Comment by bpt3
2 days ago
Okay, if you want to pass responsibility off to someone else, how does the third-party auditor do it?
I'm not talking about checking a compliance box, I'm talking about actually confirming no backdoor exists.
That's proving a negative. You are always going to end up with something like 'to the best of our ability'.
You figured it out. It's trivial to include a backdoor in a large system of systems, and one placed by a remotely competent adversary will not be found.
So what's the point of a regulation that can't be enforced?
So you claim it's never possible to audit anything?
I'm asking how you expect an auditor to confirm the absence of something in a series of black boxes that a determined and skilled adversary would like to hide.
It's actually quite simple. You fail the audit and block the purchase at the first black box you find :)