[sf-lug] Malware hidden in Linux packages First Gentoo more lately Arch.

Rick Moen rick at linuxmafia.com
Wed Jul 11 19:59:37 PDT 2018


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

> Thanks

Yr. very welcome, of course.

> I have replied, mentioning the source, to the originator of the
> message I saw, mentioning both the FAQ and the article's admission
> that the malware was broken so that it could not enact its filthy
> mission.

Interesting.  But the larger message is that, as I put it at
http://linuxmafia.com/~rick/lexicon.html#moenslaw-security3 :

   Malware is _not_ a security problem; malware is a secondary
   _after-effect_ of a security problem.

The entire anti-malware proprietary software industry (including Sophos) 
is essentially telling people 'Run our proprietary black-box software
under root authority on your system, and we'll protect you against a
scary if vague bunch of bad things.  Trust us.'  But they do a pretty
terrible job at that, the collateral damage to your system is typically
pretty severe (and, as I pointed out in links from
http://linuxmafia.com/~rick/faq/#virus2 to coverage of the 2005 Sony
rootkit scandal, the antivirus companies don't hesitate to sell their
customers down the river and deliberately ignore corporate-originated
malware), and you can do a great deal better by _just not running code
you shouldn't trust_.

If you just don't install and run code you have no reason whatsoever to
trust, then you lack the big, gaping security hole that malware later 
waltzes into.  The problem isn't the malware; it's the carelessness
creating the huge security hole.

This has been known and true for ages, even on MS-Windows and MacOS.
The only difference on Linux is that it's a little easier to Do the
Right Thing consistently and not shoot your system security in the foot.

Meanwhile, there will always be articles pushing products from Sophos
and many other such companies, for the simple reason that there's money
in it.  Gullible people have money, too.  ;->




