I don’t think you’ll find another major repo with so many real-world incidents though. Whether this is because of a systemic problem or just because it’s targeted more frequently, I’m not sure.

I’ve also had Macs online for years without issue.

I guess it only applies to “ephemeral” ports 49152–65535, though I’m not sure what range macOS actually uses. Wikipedia has numbers for Linux and various Windows versions but not macOS: https://en.wikipedia.org/wiki/Ephemeral_port

So does that mean typical desktop usage, like email, web browsing, SSH, etc. would be unaffected? Anyone have any insight on this? I’m not a networking expert myself.

I can’t believe the claim that “everything else dies” when that goes directly against observed reality.

If I understand you correctly: 63.4% odds of having at least one hallucination.

The simple way to calculate the odds of getting at least one error is to calculate the odds of having ZERO, and then inverting that.

If the odds of a single instance being an error is 1%, that means you have a 99% chance of having no errors. If you repeat that 100 times, then it’s 99% of 99% of 99%…etc. In other words, 0.99^100 = 0.366. That’s the odds of getting zero errors 100 times in a row. The inverse of that is 0.634, or 63.4%.

This is the same way to calculate the odds of N coin flips all coming up heads. It’s going to be 0.5^N. So the odds of getting 10 heads in a row is 0.5^10 = ~0.0977%, or 1:1024.

Edit: This is assuming independence of all 100 prompts, which is not generally true in a single chat window, where each prompt follows the last and retains both the previous prompts and answers in its context. As the paper explains, error rate tends to increase with context length. You should generally start a new chat rather than continue in an existing one if the previous context is not highly relevant.

For most: yes, there is a risk that the vendor has included a backdoor. There is also the risk that they are straight-up lying about how their service operates.

For Signal in particular: You can verify that their claims are true because you can audit the source code.

The Signal client is open-source, so any interested parties can verify that it is A) not sending the user’s private keys to any server, and B) not transmitting any messages that are not encrypted with those keys.

Even if you choose to obtain Signal from the Google Play Store (which comes with its own set of problems), you can verify its integrity because Signal uses reproducible builds. That means it is possible for you to download the public source code, compile it yourself, and verify that the published binary is identical. See: https://github.com/signalapp/Signal-Android/tree/main/reproducible-builds

You might not have the skills or patience to do that yourself, but Signal has undergone professional audits if anyone ever discovers a backdoor, it will be major news.

You are more likely to be compromised at the OS level (e.g. screen recorders, key loggers, Microsoft Recall, etc.) than from Signal itself.