Linux

Reading the source code for everything running on your machine and then never updating is the only way to be absolutely 100% sure.

I would say you can't, but if you are using open source software, then somebody can and will find them eventually and they will be patched. Unlike with closed source software, you will never know if it has a backdoor or not. This whole episode shows both the problems with open source, being lack of funding for security audits, and the beauty of open source, being that eventually it will be detected and removed.

I'm not a security specialist either. I learn new things every day, but this is why my NextCloud is accessible through TailScale only and I have zero ports exposed to the outside world.

The only real convenience I lose is being able to say "check out this thing on my personal server" with a link to someone outside my network, but that's easily worked around.

You can't trust any of it to be totally secure, it's effectively impossible. But, this is true of all software, at least open source is being audited and scrutinised all the time (as demonstrated).

All you can do is follow best practices.

We don't. That's why we use multiple layers of security. For example keeping all services accessible only via VPN and using a major OS that a lot of production workloads depend on such as Debian, Ubuntu LTS or any of the RHEL copycats. This is a huge plus of the free tier of Ubuntu Pro BTW. It's commercial level security support for $0. Using any of these OSes means that the time between a vulnerability being discovered, patched and deployed is as short as possible. Of course you have to have automatic security updates turned on, unattended-upgrades in Debian-speak.

if you are self hosting and enjoy over-engineering systems... VLANS, ACLs between subnets and IDS/IPS should be part of.your thinking. separate things into zones of vulnerability / least-privilege and maintain that separation with an iron fist. this is a great rabbit hole to fall down if you have the time. however, given a skilled adversary with enough time and money, any network can be infiltrated eventually. the idea is to try to minimize the exposure when it happens.

if the above is not a part of your daily thinking, then don't worry about it too much. use a production OS like Debian stable, don't expose ports to the public internet and only allow systems that should initiate communication to the internet to actually do so (preferably only on their well known protocol ports - if possible).

We can't know. If we would know, those weren't undetected backdoors at all. It's not possible to know something you don't know. So the question in itself is a paradox. :D The question is not if there are backdoors, but if the most critical software is infected? At least what I ask myself.

Do you backups man, do not install too many stuff, do not trust everyone, use multiple mail accounts and passwords and 2 factor authentication. We can only try to minimize the effects of when something horrible happens. Maybe support the projects you like, so that more people can help and have more eyes on it. Governments and corporations with money could do that as well, if they care.

This was likely a state-sponsored attack. If your SSH isn't exposed to the internet this probably wouldn't have effected you. Also most people run stable distros like Debian on their server, and this particular vulnerability never made it to the stable branch. I would guess that most of the computers you have ever used have backdoors. Even if you run Linux (which may itself have some) you might still have a proprietary UEFI on your motherboard. Something like xz wouldn't effect you because no government really cares what's on your server. Smaller attacks can be avoided through common sense. Some people will expose services that require zero authentication to the internet. Follow basic best practices and you will probably be fine.

Edit: Also remember, google photos once flagged a picture of a child that the child's father had taken for medical reasons as abuse, so self-hosted may not be completely private or secure, but it's better than the alternative.

There probably are, there's a reason why super high security systems aim for airgapping of sorts, and even that's not immune.

You don't. Hackers often exploit things like this for ages before they are found. Every bit of non simple software also has bugs.

But chances are you won't be the target.

Just keep everything updated and you should be alright.

The main solace you can take is how quickly xz was caught: there is a lot of diverse scrutiny on it.

That's the neat part, you don't. However if you stay up to date it is not a big deal.

You never know what security holes exist until they're exploited. Nothing you can really do about that. Security and convenience have always, and will always, be a trade off and a matter of personal acceptability. If you host anything, it will be potentially vulnerable, way less so if you take proper precautions. If you're not just overtly insecure, you'll probably be fine, but there's no way to say for sure.

That's the neat part, we don't!

...but, we at least can have a shot of finding them.

In the meantime, I'd advise you to keep an eye out and maybe look into threat models. As people said in this thread already, bad actors probably don't care about your personal photos.

As many have pointed out, you don't know that there is not a back door in your software.

One way to defend against such an unknown is to have a method of quickly reinstalling your system, so if you ever suspect you have been compromised you can reload your OS from scratch and reconfigure it with minimal fuss. This is one reason I recommend folks learn one of the configuration management systems like ansible or puppet, and use those to configure your Linux servers. Having config management also helps you recover anfter unexpected hardware failures.

Defense is done in layers. No one layer will protect you 100%. Build up several layers that you trust and understand.

While others are saying “no one cares about your personal photos” personal info is not the target of backdoor attacks like this. It’s more likely an attempt to get access to lots of processing power for a crypto mine or botnet.

It’s best practice to have the minimum packages required to run whatever service you are running, don’t add other stuff that you won’t be using. Using a distro that is “outdated” like Debian stable can help since the packages have had more time out in the wild to be tested.

I am sure that the xz incident has raised a lot of alarms across many projects.

"We don't" is the short answer. It's unfortunate, but true.

We don't know. But if there were well known backdoors to mainstream security practices we might see more companies that depend on security shutting down, or at least shutting down their online activities. Banks, stock trading, crypto exchanges, other enterprises that handle money, where hacking would be lucrative.

We don’t know. However, no one cares about your personal photos ; no one will ever attempt to hack you specifically unless you’re a high value target (in which case, stop hosting your photos anywhere immediately)

The only thing that could get your photos is if an undiscovered backdoor is exploited by someone doing some sort of a mass attack. As far as I know, they’re pretty rare, because people with the means to do them generally have a specific set of people they care about (which you are unlikely to be a part of).

Self hosting personal photos doesn't generally require opening anything up to the internet, so most backdoors would not be accessible by anyone but you.

you don't and will never will. I would recommend reading a lecture by Ken Thompson the co-creator of Unix for more details on this https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

Good question. I have asking myself the same thing as well. In case of ssh it is possible to use 2FA with a security key, which is something I'd like to put in my todo.txt