no extension

Bruce Schneier 先生の記事経由:

先日の XZ Utils に仕組まれたバックドアに関連して OpenSSF (Open Source Security Foundation)OpenJS Foundation よりオープンソース・プロジェクトの乗っ取りに関する警告が出ている。 両者とも同じ内容かな。


The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.


The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

これらを踏まえ social engineering による乗っ取りのパターンとして以下を挙げている。

  • Friendly yet aggressive and persistent pursuit of maintainer or their hosted entity (foundation or company) by relatively unknown members of the community.
  • Request to be elevated to maintainer status by new or unknown persons.
  • Endorsement coming from other unknown members of the community who may also be using false identities, also known as “sock puppets.”
  • PRs containing blobs as artifacts.
    • For example, the XZ backdoor was a cleverly crafted file as part of the test suite that wasn’t human readable, as opposed to source code.
  • Intentionally obfuscated or difficult to understand source code.
  • Gradually escalating security issues.
    • For example, the XZ issue started off with a relatively innocuous replacement of safe_fprintf() with fprintf() to see who would notice.
  • Deviation from typical project compile, build, and deployment practices that could allow the insertion of external malicious payloads into blobs, zips, or other binary artifacts.
  • A false sense of urgency, especially if the implied urgency forces a maintainer to reduce the thoroughness of a review or bypass a control.

まぁ,悪人顔の悪人はいないってね。 漫画やドラマならともかく,現実の詐欺師は友好的かつ誠実そうな顔をしてやってくる(笑) 企業・組織などへの標的型攻撃もそうだけど,安全な「距離」をはかりながら徐々に侵食していく感じだよね。 寄生虫が宿主を乗っ取るのと同じ。 これを防ぐのはなかなか難しいだろう。 特に小規模の FOSS プロジェクトなんかでは。


  • Consider following industry-standard security best practices such as OpenSSF Guides.
  • Use strong authentication.
    • Enable two-factor authentication (2FA) or Multifactor Authentication (MFA).
    • Use a secure password manager.
    • Preserve your recovery codes in a safe, preferably offline place.
    • Do not reuse credentials/passwords across different services.
  • Have a security policy including a “coordinated disclosure” process for reports.
  • Use best practices for merging new code.
    • Enable branch protections and signed commits.
    • If possible, have a second developer conduct code reviews before merging, even when the PR comes from a maintainer.
    • Enforce readability requirements to ensure new PRs are not obfuscated, and use of opaque binaries is minimized.
    • Limit who has npm publish rights.
    • Know your committers and maintainers, and do a periodic review. Have you seen them in your working group meetings or met them at events, for example?
  • If you run an open source package repository, consider adopting Principles for Package Repository Security.
  • Review “Avoiding social engineering and phishing attacks” from CISA and/or “What is ‘Social Engineering’” from ENISA.

を挙げている。 比較的大きなコミュニティならこれでもいいんだろうけどねぇ。 サプライチェーンの観点では重要だけどオープンソース・プロジェクトとしては小規模で,殆どワンオペで回してるようなところは難しいかもしれない。 今回の XZ Utils のように。


ブルース・シュナイアー (著), 井口 耕二 (翻訳)
日経BP 2007-02-15
4822283100 (ASIN), 9784822283100 (EAN), 4822283100 (ISBN)

原書のタイトルが “Beyond Fear: Thinking Sensibly About Security in an Uncertain World” なのに対して日本語タイトルがどうしようもなくヘボいが中身は名著。とりあえず読んどきなはれ。ゼロ年代当時 9.11 およびその後の米国のセキュリティ政策と深く関連している内容なので,そのへんを加味して読むとよい。

reviewed by Spiegel on 2019-02-11 (powered by PA-APIv5)

ハッキング思考 強者はいかにしてルールを歪めるのか、それを正すにはどうしたらいいのか
ブルース・シュナイアー (著), 高橋 聡 (翻訳)
日経BP 2023-10-12
4296001574 (ASIN), 9784296001576 (EAN), 4296001574 (ISBN)


reviewed by Spiegel on 2023-10-13 (powered by PA-APIv5)