Compare commits

..

15 Commits

20 changed files with 453 additions and 512 deletions

View File

@ -1,2 +1,3 @@
source "https://rubygems.org" source "https://rubygems.org"
gem "jekyll-theme-console", path: "./_vendor/jekyll-theme-console" gem "jekyll-theme-console", path: "./_vendor/jekyll-theme-console"
gem 'jekyll-feed'

View File

@ -21,26 +21,30 @@
title: Distrust title: Distrust
email: lance@distrust.co email: lance@distrust.co
description: >- # this means to ignore newlines until "baseurl:" description: >- # this means to ignore newlines until "baseurl:"
Understand and mitigate security threats others won't see coming. Trust Nothing
baseurl: "" # the subpath of your site, e.g. /blog baseurl: "" # the subpath of your site, e.g. /blog
url: "https://distrust.co" # the base hostname & protocol for your site, e.g. http://example.com url: "https://distrust.co" # the base hostname & protocol for your site, e.g. http://example.com
banner: "https://distrust.co/assets/base/distrust-logo.png"
header_pages: header_pages:
- index.md - index.md
- about.md - about.md
- services.md - services.md
- tools.md - tools.md
- blog.md
- contact.md - contact.md
style: dark # dark (default), light or hacker style: dark # dark (default), light or hacker
listen_for_clients_preferred_style: false # false (default) or true listen_for_clients_preferred_style: false # false (default) or true
footer: '2024 Distrust, LLC' footer: '2023 Distrust, LLC'
# Build settings
theme: jekyll-theme-console theme: jekyll-theme-console
permalink: blog/:title.html
plugins:
- jekyll-feed
# Exclude from processing. # Exclude from processing.
# The following items will not be processed, by default. # The following items will not be processed, by default.
# Any item listed under the `exclude:` key here will be automatically added to # Any item listed under the `exclude:` key here will be automatically added to

View File

@ -1,4 +1,4 @@
<footer style="height: 40px"> <footer style="height: 40px">
<span><img src="assets/base/distrust-white.svg" width="20px" alt="copyleft"/></span> {{ site.footer }} <span><img src="/assets/base/distrust-white.svg" width="20px" alt="copyleft"/></span> {{ site.footer }}
<script type="text/javascript" src="/assets/js/main.js"></script> <script type="text/javascript" src="/assets/js/main.js"></script>
</footer> </footer>

View File

@ -6,62 +6,6 @@
<link rel="icon" type="image/png" sizes="96x96" href="/assets/favicons/favicon-96x96.png"> <link rel="icon" type="image/png" sizes="96x96" href="/assets/favicons/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="/assets/favicons/favicon-16x16.png"> <link rel="icon" type="image/png" sizes="16x16" href="/assets/favicons/favicon-16x16.png">
<title>{{ page.title }}</title> <title>{{ page.title }}</title>
<meta content="{{ site.title }}" property="og:site_name" />
{% if page.noindex %}
<meta name="robots" content="noindex" />
{% endif %} {% if page.title %}
<meta content="{{ page.title }}" property="og:title" />
<meta content="article" property="og:type" />
{% else %}
<meta content="{{ site.banner }}" property="og:image" />
<meta content="{{ site.title }}" property="og:title" />
<meta content="website" property="og:type" />
{% endif %} {% if page.summary %}
<meta content="{{ page.summary }}" property="og:description" />
{% else %}
<meta content="{{ site.description }}" property="og:description" />
{% endif %} {% if page.url %}
<meta content="{{ site.url }}{{ page.url }}" property="og:url" />
{% endif %} {% if page.date %}
<meta
content="{{ page.date | date_to_xmlschema }}"
property="article:published_time"
/>
<meta content="{{ site.url }}/about/" property="article:author" />
{% endif %} {% if page.thumbnail %}
<meta content="{{ site.url }}{{ page.thumbnail }}" property="og:image" />
{% endif %} {% if page.categories %} {% for category in page.categories
limit:1 %}
<meta content="{{ category }}" property="article:section" />
{% endfor %} {% endif %} {% if page.tags %} {% for tag in page.tags %}
<meta content="{{ tag }}" property="article:tag" />
{% endfor %} {% endif %}
<!-- Twitter Cards -->
<meta name="twitter:card" content="summary" />
<!--<meta name="twitter:site" content="@{{ site.share.twitter_username }}" />-->
<!--<meta name="twitter:creator" content="@{{ site.share.twitter_username }}" />-->
{% if page.title %}
<meta name="twitter:title" content="{{ page.title }}" />
{% else %}
<meta name="twitter:title" content="{{ site.title }}" />
{% endif %}
{% if page.url %}
<meta name="twitter:url" content="{{ site.url }}{{ page.url }}" />
{% endif %} {% if page.summary %}
<meta name="twitter:description" content="{{ page.summary }}" />
{% else %}
<meta name="twitter:description" content="{{ site.description }}" />
{% endif %} {% if page.header-img %}
<meta
name="twitter:image:src"
content="{{ site.url }}{{ page.thumbnail }}"
/>
{% endif %}
{% if page.robots %} {% if page.robots %}
<meta name="robots" content="{{page.robots}}" /> <meta name="robots" content="{{page.robots}}" />
@ -75,8 +19,8 @@
<!-- If you find anything interesting or want to talk to us, reach out via our /contact page!" --> <!-- If you find anything interesting or want to talk to us, reach out via our /contact page!" -->
<!-- https://git.distrust.co/public/stack --> <!-- https://git.distrust.co/public/stack -->
<!-- https://git.distrust.co/public/website --> <!-- https://git.distrust.co/public/website -->
<!-- mobile menu content -->
<!-- mobile menu content -->
<div class="menu-content" style="display: none"> <div class="menu-content" style="display: none">
<div class="inner-menu-content"> <div class="inner-menu-content">
<div> <div>
@ -91,6 +35,9 @@
<div> <div>
<a href="/tools.html">Tools</a> <a href="/tools.html">Tools</a>
</div> </div>
<div>
<a href="/blog.html">Blog</a>
</div>
<div> <div>
<a href="/contact.html">Contact</a> <a href="/contact.html">Contact</a>
</div> </div>

View File

@ -3,7 +3,7 @@
<div class="menu"> <div class="menu">
<div> <div>
<a id="home-link" href="/index.html"> <a id="home-link" href="/index.html">
<img class="menu-logo" src="assets/base/distrust-text-white.svg" <img class="menu-logo" src="/assets/base/distrust-text-white.svg"
alt="Distrust broken chain logo with white text" /> alt="Distrust broken chain logo with white text" />
</a> </a>
</div> </div>
@ -20,6 +20,12 @@
<li class="show"> <li class="show">
<a href="/contact.html" class="action-button">Free Consultation</a> <a href="/contact.html" class="action-button">Free Consultation</a>
</li> </li>
<li class="show">
<a href="/feed.xml" style="vertical-align: middle;">
<img style="filter: grayscale(100%); width: 22px; vertical-align: sub" src="/assets/base/rss.png" />
</a>
</li>
</ul> </ul>
<div id="hamburger-menu" class="hide menu-button-container" for="menu-toggle"> <div id="hamburger-menu" class="hide menu-button-container" for="menu-toggle">
<input id="menu-toggle" type="checkbox" /> <input id="menu-toggle" type="checkbox" />

