “poke and hope” operations.

JonKnowsNothing March 22, 2022 6:21 PM


re: it’s pronounced S-Bom

ROFL – be care if you “think” you know how an acronym is pronounced.

There be dragons in pronunciation caves.

JonKnowsNothing March 22, 2022 6:32 PM

@Mr. Peed Off

re: With all software the “fitness for purpose” is on the end user. Knowing the SBOM might help some users judge fitness or unfitness. I suspect that less than 1 in a billion users are capable of making knowledgeable “fitness for purpose” decisions. The rest of us will continue with the “poke and hope” operations.

Gated by the negative funding for software of any type.

  • The larger the user base the less likely the funding.

Poke and Hope while Dumpster Diving at the Tech Recycling Store. (1)


1) tl;dr

When the various boom/bust cycles hit Silicon Valley, there were regular drive by dumpster diving parties at defunct premises. What the now-dead-stock-option company couldn’t flog at the tech auctions, went into the dumpsters.

Clive Robinson March 22, 2022 6:37 PM

@ Gambler,

Modern software is based on a lot of untenable assumptions. No one wants to re-evaluate them, so eventually the whole ecosystem will collapse.

Of your three point the short answers are,

1, Untenable assumptions = Yes.
2, No re-evaluation = Yes.
3, Economy will collapse = Maybe.

The game as you note with,

They just hope to extract enough resources out of the current system so they can survive its downfall.

But actually they care not a jot about the downfall…

They believe that they can take the value and “skip out to somewhere or something else”.

That is they do not believe in “total colapse” just “partial colapse” and they think they will be “smart enough to know which bit will be colapse proof”.

If you have any doubt about this look up the long history of “water rights wars” and who currently are buying up all the water rights they can get their hands on legaly, by illegal extortion, or force majeure.

But I’ve predicted for over two decades now that whilst history has “water wars” as the ultimate control via denial of agriculture etc. I’ve been looking at “energy wars”. The US has since the 1980’s been running as a matter of foreign policy a way to control the worlds energy supplies, not just the dwindling carbon fossil fuels, but nuclear and more recently “alternative” energy sources.

This “control of energy” is yet another form of warfare, some would say worse than “bombing them [nations] back to the stone ages” to stop independent economic development, thus the ability to get out from being the equivalent of vassle states for the US and other alleged Super Powers. The point being as water is fundemental to agrigulture thus feeding your population, energy is fundemental to any kind of industrialisation that lifts your population out of poverty and enslavment/serfdom.

Thus a plan thought up by the economists behind the German National Socialist party, carried on into the current EU. Put simply quite a number of industrial regions can not feed themselves, so they are actually vulnerable to food supply control[1]. So the plan is foist huge debt on certain nations so they are forced to remain agrarian and feed the industrisl regions at low cost. Look at what has happened in the EU with the North beggering the South and asset stripping them of any viable industry. In a smaller way look what happened with Spain and the Catalan. Most of Spain is bankrupt beyond recovery, so they are doing the “Parisitic Empire” routien on the people of the Catalan[2].

[1] Something not lost on Putin, see what petcentage of the worlds grain comes from Rilussia and the Ukrain combined.

[2] Which is the fate Russia keeps inflicting on other parts of the world. Putin’s “Strong Russia” is predicated on slavery anf serfdom and worse. Basically what Russia has always done for the last 600years or more, rather than actually develop a real economy. The fate of Russia is always the colapse of it’s parasitic empire. You only have to look at the history of Spain to see what is going to happen to Putin’s Russia. He can not avoid it and stay in power…

JonKnowsNothing March 22, 2022 7:52 PM

@Clive, @All

re: [Russia needs to] develop a real economy

To the last syllable of recorded time …

All of “Western” Europe (and North America) have all tried to get Russia to develop a “real economy”, meaning One Exactly Like Ours.

Of course the “Ours” part depends on who is doing the speaking or dictating or invading.

The truer terror is that Moscow is more Eastern than Western and has had long ties with China along with wars too.

The “real economy” wanted is the one that can take Russia’s Resources for the Least Amount of Money or War Dead.

This hasn’t changed in 1,000 years. It is not likely to change this year either.

What continues is the salivation of disaster capitalists at the continued destruction and displacement in Ukraine. All those cities now people free and bombed out; ready for western integrated surveillance & development. Not all that much different from what was there before, and the millennia before that.

And all our yesterdays have lighted fools
The way to dusty death.


Search Term

The Tragedie of Macbeth is a tragedy by William Shakespeare. It is thought to have been first performed in 1606.

(from Macbeth, spoken by Macbeth)

Tomorrow, and tomorrow, and tomorrow,
Creeps in this petty pace from day to day,
To the last syllable of recorded time;
And all our yesterdays have lighted fools
The way to dusty death. Out, out, brief candle!
Life’s but a walking shadow, a poor player,
That struts and frets his hour upon the stage,
And then is heard no more. It is a tale
Told by an idiot, full of sound and fury,
Signifying nothing.

I quite like the section about the “poor player who struts up on the stage”; a clever double or triple entendre.

HeyItsMoo March 22, 2022 8:05 PM


re: There be dragons in pronunciation caves.

