Hmmm. I think you might be flipping between build servers and signing servers as is convenient for your argument, but the reality is that a compromise of either is sufficient, no?
Replying to @taviso @carrickdb and
It depends; if the prod signing infra is online then build servers and signing infra are synonymous. If separated and designed to mitigate insider threats then it's different.
Sneaking a defect into large source control happens, and if you can, and you are patient, that defect will ultimately get signed. It's very unlikely this is quicker than using zero days but it is possible to do.
Replying to @rmhrisk @carrickdb and
Definitely not quicker, but you can reuse an image on any phones you recover, so pretty effective? Not sure I'm sold that this is harder than compromising some escrow infrastructure, is that the main argument?
Replying to @taviso @carrickdb and
I agree that an attacker that could get a beachhead inside a hardware/OS provider and sneak a vuln into source control that isn't caught via code review and other means could create a back door that would get signed.
I also agree that if there was no downgrade protection in the platform that would be a persistent attack vector for the attacker. I believe that's the argument you are making, so we are on the same page here.
Replying to @rmhrisk @carrickdb and
I was thinking of the San Bernardino case, physical access to device, need to defeat FDE. I think it's a good argument that infra to handle escrow is difficult and error prone... but it's a good counter that similar infra already exists, so not a *huge* increase in attack surface
Replying to @taviso @carrickdb and
Disagree. It's a massive difference in attack surface.
Replying to @rmhrisk @carrickdb and
Yep, I guess we do disagree on this. I don't see a significant difference in attack surface to build and package signing infra, which already regularly gets popped and that's good enough to defeat FDE today. Where do you see the difference?
Replying to @taviso @carrickdb and
Show me Apple, Google or Microsoft signing infra getting popped regularly and maybe I'll believe you that it's a regular occurrence in related systems. Even then, layering the changes to accommodate frequency of access and the associated authentication problems is massively different.
I don't follow, Microsoft build infra was just recently popped?
Replying to @taviso @carrickdb and
I'm not familiar with the details of that incident so I can't comment, but your word was "frequently", not "once".
Replying to @rmhrisk @carrickdb and
It's happened at Adobe multiple times, as well as Debian and Red Hat. It only happened at DigiNotar once, but you use that example, no?