Does this matter? We (not just IT people, everyone in the world) always lack the imagination of what could happen, and every time we're caught off guard by the creativity of malicious people. Sometimes a government is to blame, but eventually it's just us. Again, security is a process and a never-ending game of arms race. When you stop playing, they'll get the best of you.
(Disclaimer: this is for the sake of argument. I'm actually a laid-back person and against government surveillance and stuff.)
The past decade has seen an explosion in software being put and used everywhere. With that comes an explosion of bugs that are exploited. Literally hundreds of millions of people have had all their shit stolen from numerous services that have a laissez-faire approach to application security. It's like getting into an automobile accident; you're basically guaranteed to get into at least one in your lifetime. If you've used the Internet, private data of yours is virtually guaranteed to be leaked by at least one service you use.
I'm not a fan at all of excessive government overreach, but the private tech sector is utterly incompetent of policing itself because a) they don't give a shit, and b) no one is holding them accountable enough (you could argue shareholder should, but there's rarely an impact to bottom lines when security breaches happen). The only thing that will make them care is if an impartial 3rd party that can force them to care.
To both of your who replied, yes, there are various other attacks, but that's a different issue that what I was replying to.
And, still, at bulk these things aren't feasible, or even necessary. You're not taking your cynicism far enough. Why does the government need to sorta kinda hope that you might maybe take a flight with your gear someday when they're already capturing all your email and web browsing anyhow? It's a ridiculous theory that you're only entertaining because our trust has decayed to the point that the mere fact that something is an accusation against our government is all but proof that it must be true, no matter how silly it is.
No, the government is not going to set out to physically attack every laptop passing through an airport, because what would that give them that they don't already have, except huge operational costs and risk of detection?
I don't wonder. It'll get hacked and stolen, repeatedly. Government isn't technically competent by itself, and doesn't know how to select those who are.
Our government does not take pride in it. People who can fix things or build things themselves are a danger to corporate interests, so hackers are considered to be dangerous criminals. Nobody gives a fuck if that means we're destroying our own future, because that's our children's problem.
"While the sales are legal, human rights campaigners and cyber-security experts have expressed serious concerns these powerful tools could be used to spy on millions of people and thwart any signs of dissent."
Whilst true, why does this point seem to matter for other countries governments than our own?
Remember that story a few months ago about how some government agency had replaced all its keyboards and mice in response to a malware infestation? A lot of folks (including some here) took this as Yet Another Show of Government Cluelessness. I found myself wondering instead if there was a world in which folks advised by government security experts (i.e., you-know-who) would have a good reason to do something like this and not say why.
There is. It's a world in which their opponents had a zero-day against the Windows USB driver, and a way into the government's supply chain. And in which you-know-who wants to play the same game themselves against opponents elsewhere.
If that's your threat model:
- You are fucked
- You are fucked, and there is nothing you can do about it
- The government won't care about some chassis check
- The government will use methods that nobody else has even considered possible yet
- There is literally nothing you can do, unless you have the backing of another nation.
I find it ridiculous that people build threat models around organisations with almost unlimited resources that will only care about you (enough to tamper with your hardware) if you have done something very, very wrong.
Oh, I get it. Government illegal hacking and capturing of data due to increased infosec doesn't equal to lost consumer confidence, lost taxes and all that (or only to a lesser extent). Priorities, eh..
With the exception of F-Droid, all options you mention cooperate closely with the US security agencies. In case you were not aware, some years ago in Germany you'd see Apple and the local government sending targeted updates for OSX laptops to be tracked.
The problem is not with government or technology. The problem is people. There will always be bad actors in population of sufficient size. It is people who write malware just as it is people who run government. Both are equally subject to unethical behavior. You can defend yourself against other private bad actors with sufficient knowledge, but no amount of knowledge can protect you from a corrupt government.
Untouchable by police? That's a pretty big claim. What would happen if the government were to round up some computers and control 50% or more of the network?
I don't think people are only concerned about the government, but rather the corporations that own your data (via storing the encryption key to use whenever they want, to look through whatever they want)
My real worry is malware and fraud from private actors-- not governments. Criminals seem to be willing to go to amazing technical lengths to steal.
Looking at the personal computer software ecosystem and home computers, which are often bristling with malware, and extrapolating to phones, which will certainly have a larger install-base than personal computers, doesn't seem delusional at all. That's a ripe target for criminals.
If history has told us anything, it's that this won't be fixed until we wake up one day and the majority of the computers in the world are bricked. Then the government will act. Not before.
reply