Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430090
RE: Zealot
by lemur2 on Tue 15th Jun 2010 10:53 UTC in reply to "Zealot"
lemur2
Member since:
2007-02-17

When it happens on Linux, everybody says "hey, it's a new security hole found, linux is more secure now."


Rubbish.

Distributing unsigned binary packages is a security hole that has been known about forever. This security hole is the entire reason package managers were designed and written in the first place, over a decade ago.

Linux has been demonstrably more secure for the whole of that decade, but only for software distribution that utilises package managers. Like all trojans, this particular trojan relied on not being delivered via any package manager system.

Windows has no equivalent distribution system (although Windows Update does get part-way there, but that system applies only to Microsoft software). Consequently the security hole in Windows, wherein users routinely download and install unsigned binary packages, is absolutely enormous.

Edited 2010-06-15 10:55 UTC

Reply Parent Score: 3

RE[2]: Zealot
by Mr.Manatane on Tue 15th Jun 2010 14:32 in reply to "RE: Zealot"
Mr.Manatane Member since:
2010-03-19

Funny again how amnesic Linux fanboys are.

Your argumentation is just pointless when you see security holes like this:

http://www.informationweek.com/blog/main/archives/2008/05/a_black_e...

The problem involves Debian's version of the openssl package, which was changed back in 2006 in such a way that the encryption keys generated by the package could theoretically be guessed by an attacker. Bad. But what's worse, every encryption key generated with that edition of openssl since the change was made -- since 2006 -- now has to be dumped.


A single problem in the openssl debian package and BOOM, all your genius stuff is doomed. Now your genius deployment package tool - you are so proud of - is spreading the security holes on all OSes and it's worse than installing manually software YOU chose to install because you TRUST the repository of the linux distribution.

Reply Parent Score: 2

RE[3]: Zealot
by 3rdalbum on Tue 15th Jun 2010 15:26 in reply to "RE[2]: Zealot"
3rdalbum Member since:
2008-05-26

...and it's worse than installing manually software YOU chose to install because you TRUST the repository of the linux distribution.


I fail to see how it's worse than installing software manually. Debian users got an OpenSSL security update as soon as the vulnerability was patched, because it was in the repository. In fact, not only did it fix the vulnerability, but there were several layers of safety in the patch to identify weak keys and warn the user if they are present, as well as stopping any of the same keys from coincidentally being generated in the future (because any attacker would look for the known weak keys first).

The Debian vulnerability was caused by human error, not by malicious intent as we've seen in the UnrealIRC problem.

One flaw doesn't prove that the system is broken. Multiple flaws do. Internet Explorer 6 isn't broken because of a cross-site-scripting flaw discovered in 2006, it's broken because people keep finding cross-site-scripting flaws in it. The same applies with the repositories.

Reply Parent Score: 2

RE[3]: Zealot - patch times.. not bug counts
by jabbotts on Tue 15th Jun 2010 20:29 in reply to "RE[2]: Zealot"
jabbotts Member since:
2007-09-06

Bug counts are useless outside of superficial mass media and fanboy debate. All software is broken. Look at patch times instead. Once discovered, how long did it take Debian maintainers to deliver the update? How open were they during the process? How effective was the patch once delivered? How do these responses and turnaround times compare to other major distributions and platforms?

Personally, my issue with Apple is not that bugs are discovered but how they address them. If they dropped the "impervious to anything" marketing spin and demonstrated transparency from bug report through to patch availability, no problem. Apple's "we have no bug in TCP/IP and NIC drivers" is a good example. Microsoft actually falls between the two in terms of public disclosure, but they have also had cases of leaving vulnerabilities unpatched for years until embarrassed enough to address them. I haven't seen Debian try to hush up a vulnerability; they are usually too busy delivering a patch response.

Reply Parent Score: 2

RE[3]: Zealot
by lemur2 on Tue 15th Jun 2010 23:22 in reply to "RE[2]: Zealot"
lemur2 Member since:
2007-02-17

A single problem in the openssl debian package and BOOM, all your genius stuff is doomed. Now your genius deployment package tool - you are so proud of - is spreading the security holes on all OSes and it's worse than installing manually software YOU chose to install because you TRUST the repository of the linux distribution.


Doomed?

No user's system got any malware through the debian openssl error.

Security hole? No, the openssl error reduced the security of openssl on Debian systems for a time, but it was a weakness, not a hole. It meant that an attacker, who knew about the weakness, would have required significantly less time for a brute force attack against openssl than should have been needed. No end user's system was ever breached because of it.

Spreading to all OSes? No. It was an error that resulted in weaker openssl for some time on debian systems, and which was corrected when it was discovered in an audit at Debian.

Please stick to the facts, OK? No system can eliminate errors. This particular error resulted in no harm before it was fixed.

Zealot? Exactly who is spreading the lies and invective here, hmmmm?

Edited 2010-06-15 23:25 UTC

Reply Parent Score: 2