How much more malware is lurking in Linux official repositories?
Summary: The revelation that the open-source Unreal IRC server download has been infected with malware for some eight months is pretty worrying. But the added discovery that this Trojan horse made its way into the Gentoo distro is real reason for the Linux community to re-examine how trusted repositories are handled.
It's true that, compared to Windows, Linux is a pretty safe bet if you want to remain protected from hackers. After all, the 1% or so usage share that the OS enjoys (combined with the fact that many of its users are pretty switched on) just doesn't make it a worthwhile target to go after.
But there's a big difference between the OS being a "pretty safe bet" and it being invulnerable. No OS is invulnerable. If someone wants in on your system, and they have the time and resources, they are likely to find a way.
But this is a major blunder. Allowing infected code to make its way into an official distro demonstrates how complacent some in the Linux community have become.
Which leads to the biggest and most important question of all - how can we, as Linux users, be sure that more malware hasn't infiltrated official channels?
The idea that we can blindly trust official repositories of open source code is slowly eroding. Earlier this year Mozilla discovered that it had been hosting a Firefox add-on that contained malware. This latest incident should underline the need to beef up security to protect users.
Talkback
No erosion.
This is an obscure IRC chat server app, that only shows how inept some people can be.
Gentoo is one of the few distros that requires you to compile from tar.gz EVERYTHING.
I doubt they have the resources to verify/test code or certify vendor software.
With Gentoo you literally compile your own kernel before downloading tarballs to yet do more compiling.
I know because I've tried Gentoo. Is this necessarily a bad practice in terms of implementation? That's something for a separate debate.
But, the risks of accepting any vendor's source remain.
Distros must keep up their guard to ensure that all code admitted to the repo is certified clean and safe to use.
That has been a sticking point for Canonical who don't 'willy-nilly' let source find its way into Ubuntu. It's a careful vetting certification process and if you scroll through the Synaptic database, only select programs have Canonical's blessing for support (LTS).
Stay in the GPG 'ring of safety' repo and you are fine with Ubuntu Linux.
An obscure IRC server that has not been accepted in the Ubuntu repositories
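The commenter's point about staying inside a signed repository comes down to one check: before a tarball is built or packaged, its digest is compared against a digest published through a channel the attacker does not control. The following is an added example, not code from the article or from any distro; the archive contents, the "published" manifest and the tampered copy are all constructed in-line, and the function names are hypothetical. It shows the check catching a replaced archive, and a second check a packager would typically run on the archive's member paths.

```python
import hashlib
import hmac
import io
import tarfile
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the digest a distro would publish for a release)."""
    return hashlib.sha256(data).hexdigest()


def make_tarball(files: Dict[str, bytes]) -> bytes:
    """Build a small .tar.gz in memory. Constructed stand-in for an upstream release archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the release as upstream intended it.
CLEAN_TARBALL = make_tarball({
    "ircd-example/src/main.c": b"int main(void) { return 0; }\n",
    "ircd-example/README": b"example project (constructed)\n",
})

# Constructed sample: the same release with an extra file slipped in, as happens
# when a download mirror is compromised and the archive is replaced in place.
TAMPERED_TARBALL = make_tarball({
    "ircd-example/src/main.c": b"int main(void) { return 0; }\n",
    "ircd-example/README": b"example project (constructed)\n",
    "ircd-example/src/extra.c": b"/* file not present in the genuine release (constructed) */\n",
})

# The manifest stands in for digests obtained out of band (e.g. from a signed
# distro metadata file), NOT from the same server that serves the tarball.
PUBLISHED_MANIFEST = {"ircd-example.tar.gz": sha256_hex(CLEAN_TARBALL)}


def verify_archive(name: str, data: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Compare the downloaded bytes against the published digest for this file name."""
    expected = manifest.get(name)
    if expected is None:
        return False, "no published digest for %s; refuse to build" % name
    actual = sha256_hex(data)
    # compare_digest avoids timing side channels; it is also the idiom for
    # comparing any secret-derived strings, so it is worth using by habit.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch for %s: expected %s..., got %s..." % (
            name, expected[:12], actual[:12])
    return True, "ok"


def unsafe_member_paths(data: bytes, top_dir: str) -> List[str]:
    """Return archive members that escape the expected top-level directory.

    A packager extracts with a build user's privileges; absolute paths, '..'
    components or members outside the expected directory are a red flag even
    when the digest matches.
    """
    offenders = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts or parts[0] != top_dir:
                offenders.append(member.name)
    return offenders


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TARBALL), ("tampered", TAMPERED_TARBALL)):
        ok, reason = verify_archive("ircd-example.tar.gz", blob, PUBLISHED_MANIFEST)
        print("%-8s -> %s (%s)" % (label, "ACCEPT" if ok else "REJECT", reason))
    print("unsafe paths in clean archive:", unsafe_member_paths(CLEAN_TARBALL, "ircd-example"))
```

The check is only as good as the provenance of the manifest: a digest fetched from the same compromised web server as the tarball will simply match the trojaned file. That is why the distro's signed metadata (the GPG ring the commenter refers to) matters more than the hash itself, and why a packager who imports a tarball directly from an upstream site is taking on the verification burden the repository normally carries.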
RE: How much more malware is lurking in Linux official repositories?
Well put. I tried it and it was doable but most definitely not for the 'faint of heart'--Loverock maybe, but Average Joe? No.
RE: How much more malware is lurking in Linux official repositories?
Funny, if I only ran software that Microsoft certified as safe I would probably not get infected either. I fail to see how that makes Linux different or safer.
It happened to Mozilla, it will likely happen sooner or later to anyone hosting repositories if it's worthwhile for someone to try to make it happen. At least I know I need to be careful. If you want to advocate Linux teach safe computing across all platforms rather than act as if a switch in OS will fix all your problems forever. It won't. Ubuntu has no idea what they are up against if they think their current usage base is anything like what it will be if they ever really catch on.
RE: How much more malware is lurking in Linux official repositories?
Nice response.
I totally agree, knowing what a good hacker (or hackers) can do when they really want to.
RE: How much more malware is lurking in Linux official repositories?
And yes, I am sure there are and will be Windows users who have not been infected, this proves nothing. Or they don't know they have been pwned.
RE: How much more malware is lurking in Linux official repositories?
Funny... I have been online since the days of Prodigy and CompuServe. My home system (Windows) has been online and connected to the public web over cable and/or fiber 7x24 since 2001. To date I have NEVER been hacked, infected by a virus, or compromised in any way. Period. Which means that my Windows system is every bit as safe as your Linux system.
Please educate yourself instead...
RE: How much more malware is lurking in Linux official repositories?
Funny, but maybe with all this overconfidence, you don't even know if you've been pwned yet or not. And we only have your word for it.
RE: How much more malware is lurking in Linux official repositories?
And, as the article makes a point of, they're just getting lazy and complacent in the very practices they lampoon Windows users for not doing.
RE: How much more malware is lurking in Linux official repositories?
@RoyalKnight@..says...
<i>Or maybe some people just can't seem to fathom a Windows user that's actually competent in what they do.</i>
Yes, given what I've seen out there, that is tough to fathom. No doubt. <b>lol...</b> :D
<i>It's like saying the computer elite can only be Linux users.</i>
Well that's what it seems to be turning into.
But don't forget, most Linux users were windoze users at one time and didn't start on Linux. And many (like myself) still have to use both systems.
I can't say the opposite holds true given all the NBMer FUD that I've read around here.
<i>And, as the article makes a point of, they're just getting lazy and complacent in the very practices they lampoon Windows users for not doing.</i>
Only a very tiny minority of an even smaller Gentoo community were involved in this. Unless you like to inflate their numbers beyond the mere 450 hits they get per day over at DistroWatch.
RE: How much more malware is lurking in Linux official repositories?
<i>"See? No matter what I would say about that, it wouldn't matter to you because you got to Google first." </i>
Translation: you cannot answer the questions, so instead you come back with a lame comment about how I got to Google first, further confirming that you know nothing about security, and prefer to mask your short comings by diverting away from the topic. I'm still waiting for your answers...
<i>"You have "probably forgotten" more about computer security that I'll ever know? Are you sure you meant to say that? lol... Well that's the most truthful understatement of the year."</i>
So... impress me. Tell me what you know about computer security instead of simply picking apart what I have said. Again, I'm still waiting for your answers...
<i>"But I am smug and superior"</i>
Keep telling yourself that and maybe it will actually come true... cough... BTW I'm not overconfident, I'm knowledgeable, you should learn the difference. Yes I cannot prove it and you only have my word, but the same applies to you - I only have your word that you actually know something about Linux besides how to download and install it. Again, I'm still waiting for your answers...
RE: How much more malware is lurking in Linux official repositories?
<i>"That's right. I could have Googled it and given you the answers you wanted, but frankly, I don't think you know what it is either. You can't even remember what happened yesterday."</i>
A SYN flood is used in a denial of service attack, where the attacker sends a burst of TCP SYN (request for connection) packets.
NAT (network address translation) and PAT (port address translation) are firewall concepts and provide security by either masking an IP address or port.
The SID (security identifier) suffix for the built-in local admin account on all Windows systems always ends in 501.
A KDC (key distribution center) is a function of Kerberos, and is used in both LDAP and MS Active Directory implementations.
I realize these concepts are beyond the comprehension of a 10 year old, so I'm not expecting you to understand them. School is dismissed for today, junior, check back tomorrow if you would like me to teach you more. My comment about forgetting security, means that I have much more knowledge of the topic than you, not that I have forgotten it. But again, I don't expect you to understand.
<i>"Well old man, considering your still stuck in the tape drive era and don't even know how to do a simple malware or virus scan, I don't think you're terribly qualified to preach to me about your mail order knowledge. Even a child can do a simple malware or virus scan, yet that seems to be beyond your comprehension." </i>
Please re-read the entire discussion between us and show me exactly where I said that I do not run anti-virus or malware clients on my computer, and that I do not perform regular scans. I didn't say that, and I do run them. You are making assumptions, and handing out the very absolutes that you accused me of earlier - hypocrite. BTW - the comments about my age may be funny, but they have nothing whatsoever to do with the topic which you keep avoiding. But since you went there first - I think I hear your parents calling, maybe you should change your diaper and go home.
RE: How much more malware is lurking in Linux official repositories?
Ok, so we've established that you know nothing about security. Let's stick to Linux alone and see what you know, since you imply that you have expertise there.
What is a Linux semaphore and why is it necessary? What is ASLR? How about IPtables - do you even know what that is used for? What makes SE Linux different?
In case these Linux-specific security concepts are too difficult for your 10 year old brain, what is an inode? A umask? What are the 7 typical run levels in linux and what does each one mean (I'll give you one for free - run level 4 is not normally used)? How about a Unix question: which flavor of Unix has an /opt mount point and what is it used for?
How about network storage such as SAN and NAS? Can you tell me what FCoE stands for? What is a LUN, and how does the word "zone" relate to it? What is CIFS (hint: it's the Windows equivalent of NFS)?
Let's move on to networking and routing: Do you know what OSPF stands for? How about beaconing with token ring. What is the standard MTU for ethernet?
I can answer every single one of these without hesitation. I'll wait for your reply to see if you can answer even one of them, but I doubt it. Don't even try to compare your "IT knowledge" to mine. I will eclipse you in every category. You have no place lecturing me about anti-virus, malware, Windows, Linux, or any other IT related topic when you have but only a fraction of the knowledge that I do!
I am done with you, troll.
RE: How much more malware is lurking in Linux official repositories?
<i>A SYN flood is used in a denial of service attack, where the attacker sends burst of TCP SYN (request for connection) packets.</i>
<i>NAT (network address translation) and PAT (port address translation) are firewall concepts and provide security by either masking an IP address or port.</i>
<i>The SID (security identifier) suffix for the built-in local admin acount on all Windows systems always ends in 501.</i>
<i>A KDC (key distribution center) is a function of Kerberos, and is used in both LDAP and MS Active Directory implementations.</i>
Excellent! We know you know how to look things up in Google. I can do that too. Congratulations.
<i>I realize these concepts are beyond the comprehension of a 10 year old, so I'm not expecting you to understand them. School is dismissed for today, junior, check back tomorrow if you would like me to teach you more.</i>
Mommy....mommy...bad man chased me. Bad man chased me.
lol....
<i>My comment about forgetting security, means that I have much more knowledge of the topic than you, not that I have forgotten it.</i>
No, it just means you've admitted to some senility on your part and said something you shouldn't have concerning your forgetfulness. I commend you for admitting that. I hear it's a first good step before being put out to pasture.
<i>Please re-read the entire discussion between us and show me exactly where I said that I do not run anti-virus or malware clients on my computer, and that I do not perform regular scans. I didn't say that, and I do run them.</i>
And you've waited four posts in this discussion before telling us that?
I do admit that you are a little slow and behind the times, but do try to clarify yourself before going off on half-cocked absolutes (like you said to kiriovs@). It might've saved you a little bit of embarrassment here.
<i>You are making assumptions, and handing out the very absolutes that you accused me of earlier - hypocrite.</i>
Nope, I'm just calling a spade a spade where credit's due. Why didn't you tell us you deal only with standalone machines? :p
<i>BTW - the comments about my age may be funny, but they have nothing what so ever to do with the topic which you keep avoiding.</i>
Well let's hope by the time I get to be your age, I won't be so senile and forget things like proper security for computers.
<i>But since you went there first - I think I hear your parents calling, maybe you should change your diaper and go home.</i>
Please don't tell my mommy. I really want my ice cream tonight and she'll get mad if she finds out.
lol...
RE: How much more malware is lurking in Linux official repositories?
<i>"Excellent! We know you know how to look things up in Google. I can do that too. Congratulations."</i>
You say that I looked up the definitions on Google, but how did I know to even mention SYN floods, NAT and PAT, SID's, and KDC unless I already knew what they were? If I have no computer security knowledge at all, then how would I have known what to lookup on Google? Not only are you proving to everyone here how little you know, you can't even make an intelligent argument.
<i>"I do admit that you are a little slow and behind the times, but do try to clarify yourself before going off on half-cocked absolutes (like you said to kiriovs@). It might've saved you a little bit of embarrassment here."</i>
Why would I be embarrassed? So far you are the only one who has not been able to answer my questions. Please look at my other post above where I ask you questions about an entire series of IT related topics including Linux. I'll bet you can't answer one of them! My original statement to kiriovs@ was that it doesn't matter which OS you run if you secure both the computer and the perimeter (BTW, perimeter is another fancy security word that you probably know nothing about, so here's a clue - it means a firewall). I could fill this entire blog full of IT related questions that I already know the answers to, but what would be the point if you can't answer even one of them? And so far, you haven't. I don't have to try to make you appear ignorant, you're doing a great job all by yourself.
So... keep making fun of my age, call me senile, accuse me of being forgetful - twist my words. Use every tactic you can to try to divert everyone's attention away from the simple fact that you know NOTHING. You are a kid whose parents bought him a computer, and who thinks that, because you can spell words like Linux and Malware, you are somehow qualified to preach to the rest of us about "proper security for computers". When you repeat the 4th grade again next year, see if your elementary school has IT classes that you can take. In fact, when you have a college degree in computer science, several technical certifications, and 17 years experience in IT, then, maybe then, you will be on my level.
RE: How much more malware is lurking in Linux official repositories?
A quick summary of our conversation so far:
I make a couple of statements to @kirovs about never being hacked and never having a virus to date. These are facts, not absolutes. An absolute would be if I said that I <b>will never be hacked</b> or <b>will never get a virus</b>. There is a difference between the two, and you just don't get it.
In your first response, you accused me of being overconfident and that I wouldn't even know if I did get hacked, thus implying that I don't know what I'm doing.
So I challenged you, twice now with a series of questions about security, questions about Linux (which you claim to know), networking, storage, etc. Every time I challenge you to see if you actually know what you're talking about, I get the following:
"Well... umm... malware... um... pwned... umm... wait... umm... (uh-oh, I can't answer @smtp4me's questions and can't compete with him, so I better try something else). You're senile and old. You should be put out to pasture. You should be playing Parcheesi at the old folks home." (@ubiquitous one giggles to himself, not realizing that he is the only one laughing and that he still hasn't answered my challenge)
So I challenge you again, and I get the following:
"You are looking all this up. Umm... Well... But... You're forgetful because of your age. Umm... I am superior. I am God. Umm... AARP... (I really hope my smoke screen works. If I actually have to answer his questions I will look like a fool.)"
Please scroll back up and look at the two different posts where I have now asked ~20 different questions. How about this - if you can answer just 5 of them, I will take it on faith that you actually know the answers, and unlike you I will not accuse you of looking them up. Feel free, pick any 5 and answer them. But I'm predicting that when you reply, instead of providing answers, you will revert to the same tactics you have used in every response (comments about my age, looking up things on Google). You say that I have a big ego and that I brag a lot, then in the next breath you say: <i>"I'm God, pal. Don't ever forget that. I can part oceans with my hands. I can make the earth tremble.</i>". You also previously admitted that you are "smug and superior". Hmm... and you say I have an ego? Do you hear that? It's the sound of everyone here laughing at you.