|
|
|
|
|
|
by bigyabai
287 days ago
|
|
|
Kali Linux is a pentesting distro. It's not claimed to be secure and AFAIK it makes deliberately insecure design decisions to enable spoofing/SDR attacks. Are reproducible builds and supply-chain audits enough to trust the binaries?
No. But for most applications trust isn't really required. What strategies exist for spotting subtle backdoors in such large codebases?
It's not hard. For big projects, contributors are usually a tight-knit group that heavily scrutinize any outsider PRs. By creating a rigorous system of code review (and implementing reminders for bad dependencies) you can deter backdoors decently well. For hardware, how do you approach the risk of compromised firmware, microcode, or hidden subsystems
You cannot. Do projects like Coreboot, Heads, or formally verified kernels meaningfully reduce this risk in practice?
No, but if properly configured they can reduce attack surface as-advertised. Beyond reading every line yourself, what’s the best way to build confidence?
I know this is a dumb answer, but "be smart" will get you a really long ways. Stick to the main roads, don't use software developed by 2 or 3 people if your personal security is paramount. Keep your systems slim and minimally networked, route any home servers through a VPN or proxy to prevent it from being harassed on the open internet. |
|
|