I have followed this thread the last couple of days with some interest to see where it goes.
This is an area that interests me professionally. Now some will say I must be biased, as I work for an organisation that makes billions of dollars a year selling security technologies, which many people still believe are unnecessary. So you can expect me to say that there is going to be a risk to the RPi! Presumably because that way I can help peddle $50 per year solutions aimed at a $35 computer (not a typo; really, no point in marketing to a non-internet-connected device, just because we are commercial does not mean we are stupid).
Let's be clear: I am worried about malware on the RPi. Oh, and a quick clarification here, as I know some of you are aware as I can see it in your posts, viruses are only one class of threat, and that is why, if you are looking to actually protect a machine, getting just AntiVirus for it is a waste of time. Malware is the superset, and covers techniques such as Trojans (applications that contain malicious code or behaviors) that, for example, are the main attack vector on Android at the moment, Worms that usually self-replicate using some form of network-based propagation, Adware and Spyware that do not tend to self-propagate, and hand-coded targeted attacks. AntiVirus is predominantly involved in using signature-based techniques (mostly regex or hash based) to scan files to see if they contain malicious code. The history of the virus goes back to the days of the floppy disk, when most of these things were passed around by hand. Recently we have seen a revival of this with attacks using removable media: USB pen drives, SD cards etc. However, if the malware is not in a file, AV will not find it, and most of it these days is not.
The majority of threats today come via the web. In some cases this will be via file download. In the case of trojans a user will be tricked into downloading a binary or source code that contains the threat, and yes, there are examples, and increasing ones, of open source repositories being successfully targeted and malware introduced into the source, in some cases going a long time before they are discovered. As has been pointed out above, this might be an issue in the classroom environment with code sharing. Most browser-vulnerability-based threats target Windows or Mac, but from time to time Linux ones exist, and because they attack an exploit in the browser they are often more generic than you would think. Open source is helping here, but it is a risk reducer, not a risk remover. There have been issues with commercially available browser plug-ins that have had serious vulnerabilities.
Server vulnerabilities are what I am really worried about with the RPi, and before you stop reading because you do not intend to use your RPi as a "server", take a moment to understand how an OS works. Many of the services running on it are listening to the network. This generates the opportunity, should they be discovered, to use exploits in the services to run arbitrary shell code on the device. This is why commercial anti-malware contains firewalls that lock down the comms to the OS and apps, and technologies like Host Intrusion Detection (HIDS) and Host Intrusion Protection (HIPS) that look for anomalous behavior at the IP level. If you use a PC with commercial AntiMalware on it (unfortunately, creating the signatures and engines to make these things work is massively expensive, so no OS project has been able to really do this), then these engines will be providing a large and growing part of your protection.
On the most commonly attacked platforms (Windows and Mac) there are also other techniques that we use to detect malware that use heuristics and behavioral analysis of running processes to find things that have slipped past the other defenses. There are a few interesting but small OS projects I have seen that are working on some of this.
So given all of the above the question is why would someone want to attack an RPi?
The simple answer is that many attacks do not care about what the machine is; they just want to pwn it for various reasons. In the case of Linux boxes, as relatively few of them are used as desktops, this is so they can be used by a "Bot Herder" as part of a BotNet and subsequently leased out to be used for activities such as spam or DDoS attacks. In the case where the box has port 80 open, the Bot may make your machine part of a content delivery network and have you hosting content that is either used as part of other attacks (such as hosting pages used to execute drive-by downloads) or, in some cases, hosting unsavory or otherwise illegal material. There are unfortunately some very nasty people out there, and as the money that can be made in cybercrime has skyrocketed, organized crime has found a new income source. I am aware of instances where compromised machines have been found containing material of the most depraved kind.
So how are we going to protect RPis?
The first thing to do is to create an iptables config (in fact, configs) to provide some basic lockdown. I have done this before for other projects, but I do not have free time in abundance at the moment; however, I will see if I can find some time to start a project, and there is lots of stuff available for re-use. Configuring Linux to be more of a client and less of a server will get you a very long way, and Netfilter is good and solid, so if you get the config right the kernel is doing all the hard work for you.
The second thing to do is to have a project (perhaps as an extension to the current wiki) to document best practice and known secure solutions. One of the things I personally have found most challenging with Linux is creating a known secure browser configuration. Giving people advice on how to do this would be sensible.
The third: use the RPi as a platform to teach kids about Information Security and Privacy.
Disclaimer: All of the above, whilst derived from my professional experience, are my own opinions and not those of my employer. In the interests of disclosure, I am the CTO for Enterprise Security Products and Services at Symantec, the world's largest "AntiVirus" vendor.
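The "client, not server" iptables lockdown the post proposes, written out as an added example (this is not the poster's config and not anything from the forum or the Raspberry Pi project). It emits an iptables-restore ruleset that drops all unsolicited inbound IPv4 traffic, keeps loopback and reply traffic working, rate-limits ping, admits SSH only from the local LAN, and logs (rate-limited) what was dropped. The LAN range `LAN_CIDR`, the port `SSH_PORT` and the log prefix are constructed placeholders; `list_listeners` is there so you can see what is actually listening before deciding which ports, if any, genuinely need opening.

```shell
#!/bin/sh
# Added example, not the poster's own config: a "client, not server"
# iptables baseline for a Raspberry Pi, emitted in iptables-restore format.
# LAN_CIDR and SSH_PORT are assumed placeholders; set them for your network.

LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"   # assumed home LAN, change to yours
SSH_PORT="${SSH_PORT:-22}"               # assumed SSH port

# Print the IPv4 ruleset. The ':CHAIN POLICY' lines set the default verdict:
# INPUT and FORWARD default to DROP, OUTPUT stays ACCEPT (client behaviour).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp -s ${LAN_CIDR} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "rpi-fw-drop: "
COMMIT
EOF
}

# Count the rules that explicitly ACCEPT traffic: a quick sanity check that
# the ruleset has not grown beyond what a client box needs.
count_accepts() {
    gen_ruleset | grep -c -- '-j ACCEPT'
}

# Show what is listening on the network so you know which ports actually
# need a rule. Uses ss from iproute2 (shipped on Raspbian).
list_listeners() {
    if command -v ss >/dev/null 2>&1; then
        ss -tulpn
    else
        echo "ss not found; try: netstat -tulpn" >&2
        return 1
    fi
}

# Load the whole ruleset atomically (needs root). Persist it across reboots
# with the distro's mechanism (e.g. the iptables-persistent package).
apply_ruleset() {
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    show)   gen_ruleset ;;
    listen) list_listeners ;;
    apply)  apply_ruleset ;;
esac
```

Run `sh rpi-fw.sh listen` first, then `sh rpi-fw.sh show` to inspect the rules, and `sudo sh rpi-fw.sh apply` once you are happy; `sudo iptables -S` afterwards confirms what the kernel loaded. Two caveats: this only covers IPv4, so an `ip6tables` ruleset with the same shape is needed if the Pi has IPv6 connectivity, and if you apply it over SSH from outside `LAN_CIDR` you will lock yourself out, which is exactly the default-deny behaviour the post is after.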