#transparencylog — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #transparencylog, aggregated by home.social.
There's been an update to the #Google #Pixel Binary #TransparencyLog: https://security.googleblog.com/2023/08/pixel-binary-transparency-verifiable.html with technical details at https://developers.google.com/android/binary_transparency/overview and https://developers.google.com/android/binary_transparency/pixel
This binary transparency log has been collecting all publicly released factory images for Pixel 6 and newer devices. If an image is included in the log, it is publicly known to exist. If it is not included, then it might be a targeted attack. So even when signing keys leak or are used through potential insider attacks, an attacker is left with only two choices: make public that a (potentially malicious) image was signed with the misused key and expose it to analysis, or not push it to the log and therefore make it detectable as not officially published.
I have been running a #TransparencyLog #Witness for multiple logs, including the Pixel log, for a while at our Institute of Networks and Security at #JKU (Johannes Kepler University) Linz, feeding into 2 different redistributors for these co-signatures: https://github.com/mhutchinson/mhutchinson-distributor/tree/main/distributor/logs and https://github.com/WolseyBankWitness/rediffusion/tree/main/logs. Running a witness is low effort, takes minimal resources, and strengthens the security of transparency logs. If you can, please start more long-lived (that's the most important property) witnesses in other geo-political regions for even better decentralization of trust 😉