See here: http://www.zdnet.com/blog/bott/linux...06?tag=nl.e550

Utter drivel. Pure FUD. We're all stupider because of these so-called reporters.

Just because an open source program contained a trojan doesn't mean open source sucks. A closed source, or Windows-only, program could be infected just the same. And it'd be harder to detect when you don't have the source.

Just because a primarily Unix program got compromised doesn't mean Linux sucks. This wasn't a Linux failure, it was a human failure. Unreal IRCd works just fine on Windows, by the way. Also, Windows users are human too.

Just because Unreal IRCd is sort of well-known doesn't mean that malware on Linux is new. Malicious scripts have been around forever (rm anyone? obfuscated perl?).

This also wasn't a Gentoo error. Gentoo doesn't have the resources to check every line of every program it ships, and should it even try?

The Unreal devs screwed up. They know it. They're taking steps to prevent this sort of thing from happening again. And they're being very open about it. Read the announcements, read the irc-security mailing list. Their transparency is commendable. Would you ever see Microsoft say "Sorry, due to human error, patch KB471289 contained a backdoor. In response, we'll tell you how to fix it: ABC. And we'll implement tighter security controls including XYZ. Really, our bad guys." No.

But this kind of crap isn't even worth reading.

Yeah.

Wake me up when I need to worry.

My mother has always feared this type of FOSS infection: that which is distributed with the source code. I hope a fix for the Gentoo distribution to remove this Trojan can be released. Good thing I don't have to worry: I have Ubuntu.

Its true the linux bashing is bull**** but the malware isn't too good.

This story has been out everywhere.
The debian team had mentioned this 15-16 months ago.
Anyone who has used IRC knows there is a chance of being rooted.

Nobody's disputing that.

No system would ever be 100% safe from this kind of exploit, but the difficulty in successfully publishing this kind of attack in the world of open source software is highlighted by the fact that the attacker had to choose an obscure project for which there are a bazillion alternatives.

Most projects are GPG signed, or at least publish md5sums on their website to prevent this kind of thing from happening. Having freely viewable source code also helps.

Can the same be said for any freely downloadable Windows software? I mean, FFS, when this happens here it makes headlines... but it's an every day occurrence under Windows...

What do you expect from zdnet.

See the original post here:
http://forums.unrealircd.com/viewtopic.php?t=6562

Yes, they were careless:

Post your sources. If this trojan was known by Debian 15 months ago, they would have reported it to Unreal then.
IRC is no different then any other Internet-facing program. Run it as its own user to mitigate risks. IRC is not inherently more prone to "rooting." You're like that article on this very same subject that said IRC users deserved it because they were stupid to use IRC.

That settles it.
I'm going back to Windows then.........

I'm a gentoo user and I think the infection was not really that dangerous.. if you know what you're doing. It was said that:

So the package will not really be built using the usual tool 'emerge'.

I think the effect of the malicious code to Gentoo is almost next to nothing.. thanks to Gentoo's verifications.

Yeah, the fact that portage does 3 different checksums to verify downloads helps a lot. Did anyone on Gentoo actually successfully install the infected version? I'm just impressed that the backdoor compiled; the last time I had a piece of "malware" in a source build it wouldn't build with my version of GCC which was a laugh and a half. Especially since I was trying to build it intentionally to do some reseach!

Just 1 slight non-destructive mistake and anti-linux windows-side article writers are already too happy to quote that? So eager really, aren't they?

I don't see anything in there about malware, it just says the code violates GPL and is of very low quality with possible exploits and they don't wanna include it in Debian, and they're right.