Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    They say they will detail their GPG key for downloads at some point. As I've read that has always been there just no instructions for use.

    The image sites are supposed to be https also now.
     
  2. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    When the answer to any possible problems with the distro (in a security forum) is "it's popular" and "it's easy to use" I think the discussion has basically ended.
     
    Last edited: Mar 20, 2016
  3. UnknownK

    UnknownK Registered Member

    Joined:
    Nov 3, 2012
    Posts:
    160
    Location:
    Unknown
    After reading some of the comments here full of mint bashing, I am beginning to wonder whether it's the distribution itself which got hacked, not just the website of the distribution. Probably I need to reread the news about the hack.
     
  4. Santosh83

    Santosh83 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    4
    I recall the distribution itself was modified (IIRC the 17.3 version, Cinnamon flavour only) and a malware was piggybacked onto it. They got to the distribution ISOs by breaking into the website.
     
  5. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I don't believe I've ever really 'bashed' Mint. I am concerned about many of their security practices, problems and support though, which is why I've never used it. I've used another Debian/Lubuntu/Ubuntu LTS based distro though. I quite liked LXLE http://distrowatch.com/table.php?distribution=lxle unfortunately my old laptop had hardware problems and now resides in the great hardware repo in the sky.

    It was fun while it lasted and I kinda liked SeaMonkey preconfigured with BluHell Firewall.

    I'll stick with Ubuntu I think, Canonical just do it so well. ;)
     
  6. accessgranted

    accessgranted Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    205
    That's the trouble: once the site is hacked, how to be sure the .ISOs are still legitimate? How skilled were the attackers, and how far could they go while remaining stealth? Did they just steal content, or did they silently alter the software? I liked Mint a lot, but as long as I don't get precise answers to those questions, I just cannot be sure any Mint version I install or update on my system from now on is clean.
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Honestly, I wouldn't use Mint in the foreseeable future. Looking more deeply into what happened, I cannot guarantee that the ISO is not compromised. In fact, I wouldn't even use Cinnamon, for that matter.
    Anything that comes from Mint should be taken with a little salt; not on the quality of the product/code itself, but in regards to actual backdoor compromise. I wouldn't be surprised if, e.g., Cinnamon, had malicious code, considering how insecure Mint management was. Will they audit the source code for their products?

    I guess it's possible to compile everything from source and see if there's anything tampered, but that would require too much effort. Mint is not trivial for me, so why bother reading through the source code and compiling everything.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    If this has been done to the Mint site and ISO, what's to keep it from happening to the 100's of other distros and sites? Why would we trust ANY of them then? At some point, one has to at least be reasonable (as opposed to overly paranoid), or one cannot live... ;)
     
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    Because the technical and maintenance resources are different for each of these 100 ISOs. Not every distro was created equal (isn't this obvious?). You can have everything positive about a distro in your imagination, but when it comes back to real life, resources basically determine the quality of each distro. Therefore, I always stick with the distro with the best resources, both human resource and financial aspects. A "hobby project" is deemed to be more problematic than other more professional ones.
     
  10. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Really?
    What in your opinion is a more professional one?
    All operating systems have problems whether they are professional or not.
    FOSS for example is non-corporate and often the contributors are volunteers, this is how our Linux distros come into existence.
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
  12. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    In the case of opensource, the source code needs to be checked which shouldn't be that big a deal and then recompiled if there is any doubt about the binaries. This would be a much bigger concern with closed source proprietary software where only the binary files were publicly released.

    Based on the facts, not on the paranoid fud that has been going around about this, I have no problem continuing to use Mint and doing new installs of it.

    Auditing the source code for alterations is not that difficult a prospect for the developers. There are software tools and scripts that can make this fast and painless. It is not necessary for every line of it to be read by a human being to verify its integrity.

    Not exactly true, they took the source code and altered part of it, recompiled it, and incorporated it into an ISO image that they hosted on a completely different server. They altered the links on the Mint server to point to the compromised ISO. They didn't change the ISOs on the Mint server.
     
  13. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  14. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    Yes, my brother has used that for a long time.
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    The problem is that it takes too much time and effort to review source code. Take TrueCrypt as an example: it took hundreds of thousands of dollars, numerous cryptography experts, and a few years, and that is for a 3 MB program.

    Reviewing the source code of Mint is not practical. Nobody will do it, unfortunately.

    The fact is that we don't know the extent of the damage. Mint could be compromised for a long time and we don't know.

    You can consider Mint as the Schrödinger's Distro :p Until we review the source-code, it could be clean or malicious. Arguing in any direction without proof is pointless and pure speculation.

    Actually, that is exactly what Debian was doing in 2008, and that is exactly why they compromised OpenSSL completely https://en.wikipedia.org/wiki/Debian#2008_OpenSSL_vulnerability
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    The site is now https and you can check your download against the sha256sum and gpg signature files.

    https://community.linuxmint.com/tutorial/view/2266

    This is how other distros have kept their images clean for years now but Mint IS doing the same now.

    I have to believe that Mint had a virgin copy of all their builds & Cinnamon offline and could simply upload that once they had the security issues ironed out. Regardless, it's just Ubuntu with different packages & priorities. During the end of the install you can see Ubuntu packages being removed such as Apparmor - well I have seen that before.

    Anyone with a clean install of Mint after the initial updates can install a grsecurity kernel through an automated script or there are manual instructions in the 2nd link below and as has been said here there is also Firejail.

    https://github.com/rickard2/grsecurity-Debian-Installer

    http://hardenedlinux.org/system-sec...ening-your-desktop-linux-mint-with-grsec.html

    The number one thing about Mint is that it is bringing users over from Windows and not everyone stays with Mint once they become more familiar with Linux overall. They fixed their iso issues & they had a security audit performed plus they are using a security vendor on an ongoing basis. So they're doing what they can within their financial constraints.

    This coming from someone who may have been seen as bashing Mint in this thread.
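
    The check described in the post above, as an added example that is not part of the thread or of Linux Mint's own instructions: verify the GPG signature on the checksum list first, then compare the ISO's SHA-256 with the entry in that signed list. The function names, the argument order and the fingerprint placeholder are assumptions; the signing-key fingerprint has to come from a source other than the download site, since a checksum served by the same compromised site proves nothing.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded ISO against a GPG-signed checksum list.
# Function names and the fingerprint placeholder are assumptions.

# Placeholder: set to the signing-key fingerprint obtained out of band
# (not from the same web page that links to the ISO).
EXPECTED_FPR="${EXPECTED_FPR:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# check_signature SUMS SIG
# Succeeds only if SIG is a valid detached signature over SUMS made by the
# key whose fingerprint equals EXPECTED_FPR (key must be in the keyring).
check_signature() {
    local sums="$1" sig="$2" status
    status=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null) || return 1
    # VALIDSIG line: field 3 is the signing key's fingerprint,
    # the last field is the primary key's fingerprint.
    printf '%s\n' "$status" | awk -v want="$EXPECTED_FPR" '
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_iso_hash SUMS ISO
# Returns 0 if the ISO's SHA-256 equals its entry in SUMS, 1 on mismatch,
# 2 if the ISO's file name is not listed in SUMS at all.
check_iso_hash() {
    local sums="$1" iso="$2" name want got
    name=$(basename "$iso")
    # sha256sum list lines look like "<hex>  name" or "<hex> *name".
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
                               if (f == n) { print $1; exit } }' "$sums")
    [ -n "$want" ] || return 2
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# verify_iso ISO SUMS SIG: signature first, then the hash. A matching hash
# from an unsigned or wrongly signed list is treated as a failure.
verify_iso() {
    local iso="$1" sums="$2" sig="$3"
    check_signature "$sums" "$sig" || { echo "signature check failed" >&2; return 1; }
    check_iso_hash "$sums" "$iso" || { echo "checksum mismatch or ISO not listed" >&2; return 1; }
    echo "OK: $iso matches the signed checksum list"
}

# Run as a script only when given: ISO, checksum list, signature file.
if [ "$#" -eq 3 ]; then verify_iso "$@"; fi
```

    The order matters: the signature ties the checksum list to a key you already trust, and only then does the hash comparison say anything about the ISO.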
     
  17. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    I'm a newcomer to Linux. I've used it only a few times over the last 16 or so years. Lately I've been using Mint a little bit, and I like it a lot. This is particularly due to the Windows inspired interface. While I have not used it recently (but I guess I have used it at some point), by looking at screenshots of it, I'm sure I would not like the OS X inspired UI used by Ubuntu, as I really do hate OS X.

    I've got no plans to ever ditch Windows, but as alternative to play around with, I think Mint is an excellent choice.

    I'm not too worried about the issues with Mint, as it does seem they are trying to do things better now as @AutoCascade explained, in his last post.
     
  18. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Look for a Distro that does most of the following, automate (reduces chances of human intervention), only build and provide packages from source, follow common security practices for securing infrastructure and processes and packaging.
    Compile every package from source using automated build servers (never manual). Build install images automated too, have nightly builds. Run suite of tools to test these nightly builds. Have different server/locations for storing source code, packages/images and websites. Don't ship packages without source code available. Use secure configurations on infrastructure (secure connections, unique passwords per service/server and keys and all the usual security practices). Run security audits, respond to CVEs and do own security patching. Has a diverse team of people (no single point of failure).

    Major distros such as Debian/Ubuntu/Redhat/Centos/OpenSuse do most, if not all of the above (I've never investigated what Mint does).
     
  19. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I think it was Unity that really sold Ubuntu for me, precisely because it does vaguely resemble OS X. I believe Linux and Mac (& Android) are all fundamentally UNIX based anyway. Mint did try to replace Unity with a more Windows-like desktop environment.

    One of the big attractions of Linux for many is precisely that it isn't Windows and doesn't suffer from the same security headaches that Windows seems to be plagued with. Most Linux users AFAIK have little in the way of security and rely on the security of the distro releasers' ability to regularly patch and update/implement Linux kernel updates promptly and efficiently.

    There have been questions about Mint's security approach for quite a while now. Hopefully these have been addressed. This whole episode has not improved my confidence in Mint though & it is unlikely I would ever use it now.
     
    Last edited: Mar 25, 2016
  20. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    @Daveski17 I guess I'm too used to Windows after using it for many years to like OS X itself or OS X inspired desktops. But, the fact that different Linux distros can have completely different desktops to cater for different tastes is obviously a great strength. The same applies to Android phones to an extent with some manufacturers heavily customising Android on their devices.

    With regards to security, it is nice to have an operating system which works very well right from when it's first installed, with (seemingly) no dramas with updates, and no need to worry about installing security software or finding missing device drivers. While, thankfully, it's extremely rare in my case for any Windows Update to actually cause problems, I have been having a lot of problems with Windows 10 updates failing to install.
     
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I think that desktop environment choice is the great appeal of Linux. I'm not so sure that some DE's are so much OS-X inspired or that it's just integral to the OS architecture itself. I remember the Gnome desktop on Ubuntu. The overall look and feel of a distro can be important, something I've always found a tad lacking in the bog standard Ubuntu. I can see the appeal of Mint for Windows users. Unity is a bit like Vegemite/Marmite, you either love it or hate it. Now, if they could fix it that all websites could stream TV with Linux (two or three I use that run in windows won't run in Linux) it would be almost perfect lol.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    And here I am without any desktop environment at all. I guess that's a choice as well ;) I use the Openbox window manager which lets me do most of what I need. Then, there are small conveniences such as Kupfer and dmenu to help me launch / open files without much overhead at all.
     
  23. Santosh83

    Santosh83 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    4
    I remember trying Openbox a few years ago, but eventually settled for LXDE and then XFCE. Gives me a nice compromise between no desktop and the rather big (for my system) ones like Unity, Gnome or KDE. By the way, what do you use for a clipboard in your environment?

    Thanks for the correction. You're right.
     
  24. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    I guess that's the Linux equivalent of 'going commando' lol. ;)
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I'm not referring to in depth analysis of algorithms or functions, I'm referring to unauthorized alterations of the actual text which can be easily parsed. The key word here is integrity.

    That is the paranoid fud I refer to. It has no basis in fact and all evidence points to the contrary, especially since the hack which has put a lot of attention on Mint and any problems with it. Given what the hackers actually did, they didn't show that kind of thought or sophistication. Any such intrusion and alteration of files would leave traces which could only go unnoticed if nobody was paying attention and that is not the case after the hack. Paranoia, in general, does not lead to better security. It leads to misallocation of resources and putting defenses where they are not needed while taking them away from where they are. It favors the attacker, not the defender.
     