How do we know if there aren't a bunch of more undetected backdoors?

I have been thinking about self-hosting my personal photos on my linux server. After the recent backdoor was detected I’m more hesitant to do so especially because i’m no security expert and don’t have the time and knowledge to audit my server. All I’ve done so far is disabling password logins and changing the ssh port. I’m wondering if there are more backdoors and if new ones are made I can’t respond in time. Appreciate your thoughts on this for an ordinary user.

avidamoeba,
@avidamoeba@lemmy.ca avatar

We don’t. That’s why we use multiple layers of security. For example keeping all services accessible only via VPN and using a major OS that a lot of production workloads depend on such as Debian, Ubuntu LTS or any of the RHEL copycats. This is a huge plus of the free tier of Ubuntu Pro BTW. It’s commercial level security support for $0. Using any of these OSes means that the time between a vulnerability being discovered, patched and deployed is as short as possible. Of course you have to have automatic security updates turned on, unattended-upgrades in Debian-speak.

lordnikon,

you don’t and will never will. I would recommend reading a lecture by Ken Thompson the co-creator of Unix for more details on this cs.cmu.edu/…/Thompson_1984_ReflectionsonTrustingT…

radiant_bloom,

We don’t know. However, no one cares about your personal photos ; no one will ever attempt to hack you specifically unless you’re a high value target (in which case, stop hosting your photos anywhere immediately)

The only thing that could get your photos is if an undiscovered backdoor is exploited by someone doing some sort of a mass attack. As far as I know, they’re pretty rare, because people with the means to do them generally have a specific set of people they care about (which you are unlikely to be a part of).

lemmyreader,

We don’t know. However, no one cares about your personal photos ; no one will ever attempt to hack you specifically unless you’re a high value target (in which case, stop hosting your photos anywhere immediately)

To those assumptions I would say : we don’t know. Personal vendettas do exist and we cannot look into the minds of individuals going crazy neither.

radiant_bloom,

That fair enough I guess, really depends on what kinda personal photos you have. I know people are worried about revenge porn, I personally think the only actual remedy is not having any porn of yourself anywhere unless it’s your job 🤷🏻‍♀️

lurch,

unfortunately, mass attacks happen all the time. if you ever had access to the authentication logs of an SSH server with an unfirewalled port 22 into the internet that has been running for a few months, you would see international IPs starting port scans and brute force attacks. there is always someone out there trying to hack random IPs. it’s fucking wild west out there.

billgamesh,

Yeah. I’d recommend using ssh keys and disabling password authentication whenever something is exposed to a public network

4am,

no one will ever attempt to hack you

My brother in Christ, how do you think botnets get built?

HumanPerson,

They did say specifically. I think bothers are usually automated attacks.

mfat,

My ssh auth logs show a lot of login attempts from chinese IPs. That prompted me to install Fail2Ban…

Oha,

We dont.

qprimed,

if you are self hosting and enjoy over-engineering systems… VLANS, ACLs between subnets and IDS/IPS should be part of.your thinking. separate things into zones of vulnerability / least-privilege and maintain that separation with an iron fist. this is a great rabbit hole to fall down if you have the time. however, given a skilled adversary with enough time and money, any network can be infiltrated eventually. the idea is to try to minimize the exposure when it happens.

if the above is not a part of your daily thinking, then don’t worry about it too much. use a production OS like Debian stable, don’t expose ports to the public internet and only allow systems that should initiate communication to the internet to actually do so (preferably only on their well known protocol ports - if possible).

HumanPerson,

This was likely a state-sponsored attack. If your SSH isn’t exposed to the internet this probably wouldn’t have effected you. Also most people run stable distros like Debian on their server, and this particular vulnerability never made it to the stable branch. I would guess that most of the computers you have ever used have backdoors. Even if you run Linux (which may itself have some) you might still have a proprietary UEFI on your motherboard. Something like xz wouldn’t effect you because no government really cares what’s on your server. Smaller attacks can be avoided through common sense. Some people will expose services that require zero authentication to the internet. Follow basic best practices and you will probably be fine.