In the manufacturing industry (especially the defense contractors; as you know the military loves their acronyms) the Bill of Materials (BOM) is pronounced /bɑm/. A Software Bill of Materials (SBOM) is thus pronounced /ɛs.bɑm/. This is well characterized, but you have to be in the industry where this stuff is hot to know it. (Who’da thunk that the “SQL” in “SQL Server” is pronounced /ˈsiːkwəl/?)

One of the interesting intersections here remains between the military-industrial complex and software industry especially in the original context of weaponizing the software supply chain. Concepts like code signing, SBOM and how they relate to zero-trust are hot topics in government now, specifically between US DoD and their relationships with contractors.

lurker March 22, 2022 8:12 PM

@JonKnowsNothing: The Play Whose Name Cannot be Spoken.

Beware the tradition that says those who utter the name of this play will suffer misfortune in the same measure as the anti-hero.

If Birnam Wood should come to Kyiv then we are all lost.

JonKnowsNothing March 23, 2022 12:45 AM


re: If Birnam Wood should come to Kyiv then we are all lost.

I would have thought it went differently. The arrival of Birnam Wood heralded the end for MacBeth.


Though Birnam Wood be come to Dunsinane
And thou opposed, being of no woman born,
Yet I will try the last. Before my body
I throw my warlike shield. Lay on, Macduff,
And damned be him that first cries “Hold! Enough!”

It might be better to cast the 3 witches in the roll of All is Lost. Certainly someone(s) bewitched Ukraine that Nothing Would Come Of It.

When shall we three meet again?
In thunder, lightning, or in rain?

When the hurly-burly’s done,
When the battle’s lost and won.

That will be ere the set of sun.

The hurly-burly’s not yet done in Ukraine.

Clive Robinson March 23, 2022 1:50 AM

@ JonKnowsNothing, Ted, ALL,

This system was replaced with “forced updates of anything we can throw in the pot” and the result is: They broke more than they fixed.

You forgot to mention that “forced updates” was not just “Security Fixes and Program Fixes” it became a way for companies to incrementally own a persons comouter in a way the actual system owner could not stop. Including forcing people to download an entire OS they did not want[1].

The result was an increasing fraction of people resorted to any method they could to stop such downloads, especially Microsoft Downloads, that lets be honest have long been seen as “Malware” in their own right.

The result was that with increasing frequency these “patches” got reverse-engineered by various unsavory people from basic criminals through non-domestic inteligence agencies, into companies pretending to be assisting to “law enforcment” but in fact pandering to the whims and wants of mentaly diseased individuals in positions of power[2] for significant profits (Can anyone say NSO Group, or what was that bunch in Italy that got hacked and had vast amounts of internal documentation “liberated”).

Such is the downside of “responsible disclosure”…

It’s in part why I don’t mention the things I used to do with regards to my own research not just in detail but at all.

Also why I’m sitting on a growing pile of vulnerabilities some going back more than a quater of a century.

Think of the dilemma as one of those impossible to answer “Ethics 101” discussions. Where all you realy end up realising is that “for the common good” means nothing of the sort and just plays into the hands of the “might is right” brigade for whom no aberant act is too vial or bestial not to be used at the whim of those in charge.

Thankfully as I’ve found, is that if you sit on “code” vulnetabilities for long enough, they eventually cease to be relevant (except in Microsoft’s case). Because applications cease to be used, deficient libraries get replaced, and new languages cause total re-writes.

But the reality is “code” is the least of our worries. I’ve pointed out publicly for most of this century that Level III attackers would abuse,

1, Implementations (code)
2, Protocols
3, Standards

And that attacks on Standards would be valid for decades if not effectively indefinitely. Just to prove me right the NSA have been “caught out” in all three areas in that time.

This does not make me some kind of “Evil Genius” there are without doubt a lot of people way smarter than me around and certainly a lot more evil depending on your choice of measure.

Our host @Bruce has for years pointed out that some have a talent for “thinking hinky” or as he very recently indicated the very real issue of looking at things and seeing not just how they work, but how they don’t work or can fail. That is seeing not just defects, but how they can in turn become not just vulnarabilities, but actual attacks and full breaks. Some think it is some kind of “gift” or “special talent” personally I think it’s a curse. Because I’ve also been “blessed” with the ability to see why what looks like a good idea can have within it the seeds of it’s own destruction or failing.

Over the years, I’ve come to realise that everything I do and more importantly say has consequences, and all good implicitly has evil as well and it can not be avoided. That is anything that is usefull as a tool is implicitly usefull as a weapon, and all weapons can be used not just for defence but attack as well. There is no such thing as “pure knowledge” that is to abstract for it not to be used directly or even inadvertently for harm.

A lesson from history that might be four thousand years old, we simply do not know.

A search for a way to improve or extend life resulted in the white crystals found on putrifing waste piles (AKA “middens”). Which were thought to be some kind of frozen life force being cooked up with something that was known to preserve food and the like from putrification effectively indefinately which was honey. As such the result is mostly harmless but could “thin blood” which can actually extend your later life (think Warfarin and other blood thinners reducing your risk of heart attacks and strokes).

However “over cook” the mixture and the sugars in the honey break down and become a way more accessable fuel if not actual carbon. The result for the unlucky experimenter an explosion of what we now know as a form of low grade explosive. However as far as we can tell this explosion was actially seen as a sudden release of “life force” thus indicative that they were on the path to vital knowledge. But how many thousands or millions have been killed since by the gun powder that it was?