View File

@ -9,15 +9,6 @@
{%- include header.html -%} {%- include header.html -%}
<main> <main>
<section>
<h2>About Distrust</h2>
<p>Distrust was founded in order to improve the security, privacy and freedom of individuals and organizations and promote principles of Open Source software worldwide. We specialize in helping organizations reduce risk through a holistic first principles approach rather than simply checking boxes according to often outdated "best practices".
</p>
<p>Close collaboration with our clients allows us to attain a deep understanding of technology stacks which we use to help teams refine threat models and ensure that the mitigating controls being used establish a reasonable level of security accordingly. We do this by offering variety of services which are tailored to fit the client needs, ranging across penetration tests, secure code review, threat modelling, system architecture design, supply chain security, infrastructure hardening, and more. One of our specialties is designing secure systems for management of cryptographic material, especially in the context of blockchains.
</p>
<p>Our clients are varied, many of them from high risk areas such as financial institutions, blockchain companies managing large quantities of cryptocurrency and electrical grid operators to name a few. We proudly continue to support such organizations, and use the knowledge we have attained to aid all our clients in achieving a better security posture.</p>
</section>
<section> <section>
<h2>Approach</h2> <h2>Approach</h2>
<p>Like most security firms, we often start relationships with full stack audits. We also have enough experience in this industry to admit another firm will find bugs we missed, and vice versa. Our true goal in audits is to understand your threat model and find a path to fundamentally remove entire classes of relevant attack surface.</p> <p>Like most security firms, we often start relationships with full stack audits. We also have enough experience in this industry to admit another firm will find bugs we missed, and vice versa. Our true goal in audits is to understand your threat model and find a path to fundamentally remove entire classes of relevant attack surface.</p>
@ -26,13 +17,13 @@
<li>Can your Google Authenticator codes be phished?</li> <li>Can your Google Authenticator codes be phished?</li>
<li>Can your SMS 2FA solution be SIM Swapped?</li> <li>Can your SMS 2FA solution be SIM Swapped?</li>
<li>Can someone tamper with your Git repos or CI/CD systems?</li> <li>Can someone tamper with your Git repos or CI/CD systems?</li>
<li>Would it be profitable for someone to buy a $50,000 0day to compromise an employee devices?</li> <li>Would it be profitable for someone to buy a $50,000 0day to compromise employee devices?</li>
<li>What happens when the FedEx guy leaves a tampered USB C cable on a conference table?</li> <li>What happens when the FedEx guy leaves a tampered USB C cable on a conference table?</li>
<li>Who reviews the code of your third party dependencies?</li> <li>Who reviews the code of your third party dependencies?</li>
<li>What happens when your IT administrator is compromised? Or a production engineer?</li> <li>What happens when your IT administrator is compromised? Or a production engineer?</li>
<li>Can a change in local political landscape fundamentally halt your business?</li> <li>Can a change in local political landscape fundamentally halt your business?</li>
<li>Can someone buy a server next to yours and steal your secrets via a side channel attack?</li> <li>Can someone buy a server next to yours and steal your secrets via a side channel attack?</li>
<li>How do you know the offline laptop with the keys to the kingdom has not been tampered with?</li> <li>How do know the offline laptop with the keys to the kingdom has not been tampered with?</li>
<li>Do you have a plan for <i>when</i> your production systems are compromised?</li> <li>Do you have a plan for <i>when</i> your production systems are compromised?</li>
</ul> </ul>
<br /> <br />
@ -51,7 +42,7 @@
<ul> <ul>
<li>We will never ask you to give us access to production systems or have any power over your org.</li> <li>We will never ask you to give us access to production systems or have any power over your org.</li>
<li>Anyone with access to significant value is at personal risk. We teach distrust to protect people.</li> <li>Anyone with access to significant value is at personal risk. We teach distrust to protect people.</li>
<li>We will always provide a way for you to build and verify any binaries we provide.</li> <li>We will always provide a way for you to build and verify any binaries we provide yourself.</li>
<li>We are happy to provide you any background research we legally can so you can make your own conclusions.</li> <li>We are happy to provide you any background research we legally can so you can make your own conclusions.</li>
</ul> </ul>
@ -60,7 +51,7 @@
<h4>Transparency</h4> <h4>Transparency</h4>
<ul> <ul>
<li>We regularly open source our research and common advice to get input and corrections from others in our industry.</li> <li>We regularly open source our research and common advice to get input and corrections from others in our industry.</li>
<li>Prices are always the same. We will sometimes adjust based on demand, but everyone is offered the same rates.</li> <li>Prices are always public. We will sometimes adjust based on demand, but everyone is offered the same rates.</li>
<li>With the exception of fully Open Source projects, which we offer a universal 15% discount on.</li> <li>With the exception of fully Open Source projects, which we offer a universal 15% discount on.</li>
</ul> </ul>

View File

@ -1,119 +0,0 @@
<!DOCTYPE html>
<html lang="{{ page.lang | default: site.lang | default: en }}">
{%- include head.html -%}
<body>
<div class="container">
{%- include header.html -%}
<main>
<h2>What are your biggest security challenges?</h2>
<hr />
<section class="flex-container">
<div class="flex-container-inner">
<h3>Contact us to take your security posture to the next level.</h3>
<p>We look forward to learning about your project and helping you bolster your security program.</p>
<h4>Meet The Team</h4>
<p>Lance Vick | <a mailto="lance@distrust.co">lance@distrust.co</a> | <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/6B61ECD76088748C70590D55E90A401336C8AAA9">PGP</a></p>
<p>Ryan Heywood | <a mailto="ryan@distrust.co">ryan@distrust.co</a> | <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/88823A75ECAA786B0FF38B148E401478A3FBEF72">PGP</a></p>
<p>Danny Grove | <a mailto="danny@distrust.co">danny@distrust.co</a> | <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD">PGP</a></p>
<p>Anton Livaja | <a mailto="anton@distrust.co">anton@distrust.co</a> | <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D">PGP</a></p>
<p>Shane Engleman | <a mailto="shane@distrust.co">shane@distrust.co</a> | <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/3D7C8D39E8C4DF771583D3F0A8A091FD346001CA">PGP</a></p>
</div>
<div class="flex-container-inner">
<div class="form-container">
<form onsubmit="return validateForm()" action="/submit-email" method="post">
<div class="form-flex-container">
<div>
<label for="name" class="form-label">Name</label>
<input type="text" id="name" name="name" class="form-input">
</div>
</div>
<label for="email" class="form-label required">Email</label>
<input type="email" id="email" name="email" class="form-input" required>
<label for="company-name" class="form-label">Company Name</label>
<input type="text" id="company-name" name="company-name" class="form-input">
<label for="service" class="form-label required">Service You Are Interested In</label>
<select id="service" name="service" class="form-select" required>
<option value="" disabled selected>Select option</option>
<option value="digital-asset-custody">Digital Asset Custody (threat modelling, design,
tooling,
system architecture, security assessments)</option>
<option value="blockchain-security">Blockchain Security (smart contracts, system
architecture
design)</option>
<option value="software-security-assessment">Software Security Assessment (penetration
tests, code
reviews, threat modelling, system architecture design, infrastructure hardening,
operating
system etc.)</option>
<option value="engineering">Engineering (tooling development, devops engineering)
</option>
</select>
<label for="help" class="form-label required">How can we help?</label>
<textarea id="help" name="help" class="form-textarea" required></textarea>
<label for="hear-about" class="form-label">How did you hear about Distrust?</label>
<select id="hear-about" name="hear-about" class="form-select" onchange="toggleOtherField()">
<option value="" disabled selected>Select option</option>
<option value="referral">Referral</option>
<option value="social-media">Social Media</option>
<option value="audit-report">Audit Report</option>
<option value="other">Other</option>
</select>
<div id="other-field" style="display:none;">
<input type="text" id="other-source" name="other-source" class="form-input" placeholder="Please specify">
</div>
<!-- TODO: add captcha of some sort -->
<button type="submit" class="form-submit-button">Submit</button>
</form>
</div>
</div>
</section>
</main>
<br />
{%- include footer.html -%}
</div>
</body>
<script>
function toggleOtherField() {
var hearAbout = document.getElementById('hear-about').value;
var otherField = document.getElementById('other-field');
if (hearAbout === 'other') {
otherField.style.display = 'block';
document.getElementById('other-source').required = true;
} else {
otherField.style.display = 'none';
document.getElementById('other-source').required = false;
}
}
function validateForm() {
var inquiryType = document.getElementById('inquiry-type');
var services = document.getElementById('services');
var hearAbout = document.getElementById('hear-about');
if (inquiryType.value === "") {
alert("Please select a valid Inquiry Type");
return false;
}
if (services.value === "") {
alert("Please select a valid Service you are interested in");
return false;
}
return true;
}
</script>
</html>

