FOSS FIASCO —

Developer sabotages his own apps, then claims Aaron Swartz was murdered

Developer throws a wrench in thousands of apps after making malicious updates.

Stock photo of the lit fuse of a stick of dynamite or firework.

The developer who sabotaged two of his own open source code libraries, causing disruptions for thousands of apps that used them, has a colorful past that includes embracing a QAnon theory involving Aaron Swartz, the well-known hacktivist and programmer who died by suicide in 2013.

Marak Squires, the author of two JavaScript libraries with more than 21,000 dependent apps and more than 22 million weekly downloads, updated his projects late last week after they remained unchanged for more than a year. The updates contained code to produce an infinite loop that caused dependent apps to spew gibberish, prefaced by the words “Liberty Liberty Liberty.” The update sent developers scrambling as they attempted to fix their malfunctioning apps.

What really happened with Aaron Swartz?

Squires provided no reason for the move, but in a readme file accompanying last week’s malicious update, he included the words “What really happened with Aaron Swartz?”

Swartz tragically took his own life after facing federal hacking charges that could have landed him in prison for 50 years. The charges—for alleged computer hacking crimes and wire fraud—stemmed from Swartz logging into a network at the Massachusetts Institute of Technology and scraping millions of academic papers that were behind a paywall. After being locked out of the MIT Wi-Fi system, he entered an MIT network closet and plugged a laptop directly into the campus network.

At the same time that he included the cryptic Swartz reference in the readme file, Squires also tweeted those same words and included a link to this thread claiming that Swartz was murdered after he discovered child-abuse porn on MIT servers. This now-deleted post, included in the thread, stated:

No, it is not Aaron Swartz who should be on trial but that lofty institution of hired learning, MIT, which is responsible for the heinous crimes that led to his death. The risks taken on by Swartz, which have threatened MIT, can be understood only through the issue of child porn as orchestrated and produced by its acclaimed professors and distributed to their wealthy and powerful sponsors. The MIT cyber-pimps cater to a clientele that includes the highest echelon of the State Department, major corporations, intelligence agencies, the military brass, and the White House.

Every element in the Swartz case indicates that he died in a heroic attempt to expose the perversion that has corrupted the hearts and minds of the global elite, a heinous and often murderous vice that traumatizes innocent children and threatens every family on this planet.

There’s also evidence that Squires may have been charged two years ago with reckless endangerment after allegedly starting a fire in his Queens, New York, apartment. According to news articles, a then-37-year-old man named Marak Squires was arrested after being taken to the hospital after authorities allegedly observed him acting erratically as they responded to the fire.

The articles said Squires was a software developer and early bitcoin investor. A month after the fire, Squires reported on Twitter having “lost all my stuff in an apartment fire” and asked for financial support.

Squires didn’t respond to a message asking for comment on this post.

Throwing a wrench in the supply chain

Last week’s sabotage raises concerns about the safety of the software supply chain that is crucial to large numbers of organizations—including Fortune 500 companies. The two sabotaged libraries—Faker.js and Colors.js—created problems for people using Amazon’s Cloud Development Kit. Big companies, critics have long said, benefit from open source ecosystems without adequately compensating developers for their time. In turn, developers responsible for the software are unfairly strained.

Indeed, Squires in 2020 said he would no longer support large companies with work he does for free. “Take this as an opportunity to send me a six-figure yearly contract or fork the project and have someone else work on it,” he wrote.

The ability of a single developer to throw a wrench into such a large base of apps underscores a fundamental weakness of the current free and open source software structure. Add to that the havoc wreaked by overlooked security vulnerabilities in widely used open source apps—think of last month’s Log4j fiasco or the devastating Heartbleed zero-days targeting OpenSSL systems in 2014—and you have a recipe for potential disaster.

Channel Ars Technica