Christopher Allen

@ChristopherA

#SmartCustody Adversary — Supply-Chain Attack

SUPPLY-CHAIN ATTACK may be one of the least obvious adversaries that we cover in #SmartCustody. But that makes it particularly important, because you may not be aware of its possibilities. (1/11)

6/22/2020, 12:09:50 PM

Favs: 6

Retweets: 1

Christopher Allen

@ChristopherA

In a Supply-Chain Attack, someone corrupts your computer, your hardware wallet, or your other cryptocurrency hardware before you ever see it. (2/11)

6/22/2020, 12:09:51 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

Here's how we explain the motivation: "I'm the slyest of thieves because I worm my way into your life without your even knowing. ... My goal is to mess with your devices so that I can mess with your digital assets, and you may never figure out how I did it!" (3/11)

6/22/2020, 12:09:51 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

And we've always wondered about the "factory-sealed" computer used to supposedly prove the identity of Satoshi Nakamoto, especially since it was delivered by that person's assistant. That's a prime example of an opportunity for an attack of this sort. (5/11)

6/22/2020, 12:09:51 PM

Favs: 1

Retweets: 0

Christopher Allen

@ChristopherA

The problem with a supply-chain attack is that it can make you very paranoid. Anyone could be an attacker, from a worker in a factory to a reseller to your postal carrier, to the eponymous “evil maid”. (6/11) https://en.wikipedia.org/wiki/Evil_maid_attack

6/22/2020, 12:09:51 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

The ideal solution? Buy from manufacturers directly. If you can, do so in person by going to their warehouse! I bought my first @Ledger hardware from their store in Paris. Every person you can cut out of the supply-chain is one less vector of attack. (7/11)

6/22/2020, 12:09:52 PM

Favs: 1

Retweets: 0

Christopher Allen

@ChristopherA

Of course, this is really practical when in fact the known incidents of SUPPLY-CHAIN ATTACK are very few. However, whether you purchase directly from a manufacturer or not, seek hardware that is sealed and offers some measures of tamper-resistance. And re-check regularly! (8/11)

6/22/2020, 12:09:52 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

On my most critical personal devices, I enclose them in tamper-evident bags, or add a tamper-evident seal, or just add some glitter polish and take a photo. I check these twice a year. I personally feel it is unlikely to happen to me, but it is so cheap to protect against. (9/11)

6/22/2020, 12:09:52 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

And this is the last of the #SmartCustody category "Loss by Crime, Theft" by networked, personal or systemic, institutional or internal, through the supply chain or through social engineering. You need to consider them all in your risk analysis! (9/11)

6/22/2020, 12:09:53 PM

Favs: 0

Retweets: 0

Christopher Allen

@ChristopherA

Have your own stories of SUPPLY-CHAIN ATTACK impacting digital assets? Your own solutions? Let us know! And please consider supporting #SmartCustody. We're working on V2, with multi-sigs and other expansions: https://smartcustody.btcpay.blockchaincommons.com/ (10/11)

6/22/2020, 12:09:53 PM

Favs: 0

Retweets: 0