Supply chain attacks and mitigations PG suggests?

Reading a lot about the rise in supply chain attacks worldwide over the past few years (source) and wanted to know how PG members mitigate these risks at an individual level (assuming the threat model of a random citizen safeguarding against non-targeted, mass attacks). It would be helpful if you could divide your response according to the steps you take on a.) Desktop and b.) Mobile Devices separately.

Is basic sanitation like checking signatures and building software from source yourself enough? It makes me a bit concerned to see even basic building blocks getting vulnerable (link).

Have you read about supply chain attacks on this page?

https://www.privacyguides.org/en/basics/common-threats/#security-and-privacy


Hey Jonah, thanks for the response. Yes I did read it, but I wanted to understand if there are specific tools, methods, etc. that are being used to mitigate it that might have flown under my radar. I do feel PG currently lacks "specific" advice about supply chain attacks, including what tools to use, step by step guides of what basic sanitation should be, etc. Since some PG users are exposed to these threats at enterprise level and some have higher threat models, I thought it would be useful to know what they were using.

An example response would be (using my setup as base):

  1. Desktop: I usually prefer applications with reproducible builds that I can build myself, and the ones I can’t build I run through VirusTotal after checking signatures from the developer.
  2. Mobile: I use the App Verifier application on mobile to check app signatures, and only download applications through Obtainium or Accrescent.
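The desktop routine in step 1, verifying the developer's signature on the published checksum manifest and then the file's hash, as an added Python example (not code from the original post or from Privacy Guides). It assumes the project ships a `SHA256SUMS` manifest with a detached GnuPG signature (`SHA256SUMS.sig`) and that the developer's public key was already fetched, checked out of band, and imported into your keyring.

```python
"""Two-step download check: (1) the SHA256SUMS manifest must carry a valid
detached signature from a key already in the local GnuPG keyring, (2) the
artifact's digest must match its manifest entry. Constructed example."""
import hashlib
import hmac
import subprocess
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse GNU coreutils '<hex>  <name>' lines; a leading '*' on the name
    marks binary mode and is not part of the filename."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name] = digest.lower()
    return entries


def manifest_signature_ok(manifest: Path, detached_sig: Path) -> bool:
    """Let GnuPG verify the detached signature on the manifest. Only meaningful
    if the signing key was obtained and checked independently of the download."""
    r = subprocess.run(["gpg", "--verify", str(detached_sig), str(manifest)],
                       capture_output=True)
    return r.returncode == 0


def verify_download(artifact: Path, manifest: Path) -> bool:
    """True only if the manifest lists the artifact and the digest matches.
    An unlisted file is treated as untrusted, not as 'nothing to check'."""
    expected = parse_sha256sums(manifest.read_text()).get(artifact.name)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_file(artifact))
```

Run `manifest_signature_ok` first and only call `verify_download` if it returns True; a matching hash against an unsigned or tampered manifest proves nothing.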

Seeing the xz backdoor, the recent OpenSSH vulnerability and the downstream Linux distros being very slow to change things.

I must say if they want to get you, they will.

The only thing you can do is download from reasonable trusted sources.

And the devs you trust should ideally pin most critical libs and have a security policy in place that they respond to quickly.


I've heard on a podcast that pinning solves one issue and opens it up to other issues.

Also @raptor I don't think the end user has any real actionable thing they can do. I mean, do the devs (in general) themselves have a complete software bill of materials for their software?

This can only be solved at the scale of the institutions (GitHub) and governments (but sadly they aren't savvy enough for it). It should be regulated, but not everyone agrees to being regulated.

Every country needs a programmer/coder/IT guy in the higher ranks of government as an elected official. But greybeards and coders aren't socially savvy.


Makes sense, it looks like most of you agree that the end user cannot guard against larger supply chain attacks. Just makes me a bit sad :frowning: