Linked by Jordan Spencer Cunningham on Mon 14th Jun 2010 23:58 UTC
Bugs & Viruses Recently, the Linux version of UnrealIRCd was discovered to have had a Trojan worm its way into the source code. Even more embarrassing for the developers of Unreal is that the Trojan's been holding open the backdoor in the source code since November of 2009-- not very recently. And, of course, bloggers and press in general are taking the opportunity of another breach in Linux security to point out doomsday devices that don't really exist.
Thread beginning with comment 430098
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Comment by flanque
by sakeniwefu on Tue 15th Jun 2010 11:51 UTC in reply to "RE[3]: Comment by flanque"
sakeniwefu
Member since:
2008-02-26

It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.

The problem at hand could have indeed been solved using trusted and trustworthy repositories.

However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.

Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.

This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.

Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.

Let's just say that "insecure by default" doesn't make a good slogan.

Reply Parent Score: 5

RE[5]: Comment by flanque
by lemur2 on Tue 15th Jun 2010 12:05 in reply to "RE[4]: Comment by flanque"
lemur2 Member since:
2007-02-17

It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.

The problem at hand could have indeed been solved using trusted and trustworthy repositories.

However if the software has bugs, like using gets(), but really many kinds of bugs can do. You rely on exploit prevention and mitigation which is on par with Windows and still not at modern levels.

Then there is another whole class of exploits helped by people keeping all doors open in their servers, most of which use Linux, but could use anything.

This is not GPL code vs everyone else, it is distributors(GPLd and Proprietary) not fixing fixable things for whatever dark reason they have.

Your beloved Linux has "free" code(often just changing a number here and there) to prevent many exploits currently affecting faithful users like you. However, if they are not enabled by default it's as if they never were there when the system is used by a normal user. Ship with all doors closed and write down why it is dangerous to open them and the user will get the chance to think twice.

Let's just say that "insecure by default" doesn't make a good slogan.


Meanwhile, in the real world, we actually get this situation:
http://gorumors.com/crunchies/malware-infection-rate-worldwide/

When they say "malware infected PCs", they actually mean an estimated level of "malware infected Windows machines".

This is the status-quo level at which the proverbial "bar has been set". Linux machines must be able to better this standard to come off well in comparison with machines that are commonly marketed today.

ROFLMAO.

http://farm1.static.flickr.com/106/289981080_4008fa579a.jpg

Wait though ... it gets better. Here is an expert opinion on the value for money of the status quo machines being mass-marketed today:

http://blogs.fsfe.org/gerloff/?p=359

Here is the situation with the worlds highest-performing, most expensive, highest-value machines:

http://techie-buzz.com/foss/linux-powers-91-of-the-worlds-top-500-f...
http://cache.techie-buzz.com/images/postimg/ricky/supercomputer1.pn...

Edited 2010-06-15 12:23 UTC

Reply Parent Score: -1

jabbotts Member since:
2007-09-06

I give you.. Debian Stable. EnGard Secure Linux would be a good choice if the machine your protecting justifies it. Maybe not Damn Vulnerable Linux though. ;)

Seriously though, this is really more of an example of how fast issues can be patched once discovered and a pretty good case study for how things can go badly. I'm adding it to my library beside the Debian OpenSSL issue from a year or so ago where a developer ignored the Debian policies and processes.

These things happen with all software but the repository distribution method continues to have a low (nearly nothing) case history of such issues; especially compared to other software distribution methods.

Reply Parent Score: 2

lemur2 Member since:
2007-02-17

These things happen with all software but the repository distribution method continues to have a low (nearly nothing) case history of such issues; especially compared to other software distribution methods.


Just to be clear ... the repository distribution system has a perfect record. Exactly nothing has ever happened, in terms of malware getting on to end users systems. This particular trojan incident had nothing at all do with the repository distribution system.

Reply Parent Score: 2

RE[5]: Comment by flanque
by testman on Fri 18th Jun 2010 02:44 in reply to "RE[4]: Comment by flanque"
testman Member since:
2007-10-15

It is evident you don't know much about the matter. I wonder why you feel compelled to post so much in this thread.


INTJ/Asperger's

Reply Parent Score: 2