Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009 -- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
RE[3]: Zealot
by 3rdalbum on Tue 15th Jun 2010 15:26 UTC in reply to "RE[2]: Zealot"
3rdalbum (member since 2008-05-26)

...and it's worse than installing manually software YOU chose to install because you TRUST the repository of the Linux distribution.


I fail to see how it's worse than installing software manually. Debian users got an OpenSSL security update as soon as the vulnerability was patched, because it was in the repository. In fact, not only did it fix the vulnerability, but there were several layers of safety in the patch to identify weak keys and warn the user if they are present, as well as stopping any of the same keys from coincidentally being generated in the future (because any attacker would look for the known weak keys first).

The Debian vulnerability was caused by human error, not by malicious intent as we've seen in the UnrealIRC problem.

One flaw doesn't prove that the system is broken. Multiple flaws do. Internet Explorer 6 isn't broken because of a cross-site-scripting flaw discovered in 2006; it's broken because people keep finding cross-site-scripting flaws in it. The same applies with the repositories.

Score: 2