Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430089
To view parent comment, click here.
To read all comments associated with this story, please click here.
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Comment by flanque
by sakeniwefu on Tue 15th Jun 2010 11:51
in reply to "RE[3]: Comment by flanque"
Member since:2008-02-26
It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.
The problem at hand could have indeed been solved using trusted and trustworthy repositories.
However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.
Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.
This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.
Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.
Let's just say that "insecure by default" doesn't make a good slogan.
RE[5]: Comment by flanque
by lemur2 on Tue 15th Jun 2010 12:05
in reply to "RE[4]: Comment by flanque"
Member since:2007-02-17
It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.
The problem at hand could have indeed been solved using trusted and trustworthy repositories.
However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.
Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.
This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.
Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.
Let's just say that "insecure by default" doesn't make a good slogan.
The problem at hand could have indeed been solved using trusted and trustworthy repositories.
However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.
Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.
This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.
Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.
Let's just say that "insecure by default" doesn't make a good slogan.
Meanwhile, in the real world, we actually get this situation:
http://gorumors.com/crunchies/malware-infection-rate-worldwide/
When they say "malware infected PCs", they actually mean an estimated level of "malware infected Windows machines".
This is the status-quo level at which the proverbial "bar has been set". Linux machines must be able to better this standard to come off well in comparison with machines that are commonly marketed today.
ROFLMAO.
http://farm1.static.flickr.com/106/289981080_4008fa579a.jpg
Wait though ... it gets better. Here is an expert opinion on the value for money of the status quo machines being mass-marketed today:
http://blogs.fsfe.org/gerloff/?p=359
Here is the situation with the worlds highest-performing, most expensive, highest-value machines:
http://techie-buzz.com/foss/linux-powers-91-of-the-worlds-top-500-f...
http://cache.techie-buzz.com/images/postimg/ricky/supercomputer1.pn...
Edited 2010-06-15 12:23 UTC
RE[5]: Comment by flanque - security, stability, defaul
by jabbotts on Tue 15th Jun 2010 19:31
in reply to "RE[4]: Comment by flanque"
Member since:2007-09-06
I give you.. Debian Stable. EnGard Secure Linux would be a good choice if the machine your protecting justifies it. Maybe not Damn Vulnerable Linux though. 
Seriously though, this is really more of an example of how fast issues can be patched once discovered and a pretty good case study for how things can go badly. I'm adding it to my library beside the Debian OpenSSL issue from a year or so ago where a developer ignored the Debian policies and processes.
These things happen with all software but the repository distribution method continues to have a low (nearly nothing) case history of such issues; especially compared to other software distribution methods.
RE[5]: Comment by flanque
by testman on Fri 18th Jun 2010 02:44
in reply to "RE[4]: Comment by flanque"
Member since:2007-10-15
News
Linked by Thom Holwerda on 05/18/13 7:37 UTC
"In NixOS, the entire operating system - the kernel, applications, system packages, configuration files, and so on - is built by the Nix package manager from a description in a purely functional build language. The fact that it's purely functional essentially means that building a new configuration cannot overwrite previous configurations. Most of the other features follow from this." Interesting approach. A Linux distribution, sure, but with some very refreshing ideas about system configuration.
Linked by fran on 05/18/13 1:38 UTC
Google added, among other features, C/C++ support to its new version of AIDE. From Android-IDE, "Now you can write parts of your app or your whole app in C/C++ on your device. AIDE supports the Standard Android NDK toolchain (GCC 4.6 + Bionic, STL, ...). No changes are necessary if you want to build an app developed on a PC with Eclipse. C/C++ development is fully integrated: Build errors appear in the error list and files can easily be navigated to with Go to file. The editor supports C/C++ syntax highlighting."
Linked by Thom Holwerda on 05/17/13 23:35 UTC, submitted by kragil
Ars nails it: "The answer is that Google did announce what amounts to a fairly substantial Android update yesterday. They simply did it without adding to the update fragmentation problems that continue to plague the platform. By focusing on these changes and not the apparently-waiting-in-the-wings update to the core software, Google is showing us one of the ways in which it's trying to fix the update problem."
