621 points sebg | 1 comments
mertleee ◴[] No.43717579[source]
What are the odds 3fs is backdoored?
replies(2): >>43717673 #>>43719993 #
huntaub ◴[] No.43717673[source]
I think that's a pretty odd concern to have. What would you imagine that looks like? If you're running these kinds of things securely, you should be locking down the network access to the hosts (they don't need outbound internet access, and they shouldn't need inbound access from anything except your application).
replies(1): >>43719290 #
xpe ◴[] No.43719290[source]
> I think that's a pretty odd concern to have.

Thinking about security risks is an odd concern to have?

replies(1): >>43719353 #
huntaub ◴[] No.43719353[source]
I think that worrying that a self-hosted file system has a backdoor to exfiltrate data is an odd concern. Security concerns are (obviously) normal, but you should not be exposing these kinds of services to the public internet (or giving them access to the public internet), eliminating the concern that it's giving your data away.
replies(3): >>43720196 #>>43720467 #>>43745423 #
xpe ◴[] No.43720467[source]
> I think that worrying that a self-hosted file system has a backdoor to exfiltrate data is an odd concern.

Great security teams get paid to "worry", by which I mean "make a plan" for a given attack tree.

Your use of "odd" looks like a rhetorical technique to downplay legitimate security considerations. From my point of view, you are casually waving away an essential area of security. See:

https://www.paloaltonetworks.com/cyberpedia/data-exfiltratio...

> but you should not be exposing these kinds of services to the public internet (or giving them access to the public internet), eliminating the concern that it's giving your data away.

Let's evaluate the following claim: "a 'properly' isolated system would, in theory, have no risk of data exfiltration." Now we have to define what we mean. Isolated from the network? Running in a sandbox? What happens when that system can interact with a compromised system? What happens when people mess up?

From a security POV, any software could have some component that is malicious, compromised, or backdoored. It might be in the project itself or in the supply chain. And so on.

Defense in depth matters. None of the above concerns are "odd". A good security team is going to factor these in.

P.S. If you mean "low probability" then just say that.

replies(1): >>43725307 #
xmprt ◴[] No.43725307[source]
I agree with the parent commenter. I think it's fair to be concerned with backdoors but this is a distributed file system which can be completely isolated from the outside world. If you're so worried, you could run it in an airgapped Faraday cage and do all your training in that environment. Just don't run it on any centrifuges.

I think these kinds of concerns are more valid for storage systems which serve online traffic or have some kind of connection to the outside world.

replies(2): >>43727566 #>>43745433 #
1. antonvs ◴[] No.43745433[source]
Attackers, whether state-level, corporate, or criminal, all rely on ignorance like this. It also probably involves denial: you want to believe your systems are safe, so you delude yourself into thinking that minimal protections are sufficient.

I wrote a longer comment about this here: https://news.ycombinator.com/item?id=43745423
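
The network policy huntaub describes (storage hosts with no outbound internet access, inbound access only from the application) can be checked against observed traffic, which is one answer to xpe's "What happens when people mess up?". The following is an added example, not code from any commenter or from 3FS; the CIDR ranges, ports and flow records are constructed assumptions.

```python
import ipaddress

# Assumed layout for illustration (constructed, not from the thread).
STORAGE_NET = ipaddress.ip_network("10.20.0.0/24")  # file system hosts
APP_NET = ipaddress.ip_network("10.10.0.0/24")      # application clients

# Constructed flow records: (initiator IP, responder IP, responder port).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.11", 8000),   # application -> storage
    ("10.20.0.11", "10.20.0.12", 8000),  # storage -> storage
    ("10.20.0.12", "203.0.113.7", 443),  # storage host reaching outside
    ("10.30.0.9", "10.20.0.11", 22),     # non-application host -> storage
    ("10.20.0.13", "bad-address", 0),    # malformed record from the collector
]


def classify(src, dst):
    """Return a violation label for one flow, or None if policy allows it."""
    try:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    except ValueError:
        # A record we cannot parse is a finding, not something to skip.
        return "unparseable-record"
    src_storage, dst_storage = s in STORAGE_NET, d in STORAGE_NET
    if src_storage and not dst_storage:
        # Storage hosts should only ever initiate to each other.
        return "egress-outside-cluster"
    if dst_storage and not src_storage and s not in APP_NET:
        # Inbound is allowed from the application network only.
        return "ingress-unapproved"
    return None


def audit(flows):
    """Return [(flow, label)] for every flow that violates the policy."""
    findings = []
    for flow in flows:
        label = classify(flow[0], flow[1])
        if label is not None:
            findings.append((flow, label))
    return findings


if __name__ == "__main__":
    for flow, label in audit(SAMPLE_FLOWS):
        print(label, flow)
```

Run against real flow logs, an empty result is evidence that the isolation is actually holding, and any finding is a lead to investigate regardless of whether the software itself is trusted.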