That's my point, really. The question is what is the minimum number of engineers needed to be compromised in order for a malicious change to be introduced and not be noticed before it does its intended harm. Think of that as an equivalent to the Bus Factor, which, thanks to your prompting, I will call the Wrench Factor.
As you say, the threat model has to start considering meatspace security, but there are some advantages here relative to traditional military/industrial settings, in that we can imagine reputations being held by pseudonymous identities, and audits being assigned to random groups of them, without each other's knowledge, to prevent collusion.
There has to be some point at which an attack becomes infeasible (or at least unprofitable), if it requires simultaneously kidnapping thousands of people in multiple jurisdictions, without anyone noticing. Having various dead man's switches and zero-knowledge silent alarm protocols could do a lot to raise the cost of such attacks.