Gun powder is not inherantly good or bad, it has no agency of it’s own. It’s what a “Directing Mind” does with it, as seen through the eyes of an “Observer” that decides good, bad or evil.

As I know a bag of very finely milled and dried flour can make breads, pastries and cakes. But also mix in enough air and a small spark turns it into a very crude “Thermobaric bomb” or “Fuel Air Explosive”(FAE/FAX) of devistating power under certain circumstances[4].

[1] Actualy costing some people thousands of dollars in “mobile phone charges” as they could not stop the likes of Microsoft forcing downloads of gigabytes of unneeded, unwanted, and increasingly extreamly questionable software that could and did end up breaking peoples computers.

[2] Such as those tyrants, despots and worse that think nothing of stealing vast unimaginable amounts from the national treasury to inflict pain, suffering, torture and death, not just on the subjects of their own country who arguably could dipose them. But anyone anywhere in the world who happened to point out what these despots and worse were[3].

[3] One such example of the ilk being The House of Saud and it’s current leader, who spent unimaginable amounts trying to destroy the reputation of “The Man that is Amazon”… Apparently for daring to point out that the leader of the House of Saud had a journalist not just killed but butchered, whilst possibly still alive…

[4] Even accidental very inefficient fine powder explosions are more than sufficient to destroy entire dock side silos and other storage containers. It does not even need to be a fine powder, the wheat husks we call “bran” will also cause explosions, even though bran is normally so dificult to burn you can use it as a fire retardant. But flour is not the only hidden danger in your kitchen cupboard, as Mythbusters were fond of demonstrating “non-dairy whitener” you put in your coffee is also easily made into an FAE… Then there is that shimmer above hot oils just below their flash point temprature… Credited as the most powerfull conventional weapon at the time of it’s development back in 2002 is the US Air Force parachute droped GBU-43 nicknamed the “Mother Of All Bombs”(MOAB),

The MOAB is a conventional “big iron” bomb not an FAE, but is so powerful that one of the reasons they decided to declassify information on it was that they could be made so powerful, that the results could be easily mistaken for a small tactical / battle field nuke like the Davy Crockett when reported back, so cause a nuclear response by an opppsing force. But the MOAB or “super daisy cutter” is almost as a sneeze compared to thermobaric FAE weapons capabilities. Russia claims it’s FOAB which is an FAE is more than four times as powerfull as the MOAB but in a smaller package. Certainly tests carried out on prototype FAE’s found they were easily capable of fliping tanks over at more than a hundred meters under favourable conditions with sustained burn temperatures with “flare material” loads up in the 2000 centigrade range (think thermites and above).

For various reasons thermobaric weapons can be truely horrific weapons, but… Of not much use in “open field” conditions as the Russian’s found in Afghanistan. Thermobaric weapons work better in mountain and similar semi-confined areas against “cave complexes”. Variations made as “smart weapons” work against bunkers, hence the term for some thermobaric bombs of “Bunker Busters”.

Denton Scratch March 23, 2022 8:40 AM

The IEEE has been pushing for software developer licensing since 2012.

Gas fitters and electricians are licenced. They have to receive training on the latest standards and equipment each year. No sane person would hire an unlicenced gas fitter or electrician.

Licencing programmers seems to me to be a train that is going nowhere. If this country introduces mandatory licencing for programmers, we’d suddenly cease to have a software industry – all programming would be done somewhere that doesn’t mandate licencing. Software can be imported from India at zero cost; but a gas-fitter in India can only install gas boilers in India.

For an electrician, the required training includes essentially everything you need to know to do the job. How’s that supposed to work with software? Do you have to demonstrate expertise in every programming language that’s still in use? Do front-end web developers have to be expert in COBOL?

Or perhaps certification is by discipline: so maybe front-end developers only have to demonstrate expertise in Javascript, HTML and CSS. So how many certifications do the IEEE think we need? Is it forbidden for a certified front-end developer to work on a PHP back-end? Does that mean that a software company now needs to hire 6 people to do a job that was previously done by one?

It makes no sense; unless you (IEEE) are hoping to make money by providing training and certifications.

Clive Robinson March 23, 2022 10:54 AM

@ Winter,

With regards,

Open Source Security podcast The Legend of the SBOM

Thst’s half an hour of my life I’m never going to get back…

@ ALL,

The takeaway,

1, SBOMs might help with licence managment.
2, SBOMs are not usable by humans only robots and tools.
3, SBOMs create major data managment issues (think diffs on steroids).
4, SBOM tools are increadibly flaky.

And for what gain / advantage?

Appart from,

1, SBOMs might help licence managment.
2, They might one day answer questions you have not yet had a reason to either think about or ask.

Oh and importantly, people not only think SBOMs are hyped, they think the hype has peaked and is subsiding significantly already before they’ve even been used by the majority of people (who now probably never will unless they want to do US Gov contracting).

The two most important things you will learn are Squirrels are omniovors and what they excreate smells because of it. So save yourself a half hour of your life for something more enjoyable like sticking your head in a tumble dryer…

Winter March 23, 2022 11:21 AM

“SBOMs are not usable by humans only robots and tools.”

The point of the whole podcast series is that things like log4j ao have shown that security for a large organization can only be done when using automation.

What use are SBOMs? They allow you to track your “supply line”

Can that be done by hand? NO

Is this materially different from tracking FLOSS licenses? No

It has to be done, which means the build tools will have to be changed to tack the SBOM and warn when something changes/is afoul.

We are not there, but there is no other route for improving security at scale.

Clive Robinson March 23, 2022 11:30 AM

@ Bob Paddock, ALL,

With regards,

In the end the only thing software licensing will do is enrich lawyers and drive software development to places without such regulations.

You forgot to mention that the users of software will also move, so it will not be just software developers moving to eastern mongolia or some other such place, other jobs will go there as well due to keeping supply / manufacturing lines short.

Software licencing is as silly an idea as saying you have an “Engineering licence” that covers all asspects of engineering.

You would need hundreds if not thousands of different domain sublicences, many of which would overlap in many odd ways. Thus you would need a hierarchy of licences with foundation licences.

For all the fact I deride the artisanal way of software development and say it should have a more engineering focus (which it should). Software developers actually have to know way more than Drs, Lawyers, Accountants, and most other “profesionals” because there are no stable niches in which you can stay and become a life long expert, many come and go in a very short time. The reason is the “software industry” only became an industry maybe fourty years ago, and it has not developed even usable “metrics” yet. In engineering terms that takes you back to the days of steam power, where any half way competent aryisanal wheel wright or blacksmith started making boilers.

Engineers and science as we know them were born out of death and destruction created by artificers who did not know there was a better way, and they all wantd to cash in on the future…

Well two major things are different with software and boiler development,

1, In the main awful as it is software does not cause destruction and death (well OK when peoples rage boils over or the stress turns their arteries to pipe clay).
2, We know there are way better ways to do software development (but they take time and resources which managment don’t want).

When you talk to software developers that have degrees and higher degrees, many did not go down the CompSci route, software was just some part of what else they were doing. Further they know there are better ways, but unless they are in very niche areas such as ultra critical safety systems, then they know managment won’t go down those routes…

Where we realy need licences is not in the software development and support people but in those who manage them…

Quantry March 23, 2022 11:34 AM

Re: avoiding dependency hell; Too late.

Have a look in the source of this blog: Dependency hell.
At least 80% of the planet ignore your basic warning.

Try applying for a job: Third-party human-resources Dependency Hell.
Your boss lies on your separation slip to get you “LEGITIMATELY” fired…
you’ll never work again. Got lucky, but a second one lies?…

Rebuke a gang of thugs in gov’t, for a murder and various other immoral acts?…
Justice Dependency Hell.

Carry a cell phone?… Mercenary Dependency Hell.
Just let the smug remember this warning:
Isaiah 39:4-7.

Sincerely – the walking RFID beacon.

SpaceLifeForm March 23, 2022 12:29 PM

@ Quantry, Clive

Have a look in the source of this blog: Dependency hell.

Yep. Noticed that long ago. It is nuts to have this site pull in Live code (JavaScript) from CF. It is not that large.

I’m not saying CF is going to crash and be inaccessible, but the Live code could become broken. It could be rug-pulled as happened before.

It is also a tracking method.

This is why I said you must host it yourself.

Bystander March 23, 2022 3:29 PM

Hardly surprising…

I am surprised that the discussion has not veered into the direction of software development for functional safety.
Though it might not be directly related to the subject, this is the field of work where you find processes, structures, rules and conventions to create software your life can literally depend on.

It is no 100% safeguard, but applying the principles laid down in e.g IEC 61508, DO-178C, ISO 26262, MISRA C and the likes would be the first step into the right direction.

The reason why this approach did not find widespread application is that is not compatible with the en vogue agile methods which are eagerly applied neglecting a sound architecture.

MISRA C tackles specifically the complexity and dependencies in software development.

The downside?
Software is way more expensive.

There you have the reason why this is only applied where the pressure is high enough to do so.

This is not the case for the incident described here.

So – how to increase the pressure?

JonKnowsNothing March 23, 2022 5:20 PM

@ Clive, @ Bob Paddock, @ALL

re: Software developers actually have to know way more than Drs, Lawyers, Accountants, and most other “professionals” because there are no stable niches in which you can stay and become a life long expert, many come and go in a very short time.

This is really a critical issue in all software. Folks exiting a US U with 4yr degree don’t know much about business or how anything works.

  • They don’t know a transmission from a transmission from a transmission.

In order to develop some sense of what your are doing you need to learn the what’s where how and why’s of what the business is doing no matter where you land. It’s not enough to know CompSci stuff you need simpler stuff like how to left justify an address line from right justified data without some formatting app to do it for you. If you are designing critical items you need to think and work not just to the design but also with how the mechanics work.

Like Mats Järlström in Oregon, who got into beef with the Engineering Society in Oregon because he had an Engineering degree from EU but not in Oregon (no reciprocity). Plus he figured out there was a timing flaw in the stop light timing system because left turn vehicles take longer to clear the intersection than right turn vehicles so the yellow light needs a longer timer.

A very clever example knowing how things can work was in a How They Make It type film. The company had an old production line and a new production line. Stuff had to go from the old line to the new line. The old line was fully automated except a person had to cart the heavy finished item over to the new line and set it on the conveyor. The Thinking Folks reconfigured the pathway between the lines to be slightly down hill. The product was very durable, not fragile. The moved the product exit point slightly higher than before. They build a spring loaded cart. The box dropped from the old machine onto the cart winding the spring. The cart rolled down the slope to the new line and bumped hard sliding the box onto the conveyor there. The wound spring uncoiled and move the cart back up the slight slope ready for the next drop.


