On Trust and Security

Since a few months we have been reading and discussing the Snowden’s documents. Most of the information present in these NSA documents is not new since we have been discussing the possibility of similar facts at lenghts in many occasions. For example, years ago the modifications introduced in the cryptographic algorithm DES by the NSA led initially to suspicions: were they backdoors or algorithm improvements? (In this case later it turned out to be improvements.)

The real difference is that now we know that our worst suspicions in many recent cases were correct.

So what can or should we do? This is a very interesting and hard question since the main issue in my opinion is that we are mostly dealing with the possible introduction of backdoors in hardware and software, for example to weaken cryptographical algorithms. As normal, even if technical-savy, users we do not have personally the competences nor the resources to verify that all hardware and software we use, from mobile phone to super-computers, are clean of backdoors. So we have to trust third parties, in particular hardware and software makers, that hardware, operating systems, applications, libraries (in particular cryptographic libraries) etc. do not have hidden functionalities or backdoors.

This is not new, we trust car, train, airplane makers with our life, so we should also trust hardware and software makers with our information, or not?

Is our trust in today ICT companies well-founded?