Russian plugin, go fuck yourself


Category: ex-oss
pierogi press

Before I start this post discussing what happened this week, I want to state that I asked Andrey if it was okay for me to write it, or if doing so would unnecessarily keep the wound open for him. He said it was okay. So we’re cool on that.

As for why I am qualified to write this post, if you find anyone else who

  1. gave several years of their life to the WordPress open source project;
  2. has an undergraduate degree in international affairs with a concentration on post-Soviet Russian and Eastern European studies and a minor in Russian language and literature, and a postgraduate certification in internet law and policy;
  3. had several years of full-time professional experience working with the governments of the US, Russia, Ukraine, Belarus, and the US sanctions regime against Russia thrown in for good measure;
  4. is currently professionally tits-deep in the UK’s Orwellian legislation about freedom of speech, content interception and moderation, device interception and alteration, and an identity-verified splinternet mandated by government demands for control; and for that matter,
  5. contains at least 25% raging Ukrainian blood, and in fact, is
  6. so ethnically Slavic that they own a pierogi press (see header image),

please tell me so that person and I can swap political war stories and recipes, because this war is making me hungry. Pierogi press, democratising dumplings.

This post is written entirely from the outside. I feel a bit Michael Corleone here – “just when I thought I was out, they pull me back in” – having retired from all OSS community involvement just before the pandemic. (You can thank Joomla for that.) I am no longer involved in any community outside my current professional role, nor do I “keep up” with what’s going on with them.

The enduring personal friendships I made in those years, however, are the stars I navigate home by, and always will be.

So on to the drama.

What happened

By now everyone knows what happened. A Russian propaganda plugin entitled “Za Mir”, which displayed a banner with the “Z” symbol, was approved for inclusion in the WordPress.org plugin repository. This meant the plugin was featured in the dashboards of – as the project and its controlling company so often boast – 43% of the sites on the open web.

Among the people to see it were Ukrainians, like my friend Andrey in Kyiv, who is currently spending every day trying very hard not to die.

A furious debate apparently ensued in the project’s Slack, which I’m no longer in, about whether the plugin was acceptable or not. It was eventually pulled on the basis of some airy hand-waving about being “kind, helpful, and respectful.”

The authority to pull the plugin was exercised by the project’s leadership, who as is well known, are not elected by, accountable to, or removable by the community, and are employees of the US company which owns and controls the .org open source project.

A community debate also ensued, because the community loves a bit of wpdrama. That debate didn’t fix the problem, but it certainly created new ones, which I’ll go into shortly.

WPTavern, which is also owned by the US company which owns and controls the .org open source project and therefore must toe certain lines, deeply, had a write-up. Sadly, I must advise you to read the comments.

This was not a freedom of speech issue.

It is a danger sign about the health of the WP project that free speech, and the American First Amendment, seem to be the only tools that the community has at their disposal to intellectually process what happened.

Let me be very clear on this, because I know that this is something that the community is going to struggle to comprehend:

  1. The plugin was not a free speech issue.
  2. The plugin was not a First Amendment issue.
  3. The plugin had absolutely nothing to do with free speech or the First Amendment.
  4. Any attempt to deal with the issue through 1, 2, or 3, was completely wrong.
  5. Any attempt to deal with the issue through 1, 2, or 3 was a threat to the project.
  6. If this doesn’t make sense to you, go back to no 1.
  7. If this morally offends you, go back to no 1.

The plugin was not the work of a good-faith actor making a controversial political statement as a valid exercise of his right to free speech. The plugin was a bad-faith actor, affiliated with the Russian military, deploying a social engineering proof of concept to show that it’s possible for Russia to gain access to 43% of the world’s web sites.

He did not submit his plugin to the repo to express an opinion. He jiggled the handles until he found an unlocked door. He found it.

Because obviously the project didn’t get the memo – I mean, the actual memo, issued by the White House two days before the plugin hit the repo – warning US businesses to shore up their defences against Russian cyberattacks. Those public-facing PR statements, if you didn’t know, are always accompanied by direct communication from the government, to companies, on the specific threats heading their way and the mitigations they need to put in place immediately.

