Linux Mint hacked: Malware-infected ISOs linked from official site

If you downloaded and installed Linux Mint from the distribution's website over the weekend, your machine has been compromised. "Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," said Clem Lefebvre, creator of the Linux Mint distribution, in a blog post dated …

  1. Anonymous Coward
    Stop

    If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.

    Er no, getting in touch with the authorities should be a default policy not an "if it happens again".

    1. This post has been deleted by its author

    2. TeeCee Gold badge

      Maybe because they know it's a complete and total waste of their bloody time to do so[1], but they feel they have to show willing anyway?

      [1] 'Cos the chances of "the authorities" actually giving a shit are only beaten for fuck-alledness by the chances of them actually catching the culprits if they bother to try.

  2. present_arms

    Quick way of finding out, from live session: "Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO."

    I feel sorry for the guys over at mint, they made Ubuntu usable.

    Alie

    1. Anonymous Coward

      "I feel sorry for the guys over at mint, they made Ubuntu usable."

      And that's why it is a target.

      It's time to stop treating this as a minor crime and to go after the perpetrators seriously. Of course it might turn out some of the perpetrators are TLAs, hence the light touch so far.

      1. Charles 9

        Re: "I feel sorry for the guys over at mint, they made Ubuntu usable."

        Or they could be housed in countries hostile to the LEOs, meaning they can't be touched in any event.

    2. Roq D. Kasba

      Polo Mint

      That is all

    3. Mage Silver badge

      Proof Positive

      That Linux Mint is popular

      1. Anonymous Coward

        Re: Proof Positive

        Proof positive that Linux mint should be avoided, the fact they even use MD5 as a checksum is further proof they can't be trusted with security.

        #fail.

  3. Field Commander A9

    What happened to the "Linux is malware-free" claim?

    1. Anonymous Coward

      It's becoming a viable target, possibly because people have switched thanks to Microsoft aggressively pushing Win10

      1. westlake

        In your dreams.

        "It's becoming a viable target, possibly because people have switched thanks to Microsoft aggressively pushing Win10."

        In round numbers, Win 10 has a 12% share of the desktop, and Linux 2% (Desktop Operating System Market Share). In 25 years Linux as a desktop client has gained almost no traction whatever.

        1. GrumpenKraut
          Pint

          Re: In your dreams.

          Depends where you look: w3schools reports share at 5.5% during 2015, essentially stable.

          1. Anonymous Coward

            Re: In your dreams.

            From your link:

            You cannot - as a web developer - rely ONLY on statistics. Statistics can be misleading.

            Note: W3Schools is a website for people with an interest for web technologies. These people are more interested in using alternative browsers than the average user. The average user tends to use the browser that comes preinstalled with their computer, and do not seek out other browser alternatives.

            So you could infer that people interested in Web Technologies are twice as likely as the common herd to use Linux, a ringing endorsement.

            1. Anonymous Coward

              Statistics...

              A mathematician once worked out that to be on an aircraft, the stats proved it could be 1 in 10000 that it had a bomb on board. To have TWO bombs on board worked out to be 1 in 10000000, so every time he flew, he carried his own bomb.

              1. John Tserkezis

                Re: Statistics...

                "so every time he flew, he carried his own bomb."

                That's hardly an interesting story.

                Would be much more interesting if he stood during takeoff and said "I have a bomb".

                NOW we have a story. :-)

              2. Lammy

                Re: Statistics...

                ...or the statistician who drowned in a river that was 1 metre deep ... on average

              3. Anonymous Coward

                Re: Statistics...

                > To have TWO bombs on board worked out to be 1 in 10000000,

                I realise it's a joke, but he should have paid more attention in statistics class and he would have known about the dangers of falsely assuming events to be independent.

                In fact, if there is one bomb on board, the not unreasonable assumption is that the attacker will have slipped a back-up in case plan A did not work. Or in the case of land-based attacks, to finish off the job, e.g., by placing a second device at the expected gathering point of the crowds fleeing the first deflagration.

                A proper statistician would have taken those circumstances into account.

                I would have let the joke run, but there have been serious consequences to real people¹ because of this misinterpretation.

                ¹ Powerpoint file.

            2. Criminny Rickets

              Re: In your dreams.

              Have to disagree with you here. I had to (reluctantly) work on one of these average users' computers last night, running Windows 10 (where the reluctantly comes in), and they were running Firefox as their default browser, not Internet Explorer or Edge.

            3. GrumpenKraut

              Re: In your dreams.

              > Note: W3Schools is a website for people...

              Yes, W3Schools is certainly a site that reports a rather high percentage of Linux usage. I agree with your reasoning why that is.

            4. Anonymous Coward

              Re: In your dreams.

              "So you could infer that people interested in Web Technologies are twice as likely as the common herd to use Linux, a ringing endorsement."

              Or you could infer that they need a detailed understanding of web technologies to get the damn things to work properly on Linux....

        2. Tom 7

          Re: In your dreams.

          There's more raspbian than windows in my daughter's primary school.

          1. KeithR

            Re: In your dreams.

            "There's more raspbian than windows in my daughter's primary school"

            Primary school - good place for it..

            1. smot

              Re: In your dreams.

              "Primary school - good place for it.."

              Indeed - it's easy to use, and easy on the school budget. Loads of educational software, and a decent UK support infrastructure.

              Glad you pointed it out.

            2. Anonymous Coward
              Childcatcher

              Re: In your dreams.

              >>"There's more raspbian than windows in my daughter's primary school"

              >Primary school - good place for it..

              It's also handy in the office. I currently have a work experience lad from the local college wielding a soldering iron, whilst I drill holes in the walls etc to setup a one wire sensor network for the place. I did consider making him do data entry and filing (not really) as is traditional. I now have eight temperature sensors and a couple of door open/shut sensors wired up to a Pi. OpenHAB on the frontend and also fed to our Icinga instance. Total parts bill <£100 including the Pi.

              I have 25 years sysadmin experience and rather a lot of IT equipment, he has good eyes and steady hands and a willingness to learn. Good combination for education to occur (including mine.)

            3. FuzzyWuzzys
              Facepalm

              Re: In your dreams.

              "Primary school - good place for it.."

              Abso-bloody-lutely it should be in primary schools....'cos then our kids will grow into well rounded and open-minded individuals who know that technology encompasses a huge range of alternative ideas, not just the big 3 (MS, Apple and Samsung) that are constantly blasted at them by the media!

      2. Anonymous Coward

        RE "thanks to Microsoft aggressively pushing Win10"

        Aha! So, once again, it's all Slurp's fault. I thought as much.

      3. KeithR

        "It's becoming a viable target, possibly because people have switched thanks to Microsoft aggressively pushing Win10"

        Ah - so Windows' relative vulnerability to malware was proof of it being a flawed OS; but now that it's happening to Linux, it's proof of popularity.

        Now there's an interesting dichotomy, eh?

        1. Anonymous Coward

          windows is not free

          Given that MS has made billions from selling windows and associated products then I would say that not spending enough to protect your users' security is a big fail.

          From this example clearly this linux distribution was so secure that hacking the OS distribution source was more viable than attacking a running user's pc directly.

          The mint team to their credit made public the attack on their distribution source, something we have no proof that MS has done, not necessarily because MS have never been hacked directly because they have, instead because MS are not known for putting their users first or even in their top ten.

          Given that the PC architecture has always been insecure by design then when enough black hats are investing time in finding holes then it is only a matter of time. Until everyone is using a secure hardware platform that has not been intentionally obscured and rooted to allow easy access and monitoring by the "security services" then every OS running on a PC will always be vulnerable to attack

        2. Anonymous Coward

          "Ah - so Windows' relative vulnerability to malware was proof of it being a flawed OS"

          If you look at the webserver market (where you generally need full remote exploits to compromise a box), OSS / Linux based systems are about 4 times more likely to be hacked than Windows Servers after adjusting for market share.

          Therefore when used as an internet facing server OS, Windows is apparently in practical use cases actually far more secure from remote attack.

          Where Windows doesn't perform so well is with desktop software / user interaction - and that's largely due to legacy design decisions versus the requirements for backwards compatibility. And due to commonly installed Adobe and Oracle software.

    2. tony72
      Coat

      What happened to the "Linux is malware-free" claim?

      That was just a typo; it's now been corrected to "Linux is free malware".

      At least in this case.

      1. seanf

        That could be funny - but it isn't. "At least in this case."

        1. Anonymous Coward

          > That could be funny - but it isn't. "At least in this case."

          I disagree. It's witty, it's a proper piss-take.

          As they used to say, if you can't take a laugh you shouldn't have joined.

