Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The Mint website is back online except for the forum. They might have learned a thing or two about Wordpress, like avoiding it completely if you care about the security of your server.
     
  2. Secondmineboy

    Secondmineboy Registered Member

    Joined:
    Jan 1, 2016
    Posts:
    102
    Location:
    Germany
    That doesn't change the fact that they're running outdated site frameworks and software: http://prnt.sc/a75ebe

    I think they moved over to Ubuntu when their servers broke down entirely back in the day, before they were running Debian.

    Their blog is dated too: http://prntscr.com/a75f4f

    At least WordPress is up to date........
     
  3. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Just read a post from the head Mint developer that the Cinnamon website was a part of the problem. Cinnamon is used by a lot of different distros as a DE option so this could have been a MUCH wider problem than it was.

    I may move to Mate - it'll be Wayland ready long before Cinnamon.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    WordPress is technology like any other, good and bad.
    It is all about sane security policies and risk management.
    Mrk
     
  5. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I do have some personal bias about Wordpress. It is high maintenance security wise and from what I've read, the Mint team wasn't up to that kind of maintenance.

    I don't think having outdated software on their server was the problem, that happens all over the place. It was more basic stuff like lax permissions and weak passwords.

    I just read through the latest Mint blog posts and didn't see anything about the Cinnamon page. The main cinnamon.mint subdomain is redirecting to developer.mint right now. In any case, the DE is the most superficial part of the OS and easily switched. My Mint VM can switch between Cinnamon, Mate, Xfce and KDE easily by just logging out and selecting a different DE.
     
  6. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Using passwords like 'upMint' surely is something to reconsider, to put it mildly.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    I just tried Mate for the umpteenth time and it just reinforced my preference for Cinnamon. I know with Cinnamon not all Cinnamons are the same. Mint Cinnamon is much better than installing Ubuntu and then adding Cinnamon. I've tried dozens of distros and usually w/Cinnamon DE and Fedora's Cinnamon (from the ground up) is second only to Mint's own direct version - it's pretty much the same. IMO what people like about Mint coming from Windows is Cinnamon more so than Mint's version of Ubuntu.

    Clem added an answer to someone's comment post detailing that the Cinnamon page was involved with the hack so that must have also been on the same servers as the blog, the forum and the images (part of the problem also). There's like 600 comments on there so not that easy to find.

    Yeah when you are 'Mint' and you have a server admin password - upMint - there are some obvious issues there with the security mindset. The fact that someone had hacked into them in January - and was selling the forum data on January 16th and Mint knew nothing till February 21st says a lot about this whole issue too imo never mind that users alerted them to this. It's the same security mindset that Mint has about the distro itself - they don't believe security is necessary at all.
     
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    This thread is another reason why I like to use VMs for my workspace activities. Damage control made easy! I only update the host OS when something kernel level or high threat shows up in the VM updates. This config really takes the concern down a few notches.
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    VM won't help you if you log in to your email on a compromised box, and something intercepts and sends your credentials to a server somewhere.
    Mrk
     
  10. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Mint tsunami update rolling out now.

    Screenshot_2016-02-25_11-53-50.png

    Detect tsunami and warn the user.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Let's hope the update also removes the backdoor.
     
  12. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
  13. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    205
    Well, I find myself psychologically unable to even dare installing this test-update now that their servers' content has to be considered with suspicion. Not sure what's gonna land on my machine is indeed reliable by now :( I'm afraid Linux Mint Rafaela will have to get removed from my desktop since I just can't trust it anymore.

    Besides, how to know if previous updates already installed aren't backdoored? Why one backdoor only? I won't ever get any satisfactory answer to that. Maybe in a year or two shall I get back to Mint, with a brand new version of the system. Perhaps.
     
    Last edited: Feb 25, 2016
  14. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    I can understand your dilemma as I share the same thoughts to a degree. However given the open-source status I'm certain there are many smart people combing over the distro as we speak now that it is in the spotlight. I'm sure many other distro developers are rethinking their strategy also. This can only lead to good things. I still feel safe and secure, however this situation has proved nothing is bulletproof. Same is certainly said for Microsoft. The difference is, we will not know about it if there was a backdoor. At least with Linux, we have a chance of knowing. That to me is far more important.

    Following the 4.9.91 update there are immediately 4 new updates. Unfortunately I did not take a screenshot, but looking back over the history they all seem to be ca-certificate validation, openssl and network related. Maybe these are a reaction to the hack, but that would be pure speculation though.

    regards.
     
  15. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
  16. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    The forum is back up and it is working now. I've got no big worries about my Rafaela installs from an ISO I downloaded months ago. My Rafaela VM is actually a good test subject for any issues due to the server hack since it has some fairly recent additions and updates and I can check what it's connecting to with Wireshark.
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Damn :thumb: But at least we can modify the update so it can delete the backdoor.