View File

@ -8,7 +8,7 @@
{%- include header.html -%} {%- include header.html -%}
<main> <main>
<section class="flex-container"> <section class="flex-container extra-spacing">
<div class="flex-container-inner"> <div class="flex-container-inner">
<div class="text-well"> <div class="text-well">
<h2>Understand and mitigate security threats others won't see coming.</h2> <h2>Understand and mitigate security threats others won't see coming.</h2>
@ -22,14 +22,21 @@
<div id="carousel"></div> <div id="carousel"></div>
<br> <br>
<div style="margin-left: 10px; font-size: 14px"> <div style="margin-left: 10px; font-size: 14px">
<a style="color: rgb(73, 73, 73)" href="../assets/js/carousel-items.json">Full list of articles</a> <a style="color: rgb(73, 73, 73)" href="/assets/js/carousel-items.json">Full list of articles</a>
</div> </div>
</div> </div>
</section> </section>
<hr /> <!-- <div>
<a href="{{ site.posts.first.url }}">
<img id="lp-post-img" src="{{ site.posts.first.cover_image }}"
alt="Cover image for {{ site.posts.first.title }}">
<h2>Latest Post: {{ site.posts.first.title }}</h2>
</a>
</div> -->
<section class="">
<section class="extra-spacing">
<div class="flex-container-inner"> <div class="flex-container-inner">
<div class="text-well"> <div class="text-well">
<h2>We specialize in working with high risk clients.</h2> <h2>We specialize in working with high risk clients.</h2>
@ -43,94 +50,92 @@
<div class="companies"> <div class="companies">
<div> <div>
<a href="https://coinbase.com"> <a href="https://coinbase.com">
<img style="height: 30px" src="assets/base/companies/coinbase-white.svg" /> <img style="height: 30px" src="/assets/base/companies/coinbase-white.svg" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://bitgo.com"> <a href="https://bitgo.com">
<img src="assets/base/companies/bitgo-logo-white.svg" /> <img src="/assets/base/companies/bitgo-logo-white.svg" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://bishopfox.com"> <a href="https://bishopfox.com">
<img style="height: 30px; filter: invert(100%) sepia(100%) saturate(0%) hue-rotate(288deg) brightness(102%) contrast(102%);" src="assets/base/companies/bishop-fox-dark.png" /> <img style="height: 30px; filter: invert(100%) sepia(100%) saturate(0%) hue-rotate(288deg) brightness(102%) contrast(102%);" src="/assets/base/companies/bishop-fox-dark.png" />
</a> </a>
</div> </div>
</div> </div>
<div class="companies"> <div class="companies">
<div> <div>
<a href="http://www.falconx.io/"> <a href="http://www.falconx.io/">
<img style="height: 20px" src="assets/base/companies/falconx-white.svg" /> <img style="height: 20px" src="/assets/base/companies/falconx-white.svg" />
</a> </a>
</div> </div>
<div> <div>
<a href="http://www.turnkey.io/"> <a href="http://www.turnkey.io/">
<img style="filter: invert(100)" src="assets/base/companies/turnkey-black.svg" /> <img style="filter: invert(100)" src="/assets/base/companies/turnkey-black.svg" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://exodus.com"> <a href="https://exodus.com">
<img src="assets/base/companies/exodus-white.svg" /> <img src="/assets/base/companies/exodus-white.svg" />
</a> </a>
</div> </div>
</div> </div>
<div class="companies"> <div class="companies">
<div> <div>
<a href="https://siderolabs.com"> <a href="https://siderolabs.com">
<img style="height: 60px" src="assets/base/companies/sidero-labs-white.png" /> <img style="height: 60px" src="/assets/base/companies/sidero-labs-white.png" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://zoom.com"> <a href="https://zoom.com">
<img style="height: 35px;" src="assets/base/companies/zoom-white.png" /> <img style="height: 35px;" src="/assets/base/companies/zoom-white.png" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://mystenlabs.com"> <a href="https://mystenlabs.com">
<img style="height: 25px" src="assets/base/companies/mysten-labs-white.svg" /> <img style="height: 25px" src="/assets/base/companies/mysten-labs-white.svg" />
</a> </a>
</div> </div>
</div> </div>
<div class="companies"> <div class="companies">
<div> <div>
<a href="http://www.ankr.com/"> <a href="http://www.ankr.com/">
<img style="height: 75px; filter: invert(100%) sepia(100%) saturate(0%) hue-rotate(288deg) brightness(200%) contrast(102%);" src="assets/base/companies/ankr.png" /> <img style="height: 75px; filter: invert(100%) sepia(100%) saturate(0%) hue-rotate(288deg) brightness(200%) contrast(102%);" src="/assets/base/companies/ankr.png" />
</a> </a>
</div> </div>
<div> <div>
<a href="http://www.hashicorp.io/"> <a href="http://www.hashicorp.io/">
<img style="height: 60px" src="assets/base/companies/hashicorp-white.png" /> <img style="height: 60px" src="/assets/base/companies/hashicorp-white.png" />
</a> </a>
</div> </div>
<div> <div>
<a href="http://www.b1.com/"> <a href="http://www.b1.com/">
<img style="filter: invert(100)" src="assets/base/companies/block-one-dark.svg" /> <img style="filter: invert(100)" src="/assets/base/companies/block-one-dark.svg" />
</a> </a>
</div> </div>
</div> </div>
<div class="companies"> <div class="companies">
<div> <div>
<a href="http://www.ledn.io/"> <a href="http://www.ledn.io/">
<img src="assets/base/companies/ledn-white.svg" /> <img src="/assets/base/companies/ledn-white.svg" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://fitbit.com"> <a href="https://fitbit.com">
<img src="assets/base/companies/fitbit-white.png" /> <img src="/assets/base/companies/fitbit-white.png" />
</a> </a>
</div> </div>
<div> <div>
<a href="https://dfns.co"> <a href="https://dfns.co">
<img src="assets/base/companies/dfns-color.png" /> <img src="/assets/base/companies/dfns-color.png" />
</a> </a>
</div> </div>
</div> </div>
</div> </div>
</section> </section>
<hr/>
<section class=""> <section class="">
<div class="flex-container-inner" style="align-items: baseline"> <div class="flex-container-inner" style="align-items: baseline">
<div class="text-well"> <div class="text-well">

27
_layouts/post.html Normal file
View File

@ -0,0 +1,27 @@
<!DOCTYPE html>
<html lang="{{ page.lang | default: site.lang | default: en }}">
{%- include head.html -%}
<body>
<div class="container">
{%- include header.html -%}
<article class="post">
<h1>{{ page.title }}</h1>
<div class="entry">
{{ content }}
</div>
<div class="date">
Written on {{ page.date | date: "%B %e, %Y" }}
</div>
</article>
{%- include footer.html -%}
</div>
</body>
</html>

View File

@ -69,7 +69,7 @@
<section class="flex-container"> <section class="flex-container">
<div class="flex-container-inner"> <div class="flex-container-inner">
<div class="text-well"> <div class="text-well">
<h3>StageX</h3> <h3>[Stage<sup>x</sup>]</h3>
<a href="https://codeberg.org/stagex/stagex" target="_blank" rel="noopener noreferrer">https://codeberg.org/stagex/stagex</a> <a href="https://codeberg.org/stagex/stagex" target="_blank" rel="noopener noreferrer">https://codeberg.org/stagex/stagex</a>
<p>Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.</p> <p>Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.</p>
</div> </div>
@ -103,26 +103,6 @@
</ul> </ul>
</div> </div>
</section> </section>
<hr />
<section class="flex-container">
<div class="flex-container-inner">
<div class="text-well">
<h3>git-sig</h3>
<a href="https://git.distrust.co/public/git-sig" target="_blank" rel="noopener noreferrer">https://git.distrust.co/public/gitsig</a>
<p>The simple multisig toolchain for git repos.</p>
</div>
</div>
<div class="flex-container-inner">
<ul>
<li>Attach any number of signatures to any given git ref</li>
<li>Verify git history contains a minimum threshold of unique commit signatures</li>
<li>Verify signatures belong to a defined GPG alias group</li>
<li>Verify code changes made since last time minimum valid signatures were present</li>
</ul>
</div>
</section>
</main> </main>
{%- include footer.html -%} {%- include footer.html -%}

