
Not hard. Impossible. Have you seen obfuscated C? Is it possible for enough people to read it and understand it that it would make a difference? What about if you can read it but I can't? Do I trust you? How many people have to verify it before a non-expert can trust it? Theoretically, none. Everyone could be in on the conspiracy except me.

And how do I verify that the code I've just read is what shipped on my computer? If I install it myself, how do I verify the CD or ISO I have is what I read? If I compiled it myself, how do I verify the compiler didn't change anything? What about the system that compiled the code, do I trust that? How far back do I have to go before I have trusted everything?

And then what about hardware? Is there a chip that changes some of the code that's running? Can I verify every piece of hardware in my system, a 16-core CPU with 64GB of RAM and a high-end video card? How do I even do that? And what are the odds I am a world-class C coder and a world-class hardware expert?

And then what about client code? Am I a world-class JavaScript expert too, with full source access to the Django backend? And the system that is running that server code, do I have access to that hardware to make sure it's not going to compromise my security?

No. Fully trusting a computer is impossible. It doesn't mean we shouldn't try, we should at least make it as hard as possible for the bad guys to trick us. But what's better, IMO, is to create an environment where it's detrimental to companies to trick their users like that. Apple seems to have gotten a lot of great press for standing up in this situation. There's a market for it.

Can you trust Apple tech? Maybe not. But can you trust it more than Google or Microsoft or Samsung or Facebook or Amazon etc etc? It does seem that way. Without being a world-class expert in everything, eventually you have to trust someone.



Sure, you can't be 100% sure of anything. In the same vein, you can't even be sure that the world is real. The fact you can't have 100% assurances doesn't mean anything. What matters is how strong you make your assurances. A company having an existing system allowing for the installation of backdoored firmware is an example of something that shouldn't be possible. It should be possible to reasonably assure that someone cannot flash something onto a person's phone without either wiping the data or having the update signed by the user.


> No. Fully trusting a computer is impossible. It doesn't mean we shouldn't try, we should at least make it as hard as possible for the bad guys to trick us.

I completely agree. I liken it to something like world peace: It's an ideal, and we'll probably never get there. Doesn't mean we shouldn't try to get there though.


We still need to have a realistic idea of what's possible though and not make claims that are stronger than what's likely.



