Uninstalling Windows 8
Message
From
05/08/2013 16:27:35
 
 
To
05/08/2013 16:14:44
General information
Forum:
Windows
Category:
Configuration
Environment versions
OS:
Windows Server 2012
Miscellaneous
Thread ID:
01579848
Message ID:
01579912
Views:
44
<snip>

>>Yes, but the truth is that for most end-users, and I include myself in that definition even though I have studied infosec quite a bit, it becomes practically impossible to detect and prevent. There can be, as Al has pointed out, low level backdoors that only real security researchers are going to discover. I have come to the opinion that there are now so many security researchers all looking to make a name for themselves that they will find the backdoors and nasty business going on. They will publish and we will get to know about it. There are enough independent "policemen" / researchers out there that it will be hard for mainstream hardware / software vendors to really get away with serious security breaches, imo.
>
>I used to share that opinion, but now I'm not so sure. Legend has it that:
>
>- nation-states are actively buying zero days
>- in addition to in-house efforts to develop their own
>
>Quite recently I read an article (can't find it now, of course :() The gist was a former employee of a US intelligence agency claiming that at any given time that agency had literally hundreds of zero-days for every imaginable platform. When one was disclosed and/or patched they'd scratch it off their list, but that just reduced it to 99. In the meantime their army of ultra-bright, well-funded analysts were busy finding more all the time.
>
>So, it's becoming a contest between:
>
>- in the red corner, software and equipment vendor security teams, and "ethical" hackers some of whom are not well funded compared to nation-states
>
>- in the blue corner, black hats driven by the profit motive, and well-funded nation-states
>
>The question is, who does one bet on?

Yes, I also read that article. The problem becomes untenable for you and me as average computer users. We are not in a position of a nation-state / corporate entity nor do we have the knowledge, time and skills to be the whitehat hacker / full-time brilliant security researcher. So we are stuck in the middle. In that scenario I feel that maybe 3rd party, independent researchers will discover something and expose it but, of course, maybe not. What else can one realistically do, though, against players at the level of nation state?
In the End, we will remember not the words of our enemies, but the silence of our friends - Martin Luther King, Jr.