View File

@ -0,0 +1,298 @@
---
layout: post
title: Adventures In Supply Chain Integrity
date: 2024-03-28
cover_image: "/assets/images/whale_shark.jpg"
authors:
- name: Ryan Heywood
bio: Professional bonker / twerker.
twitter: le twitter
- name: Anton Livaja
bio: Professional banana juggler.
twitter: antonlivaja
- name: Lance R. Vick
bio: Dolphin trainer
twitter: no.
---
When a compiler is used to compile some piece of software, how do we verify
that the compiler can be trusted? Is it well known who compiled the compiler
itself? Usually compilers are not built from source, and even when they are,
they are seeded from a binary that itself is opaque and difficult to verify.
How does one check if the supply chain integrity of the compiler itself is
intact, even before we get to building software with it?
Compiler supply chains are obscured and at many points seeded from binaries,
making it nearly impossible to verify their integrity. In 1984, Ken Thompson
wrote "Reflections on Trusting Trust" and illustrated that a compiler can
modify software during the compilation process, compromising the software. Put
simply, this means that reviewing the source code is not enough. We need to be
sure that the compiler itself isn't compromised, as it could be used to modify
the intended behavior of the software.
What about the software that's built using the compiler? Has the source code
been modified during compilation? Has the resulting binary of the software been
tampered with, perhaps in the CI/CD runner which runs an OS with a
vulnerability in one of its sub dependencies? Or perhaps the server host has
been compromised and attackers have gained control of the infrastructure?
These are difficult software supply chain security issues which are often swept
under the rug or completely overlooked due to lack of understanding. To
eliminate this surface area of attack, we need a good answer to these
questions, and more importantly we need tooling and practical methods which can
help close these gaps in the supply chain.
This line of questioning becomes especially concerning in the context of widely
used software, such as images pulled from DockerHub, package managers, and
Linux distributions. Software procured via these channels are used widely and
are pervasive in almost all software and as such pose a severe attack vector.
If the maintainer of a widely used DockerHub image has their machine
compromised, or are coerced or even forced under duress to insert malicious
code into the binaries they are responsible for, there is no effective measure
in place to detect and catch this, resulting in millions of downstream
consumers being impacted. Imagine what would happen if the maintainer of a
default DockerHub image of a widely used language was compromised, and the
binary they released had a backdoor in it. The implications are extremely far
reaching, and would be disastrous.
There are two distinct problems at hand which share a solution:
1. How do we ensure that we can trust the toolchain used to build software
2. How do we ensure that we can trust software built with the toolchain
The answer to both questions is the same. We achieve it via verifiability and
determinism. To be clear, we are not trying to solve the problem of the code
itself being compromised in the source. If the source code is compromised,
determinism does not help prevent that. If the code is reviewed and verified as
being secure, then determinism and multiple reproductions of the software
add a set of excellent guarantees.
Deterministically built software is any software which always compiles to the
same bit-for-bit exact binary. This is useful because it makes it trivial to
check the integrity of the binary. If the binary is always the same, we can use
hashing to ensure that nothing about the binary has changed. Typically minor
differences which are introduced during the build process, such as time stamps,
mean that software is typically non-deterministic. By pinning all aspects of
the environment the software is built in and removing any changing factors such
as time and user or machine IDs, we can force the software to always be
bit-for-bit.
Now, imagine a scenario where a developer is compiling software, and they are
not doing it deterministically. Any time they build the software, they have no
way to easily verify if the binary changed in a meaningful way compared to the
previous one without doing low level inspection. With determinism, it's as
simple as hashing one binary, repeating the compilation, hashing the second
result, and comparing it with the original. This is great, but it's still not
enough to ensure that the binary can be trusted, as there may be malware which
always modifies the binary in the same manner. To mitigate this, we can build
the software on multiple different machines, ideally by different maintainers,
using different operating systems and even different hardware, as it's much
less likely that multiple diverse stacks and individuals are compromised by the
same malware or attacker. Following this process, we can eliminate the risk of
modification during compilation going undetected. To add a layer of trust that
the hashes can be trusted, we can use cryptographic signing, as is customary
for many software releases.
Assessing the current state of affairs regarding software package managers and
Linux distributions, and how far they have gone to mitigate these risks, we
performed an analysis of popular projects:
Alpine is the most popular Linux distribution (distro) in the container
ecosystem and has made great strides in providing a minimal `musl` based
distribution with reasonable security defaults and is suitable for a lot of use
cases, however in the interest of developer productivity and low friction for
contributors, none of it is cryptographically signed.
Debian (and derivatives like Ubuntu) is one of most popular option for servers
and is largely reproducible and also signs all packages. Being `glibc` based
with a focus on compatibility and desktop use cases, it results in a huge
number of dependencies for almost any software run on it, enacts partial code
freezes for long periods of time between releases, and often has very stale
packages as various compatibility goals block updates. This overhead introduces
a lot of surface area of malicious code to hide itself in. Unfortunately, due
to its design, when building software deterministically on this OS, each and
every repo needs to keep costly snapshots of all dependencies to reproduce
build containers, as Debian packages are archived and retired after some time
to servers with low bandwidth. This creates a lot of friction for teams who, as
a result, have to archive often hundreds of .deb files for every project, and
also has the added issue of Debian having very old versions of software such as
Rust, which is a common requirement. This can be quite problematic for teams
who want to access latest language features. Even with all this work, Debian
does not have truly reproducible Rust (which will be discussed later in this
post), and packages are signed only by single maintainers whom we have to fully
trust that they didn't release a compromised binary.
Fedora (and RedHat based distros) also sign all packages, but otherwise suffer
from similar one-size-fits-all bloat problems as Debian with a different coat
of paint. Additionally, their reliance on centralized builds has been used as
justification for them to not pursue reproducibility at all which makes them a
non-starter for security focused use cases.
Arch has very fast updates as a rolling release distro, and package definitions
are signed and often reproducible, but they change from one minute to the next,
still resulting in the challenge of having to come up with a solution to pin
and archive sets of dependencies that work well together for software that's
built using it and requires determinism.
Nix is almost entirely reproducible by design and allows for lean and minimal
output artifacts. It is also a big leap forward in having good separation of
concerns between privileged immutable and unprivileged mutable spaces, however
like Alpine there is no maintainer-level signing in order to reduce the
friction for hobbyist that wants to contribute.
Guix is reproducible by design as well, borrowing a lot from Nix. It also does
maintainer-level signing like Debian. It comes the closest to the solution we
need, but it only provides single signed package contributions, and a `glibc`
base with a large dependency tree, with a significant footprint of tooling to
review and understand to form confidence in it. This is still too much overhead
we simply don't want or need for use cases like container builds of software,
lean embedded operating systems, or any sensitive system where we want the
utmost level of supply chain security assurance.
For those whose goal is to build their own software packages deterministically
with high portability, maintainability, and maximally easy supply chain
auditability, none of these solutions hit the mark.
On reflecting on these issues, we concluded we want the `musl`-based
container-ideal minimalism of Alpine, the obsessive determinism and full-source
supply chain goals of Guix, and a step beyond the single-signature packages of
Debian, Fedora, and Arch. We also concluded that we want a fully verifiable
bootstrapped toolchain, consisting of a compiler and accompanying libraries
required for building most modern software.
You may know where this is going. Here is where we made the totally reasonable
and not-at-all-crazy choice to effectively create…
## Yet *Another* Linux Distribution
Lets take a look at some of the features we care about most compared to make
it more clear why nothing else hit the mark for us.
A comparison of `stagex` to other distros in some of the areas we care about:
| Distro | Containerized | Signatures | Libc | Bootstrapped | Reproducible | Rust Deps |
|--------|---------------|------------|-------|--------------|--------------|-----------|
| Stagex | Native | 2+ Human | Musl | Yes | Yes | 4 |
| Guix | No | 1 Human | Glibc | Yes | Yes | 4 |
| Nix | No | 1 Bot | Glibc | Partial | Mostly | 4 |
| Debian | Adapted | 1 Human | Glibc | No | Partial | 232 |
| Arch | Adapted | 1 Human | Glibc | No | Partial | 262 |
| Fedora | Adapted | 1 Bot | Glibc | No | No | 166 |
| Alpine | Adapted | None | Musl | No | No | 32 |
We are leaving out hundreds of distros here, but at the risk of starting a holy
war, we felt it was useful to compare a few popular options for contrast to the
goals of the minimal container-first, security-first, deterministic distro we
put together.
We are not the first to go down this particular road road. The Talos Linux
project built their own tiny containerized toolchain from gcc to golang as the
base to build their own minimal immutable k8s distro.
Getting all the way to bootstrapping rust, however, is a much bigger chunk of
pain as we learned…
## The Oxidation Problem - Bootstrapping Rust
Getting from gcc all the way to golang was mostly pain-free, thanks to Google
documenting this path well and providing all the tooling to do it. One only
needs 3 versions of golang to get all the way back to GCC.
Bootstrapping Rust is a bit of an ordeal. People love Rust for its memory
safety and strictness, however we have noticed supply chain integrity is not
an area where it excels. This is mostly because Rust changes so much from one
release to the next, that a given version of Rust can only ever be built with
its immediate predecessor.
If one follows the chicken-and-egg problem far enough the realization dawns
that in most distros the chicken comes first. Most included a non-reproducible
“seed” Rust binary presumably compiled by some member of the Rust team, then
use that to build the next version, and then carry on from there. This means
even some of the distros that _say_ their Rust builds are reproducible have a
pretty big asterisk. We wont call anyone out - you know who you are.
Granted, even if you were to build all the way up from the OCaml roots of Rust
(if you can find that code and then get it to build), you would still require a
trusted OCaml compiler. Software supply chains are hard, and we always end up
back at the famous Trusting Trust Problem.
There have been some amazing efforts by the Guix team to bootstrap GCC and the
entire package chain after it with a tiny human-auditable blob of x86 assembly
via the GNU Mes project. That is probably in the cards for our stack as well,
however for the short term we wanted to at least go as low in the stack as GCC
like we do with go as a start which is already a sizable effort. Thankfully,
John Hodge (mutabah), a brilliant (crazy?) member of the open source community,
created “mrustc” which implements a minimal semi-modern rust 1.54 compiler in
C++ largely from transpiled Rust code. It is missing a lot of critical features
that make it unsuitable for direct use, but it _does_ support enough features
to compile official Rust 1.55 sources, which can compile Rust 1.56 and so on.
This is the path Guix and Nix both went down, and we are taking their lead
here.
Mrustc at the time lacked support for musl libc which threw a wrench in things,
but after a fair bit of experimentation we were able to patch in support musl
and get it upstream.
The result is we now have the first deterministic `musl` based rust compiler
bootstrapped from 256 bytes of assembly, and you can reproduce our builds right
now from any OS that can run Docker 26.
## Determinism and Real World Applications
To demonstrate how determinism can be used to prevent real world attacks in
practical terms let's consider a major breach which could have been prevented.
SolarWinds experienced a major security breach in which Russian threat actors
were able to compromise their infrastructure and piggyback on their software to
distribute malware to their entire client base. The attackers achieved this by
injecting malicious code into SolarWinds products, such as the Orion Platform,
which was then downloaded by the end users. This seems like a very difficult
thing to protect from, but there is a surprisingly simple solution. If
SolarWinds leveraged deterministic builds of their software, they would have
been able to detect that the binaries of the software they are delivering to
their clients have been tampered.
To achieve this, there are a few ways they could have gone about this, but
without getting too deep into implementation details, it would have sufficed to
have multiple runners in different isolated environments, or even on different
cloud platforms, which would reproduce the deterministic build and compare the
resulting hashes in order to verify the binaries have not been tampered. If any
of the systems built the software and got a different hash - that would be a
clear signal that further investigations should be made which would have likely
lead to the detection of the intruder. Without this approach, SolarWinds was
completely unaware of their systems being infiltrated for months, and during
this period large quantities of end user data was exfiltrated, along with their
tooling. Considering SolarWinds is a cybersecurity software and services
provider, the tools stolen from them were then likely used to further develop
and weaponize the attacker's capabilities.
## Future Work
These initial efforts were predominately sponsored with financial and
engineering time contributions from Distrust, Mysten Labs, and Turnkey, who all
share threat models and container-driven workflows Stagex is designed to
support.
While we all have a vested interest to help maintain it, we all felt it
important this project stand on its own and belong to the community and are
immensely appreciative to a number of volunteers that have very quickly dived
in and started making significant contributions and improvements.
As of writing this, Stagex has 100+ packages covering some of the core software
you may be using regularly, all built using the deterministically built
toolchain, and of course the software itself also built deterministically. Some
of the packages include `rust`, `go`, `nodejs`, `python3.8`, `curl`, `bash`,
`git`, `tofu` and many more.
We would like to support building with `buildah` and `podman` for build-tooling
diversity. We would also love help from the open source community to see GCC
bootstrapped all the way down to x86_assembly via Mes. This may require using
multiple seed distro containers to work in parallel to ensure we dont have a
single provenance source for that layer.
We are also actively on and have made some progress towards the addition of
core packages required to use this distribution as a minimal Linux OS.
If you have need for high trust in your own build system, please reach out and
we would love to find a way to collaborate.
## References
* [Bootstraping rust](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/)
* [Full source bootstrappin](https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/)
* [Running the "Reflections on Trusting Trust" Compiler](https://research.swtch.com/nih)
* [Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf)