          /FOSS developer here. Co-wrote a Linux device driver once a long time ago, a few more bits for an important desktop environment. Know when to admit someone else has won the round--though not the fight, and can laugh at that. I do apologise if you're American, that would explain the lack of a sense of irony.

          Best of luck to the Mint bunch, though. Those wily bastards on the dark side can be incredibly skilled (and well-funded), not easy to come out on top of them every time.

        2. KeithR

          "That could be funny - but it isn't",

          No, it really is.

          In fact, it's bloody hysterical.

      2. tony72

        Uh oh, the Linux fans are touchy today.

        1. KeithR

          "Uh oh, the Linux fans are touchy today."

          They're always bloody touchy...

          1. Eddy Ito

            "Uh oh, the Linux fans are touchy today."

            They're always bloody touchy...

            All the fan boys are always touchy. In this instance it's the Windows variant that gets to hold the stick and thrash about like a six year old at a piñata party instead of getting on with work, plus ça change.

        2. John Tserkezis

          "Uh oh, the Linux fans are touchy today."

          Uh oh, the Windows fans are touchy today.

          I suppose the fanbois are resting assured that their delivery of Win10 comes through only one method - forced down their throats. No possible way at all they could have any unknown code appear without their knowledge.

          No wait.

          1. Fatman
            Joke

            <quote>I suppose the fanbois are resting assured that their delivery of Win10 comes through only one method - forced down their throats shoved up their ass.</quote>

            There!

            FTFY!!!

      3. BitDr

        @tony72

        That a fake Mint-distro (consider it a fork that no one would knowingly download & install (unlike Windows 10)) had to be created in order to insert a back door into the Operating System, speaks volumes about how difficult it is to infect *NIX with malware. The website was a trusted source, compromising it was really a social engineering hack to get their bastard-child (no one is claiming fathership) out of the nest.

        So to sum up. The web site was hacked in order to distribute a malicious fork of Linux-Mint which contained a back-door. And how well did that work out for the bad-guys?

    3. Unicornpiss
      Meh

      Can happen to anyone...

      Someone hacking a hosting website and redirecting downloads to a malicious ISO is not the same as the OS on a running computer being compromised. That said, ANY OS can be infected, as we all know, and vulnerabilities exist in anything with any degree of complexity. It's a testament to Mint's popularity that it's starting to show up on the radar of baddies.

      1. Roland6 Silver badge

        Re: Can happen to anyone...

        It's a testament to Mint's popularity that it's starting to show up on the radar of baddies.

        Not so sure it is Mint per se, but open source. Given the discussion being had about Apple and the FBI and what is preventing the FBI from rolling their own iOS update, it is clear that the OS update mechanism is something worth hacking.

        It is clear the oss community are going to have to get better at the secure distribution of their wares to users.

        1. Anonymous Coward

          Re: Can happen to anyone...

          'It is clear the oss community are going to have to get better at the secure distribution of their wares to users'

          Not sure if you are implying Microsoft Windows 10 distribution methods are better, but...

          Ebay and Microsoft need to at least try and educate Windows users, (if they can't stop the ebay distributions) that paying £24.99+ on Ebay for an (essentially free) Windows 10 Upgrade ISO on USB/DVD (some have sold 380+ copies) isn't a good idea, in terms of a way of getting malware-free Windows 10 install media.

          Users are essentially being forced to Pay £24.99+, because it can be such a problematic bulky download. Either the 'dumb' Win10 upgrade background tool (lack of disk space, especially SSDs - downloading or expanding files, repeatedly, downloading GB's if it fails) ...

          Or using the (heap of crock) Windows 10 Media creation 'something happened' tool, with no indication it's failed until you have downloaded multiple GB of data, often 10's of GB, with Users often going over BT's 10GB data allowance of the basic packages, not even realising in many cases.

          In the UK, it's this attempting to download multiple GB's without a means to recover from a broken download, ends up with Windows Users resorting to 'trusting' ebay as a means of software distribution. It's even more annoying since Firefox has such a good file download recovery system, if Microsoft only had an option for its use under Windows, to download the ISO directly.

          Incredibly too, use any OS other than Windows, i.e. Linux Mint/MACOSX and you're offered to download the Windows 10 ISO's directly (though they seem to be US only) rather than forced to use the Windows 10 Media creation tool.

          Windows 10 distribution isn't some perfect secure distribution system either. I hate to think how much bandwidth has been wasted over recent months in failed Windows 10 downloads.

