Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    I think this, below, hits the nail on the head. Coming from a Windows environment users see Linux Mint as familiar and easy to use but what is familiar and easy to use is the Cinnamon desktop environment which can be had elsewhere.

    Mint is back online - still no SSL, still no GPG. It's still the same 4 people who used a 6 character server password that included the phrase 'Mint' in it. It's still run by the same people who had a hacker in their system for over a month before users alerted them that there was a problem. It's still the same distro that purposely blocks some security updates from Ubuntu because allowing them would 'break' Mint. This article calls that "staggeringly irresponsible and tantamount to security malpractice".

    Mint is a great starter Linux imo. It didn't take me long to find Cinnamon elsewhere though and move on.

    http://www.techrepublic.com/article...n-indicator-of-a-larger-problem/#postComments

     
  2. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Softpedia is saying now that the Twitter post I posted below was sent to Mint's Twitter but they either ignored it or just don't check their Twitter - the latter more likely since they have 65,000 followers and there are only 4 people running Mint.

    http://news.softpedia.com/news/linu...east-a-month-before-announcement-500901.shtml

     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    LOL, I didn't even remember I had an account at Mint forums. I received this e-Mail today:

     
  4. Sm3K3R

    Sm3K3R Registered Member

    Joined:
    Feb 29, 2008
    Posts:
    604
    Location:
    Wallachia
    Linux Mint is an interesting distro, but i ve always manged to brake/kill the installs using the app installer or updater in maximum 1 day. :)
    I find strange that someone attacks this cute distro , but on the other hand makes us think twice before downloading ISO-es.
    For example for Open Suse ( i used to like this one) it takes ages to see updated ISO-es most of the time.When testing it on my AM1 machine i need to wait even an hour to install and update it :) so they usually dont check or updated the ISO-es for some reason.
    I guess because free distroes are free :)

    Have they managed to fix the issues in the mean time for real ?!
    I want to try Mint again. Is it safe ?
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    I just downloaded and installed Mint Cinnamon 17.3 x64 the other day and it's fine. Just check the MD5 against the one displayed on the download page. I've had great luck so far with this one, everything is very nice and polished. No issues at all....
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    You shouldn't be surprised once you know what humans can do to innocent people :/

    I think it's supposed to not cause confusion to newer users, because if they change the ISO more often then the hashes will cause confusion to those who downloaded an older ISO. But that is pure especulation on my part.

    Nah. Arch puts out an ISO every month :) Debian puts out ISO's for they "mini.iso" every few weeks IIRC.

    I think so, but you must make sure to download the new ISO's. Don't use older ones, who knows how long they've been compromised.

    It is, though not enough for me. If security is your main priority, than go with Debian Sid with the GRSecurity Kernel, or at least Debian Jessie. Or go with Arch and GRSecurity, maintenance is lower than any other Debian or Debian-family distro :)
     
  7. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    They have made some improvements. Though they never gave details - making it useless - they have always given the ability to check the image using GPG.

    They appear to be adding some security but kicking and screaming along the way because it is an admission that they were wrong.

    None of the other issues pointed out earlier have been addressed though.

    http://blog.linuxmint.com/?p=3007
     
  8. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    I've actually done a new install since all of this happened. I had to test a laptop that needed a 7mm drive and I only had a 16b ssd which was too small for Windows. The install went extremely smoothly and took much less than a half hour to get a fully working system. It was much easier and faster than either Windows 7 or Windows 10 which I installed after I got a bigger drive. Mint makes up in drivers what it lacks in security. That was obviously the focus of the development, driver compatibility and performance. Security was not and implementing security features is left to the user but is not all that difficult. In terms of the distro, not the server, I don't find the security that horrible and easily improved. I consider it more secure than Windows by far. If you want an easy system to set up that is going to perform well, Mint is made for that. If you want security, there is Qubes at the extreme and quite a few other distros that are much better.
     
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    I am surprised that there are still so many die hard Mint fans after all that just happened. Amazing.
     
  10. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
  11. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    Exactly. Mint simply has no resources to support such a huge project. You know what will happen (Again) when you are severely short-staffed in a project. It's maintainers are not even qualified as a Linux Admin, not to mention sitting on such a huge project. A joke if you ask me.
     
