How do we know if there aren't a bunch of more undetected backdoors?

nelsnelson, 2 months ago

Security is not a wall. It is a maze.

shortwavesurfer, 2 months ago

I would say you can’t, but if you are using open source software, then somebody can and will find them eventually and they will be patched. Unlike with closed source software, you will never know if it has a backdoor or not. This whole episode shows both the problems with open source, being lack of funding for security audits, and the beauty of open source, being that eventually it will be detected and removed.

MonkeMischief, 2 months ago

I’m not a security specialist either. I learn new things every day, but this is why my NextCloud is accessible through TailScale only and I have zero ports exposed to the outside world.

The only real convenience I lose is being able to say “check out this thing on my personal server” with a link to someone outside my network, but that’s easily worked around.

redcalcium, 2 months ago

Next: how do we know tailscale’s network hasn’t been backdoored?

ReversalHatchery, 2 months ago

Headscale. And then you don’t even have to trust any outside auth provider to not log in in your name.

MonkeMischief, 2 months ago

I figure there’s a certain amount of trust you have to have in strangers for a LOT of things we use every day.

I try to be selective with where I put that trust, especially when I can’t just homebrew an advanced custom solution, but I figure Tailscale is much better than attempting to just host it on my LAN with an open a port to the big scary web and hope a bot doesn’t find a gap and ransomware it all lol.

3-2-1 backups and a certain bit of trust.

Because heck, even CPUs have been found with exploitable microcode. (Spectre and Meltdown?) At some point you just gotta balance “best rational protection” with not going insane, right?

Headscale mentioned here is pretty neat too, but I feel like spinning up Dockers on Proxmox and Tailscale is as much moving parts as I’m willing to manage alongside everything else in life. :)

mfat, 2 months ago

I think you can use Tailscale Funnels for that.

sgtlion, 2 months ago

You can’t trust any of it to be totally secure, it’s effectively impossible. But, this is true of all software, at least open source is being audited and scrutinised all the time (as demonstrated).

All you can do is follow best practices.

avidamoeba, 2 months ago

We don’t. That’s why we use multiple layers of security. For example keeping all services accessible only via VPN and using a major OS that a lot of production workloads depend on such as Debian, Ubuntu LTS or any of the RHEL copycats. This is a huge plus of the free tier of Ubuntu Pro BTW. It’s commercial level security support for $0. Using any of these OSes means that the time between a vulnerability being discovered, patched and deployed is as short as possible. Of course you have to have automatic security updates turned on, unattended-upgrades in Debian-speak.

qprimed, 2 months ago

if you are self hosting and enjoy over-engineering systems… VLANS, ACLs between subnets and IDS/IPS should be part of.your thinking. separate things into zones of vulnerability / least-privilege and maintain that separation with an iron fist. this is a great rabbit hole to fall down if you have the time. however, given a skilled adversary with enough time and money, any network can be infiltrated eventually. the idea is to try to minimize the exposure when it happens.

if the above is not a part of your daily thinking, then don’t worry about it too much. use a production OS like Debian stable, don’t expose ports to the public internet and only allow systems that should initiate communication to the internet to actually do so (preferably only on their well known protocol ports - if possible).

thingsiplay, 2 months ago

We can’t know. If we would know, those weren’t undetected backdoors at all. It’s not possible to know something you don’t know. So the question in itself is a paradox. :D The question is not if there are backdoors, but if the most critical software is infected? At least what I ask myself.

Do you backups man, do not install too many stuff, do not trust everyone, use multiple mail accounts and passwords and 2 factor authentication. We can only try to minimize the effects of when something horrible happens. Maybe support the projects you like, so that more people can help and have more eyes on it. Governments and corporations with money could do that as well, if they care.

HumanPerson, 2 months ago

This was likely a state-sponsored attack. If your SSH isn’t exposed to the internet this probably wouldn’t have effected you. Also most people run stable distros like Debian on their server, and this particular vulnerability never made it to the stable branch. I would guess that most of the computers you have ever used have backdoors. Even if you run Linux (which may itself have some) you might still have a proprietary UEFI on your motherboard. Something like xz wouldn’t effect you because no government really cares what’s on your server. Smaller attacks can be avoided through common sense. Some people will expose services that require zero authentication to the internet. Follow basic best practices and you will probably be fine.

