Dunno, you could just use a 0day once to compromise the build server... that scales really well, and has really happened 
Replying to @taviso @qwertyoruiopz and
That presumes the code signing system is online and automated; bad design x2.
Most code signing system compromises have been due to online keys. That’s why sensitive keys are kept offline.
>sensitive keys kept in HSM >code signing HSM connected to internet
Replying to @saleemrash1d @taviso and
I’ve worked on several such systems for large companies; properly designed ones are either offline (manual) or at a minimum air-gapped; in all cases quorum of physical employees. Not online like Let’s Encrypt.
Replying to @rmhrisk @saleemrash1d and
Ah-ha, I think you're saying you believe you can build a secure HSM infrastructure, but the necessities of a lawful access system (e.g. speed and scale of LE access requirements) would require you to make design compromises?
The government requires speed? Since when?
Replying to @carrickdb @taviso and
200 sovereign nations, 10s of thousands of agencies each, many departments, many employees. Then in the hearings they talk of timelines in hours and days.
Replying to @rmhrisk @carrickdb and
I don't see that it follows that all nations will be automatically granted access, but the other part of the argument is convincing to me.
Replying to @taviso @carrickdb and
It doesn’t require all nations to want equal treatment (though it’s unrealistic to believe they won’t); the volume from the USG alone would necessitate the system being online; take the top 10, it’s a ridiculous volume.
I agree, I think it's a strong argument without needing the slippery slope of other nations.