View File

@ -9,7 +9,7 @@
--selection-text: #000; --selection-text: #000;
--background-color: #282828; --background-color: #282828;
--text-color: var(--base-color); --text-color: var(--base-color);
--placeholder-color: rgba(0, 0, 0, 0.5); --placeholder-color: var(--base-color);
--link-color: var(--base-color); --link-color: var(--base-color);
--code-color-1: #aaaaaa; --code-color-1: #aaaaaa;
--code-color-2: #ffffcc; --code-color-2: #ffffcc;

View File

@ -384,9 +384,12 @@ select,
textarea { textarea {
width: 100%; width: 100%;
resize: none; resize: none;
background-color: white; background-color: var(--background-color);
color: black; color: var(--text-color);
caret-color: black; caret-color: var(--text-color);
font-size: $base-font-size;
font-family: $base-font-family;
line-height: $base-line-height;
} }
input, input,
@ -431,50 +434,6 @@ textarea {
vertical-align: top; vertical-align: top;
} }
/**
* Contact Form
*/
.required:after {
content: "*";
color: red;
}
.form-label {
display: block;
margin-bottom: 5px;
}
.form-input,
.form-select,
.form-textarea {
width: 100%;
padding: 8px;
margin-bottom: 10px;
height: 40px;
}
.form-textarea {
height: 100px;
}
.form-checkbox-container {
display: flex;
flex-direction: column;
}
.form-submit-button {
padding: 10px 20px;
background-color: #4CAF50;
color: white;
border: none;
cursor: pointer;
height: 40px;
}
.form-submit-button:hover {
background-color: #45a049;
}
/** /**
* Homepage * Homepage
*/ */
@ -498,8 +457,8 @@ textarea {
} }
section { section {
margin-top: 48px; margin-top: 24px;
margin-bottom: 48px; margin-bottom: 24px;
} }
.extra-spacing { .extra-spacing {
@ -934,7 +893,6 @@ pre {
opacity: 1; opacity: 1;
visibility: visible; visibility: visible;
} }
/** end carousel */ /** end carousel */
/** /**

Binary file not shown.

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
assets/base/rss.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 6.3 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.0 MiB

View File

@ -10,13 +10,15 @@ collapsibleButton.addEventListener("click", function () {
}); });
document.addEventListener('DOMContentLoaded', function () { document.addEventListener('DOMContentLoaded', function () {
fetch('../assets/js/carousel-items.json') if (window.location.pathname === "/index.html") {
fetch('/assets/js/carousel-items.json')
.then(response => response.json()) .then(response => response.json())
.then(data => { .then(data => {
createCarouselItems(data); createCarouselItems(data);
initializeCarousel(); initializeCarousel();
}) })
.catch(error => console.error('Error loading JSON:', error)); .catch(error => console.error('Error loading JSON:', error));
}
}); });
function createCarouselItems(items) { function createCarouselItems(items) {

