by sprafa 2504 days ago
If you’re going against a three-letter agency, Israeli or Chinese intelligence, you also have to consider all of your hardware sourcing. They don’t even need to compromise vendors; they just need to intercept a package en route.

Not sure where OP was coming from. It’s virtually impossible to protect yourself against a dedicated advanced persistent threat group.

1 comments

In the purest, most academic sense of the conversation, yes, it is impossible to comprehensively defend against 0-days, APTs and nation states.

If we want to be pragmatic about the discussion, then it’s all about your threat model. In that sense, OP is right. If you’re a mom and pop shop selling a catalog of hardware, your LAMP stack isn’t going to face the same scrutiny as a “GooFacePayZon”. According to how he defines his threat model, he can call himself ‘secure’.