Description
Bitcoin is probably the most valuable code running anywhere, but a lot of it is maintained like any other open source project: small teams, limited time, CI nobody has looked at hard. We tell users to verify instead of trust. We're worse at doing that for the code itself.
The attacks that worked recently were proofs of concept. The maintainer-takeover that backdoored XZ was a manual, multi-year con; the next ones will be cheaper and faster. AI lets an attacker manufacture a plausible contributor history, open convincing pull requests at scale, and seed package registries with hallucinated-then-squatted dependency names. CI keeps getting more interconnected, which means more tokens to leak and more actions to poison downstream. This talk is about getting ahead of that curve rather than cleaning up after it.
Topics that I'll cover (not exhaustively) and how to secure/harden against them:
- Supply chain attacks
- CI/Actions vulnerabilities
- Social engineering
- Binary blobs & the unauditable
About the Speaker
Jose Storopoli: PhD in Computational Statistics. Engineer Lead at Alpen Labs.
Rust Bitcoin ecosystem maintainer and contributor.
Social Links
Github: https://GitHub.com/storopoli
Twitter: https://x.com/storopoli
Website: https://storopoli.com
Talk Details
Length of Talk
15 to 30 minutes
Preferred Day/Time Slot
Any day/time will work.
Description
Bitcoin is probably the most valuable code running anywhere, but a lot of it is maintained like any other open source project: small teams, limited time, CI nobody has looked at hard. We tell users to verify instead of trust. We're worse at doing that for the code itself.
The attacks that worked recently were proofs of concept. The maintainer-takeover that backdoored XZ was a manual, multi-year con; the next ones will be cheaper and faster. AI lets an attacker manufacture a plausible contributor history, open convincing pull requests at scale, and seed package registries with hallucinated-then-squatted dependency names. CI keeps getting more interconnected, which means more tokens to leak and more actions to poison downstream. This talk is about getting ahead of that curve rather than cleaning up after it.
Topics that I'll cover (not exhaustively) and how to secure/harden against them:
About the Speaker
Jose Storopoli: PhD in Computational Statistics. Engineer Lead at Alpen Labs.
Rust Bitcoin ecosystem maintainer and contributor.
Social Links
Github: https://GitHub.com/storopoli
Twitter: https://x.com/storopoli
Website: https://storopoli.com
Talk Details
Length of Talk
15 to 30 minutes
Preferred Day/Time Slot
Any day/time will work.