Def Transmission:

  • vehicle gearbox
  • a message
  • spread of infectious agent

Search Terms

Signal timing

Mats Järlström

Oregon USA

Clive Robinson March 23, 2022 6:20 PM

@ vas pup,

Unfortunately, when attribution is very difficult and not reliable, then innocent casualties are very likely to happen

Also there is another issue that few think about and is covered under the doctrine of first strike, and similar.

If I make a harmful action against another nation then it can be used by that nation as a reason to unleash a massive “defense response”.

It does not matter if I am,

1, A person under flag on active duty
2, A person under flag not on active duty
3, A person who is a civilian carrying out their assigned job
4, A person who is a civilian not on their assigned job.
5, A person acting on the orders of another nation.
6, A person from another nation using the territory of my nation to take action

Or similar, by international treaty it becomes the “first strike” which is probably illegal, but the response even if grossly disproportionate is perfectly legal.

You’ve only got to look around the world to see many claims that a much inferior nation made the “first strike” which a belligerent nation, primed and waiting on the boarder then uses as the excuse to invade.

Almost every year the US and South Korea have had “war games” of some form or another where they deliberatly fire towards the North Koreans. Normally the North Koreans do not respond to such provocative action. Then one year the US/SK over played their had and fired into “disputed territory” and NK responded in a fairly obvious way… When it was pointed out that as far as NK were concerned they were firing into their own territory that had been illegally invaded, that legal trickery flipped on it’s access.

Thus any activity against a known armed beligerant, they can claim is hostile, even though provoked can be used as an excuse to launch an overwhelming counter response/strike legally. Hence there can be immense value in “False Flag” activities.

Whilst I can very much understand people wanting to come to the aid of a quite and peacfull state being attacked by a hostile and beligerant nation hell bent on “occupation” or worse, they have to realise that their actions carry consequences way beyond the act of making an active protest.

It’s just one of the many reasons I was horrified when US President Barak Obama made “cyber-crime” equivalent to “kinetic action” thus promoting it from “crime” to “first strike”.

Many people are looking for “legal excuses” to carry out what would be illegal activities, and giving them what they want is “playing into their hands”…

Sending munitions so a nation may “defend it’s self” is not a first strike or illegal activity. Lending yourself for “humanitarian aid” to that nation is again not a first strike or illegal activity. However picking up a weapon of whatever kind without “being under that nations flag”, effectively makes you a “hostile beligerent”, “foreign agent”, “mercenary”, or even “insurgent” or “invading force”. Using that weapon is “an act of war” that has consequences on your home nation and thus it’s civilians like your loved ones you left in what you thought was the safety of home…

I don’t like it, but those are the rules we arived at over the last half millennia or so, designed to protect civilians on both sides and third party civilians as well in neutral territory, hence the complex rules about vessels of war and neutral ports.

Making cyber-activities “acts of war” was one of the most stupid things anyone can do, because those so called “cyber-weapons” are not weapons in hostile hands. They are mearly a set of instructions that have been given for agents or second party entities to follow. Those agents belonging to the second party are technically treasonous even though they may have no agency, but just appear to.

Just thinking about it is enough to make your head spin and give you sleepless nights, but that is the trouble when you have “active agents without agency”(computers) not just visable to others but accepting of the instructions of others…

Clive Robinson March 23, 2022 9:40 PM

@ JonKnowsNothing, ALL,

All of “Western” Europe (and North America) have all tried to get Russia to develop a “real economy”, meaning One Exactly Like Ours.

That on it’s surface is a form of “tribalism” which is not what is needed, in fact it’s about the worst thing possible for all of us.

There are three ways a “tribe” can exist long term,

1, Self sufficient thus issolated if they wish, and are alowed to be.
2, By being a parasite, in one way or another, what you might call a “criminal enterprise” which is the way of those we alow to lead.
3, By trading with other tribes, allowing the build up of expertise that would not otherwise exist, and the forming of an interlocked commonwealth by which all move forwards equitably.

What you semi-sarcastically call “One Exactly Like Ours” is actually “us” being a parasite off of “them”. As most know where there is a “them and us” viewpoint trouble follows every time.

It is a way of oppression and theft, where “we” force “them” into being a vassal state of slaves and serfs, so we can “asset strip” them and leave them with nothing of worth. There is no “long term” existance in that for “them or us”.

Call it a “Deniable Empire” where “we” take the benifits but give non of the “protections” or benifits to “them”. But most importantly “we” use it to pretend we are some how the occupiers of the “Moral High Ground” where as in fact “we” are being about as bad as it can get on the evils of “might is right” spectrum, whilst fooling ourselves we are being “beneficent” etc.

Such hypocrisy was given a name back in the 1800’s it’s called “Playing the White Man’s Game” and a look at the activities of the “merchant venturers” through history will tell you a lot about how it fails.

Such Empires always end, as the flow of treasure / spice is one way by oppression and it becomes endemic. So such Empires are unstable and often end badly. A look at Spanish history through to what they are still upto tells you just how iniquitous and destructive such behaviour is.

