Yeah, I always verify the hashes of updated binaries match what I compile myself in parallel. Also that takes too much time so I just never update anything and have a homebrew version of 'Damn Vulnerable Linux'.
Long-term, there may eventually come a solution to this problem in the form of [binary transparency](https://wiki.mozilla.org/Security/Binary_Transparency). However, we're obviously a long way away from that being the norm, and there's still the problem of supply-chain attacks on hardware to consider.
I doubt the hardware supply chain can ever be secured. Even if you were to open-source every single part of manufacturing, there is no reliable way to ensure that the chip you, as a customer, have obtained, hasn't been backdoored. You'd have to delid it and put it under an X-Ray if that even resolves the tiny featuresin modern CPUs.
With an open hardware design, periodically de-liding and examining a random sample of available consumer hardware would probably sufficient to protect the general consumer population, and targeted attacks become very difficult if you purchase your hardware from a store rather than order it by mail.
Even so I agree that examining all hardware in that manner is impractical. A better approach might be having a small, simpler core of secure open-source hardware managing your root of trust, and trying our best to mitigate the impact of compromises in the more complicated components (like the motherboard, CPU, etc) with approaches such as requiring open source firmware, sandboxing individual components by filtering their external communications through open hardware, and limiting their access to sensitive data like encryption keys. Obviously there's only so far you can go with that, but I don't think it's an entirely hopeless battle either.
>With an open hardware design, periodically de-liding and examining a random sample of available consumer hardware would probably sufficient to protect the general consumer population, and targeted attacks become very difficult if you purchase your hardware from a store rather than order it by mail.
How do you trust the person that verifies the CPU? Can you trust the X-Ray imaging machine? Is the X-Ray Machine verified to be open source and not backdoored to hide backdoors (aka bootstrapping trust).
You'd have multiple trusted independent parties from multiple international jurisdictions reviewing the hardware design, not just one. And yes, obviously the X-Ray machines would need to be verified using similar techniques.
The same way you trust anybody? If you're so paranoid that you believe literally everyone is out to get you, then you're not going to be able to function in any society, let alone one as interconnected and interdependent as our own.
How do you trust your hash program? How do you trust the cryptographers who came up with the hash algorithm? How do you trust your compiler is faithfully interpreting the source code you're reading?
IMO if you're at the point where you believe you can't trust multiple decentralized, independent, multi-jurisdictional bodies all telling you the same thing: that the hardware they've tested matches the published design, you've reached a level of paranoia where no amount of reassurance, technological or otherwise, will satisfy you.
I suppose if you really wanted to you could build your own X-Ray machine from scratch and check the design yourself. That's probably not much more difficult than going line-by-line and manually verifying the source code of your entire software tool chain because you don't trust anyone else who's read the source code enough to believe them when they tell you they've already verified that everything looks correct and that your text editor probably isn't lying to you about the contents of your source files. Which is to say probably totally impractical, but again, that's kinda my point.
Yeah, try to do that on a mainstream Linux distro for example.
While I'm not saying maintainers & users are checking all changes in packages, all the work happens in the open & all the source is compiled on distro infrastructure.
So once you actually do an atack like this and it is discovered, you can be sure anything done by the maintainer will be combed with a very fine brush & the account disabled.
Given that it can take years to build the trust needed to become mainatiner of an important package, only to loose it all once you atack is known, I really can't see this used for anythin else than very targetted high stakes attack omce off attack, definitelly not for any long term dragnet surveilance.