View File

@ -1,190 +0,0 @@
anton@distrust.co
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGI/PwIBEACfbDXsSIoZzZP8jrk7h2D98bUW2lRYxxpRqjLfvr5M1z3VNHCC
HaHXIPhqTdu6BXWKJJxcdkvp4z5u6aykcAjcRi0MpcTX5tU9RnSvA1HIdDmLukIy
JFEPHxoCeeFBSgmtWYczn3eSmsAQBKCLFsEmVyjpivGlphFAfzcDqtKLhaQVjVU8
YTPty7JIoiYSvCXTHCdYenfQmbpldFuT/60xsc9PJP6wMGdszDc16XIPZUKBfRtf
qPQZPN37SHczuqCrrOr+8+4q1ZcxBRAZxcPpfPk7WG1UDfTZFLvEdNCIaG0+FDkQ
8yvrS/GC9UgO3uRieZ8K4Cd0iMR96nvizqQFHvB/Wn1VwGlptYnlbEcVXttV7v1F
PBtojkEALKXNUxupesnu4YgY09pJAqdhLB89Yk+7SBZWY7C8Ero79f6+ClkHWzM5
WJHOubKf91syeyqjlqdaxlHhVWH3gqpvFy42seXlmwPSRaKNuaHSwXizPmHinnSs
2uFaRdKevJ4MuhjIxXQlMRFzC74X8CIW5IJ4vK+zcslBFCpe1CuwDQoesY2Wblv+
E40YgtUDuDKO1keintjtxD1z5/8SUFLNQhUPx0v08P+p6C3AaVL5s2OtH7KJiDaP
SuT+V66FaKYLBmi0+ogIuStEJ8abtoRoWj9TWEMhrtnPv+5Qocr32cPgSQARAQAB
tB5BbnRvbiBMaXZhamEgPGFudG9uQGxpdmFqYS5tZT6JAlQEEwEKAD4WIQT0v1yB
7Hil3TQcke7cS30fUuC6TQUCYj8/AgIbAQUJA8JnAAULCQgHAgYVCgkICwIEFgID
AQIeAQIXgAAKCRDcS30fUuC6TRDOD/9DTjXjXvQJEBP0O0DCNEYSOxEeecZNslNo
5z9G7skCjzKU4Ytl7X1w/xE+LtpqrluDXzomLcoHPa5KN3kaiSwnzYXe4FWwv2Xd
1TmPyDzJJ8A/DGGOjYndVSpYKO2kKuxT/S2xg4KrfXr/oc8mIR0rqs3a/46GMqHR
sz4D5Gm62XfK/x+WIHbHi+CQsHAzwfBKUzReeqROLicJya/QKOaMDMtQpoMcTHPs
hLj1uKwl6ThGKM8cEzQvFxv1PknCOcqDdIMTrNHIsgY7VWs/bohGCZ7nf3lJ9aMY
17vZ0RrslJz+wCLUSxgEFqcJwsauHqEttTGAy+Uqi8Iunr9WP+unXsvmjNEWCkpr
OSP6wAb9KaLHc0dL22vRuOtAeLGE4vRrm+++uTuehz2tYHGKP3+AjHXeNTg5ejRe
34KPzl/LbxTDRyqx9n/XdLQLVvOxwo8ecm+bDsFqQ7of16C9/v7FJBGtcLVpQzVe
MD7d/6ABL73MtdGpJNC63fwPZnuNrEIrRKuOmpOq4YZsHmqqzgeuQAochd5PLt+N
Nti+FZ94/WiN5EKzjQO2HsmbXXJslY8lvsz5WHA5K68DMdb6ae0fBzRB4Jdg1+7y
F2LXE5k9rPDC0G0lyCEtZJWDhk4QbR5tEw/EQ0dH73843K2c4YoZjmw59DVMe8LO
rlrlm0qr7IkDSQQTAQoBMwIbAQULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAIZAVMU
gAAAAAAQADpwcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly90d2l0dGVyLmNvbS9hbnRv
bmxpdmFqYS9zdGF0dXMvMTc2MDczMzM2OTIzNzk1MDUyNzUUgAAAAAAQABxwcm9v
ZkBhcmlhZG5lLmlkZG5zOmFudG9ubGl2YWphLmNvbT90eXBlPVRYVDcUgAAAAAAQ
AB5wcm9vZkBhcmlhZG5lLmlkaHR0cHM6Ly9tYXN0b2Rvbi5vbmxpbmUvQGFudG9u
LxSAAAAAABAAFnByb29mQGFyaWFkbmUuaWRkbnM6bGl2YWphLm1lP3R5cGU9VFhU
FiEE9L9cgex4pd00HJHu3Et9H1Lguk0FAmYEi+AFCQeHs94ACgkQ3Et9H1Lguk3S
DBAAlvb+co0gPU0qJXOZld3UBY8stUK1VYeayWTHJ9977lnZzJ+gKUalbhsKvj5K
i7w6l2Xe+4VJzjpmc1I0pAR9anoKwscR/bdseXuXQJJ6x7E3Xn3ZZNyfk1M8jVns
KeTQ17quVy9m8qYJ3057sQ/oxXACYAD1D+mjhS5FrFU6XfBcEvaRYT26TEAwYadZ
I/KNFZfnEs0ZGDgiw14lrTCkMZuEyWNm0/2qVIC3FCSNTm51NRMmD3YbM4VgAc+l
nk9f9bRurGA2rUZJ/BNvGvalhD1rwxWg71XeXvnbk7+UqCkdtNfRtmVAvdpJ+EzW
VbRSX2CgJHff+E4yv5cCI1sB6GD9ODDTucPTY+uMuZOXM2k9k6lSt2wDp2FJ6bpo
IRoUl1D4pSNQEsGA1znL+CZLC9IEih+EXxfALzV2sy+laaTkMJCmXJQOke5egDhk
VK5E5Z9jyhK9YtFZFOReoo4eecgpxXMIQV/9aeQe/HCJwkYIWNbkRpTDeW6UGyuv
vwQuRG4qYVJL0hDSwLgUhq24eJyrHwSOhcW7f/iYlaGvUvfbELe2AJVYRH0q2iw7
dQ9PZAK89+vFcTc9wBlZGKgt/2pNeUWt6KuPGaRLJ/+eslrNBK8Qv9f8Ypgbf3vB
tIoZPeymyiqXFrkBPGiwf5dmFnrDX+r2au6zK9qxeG7Qyii0J0FudG9uIExpdmFq
YSAoV29yaykgPGFudG9uQGRpc3RydXN0LmNvPokCVAQTAQoAPgIbAQULCQgHAgYV
CgkICwIEFgIDAQIeAQIXgBYhBPS/XIHseKXdNByR7txLfR9S4LpNBQJmBIvgBQkH
h7PeAAoJENxLfR9S4LpNjdkP/197r74C9CbEunom3ZXF0Br21nclOIUuhfxriNgy
Tt4UQ3JdTaGaxN9cyWfXufjSNIWSgJsOCWWNBxO8THQForvbqsDZebJGeTdEsw1y
4P+RMh4feiZ6iBCyEaYS3XCCPds8YLQbsAP/EeGTjn0PU+wtd/QtG/iwcXh4K8A1
GRt2D0GigGN3SebwenMvMv2KiF7onH+3y7IhtgkkTEbOg0F52Qfk6p2gM0X0yqKA
ppU4XAmX6kTXi3GrUB0tsykv7MWvSc38fflI1T4XycoQzoQ94Uk7veDa7QM7BIJv
G73HpJU+e2AISrJSTcu/T1J9GyqyjAMv9Y2POF+Zu9PyJORdNBarOebSnkeZxftf
O/bvjMJxiffYbJ7AkYuaapf5YBEW+Z1plMGZ1KuatUQrswdxnGndfoMQKAF3nLa+
ECH63bbSX7/mlxeI7sjH4qu+dGr0uPn5ZRzSrXrGVcLuCzZdQCbkqTPKtjVTA6OA
ju6L2RL+KvV+zOdivayMEjSceS611X2gVU64agLHemHa82iba7o3PlGuaE3DhAOb
Klq+ued006fVfyqt+hExs3vLt3rgC/izGtSf7IJ1OvBAwTpCCW6kTAGMdRcts2+U
ba9VGBg80LcFWNjDosZnCKGWSqcLfJBTrWUYIpVlXzFP/eCrXhDrYrHoQG+lHAnl
cOnTuQINBGI/QhgBEADV21O5M7mpgNX65XNW1k/ZvyB4Ic7CbV1/DUQhG2BNxujY
61acndlQTP3qBB9h/lIsJpyi6ybYZyRZGK6wDx9CkEiVYwIqgAjMNl4IwaFZ2JB9
4bOkoxIUGH6bScnyvt9QmqvjEbwwHpBxd2qY1Kl+gb4daygjxSl+4YQ85O1ptvBC
AiyHs4MtnW+9G0hobv/WVPJWdmaFlw8tnqPGN+OVdvqn/OeyrQjaKU3Kr2Fy1iz3
Fvg1eO7sYqdBpUUJNusTNIojEK3FneAOVawDd1afF4eR70DD+oWbUCmHfPVopTr3
8pwDTanf6no2HVlRm4Z0NaultI8l3ebWl5PhTMdRYVsmINJZAJXkd+bWOpAlGvSl
ZicxiMmJKK3MFvnME+958W6s8e8/0Z+xafmWM7vCvQbZwrHkz1vasBxHxkkpGZb6
ViQx0sABLxig9bZFU0qKOT6ns7CQbEsxsrOO9+v2JzRqYtufj/yYZpAwMOeJAKD2
dLqeJTzq4liIzOpgU4bZaX+dP0ki6nM97e9xsXB1Fce2WaPedogI3V1xPiG7YEm8
dv5h9R/r0bd3sEQezDCat8L57czeEx5xAJhNgliWOFABQGqFh2KGYxrOkJ68jJXz
u81qhnti2VcwiuEFruOFfpF9e7EZssYEScIsCKhuTjnVgEzMDsZXkotaX2+bNQAR
AQABiQRyBBgBCgAmFiEE9L9cgex4pd00HJHu3Et9H1Lguk0FAmI/QhgCGwIFCQPC
ZwACQAkQ3Et9H1Lguk3BdCAEGQEKAB0WIQThBngeAHq5HJidszJEqGz/H98OhQUC
Yj9CGAAKCRBEqGz/H98OhTwrEACugSSyiATKtS7UW9ETMfL1yCOlB+oa64ALQkOH
O/+1zUBvs+Z6wlIMEiU4nWOV81yzaEcRPzJ8Nr2da8KxVhgHFDg5EZ3i8u1mLkhf
asdFlt+7c71Ezc7j0HOD2U0T6Gx5IZfvtUp2CtVrS6KEZa+omVEqXzq0mDC3mQED
WZKqOowsQeWwJazXw2MmeRtoo1xshgKdaHQwiunVDNGcBhwGU6/2ionVbzevROO1
eYFS+83ubiYIy41hooaynibO8G9j30fMyaMYM8jK7kVc+yyN3xoIV96BE7BlSRbk
ecQyWk2R3jrQov0ic5vA83qr8Ea7hZXsIy4sWG+J7KrK4kQ+kEh0rCxIvI5vq6rz
zKHIsGkTpQQrdGiV3pcXuJji6nYM94MES95eZEedvkeKEqW6YB8ZPxrGIAvt9JaV
0BX9AD1xCGYFdUe2psyPiHgnB5m6oicA65HnDppYAeUQmbxnrOXTg8Ucc73s2/Im
4G16aQ6DlPKJJd0DzoiLrhuafJTxDiDVZY3l2jWdvz/acBIUJZl3lPJeBUKe3rE/
6EjSz2cCAkN8vJbEx+sKX7F/lYL5kVUW2b6nmnYGj/P+aoy+pBgX2RY/sp4DHT2i
GmMkH+j1Wrlxm2bICGyPZoj8FOJsh7r4PR2ILwnE/Q4DgLAEZhBTorihqMDmExwX
x45IdgAPD/9oYRu5WLC6/FtFiXk3jpaqLngoTp01J8uLpSJE6CBN7q+57j+ElvVs
vOzWmmvVQX4ocGt//1mMdaqlxlrfb7Kk7lSVT2x5UXo+EBAzm7F/uvvLvUR4fnnd
Uuo0fm50p033z1th0vjal0ehKUwsTsUdH/phSqlTZ0PMdY2iteF+A5kiFgGXpZf3
PzG/24uKU4Fzg4Fw3XWc5CQ3ZqQwPIuvrlu/LAPXibHMbFGoz5YheHNP4UIp4bCo
2+yTp5giirxbCO89OvZ2pdqVefXI7JZKc1FP5e+Bz85JMVnlOcwVzHPQu2piog5l
rg58NYfApepGeFJDuA2n9EdGVzZJoS2RR08KRguEZWQ1o/VJzMswmzvOS6C5LQG8
VMAaeu98KkFlNmg1yhEqiXGqhKN7XiTY9MmD9J2SQqaOFywMeE+CTfjKFvGfpvx1
S0dW7Yp5MePJQLlsBRphjdIBQFOc546+GVf4+f4UOlwN2M3LWRKqGC3Jfyf8/ELn
F2gd9C8N4v6yQBkvTRCD1M8orIFKbMQaBDSXZo7wm/ftMfxDCvrjMvlF0vSfGpO2
0GVkEtysOpu34am9nmxUX1LTQAdpM6091FxZgN05Uy/QNwhkIQo6yCwMoijuVJ/c
fQBRGENoxOywgIYAy5tn/tbx5o81FvhxFee3coCFffyt0DzpIfai7IkEcgQYAQoA
JgIbAhYhBPS/XIHseKXdNByR7txLfR9S4LpNBQJmBIv9BQkHh7DlAkDBdCAEGQEK
