Conversation

Nov 26, 2018

I think this npm incident falls into the category of "insider threats", which are pretty much every security professional's worst nightmare

Quote Tweet

Aaron Patterson

@tenderlove

Nov 26, 2018

Honestly I'm not even sure what the lesson to learn from this event-stream "event" is. Don't let others maintain your package? Don't trust anyone?

Tony "Abolish ICE" Arcieri

@bascule

Nov 26, 2018

Captain Hindsight sez...

Replying to

Do you feel that that's the responsibility of the maintainer?

Replying to

and

If they wanted him to have the responsibility of doing due diligence, companies depending on his library should have paid him. He stated that he was doing it for fun and it stopped being fun so he handed it off to someone else as quickly as they showed up. It was a hobby project.

Replying to

and

Or they should have done the due diligence themselves. Blindly upgrading to a new version of the library from a different maintainer was their choice. How were they even verifying the sources? Doesn't sound like anything was signed, and an account takeover could have done this.

Replying to

and

So apparently npm has no package signing. I didn't realize it was that bad. The previous developer didn't even need to hand over a signing key to the new developer, since nothing is being signed and verified anyway. What if they had simply chosen a bad / reused password for npm?

Replying to

and

hard to imagine how package signing works without key management, and key management doesn’t work at scale, so i’m not sure this is a super fair criticism

Tony "Abolish ICE" Arcieri

Replying to

and

I think TUF works well for managing a developer PKI and applying package AuthZ policies, however it’s also worth noting that would’ve done nothing to prevent this particular attack, since it was malware injected via transitive dependencies by an authorized publisher

Replying to

and

There are language package managers with package signing. At the very least, pinning the key fingerprint on first use with a mechanism for automatically rotating to requiring signatures from additional new keys works well.

Replying to

and

I'm not sure that end-user key management actually does work well for a system that operates at the scale that NPM does. Do you know what the largest deployment of such a package manager is?

Replying to

and

I don't understand what scale has to do with it. Package signing works fine for many other package managers with a large scale. The basic trust on first use security properties don't require any end user key management or extra work on their part.

11:26 PM · Nov 26, 2018Twitter Web Client

This Tweet was deleted by the Tweet author. Learn more

Tony "Abolish ICE" Arcieri

Replying to

and

I too have direct experience working on many package managers specifically on the problem of package signing, and I would argue for a signing system to be useful, at a minimum every package needs to be signed by a key which is ultimately trusted by the end user

Show replies

Tony "Abolish ICE" Arcieri

Replying to

and

If you’re talking about things like Linux distros, those systems generally have automated signing by central build servers, or at the very least have no form of open enrollment.

Replying to

and

I spent years working on Arch Linux and that's not how it worked at all. The package sources have pinned PGP key fingerprints which are used to automatically verify the sources. There are also pinned hashes for each version. Change of key is investigated. git.archlinux.org/svntogit/packa

Show replies