Remember Who You Trust

Day 15 in #100DaysToOffload

Introduction

No, I am not writing an analysis on humans and trust (although that would be interesting). Rather, I am talking about the software we trust. I am not a security professional by any means, but I am able to learn more! These are some thoughts I have on the subject.

Trust

When I refer to trust here, I mean software and its developers that you trust to run, perhaps regularly. Untrusted software may be isolated in a VM, for example. Something must be trusted when you use a computer: at the very least, your OS and hardware. Even if you do not want to trust Microsoft, if you use Windows, you inherently do. If you do not trust them, having them control your OS fundamentally breaks your trust model.

The apps you run

As you fundamentally trust your OS, running its vendor's default apps reduces the number of trusted parties, and that is one reason I use Safari. I remember a discussion in a Privacy/Security room on Matrix, and someone (who had to use Windows) talked about how they use different apps than the MS-provided ones as they do not trust MS. As stated, their model is contradictory. Reducing trusted parties will almost always help (as fewer parties could theoretically be bad actors).

A similar experience came where someone said they use Firefox on iOS instead of Safari because, as Safari is not open-source[^1], it cannot be trusted. After reading this, you can probably already tell the problem with this.[^2]

Hardware?

Hardware is somewhat more tricky, as there are fewer options. Making software is one thing, and distribution is less complicated (extreme understatement) than making your own computer from scratch. There are certain hardware vendors you will always have to trust. That is why it is (almost) impossible to avoid the U.S. with technology: so many hardware components are at the very least engineered there.

Afterword

As stated, I am not an expert on this subject. If you found a mistake, error, or flawed thinking and/or want to talk about it, please contact me to let me know for my sake, and anyone else who reads this :)


[1] Being open-source should not be the only criterion for trust, either. One example

[2] Just in case you do not (and that is fine!), the user already trusts Apple with their OS, so they do trust Safari as it is made by Apple.