Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Setting aside problems with this particular device, the whole "trust the open-source hardware" model is inherently flawed. Every useful security hardware will be commoditized, then faked and/or trojaned. We can't take the open-source software approach and rely on many volunteer eyes catching vulnerabilities and backdoors. First, there just aren't enough skilled professionals capable of proper hardware review. And second, how can you be sure the device in your hand strictly meets its specs? there's no such things as digital signatures and reproducible builds for hardware. Vendor reputation is all we have for now.

Can we do something about this?



If someone sells you a quantum computer, there exists protocols that allow you to check if the QC is working as intended without inspecting the internals [1]. You merely have to pass some special (randomized) inputs and check the outputs.

Does anybody know what sort of verification protocols exist for classical security devices, where you can verify that the device is working as intended without inspecting the hardware?

[1] https://arxiv.org/abs/1911.08101


To do something about this requires supply chain security that you won't find outside governments that are able to realize economies of scale.


Librem is working towards such a supply chain, right? The Librem 5 costs $2k but is made entirely in the US


Assembled, not made.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: