Wednesday 4 March 2015
Could we reach a state where most hardware and software is compromised by third parties at its creation, because the hardware and software you need to develop more hardware and software has already been compromised by those third parties? I think we could. Apart from all the challenges we already face, the "Internet Of Things" may make it extremely difficult to isolate potentially vulnerable systems from the Internet. Imagine an environment saturated with poorly secured devices capable of monitoring RF side channels, for a start.
So far I've seen little evidence of systematic attempts to compromise software at source. Perhaps the organizations with the capability do it undetectably, but you would expect some less-competent actors to try it and be exposed. The best explanation I've heard is that people aren't trying to do this because currently it's cheaper to find vulnerabilities in other ways. Hopefully that won't always be true.
If we get into that everything-compromised state, would we know? Would there be a single winner, able to use its unlimited reach to undermine and outflank its competitors? Or would there be multiple winners, with every system containing an entire ecosystem of backdoors and subversion? How could we get out of that state? Would the bugginess of computer systems turn out to be a blessing or a curse?