Attack on SolarWinds could have been countered by reproducible builds
Hans-Christoph Steiner
hans at guardianproject.info
Fri Dec 18 08:20:00 UTC 2020
Thanks for this info! RB work can be a slog through annoying technical
details, so confirmation of its importance always helps lift my spirits.
It's definitely good fodder for getting funding for related work.
.hc
David A. Wheeler:
> All:
>
> There’s been a recently-revealed attack on the SolarWinds product “Orion”, a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.
>
> According to SANS, “SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
>
> Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
>
> I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!
>
> --- David A. Wheeler
>
> PS: Here are some articles about the attack on SolarWinds:
> https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
> https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
> https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
> https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now
> https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/
>
>
--
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
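As an added illustration, not part of this thread or of any project's code, here is the verification logic Wheeler's argument relies on: several independent parties rebuild the same source and compare their hashes with the vendor's published artifact, so a build system that injects code the source never contained shows up as a vendor-only mismatch. The toy build step, the builder names and the source bytes are constructed for this example.

```python
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes, injected: bytes = b"") -> bytes:
    """Stand-in for a deterministic build step (constructed for this example).
    A trustworthy builder passes injected=b""; a compromised build environment
    can append content that is absent from the source, which is the scenario
    described for SolarWinds (clean source, subverted build system)."""
    return b"BUILD-HEADER\n" + source + injected


def verify_artifact(vendor_sha256: str, rebuilds: Dict[str, str]) -> str:
    """Compare the vendor's published artifact hash with independent rebuilds.
    Returns one of:
      'reproducible-match'  every rebuilder and the vendor agree
      'vendor-mismatch'     rebuilders agree with each other but not the vendor
                            (source is fine, the vendor's build system is suspect)
      'unreproducible'      rebuilders disagree among themselves; no verdict
    """
    if len(rebuilds) < 2:
        raise ValueError("need at least two independent rebuilds to conclude anything")
    distinct = set(rebuilds.values())
    if len(distinct) > 1:
        return "unreproducible"
    return "reproducible-match" if distinct == {vendor_sha256} else "vendor-mismatch"


# Constructed scenario: identical source, but the vendor's builder adds bytes.
SOURCE = b"int main(void) { return 0; }\n"
VENDOR_ARTIFACT = toy_build(SOURCE, injected=b"/* added by compromised build env */")
INDEPENDENT_REBUILDS = {
    "rebuilder-a": sha256_hex(toy_build(SOURCE)),  # hypothetical independent builder
    "rebuilder-b": sha256_hex(toy_build(SOURCE)),  # hypothetical independent builder
}


def compromised_build_verdict() -> str:
    return verify_artifact(sha256_hex(VENDOR_ARTIFACT), INDEPENDENT_REBUILDS)


def clean_build_verdict() -> str:
    return verify_artifact(sha256_hex(toy_build(SOURCE)), INDEPENDENT_REBUILDS)


if __name__ == "__main__":
    print("compromised build environment:", compromised_build_verdict())
    print("clean build environment:      ", clean_build_verdict())
```

Note that the check only works if the rebuilders run on infrastructure the vendor does not control; a rebuild on the compromised build host would simply agree with the vendor.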