An intro to DeepSeek's distributed file system

What are the odds 3fs is backdoored?

I think that's a pretty odd concern to have. What would you imagine that looks like? If you're running these kinds of things securely, you should be locking down the network access to the hosts (they don't need outbound internet access, and they shouldn't need inbound access from anything except your application).

> I think that's a pretty odd concern to have.

Thinking about security risks is an odd concern to have?

I think that worrying that a self-hosted file system has a backdoor to exfiltrate data is an odd concern. Security concerns are (obviously) normal, but you should not be exposing these kinds of services to the public internet (or giving them access to the public internet), eliminating the concern that it's giving your data away.

> I think that worrying that a self-hosted file system has a backdoor to exfiltrate data is an odd concern.

Great security teams get paid to "worry", by which I mean "make a plan" for a given attack tree.

Your use of "odd" looks like a rhetorical technique to downplay legitimate security considerations. From my point of view, you are casually waving away an essential area of security. See:

https://www.paloaltonetworks.com/cyberpedia/data-exfiltratio...

> but you should not be exposing these kinds of services to the public internet (or giving them access to the public internet), eliminating the concern that it's giving your data away.

Let's evaluate the following claim: "a "properly" isolated system would, in theory, have no risk of data exfiltration. Now we have to define what we mean. Isolated from the network? Running in a sandbox? What happens when that system can interact with a compromised system? What happens when people mess up?

From a security POV, any software could have some component that is malicious, compromised, or backdoored. It might be in the project itself or in the supply chain. And so on.

Defense in depth matters. None of the above concerns are "odd". A good security team is going to factor these in.

P.S. If you mean "low probability" then just say that.

I agree with the parent commenter. I think it's fair to be concerned with backdoors but this is a distributed file system which can be completely isolated from the outside world. If you're so worried, you could run it in an airgapped Faraday cage and do all your training in that environment. Just don't run it on any centrifuges.

I think these kinds of concerns are more valid for storage systems which serve online traffic or have some kind of connection to the outside world.

> If you're so worried, you could run it in an airgapped Faraday cage and do all your training in that environment. Just don't run it on any centrifuges.

Really? More rhetoric that minimizes legitimate security concerns?

Again, if someone wants to make the claim that such concerns are "low probability" that would at least be defensible.

In this case, I think the concern about security is overly paranoid. DeepSeek isn't just some unknown nickname of a random developer on GitHub, it's a legitimate company that has made headlines, has a known CEO, publishes research, and is actively trying to attract talent. They've open-sourced a lot of their work, including 3FS, which is fully available on GitHub. So while a backdoor is theoretically possible (just like an asteroid hitting Earth), I think the original poster's question is exaggerated and likely influenced by the fact that the company is Chinese.