Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
  2. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    You miss my point.
    If there is an issue with Mint, then in time can the same issue occur with other Linux distros?
    How are other distros securing against such a breach, and why is Mint not employing them?
     
  3. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
    I did not miss your point. I started off with security of the "entire Linux infrastructure" apart. Anyway, the choice is up to each person.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    Well, the Why Mint question is answered. It was just an opportunistic hack that could have happened to any website that had such vulnerabilities. Really shocking for a Linux distro because Linux developers should understand the underpinnings of a web server and how to secure one. Incompetence is the word on many levels. Mint wasn't targeted, it was just easy pickings.
     
  5. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    I am most probably wrong. I think it's a Ubuntu devotee jealous of Mint.
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Only Mint's developers can answer why they ignore commonly used security practices, since in the many stories and discussion threads about this that are up on the net now, Mint is being filleted for their lack of security and other now openly questionable practices.

    MD5 is not considered secure. The same server hosted their WordPress blog. They used 6-character passwords that included the word Mint. The web addresses were not HTTPS. The list goes on; it's just a matter of reading through the several discussions taking place on the web now. Their entire forum database was being sold online in mid January, yet they had no clue they were hacked until 2 days ago.
     
    Last edited: Feb 23, 2016
  8. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I have been having this impression that Mint has lower quality in terms of security and system stability, but I have no idea the devs could be so dumb, arrogant and incompetent to such amateur levels. You can call it stupid for the third point, the "package renaming" game. Glad I have never touched their releases.
     
  9. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    This is one of the reasons I stay with Ubuntu.
     
  10. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
    Does Ubuntu have an LTS with support for at least 3 years from now? 'Cause I only see 6-9 months when I've looked. Thanks.
     
  11. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
    This may help:

    https://wiki.ubuntu.com/LTS
     
  12. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,556
    Location:
    USA still the best. But barely.
  13. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    There is always such resistance to --verify with GPG. This makes me want to cuddle with "GPG" because it prevents so many hurts.
     
  14. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I agree with you, in part. I don't think Mint users should verify the ISOs with GPG, and I think most of them don't even know how to do that. And it's OK, because they're not advanced users.

    What I think should be done, and this is for every OS out there, is the server admins should verify that everything is correct. They should leave the hashes where they've always been; this way users who know how to verify them could HELP the admins in case something goes wrong.

    But I feel that this happens: some admins put the distros/hashes out for the public, and don't bother to check them until the next release (or never, for that matter), being dependent solely on users to verify the integrity of the ISOs.

    If the admins were more active in this regard then this attack probably wouldn't have happened, IMO.
     
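    An added example (not code from the thread or from the Linux Mint project) of the admin-side integrity check the post above describes, which also illustrates the MD5-on-the-same-server weakness raised earlier in the thread: the published checksum list is signed with a key kept off the web server (an HMAC stands in for a detached GPG signature here), so a mirror compromise that replaces both an ISO and its checksum line still fails the audit. The file names and bytes are constructed placeholders.

```python
import hashlib
import hmac

# Constructed stand-ins for ISOs served from a mirror (hypothetical names and bytes).
PUBLISHED = {
    "distro-release-cinnamon-64bit.iso": b"genuine iso bytes 0001",
    "distro-release-mate-64bit.iso": b"genuine iso bytes 0002",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """sha256sum-style listing: '<hex digest>  <file name>' per line."""
    return "".join(f"{sha256_hex(d)}  {n}\n" for n, d in sorted(files.items()))


def sign_manifest(manifest: str, offline_key: bytes) -> str:
    """Stand-in for a detached GPG signature over the checksum file. The key lives
    on an offline machine, so whoever owns the web server cannot re-sign a new list."""
    return hmac.new(offline_key, manifest.encode(), hashlib.sha256).hexdigest()


def audit(served_files: dict, served_manifest: str, served_sig: str, offline_key: bytes) -> dict:
    """Admin-side check run against what the mirror is actually serving.
    Reports whether the manifest is still the one that was signed and which
    served files no longer match their recorded digest."""
    expected_sig = sign_manifest(served_manifest, offline_key)
    manifest_ok = hmac.compare_digest(expected_sig, served_sig)
    tampered = []
    for line in served_manifest.splitlines():
        digest, name = line.split("  ", 1)
        if name not in served_files or sha256_hex(served_files[name]) != digest:
            tampered.append(name)
    return {"manifest_ok": manifest_ok, "tampered": tampered}


def demo(offline_key: bytes = b"kept-on-an-offline-machine") -> list:
    """Three scenarios: clean mirror, swapped ISO, swapped ISO plus rewritten checksums."""
    manifest = build_manifest(PUBLISHED)
    sig = sign_manifest(manifest, offline_key)
    swapped = dict(PUBLISHED, **{"distro-release-cinnamon-64bit.iso": b"backdoored iso"})
    return [
        audit(PUBLISHED, manifest, sig, offline_key),        # clean: nothing flagged
        audit(swapped, manifest, sig, offline_key),          # ISO replaced: file flagged
        audit(swapped, build_manifest(swapped), sig, offline_key),  # list rewritten too: signature fails
    ]
```

An unsigned checksum list hosted beside the ISOs would pass the third scenario, which is exactly why hashes on the same server give no protection on their own.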
  16. SuperSapien

    SuperSapien Registered Member

    Joined:
    Apr 9, 2015
    Posts:
    227
    Wow, I always thought they paid for the third-party software from donations and ad sponsors. :thumbd:

    This really sucks, I like Linux Mint. :'( What distro should I move to? I like the Windows-like interface, maybe Zorin OS or Netrunner; I've heard their Arch version is pretty good, plus both of them have video live wallpaper options.

    Really, only six characters? I'm a novice and I use better passwords than that. :rolleyes:

    I'm worried about updates and the software center now. :gack:
     
  17. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    What about "not only one"? :) Install numerous distros; eventually you will decide which is best at that time. And your opinion and experience WILL change in the course of the years. For example, I thought Arch was the best thing in the world; but Catalyst is not working fine there right now, and thus I can't use Arch for work. Debian was my second option, and yet again I had to move away from it. Ubuntu was sluggish and used too much HD all the time, so I couldn't use that either (not to mention it's harder to maintain than Arch and Debian).
    But it seems there's a light at the end of the tunnel for me: openSUSE. The smartest installer out there; the best OpenCL performance (3x what Arch/Debian/Ubuntu offer); all my games and recording software work here (some don't on Arch/Ubuntu/Debian); real good stability and user interface, especially with YaST; etc.

    So I'd recommend testing all the distros you can. Start with Ubuntu or some of its flavors like Ubuntu MATE/Kubuntu/Xubuntu/etc. Then if you get bored of it or they're too buggy for you, go to Debian (start with Debian stable). Then if you're bored or can't use Ubuntu/Debian anymore, go with openSUSE, and so on. Then if you want, move to Fedora, or Manjaro, or CentOS, or Arch, or try any one of them again.

    My point is: Don't feel like you need to stay with one or with what most people use. Go with your findings, go with your experience, trace your own road. Stay where it suits you better; today it might be one distro, and tomorrow the game can change. And although most people might agree on something, it doesn't mean this something is better for you. Only you know what is best for yourself, so go with your knowledge and experience :)

    And if something goes wrong (and it will, at some point, for everybody), don't hesitate to ask for help.
     
  18. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
  19. TS4H

    TS4H Registered Member

    Joined:
    Nov 5, 2013
    Posts:
    523
    Location:
    Australia
    Maybe this is a case of fragmentation, or specifically a result of fragmentation within the community? I have no idea how this open source vs. free software thing works in Linux, or whether distro developers are bound by any certain obligations, guidelines or protocols. Is there a governing body of GNU/Linux that dictates/encourages certain practices?

    Or is it pretty much do as you please and deal with the consequences as they arise, rather than taking pre-emptive action and following best common practices?

    To be honest this is quite unsettling, considering I'm one of the many seeking refuge from Windows, so to speak. I assumed the open source status and the dogma around the word implied far greater levels of security and privacy, and with that a sense of "trust to a point".

    What to do, what to do.

    Edit: IMO keep using Mint. Learn linux, learn the ecosystem and judge later and act accordingly.
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Yeah, the email I used to sign up for the Mint forums came up pwned also. I don't see it as a big deal since I only use it to sign up for accounts; anything else that comes into that account goes in the trash or is marked as spam.

    You can't change your password yet because Mint is still down: Saturday, Sunday, Monday, Tuesday...
     
  21. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Yes, me too. I registered using a remailer (33mail.com), so it's not a big deal, and also I use unique passwords.
     
  22. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,417
  23. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    10,239
    Location:
    Lloegyr
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    There are other distros that can use Cinnamon including Ubuntu which isn't in this list.

    https://distrowatch.com/search.php?desktop=Cinnamon

    I'm not all that worried about updates. I don't update daily, more like every couple of months. The Mint install I use the most has some security additions like Firejail and GUFW, and I did a really clever SD card install with it: it is on one half of a 64 GB SD card and Windows sees a 32 GB SD card.

    Ubuntu 14.04 LTS is the distro I use the most. It works really well on my Lenovo W520, and I finally got Bumblebee, the Linux version of the Nvidia/Intel switching graphics driver, working. What I've found is that some distros work better on some hardware than others, and a distro that works great on one machine won't necessarily work so well on another.

    I like Mint for its ease of use and easy transition from Windows. When I first read about this, I was worried that this was some sort of organized attack on Linux but it has turned out to be just a case of sloppy server security being compromised.
     
  25. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,718
    I just got my first post-Mint-hack mail, some Brazilian fellows want me to know my bank transaction was done successively.
     