Edit: Also remember, google photos once flagged a picture of a child that the child’s father had taken for medical reasons as abuse, so self-hosted may not be completely private or secure, but it’s better than the alternative.

tamagotchicowboy, 2 months ago

There probably are, there’s a reason why super high security systems aim for airgapping of sorts, and even that’s not immune.

Lmaydev, 2 months ago

You don’t. Hackers often exploit things like this for ages before they are found. Every bit of non simple software also has bugs.

But chances are you won’t be the target.

Just keep everything updated and you should be alright.

possiblylinux127, 2 months ago

And implement least privilege and automatic updates

huginn, 2 months ago

The main solace you can take is how quickly xz was caught: there is a lot of diverse scrutiny on it.

Deebster, 2 months ago

Hmm, not really. It’s only because it nerd-sniped someone who was trying to do something completely unrelated that this came to light. If that person has been less dedicated or less skilled we’d still probably be in the dark.

N0x0n, 2 months ago (edited 2 months ago)

Call me names… But sometimes the story has far more branched backstories than they actually shed into light.

Trust nobody, not even yourself.

possiblylinux127, 2 months ago

The thing is there are a few thousand of those people

Deebster, 2 months ago

Maybe millions of potential eyes, but all of them are looking at other things! Heartbleed existed for two years before being noticed, and OpenSSL must have enormously more scrutiny than small projects like xz.

I am very pro open source and this investigation would’ve been virtually impossible on Windows or Mac, but the many-eyes argument always struck me as more theoretical/optimistic than realistic.

SpaceCadet, 2 months ago

Heartbleed existed for two years before being noticed

That’s a different scenario. That was an inadvertently introduced bug, not a deliberately installed backdoor. So the bad guys didn’t have two years to exploit it because they didn’t know about it either.

It’s also not new that very old bugs get discovered. Just a few years ago a 24 year old bug was discovered in the Linux kernel.

Deebster, 2 months ago

And are bugs harder to find than carefully hidden backdoors? No-one noticed the code being added and if it hadn’t have had a performance penalty then it probably wouldn’t have been discovered for a very long time, if ever.

The flip side to open-source is that bad actors could have reviewed the code, discovered Heartbleed and been quietly exploiting it without anyone knowing. Government agencies and criminal groups are known to horde zero-days.

possiblylinux127, 2 months ago

That’s the neat part, you don’t. However if you stay up to date it is not a big deal.

Valmond, 2 months ago

Well not too up to date as we just have witnessed 😁

possiblylinux127, 2 months ago

Just use a stable system

Ookami38, 2 months ago

You never know what security holes exist until they’re exploited. Nothing you can really do about that. Security and convenience have always, and will always, be a trade off and a matter of personal acceptability. If you host anything, it will be potentially vulnerable, way less so if you take proper precautions. If you’re not just overtly insecure, you’ll probably be fine, but there’s no way to say for sure.

arisunz, 2 months ago

That’s the neat part, we don’t!

…but, we at least can have a shot of finding them.

In the meantime, I’d advise you to keep an eye out and maybe look into threat models. As people said in this thread already, bad actors probably don’t care about your personal photos.

dylanmorgan, 2 months ago

Unless OP is a celebrity or politician. Or knows they have an enemy with the resources to find and exploit potential backdoors.

friend_of_satan, 2 months ago

As many have pointed out, you don’t know that there is not a back door in your software.

One way to defend against such an unknown is to have a method of quickly reinstalling your system, so if you ever suspect you have been compromised you can reload your OS from scratch and reconfigure it with minimal fuss. This is one reason I recommend folks learn one of the configuration management systems like ansible or puppet, and use those to configure your Linux servers. Having config management also helps you recover anfter unexpected hardware failures.

Defense is done in layers. No one layer will protect you 100%. Build up several layers that you trust and understand.

mfat, 2 months ago

Very good points. Call me paranoid but i always fear I might fail to notice the symptoms of something nasty going on. I wish linux had a built-in, easy-to-use auditing/alerting system. I know this can be achived by experts but others have no idea what’s actually going on on their machines.

friend_of_satan, 2 months ago (edited 2 months ago)

Dude, you’re so not paranoid. This stuff has happened to me. I had a Wordpress blog that was hacked and the exploit was stored in the DB so even after reloading the OS I still was infected because I hadn’t sanitized my database. Luckily it was just Google search viagra spam, and it was a valuable lesson.