Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Discussion in 'all things UNIX' started by stapp, Feb 21, 2016.

Thread Status:
Not open for further replies.
  1. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,377
    I'm running the Openbox session of Lubuntu. The Lubuntu dev has made something called lxclipboard and that works even in an Openbox session. It's very elementary but I don't need a sophisticated clipboard manager. My next choice, again keeping minimal resources and dependencies in mind, would be xfce4-clipman.

    The one pita is LibreOffice. If I copy something and assume it's in the clipboard and close LibreOffice before pasting the stuff elsewhere, it's gone. IIRC, the LibreOffice devs are aware of the issue but regard it as a feature.
     
  2. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,314
    Location:
    Canada
    Well stated, MisterB :thumb: Good grief, all this fud is having a paralyzing effect on some people. Just a simple check of the ISO's MD5 checksum will verify its legitimacy.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    But that's my key point, we don't know for how long they've been hacked or if they've been silently hacked in the past. 2-month-old or 1-year-old code means nothing in Mint's terms now, especially considering Mint's security practices.

    My concerns aren't only in regards to the after scenario, but the before. Mint's security practices were cr*p, there is no way to guarantee the code is clean unless it's reviewed, which AFAIK didn't happen.

    And it's not paranoia to say it's uncertain if Mint is clean. Paranoia is saying "it's infected" without evidence. All I said was "there is no way of telling if it's clean or not, only code review can tell".

    Paranoia could also mean saying it's clean without code review. The paranoid argument can go either way ("it's clean" <---> "it's infected"), and without actual evidence (i.e. source code review) it's completely unscientific either way.
     
  4. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    Where is any evidence or even indication of this? As I said, intrusions and alterations can be easily traced once a breach is discovered. Logs that don't normally get looked at get looked at. Source code on a server can be quickly parsed for any differences from known good files.

    There is also the lack of any indications of any serious security problems with Mint before the hack that I've pointed out before. If there was compromised Mint code floating around for the past two years, there would have been some indications of it by now. Malware, just like any other software, has a goal and a purpose such as pushing unwanted ads or ransomware. It gives evidence of its presence both by behavior and network connections it makes. Even if hypothetically possible, I don't see the Mint Linux community as being worth any kind of real stealth malware that is usually used in targeted attacks on targets with some value to the attacker like access to a restricted corporate or government network.


    In other words, you can come up with all kinds of hypothetical possibilities but it is also very easy to disprove them by looking at the facts and it is the facts you work with, not the possibilities.
     
  5. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    There's none, because the source code hasn't been reviewed by a 3rd party.
     
  6. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    It's so funny. Talking about the facts and possibilities. "All kinds of hypothetical possibilities" were raised by you that Mint is safe, based on the reality of all its malpractices on development security, and the fact that Mint trades security measures for usability. What's your logic here? Your assertion here "Mint is safe" is not supported by the fact that Mint deliberately sacrificed common security measures to cater to noobs who prefer "easy to use". Why does this thread even exist in the first place? What fact caused its existence?

    You could not tell reasonable susceptibility from paranoia.
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    I'm talking about internet chatter like forum posts on the Mint forum, here, and elsewhere. Actual case histories with details of what happened. Reviewing source code won't reveal actual compromised systems. Not only do you need anecdotes of actual compromised systems, the compromises have to be traced to alterations in the Mint source code that were done by the hackers. Just as an example, here is a case history of an Ubuntu exploit and infection I found on Youtube.

    https://www.youtube.com/watch?v=94QsgdXnsmU

    I actually find this video pretty interesting because the victim gives a detailed account of the compromise but never once thinks of how that attack could have been prevented. Noscript or uMatrix and setting Flash to "Ask to Activate" would have saved him. The facts in this video can actually lead one to improve security in a real way.

    Sacrificing security for usability is a common choice that is made in life in general, not just computers. Once again, we are dealing with something that, however bad it sounds in theory, hasn't been demonstrated to affect the Mint user community in any big way by actual case histories. Yes, Mint is safe, safer than Windows by far. That there are OSes that are far safer and more secure is a given but that doesn't make Mint particularly unsafe. For those who want to harden and secure it, the common options of GUFW, Firejail, Grsecurity, Apparmor and SELinux are all possible for Mint.

    This post from this morning is another example of something that is factual and that gives you facts that might make you want to review and tighten security in a realistic way like removing Powershell if you are not using it. https://www.wilderssecurity.com/thre...ndows-powershell-word-document-macros.384744/. Off topic and the wrong OS, I realize, but a good example of something that gives you facts that can be worked with.
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Well said, this is pretty much how I see it too.
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Exactly. What MisterB fails to realize is that, given Mint's security practices, it's possible that the old code (here deemed safe) is compromised, so matching it with new code won't give an answer to whether or not Mint's source code is clean.

    It doesn't matter the direction of the argument, the only possible way to know that is by source code review.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    Possible is just that, it doesn't mean probable, much less certain. To make decisions based upon remote possibility makes no sense. So far, I have seen nothing that moves the assertion that the Mint code was compromised in the past anything more than a remote and unlikely possibility given the lack of actual evidence to support it.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    That is EXACTLY what I've been saying over and over and over and over and over.

    Saying "Mint's code is clean" without actual evidence is the SAME as saying "it's not clean" without actual evidence. The difference is that I said "WE CANNOT BE SURE EITHER WAY UNTIL A CODE REVIEW IS DONE. Nobody knows if Mint's code is clean or not until proper source code review is done".

    I don't know how much clearer I can be.
     
  12. Santosh83

    Santosh83 Registered Member

    Joined:
    Mar 22, 2016
    Posts:
    4
    Yup. The Mint team needs to do a code review and a review of all the logs of their website. By code review, they only need to check their OWN code, i.e., their DE Cinnamon plus all the other customisations, installers, patches and glue they add to create Mint and LMDE, as well as their website code too. The rest is presumably pulled periodically from Ubuntu and Debian's repositories, so all they'd need to do there is to do a fresh update. And of course they need to wipe their servers down to the metal and re-install whatever OS they're using and reboot their whole build toolchain and website. This is NOT easy, and I'm afraid they may be somewhat less thorough than this.

    Their latest blog post notes that they will display SHA256 sums and GPG info, but I am rather disappointed to note that it's not yet in place on some of the download pages, while on others it's there, but no directions are provided to newbie users as to how to verify them. However, they have switched their site (except for the blog) to HTTPS.
     
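    The verification steps Santosh83 refers to (a published SHA256 sum list plus a GPG signature on it), written out as an added shell example that is not from this thread or the Linux Mint project; it assumes the file names sha256sum.txt and sha256sum.txt.gpg and that the distribution's signing key has already been imported into the local gpg keyring.

```shell
#!/bin/sh
# Added example, not from the thread or the Linux Mint project: check a
# downloaded ISO against a published sha256sum.txt and, when a detached
# signature file is given, verify that signature with gpg first.
# Assumptions: the file names sha256sum.txt / sha256sum.txt.gpg, and that the
# distribution's signing public key is already imported into the gpg keyring.

# verify_iso <iso-path> <sums-file> [<detached-signature-file>]
# Returns 0 only when the signature (if given) verifies and the ISO's
# SHA-256 matches the entry for its file name in the sums file.
verify_iso() {
    iso=$1; sums=$2; sig=$3
    iso_name=$(basename "$iso")

    # 1. Authenticate the sums file. A checksum fetched from the same server
    #    as the ISO only shows the download was not corrupted; the signature
    #    is what ties the list to the distribution's key.
    if [ -n "$sig" ]; then
        gpg --verify "$sig" "$sums" >/dev/null 2>&1 || {
            echo "FAIL: signature on $sums did not verify" >&2; return 2; }
    else
        echo "WARNING: no signature file given, only integrity is checked" >&2
    fi

    # 2. Look up the expected hash. sha256sum.txt lines look like
    #    "<hash> *<file>" (binary mode) or "<hash>  <file>" (text mode).
    expected=$(awk -v f="$iso_name" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "FAIL: $iso_name is not listed in $sums" >&2; return 3
    fi

    # 3. Hash the ISO and compare.
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: SHA-256 mismatch for $iso_name" >&2; return 1
    fi
    echo "OK: $iso_name matches $sums"
    return 0
}

# Usage as a script: sh verify_iso.sh linuxmint.iso sha256sum.txt sha256sum.txt.gpg
if [ "$#" -ge 2 ]; then verify_iso "$@"; fi
```

    The return codes distinguish a bad signature (2), an unlisted file (3) and a hash mismatch (1), so the script can be used from other tooling as well as by hand.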
  13. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Larger font perhaps ?

    Maybe more use of color to highlight key points in the text.....

    .... I don't know .... my eyesight ain't what it used to be :)
     
  14. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    This.
    Very objective assessment.
     
  15. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Just to be clear on this, are we certain, beyond any doubt, that they have NOT done a code review?
     
  16. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    What do you mean by "they"? I hope you did not mean Mint devs.
     
  17. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Who else would do a code review but the Mint people? I'm just asking, can we know for certain that they haven't done one? Or is this just more speculation, like 99% of this thread has been. :)
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    I find the code review part to be trivial and a misleading argument. As I said earlier, it would not take long to parse the code on the server for any alterations that weren't done by the developers. My other point, that there would be actual case histories of compromised Mint installations by now if it had happened a year or two ago. Would anyone out there who is spreading the paranoid fud please bring one up to support your assertion. The internet is not a place where people keep quiet about stuff like this. Until you do so, I remain firm in asserting that what happened is pretty much as reported by the Mint blog and using Mint is as safe as any other distro.
     
  19. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,038
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    @MisterB I agree as well. I think we can all rest pretty easy about Mint and let go of all the paranoid fud, because that's pretty much all it is at this point.
     
  21. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,903
    You people are hilarious. If there were to be a code review, it definitely should NOT be the Mint people, because they are the party that has a conflict of interest. You have to use a third party to do the code review to maintain objectivity. One such example is the code review/audit of Truecrypt, which was led by Johns Hopkins cryptographer and security technologist Matt Green, a third party. Granted, the authors of Truecrypt were nowhere to be found anymore; but even if they were known to the public, the code review and audit should still have been done by a third party team.
     
    Last edited: Mar 26, 2016
  22. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,038
    My common sense tells me that there's almost certainly nothing to worry about. Because I am never paranoid when it comes to security, I'm prepared to take the risk (an extremely small one in my opinion) and use Mint.

    If you have a different opinion, then that's fine, and there's no shortage of other Linux distros to use. But I don't think anything you say will make me change my mind.
     
  23. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,003
    Ok, so that's how it works, I have no idea, that's why I asked. But I still have to agree that some of you are simply obsessing over nothing. I also agree that we're hearing mostly paranoid fud in this thread and elsewhere over the Mint issue. I have no problem using Mint, nor do many many others. Let's be practical. We can all sit around obsessively worrying about every little detail that *might* somehow happen. Or we can relax, and live our lives worry free. I choose the latter... As another member mentioned, show me the story or stories where all the Mint users have been compromised over the past months or years. I'm afraid it just ain't happening.... :)
     
  24. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    Wrong sort of review. We're not analyzing complex algorithms to see if they've been coded correctly, we're just seeing if the source code text has been altered from the developers' original. I could do that easily if I had the files and wouldn't need much more than a file browser for the initial parsing. You're barking up the wrong tree. Once again, a case history please to prove this is more than fud.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,248
    Location:
    Southern Rocky Mountains USA
    They would be the only ones who could effectively do it because they would have the original development files on the machines that they coded on. Without those, tracing unauthorized alterations would be much more difficult because of the lack of logs, change files and timestamps. Once again, you're barking up the wrong tree. This is a forensic investigation looking for damage, code maliciously altered by 3rd parties, not an analysis of how well the code implements its intended functions or if there are exploitable flaws in the original developers' code.
     