Maybe the corporation which legally owns and controls the open source project did get that memo, and that information just didn’t trickle down. Maybe they didn’t get the memo at all.

Regardless of whether they did or did not:

what it does prove is the exact scenario I wrote about at the turn of the year, when I discussed how the US government and military now view open source projects as national security threats.

The idea that vital internet infrastructure can be responsibly maintained by any random volunteer who shows up, without any vetting or training or qualifications, through the magic of software freedom and some airy hand-waving about the American First Amendment, is a ship which has sailed directly into the Kerch strait.

Exhibit A is – and should be, for all the world to see – the WordPress project allowing the Russian military to social-engineer a coordinated propaganda campaign into the dashboards of 43% of the sites on the open web.

But while наш друг may have successfully demonstrated a proof of concept on that cybersecurity threat, he also created another one.

Do you people not understand how sanctions work?

Let’s recall that the open source project is completely legally owned and controlled by a US company which provides a global tech platform as well as an enterprise offering. That company could, at any time, be gently asked to consider ceasing offering those services to Russian users and clients. Or it could be told, not asked, and brought into the sanctions regime.

Thus taking 43% of the sites on the open web, and the open source community which powers them, with it.

I dealt with the Russian sanctions regime in a previous job, in my Washington years, which might as well be a previous life. There are no concessions in it, no exemptions, and no mitigations, least of all freedom of speech. The sanctions regime has roughly the same sense of humour as the six-foot-seven Secret Service agent with the Glock standing at your office door while his charge meets with your boss. You are not going to “kind, helpful, and respectful” your way out of it.

You’re going to block the country and users and the services and the clients and the sites by lunchtime, or else a lot of big guys with Glocks are going to show up at your front door at dinnertime. Deeply.

Still, if your mission is “democratising publishing”, that’s going to grate against your principles. So it’s in your interest to do everything in your power to maintain good stewardship of the project, and the platform, so that it doesn’t raise the eyes of the sort of people who already see you as a national security threat.

Letting a Russian state actor use your platform as a billboard for a state propaganda campaign is not going to get you the results you want.

Is there a precedent for a global open source project being brought into the American sanctions regime?

We may be about to find out.

It’s quiet uptown

There is a quote I include in my upcoming privacy book, one which reflects the point in the narrative where I have to stop being the hand-holding good cop and start being the face-slapping bad cop:

If you think your job is writing code and not understanding politics and the political implications of technology, not only are you bad at your job, you are dangerously bad at your job and a threat to others.

Aurynn Shaw

This week, a lot of people were dangerously bad at their jobs and a threat to others.

They failed to understand the political implications of a bad-faith abuse of their systems; they failed to recognise a bad-faith abuse in the first place; they processed the situation through an American worldview which was completely irrelevant to the situation; in doing so, they created a timewasting argument about the wrong problem; they caused real unnecessary hurt to people who are the active targets for genocide:

a tweet from Andrey saying "had cruise missiles upset me less"

and they validated every concern the US government and military has about OSS projects being a threat to national security, and at 43% of the web, global security as well.

And for what, exactly?

It’s been nearly five years since I stood in Paris on a breathtaking summer’s day and asked the community to consider what democratising publishing actually means, and what it stands for, beyond the four software freedoms. To define what principles it stands for, and how to defend those principles. In hindsight, the talk was a total waste of my time, even if the trip, my god, most definitely was not.

But in deciding that the project isn’t going to stand for anything beyond an incredibly naive American worldview of how rights and freedoms and speech and threats interact on the web, via its controlling corporation’s commercial interests, the project also made itself a vulnerable target.

One which, if taken advantage of, puts 43% of the sites on the web at risk. This week, that happened, with such ease and efficiency that some Russian military functionary, somewhere, will have been laughing his head off at the whole lot of you.

There’s a song about a man with authentic political principles meeting his idol, and discovering that his idol’s only political principle was building a career for himself. The good guy, as emotionally flawed as he is, can’t comprehend that. And he asks that bad guy, who will someday kill him in a jealous rage, one question:

If you stand for nothing, Burr, what’ll you fall for?

