Attack on SolarWinds could have been countered by reproducible builds
David A. Wheeler
dwheeler at dwheeler.com
Fri Dec 18 00:33:11 UTC 2020
All:
There’s been a recently-revealed attack on the SolarWinds product “Orion", a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.
According to SANS, "SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!
--- David A. Wheeler
PS: Here are some articles about the attack on SolarWinds:
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/ <https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/>
https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html <https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html>
https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html <https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html>
https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now <https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now>
https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/ <https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20201217/96c0b628/attachment.htm>
More information about the rb-general
mailing list