
Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Mike Perry writes about the motivations behind his deterministic build work on the Tor Project blog. "Current popular software development practices simply cannot survive targeted attacks of the scale and scope that we are seeing today. In fact, I believe we're just about to witness the first examples of large scale 'watering hole' attacks. This would be malware that attacks the software development and build processes themselves to distribute copies of itself to tens or even hundreds of millions of machines in a single, officially signed, instantaneous update. Deterministic, distributed builds are perhaps the only way we can reliably prevent these types of targeted attacks in the face of the endless stockpiling of weaponized exploits and other 'cyberweapons'."

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 23, 2013 16:24 UTC (Fri) by mmarq (guest, #2332) [Link]

Now!... he is right, but exaggerating.

If the development is open source, how can a "compromised patch" escape the "scrutiny" of the maintainers?

Yet occasionally, in less minor projects, and/or with less attentive maintainers, it could... but it would be a lot of risk for the attacker, because "he" could easily be tracked back, no?

OTOH malware attached to the build tools on the "client" side would be similar to any other sophisticated attack, but then how could Tor help in this? ... no matter the anonymity, the malware would be implemented downstream, not travel the network?

Damn paranoia!... yet the idea of a unified pool, like the idea of a United Linux, could make everything more tractable and easier to maintain; it doesn't need to be a whole distro (that was the mistake), only a comprehensive large pool. Then distributed builds employing all the sophisticated detection and removal tools would make everything pretty safe.

The "small fish", the occasional builder, will be the only real concern. But, like Web browsing, who is willing to take the responsibility? ... unless you prevent them from building anything whatsoever, any other tool, effort, system, approach or method will be pretty useless... but such "prevention" doesn't seem to me very "free" or "democratic", does it?

The worst attacks are the "subtle" ones... and destroying a good idea by self-induced paranoia seems a terrible attack in itself lol

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 23, 2013 16:47 UTC (Fri) by mmarq (guest, #2332) [Link]

But somehow I like the article... I like the word "deterministic" lol

If the organization behind OSS can maintain "deterministic safe" source repositories, with the "built" repositories being the non-deterministic ones due to the very large number of different builds and entities involved, then compiling and installing from online, by deterministic safe/encrypted live systems, from deterministic safe entities, directly onto the machines of users, can be by far the best assurance. lol

Sure, Tor can help, but I don't see how it is a deterministic factor, any more than SSH, for example.

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 29, 2013 13:09 UTC (Thu) by drag (subscriber, #31333) [Link]

If third parties are able to recreate the binaries from audit-able source code in a manner so that they match up with checksums from binaries distributed by somebody else then you don't have to depend on having the distribution channel 100% secure in order to make sure people have access to binaries that are not manipulated. I understand that package management uses signatures and checksums to help make sure packages are not manipulated, but if the underlying system used to build and checksum the software then it only serves to provide a false sense of security.

How it's done in the voting machine industry, for example, is that companies must register and get their source code audited by a third party that is registered with whatever government entity they are dealing with. This includes the code for end user software and any machine's programmable firmware. Then government representatives take the source code provided by the voting company and compile it themselves following directions provided by the original developers. Nothing is allowed to be provided directly by the voting machine company... the government representatives must install the operating systems and set up the build environment themselves, for example. Then the firmware and software are checksummed and those checksums are publicly available for download from government websites so that third parties can independently verify everything.

Obviously this is hugely time consuming and expensive and is not practical for open source software projects and the binary distribution channels used by average Linux users.

However, if you can design the build environment so that software compilation can be entirely reproducible, then that makes it possible to verify the fact that nobody has yet taken advantage of any security flaws in a project's build system and distribution channels to screw with users that depend on it.
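The check drag describes, third parties recompiling from source and comparing their checksums against the distributor's binary, as an added example that is not part of the article or the comments. Builder names, the stand-in artifact bytes and the quorum value are constructed for illustration; a single dissenting rebuild fails the check even when the quorum is met, because it signals either nondeterminism or a tampered build that needs investigation.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Attestation:
    builder: str   # independent rebuilder (hypothetical names)
    sha256: str    # hex digest that builder obtained from its own rebuild


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_reproducible(distributed: bytes, attestations, quorum: int):
    """Compare the distributed artifact against independent rebuilds.

    Returns (ok, report). ok is True only when at least `quorum` distinct
    builders reproduced exactly the distributed digest AND no builder
    reported a different digest; any dissent is surfaced for investigation.
    """
    published = sha256_hex(distributed)
    by_digest: dict[str, set[str]] = {}
    for a in attestations:
        by_digest.setdefault(a.sha256, set()).add(a.builder)
    agreeing = by_digest.get(published, set())
    dissenting = {d: sorted(b) for d, b in by_digest.items() if d != published}
    ok = len(agreeing) >= quorum and not dissenting
    report = {
        "published": published,
        "agreeing_builders": sorted(agreeing),
        "dissenting": dissenting,
    }
    return ok, report


# Constructed sample data: a stand-in for the shipped binary, and rebuild results.
DISTRIBUTED = b"\x7fELF constructed stand-in for a distributed build artifact"
GOOD = sha256_hex(DISTRIBUTED)
TAMPERED = sha256_hex(DISTRIBUTED + b"\x90")  # a rebuild that differs by one byte

CLEAN_RUN = [Attestation("builder-a", GOOD), Attestation("builder-b", GOOD),
             Attestation("builder-c", GOOD)]
SUSPECT_RUN = CLEAN_RUN[:2] + [Attestation("builder-c", TAMPERED)]

if __name__ == "__main__":
    for name, run in (("clean", CLEAN_RUN), ("suspect", SUSPECT_RUN)):
        ok, rep = verify_reproducible(DISTRIBUTED, run, quorum=2)
        print(name, "OK" if ok else "MISMATCH", rep["dissenting"])
```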

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 23, 2013 17:20 UTC (Fri) by mmarq (guest, #2332) [Link]

Sorry for the barrage of posts... but in the end a lot can be accomplished by securing the end systems of this large distributed network, which by and large are client/desktop systems. "Containers" not only for the OS but for applications, and especially complementing the file permissions with capabilities, above and beyond the idea of encrypted files and folders and suitable for embedded, very effective IDS/IDT and removal tools, would make the incredible threat stockpiling incredibly less threatening.

But somehow I think this doesn't please the "status quo" at all; "security" can be such a good argument for influence and maneuvering towards restrictive approaches... and for commercial purposes! (let them all stay unsafe and buy the illusion of safety so they can continue buying)...

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 25, 2013 14:02 UTC (Sun) by kleptog (subscriber, #1183) [Link]

I find it a little odd that there's a huge focus on attacks by governments while right now criminals are using similar attacks to steal hundreds of millions of dollars from bank accounts across the world. It's not entirely clear where the money is going, but it sure as hell isn't for tickets to Disneyland.

Now, this is from a Tor developer and since its stated goal is to protect against government interference I can understand the focus. But I wouldn't be so quick to assume that organised crime isn't working just as hard to break into your systems.

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 26, 2013 12:56 UTC (Mon) by AndreiG (guest, #90359) [Link]

How many 'criminal enterprises' can do split trunking? Or have direct access to all of Google's, Microsoft's or Apple's infrastructure? Do 'criminal enterprises' get direct access to the security vulnerabilities of major OSes?

How can it possibly be that some cartoony 'criminal enterprise' cartel is anywhere near the capabilities of the US government in anything but piss poor megalomania? When was the last time a Mob boss sent 40 million people into abject unemployment by using public money to bail out petty white collar economic hitmen? My memory is fuzzy, but I never heard of a bunch of ATM hackers and phishers wiping out entire countries with white phosphorous and depleted uranium.

And, by the way, what is a 'criminal enterprise'? For a vast majority of people, Goldman Sachs is a criminal enterprise that stole billions. Or the US government, for a whole different kind of very physical criminality...

The world isn't in economic collapse because some fuzzily-defined 'Russian' hackers (or whatever nationality/ethnicity was hyped up as cartoon villains in the latest batch of Hollywood superhero movies) steal your online account credentials.

If you find it odd that there is a 'huge focus on attacks by governments', what about the millions upon millions on the receiving end of US policy in the Middle East and the like (where attacks are very physical and not metaphorical)?

Does anyone else with a gram (metric system here, no body parts and beans) of historical general knowledge and a brush of political aptitude find this quite 'Marie Antoinette-esque'?

Perry: Deterministic Builds Part One: Cyberwar and Global Compromise

Posted Aug 25, 2013 21:15 UTC (Sun) by roskegg (subscriber, #105) [Link]

mmarq: how to slip a change into the codebase? With a little knowledge you can bypass the git log. How many people do "git diff"? How often?

Watering hole attacks are indeed the low hanging fruit. And the low hanging fruit for defense is to build in ways to SWIFTLY revert to previous images. When a crocodile attacks a wildebeest at the waterhole, everyone flees.

So, you need a fast reversion mechanism, and a fast mechanism for a user to report, and the watering hole comptroller to relay the "scream".

All other methods to harden the code are nice, but I see too many over-confident young programmers selling insecure code based on the unmerited "wunderkind" fantasies of their customers. Reversion, rollback, and swift escalation are the proper arrow to put our development wood behind.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds