News, Trends, and Insights for IT & Managed Services Providers
News, Trends, and Insights for IT & Managed Services Providers
Business of Tech | Let’s learn about protestware

I wanted to note this new trend – protestware.      What’s that?    Developers deliberately sabotage their own software libraries to protest — turning software into “protestware.”     Pulling from Tech Crunch:

In July, the developer of the widely used atomicwrites Python library Markus Unterwaditzer temporarily deleted his code from the popular code registry PyPI after the site said it would mandate two-factor authentication for maintainers of “critical projects” — projects that fell into the top 1% of all downloads on the registry. 

A week into 2022, thousands of applications that rely on the heavily used npm projects colors and faker broke and began printing gibberish text on users’ screens. It wasn’t a malicious actor hijacking and altering these legitimate libraries. It turned out the project’s developer Marak Squires had intentionally corrupted his own work to send a message of protest to big corporations.

Squires’ protest was prompted by the Log4Shell security flaw that burdened Log4j project maintainers, primarily open source volunteers, with critical vulnerability patching over the December holidays. Squires had earlier expressed frustration at Fortune 500 companies using his free, open-source code without offering financial support or sponsoring their upkeep. The Log4Shell vulnerability only reinforced that sentiment — that the businesses ubiquitously reliant on Log4j in their applications have not done enough to support the unpaid volunteers. They sustain these critical projects in their free time.

In March 2022, weeks after Russian troops crossed into Ukrainian territory, the popular npm project node-ipc — downloaded over a million times each week — began wiping the machines of suspected Russian and Belarusian developers. The project’s developer, Brandon Nozaki Miller, allegedly sabotaged the code to corrupt the computers it was installed on. The sabotaged versions of node-ipc — now effectively malware — were taken down from the npm registry.

But here’s the key passage:

“The conversation around ‘protestware’ is really a conversation about software supply chain security. You can’t trust what you can’t verify,” Dan Lorenc, the co-founder, and chief executive at Chainguard, a startup specializing in software supply chain security, told TechCrunch.

Why do we care?

Besides wanting to understand precisely what protestware is, which I think has a lot of value, there’s the relation to a trend we already discussed.  Supply Chain security.     A phrase that wasn’t considered just a few short years ago is becoming key to how product is delivered.  As such, services companies both have a new challenge to face.. but on protestware specifically, they should be able to leverage any work in overall supply chain security.  That’s the good news.   It’s a big problem, but this doesn’t add anything more to it… especially if you already don’t trust anything.  

Choose your upgrade:

Get the full benefits of Business of Tech Plus

Insider Access

$12/month

Perfect for MSPs and ITSPs that want full interviews, early access, and ad-free listening

  • Programmatic Ad-free private podcast feedSame show, little interruptions
  • Channel Chatter previews1–2 topics with light insights
  • Early access to interview episodesHear it days before public release
  • Monthly Insider BriefTighter analysis you can share internally
  • Extra audio segmentsCut interviews, behind-the-scenes commentary, quick competitive notes
  • Become an Insider for $12/month

    Leadership Access

    $149/month

    Perfect for MSPs and Vendors that run a team and need the extended tactics, executive summaries, and weekly alignment brief

  • All Insider Access benefits plus . . .
  • Invite your teamIncludes access for 5 team members with option to add more
  • Vendor Strategy BriefsThe entire library, plus new analysis every month
  • Channel ChatterAll topics, full insights, complete vendor discussion + sentiment list
  • Quarterly State of the Channel Briefing
  • Monthly AMA submission priorityAsk Dave direct questions, and skip the line
  • Get the Leadership Edge for $149/month

    Vendor Partner

    $500/month

    Perfect for channel companies or vendors looking to deepen their engagement with the show.

  • All Leadership Access benefits plus . . .
  • Get highlighted as a show sponsor You'll get placement in the show notes, throughout the website, and on our dedicated sponsors page.
  • Enjoy regular shout outs You'll be featured in a rotating format during the show
  • Become a show sponsor for $500/month

    Search all stories