  12. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    Install GUFW and the firewall is taken care of. Add Firejail and the security is fairly decent. As I said, Mint excels in the driver department and that makes it attractive compared to some other distros. Mint, around 20 minutes from recycling center salvage to a working system. Another 20 minutes to apply updates--this was 17.2. Windows 7 took a couple of hours to install and get drivers sorted out and several more hours to update. The Windows 10 upgrade took several hours to complete and I once again had to spend more time sorting out drivers after I finally got to the desktop.
     
  13. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Bottom line, not everyone is obsessed with security issues, in fact millions use Mint daily and never worry about it as it has no impact on their daily use of their machines. Same with Windows. A very tiny select group of users will obsess about security and try to straight-jacket their Win systems, while most of the world carries on without concern. To each his own... :)
     
  14. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Windows firewall is on by default. Is there a downside to have the Mint firewall on by default?

    Mint's admins never worried about security either and look what happened to them.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    I don't see the need for a firewall on by default when most users probably are behind routers.

    As for the Mint breach/issue recently, things happen. Debian has had problems before too. I'm sure others have as well.
     
  16. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    As I said its the 'other' issues (reported below) that they are ignoring. No one will ever say Mint is the most complicated distro to install.

    What people love about Mint is Cinnamon much more than Mint and most people have no idea that Cinnamon is not Mint and have never tried other distros with Cinnamon. I've tried several and the Cinnamon experience is pretty common across distros. MRK does some great reviews but I find fault with the fact that the distro experience can change dramatically by what DE is used. There is also imo a big difference between adding a DE to a distro as opposed to one built from the ground up with that DE.

    This comment and the discussion that follows are good reading.

    https://lwn.net/Articles/676613/

    https://lwn.net/Articles/676664/

    "Well, Linux Mint is generally very bad when it comes to security and quality.

    First of all, they don't issue any Security Advisories, so their users cannot - unlike users of most other mainstream distributions [1] - quickly lookup whether they are affected by a certain CVE.

    Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable [2]. With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed.

    Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm" which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian which are "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.

    Another example of such a hi-jack are their new "X apps" which are supposed to deliver common apps for all desktops which are available on Linux Mint. Their first app of this collection is an editor which they forked off the Mate editor "pluma". And they called it "xedit", ignoring the fact that there already is an "xedit" making the old "xedit" unusable by hi-jacking its namespace.

    Add to that, that they do not care about copyright and license issues and just ship their ISOs with pre-installed Oracle Java and Adobe Flash packages and several multimedia codec packages which infringe patents and may therefore not be distributed freely at all in countries like the US.

    To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.

    I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues."
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    And yet Mint is by far the most popular distro and has been #1 on Distrowatch for years now.. ;)
     
  18. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    'Probably' isn't a very secure term.
     
  19. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Do you disagree? It's easy enough for a user to turn the firewall on if desired. Does Ubuntu have a firewall on by default? Or are you just picking on Mint today? :)
     
  20. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    I use Fedora not Ubuntu. The Fedora firewall is on by default.

    Let's be clear I am not 'picking on Mint' though you make it sound like a little kid using those terms.

    The firewall is a minor issue in comparison to other things that had some light shed on them after the hack.
     
  21. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    haha, I know someone will come up with this argument eventually.
    What about Windows XP? Microsoft stopped security updates for XP, yet XP still had the largest market share for years before 7 took over. So most people are idiots. For people prioritize convenience (no matter how little more) over security (no matter how much less), they deserve to be hacked. Not once, not twice, but many more times to come.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    It is not just cinnamon. Driver compatibility and ease of install make for a very good impression. Mint is also very lean on system resources, much better than Ubuntu. I find it using around 300-400mbs of system memory compared to around 700mbs for Ubuntu and more than 1gb for any version of Windows on the same machine. I am also impressed by the way I can move a Mint install to a Virtualbox VM and everything works, the guest additions are already there. In other words, Mint has virtues other than security that make it attractive. I don't see Mint as unprofessional at all, it just has a focus on things other than security.
     
  23. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    Yeah the popularity tag is a strawman argument which has nothing to do with what's being discussed.
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Guys, you're both *obsessing* on things that most users just don't care about. I certainly don't. You can find fault with ANY distro if you want. I don't use Fedora because it's too buggy. Same with OpenSUSE.

    Here's the bottom line: Nobody cares about all the things you're so concerned with. I think that pretty much sums it up. ;)
     
  25. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    740
    Location:
    United States
    So how many other distros where you can have Cinnamon by default have you installed and used?
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.