Operation Aurora and Software Distributions as Single Points of Security Failure

Operation Aurora (Google’s compromise by China) highlights the possibility that software distributions may be targeted for code injection by malicious parties.  If Apple, Microsoft or a Linux distributor were compromised, a large percentage of individuals, businesses and governments could be compromised in turn when they install software updates.

One way to mitigate such a risk is to have multiple independent security auditors sign software distributions.  This is more likely to be successful in an open-source environment, where source is available and can easily be inspected.  I started such an initiative in late 2009 – Gitian.org.
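As an illustration of the multi-signer idea above, here is an added example (not Gitian's own code) of a release verifier that only accepts a build manifest when at least k of n independent, pre-trusted auditors have each produced a valid signature over the same manifest digest. It uses Go's standard-library Ed25519 rather than any particular signing tool, and the signer names, keys and artifact hashes are constructed for the example. The check also shows the two failure modes a practitioner would want handled: the same auditor signing twice must not count as two independent signatures, and a signature from a key outside the trusted set must be ignored.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Signer models one independent auditor or builder: a name plus an Ed25519 key pair.
// Keys are generated on the fly for this example; in practice they would be
// long-lived and distributed out of band.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner creates a fresh auditor identity (constructed for this example).
func NewSigner(name string) Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Signer{Name: name, Pub: pub, priv: priv}
}

// Attestation is one auditor's signature over a manifest digest.
type Attestation struct {
	Signer string
	Sig    []byte
}

// ManifestDigest canonicalises the artifact list (file name -> sha256 hex) into a
// single digest. Names are sorted so every auditor hashes exactly the same bytes.
func ManifestDigest(artifacts map[string]string) []byte {
	names := make([]string, 0, len(artifacts))
	for n := range artifacts {
		names = append(names, n)
	}
	sort.Strings(names)
	h := sha256.New()
	for _, n := range names {
		fmt.Fprintf(h, "%s  %s\n", artifacts[n], n)
	}
	return h.Sum(nil)
}

// Attest signs the digest with this auditor's private key.
func (s Signer) Attest(digest []byte) Attestation {
	return Attestation{Signer: s.Name, Sig: ed25519.Sign(s.priv, digest)}
}

// VerifyRelease accepts the manifest only if at least `threshold` DISTINCT trusted
// signers produced valid signatures over it. It returns the names that counted and
// whether the policy was met. Unknown signers and repeated signers are skipped.
func VerifyRelease(digest []byte, trusted map[string]ed25519.PublicKey,
	atts []Attestation, threshold int) ([]string, bool) {
	seen := map[string]bool{}
	var accepted []string
	for _, a := range atts {
		pub, known := trusted[a.Signer]
		if !known || seen[a.Signer] {
			continue // untrusted key, or this auditor already counted
		}
		if ed25519.Verify(pub, digest, a.Sig) {
			seen[a.Signer] = true
			accepted = append(accepted, a.Signer)
		}
	}
	sort.Strings(accepted)
	return accepted, len(accepted) >= threshold
}

func main() {
	alice, bob, carol := NewSigner("alice"), NewSigner("bob"), NewSigner("carol")
	trusted := map[string]ed25519.PublicKey{"alice": alice.Pub, "bob": bob.Pub, "carol": carol.Pub}

	// Constructed sample manifest: artifact name -> sha256 (placeholder hex values).
	artifacts := map[string]string{"app-1.0.tar.gz": "aa11", "app-1.0.deb": "bb22"}
	d := ManifestDigest(artifacts)

	names, ok := VerifyRelease(d, trusted, []Attestation{alice.Attest(d), bob.Attest(d)}, 2)
	fmt.Println("2-of-3 with alice+bob:", ok, names)

	_, ok = VerifyRelease(d, trusted, []Attestation{alice.Attest(d), alice.Attest(d)}, 2)
	fmt.Println("alice signing twice:", ok)
}
```

The threshold is a policy choice: a higher k raises the number of independent parties an attacker must compromise before a tampered update is accepted, at the cost of requiring more auditors to reproduce and sign each release.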