Linked by MOS6510 on 05/17/13 22:22 UTC
"It is good for programmers to understand what goes on inside a processor. The CPU is at the heart of our career. What goes on inside the CPU? How long does it take for one instruction to run? What does it mean when a new CPU has a 12-stage pipeline, or 18-stage pipeline, or even a 'deep' 31-stage pipeline? Programs generally treat the CPU as a black box. Instructions go into the box in order, instructions come out of the box in order, and some processing magic happens inside. As a programmer, it is useful to learn what happens inside the box. This is especially true if you will be working on tasks like program optimization. If you don't know what is going on inside the CPU, how can you optimize for it? This article is about what goes on inside the x86 processor's deep pipeline."
Linked by Thom Holwerda on 05/17/13 22:15 UTC, submitted by Tom
"It was the only moment I heard regret slip into Otellini's voice during the several hours of conversations I had with him. 'The lesson I took away from that was, while we like to speak with data around here, so many times in my career I've ended up making decisions with my gut, and I should have followed my gut,' he said. 'My gut told me to say yes.'" The world would've been a much different place - Apple would have been less dependant on Samsung for its chips, which probably would've meant less money for Samsung to develop its Galaxy business.
Linked by Thom Holwerda on 05/16/13 21:41 UTC
Glass is getting some love at Google I/O as well. New applications have been released - Facebook, Twitter, Evernote, Elle, Tumblr, and CNN. Perhaps more interesting: the newly announced Google Glass Developer Kit will allow offline applications and direct hardware access - great for hacking and expanding Glass' potential. This kit will really allow hackers to put Glass through its paces.
Linked by Thom Holwerda on 05/16/13 17:04 UTC
"But Beck and Merrill decided that simply banning toxic players wasn't an acceptable solution for their game. Riot Games began experimenting with more constructive modes of player management through a formal player behavior initiative that actually conducts controlled experiments on its player base to see what helps reduce bad behavior. The results of that initiative have been shared at a lecture at the Massachusetts Institute of Technology and on panels at the Penny Arcade Expo East and the Game Developers Conference." Absolutely fascinating stuff. I'm a League of Legends player, and to be honest, the community isn't nearly as bad as some make it out to be. I'm happy Riot games has the guts to employ science to address the issue.
Linked by Thom Holwerda on 05/16/13 13:17 UTC
"Android and iOS, the number one and number two ranked smartphone operating systems worldwide, combined for 92.3% of all smartphone shipments during the first quarter of 2013 as Windows Phone crept past BlackBerry for 3rd place. According to the International Data Corporation Worldwide Quarterly Mobile Phone Tracker, Android smartphone vendors and Apple shipped a total of 199.5 million units worldwide during 1Q13, up 59.1% from the 125.4 million units shipped during 1Q12." Windows Phone doubles from a few to twice few, iOS loser market share as its growth is slower than that of the overall market. BlackBerry continues slide into irrelevance.
Linked by Thom Holwerda on 05/16/13 12:06 UTC
"According to the latest research from our Wireless Smartphone Strategies service, global Android smartphone profits reached US$5 billion in total during the first quarter of 2013. Samsung dominated and captured an impressive 95 percent share of all Android smartphone profits." Wow.
Linked by Thom Holwerda on 05/15/13 23:03 UTC
"During its Keynote today, Google announced new features coming to its flagship search function - you know, that thing we all started using Google for. VP Amit Singhal spent some time discussing what Google's search functionality will eventually morph into. Google's strategy is summarized by three words: answer, converse, and anticipate. Singhal explained that many of the pieces of these upcoming changes can already be seen in products that Google has recently introduced - namely, Google Knowledge Graph and Google Now, with perhaps a splash of Google Glass, too." I hold on to my hat every time Google changes Search. It's such a vital product in my daily life.More News »
Sponsored Links
Member since:
2007-02-17
If the people running the server had sent their tainted app to Apple, then you would be able to pay to have a Trojan in your iPhone. Until Apple took it down because it allows for extra functionality.
But still, Windows and Linux security are on the same league. In the case of Linux it is more aggravating if anything because the features are there somewhere, only disabled or enabled with holes. I am no elite hacker and I can still go from gets() to arbitrary command execution in my latest Ubuntu Karmic amd64 with the default options. All because of dubious GCC "optimizations".
It is not at all difficult to write malware for any system at all.
The only place that people can put obstacles in the way is to prevent malware from getting on to a system in the first place.
The system of open source repositories in conjunction with package managers is the only system for distributing a complete set of software devised to date that has a good record in respect of malware.
You could indeed write code that exploited functions in Linux to get to execute arbitrary code (such as a keylogger), but that will not help you in your malicious intent against Linux users if you cannot get them to install your malware installer in the first place.