AB0WIQThBngeAHq5HJidszJEqGz/H98OhQUCYj9CGAAKCRBEqGz/H98OhTwrEACu
gSSyiATKtS7UW9ETMfL1yCOlB+oa64ALQkOHO/+1zUBvs+Z6wlIMEiU4nWOV81yz
aEcRPzJ8Nr2da8KxVhgHFDg5EZ3i8u1mLkhfasdFlt+7c71Ezc7j0HOD2U0T6Gx5
IZfvtUp2CtVrS6KEZa+omVEqXzq0mDC3mQEDWZKqOowsQeWwJazXw2MmeRtoo1xs
hgKdaHQwiunVDNGcBhwGU6/2ionVbzevROO1eYFS+83ubiYIy41hooaynibO8G9j
30fMyaMYM8jK7kVc+yyN3xoIV96BE7BlSRbkecQyWk2R3jrQov0ic5vA83qr8Ea7
hZXsIy4sWG+J7KrK4kQ+kEh0rCxIvI5vq6rzzKHIsGkTpQQrdGiV3pcXuJji6nYM
94MES95eZEedvkeKEqW6YB8ZPxrGIAvt9JaV0BX9AD1xCGYFdUe2psyPiHgnB5m6
oicA65HnDppYAeUQmbxnrOXTg8Ucc73s2/Im4G16aQ6DlPKJJd0DzoiLrhuafJTx
DiDVZY3l2jWdvz/acBIUJZl3lPJeBUKe3rE/6EjSz2cCAkN8vJbEx+sKX7F/lYL5
kVUW2b6nmnYGj/P+aoy+pBgX2RY/sp4DHT2iGmMkH+j1Wrlxm2bICGyPZoj8FOJs
h7r4PR2ILwnE/Q4DgLAEZhBTorihqMDmExwXx45IdgkQ3Et9H1Lguk2yfg/9EKog
RzBm3UnPnCYzDAwY2nMT/GCuDfVqvDKeidl9QtdBJS8Imx7726z8+oWWr8tn+Jgx
EYR3Jy8W8MWSMQl4ouAoIWgB68RUsXGghWNZo8+YOqHBZmrnNdfb3zspID0lM8Kl
WLSzKUCuBCs+Zge3qN8YfJ5MUSok8WLGKsV4lPW8F50/dz9KYJKGeN0mjr2n0t8G
6dmdKgsuHOoQu13V/0S+Jv+JuDnFAOvimpqcJVXw7zEhSoexjYGj4dSBY/qXAbjN
lZZsp0fC3wh9gs+vMde4Hy7t7MDtd0p9xvqNqX17YWrEmRFCnmVz8mCvKcO3YDkK
vtttwH3zLsOdJRoS+PE+AY2oVoItzOjIgaYfSKlzU2r0jf45z6VaYbQowOYA1Kye
bi+0kMuGufhG22OroHQMNUdHu6buU4f5QWCjWFnbvVqkELTlxaxhd3JBuZQGBED/
FhRWRBdpZlUKe2hhzJGLnosPDE1M2ZGzdJUDfEITfXmH97imthc6b+FYiIaIczj5
zm12XEKe/LN94ZLr+tVov6tqcsSujZkuCS2NwT66KfBZy7EeqCjXqBb/QFE/HU4S
76D47BcnQs/1L9GV+hJ8WrmAaWdh31DL+ykdVo4E691/BXrP6SPNkGHPF0yqypeS
6QL+1LF8SfJ7g5iGzVCXxHB6c9UgFB4idvVgdhW5Ag0EYj9CgAEQAKLQcs6O7g7o
VRocDoBi0ijc7fY4KhzwPIegzQPT5k4qrzECBkOVZM6j4U20hj8LBwiFL+z85iWS
rNpZiNeTaE2XAuudHQWxYGrrknw1+SSGkTljR8Kro+Fk48hUdFkQC8AcxtY+QF9T
wTLDtcGXsRDwo/Vl76Zs6LC8fRnsFxHKtGB25tHNJf7EVuwLRuQptNkBfYfCFKIl
fLlZZCpMbvB9hUvOCnRuq2iKzg/CQnzgGZTg/cevQEdlS7oRuBKOyKXFsD004rZT
pxF0HYF5qhCALhtNyNWENS1AuZlu/mDxkeX+ozIATxd39cA5ATWv1M204xtB6xii
e/Y7cdWCwH3dyS46eu0u87fKJ3Q3VpXw4lTOc+7KRuMlRaT0l9c7Vm8EJCdFqfAd
x0zf3ANXeJt8tXQ0sH6B9ezVoiEv+rW1sFS6SQLwxmRjT+UP6QGaE+84BxYHs0NR
zS+oRYOrbBUtMH6UHAB5JArA3Udp7HUJQDoedTS5D6sOEdYI5G3/Wk7tbwBhL2wt
FF0kzJ1bzGqPFQNefYmahFzmqwhDnv0MPQARzun9ZdfvGBccsQHhAThjA+jmvCeu
2/XF/CXJNUklpxxRrtg9+VtMYEqVYaiT3Pl17a61XuBNdWaN6dv2r4EIvWNz4dLD
/hKwpdeKRe8i3JsDCK+aII+XOSeSIwhzABEBAAGJAjwEGAEKACYWIQT0v1yB7Hil
3TQcke7cS30fUuC6TQUCYj9CgAIbDAUJA8JnAAAKCRDcS30fUuC6TUxKEACW6cm+
T+DRnWtP4W7pNpwSZ2IcbX1rSsTwTJ+NFXIOg16u0VtuRyZZsLEtNI2HeMD9X/lz
dgXT2MQpdKdogRi8Goonsn4ed8PU66bKg4iZr4S8zLKnAKioyQLNKCDl2e3FnYmM
7EDKUzXiF/2TPLB+/vbcQccWzlHe9A2G0YuerBhGaabbQeTw3rtLQ/r1mcaljsTx
76iatVcY4BJu3h4DPfzgtbyxcZUYCYPityhi9LysuQaiNtBDxs1fW8MTPNVV5lFA
cEo6ox6JDFH7DWDSe+7QcS8aoyQ3L4hqTnDVlQKmgCnnSSlm+iaifZtm14TntRP/
2KPTzhStWlLwE7Un4UNbsayYCJseSM9olPppTsZfCNnO9CNvP+3nITlFWPUHEd0v
0meEIkHOEDRsKoF8R/+B1KK0lLGtXRHE7KqZACNWgxw/1g+Qesq0FbuVQ1JbjdpA
tsCtUeVS/mp4IAljeV8ic+bB8XGQ1lUuKX+RsctXO5vmkh0wEVLAs7y4qTOXFe1q
QzYjh1AO1T15oyKhVgDTR9MeI3vJF1XFi5GrBSJvoGAfKdkOyvMt0/BagtEMIDm2
SgPRJzHp7ziBDuejklrWenPw2Gde7QjZbyvTFyC4gSJLcZaI7nvwoTiO8EevcAel
0N1MSsacKnn6ZxRZOsgcjFfgw/jh7mS9qaPdTokCPAQYAQoAJgIbDBYhBPS/XIHs
eKXdNByR7txLfR9S4LpNBQJmBIv+BQkHh7B9AAoJENxLfR9S4LpNS+4QAJrg+KoY
Yrug4rcpyrFwumZbnD92EpndQlPnbPpjsrahkheF55CJNzBgPhj8PF4xO5qXxjhe
qdwLl1Z+ceoN1lRWlxvHwebYgjabOH57V2RHSaWU9TsWw7HDhxUS1S1THQyNmRSD
e9MAS03MYiQS+J5jtQ831yTaA2Z3ru0S8kSWClS6KaiZzwNOWI7kkiP4IXX+vpe/
LfORcac9vvOkU/FNs3wbTzrM0iSsWd3bBQ3CiYHn8hIXgKypTslklqzJ0HEFukI0
YxjZpGTRbQpjez7ONDP79DmjEFkqDPqvJPAprVlLeOI6mfOH5v0sZAsBhlNhsU9z
My+jbno+aXDrH3ZjzfgO4vHWTuPr/gTcb966keiBZUwzW9o2dW4u5eHQFvLwEbFX
OhoQJk2Fzg9p4cNAEV6v7rSbPPqYcLLxykvh9od1st+Ph5cCs64N8rH1xgLxSXD+
o9NjWIPhBq7HHO2UoJjQOz0A7oRsruP3F2Cih5ynO6prYs7w2/5lsc4G8Hwdcp70
8Yh3OCR4RmDLMPAQMEHH/MN09dJimKs0qthoyWUWii6uOkc835kFR14uMeY33sCS
oIBZ7SOSpX3B7Wg7T3uuKGpSLUY7CakkFliS3RN9HHgoormeDyYx+mJOhRfsamNR
TqIZTulLFdusm8O3fbr6pzO+KjIIfkxWmSOIuQINBGI/QqwBEADVM+ZEQiaigHLI
jJQmbZLDZjFM6z6xBNhDdCFP0pwduxMBUo33w5+45fc0FdyFeu6IkEX1OlSYFIsB
YZBqmGyw45FifFFNFI69eH3QYAwS3qJndoTpJzbyRQhbpk8HzcjhXOHmHR2rZY0M
sSIIvLd82LyGgEhyxhgv1jcLo/vHs7r81OZqHQH2yWEf52mUUeylsWLQRlxqlpJ5
qwQd3I8uCKNYwm9RZotVrE4wcNHkXZ2LB5kfEikEwoYcheA41vMcKQm5Wg6tGVyV
SR+pEdIGK7l6FM6doyAb5901gLJFLHJR91IQwYGwRHwkdAocNzb0G7ckjrMHDgGE
AVYSbibrwQbkn7ZERjy5xJJqzhdatO/+xSJWMJZUXPdXLQ4TdLt9crHTMOxqDZJb
AwliVy/4cbRrjsMax41P1y2CqeK1dXn/JNbIT2hXW7S2U+4U2Xay6eo1dlRe7Tg5
+4WUodxjjvb3lk5TEY+CywBNfZ0UqVlRwpUmwtK69i0A8M2ZLnhIWqnjanXAEQfU
BO4k/ZZh+DbX9FWMZhaaQC5k44jI37ak/GX1CFZjqZvobsfJSONmaWjRsSJXZesB
hh+NX9nAyH/rUpiXH0plgu5/6fM4eqLNKFeeyZWz2n3+xdcvy/1TN/KEGtdzOGKj
VZtfcqE1T+mMn0PUlRrxifrACXa6HwARAQABiQI8BBgBCgAmFiEE9L9cgex4pd00
HJHu3Et9H1Lguk0FAmI/QqwCGyAFCQPCZwAACgkQ3Et9H1Lguk3mMBAAk/vaSdm3
LrZtx5qXr1+atQsNm0+s1KXdCFfcFzMh47dgaSUb7F/UraWxXgVTKYjhXAlgnO8O
6yXqD0YP95bYJWB8VK8QxLpdsurItLfu1mJS42ZbaBIQ7pL1V0MXWJu0fv3KPGYT
5SVrelEb86YjdNoT1lrq//T8qBBkXZx67ELvmVd2RU6DUX0YSN7yboQ+yM4cn/Y2
5R+uOkn03YaBWMlKihZY8A84yD1eh5ok5RDd3F74veWDZBSDpCrzfOp/vNMRlRZR
i7DxTXIAgw0JT8PvYqOrP4nEi3jY4fzX65RIzE7/2GVwoJBY054r34hQuS3PA2/e
xe5wDHOaZz7FmlS7S0TVIHB9rt7d8twcGCSK/40PCgN7gLp259hHKMJLISe5jEI9
5Mk1YFqxQPGFUD4m5fTfRzgjtr6p9pXu8dRsbFeO31oldO+2SgbDHhGXyMnNJZgZ
iAp1VXr7VLcmC1ZiOYgYSzSSGaduevoKZ4S+CcTfwx1IpgH2Pe0DTxX5Jhu5uyfk
0ARXWYLMUBKHYF5ri44PTgCuDBYoUs9W1LpdP3sUvVgBEcuon50yppPuE9H/xb6o
MAt6BWGt8BICA76V3hUAQiC1J9HzTCYocvHv46Zee3o7bTMhBlpYEXNEMb3D5k2m
9i6XdwqrFoonLx0o+OKU74EpXmY+pBcVW0WJAjwEGAEKACYCGyAWIQT0v1yB7Hil
3TQcke7cS30fUuC6TQUCZgSL/gUJB4ewUQAKCRDcS30fUuC6TRSnD/9XtR1l/VSQ
BsJqqIF1+2JjOTUGJseb3CrH9JtAfMyHk0bQIIkmsE/cEbD+JBE1GS6IgyoNo054
U/TSIg24UIWtDDBAW6ujh5E/lcK9xSN/uCRdmRUoDPen2z6FEh0M0SjO2LsWpnrU
5UAPy06zBNbTXT7a21lhPK0ZT+VFZOtUij0CXARkIzCBOITsjhs6LwMcJ4t2Od+D
OqSmu7mTD8g1tsmGArFV79GDDc2L86Tq2vsXkZZ1OeHPOBfiZH5xlmYhjcDX2Z8c
rpA3n819IWQX1WA8zMi7lRRtbT3ELXNStYL4lO1d0Qd2ZZKFgVTbh6+Vx7kOc7Tg
hu9O4QVmlWeruDMYJpOayTZ1PNAOgCu2nfMA2UVhDXRcgAFYxmAF4droIsIpt1Fl
tuGMJbly1SS/LVAY6wAQQeg4mzJbDP4I6ySMM5MBC9yytzastQwptWarznFuK6/h
5jIMmp/fU3zeae7wXcAqpj3fN04LZwA32I2diMegg9BZFc94uSldQLgp+haceo2K
51t44jjYXEQQM1vAplRH6evoRYB/dCa7fbUVNBrLGLcLVxbT4zll1soN0ZEedNwn
Yf2Kt+zYlCosB0/O+u8Ym+4Otjv/3+tK6LZDMjJO5LaKO8oAqKIhyddVZB7W/Avw
fbv5KWxmjZSWuLgbNQWxS4RKyNwed3VV4w==
=azKT
-----END PGP PUBLIC KEY BLOCK-----

