Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430085
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[2]: Comment by flanque
by sakeniwefu on Tue 15th Jun 2010 10:26 UTC in reply to "RE: Comment by flanque"
sakeniwefu
Member since:
2008-02-26

It's not a security problem at all. At least not at the OS level.

If the people running the server had sent their tainted app to Apple, then you would be able to pay to have a Trojan in your iPhone. Until Apple took it down because it allows for extra functionality.

But still, Windows and Linux security are on the same league. In the case of Linux it is more aggravating if anything because the features are there somewhere, only disabled or enabled with holes. I am no elite hacker and I can still go from gets() to arbitrary command execution in my latest Ubuntu Karmic amd64 with the default options. All because of dubious GCC "optimizations".

Reply Parent Score: 3

RE[3]: Comment by flanque
by lemur2 on Tue 15th Jun 2010 10:38 in reply to "RE[2]: Comment by flanque"
lemur2 Member since:
2007-02-17

It's not a security problem at all. At least not at the OS level.

If the people running the server had sent their tainted app to Apple, then you would be able to pay to have a Trojan in your iPhone. Until Apple took it down because it allows for extra functionality.

But still, Windows and Linux security are on the same league. In the case of Linux it is more aggravating if anything because the features are there somewhere, only disabled or enabled with holes. I am no elite hacker and I can still go from gets() to arbitrary command execution in my latest Ubuntu Karmic amd64 with the default options. All because of dubious GCC "optimizations".


It is not at all difficult to write malware for any system at all.

The only place that people can put obstacles in the way is to prevent malware from getting on to a system in the first place.

The system of open source repositories in conjunction with package managers is the only system for distributing a complete set of software devised to date that has a good record in respect of malware.

You could indeed write code that exploited functions in Linux to get to execute arbitrary code (such as a keylogger), but that will not help you in your malicious intent against Linux users if you cannot get them to install your malware installer in the first place.

Reply Parent Score: 2

RE[4]: Comment by flanque
by sakeniwefu on Tue 15th Jun 2010 11:51 in reply to "RE[3]: Comment by flanque"
sakeniwefu Member since:
2008-02-26

It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.

The problem at hand could have indeed been solved using trusted and trustworthy repositories.

However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.

Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.

This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.

Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.

Let's just say that "insecure by default" doesn't make a good slogan.

Reply Parent Score: 5

RE[3]: Comment by flanque - Ubuntu
by jabbotts on Tue 15th Jun 2010 19:07 in reply to "RE[2]: Comment by flanque"
jabbotts Member since:
2007-09-06

Ubuntu.. popular.. but not the most solid distribution available. If only popularity was a valid indication of product quality in this world.

Reply Parent Score: 2