[comex]

> Once hardware begins to turn against you, there seems to be nothing anyone can do to protect themselves. Encryption doesn't work against an adversary that has access to your computer's memory.

In the future (or today, depending on your setup), IOMMU. In the present, there is no evidence that baseband backdoors of this type actually exist (as opposed to hacks). When the adversary adds backdoors deeper in the hardware? ...well, we'll see if that is discovered someday.

To editorialize a bit, I guess it can't hurt to worry about and try to head off anticipated future threats - it's not like anticipating different threats is mutually exclusive - but still, I somehow can't shake the feeling that people's emphasis on secret backdoors unduly weights threats that are easier to romanticize over more pragmatic but more dangerous ones.

[devconsole]

The reason it's good to proactively think of future threats is because so many past concerns have proven to be true. Several months ago, no one on Hacker News really believed that BIOS backdoors were much of a threat. But today it's a well-established fact, for example.

The tools of law enforcement probably aren't going to be revealed, and they're hard to discover. Nobody knew about the zero-day exploit employed against Tor browser, for example, and there are almost certainly many more tricks like that up their sleeve. They already take steps to conceal them; parallel construction is an unfortunate reality. And since there's not much justification for a whistleblower to reveal the techniques, it's unlikely someone will come out and talk about them. We'll probably need to think along the lines of "What's technologically possible, and how is it useful to law enforcement?" It's not a good idea to wait until a weapon is used before thinking about how to react to it.

The history of communications technology and how governments have reacted to the technology is actually quite fascinating. Wiretaps used to be extremely commonplace, and since there's not too much legal protection from the government rifling through your digital life at will (at least compared to getting permission for wiretapping your phone), it seems like it's better to err on the side of caution.

It's also important to realize that even though some governments follow due process, several powerful ones don't. Also, there are other global other considerations. The US has made it pretty clear that their legal restrictions are designed to apply to US citizens, not any foreign person. You may be forced into a situation of choosing which governments you'll trust, especially when cross-nation collaboration becomes even more pervasive. Assuming that other countries adopt a similar attitude of "Our citizens are protected; other citizens are examined," then the US may simply outsource their databases of information to be examined by some other government, like any other member of the Five Eyes.

I understand your concern and skepticism though. It was a question I've often wrestled with myself.

[zaroth]

  Nobody knew about the zero-day exploit employed against Tor browser,
  for example, and there are almost certainly many more tricks like that
  up their sleeve.

I had actually been patched already upstream, so it was not really a zero-day. I'm not sure if it a patched Tor Browser Bundle had been released and people just hadn't upgraded, or if the patch hadn't made its way to the bundle yet.