The underlying problem is a “parasite” does not evolve inteligence, or skill or move forward. It gets trapped in a mindless cycle of bloodsucking, rapacious behaviours from which it can not escape.

The reason is to quote the words of a song,

“The subtle whoring that costs to much to be free”

Of lazyness and indolence, in the good times the treasure flows in and it is used foolishly to buy pointless status symbols, thus the treasure flows out. The problem is gain by buying is not sustainable only gain by learning and applying knowledge is.

That is to be sustainable each participent in trade has to have a “value added” process. It is the excess value from that process that in part sustains the population in the present, and the rest if invested “in our future” rather than squandered in our present makes it sustainable.

The other issue is resources that become waste, have to become resources again in a bound environment, which the Earth effectively is.

Appart from energy that comes from the Sun, we live in a bound but leaky environment that is actually “running down”. That is we are loosing to space noble gasses like helium, hydrogen etc as well as life sustaining gasses and molecules. At the other end radio issotopes are decaying down towards the likes of iron. We are lucky in that we have a moon that imparts energy into our planet and keeps the core molten which in turn gives us a significant magnetic field that creates a bubble around the planet that deflects much of the “Space Weather” that would otherwise have stripped our atmosphere away by now.

So we have a dwindling set of resources, a growing population and a realy bad non recyclable polution problem.

That is few realise that the ultimate form of polution is the heat from ineficiency of work. Every thing we do is “work”, and requires energy input, but it is all inefficient. Which causes energy to go from a coherant usable state to an unusable incoherant state of random movment or vibration of atoms and sub atomic particles by a number of processes the dominant of which is radiation transport. Together those processes give us the effect we call “entropy”. That random vibration is what thermal energy is and if it can not radiate away, then by logic the planet will heat up. Thermal energy by it’s very nature is “destructive” thus adding to the overal entropy effect. How we reduce this is currently a matter of some debate, with many behaving the way Nero was alleged to do, which is “Fiddle whilst Rome burns”.

If such people are alowed to have primacy, then the end will come rather quickly. Trade by which knowledge is gained gives sustainability of the resources we can hang onto. Unfortunately that is not enough, as resources are being lost.

Only knowledge and it’s application through science and engineering will get us to the point we can,

1, Reverse the resource loss.
2, Sustainably manage thermal polution.

If we don’t then we know we are doomed by simple logic.

Howrver there is another issue that is even more contentious which is “population growth” that has enabled us to hide another issue which is “increasing life span”.

I’m not going to go into them but I know you are aware of just how contentious they realy are (from HIP discussions).

The upshot is two things are needed to ensure the survival not just of humans but the ecosystem we call earth,

1, An equitable commonwealth.
2, Getting out of the gravity well.

If we fail to do both whilst we still can, then the Earth’s fate is sealed. Then the only subject left to argue about would be when and how, it will end for “all of us” not if.

JonKnowsNothing March 24, 2022 1:30 AM

@Clive, @All

re: [an] even more contentious which is “population growth” that has enabled us to hide another issue which is “increasing life span”.

Both of these issues are going to rear up PDQ and a number dystopian outcomes are on the books over reproduction rates, reasons and rights.

Animals under normal population environments find a balance between food sources and population size. This does not mean equilibrium. It means a teeter totter swing effect from growth = over abundance of food and decline-starvation = reduction of food.

Humans constantly mess up this balance for nearly every creature because of our view of

  • “[Let Man] have dominion over the fish of the sea, and over the fowl of the air, and over the cattle, and over all the earth, and over every creeping thing that creepeth upon the earth.”

which fits the neoliberal-libertarian view that any “unclaimed resource is Free to Take and Take as Much as they Like”. It’s also a driver for enslavement, serfdom, peonage and other forms of human exploitation: If a being can be classified as “under dominion” it can be claimed, harvested and used.

This same attitude has cause imbalances in certain countries because their view of their own population was that their people are interchangeable and the higher tiers required, demanded, and enforced “duty and dedication to The Work” at the expense of “Personal Life Choice”. (1)

A round about way of getting to: They worked their population so hard and so long there was no incentive and no funds and no time to raise families. Japan and China are both examples now struggling to find population growth long after the normal “time frame” for people to have families.

Other countries seeing the writing on the wall, are attempting to enforce population growth even though people are struggling with the same unaltered issues: no incentive, no time, no funds. The USA is a veritable yo-yo on this topic and going from State to State you can find most of the permutations used around the globe.

  • We want families with children but we don’t want parents to take time from The Work to have children, we don’t want to pay to raise and feed them, and we don’t want to pay to educate them.

In a recent conversation with a person familiar with End of Life issues and the effects of Aged Deaths from SARS-CoV-2 with collapse of the older population that was left “unprotected contrary to assurances” and who’s vaccine status is now dwindling faster than the rest of the population, I made some observations about the Bank of Mom and Dad(2) and the nature of a virus.

  • The virus is opportunistic. It doesn’t have a mind or direction. It doesn’t decide to do X or Y or Z. It is parasitic and simply takes advantage of “abundant food source”.
  • Governments have figured out how to take advantage of the virus. A regular cycle of ForEverCOVID cleansing the older population off the planet. Every 2-3 months another mini-cleansing cleans out the Bank of Mom and Dad.
  • An unexpected side effect of Omicron is that it also affects younger people. Governments hadn’t counted on that. They had expected a generational renewal of interchangeable workers, dedicating their lives to The Work.
  • Clearing out the Bank of Mom and Dad may still outweigh the loss of some young workers to Long COVID.