18
blog.md Normal file
View File

@ -0,0 +1,18 @@
---
layout: page
title: Blog
permalink: /blog.html
---
<div class="posts">
{% for post in site.posts %}
<article class="post">
<h1><a href="{{ post.url }}" title="{{ post.title }}">{{ post.title }}</a></h1>
<div class="entry">
{{ post.excerpt }}
</div>
<h4>Written on {{ post.date | date: "%B %e, %Y" }}</h4>
<a href="{{ post.url }}" class="read-more">Read More</a>
</article>
{% endfor %}
</div>

View File

@ -1,6 +1,19 @@
--- ---
title: Contact title: Contact
layout: contact layout: home
permalink: /contact.html permalink: /contact.html
--- ---
Send an email to `sales@distrust.co` to schedule a free introductory consultation.
## Emails
- [sales@distrust.co](mailto:sales@distrust.co)
- [team@distrust.co](mailto:team@distrust.co)
## Team
- Lance Vick \<[lance@distrust.co](mailto:lance@distrust.co)\> [6B61 ECD7 6088 748C 7059 0D55 E90A 4013 36C8 AAA9](https://keys.openpgp.org/vks/v1/by-fingerprint/6B61ECD76088748C70590D55E90A401336C8AAA9)
- Ryan Heywood \<[ryan@distrust.co](mailto:ryan@distrust.co)\> [8882 3A75 ECAA 786B 0FF3 8B14 8E40 1478 A3FB EF72](https://keys.openpgp.org/vks/v1/by-fingerprint/88823A75ECAA786B0FF38B148E401478A3FBEF72)
- Anton Livaja \<[anton@distrust.co](mailto:anton@distrust.co)\> [F4BF 5C81 EC78 A5DD 341C 91EE DC4B 7D1F 52E0 BA4D](https://keys.openpgp.org/vks/v1/by-fingerprint/F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D)
- Shane Engelman \<[shane@distrust.co](mailto:shane@distrust.co)\> [3D7C 8D39 E8C4 DF77 1583 D3F0 A8A0 91FD 3460 01CA](https://keys.openpgp.org/vks/v1/by-fingerprint/3D7C8D39E8C4DF771583D3F0A8A091FD346001CA)