Thanks for this info! RB work can be a slog through annoying technical details, so confirmation of its importance always helps lift my spirits. It's definitely good fodder for getting funding for related work.

.hc

David A. Wheeler:
All:

There’s been a recently-revealed attack on the SolarWinds product "Orion", a 
Network Management System (NMS). This software is widely used and thus this attack 
is extremely concerning.

According to SANS, "SolarWinds has published limited information in which they 
state they believe the build environment was compromised." 
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/

Let me restate this: it appears that the *source code* wasn’t compromised, and 
the *distribution* system wasn’t compromised. Instead, the *build system* was 
compromised. This is *EXACTLY* the kind of attack that is countered by 
reproducible builds. Thus, the recent SolarWinds subversion is a very good 
argument for why it’s important to have reproducible builds (and to verify 
builds using reproducible builds).

I’ve read a number of articles about SolarWinds, and none of them mention 
reproducible builds, even though reproducible builds are clearly a 
countermeasure to this problem. Perhaps journalists will eventually learn about 
reproducible builds; that would be nice!

--- David A. Wheeler

PS: Here are some articles about the attack on SolarWinds:
https://www.sans.org/blog/what-you-need-to-know-about-the-solarwinds-supply-chain-attack/
https://www.cnn.com/2020/12/16/tech/solarwinds-orion-hack-explained/index.html
https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html
https://www.computerweekly.com/news/252493662/SolarWinds-cyber-attack-How-worried-should-I-be-and-what-do-I-do-now
https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/



--
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
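The verification step the quoted message refers to ("verify builds using reproducible builds") comes down to rebuilding the same source on an independent builder and comparing the artifacts. The following is an added example, not code from the original thread or from the Reproducible Builds project: it hashes two build output trees file by file and reports any artifact whose digest differs or that exists on only one side. The directory layout, file names (`bin/agent`, `share/README`) and contents in `demo()` are constructed for the demonstration; a tampered build host shows up as a differing digest that a clean rebuild does not reproduce.

```python
"""
Added example (not from the original email or the Reproducible Builds project):
a minimal independent-rebuild check.  Two builders compile the same source; their
output trees are hashed file by file and compared.  A file whose digest differs
between the vendor's build and a clean rebuild is the signal a compromised build
environment leaves behind, even though source and distribution are untouched.
All paths and file contents below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_builds(official: Dict[str, str], rebuild: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every artifact: identical, differing, or present on one side only."""
    report = {"identical": [], "differ": [], "only_official": [], "only_rebuild": []}
    for rel in sorted(set(official) | set(rebuild)):
        if rel not in rebuild:
            report["only_official"].append(rel)
        elif rel not in official:
            report["only_rebuild"].append(rel)
        elif official[rel] == rebuild[rel]:
            report["identical"].append(rel)
        else:
            report["differ"].append(rel)
    return report


def build_is_verified(report: Dict[str, List[str]]) -> bool:
    """A build is verified only if every artifact was reproduced bit for bit."""
    return not (report["differ"] or report["only_official"] or report["only_rebuild"])


def write_tree(root: Path, files: Dict[str, bytes]) -> None:
    """Materialise a constructed build output tree on disk."""
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: the vendor's build host altered one binary artifact,
    while the independent rebuild from the same (clean) source did not."""
    clean = {"bin/agent": b"\x7fELF legitimate build output", "share/README": b"docs\n"}
    altered = dict(clean)
    altered["bin/agent"] = b"\x7fELF output altered on the build host"
    with tempfile.TemporaryDirectory() as tmp:
        official = Path(tmp) / "official"
        rebuild = Path(tmp) / "rebuild"
        write_tree(official, altered)
        write_tree(rebuild, clean)
        return compare_builds(hash_tree(official), hash_tree(rebuild))


if __name__ == "__main__":
    result = demo()
    for category, files in result.items():
        print(f"{category:14s} {files}")
    print("verified:", build_is_verified(result))
```

In practice the `official` tree is the vendor's shipped package unpacked, the `rebuild` tree comes from a builder the vendor does not control, and the comparison is meaningful only once the build itself is reproducible (timestamps, paths and build IDs normalised), otherwise every file differs and the check carries no signal.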