New Crowdin translations by GitHub Action

i18n/eo/basics/common-threats.md

@@ -9,13 +9,14 @@ description: Via modelo de minaco estas propra, sed ĉi tiuj estas iuj el la afe
 - <span class="pg-purple">:material-incognito: Anonimeco</span> - Protekti vian enretan agadon kontraŭ via reala idento, protektante vin kontraŭ homoj kiuj celas trovi *vian* identon, specife.
 - <span class="pg-red">:material-target-account: Laŭcelaj Atakoj</span> - Esti protektita kontraŭ retentruduloj aŭ aliaj malbonintencaj agantoj kiuj celas eniri al *viaj* datumoj aŭ aparatoj, specife.
 - <span class="pg-orange">:material-bug-outline: Malaktivaj Atakoj</span> - Esti protektita kontraŭ aferoj kiel malicaj programoj, datumaj breĉoj, kaj aliaj atakoj kiuj okazas kontraŭ multaj homoj samtempe.
+- <span class="pg-viridian">:material-package-variant-closed-remove: Supply Chain Attacks</span> - A vulnerability or exploit introduced into otherwise good software either directly or through a dependency from a third party.
 - <span class="pg-teal">:material-server-network: Provizantoj de Servoj</span> - Protekti vian datumon kontraŭ provizantoj de servoj (ekz. per E2EE, kiu faras vian datumon nelegebla por la servilo).
 - <span class="pg-blue">:material-eye-outline: Amasgvatado</span> - Protekto kontraŭ registaraj agentejoj, organizoj, retejoj, kaj servicoj kiuj kunlaboras por supri vian agadon.
 - <span class="pg-brown">:material-account-cash: Gvatkapitalismo</span> - Protekti vin kontraŭ grandaj reklam-servoj, kiaj Google kaj Facebook, kaj kontraŭ tuta gamo da triaj datum-kolektantoj.
 - <span class="pg-green">:material-account-search: Publika Ekspozicio</span> - Limigi la informon pri vi, kiuj estas alireblaj interrete per serĉiloj aŭ de la popolo.
 - <span class="pg-blue-gray">:material-close-outline: Cenzuro</span> - Eviti cenzuritan aliron al informo aŭ esti cenzurita kiam vi esprimas vin interrete.
 
-Kelkaj el tiuj minacoj eble estas plej gravaj por vi ol aliaj, depende de viaj specifaj zorgoj. Ekzemple, programisto kun aliro al valora aŭ kritika datumo eble ĉefe zorgas pri <span class="pg-red">:material-target-account: Laŭcelaj Atakoj</span>, sed ĝi verŝajne ankaŭ volas protekti siajn personajn datumojn kontraŭ la kolektado de <span class="pg-blue">:material-eye-outline: Amasgvatado</span>. Simile, multaj homoj eble ĉefe zorgas pri la <span class="pg-green">:material-account-search: Publika Ekspozicio</span> de siaj personaj datumoj, sed oni ankaŭ zorgus pri aferoj de sekureco, kiel <span class="pg-orange">:material-bug-outline: Malaktivaj Atakoj</span>—kiel malicaj programoj infektantaj de siaj aparatoj.
+Kelkaj el tiuj minacoj eble estas plej gravaj por vi ol aliaj, depende de viaj specifaj zorgoj. For example, a software developer with access to valuable or critical data may be primarily concerned with <span class="pg-viridian">:material-package-variant-closed-remove: Supply Chain Attacks</span> and <span class="pg-red">:material-target-account: Targeted Attacks</span>. They will likely still want to protect their personal data from being swept up in <span class="pg-blue">:material-eye-outline: Mass Surveillance</span> programs. Simile, multaj homoj eble ĉefe zorgas pri la <span class="pg-green">:material-account-search: Publika Ekspozicio</span> de siaj personaj datumoj, sed oni ankaŭ zorgus pri aferoj de sekureco, kiel <span class="pg-orange">:material-bug-outline: Malaktivaj Atakoj</span>—kiel malicaj programoj infektantaj de siaj aparatoj.
 
 ## Anonimeco kontraŭ Privateco
 
@@ -57,6 +58,31 @@ By design, **web browsers**, **email clients**, and **office applications** typi
 
 If you are concerned about **physical attacks** you should use an operating system with a secure verified boot implementation, such as Android, iOS, macOS, or [Windows (with TPM)](https://learn.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). You should also make sure that your drive is encrypted, and that the operating system uses a TPM or Secure [Enclave](https://support.apple.com/guide/security/secure-enclave-sec59b0b31ff/1/web/1) or [Element](https://developers.google.com/android/security/android-ready-se) to rate limit attempts to enter the encryption passphrase. You should avoid sharing your computer with people you don't trust, because most desktop operating systems don't encrypt data separately per-user.
 
+<span class="pg-viridian">:material-package-variant-closed-remove: Supply Chain Attacks</span>
+
+Supply chain attacks are frequently a form of <span class="pg-red">:material-target-account: Targeted Attack</span> towards businesses, governments, and activists, although they can end up compromising the public at large as well.
+
+<div class="admonition example" markdown>
+<p class="admonition-title">Example</p>
+
+A notable example of this occurred in 2017 when M.E.Doc, a popular accounting software in Ukraine, was infected with the *NotPetya* virus, subsequently infecting people who downloaded that software with ransomware. NotPetya itself was a ransomware attack which impacted 2000+ companies in various countries, and was based on the *EternalBlue* exploit developed by the NSA to attack Windows computers over the network.
+
+</div>
+
+There are few ways in which this type of attack might be carried out:
+
+1. A contributor or employee might work their way into a position of power within a project or organization, then abuse that position by adding malicious code.
+2. A developer may be coerced by an outside party to add malicious code.
+3. An individual or group might identify a third party software dependency (also known as a library) and work to infiltrate it with the above two methods, knowing that it will be used by "downstream" software developers.
+
+These sorts of attacks can require a lot of time and preparation to perform and are risky because they can be detected, particularly in open source projects if they are popular and have outside interest. Unfortunately they're also one of the most dangerous as they are very hard to mitigate entirely. We would encourage readers only use software which has a good reputation and makes an effort to reduce risk by:
+
+1. Only adopting popular software that has been around for a while. The more interest in a project the greater likelihood that external parties will notice malicious changes. A malicious actor will also need to spend more time gaining community trust with meaningful contributions.
+2. Finding software which releases binaries with widely-used, trusted build infrastructure platforms, as opposed to developer workstations or self-hosted servers. Some systems like GitHub Actions let you inspect the build script that runs publicly for extra confidence. This lessens the likelihood that malware on a developer's machine could infect their packages, and gives confidence that the binaries produced are in fact produced correctly.
+3. Looking for code signing on individual source code commits and releases, which creates an auditable trail of who did what. For example: Was the malicious code in the software repository? Which developer added it? Was it added during the build process?
+4. Checking whether the source code has meaningful commit messages (such as [conventional commits](https://conventionalcommits.org)) which explain what the change is supposed to accomplish. Clear messages can make it easier for outsiders to the project to verify, audit, and find bugs.
+5. Noting the number of contributors or maintainers a program has. A lone developer may be more susceptible to being coerced into adding malicious code by an external party, or to negligently enable undesirable behavior. This may very well mean software developed by "Big Tech" has more scrutiny than a lone developer who doesn't answer to anyone.
+
 ## Privateco Kontraŭ Servaj Provizantoj
 
 <span class="pg-teal">:material-server-network: Provizantoj de Servoj</span>