make links open new tab
parent 24bd065ecb
commit d3cfa03cef
@ -35,7 +35,7 @@ Traditional infrastructure has historically lacked mechanisms to distribute trus
## Root cause analysis and mitigation strategies
In our opinion, the primary causes of this incident stem from two key issues identified in the [Sygnia report](https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/):
In our opinion, the primary causes of this incident stem from two key issues identified in the <a href="http://web.archive.org/web/20250328121908/https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" rel="noopener noreferrer" target="_blank">Sygnia report</a>.
* > ... a developer’s Mac OS workstation was compromised, likely through social engineering.
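Review bot: the punctuation on the added Sygnia-report line is wrong for its position. The removed line ended with a colon ("... identified in the Sygnia report:") because it introduces the quoted bullet that follows; the new line ends with a period, so the sentence no longer leads into the list. Restore the colon after `</a>`. This hunk also does more than the commit message says: the live `https://www.sygnia.co/...` URL is replaced by a `web.archive.org` snapshot (`20250328121908`). Pinning to a snapshot is a reasonable choice for a cited report, but it is a content change and should be mentioned in the message. The attribute pair itself is correct: with `target="_blank"`, `rel="noopener"` stops the opened page from reaching `window.opener` (reverse tabnabbing), and `noreferrer` additionally suppresses the Referer header; current browsers already imply `noopener` for `_blank`, but stating it explicitly covers older ones.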
@ -93,7 +93,7 @@ The idea centers on extracting the **signing** component from the application (w
However, simply making a component offline does not eliminate all single points of failure. To close off supply chain threats stemming from compiler, dependency or environment compromise requires that the application is reproduced on multiple diverse systems (using different chipsets and operating systems), using a fully bootstrapped compiler—a fully hermetic, deterministic and reproducible process.
We've developed open source tooling for this under **[StageX](https://codeberg.org/stagex/stagex)**. To learn more about the importance of reproducible builds, check out [this video](https://antonlivaja.com/videos/2024-incyber-stagex-talk.mp4), where one of our co-founders explains how the SolarWinds incident unfolded—and how it could have been prevented.
We've developed open source tooling for this under <a href="https://codeberg.org/stagex/stagex" target="_blank" rel="noopener noreferrer">StageX</a>. To learn more about the importance of reproducible builds, check out <a href="https://antonlivaja.com/videos/2024-incyber-stagex-talk.mp4" target="_blank" rel="noopener noreferrer">this video</a>, where one of our co-founders explains how the SolarWinds incident unfolded—and how it could have been prevented.
##### Reference design
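Review bot: the StageX link loses its emphasis in the added line. The removed line wrapped the link in `**...**`, so the product name rendered in bold; the `<a ...>StageX</a>` replacement does not. If the bold was intentional, either wrap the anchor in `<strong>...</strong>` or keep the `**` around the tag (most Markdown renderers accept inline HTML inside emphasis). More generally, converting Markdown links to raw `<a>` tags only works if the site's Markdown pipeline passes inline HTML through unsanitized; several renderers strip `target` and `rel` from anchors or escape the tag entirely, so check the rendered page, not just the source, before merging.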
@ -111,13 +111,13 @@ This reference design was developed for the Safe{Wallet} team, but it can be app
* Signing operations are performed exclusively on the engineer's offline system
* Distrust has developed open source tooling to drastically simplify PGP key provisioning: **[Trove](https://trove.distrust.co/generated-documents/all-levels/pgp-key-provisioning.html)**
* Distrust has developed open source tooling to drastically simplify PGP key provisioning: <a href="https://trove.distrust.co/generated-documents/all-levels/pgp-key-provisioning.html" target="_blank" rel="noopener noreferrer">Trove</a>
3. **Offline signing applications are deterministically compiled, verified, and signed by multiple engineers**
* Includes a full set of tools needed for secure offline key operations
* Distrust also created **[AirgapOS](https://git.distrust.co/public/airgap)**, a custom Linux distribution designed specifically for offline secret management. It has been independently audited and is used in production by several major digitial asset organizations.
* Distrust also created <a href="https://git.distrust.co/public/airgap" target="_blank" rel="noopener noreferrer">AirgapOS</a>, a custom Linux distribution designed specifically for offline secret management. It has been independently audited and is used in production by several major digitial asset organizations.
4. **All sensitive operations are fully verified offline before any cryptographic action is taken**
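Review bot: the added AirgapOS line carries the existing typo "digitial" forward ("several major digitial asset organizations"); since the line is being rewritten anyway, correct it to "digital" here. As in the StageX hunk, both the Trove and the AirgapOS links drop the `**` bold that the removed lines had; wrap the anchors in `<strong>` or keep the `**` if the emphasis is still wanted, so the three converted links in this commit render consistently.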