by zabuni 3391 days ago
1) Apple has shown substantial backbone in fighting against the US government when pressed to exploit a phone.

2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

3) Either device will have a totally closed baseband chip.

4) Deploying and maintaining a secure Linux environment on a laptop is a full-time job that requires expertise journalists don't have.

5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.

3 comments

> 2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

All iPhones are made in China by a Chinese company.

What are the options for someone who wants a fully trusted supply chain? Is there a modern smartphone made with provably secure hardware (and which I can verify is actually running that hardware and not some behave-alike SoC)?

From my somewhat-naive perspective, it seems like the alternative is an Android phone made in China by a Chinese company, which seems not obviously superior.

They are made by Foxconn, which is a Taiwanese company.

Does that make it meaningfully better?

Hum...

> 1) Apple has shown substantial backbone in fighting against the US government when pressed to exploit a phone.

And the phone was exploited anyway. The only thing that was established is that Apple must not be forced to help.

> 2) The other choice is a device made by a Chinese or Korean company with a semi-open operating system made by a US company.

That makes both alike.

> 3) Either device will have a totally closed baseband chip.

This is the one the iPhone got right. On the iPhones, it is insulated by a closed interface.

> 4) Deploying and maintaining a secure Linux environment on a laptop is a full-time job that requires expertise journalists don't have.

Ditto for Android, iOS, Windows, OS/2, AIX, GNU/Hurd... And anything else you may think about.

> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.

Open source is a necessary condition for securing against any targeted attack. It's just far from sufficient. Also, pre-compiled binaries can help you.

Anyway, both platforms are pretty much closed.

No, open source is not a necessary condition for security. But we agree that it's insufficient, which is progress.

> 5) Open versus closed source is a red herring. Everyone is using pre-compiled binaries.

With a very salutary trend toward reproducible builds, which will help prove a connection between the source and binaries. (Though it's taking years to get there.)