It wasn’t really that much of a surprise, other than connecting up a few of the dots for them. For sure they had seen plenty of morgue trucks over the last 2+ years.


1) In the USA this could often seen with programmers sleeping under their desks. I kept a sleeping bag in a desk drawer for just those occasions.

2) My posts on the Bank of Mom and Dad maybe found in the archives or on the Wayback Machine.

SpaceLifeForm March 25, 2022 4:07 PM

@ Clive

I guess some are paying attention.

As I noted 4 days ago…


An SBOM that lists Live code hosted elsewhere is not going to prevent potentional problems, because there is no way to enforce any version control.

From the El Reg article:

This involves using high version numbers (e.g. 99.10.9) in the hope that internal npm private proxies – set up for fetching code from an internal registry – are configured to look for new versions of existing packages first from the public npm Registry before falling back to the local registry.

You must host any Live code yourself.

Lock it down, never look outside, until you vet it. This is basic SCM.

Clive Robinson March 25, 2022 5:03 PM

@ SpaceLifeForm,

As I noted 4 days ago…


But it’s worse than that… They insist the handling of the SBOM can only rationally be done by “Robots and tools”…

Well how do I put it…

A human seeing the version number of a part jump massively, would more than likely say,

“Hang on a moment why?”

Thus dig further, and ask others.

A robot/tool just checks “which is bigger” and thus gets slamed off the rails of any journy to a local repository to some distant place of hurt and pain.

OK I think we can expect the tools to get some kind of update to reduce this specific issue in future, but it’s going to have lots of issues in ordinary usage…

But that’s not the point, people need to consider. Consider a human mind with leys call it malicious intent, will think up ways to cheat any automated system out there that is above even rudimentary complexity (and version numbers easily crosses that threshold). Importantly those of malicious intent will carry out tests with thos “robots and tools” till it finds a way that works, then they win (and always will do[1]).

We see this with Malware and AV systems.

The thing about SBOM’s is they are at best a very lousy “audit system” that without one heck of a lot of human interaction will fail and fail over and over again…

The reality is the people thinking this SBOM nonsense up are at best on an “academic self-abuse trip” and those they work for/with see a new “Enterprise Tools” market to fleece lots of money with.

If people think I’m wrong then three rules apply,

1, They have to say specifically what they don’t agree with point by point –with no hand-wavery.

2, They have to, evaluate with logic and present their formal reasoning.

3, They have to stick around when things with SBOMs inevitably fail to do anything other than past tense audit, and go through why their reasoning failed.

[1] To see why draw up even a modetately simple specification. Then work your way through every potential state transition and write a bullet proof state machine… Only you will find you can not do that, for a whole heap of “usability issues”. Oh and folks please do not imply “Machine Learning” or “AI” will solve this… We already know it won’t currently and if history is anything to go by won’t any time soon if at all…

JonKnowsNothing March 25, 2022 10:28 PM

@ Clive, @ SpaceLifeForm

re: Automating Failure

There have been many many schemes to attempt to “automate” auditing, validation and bucket loads of other things that tend to go “TUP at 3am”, and all of them are failures.

Some more spectacular than others.

Any system that enforces strict rigor, fails because people just cannot tolerate doing it “by the book 24x7x365”. They find oodles of ways around any thing they consider a road block or unnecessary red tape. And they shoot down the entire product chain by skipping the mandated steps.

Even if you “educate” folks about why you need to do “THIS before THAT”, they just won’t do it.

A Classic example in bug databases:

* Please describe the fix being submitted. (a required field)

One might expect a description of which files, variable or logic was touched by you will get:


Then you escalate by blocking certain key words hoping to get a description… What you get is:

*NULL CHARS in the field.


Because the Dev wrote their own submit routine omitting the required, hated, and despised description field plus omitting a lot of other fields too.

The borkage shows up when you have to do search or report and find the field in the database is all NULL CHARS.

* The Retort: It’s a “cleaner” submit process.

You might very well ask: You want a clock with that? I couldn’t possibly say.

filobus April 17, 2022 1:58 AM

This is laying mines on a beach.
You think your enemy will be killed, but it could be a child, it could be even yours.

Proposed solution is a start, the best solution isn’t technical, is education, is giving example, is respect (for yourself and others), is (sorry for being banal) love.

Michael Vielhaber April 18, 2022 9:57 AM

Only remedy I see (for the critical stuff, rest is and will be doomed):
LESS People.
Smarter people.
Real software engineers.
That implies mostly male, white, not too young.
That implies no trans-stuff, no codes-of-conduct. No diversity mixing.
Go woke, stay broke.
Back to C++-14, F99, Eiffel – no “scripting”.
Stand-alone monolith, no reliance on outside libraries (except the language itself and Boost-like stuff).

Clive Robinson April 18, 2022 5:47 PM

@ Michael Vielhaber,

Only remedy I see (for the critical stuff, rest is and will be doomed):

Every thing is “doomed” in one of two ways,

1, It evolves into something better.
2, It comes to a cessation.

The first is “evolution” the second covers several things but most important is “entropy”. Like it or not eventually evolution has to come to an end, as it requires work to be done.

