Attack on SolarWinds could have been countered by reproducible builds

Hans-Christoph Steiner hans at guardianproject.info
Fri Dec 18 08:20:00 UTC 2020


Thanks for this info!  RB work can be a slog through annoying technical details, so confirmation of its importance always helps lift my spirits. It's definitely good fodder for getting funding for related work.

.hc

David A. Wheeler:
> All:
> 
> There’s been a recently-revealed attack on the SolarWinds product “Orion”, a Network Management System (NMS). This software is widely used and thus this attack is extremely concerning.
> 
> According to SANS, “SolarWinds has published limited information in which they state they believe the build environment was compromised.” https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
> 
> Let me restate this: it appears that the *source code* wasn’t compromised, and the *distribution* system wasn’t compromised. Instead, the *build system* was compromised. This is *EXACTLY* the kind of attack that is countered by reproducible builds. Thus, the recent SolarWinds subversion is a very good argument for why it’s important to have reproducible builds (and to verify builds using reproducible builds).
> 
> I’ve read a number of articles about SolarWinds, and none of them mention reproducible builds, even though reproducible builds is clearly a countermeasure to this problem. Perhaps journalists will eventually learn about reproducible builds; that would be nice!
> 
> --- David A. Wheeler
> 
> PS: Here are some articles about the attack on SolarWinds:
> https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
> https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
> https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
> https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now
> https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/
> 
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
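The point in the quoted message, that a compromised build host is caught by an independent rebuild from the same source, can be shown with a small simulation. The following is an added example, not code from the list, from Wheeler or from SolarWinds: the "compiler" is a toy hash-based transform, the release artifact is a tar archive, and the `tamper` hook stands in for a build host that alters object files after compilation while the source tree stays clean. It also covers the caveat a verifier hits in practice: a build that stamps wall-clock time into the artifact diverges on its own, so the comparison has to tell metadata drift apart from a real code difference before anyone raises an alarm.

```python
import hashlib
import io
import tarfile

# Fixed timestamp an honest build pins via SOURCE_DATE_EPOCH (assumed value).
SOURCE_DATE_EPOCH = 1_600_000_000

# Constructed sample source tree, standing in for a checked-out release tag.
SOURCE_TREE = {
    "src/main.c": b'#include <stdio.h>\nint main(void){puts("hello");return 0;}\n',
    "src/util.c": b"int helper(void){return 42;}\n",
    "Makefile": b"all: main.o util.o\n",
}


def toy_compile(path, content):
    """Stand-in for a compiler: a deterministic transform of one source file."""
    digest = hashlib.sha256(content).hexdigest().encode()
    return b"OBJ:" + path.encode() + b":" + digest + b"\n"


def build(source, *, build_time, tamper=None):
    """Produce a release artifact (a tar archive) from the source tree.

    build_time is the mtime written into every archive entry.  tamper, if
    given, is called on each compiled object and simulates a compromised
    build host that modifies outputs without touching the source.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path in sorted(source):  # sorted: directory order must not leak in
            obj = toy_compile(path, source[path])
            if tamper is not None:
                obj = tamper(path, obj)
            info = tarfile.TarInfo(name=path + ".o")
            info.size = len(obj)
            info.mtime = build_time
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(obj))
    return buf.getvalue()


def honest_builder(source):
    return build(source, build_time=SOURCE_DATE_EPOCH)


def implant_objects(path, obj):
    """Simulated compromised build host: silently alters one object file.
    The marker is a constructed placeholder, not any real payload."""
    if path == "src/main.c":
        return obj + b"TAMPERED\n"
    return obj


def compromised_builder(source):
    return build(source, build_time=SOURCE_DATE_EPOCH, tamper=implant_objects)


def naive_builder(source):
    # A build that stamps wall-clock time; fixed to "one second later" here so
    # the example stays deterministic (real code would use int(time.time())).
    return build(source, build_time=SOURCE_DATE_EPOCH + 1)


def diff_archives(a, b):
    """Names of members whose *contents* differ between two archives.

    Header-only differences (mtime, ownership) produce no entries, which is
    how a verifier tells metadata nondeterminism from a real code change.
    """
    def members(blob):
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
            return {m.name: tar.extractfile(m).read() for m in tar.getmembers()}
    ma, mb = members(a), members(b)
    return sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))


def verify_release(vendor_artifact, source, rebuilders):
    """Rebuild from source on each independent builder and compare digests.

    Returns (ok, digests, differing): ok is True only when every rebuild is
    bit-for-bit identical to the vendor artifact; differing maps each
    mismatching builder to the members whose contents differ (an empty list
    means the mismatch is metadata only).
    """
    expected = hashlib.sha256(vendor_artifact).hexdigest()
    digests = {"vendor": expected}
    differing = {}
    for name, rebuild in rebuilders.items():
        artifact = rebuild(source)
        digests[name] = hashlib.sha256(artifact).hexdigest()
        if digests[name] != expected:
            differing[name] = diff_archives(vendor_artifact, artifact)
    return not differing, digests, differing


def scenario(vendor_builder, rebuilders):
    """Vendor ships an artifact; independent parties rebuild and compare."""
    return verify_release(vendor_builder(SOURCE_TREE), SOURCE_TREE, rebuilders)


if __name__ == "__main__":
    for label, vendor in [("honest", honest_builder),
                          ("compromised host", compromised_builder),
                          ("timestamped build", naive_builder)]:
        ok, _, differing = scenario(vendor, {"rebuilder": honest_builder})
        print(f"{label:18} reproducible={ok} content_diffs={differing}")
```

Three outcomes fall out of `scenario`: an honest vendor build matches every rebuild; a build from the simulated compromised host fails and `diff_archives` names exactly the altered object, even though the source tree is identical on both sides; and the timestamped build also fails the digest check but with no content differences, which is the signal that the build itself needs to be made deterministic before its mismatches mean anything.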