    No need for suspicion, just look at the source code.

    The good thing about OpenSource is that anyone can verify the code. As the hack showed, things get discovered pretty quickly in the Linux world.

    I can understand the frustration, but imagine this: many people are always testing Linux distros to find suspicious behavior, and that includes Mint. Heck, there are even people decompiling Windows components to find a backdoor :p
    I would assume that any abnormal network activity would have been caught by now.

    It's possible that all OS's have an unknown backdoor today that we haven't found. I think about that every day. But we have to work with what we know: so far, we seem to be clean of backdoors, and that includes Mint.

    In addition, considering that the hashsum of the ISO you downloaded is fine, it's possible that you're also fine.

    However, given the lack of technical CARE on the Mint side, I too would find myself installing another distro. My paranoid side says they're so bad at administering things that they might have been infected long ago and that their distros are compromised.
    But the logical side of me says "no, there's no evidence for that".

    Exactly. We have to trust that Microsoft don't put backdoors in Windows (which has already been proven that they do).

    However, Microsoft has a technical quality far better than Mint and many other distros out there, so I wouldn't consider the possibility of an outside breach so soon.

    This is good! This is very good :D If Catalyst was at a newer version on Mint, I would definitely install it to show my support to the developers.

    And as you mentioned, they're changing their servers as well, which is good for Mint users.
     
  18. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    205
    My install is from the same .iso dated last year, but all the updates from then on are to be put into doubt IMHO. How to be sure we know all about the hacks that have been --or haven't been performed-- once the servers are compromised? To what extent were they compromised? What has been done through the illegal access? How can the Mint team be even sure as to what has been touched or changed?
    Sure I can settle to look at each and every line of code from scratch, but what's the point of doing so? Not up to the end user to do that.
    Or I can compare hashes-- that goes for the original .iso, but how about hashes from each and every update performed? How to compare those and to what?
    Trust is broken, not toward Linux, nor even Mint team, but toward their servers and software. I think they're no longer even sure what part of their software they can rely on and trust.
     
  19. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Some fresh read for you on why I said Linux Mint is not a distro. It's a frankenbuild. It's a joke, and it has been a joke.
    Source:

    http://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/


    What exactly constitutes a 'Linux distribution?'
    Linux Mint, when considered as the sum of its parts, is the Cinnamon desktop environment (DE), mintTools (software installer, update manager, backup tool, welcome screen, etc.) and GNOME extensions built on top of an LTS version of Ubuntu. The repositories contain packages compiled for Ubuntu, without modification or recompilation. As outlined above, security patches and updates that work perfectly in Debian and Ubuntu are blacklisted as needed to not break under Mint—the only differentiation Mint provides is Cinnamon, thereby breaking security so that it "just works."

    This is not a Linux distribution and this is completely backwards from the way things are supposed to work. The code produced and value added by the Linux Mint team is in Cinnamon, which is available as a default DE in properly designed distributions such as Debian, Fedora, and openSUSE—all of which have security advisories. The task of maintaining and securing it is not a trivial task, and it requires more infrastructure and resources than the Linux Mint team possesses. Creating a pseudo-fork of an existing distribution to showcase a DE, while blacklisting updates—some of which are security updates—because it interferes with the DE is staggeringly irresponsible and tantamount to security malpractice.
     
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    The fact the Mint forum/server was hacked does not mean everyone should go ape**** on Mint.
    They are not the first nor last to get their stuff compromised. It doesn't make Mint any less better.
    Mrk
     
  21. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    What do you mean by "ape***"? Yes it's very true that every server could be hacked, but what people said about Mint, at least the two paragraphs I quoted, are all true. They deliberately prevented security updates in order for their DE to work. I mean, what kind of Linux devs would do stuff like that? All servers being hacked are not equal. Given Mint's philosophy on security, they certainly are more likely to be hacked. Yes Debian was hacked before, but why nobody ape*** on Debian? You never wondered why?
     
  22. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    Truth is, apart from Cinnamon there's nothing in Mint one can't find in the Ubuntu family.
    In fact Xubuntu is usually a more serious proposition than Mint Xfce, and Ubuntu Mate leaps with every new release.
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Very true, and if you research it a little, you can even install Cinnamon in Ubuntu from a PPA:

    http://www.webupd8.org/2014/06/new-cinnamon-stable-ubuntu-ppas-ubuntu.html
     
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Oliverjia, the fact they blocked updates is irrelevant - if anything it points at a broken system before Mint, which would be Debian and Ubuntu. Moreover, it has nothing to do with the site breach in any way, shape or form. Debian was hacked, and it makes it even worse, as they are supposedly security conscious. Plus Debian has no value for people who want to enjoy their computers, which is something that Mint helped change in the Linux world.

    Mrk
     
  25. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Maybe we can start a thread just to discuss this ;)
    Debian is as great as well as any other distro.
     