Building a secure OS isn't "that difficult" (as in, its quite feasible). Building a secure OS that runs software people want to run and need for work and can communicate with insecure computers (aka the internet) is a complete different story :) Everything that is 3rd party is potentially tainted, and that includes usually the compiler and the build toolchain. Some projects like OpenBSD integrate some 3rd party software into their own codebase, and do an audit to make sure no major holes are present. But unless you're using it as a firewall or to serve some static files, sooner or later you'll need 3rd party software from external sources. And if even in your codebase some "easter eggs" are difficult to detect (look at OpenSSL, the heartbleed vuln went unnoticed for what? 2 years?), it is almost impossible for external programs.

Until you access that specific secret non-documented register that is available after some fancy port-knocking (bit-knocking) that will leave an internal gate to 1 instead of 0... Given that most chips do have extra circuitry for internal testing, this would be almost trivial to implement and very very difficult to detect.

And if you really think about it, signed repositories only protect you against tampering with the actual packages, not the source. I'd guess it would be quite feasible to gain access one of the most well-known-less-cared-about libraries (or their servers) and add some easteregg to the code (think stuff like libjpg, libpng, zip handling, etc), and the fancy signed package would be silently built and installed downstream.

The sad truth is that even the source code isn't enough to guarantee that no backdoor exists, if its done in a competent fashion.

Oblig. XKCD http://xkcd.com/538/

On the other hand, many "cloud" services are actually grid services that run on many, redundant, small servers, in contrast to the blade center HP and IBM tries to shove down your throat. One example is GMail and the assorted google services. So, while I understand your point about virtualization, cloud and virtualization are two very different and very distinct things.

It depends how you measure it. In a pure cpu-power-per-watt, 1U servers are way cheaper than an equivalent blade solution, easier to service, and will run cooler. They do take more space, but asset depreciation on a 50K blade cage vs 30K of 1U servers is bigger in the blades.

Well, its not, and this is one of the biggest fallacies of virtualization. It wildly varies according to the workload and your configuration. For small workloads, you may even spend more in hardware to provide proper virtualization than you had to pay for a metal solution. You do gain flexibility, and yes, when well done, you may take more advantage of your hardware, but this is not a novel concept. When possible, solutions like linux containers, solaris zones and freebsd jails allows at least some level of flexibility with a smaller execution footprint.
And regarding usage... well, most cpu's even implement an instruction that internally halts the cpu if not in use. Cpu consumption varies according to the workload, and most of the specs mention max consumption, not average consumption. It may even happen that your beefier setup actually spends more power per vm than single dedicated servers.

Yes, but is it cheaper? As an example, almost all industrial processes wastes copious amounts of water, when often more sofisticated and reusable replacements are available. But water is cheaper. Its a bit like saying "this aluminium package is 20% smaller, so we can stop using cardboard packaging because it generates less waste". I would like to see proper metrics on that, not sure if it is that obvious.

You could say the same about the US. In fact, you could assume that, for every Snowden, you have 10 guys in guantanamo with the same info. Or in a secret detention camp somewhere around the world. Russia doesn't really care about international propaganda, USA does - thats why you have a different perception of both countries. I'd assume Russia is nearby; When it was the last time Russia invaded a country on the other side of the world?

Except the ones that run away. Starts sounding familiar, right?

Are you fucking kidding me? American companies seizing assets from foreigners (paypal, mastercard, etc); Widespread political pressure to send the guy to the US; The fact that the USA is the only democratic country with concentration camps that is not sanctioned by the UN at any level; USA cannot issue an international warrant for his capture without being laughed at; That didn't stop them. At all.

Sure. You have right-wing batshit crazy people everywhere you can get a wealthy median-class lifestyle. Some of them even get elected.

Where is the debate between two parties in the US? The illusion of choice is not the same as choice. And since lobbyists control both sides, its more about keeping apearences than "the people". Your democratic system is a knotch above a middle-eastern country.

No they don't. One defends wealthy people and interest groups by catering to a more conservative agenda, and the other one goes a more liberal approach. There is no actual difference. Want proof? Move to another country and see the difference.

Or not. That's why you have both chinese and russian dissidents. And USA is the country that went after Assange as a 'traitor', regardless of his nationality. From the other side of the pond, USA does look like a police state straight out of 1984 - not only because of the huge levels of incompetence while monitoring people, but also because of what you just said. The level of brainwash that takes for someone to say "my democratic system is better" when its not actually democratic NOR pluralist is an indoctrinator's dream come true. Have a good look at the Roman empire, and why it has fallen. History has a tendency to repeat itself.

Is that intended as the original poem, or the Iron Maiden version? :D

Most of those security consultants you talk about don't even know what OpenSSL is. They know its the certificates thinggy that its used by several packages, that's it.

I do get your point, but you're assuming they are able to captivate the relevant market share. If the difference is having 3% of the total market selling product, or supplying 60% of the total OEM parts, while simplifying both and time to market, plus deterring competition from investing on this area by providing availability of the parts, the argument falls apart. Using your math, the turnover for the whole car only makes sense if the battery approach would captivate less than 10x their total market of vehicles (eg. for 3% total market for cars vs 31% of total market for parts, parts are more profitable in absolute values). And batteries are not like semiconductors, they have way bigger profit margins than the car as a whole.

You only know that after you know the password. a brute-force attack (even a dictionary-based one) would try at least an order of magnitude more combinations.

I actually memorize passwords both more "random" and biger thant that one. I don't need to memorize fifty. I need to memorize 5 separate hashes, and then use them as A, B, C, D, E, F, AB, AC, ... ABC, ACD, etc according to the relevancy of the password. Memorizing 50 hashes is stupid, but since I know probably more than 100 metal lyrics, I could also pull it off (ever tried a 200 character password?). And if I'm something, is lazy.

I was referencing this specific slide http://www.openbsd.org/papers/... They clearly state their portability goal is mostly POSIX-compatible, but after a second read it is not obvious it its being used as a base reference, as you point out.