Well, Alex, if you stand for nothing, you’ll fall for the Russian military exploiting every vulnerability you ever laid out in public for all the world to see.

And you did.

Stay safe, Andrey.

A slightly surreal postscript: two hours before Andrey brought this to the world’s attention, I received an invitation to go on the main WP podcast to discuss the post I wrote last week on the UK’s Online Safety Bill, in the context of the threat it poses to free speech as well as the WP ecosystem. I turned down the request without a second thought, for two reasons. One, as most people are now aware, it was made explicitly clear to me that I am no longer welcome in the WP community, and enough has already been said about that. But two, that interview would not be received the way I or the hosts would want it to be, because as most people are also aware, the WP project does not “do” politics, even when they directly threaten the mission of democratising publishing or the billion-pound ecosystem built in its name. So there would have been no constructive point or positive outcome resulting from that interview whatsoever, hence me turning it down, with no hard feelings.
Two hours later, literally two hours later, the WP project proved, once again, that it does not do politics, even when it directly threatens the mission of democratising publishing or the billion-pound ecosystem built in its name.

The Author

I’m a UK tech policy wonk based in Glasgow. I work for an open web built around international standards of human rights, privacy, accessibility, and freedom of expression. The content and opinions on this site are mine alone and do not reflect the opinions of any current or previous team.

13 Comments

  1. Thank you for your perspective Heather. I can’t deny that your view is something that does keep me up at night as my own career, for better or for worse, is still tied to a WordPress project where “this will make no difference” isn’t just in relation to regulation and politics but to conversations I’ve had just this week with what, in a functioning project, would be completely non-controversial.

    I often feel like the powers-that-be aren’t just digging their own graves with a shovel but they’ve used that sweet, sweet investor money to upgrade that shovel to some serious mining equipment and the future with it is not bright.

  2. Tom Hermans says

    Perfect write-up and while I already agree, learned a lot by reading this in the process.

  3. Ines says

    Thank you, Heather, for writing this up. As a fellow Slavic with a family history of war, I have a _lot_ of feelings about this. I am severely disappointed in the approval of this plugin in the first place, and the fact that no protocols were put in place to prevent such incidents. As a community, we must do better.

    I’m glad to call you friend. Slava Ukraini!

  4. Edward Caissie says

    Thank you.

    I have a lot more to say and thoughts to consider with your very fine points of view (which, in general, I agree with) being taken in.

    I also am no longer a part of the WordPress ecosystem and this debacle has reinforced my opinion it was the right thing to do for myself then and still.

    Definitely some pierogies… er, food… for thought.

  5. Thanks for writing this post Heather. I saw Andrey’s tweet with the mention of the plugin guidelines but had no idea that the situation was this fucking bad. And yeah I agree. When your “we don’t do politics” gets you to the point of being used like this, it’s time to step back and consider how far you’re willing to take your attempt at neutrality.

  6. If we don’t have a complete understanding of a situation, then surely the solution is to make sure that people do have a complete understanding of the situation.

    I missed the Slack conversation and perhaps falsely assumed that this was just a case of someone having zero idea of what was going on in the world and clicking the “approve” button. I didn’t think there would be any question whatsoever about this being appropriate once brought to the attention of everyone else.

  7. My last thought on this, as the comments close:

    This fiasco, among many other things, was a common example of one of the biggest misperceptions about how the open web works. And that misperception is that the US First Amendment is a global speech laundering utility.

    It is not.

    You cannot take (e.g.) a state-directed propaganda campaign of hate speech against the citizens of another country, launder it through a US-incorporated project, and declare it acceptable under the US First Amendment.

    That is not how any of this works.

    If a project has contributors or, worse, decision-makers, whose political and legal understanding of their own profession is so feeble that they truly believe the project is and should be a laundromat, via the US and its First Amendment, for things like state-directed genocide campaigns, then that project has two problems.

    Neither of which are mine.
