Remix clone Hacker News

> I think that worrying that a self-hosted file system has a backdoor to exfiltrate data is an odd concern.

Great security teams get paid to "worry", by which I mean "make a plan" for a given attack tree.

Your use of "odd" looks like a rhetorical technique to downplay legitimate security considerations. From my point of view, you are casually waving away an essential area of security. See:

https://www.paloaltonetworks.com/cyberpedia/data-exfiltratio...

> but you should not be exposing these kinds of services to the public internet (or giving them access to the public internet), eliminating the concern that it's giving your data away.

Let's evaluate the following claim: "a "properly" isolated system would, in theory, have no risk of data exfiltration. Now we have to define what we mean. Isolated from the network? Running in a sandbox? What happens when that system can interact with a compromised system? What happens when people mess up?

From a security POV, any software could have some component that is malicious, compromised, or backdoored. It might be in the project itself or in the supply chain. And so on.

Defense in depth matters. None of the above concerns are "odd". A good security team is going to factor these in.

P.S. If you mean "low probability" then just say that.

▲

xmprt 5 days ago | parent [-]

I agree with the parent commenter. I think it's fair to be concerned with backdoors but this is a distributed file system which can be completely isolated from the outside world. If you're so worried, you could run it in an airgapped Faraday cage and do all your training in that environment. Just don't run it on any centrifuges.

I think these kinds of concerns are more valid for storage systems which serve online traffic or have some kind of connection to the outside world.

▲

antonvs 3 days ago | parent | next [-]

Attackers, whether state-level, corporate, or criminal, all rely on ignorance like this. It also probably involves denial: you want to believe your systems are safe, so you delude yourself into thinking that minimal protections are sufficient.

I wrote a longer comment about this here: https://news.ycombinator.com/item?id=43745423

▲

xpe 5 days ago | parent | prev [-]

> If you're so worried, you could run it in an airgapped Faraday cage and do all your training in that environment. Just don't run it on any centrifuges.

Really? More rhetoric that minimizes legitimate security concerns?

Again, if someone wants to make the claim that such concerns are "low probability" that would at least be defensible.

▲

lossolo 5 days ago | parent [-]

In this case, I think the concern about security is overly paranoid. DeepSeek isn't just some unknown nickname of a random developer on GitHub, it's a legitimate company that has made headlines, has a known CEO, publishes research, and is actively trying to attract talent. They've open-sourced a lot of their work, including 3FS, which is fully available on GitHub. So while a backdoor is theoretically possible (just like an asteroid hitting Earth), I think the original poster's question is exaggerated and likely influenced by the fact that the company is Chinese.

	▲	xpe 5 days ago \| parent \| next [-]
		> and likely influenced by the fact that the company is Chinese Let's rephrase this. It is not simply that DeepSeek is a Chinese company. It is because of its links to the CCP [1] [2] and the CCP's cyber operations. [1]: https://www.scmp.com/news/china/politics/article/3306943/chi... [2]: https://www.journalofdemocracy.org/online-exclusive/why-deep...
	▲	5 days ago \| parent \| prev \| next [-]
		[deleted]
	▲	xpe 5 days ago \| parent \| prev \| next [-]
		DeepSeek has been caught making backdoors. https://www.cisecurity.org/insights/blog/deepseek-a-new-play...
	▲	xpe 5 days ago \| parent \| prev [-]
		> DeepSeek isn't just some unknown nickname > just like an asteroid hitting Earth So much one-sided rhetoric.