Opened 7 years ago

Closed 5 years ago

#6521 closed enhancement (fixed)

air gap the build machine

Reported by: cypherpunks Owned by:
Priority: Very High Milestone:
Component: Archived/Ponies Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Here is the attack...
An attacker finds out your build machines IP, buys a zero day exploit, gets access to the build machine, adds malicious code to the binary before it gets hashed and signed. To keep a low profile and to profit for a long time from the backdoor the exploit will only be used against selected high profile targets.

Since you don't have deterministic builds for everything (Tor, TBB) no one will find the backdoor. Don't expect people to thoroughly inspect each and every disassembly.

A good defense for network attacks against the build machine is using air gap.

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by mikeperry

Given that we don't really have a physical office other than where Andrew gets snail mail, where would we store these machines to keep them safe? How do we authenticate people who get to have physical access? What happens when those people travel but an emergency security issue is found?

Also, what about malware that infects the USB storage devices used to transfer source code onto the airgapped machine?

I think deterministic reproducible builds are the clear winner over airgapped machines, and are also likely to actually be less effort in total.

comment:2 Changed 7 years ago by weasel

Component: Tor Sysadmin TeamPonies

unreasonable requirement - moving to ponies.

comment:3 Changed 5 years ago by Sebastian

Resolution: fixed
Status: newclosed

We have deterministic builds for TBB now

Note: See TracTickets for help on using tickets.