Edit: Also remember, google photos once flagged a picture of a child that the child’s father had taken for medical reasons as abuse, so self-hosted may not be completely private or secure, but it’s better than the alternative.

pr06lefs,

We don’t know. But if there were well known backdoors to mainstream security practices we might see more companies that depend on security shutting down, or at least shutting down their online activities. Banks, stock trading, crypto exchanges, other enterprises that handle money, where hacking would be lucrative.

taladar,

I don’t think you need to worry about backdoors with most of those. Worry more about unfixed security holes due to an extreme emphasis on “stability” as in using old versions when fixes have already been released when it comes to anything hosted by large companies.

wizardbeard,

There’s a concept of acceptable levels of risk. Companies are not going to shut down out of fear, or miss out on the business opportunities of online presence. There’s money to be made.

Even with things as serious as spectre allowing full dumping of CPU and RAM contents simply by loading a website, I can’t think of a single company that just said “well shit, better just die”.

Serious, potentially business ending, security issues usually have a huge amount of effort when discovered put into mitigations and fixes. Mitigations are usually enough in the immediate “oh shit” phase. Defense in depth is standard practice.

mfat,

There are several known instaces of crypto exchages getting hacked.

tamagotchicowboy,
@tamagotchicowboy@hexbear.net avatar

There probably are, there’s a reason why super high security systems aim for airgapping of sorts, and even that’s not immune.

lemmyreader,

Good question. I have asking myself the same thing as well. In case of ssh it is possible to use 2FA with a security key, which is something I’d like to put in my todo.txt

xlash123,
@xlash123@sh.itjust.works avatar

The best you can do is use OSS software that has been battle tested. Stuff like OpenSSH and OpenVPN are very unlikely to have backdoors or major vulnerabilities currently being exploited. If you don’t trust something to not be vulnerable, you’re best to put it behind a more robust layer of authentication and access it only by those means.

MazonnaCara89,
@MazonnaCara89@lemmy.ml avatar

Ah shit we are back to “Ken Thompson Compiler Hack” again

cypherpunks,
@cypherpunks@lemmy.ml avatar

for those unfamiliar: Reflections on trusting trust by Ken Thompson

hperrin,

If backdoors exist, they’re probably enough to get your data no matter where it’s stored, so self hosting should be fine. Just keep it up to date and set up regular automatic backups.

MonkeMischief,

I’m not a security specialist either. I learn new things every day, but this is why my NextCloud is accessible through TailScale only and I have zero ports exposed to the outside world.

The only real convenience I lose is being able to say “check out this thing on my personal server” with a link to someone outside my network, but that’s easily worked around.

redcalcium,

Next: how do we know tailscale’s network hasn’t been backdoored?

ReversalHatchery,

Headscale. And then you don’t even have to trust any outside auth provider to not log in in your name.

MonkeMischief,

I figure there’s a certain amount of trust you have to have in strangers for a LOT of things we use every day.

I try to be selective with where I put that trust, especially when I can’t just homebrew an advanced custom solution, but I figure Tailscale is much better than attempting to just host it on my LAN with an open a port to the big scary web and hope a bot doesn’t find a gap and ransomware it all lol.

3-2-1 backups and a certain bit of trust.

Because heck, even CPUs have been found with exploitable microcode. (Spectre and Meltdown?) At some point you just gotta balance “best rational protection” with not going insane, right?

Headscale mentioned here is pretty neat too, but I feel like spinning up Dockers on Proxmox and Tailscale is as much moving parts as I’m willing to manage alongside everything else in life. :)

mfat,

I think you can use Tailscale Funnels for that.

neo,
@neo@lemmy.comfysnug.space avatar

Reading the source code for everything running on your machine and then never updating is the only way to be absolutely 100% sure.

possiblylinux127,

Even with that you will miss something

rotopenguin,
@rotopenguin@infosec.pub avatar

This is a sliver of one patch, there is a bug here that disabled a build tool that breaks the attack. Can you find it?

https://infosec.pub/pictrs/image/f55ead66-fbfd-445a-8d88-c10d0d9b5309.png

rotopenguin,
@rotopenguin@infosec.pub avatar

hintIt is one singular character. Everything else is fine.

genuineparts,
@genuineparts@infosec.pub avatar

SolutionIt’s the dot on line 9

AnnaFrankfurter,

MaybeDot after include

nelsnelson,

Security is not a wall. It is a maze.

  • All
  • Subscribed
  • Moderated
  • Favorites
  • linux@lemmy.ml
  • fightinggames
  • All magazines
    •