How do we know if there aren't a bunch of more undetected backdoors?

fxdave, 2 months ago

Afaik, most phones are backdoored that can be abused using tools like “pegasus” which led to a huge indignation in Hungary. I don’t belive PCs are exceptions. Intel ME is a proprietary software inside the CPU, often considered as a backdoor in Intel. AMD isn’t an exception. It’s even weirder that Intel produces chips with ME disabled for governments only.

ricdeh, 2 months ago

They are not produced for governments only, almost every consumer-grade CPU can have its ME disabled or at least scuttled, thanks to efforts like me_cleaner!

fxdave, 2 months ago

Have you tried it?

Petter1, 2 months ago

We don’t.

istanbullu, 2 months ago

I’m pretty sure most closed source software is already backdoored.

caseyweederman, 2 months ago

It’s a feature!

VinesNFluff, 2 months ago

Cheeky answer: https://pbs.twimg.com/media/FWr61WZXoAcjx9R.jpg

Actual answer:
Theoretically anyway, open source software’s guarantee of “no backdoor” is that the code is auditable, and you could study it and know if it has any holes and where. Of course, that presumes that you have the knowledge AND time to actually go and study thousands of lines of code. Unrealistic.
Slightly less guaranteed but still good enough to calm my mind, is the idea that there is a whole-ass community of people who do know their shit and who are constantly checking this.

Do note that like. Closed source software is known to be backdoored, only, the backdoors are mostly meant for either the owners of the software (check the fine print folks) or worse, the governments.

The biggest thing that you should note is that: It is unlikely that you (or I or most of the people here) are interesting enough that anyone will actually exploit those vulnerabilities to personally fuck you over. Your photos aren’t interesting enough except as part of a mass database (which is why Google/Facebook want them). Same for your personal work data and shit.

Unless those backdoors could be used to turn your machine into a zombie for some money-making scheme (crypto or whatever) OR you’re connected to people in power OR you personally piss off someone who is a hacker – it is very unlikely you’ll get screwed over due to those vulnerabilities :P

bigmclargehuge, 2 months ago

Just a point to add: this backdoor was (likely) planned years in advance; it took ONE guy a couple weeks (after the malicious code was released) to find it because he had nothing else going on that evening.

I’m relatively confident that the FOSS community has enough of that type of person that if there are more incidents like this one, there’s a decent chance it’ll be found quickly, especially now that this has happened and gotten so much attention.

Tlaloc_Temporal, 2 months ago

Even better: there are also backdoors in closed-source software that will never be found. There may be fewer backdoors inserted, but the ones that get in there are far more likely to stay undiscovered.

onlinepersona, 2 months ago

How do you know what you don’t know?

That’s basically what you’re asking. If you have an answer to that general question, it will answer your specific question.

Anti Commercial AI thingyCC BY-NC-SA 4.0

xlash123, 2 months ago

The best you can do is use OSS software that has been battle tested. Stuff like OpenSSH and OpenVPN are very unlikely to have backdoors or major vulnerabilities currently being exploited. If you don’t trust something to not be vulnerable, you’re best to put it behind a more robust layer of authentication and access it only by those means.

Oha, 2 months ago

We dont.