Common Threats: Supply chain attacks #2467
Conversation
dngray
force-pushed
the
pr-supply-chain-attack
branch
from
7f653ef to
756a45f
Compare
✅ Your preview is ready!
|
|
This pull request has been mentioned on Privacy Guides. There might be relevant details there: https://discuss.privacyguides.net/t/add-supply-chain-attacks-to-common-threats-page/17595/6 |
There was a problem hiding this comment.
I'll have to read this tomorrow, but I'll just note quick that new colors should be checked against https://webaim.org/resources/contrastchecker/
|
Yes i should have marked this as a draft, it might require editorial editing to make it nice. |
dngray
force-pushed
the
pr-supply-chain-attack
branch
from
8e589ea to
566a0ec
Compare
docs/basics/common-threats.md
Outdated
| @@ -57,6 +58,26 @@ By design, **web browsers**, **email clients**, and **office applications** typi | |||
|
|
|||
| If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user. | |||
|
|
|||
| <span class="pg-amber">:material-package-variant-closed-remove: Supply Chain</span> | |||
There was a problem hiding this comment.
I'm wondering if, instead of placing this here, we add a new section at the bottom of the page: "Advanced Persistent Threats" where we cover larger-scale issues like this. Thoughts?
There was a problem hiding this comment.
I kind of like that idea, we might find something else to put there in the future.
There was a problem hiding this comment.
I'm wondering whether this actually is a good idea at all.
Supply chain attacks don't necessarily have to come from an APT. For example in the case of naming similar nodejs libs that are often typo'ed or uploading some crappy crypto wallet to a store, these are not done by an APT.
APT or not, it really doesn't effect the way the attack is carried out. By putting it under a heading like that we might be insinuating only an APT can pull it off.
jonaharagon
force-pushed
the
main
branch
5 times, most recently
from
91e0dc7 to
af45bcc
Compare
dngray
force-pushed
the
pr-supply-chain-attack
branch
2 times, most recently
from
a22ca8d to
40686f3
Compare
jonaharagon
force-pushed
the
main
branch
3 times, most recently
from
2471612 to
775ff52
Compare
jonaharagon
force-pushed
the
pr-supply-chain-attack
branch
from
7b1ad13 to
01abb10
Compare
dngray
force-pushed
the
pr-supply-chain-attack
branch
from
01abb10 to
c4a5f24
Compare
dngray
force-pushed
the
pr-supply-chain-attack
branch
from
89962a9 to
bef1766
Compare
dngray
force-pushed
the
pr-supply-chain-attack
branch
from
bef1766 to
496d2a4
Compare
jonaharagon
force-pushed
the
main
branch
2 times, most recently
from
0a94f3f to
d80af39
Compare
Signed-off-by: Jonah Aragon <[email protected]>
jonaharagon
force-pushed
the
pr-supply-chain-attack
branch
from
496d2a4 to
a8a4ade
Compare
jonaharagon
temporarily deployed
to
github-pages
GitHub Actions
Inactive
|
This pull request has been mentioned on Privacy Guides. There might be relevant details there: |
Changes proposed in this PR:
Closes: #2382