Wednesday, June 25, 2025

I would if I could 26: Spying on everyone, everywhere, anytime

 The major selling point of open-source software is transparency—you know what you’re getting, with fewer zero-day security issues, etc. But what if I told you that this selling point is a smokescreen? Of course, it’s not as opaque as closed-source software, but the illusion of security persists.

Now, imagine I’m an empire that wants to control and ensure my supremacy remains unchallenged. I’m not content with merely stationing troops in subordinate countries and regions—I want to hear and see what every individual is saying or doing at any time.

Welcome to modern software and applications.

For this to work, the empire must compromise the top investors and owners of the most widely used operating systems and applications. Only a few employees in key roles at these companies—positions where they can push custom updates to targeted individuals—would also need to work for the government. These updates, disguised as routine patches, could enable surveillance on specific users.

The compromised software could be anything: hardware drivers (keyboard, mouse, GPU, audio), productivity tools (PDF readers, office suites, browsers), or even the OS itself. While regular users receive legitimate updates, targeted individuals get malicious ones that temporarily grant the empire access to their devices.

Example Scenario

The empire wants to spy on a foreign scientist. First, they identify all the software used by the scientist and their family. Then, they exploit their double agents in tech companies to push custom "updates" that install spyware. Since modern systems and apps update frequently (sometimes daily), these malicious updates blend in seamlessly.

To maintain the illusion of opposition, the empire stages public conflicts with these tech companies—fining them occasionally, feigning regulatory battles, and even awarding them lucrative government contracts to offset penalties. Meanwhile, the empire ensures these companies operate in a legal gray area, where non-compliance with surveillance demands can be used as leverage to force cooperation.

The Open-Source Deception

If you’ve used Linux, you know how updates work: hundreds of small packages are updated regularly, with some distributions pushing daily patches. Even if you use only open-source software, how can you verify that every update is genuine? Could a malicious package slip in unnoticed?

A prime example is Android. While it’s open-source in theory, most phones run heavily modified versions that are effectively closed-source. Even if you find a phone that lets you compile your own Android OS, the hardware is often low-quality and expensive. The preinstalled versions? They could easily include dormant spyware, remotely activated when needed.

The Solution: Transparent, Verifiable Builds

All software should have its source code publicly available on platforms like GitHub or GitLab, with built-in CI/CD workflows that compile and publish packages automatically. This ensures that the software you install matches the publicly visible code.

Each device (phones, computers) should have local CI/CD software that:

  1. Downloads the source code.
  2. Compiles it locally.
  3. Verifies the hash against the public release to ensure integrity.
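
The three steps above as an added Python sketch (not code from the original post): the compile step is stood in by packing a source tree into a tar archive, and the file names and contents are constructed sample input. It shows that the hash comparison in step 3 only succeeds when the build output is deterministic, so file order, timestamps and ownership are normalized before hashing.

```python
import hashlib, hmac, io, os, tarfile, tempfile

def build_artifact(src_dir, normalize=True):
    """Stand-in for the local compile step: pack src_dir into a tar archive.
    normalize=True fixes ordering and metadata that differ between machines."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                       # fixed traversal order
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                if normalize:
                    info.mtime, info.mode = 0, 0o644
                    info.uid = info.gid = 0
                    info.uname = info.gname = ""
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()

def verify_release(src_dir, published_sha256, normalize=True):
    """Rebuild locally and compare against the publisher's digest."""
    local = hashlib.sha256(build_artifact(src_dir, normalize)).hexdigest()
    return hmac.compare_digest(local, published_sha256.lower())

def make_tree(files, mtime):
    """Constructed sample input: write files into a fresh temp directory."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root

SOURCE = {"src/main.c": b"int main(void){return 0;}\n", "src/util.c": b"/* util */\n"}

if __name__ == "__main__":
    publisher = make_tree(SOURCE, mtime=1_600_000_000)   # publisher's CI checkout
    device = make_tree(SOURCE, mtime=1_700_000_000)      # same code, fetched later
    tampered = make_tree({**SOURCE, "src/util.c": b"/* util + extra */\n"}, 1_700_000_000)
    for norm in (False, True):
        digest = hashlib.sha256(build_artifact(publisher, norm)).hexdigest()
        print("normalized" if norm else "raw", verify_release(device, digest, norm),
              verify_release(tampered, digest, norm))
```

Without normalization the identical source fails verification because the file timestamps differ, which is why a real toolchain has to produce bit-for-bit reproducible output before a published hash means anything.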

This is the only way to minimize the risk of spyware. Additionally, hosting code on public platforms ensures zero-day vulnerabilities are reported and patched quickly.

Governments should mandate this framework for all software sold in their regions. Without it, true security is impossible.
