Ken Thompson shows how even a programmer who trusts no binary downloaded from the Internet, and compiles every executable himself, will still get pwned. Even if you compile everything yourself, there is no guarantee that the compiler you used is itself not compromised, and can inject vulnerabilities into your machine code.

The paper won the Turing Award of 1983.

References

• Stanford CS lecture, just turned up in DDG: https://web.stanford.edu/class/cs208e/cgi-bin/main.cgi/static/lectures/18-ReflectionsOnTrustingTrust/ReflectionsOnTrustingTrust.pdf.
• https://amturing.acm.org/award_winners/thompson_4588371.cfm.