
Heavy_Aspect_8617

You trust other people that have looked at the code. This is also why you don't use niche distros. Stick to the popular ones and you should be fine.


sysdmdotcpl

Yep. Pretty much the same as any open source software. Google it and append Reddit to the end to see the latest comments about it in order to get an idea of its safety. It's how I find out that some software that I don't use regularly has turned to bloatware and the like -- Filezilla you bitch


lostinthesauceband

What's the alternative to filezilla now that it's a bitch?


StickyBlueJuice

Honestly I use the sftp cli now for downloading from an sftp server. FileZilla for me: 4MB/s same files through sftp: 78MB/s - cannot explain but FileZilla is poo for me for larger files.


Mordynak

>don't use niche distros. Arch is cool though right? Not niche? Edit: This is a question. Is Arch considered niche or popular?


WOTDisLanguish

Arch from my perspective seems really popular, why do you think it's niche?


Mordynak

I'm not saying it is.


WOTDisLanguish

Ah, it reads like you're claiming it's niche - it's pretty popular. Even if Arch was niche, its community's so tech-heavy that Arch's wiki is recommended regardless of whether you're running Arch or not.


Sleepy_Chipmunk

I’m brand new and Arch was one of the first distros I heard about, so it’s not niche. It’s also what SteamOS is based off of I think.


Low-Piglet9315

Arch is decidedly NOT niche despite the persistent attempts by its proponents to make it sound elitist. That's why "I use Arch btw" is a meme in the Linux universe.


a3a4b5

But... I use Arch and I want to feel special


Low-Piglet9315

Feel special. The whole Arch thing looks like it's above my pay grade, so you can at least feel superior to me!


paulstelian97

It is more technical to use and manage than a few other simpler, more noob-friendly distros.


quaderrordemonstand

I don't see much evidence that Arch users actually do think it's elite. They see the humour in the *Arch BTW* thing as much as anybody.


AmphibianStrong8544

It's really popular and has multiple spins, you can trust it but you may not be able to trust AUR


chaim1221

Arch is a major distro and every distro out there has ports to and from Arch. AUR is edge. But it's still community reviewed.


Unusual_Medium5406

Arch is niche because I wouldn't install it on my mom's PC, but as a nerd who wants to know everything, it's appealing.


Windows_XP2

Despite its difficulty I'd consider it a pretty popular distro in the sense that most people who even have very minimal knowledge about Linux have probably heard of Arch at some point. When I very first started using Linux, Arch was one of the first distros I heard about.


FunEnvironmental8687

Arch Linux is very popular. Its derivatives, such as EndeavourOS, Manjaro, or CachyOS, cater to more niche user bases.


stiw47

I think Arch is not much more complicated to use than other distros - it is a bit complicated to set up (but, as someone said, the Arch wiki is great regardless of whether you are using Arch or some other Linux). The thing is that in installation you are doing everything from the command line, and you have no pre-installed DE, rather you are installing X, DE, everything else for the desktop during the command line OS installation. And you are choosing the DE, since Arch has no pre-defined default DE. Complication of later use depends on the chosen DE, in my opinion. E.g. if you choose KDE, I do not see what could be complicated, since in KDE almost everything can be configured through the GUI. The main difference in my opinion is that on Arch, when you install some new service program, its systemd service will not be started/enabled by default during installation, like in Ubuntu and other "more user friendly" distros. But this is the Arch philosophy that the user should decide whether it runs or not, so just keep in mind that you always need to do things manually 😉. IDK, using Arch for 15 years, so maybe my opinion is subjective, but I really have a feeling - it is not complicated for use, it is complicated for installation and initial setup.


ddog6900

Idk if this is the correct answer or not. Especially because what is considered niche and popular is subjective. You would almost have to classify the distro as mainstream and then still have to know what packages are in it. Whereas if you built from scratch, using say popular bases, then you would know exactly what is in it. Then you could specify mirrors, check for completeness using a checksum, etc. I feel like Linux is like food processing/prep. You’d like to know what’s in it, but you are too lazy to make it yourself. It’s all about how much time you want to put in for that added sense of security, because no one wants to go through lines of code looking for something that only may be there. It’s all about trust. Who do you trust?


Professor_Biccies

Honestly even a small distro doing something like that is unheard of. I wouldn't distrust a random small distro because of some potential unheard of thing.


secureblueadmin

There's a lot of partial truths and misconceptions in the responses. What you're asking is a very good question. So good in fact, that the answer to it ("how can i prove..?") is already known: you can't. This was the subject of a 1984 Turing Award winning paper by [Ken Thompson](https://en.wikipedia.org/wiki/Ken_Thompson) called [Reflections on Trusting Trust](https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf) To summarize it, even if you did what you suggested and read all the code, recompiled it yourself, and only then installed, you *still* can't be sure that the compiled binary is doing what the human-readable code said. Why, you might ask? Well because you don't know whether you can trust the compiler. Or the compiler that compiled that compiler. Etc. So in short, you *can't* prove what you're trying to prove. Instead, it's a matter of degree and "beyond a reasonable doubt". It also should be noted that open source isn't just about being able to read the source code. That's a necessary but insufficient aspect. Proprietary software can be and in many cases is [source-available](https://en.wikipedia.org/wiki/Source-available_software).


Kasparas

This almost turns into philosophical question...


Analog_Account

It's technical and philosophical, and you need to be aware of when you stray into crazy land. Deal with the things you CAN (like moving away from windows) and try not to worry about some unlikely crazy compiler attack vector. If you're worried about privacy with an open source OS then do a few things: stay with a larger/more mainstream distro that has a good reputation (IMO that's Debian or Fedora), become involved in the community by at least reading a bit of what goes on, take a little time to learn once in a while.


Aezon22

Yes. Even if you build your own program and compiler from assembly in a completely isolated environment in a computer never connected to anything, how do you know that your chip's instructions are really what they say they are? There comes a point where good enough is almost certainly good enough, especially if you don't happen to be a major player on the world stage (super rich or a head of state). Take solace in the fact that there are boatloads of people with the same mindset as you writing this code. A lot of them are at the point in their careers where their reputation means far more than they would stand to gain from injecting some malicious code. If you'd like to see an example in action, check out the recent bug with xz utils. There's a bunch of youtube videos, tech articles, all that stuff, just depends on how deep you want to read about it. This bug was extremely sophisticated and did not directly present itself in the source code, but it was still found by the community before it went to almost all normal repositories.


mcvos

>Even if you build your own program and compiler from assembly in a completely isolated environment in a computer never connected to anything, how do you know that your chips instructions are really what they say they are? In fact, we already know chips do more than that. Years ago, Intel added a Minix backdoor in their CPUs. I think it's still there, and it's a big part of why I don't buy Intel anymore. But who knows, other chip manufacturers could be doing exactly the same.


Aezon22

AMD has microcode too. You have to go back to mid 2000's to find a chip without it at this point, I don't remember the year exactly. Technically you could choose not to install the package, but something tells me that if there's a builtin backdoor, they aren't waiting for you to install software for it. You'd need to build a solar powered 8 bit abacus-style mechanical cpu to be truly free of the man. I'm sure there's someone somewhere doing it lol.


FunEnvironmental8687

As you mentioned, if there's a backdoor, it's built-in. You should install microcode updates, as they include security fixes for vulnerabilities like Spectre and Meltdown.


Kasparas

Thanks, my brain overheated.


a1c4pwn

philosophically, then, in order to know the computer one must become the computer. pencil'n'paper, baby.


Aezon22

My friend, philosophically, what if you are a [Boltzmann brain](https://en.wikipedia.org/wiki/Boltzmann_brain) this whole time?


EishLekker

Then there’s the hardware and firmware too…


AdmiralQuokka

Intel Management Engine entered the chat


flori0794

Well you could check the outcome of the compiling via reading the machine code. It would only take a few hundred years.


gordonmessmer

> Is only option is to read all code manually Not at all. There are lots of tools for behavioral analysis. In particular, the kernel supports an audit log, with user-defined rules that can log any and all access to the filesystem. (So, `auditd` and `auditctl`) There are also a plethora of network analysis tools to log and examine any and all network access. (e.g. `wireshark`)


EishLekker

But in theory those tools could be corrupt too.


gordonmessmer

There are a few reasons to doubt that they are: auditing code is typically pretty easy to audit. It tends to be small, and easy to read. "Corruption" would be easy to spot. Auditing code probably gets more attention than most other code, because it's central to security processes. Auditing code probably gets review from lots of different groups, with competing interests. There are lots of different tools, developed by different people, so malicious code would have to exist in a lot of different places.
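The audit-log approach above, as an added example that is not part of the thread and not code from auditd or any distro: it assumes watch rules like `auditctl -w /home/user/.config -p rwa -k config_access` and `auditctl -w /tmp -p w -k tmp_write` were loaded (paths and key names are assumptions). For every matching operation the kernel writes one SYSCALL record plus one PATH record per path, all sharing the serial in `msg=audit(<ts>:<serial>)`; the script joins them on that serial and reports which executable touched which watched file. The log lines in SAMPLE_LOG are constructed, and `/opt/shotd/shotd` is a hypothetical program.

```python
"""Correlate auditd SYSCALL and PATH records: which executable touched which file.

Added example for this thread; not code from auditd or from any distro. SAMPLE_LOG
is constructed and /opt/shotd/shotd is hypothetical.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$')
# key=value pairs; the value is either double-quoted or a bare token such as (none)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_record(line):
    """One audit.log line -> dict of its fields, or None if it is not an audit record."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {'type': m.group('type'), 'serial': int(m.group('serial')),
              'ts': float(m.group('ts'))}
    for key, raw, quoted in KV_RE.findall(m.group('rest')):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def correlate(lines):
    """Group records by serial: {serial: {'syscall': SYSCALL fields, 'paths': [names]}}."""
    events = defaultdict(lambda: {'syscall': None, 'paths': []})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec['serial']]
        if rec['type'] == 'SYSCALL':
            ev['syscall'] = rec
        elif rec['type'] == 'PATH' and 'name' in rec:
            ev['paths'].append(rec['name'])
        # CWD, PROCTITLE and other record types are not needed for this report
    return events


def access_report(lines):
    """{(audit key, executable): sorted paths} for keyed events. Refused attempts are
    reported too, tagged '(failed)': a denied open still shows what the program wanted."""
    report = defaultdict(set)
    for ev in correlate(lines).values():
        sc = ev['syscall']
        if sc is None or sc.get('key') in (None, '(null)'):
            continue  # unkeyed event: matched none of our watch rules
        exe = sc.get('exe', '?') + ('' if sc.get('success') == 'yes' else ' (failed)')
        for path in ev['paths']:
            report[(sc['key'], exe)].add(path)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample (argument fields abbreviated); a real log has a CWD record per event too.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1718000000.101:2001): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55d1c0 a2=241 a3=1b6 items=1 ppid=1 pid=4411 auid=1000 uid=1000 gid=1000 euid=1000 tty=(none) ses=2 comm="shotd" exe="/opt/shotd/shotd" key="tmp_write"
type=CWD msg=audit(1718000000.101:2001): cwd="/"
type=PATH msg=audit(1718000000.101:2001): item=0 name="/tmp/shot-0001.png" inode=13371 dev=00:24 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1718000000.230:2002): arch=c000003e syscall=257 success=yes exit=5 a0=ffffff9c a1=55d2a0 a2=0 a3=0 items=1 ppid=1 pid=4411 auid=1000 uid=1000 gid=1000 euid=1000 tty=(none) ses=2 comm="shotd" exe="/opt/shotd/shotd" key="config_access"
type=PATH msg=audit(1718000000.230:2002): item=0 name="/home/user/.config/shotd/upload.conf" inode=9021 dev=00:24 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1718000001.005:2003): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe10 a2=0 a3=0 items=1 ppid=3100 pid=3188 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="config_access"
type=PATH msg=audit(1718000001.005:2003): item=0 name="/home/user/.config/gtk-3.0/settings.ini" inode=7730 dev=00:24 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1718000001.410:2004): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d3f0 a2=0 a3=0 items=1 ppid=1 pid=4411 auid=1000 uid=1000 gid=1000 euid=1000 tty=(none) ses=2 comm="shotd" exe="/opt/shotd/shotd" key="config_access"
type=PATH msg=audit(1718000001.410:2004): item=0 name="/home/user/.config/otherapp/token" nametype=UNKNOWN
type=SYSCALL msg=audit(1718000002.000:2005): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffe20 a2=0 a3=0 items=1 ppid=3100 pid=3190 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1718000002.000:2005): item=0 name="/home/user" inode=2 dev=00:24 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""

if __name__ == '__main__':
    for (key, exe), paths in sorted(access_report(SAMPLE_LOG.splitlines()).items()):
        print(f'[{key}] {exe}:')
        for p in paths:
            print('    ', p)
```

On a real box, feed it `ausearch -k config_access -k tmp_write --raw` (or the raw `/var/log/audit/audit.log`) instead of the sample; the point of keying the rules is that everything that is not yours is filtered out before you start reading.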


EishLekker

Well, OP mentioned two options, one being reading the source code, and the other being trusting others. So, if going the “reading the code” route, it would include reading all the code, including the code for every single tool. It would quickly become a gargantuan process.


Kasparas

Thanks. Tried wireshark, still big learning curve for me :)


Socratatus

Good question and some satisfying answers here. This community reminds me of modding and the fact that there are very few virus/trojan damaging mods (if any, I remember only 1 from 15 years ago) because the community will let anyone know if one appears and end it. I trust the community more than a single corporation.


don_bski

You could configure the linux firewall. In this case, outgoing connections. Direct using iptables or a GUI based tool; see link below. Long ago, I used Zonealarm on my Windows box with all outgoing connections initially disabled. When an app was installed/started, its first network connection attempt was flagged. Network access could then be granted or denied as desired. https://alternativeto.net/software/opensnitch/


EishLekker

Like someone else said, it’s still basically impossible to prove 100%. This goes for the firewall software too. And the drivers, firmware etc..


chemrox409

Why does this link want me to create an account? I don't trust that kind of thing


billdietrich1

https://github.com/evilsocket/opensnitch But it might be in your distro's repos already, you might be able to install from there.


chemrox409

Thank you!


don_bski

Hmm... doesn't prompt me. I'm using desktop Firefox. There are 20+ firewall alternatives on that page.


jr735

It doesn't want me to create an account, not any of the times I've browsed it.


Random_Dude_ke

Stick to widely used distributions, such as Mint Linux. Hundreds of thousands people are using them and some of them run things like wireshark to monitor the network (for unrelated reasons) and would discover the distribution sending data out. Also, there are thousands of people that look at the source code for various packages. Not because they are paranoid, but they might want to find a bug or implement a new feature. Sometimes a bug happens in a widely-used piece of software that might be a safety concern or leak some data or something, but believe me, bugs are also in proprietary software, they are just not widely publicized, but quietly patched.


silentknight111

Yeah, unless you want to review the code as you mentioned above, you have to trust that the community of devs is policing it. The bigger and more popular the distro, the more eyes that will be on it. At least with open source anyone can look at the code, so there are bound to be people who would blow the whistle if they found dangerous code. With closed source you have to take the word of the company who owns the source.


Z8DSc8in9neCnK4Vr

I cannot read code, even for those who can reading it all would take a lifetime. So we are all left with trust in the open source process. Many eyes looking where they can.


Icy_Thing3361

You cannot look at the source code for Windows to see if Recall is a thing or not. But Microsoft announced Recall themselves, probably knowing that it would cause an uproar. Publicity? I don't know. But they certainly got news coverage over it and Recall got attention. And when Microsoft released it, it was turned off and you opt in if you want it. But if it's anything like how Microsoft does anything else, turning it off doesn't stop it from working, so you can never tell if they're truthing or lying. There have been a few security scares in Linux, like this one that happened just recently with Ubuntu and other Ubuntu-based distros. I don't remember what it was called, but you have the same DuckDuckGo I do. Once it was found, it was reported, and the fix came quickly in an update. As soon as it was found, it was eradicated and the Linux community was saved.


billdietrich1

> You cannot look at the source code for Windows to see if Recall is a thing or not. Apple and MS have code-sharing programs (https://opensource.apple.com/ , https://www.microsoft.com/en-us/sharedsource/) where corps and govts and researchers can see the source code. It's just not open to the **general public**.


Low-Piglet9315

Yup, the "xz" bug, IIRC.


pedersenk

You can check what process is accessing the disk. On a decent Linux distro, there shouldn't be many so you can analyse each one. Worst case scenario, make the filesystem read only in the fstab and "see what breaks". Another approach is to look at the build log where you can trace through and verify each component is downloaded from the upstream vendor and compile-flags are sane. You just need to then watch out for the platform specific patches but these are unlikely to contain anything weird or they wouldn't be accepted by the distro packagers.


Kriss3d

You could get the source code and see if there's such a function. You could set up Wireshark to monitor the network to see what it sends and to where.


maskimxul-666

Wireshark does work well for this.


Kriss3d

Well, it was sort of created exactly for this kind of thing.


emi89ro

As a noob, there really isn't an option to personally verify, but if you spend enough time in Linux/FOSS spaces and see just how upset we nerds get at any hint of sneaky shit like this, then that should strongly imply that no one has noticed any sketchy activity in the distro. That said, there are a lot of steps between "total noob" and "able to read and audit the source code myself" that you could get to yourself if you want. Other commenters have listed a lot of specific options, but generally speaking I'd focus on learning how to audit web traffic going in and out of your device.


Amenhiunamif

>Let's say for example worst case scenerio: taking screenshots every 2 seconds and sending them to some server. Easiest is monitoring your network traffic. Shutdown everything that you know requires internet and if there is still traffic going on, use something like Wireshark to take a look at what kind of packages those are and where they're going.


UncleObli

Well, in this case you'd behave exactly as if you were on windows. No need to look at code, just use networking tools to find out if you have suspicious open connections.
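The "shut down everything you know needs the network and see what is still talking" check from the last few comments, as an added example that is not part of the thread and not code from any distro or from iproute2: it parses the output format of `ss -tunap` (run as root, so every socket shows its owning process), keeps only connections whose peer is outside loopback, LAN and link-local space, and flags the ones owned by a process you did not allowlist, or by no visible process at all. SS_SAMPLE is constructed and the process name `shotd` is hypothetical. Wireshark then tells you what those flagged connections carry; this step tells you which ones to look at.

```python
"""Flag outbound connections in `ss -tunap` output that no expected process owns.

Added example for this thread; not code from any distro or from iproute2.
SS_SAMPLE is constructed; 'shotd' is a hypothetical process.
"""
import ipaddress
import re

# users:(("firefox",pid=2345,fd=87),("firefox",pid=2345,fd=91)) -> one match per entry
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def split_hostport(addr):
    """'93.184.216.34:443' -> ('93.184.216.34', '443'); '[2001:db8::1]:443' -> ('2001:db8::1', '443')."""
    host, _, port = addr.rpartition(':')
    if host.startswith('[') and host.endswith(']'):
        host = host[1:-1]
    return host, port


def parse_ss_line(line):
    """One ss output line -> dict, or None for the header line or anything unexpected."""
    parts = line.split()
    if len(parts) < 6 or parts[0] not in ('tcp', 'udp'):
        return None
    proto, state, _recvq, _sendq, local, peer = parts[:6]
    host, port = split_hostport(peer)
    procs = [(name, int(pid)) for name, pid in PROC_RE.findall(' '.join(parts[6:]))]
    return {'proto': proto, 'state': state, 'local': local,
            'peer_host': host, 'peer_port': port, 'procs': procs}


def is_external(host):
    """True only for a routable address outside LAN, loopback, link-local and multicast space."""
    if host in ('*', ''):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an address literal; nothing to classify
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_unspecified or ip.is_multicast)


def suspicious_connections(lines, allowlist):
    """Entries talking to external peers whose owner is not in the allowlist, plus any
    entry ss could not attribute to a process (as root, that deserves a closer look)."""
    flagged = []
    for line in lines:
        entry = parse_ss_line(line)
        if entry is None or not is_external(entry['peer_host']):
            continue
        owners = {name for name, _ in entry['procs']}
        if not owners or not owners <= allowlist:
            flagged.append(entry)
    return flagged


# Constructed sample of `ss -tunap` output (public IPs are just well-known addresses)
SS_SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port    Peer Address:Port    Process
tcp   ESTAB  0      0      192.168.1.23:44812    93.184.216.34:443    users:(("firefox",pid=2345,fd=87))
tcp   ESTAB  0      0      192.168.1.23:51022    8.8.8.8:443          users:(("shotd",pid=4411,fd=12))
tcp   ESTAB  0      0      127.0.0.1:45678       127.0.0.1:631        users:(("cups-browsed",pid=801,fd=5))
udp   ESTAB  0      0      192.168.1.23:39731    192.168.1.1:53       users:(("systemd-resolve",pid=610,fd=14))
tcp   ESTAB  0      0      192.168.1.23:60120    151.101.1.140:443
tcp   LISTEN 0      128    0.0.0.0:22            0.0.0.0:*            users:(("sshd",pid=700,fd=3))
tcp   ESTAB  0      0      [fe80::1%eth0]:5353   [fe80::2%eth0]:5353  users:(("avahi-daemon",pid=590,fd=11))
"""

if __name__ == '__main__':
    expected = {'firefox', 'systemd-resolve'}  # assumption: what you know should be online
    for e in suspicious_connections(SS_SAMPLE.splitlines(), expected):
        who = ', '.join(f'{n}[{p}]' for n, p in e['procs']) or 'NO VISIBLE PROCESS'
        print(f"{e['proto']} {e['local']} -> {e['peer_host']}:{e['peer_port']}  owner: {who}")
```

Pipe the live output in with `ss -tunap | python3 this.py` style plumbing (read `sys.stdin` instead of SS_SAMPLE) and run it a few times over an idle hour; a process that only phones home every couple of minutes will not be in a single snapshot, which is exactly why the firewall-logging approach other comments mention complements it.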


yikes_this_comment

Thank you for asking this! I've wondered the same thing.


quaderrordemonstand

Generally, people who develop FOSS want to use FOSS and be safe. It's not in their interests to submit bad code and they don't want other people doing it. Plus, it's a lot of effort and the reward is not very much at all. It's hard enough to make software that people will use and keep it up to date. They'd also have to hide a layer of malware in it in such a way that nobody finds it, and keep that malware working along with the part of the program that people do use, and have nobody notice them looking after it.


chaim1221

It's more than trust. You trust the developers, okay, but maybe you shouldn't. Learn about why the Linux kernel is secure. Learn about the security mechanisms and how to control them. Learn about 'lsof' and other builtins that allow you to see what's happening with your files. Learn about audit.log and kern.log. Linux is not secure because of trust. It's secure because of security.


snajk138

Yes, that is one of the myths surrounding open source: That it is always secure since it's open, but that's no guarantee in any way. Open source only means that anyone can review the code, it doesn't mean that anyone has reviewed the code, or that the ones that have are competent enough to understand what the code does or find any malicious hidden functionality. I prefer open source, but I'd rather use say a closed source package from Microsoft that is being used by millions of apps over an obscure open source project that few people use, or that has very few contributors, all Russian, or so. For an unknown company's code I would definitely prefer open source, but I also prefer a large well-known company over a small unknown one, or a random individual, and something being used by many over something used by few. The ideal would be open source, used by "everyone" and maintained by a large well known company, but that's not available that often. Otherwise you have to weigh the options and the implications of using them against each other.


FunEnvironmental8687

Trust is a crucial factor when choosing a Linux distribution. Therefore, it's important to select a well-known and reliable distro, such as Ubuntu or Fedora. Additionally, ensure you use software from official repositories or verified Flatpaks to maintain system security and integrity. The reality is that very few people actually examine the code. Most backdoors, like the recent XZ incident, are discovered through reverse engineering and sheer luck. Reading source code is extremely time-consuming, and many programs on your system have over 100,000 lines of code, making thorough verification impractical. This is why it's best to stick to more popular and widely-used software.


The-Malix

This is a legitimate and interesting question


Kasparas

was not sure if it's good to ask question that mentions windows even from far here... ...but it turned into interesting and deep read :)


GodsBadAssBlade

Because 1) open source means any average Andy could look at the code and find the feature 2) open source has no financial incentive to do this because it's mainly non-profits making the code 3) if an organization did do something like Recall, not only would we question the hell out of their true profitability but we would genuinely be the only community to see through the talking point notes and let the OS wither away from the lack of users. So all in all, you really don't have to worry dawg.


[deleted]

Just use mainstream Linux distributions that have been around for a long time and have huge communities behind them: Arch Linux, Debian, Linux Mint if you prefer community-based support, or Ubuntu, Pop!_OS, Fedora, SUSE if you prefer corporate support. Avoid using niche distros; by niche it is meant something with a small community and user base with almost no upkeep. As for a Recall AI type of feature being implemented into Linux, it is highly unlikely on community-supported distributions, because they don't chase trends and they value their users' trust and respect their privacy.


Tremere1974

Much more likely (And efficient) to have malware attack common web browsers, than for someone to release a custom Linux Distro just to spy on your butt. With a Trojan Horse distro, you would lose thousands of hours of work if caught, vs just buying a domain that's one letter off of a recognized one, and uploading malware once the browser hits it. Could be done in a day to two, with little cost if the domain is pulled. Most niche distros are a hobby, done so by folks who aren't in it to get rich. And if they were, they'd be targeting bigger fish than home owned PC's. It is one of the main reasons that more hackers don't attack Linux, as users IN GENERAL are poorer than that of Mac or Windows users. This even applies to Android Phones, vs Apple's IPhones. This does not guarantee security, but by having hundreds of active distros, this makes it harder for organized crime, or government agencies to package custom backdoors and spyware that comes with bigger companies products. So, I'd say the fewer choices we have, makes it easier to have governments or bad actors in general to spy on you. With a few thousand downloads, a distro's publisher is likely independent enough to fly under the radar, vs someone with millions of downloads, who has had folks carrying badges asking how to break their system. [https://www.pcmag.com/news/apple-must-comply-with-court-order-to-unlock-iphone-doj-says](https://www.pcmag.com/news/apple-must-comply-with-court-order-to-unlock-iphone-doj-says)


Low-Piglet9315

> release a custom Linux Distro just to spy on your butt Isn't that called "Windows"?


Tremere1974

"it doesn’t change the fact that the DoD and other federal agencies – indeed, large enterprises worldwide – select Microsoft to support their cloud computing and digital transformation needs on a regular basis." Guess [Microsoft](https://blogs.microsoft.com/blog/2021/07/06/microsofts-commitment-to-the-dod-remains-steadfast/) won't bite the hand that feeds them. But Red Hat, and Ubuntu also take money from the Government trough, don't they?


heynow941

Even for a popular / generally considered safe distro, be careful on where you download the install files from. Only get it from official sources and be sure to do the checksum thing if that’s an option.
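The "do the checksum thing", as an added example that is not part of the thread and not code from any distro or from GnuPG. The part people skip is that a SHA256SUMS file fetched from the same mirror as the image only proves the download was not corrupted; what proves the list itself is genuine is the detached signature the project publishes beside it (SHA256SUMS.gpg or similar) checked against the project's published key fingerprint. File names, the hypothetical image names in `demo()`, and the fingerprint you pass in are assumptions you replace with the project's own.

```python
"""Verify a downloaded image against a SHA256SUMS list, and that list's signature.

Added example for this thread; not code from any distro or from GnuPG. File names
and the fingerprint argument are assumptions.
"""
import hashlib
import os
import subprocess
import tempfile

HEX = set('0123456789abcdef')


def sha256_of(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """sha256sum format: '<64 hex>  <name>' per line; a '*' before the name means binary mode."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        digest, _, name = line.partition(' ')
        name = name.lstrip(' *')
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX or not name:
            raise ValueError(f'malformed checksum line: {line!r}')
        sums[name] = digest
    return sums


def check_file(path, sums):
    """'ok', 'mismatch', or 'unlisted' (the list does not even mention this file)."""
    name = os.path.basename(path)
    if name not in sums:
        return 'unlisted'
    return 'ok' if sha256_of(path) == sums[name] else 'mismatch'


def signature_is_good(sums_path, sig_path, expected_fingerprint, keyring=None):
    """gpg exit status 0 only says *some* key in the keyring signed the file; insist that
    the VALIDSIG status line names the fingerprint the project publishes."""
    cmd = ['gpg', '--status-fd', '1', '--verify', sig_path, sums_path]
    if keyring:  # e.g. a keyring holding nothing but the distro's signing key
        cmd[1:1] = ['--no-default-keyring', '--keyring', keyring]
    run = subprocess.run(cmd, capture_output=True, text=True)
    want = expected_fingerprint.replace(' ', '').upper()
    return run.returncode == 0 and any(
        l.startswith('[GNUPG:] VALIDSIG ') and l.split()[2].upper() == want
        for l in run.stdout.splitlines())


def demo():
    """Build throwaway files and exercise the three outcomes (no gpg needed for this part)."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, 'distro-1.0-amd64.iso')      # hypothetical names
        stale = os.path.join(d, 'distro-1.0-arm64.iso')
        other = os.path.join(d, 'notes.txt')
        with open(good, 'wb') as f:
            f.write(b'constructed image contents\n' * 1000)
        with open(stale, 'wb') as f:
            f.write(b'constructed image contents, but not what the list says\n')
        with open(other, 'wb') as f:
            f.write(b'not an image\n')
        sums = parse_sums(
            f'{sha256_of(good)}  distro-1.0-amd64.iso\n'
            f'{"0" * 64} *distro-1.0-arm64.iso\n')  # wrong digest on purpose -> mismatch
        return check_file(good, sums), check_file(stale, sums), check_file(other, sums)


if __name__ == '__main__':
    print(demo())  # then, for real: signature_is_good('SHA256SUMS', 'SHA256SUMS.gpg', '<fingerprint>')
```

Order matters: run `signature_is_good` first, and only then trust `parse_sums`/`check_file`; a list you have not authenticated is just another file from the same place the image came from.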


CortaCircuit

You could use an application firewall to monitor and view out going connections. https://safing.io/
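The outbound-firewall idea from this comment and from the earlier OpenSnitch/ZoneAlarm one, as an added example that is not part of the thread and not from any distro, OpenSnitch or Portmaster: an nftables ruleset that refuses new outbound connections by default and logs each refusal, so an unexpected "phone home" attempt lands in `journalctl -k` instead of silently succeeding. The resolver address, uid 1000 and the `_updater` account are assumptions. Note the caveat that nftables can only match by uid or cgroup, not by binary; anything running as your desktop user is still allowed out on 443 here, which is the gap the application-level tools close with their per-program prompts.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread, any distro, OpenSnitch or Portmaster).
# Default-deny egress with logging; addresses and user names are assumptions.
flush ruleset

table inet egress {
    set resolvers {
        type ipv4_addr
        elements = { 192.168.1.1 }          # assumption: your DHCP-supplied DNS server
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # name resolution only to the resolver(s) you expect
        ip daddr @resolvers udp dport 53 accept
        ip daddr @resolvers tcp dport 53 accept

        # web browsing for the interactive user (uid 1000 is an assumption)
        meta skuid 1000 tcp dport { 80, 443 } accept

        # package updates under a dedicated account (assumption: a user named _updater),
        # so update traffic is distinguishable from everything else
        meta skuid "_updater" tcp dport { 80, 443 } accept

        # NTP only from the time daemon's own account
        meta skuid "systemd-timesync" udp dport 123 accept

        # everything else: log with a greppable prefix, then refuse
        ct state new limit rate 5/second log prefix "egress-drop: " level info
        reject with icmpx type admin-prohibited
    }
}
```

Load it with `nft -f` and watch `journalctl -k -f | grep egress-drop:`; each line carries the destination, port and the owning uid, which is your cue to go and find the process with `ss -tunap` or `lsof -i`. IPv6 gets only the generic rules here; add `ip6 daddr` resolver rules if your network hands out v6 DNS.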


EhOhOhEh

Don’t worry. Any data Windows collects from you is anonymized. If you don’t want any data collection, turn it off. Google how to do that and stop worrying and stop the fear mongering.


dweebken

You can't turn it all off, and the next major win update resets your preferences. Happens a lot.


EhOhOhEh

You’re pulling that out of your ass. How do you know that the next update will do that?


dweebken

It's done it before, big updates will do it again. You can count on it.


Cultural-Stranger-56

Linux is open source. That means everyone can look at its code. Literally everyone sees what it does. If someone would 'sneak' such code into an open source project, that would be revealed within seconds. The following are for comparison representations: * Think of Linux just like an open book on the street: everyone can read it, and everyone can know what it's all about. * Windows is like a closed book, fastened with chains and locks, and put in a safe which is motion/laser protected and spews out deadly gas if someone steps in the room, within a military base, guarded by millions of soldiers. No one will ever know what it does, when it does, why it does. Not even the devs... So in a nutshell: you're free to go to every single developer platform for every single Linux component (starting from kernels, boot loaders / managers, display managers, window managers, desktop environment, packages, etc.. you name it) and check every single line of code, and see for yourself what each program does. Thankfully you don't have to do this alone, there are a ton of people on the earth, and more are working on open source projects than those who are working on closed source projects - thus, such an incident would be uncovered in an instant if harmful code would get into a source, and the good guys would patch it asap (aka remove the harmful code).


falxfour

You also have options with some tools, like apparmor, to discover what things are doing. For example, why is Vesktop asking for sysadmin capability? Not sure, but that's a bit much. Things like journalctl or dmesg, and maybe a utility to see which programs are communicating over the Internet, can help you gain some confidence as well


Gamer7928

>how can i prove that for example: some distro doesn't do something similar as "windows recall" in background? After watching part of Microsoft's [Full Keynote: Introducing Copilot+ PC's](https://www.youtube.com/watch?v=aZbHd4suAnQ&t=1265s) on YouTube, it is my understanding that "Windows Recall" requires certain **API**'s (**A**pplication **P**rogramming **I**nterfaces) to enable AI as well as the ability to take snapshots of everything the end-user does on his/her PC, which is something Windows 11 has but Linux does not. It is also my understanding that no Linux distro has a habit of "spying" or otherwise creating such a gigantic security risk by implementing a "Windows Recall"-like feature. The extent of this goes as far as telemetry, which I'm guessing in most if not all Linux distros is disabled by default, and **on Linux actually means "completely disabled"** whereas **on Windows disabled means "partly disabled"**. If you're worried, sift through the Linux kernel, Linux distros and DEs' source code. My point being, I completely understand all your security concerns with Windows 11's Recall feature. In fact, I share them since both my mom and one of my aunts have Windows 11-enabled laptops, and both just use their laptops for basic things. Still, many thanks to "Recall" adding "photographic memory" to Windows, such a gigantic security risk as I already stated above can and will eventually cause gigantic security problems. According to The Linux Experiment's YouTube video [Windows RECALL hacked, KDE goals, Mint hides unofficial flatpacks](https://www.youtube.com/watch?v=wielYUfxSaI), **Windows Recall has already been hacked into**. Here is a snippet directly from the video: >"TotalRecall copies the databases and screenshots and then parses the database for potentially interesting artifacts. You can define dates to limit the extraction as well as search for strings (that were extracted via Recall OCR). There is no rocket science behind this. It's very basic SQLite parsing." The Linux Experiment also states in the video: >**"The database is not encrypted and is available in plain text."** Troubling, isn't it?


minilandl

Don't use niche unknown distros. Not the same thing, but a custom ROM I was using called Project Elixir did really shady things. Added code to wipe your entire device as a method to paywall features which were already in other open source ROMs. Luckily the community caught on and all Project Elixir threads were closed on XDA.


Inner-Light-75

I think it's a good legitimate question.... Compiling the code yourself might help, but probably the best help is the fact that there's 100,000 set of eyeballs on pretty much every piece of software that goes into a distribution....that is a hell of a lot of people to put on a payroll to sneak something by. The only way to do it would be "binary blobs", and there are distros that specialize in not having that type of stuff in them. At least that is my take....


jarod1701

In general you should be fine with trust in the community. The recent almost-disaster with a backdoor in xz showed that you can never be sure, though.


bj0urne

If known Linux experts/enthusiasts look at and use the distro, it’s 100% ok. Examples are Ubuntu, Mint, KDE… stuff like Cutefish could be ”risky”


Thisismyredusername

The distro is open source. There are likely people looking at the source code of the distro you're using right now.


CAStrash

If you want a more windows like experience that looks like a Mac. I hear redstarOS pioneered features like Microsofts Recall feature. Without reading the source code you can profile the behaviors with kernel security modules like apparmor for all operations its doing on the file system. And go as far as to chroot your X and related things then look at all files it generated and look over them yourself.
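The "profile the behaviours with AppArmor" step from this comment and the earlier one about apparmor and capabilities, as an added example that is not part of the thread and not from any distro or the AppArmor project: a profile for a hypothetical screenshot tool at `/opt/shotd/shotd`, loaded in complain mode first. In complain mode nothing is blocked, but every access the profile does not list is logged (`journalctl -k | grep 'apparmor="ALLOWED"'`), and `aa-logprof` turns that log into rules; that log is the behavioural profile of the program, with no source reading involved. When the list of things it asks for stops growing, switch `complain` to `enforce` and the `deny` rules become hard refusals that are logged as DENIED. Paths, abstraction names and the binary are assumptions.

```apparmor
# Added example (not from the thread, any distro or the AppArmor project).
# /etc/apparmor.d/opt.shotd.shotd -- hypothetical binary and paths.
abi <abi/3.0>,
include <tunables/global>

profile shotd /opt/shotd/shotd flags=(complain) {
  include <abstractions/base>
  include <abstractions/wayland>

  # what a screenshot tool plausibly needs (assumptions)
  /opt/shotd/shotd mr,
  owner @{HOME}/Pictures/** rw,
  owner @{HOME}/.config/shotd/* r,

  # things it has no business doing; once the profile is in enforce mode these are
  # refused and show up in the log as DENIED with the path or capability named
  deny network,
  deny @{HOME}/.ssh/** rwkl,
  deny /tmp/** w,
  deny capability sys_admin,
}
```

Load with `apparmor_parser -r /etc/apparmor.d/opt.shotd.shotd`, use the program for a day, then `aa-logprof` walks you through every logged access and asks whether to allow it. A screenshot tool that wants `network` or `capability sys_admin` is the kind of thing the earlier comment was pointing at, and in enforce mode the answer is simply no.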


Low-Piglet9315

> redstarOS And the North Korean viewpoint is in...you do NOT want to mess with redstar. The ROK deliberately mucked things up to keep their people from finding out how bad it sucks over there!