Entropy is the decay of energy states from coherent to incoherent. Work can only be done when there is sufficient coherent energy available above the incoherent thermal background.

As for,

LESS People.
Smarter people.
Real software engineers.

I’m known for my view that “software engineering” is not “engineering” nore is it something that is done by far the vast majority of developers and coders. Put more simply the majority do not follow any recognisable engineering methodology.

Is that their fault? Mostly no, it is the fault of consumers, shareholders and managers. We’ve been through the arguments for and against this many times on this blog. The result is usually, reason and logic -v- wishy-washy argument that somehow engineering fundementals do not apply… Because well “software is creative” endevor followed by hand waving and that people tend not to get injured or be killed by bad software, so it’s somehow acceptable.

Which brings us to,

That implies mostly male, white, not too young.

Which in the main describes people who do the “engineering / science” methodology on which we build the real physical world. Not the “artisanal patterns” of try and try again of hunt and peck solutions that still in many cases bares no relation to physical reality.

The question thus is “Why the specific group are of this type?”.

Something that has been noted since the late 1980’s is engineers tend to have high IQ’s but lower “social communications” skills, and be quite a bit further up what we now call the autism spectrum than others. They tend to have few what they consider “real friends” but the normal levels of people they are acquaintances with. They also tend to get not just married later but have children later in life. Further that engineering had a parent to child pass on (about 15% higher than other occupations).

It was this “late children” that for a couple of decades various investigators assumed might be the root cause of engineers being higher on the autism spectrum including the “Old gametes are bad gametes” and similar arguments. Something that is now increasingly seen as a false notion.

Which brings us onto,

That implies no trans-stuff, no codes-of-conduct. No diversity mixing.
Go woke, stay broke.

All societies have “codes-of-conduct” they are a fundemental part of any social grouping. Anyone who puts “Personal Rights above Social Responsability” is generally a self entitled person who sufferes from one or more of the “dark mental deficits” of narcissism, sadism, Machiavellinsm and being a psychopath. Resoning and logic deduction tend not to be high on their list of attributes.

As for the various SJW activities, in times past we had “Political Correctness” and before that various other sniffy type “I’m more moral than you are” type behaviours.

On analysis such people are not the success in life they think they should be or particularly held in the esteem they believe they are entitled to (unsprisingly). By and large they are disruptive in their aproach to life and insist their view is somehow more valid than anyone elses, that rules do not apply to them etc. They get called many things such as “Passive Agressives”, “Karens” and similar. Because they tend to be petty and small minded and suffer from stunted or abnormal behavoural development and have a strange form of vanity.

Because of their often limited abilities, the are very careful to avoid anything where logic, reason or plain facts will show up their inabilities. They can not live in an environment where they might be held accountable or shown to have been wrong. Thus they “crab sideways verbally” and do not commit on paper on any other way in which they might be shown to be wrong. If challenged they will blaim others, usually by saying the other person did not understand or just flattly denying.

They are therefore actually very bad at most things required for group functioning or any kind of success in life as individuals or otherwise and their relationships are almost always nonfunctional. More formally they suffer from a form of Narcistic Personality Disorder (NPD) and exhibit “Passive Agressive” behaviour traits that can become indirectly or sometimes directly physically agressive, if they think they will get away with it. You will find such people get sent on “anger managment” courses, as few actually want to deal with them other than by avoidence (the wrong thing to do).

I’ve been told they are attracted to certain types of activity, one of which is “talking about organising” rather than actually organising or coming up with workable methods to achieve desirable outcomes. So not “meetings about meetings” but meetings about the organisation that should be considered for “meetings about meetings”[1]…

The point is these people will gravitate to where their “ego food” requirments are likely to be met. Unfortunately those who lack the “social communications” or similar skills will be seen by Karen’s to offer an ideal environment for their existance. Any worthwhile manager, should be alert to the warning signs and exert appropriate managment early and unavoidably[2]. Often a Karen will realise that they are not going to get what they want and will move somewhere else and if they won’t go their inability to “follow the rules” will fairly quickly lead down the disciplinary path.

Oh and one thing just to be clear the term “Karen” has no implied gender bias, the behaviours are found in as far as I am aware all human genders, as it’s effectively predicated on an underlying “state of mind” such as one of the “dark mental deficits”.

[1] A friend who’s proffession it is to deal with the more extream forms of NPD pointed out that those further down the agression scale are the sort who would get on “make-work committees” and if given the opportunity would “Discuss endlessly in the minutest detail the shade of green best used in all lighting conditions to indicate biliousness on a poster warning that you might get seasick on a cruise boat…” a turn of phrase that has for some reason got forever stuck in my head 😉

[2] Have a read of,

About halfway down there are a couple of lists of traits that once you are aware of them you can “plan for the trouble to follow”. Avoidence is not an option, though by and large nearly all managers are “avoident” where every they can be. Remember Passive-Agressives almost never respond to mediation and the like because they see it as “confirmation of victimisation”. They might in a very few cases respond to formal rule setting and documented accountability, but it will be at best grudgingly. In the meantime the harm they do is often irreparable. Thus early action as indicated toward the bottom of the article is realy the only sensible way to minimise harm. Especially when you remember some narcissistic personality types will resort to indirect or even direct harmfull behaviours including planned violence with intent to do more than just transitory harm.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.