Back to homepage

Reflections on Trusting Trust

October 21, 2023

I want to start by saying that I personally use Signal, ProtonMail, GrapheneOS, etc., and I find them to be very important projects to have in our modern society, where every tech company seems to invade our privacy in ways we can’t fully comprehend.

However, I notice many people who recommend these solutions blindly, without giving it a second thought. I always think that if I were a shady government department, I would do the exact same thing: promote a privacy-focused, open-source solution that many content creators endorse repeatedly, displaying open-source audits, reverse-engineering the apps, and sniffing network requests to prove their trustworthiness.

Here are some ways to challenge their security and privacy claims:

  • Are they a non-profit organization? Or could they be bought tomorrow and legally change their algorithms?
  • Is their code open source? Has it been audited by a trusted third party?
  • Are they using reproducible builds? Have you compiled the code locally and compared the hashed value with the online ones?
  • Do you trust the compilers in use and believe that apps developed with them won’t be compromised?
  • Do you trust the DNS serving you the open-source packages to build the app?
  • Do you trust the website displaying the checksums and hash values, ensuring it hasn’t been intercepted?
  • Do you trust that there are no backdoors in the cryptographic standards and toolkits in use?
  • Do you trust the hardware running those apps and believe it hasn’t been compromised itself?

The list goes on, which brings me to a lecture published by Ken Thompson in August 1984, “Reflections on Trusting Trust,” which highlights a crucial point: you can’t trust code you didn’t create entirely yourself. No amount of source-level verification or scrutiny can protect you from using untrusted code, especially if you don’t trust the compiler itself.

I was recently watching Jack Ryan on Amazon Prime, and in one scene, it showed him contacting his assets via a random car dealership website, obfuscated in plain sight. I believe this is how actual malicious users operate on the internet, hiding in plain sight but obfuscated enough that you won’t second-guess it if you see it. We’ve witnessed many crimes happening over game chats and Discord channels over the years.

I encourage you to continue using these technologies but with an awareness of the challenges and potential risks they may pose.

Let’s wrap up with a couple of xkcd’s comics that sums it up