
[flagged]


> I strongly encourage you to stop making false allegations.

I encourage you to find out the definition of Trojan[1] and then find out what Marak did to sabotage his code.

To qualify as a Trojan, Faker.js needed to be:

- advertised as being for a certain purpose

- coded to do something to damage the person who installs it (even if it still does the thing it advertises that it does)

In this case, Marak allowed people who thought they were installing Faker.js and tricked them into installing something that ran an infinite loop, which would break a lot of CI/CD servers and build processes.

In some circumstances, this could easily lead to economic harm. In the worst circumstances, it could take down a vital service (like a health app) and cause people to be seriously harmed.

1. https://en.wikipedia.org/wiki/Trojan_horse_(computing)

2. https://www.theverge.com/2022/1/9/22874949/developer-corrupt...


> Marak allowed people who thought they were installing Faker.js and tricked them into installing something that ran an infinite loop

They were installing a legitimate new version of Faker.js though - which just happened to be running an infinite loop. It's users who trusted the Faker.js author to not pull this kind of stuff off, and it turned out they were wrong to do that.


A throwaway line in Wikipedia that does not cite a source ... versus the Jargon File.

http://www.catb.org/jargon/html/T/Trojan-horse.html

If it isn't security-breaking, it isn't a Trojan. I have not seen any evidence that this prank, immature as it may be, resulted in an actual security breach.


The term is derived from the ancient Trojan Horse. It doesn’t have to involve security breaches because the only requirement is a breach of trust through deceit.


> It doesn’t have to involve security breaches

Then it isn't a Trojan. By definition.

"A malicious security-breaking program that is disguised as something benign"


[flagged]


That's BS. Marak didn't just remove it or make it "non-functional". He deliberately changed the code to run in an infinite loop and halt any code that pulled it in. That seems exactly like the definition of a Trojan to me.


I wouldn't call that a trojan. It is being an asshole though.


It's a DoS attack disguised as other, useful software. That's exactly what a Trojan is.


It isn't disguised as anything. If you included a random module in your application package manager, and allowed it to update itself and run scripts then liability is on you for not verifying it and checking the license to see if they provided any warranty.


But is this really a "warranty" issue? Sounds more like a fraud issue (ianal).

Given it was done with the intention of messing up other people's computers which the maintainer did not have legit access to - maybe it's even a CFAA criminal hacking issue (ianal).

Anyways, there's a huge difference between accidentally doing something and doing something with the specific intention of hurting someone else. Sure you can disclaim responsibility for accidents & negligence, but I'm pretty sure you can't disclaim responsibility for intentionally malicious conduct in a contract, certainly you wouldn't be able to do so if it was criminal conduct (IANAL).


Funny how well that has worked until one person comes along and uses it to break people's software intentionally.

At the very least, Marak is an example of why we can't have nice things. None of us are obligated to applaud him for that.


If someone hands out free food on the corner with a sign that says you aren't entitled to it and so you get used to getting free food there. In fact, you've found ways to save on your budget because of it. You also optimized your route home from work to get there at the most convenient time.

One day, you show up and they have a sign up that says... No more free food, vote for Bernie. Are you really the type to complain that now you have to pay for food again or find someone else to give you free food, and throw a fit that their vote for Bernie sign is a trojan?


It's software, not consumable carbohydrates. Easily copied infinitely once created. Nobody is arguing he doesn't have to stop making it. Nobody is even arguing he doesn't have the right to delete his repos. What he did was intentionally poison the templates to trigger automated updates to break other people's software, and that's just not okay. Forget the machines... It's simply misanthropic behavior.
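An added example, not code from this thread or from the Faker.js project, showing the defender's side of the "automated updates" point above: a Node.js check that reports package.json ranges which let `npm install` pick up whatever a maintainer publishes next, and that flags exact pins no longer matching the committed lockfile. The manifest, lockfile and version numbers below are constructed samples.

```javascript
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];
// Exact pin: plain x.y.z, optionally with prerelease/build metadata.
const EXACT_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// Classify one range string from package.json.
function classifyRange(range) {
  const r = String(range).trim();
  if (EXACT_RE.test(r)) return "exact";
  if (r === "" || r === "*" || r === "latest" || r.toLowerCase() === "x") return "any";
  if (r.startsWith("^")) return "caret";
  if (r.startsWith("~")) return "tilde";
  return "range"; // >=1.0.0, 1.x, 1.0.0 - 2.0.0, a || b, git/tarball URLs, ...
}
// Dependencies whose range could resolve to a release nobody has reviewed yet.
function findFloatingDeps(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      const kind = classifyRange(range);
      if (kind !== "exact") findings.push({ field, name, range, kind });
    }
  }
  return findings;
}
// Version recorded in package-lock.json (v2/v3 "packages" map, or v1 "dependencies").
function lockedVersion(lock, name) {
  const entry = (lock.packages && lock.packages[`node_modules/${name}`]) ||
                (lock.dependencies && lock.dependencies[name]);
  return entry ? entry.version : null;
}
// Exact pins whose lockfile entry is missing or drifted; empty means `npm ci` installs only reviewed versions.
function findLockDrift(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockText);
  const drift = [];
  for (const field of DEP_FIELDS) {
    for (const [name, range] of Object.entries(pkg[field] || {})) {
      if (classifyRange(range) !== "exact") continue;
      const locked = lockedVersion(lock, name);
      if (locked !== String(range).trim()) drift.push({ name, pinned: range, locked });
    }
  }
  return drift;
}
// Constructed sample inputs (not real project files); versions are made up.
const SAMPLE_PKG = JSON.stringify({ dependencies: { faker: "^5.0.0", "example-lib": "1.4.0", "example-cli": "*" },
                                    devDependencies: { mocha: "~9.0.0" } });
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: { "": {}, "node_modules/example-lib": { version: "1.4.1" } } });
console.log(findFloatingDeps(SAMPLE_PKG), findLockDrift(SAMPLE_PKG, SAMPLE_LOCK));
```

Run it in CI before `npm ci`; a non-empty result from either function is the point at which a human should review the dependency change rather than let the build pull it in.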


But he didn't withdraw his offering, he sabotaged it.

I guess the metaphor would be if you gave out free food all the time with a sign saying people aren't entitled to it, and then one day decided to add laxatives to it because you felt the people were ungrateful.

Which would land you in jail for a long time no matter what the sign said.


No, the person giving free food here did not go up to people's houses saying here is free food still, eat it cause it is yummy and safe. The people getting the free food showed up cause they felt entitled, grabbed whatever they could find and said... oh, this isn't the free food that I'm used to getting here... oh, and I forgot to read the sign that has been there all along.


This analogy doesn't work the way you want it to. What you are describing would be literally illegal.

The person who put up the free food and the sign, after it was proven that they willfully poisoned the food (which is the only way I can interpret intentionally encoding an infinite loop in your testing library), would be liable for assault. You cannot just put up a sign that says "taker beware" to indemnify yourself from liability, especially after establishing the pattern that the food is safe.

If you ever wondered why grocery stores throw out perfectly good food (and sometimes padlock their dumpsters) rather than donate it to shelters, it's because this is how society works. They have to be clear that even food being thrown away is not intended to be free for the taking because if a pattern becomes established of people eating safe food out of a grocery store dumpster and one day that food is not safe, the grocery store can be held liable for injuries. Even if the grocery store never wanted anyone to use that food. The hard part would be proving the store intentionally poisoned it... But if that proof were made, the law is clear on who is responsible for the harm caused, and it's not the people eating out of the dumpster.

The underlying philosophical principle that underpins all of this legal precedent is "Don't intentionally cause harm." Marak broke that principle. Thank God Marak was only writing npm libraries and didn't own a grocery store.

This entire story, from the initial changes through the breakages through third parties intervening to mitigate their services being used to cause the breakages through other third parties stepping in to take responsibility to continue maintaining the code that had become vital, is one big open source community success story. The community interpreted intentional harm as damage and routed around it. And that was always one of the intended benefits of the open source approach, right? That the creator of the software can't ruin your day because they feel like it? Whether that creator is an evil corporation refusing to open their proprietary code, or a rogue actor deciding to take a sledgehammer to the pipeline... Open source mitigates the harm caused by both.


> That seems exactly like the definition of a Trojan to me.

Link to even one report of Marak getting inside someone else's system.


You seem to be misunderstanding what a Trojan is. From Wikipedia:

> In computing, a Trojan horse is any malware that misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive Trojan Horse that led to the fall of the city of Troy.

> Trojans generally spread by some form of social engineering; for example, where a user is duped into executing an email attachment disguised to appear not suspicious (e.g., a routine form to be filled in), or by clicking on some fake advertisement on social media or anywhere else.

Marak disguised his malicious DoS attack as previously released useful software. I am completely baffled why people are defending his actions, at all. He could have easily just pulled down his repo, that would have been totally within his rights. Releasing malicious software under the guise of something else is not.

And the fact that people are quoting the license of "no implied warranty" is irrelevant. The law does not look kindly on those that act with malicious intent, regardless of what a license agreement says. For example, if he changed the repo to instead encrypt your hard drive, I guarantee he'd be going to jail. While thankful this was just a DoS attack and not something more serious, it was attack all the same.


> You seem to be misunderstanding what a Trojan is. From Wikipedia...

Wikipedia doesn't define industry terms, especially in one-off throwaway lines without citations.

The Jargon File clearly defines a Trojan as something that (1) breaks your security and (2) is disguised as something benign.

http://www.catb.org/jargon/html/T/Trojan-horse.html

Unless you can show Marak Squires breached these folks security systems, it simply is not a Trojan.

(As a separate point, a claim that something distributed as source code is "disguised" simply cannot be in good faith.)

By claiming it is a Trojan, you are accusing Marak Squires of a potential felony by accessing a computer system without authorization. Making serious accusations like that should require some evidence. I don't see any.


They didn't disguise anything. It was MIT licensed, so you could have forked it long ago. You got used to the source you were using being useful, and so you felt entitled that they would maintain it in a way that was appropriate for your standards based on what you felt entitled to. The thing is with open source projects like this, no one owes you anything but it is too hard to admit that for many people.


No one reads licenses lol. The intent is the same as a trojan: making software malfunction for the intent of either economic gain or geopolitical goals. Intent matters; there is a fundamental difference between shipping crappy code for fun, and making good code break without warning for thousands of users.


> The intent is the same as a trojan

A Trojan is where the attacker gains direct access to a protected system. It is a back door disguised as an innocuous file. The whole point of the Trojan Horse was the Greeks hiding inside of it to get into Troy.

Where is your evidence that Marak Squires gained access to any of the systems that downloaded and used his packages?


I think there are two aspects of the word "trojan", but it does not imply "remote command and control"; it's often that, but more broadly it means something that is disguised as one thing, but is not.

For example, one of the first trojans was: https://en.wikipedia.org/wiki/EGABTR