          Mint has got the install time down to 12 minutes to fully installed on an SSD. Updates 'just work' and quickly, you can see exactly what's been installed. People are becoming fed up of the bloat of Windows. Windows Update with its endless 'checking for updates' and endless 'installing updates', and multiple reboots - no wonder Linux Mint is gaining popularity fast.

          1. GrumpenKraut
            Pint

            Re: Can happen to anyone...

            > People are becoming fed up of the bloat of Windows.

            Put a period behind the word "bloat". Windows is just one sad instance.

            I find it incredible how most of the industry doesn't seem to get this.

            Beer, because I get that. Hello, mister fridge! Pilsener? OK!

            1. Anonymous Coward

              Re: Can happen to anyone...

              "People are becoming fed up of the bloat of Windows."

              Trying Linux won't help then. Most default Linux installs are even more bloated.

              1. Anonymous Coward

                Re: Can happen to anyone...

                > Most default Linux installs are even more bloated.

                I don't mean to sound rude, but are you sure you know what you are talking about?

                Just yesterday I rolled out a couple of OpenSuse machines. The "default" install was south of 250 MB.

              2. ro55mo

                Re: Can happen to anyone...

                Yeah, right...

                My Linux Mint install (I admit I am a fan) is currently using less than 8GB of disk space for the OS and all programs, excluding /home of course.

                Windows 10 needs 20GB

                https://www.microsoft.com/en-gb/windows/windows-10-specifications#sysreqs

                All my passwords are complex and unique and my email address has already been liberated from several other websites https://haveibeenpwned.com/ so zero impact to me.

                Here you have a FOSS community project that was targeted by some bottom feeder. They are upfront and honest about what happened, responding quickly to shut the problem down and inform the user base. Big companies should respond in the same way.

        2. Yet Another Anonymous coward Silver badge

          Re: Can happen to anyone...

          >what is preventing the FBI from rolling their own iOS update

          That it would be outsourced to CapGemini, be delivered 10 years late and $10bn over budget and not work?

          1. mathew42
            Thumb Up

            Re: Can happen to anyone...

            I think you've been kind.

            If you are outsourcing to CapGemini, not working and over budget is more certain than taxes especially for global companies. Delivered 10 years late might be considered a win.

            A company I have a close relationship with had CapGemini roll out a change in anti-virus software to their global SOE. When machines weren't booting after the roll out, they were informed that the change request didn't include 'must work afterwards'.

      2. Anonymous Coward

        Re: Can happen to anyone...

        I'd say they *did compromise* the OS running the download page, and I guess it wasn't Windows. I'm afraid the Linux fanboys will discover their OS is not invulnerable as they think the hard way....

      3. DainB Bronze badge

        Re: Can happen to anyone...

        No it is not.

        First - this never happened to Microsoft and they are like a magnitude bigger target that is under attack 24x7. And they're running websites on Windows by the way.

        Second - can you trust Mint developers to provide timely security updates if they can't even secure their web site? That was a rhetorical question in case you were distracted by epic butthurt.

        1. Hans 1

          Re: Can happen to anyone...

          >First - this never happened to Microsoft and they are like a magnitude bigger target that is under attack 24x7. And they're running websites on Windows by the way.

          It is written up there, happening for Windows 10 as well.

          Now, the other day, I was chasing a Windows 7 ISO and came across a Microsoft answers page where an MVP offered links to download Windows 7 ISO from, one was pointing to a server that had "allegedly" been bought out, the download was a 2Mb exe, no ISO. The MVP was very "touchy" when I pointed out to him that the download was not "as advertised".

          thepiratebay is full of infected ISO's, has been happening to Windows since at least Windows 2000, since it became feasible for the average punter to download such large files.

          I have copies of the ISO's at home, but was over at a mate's that time, hd died, he just received replacement SSD and I improvised a Windows 7 install... I have been fixing malware-infected Windows boxen for family, friends, friends of friends for over 10 years, and the last time I saw IE as default browser was A LOOOOOONG time ago.

          1. werdsmith Silver badge

            Ability to Handle Criticism

            User points out to Linux Zealot something about Linux that might benefit from improvement:

            Linux zealot response "Yeah but Windows shit, windows is fucking shit shit windows shit bloatware shit spyware shit fucking shit closed source walled garden shit shit shit shit shit shit shi...."

            User: "But I didn't mention Windows?"

            Linux Zealot "Arghh! Windows shit fucking shit shit shit shit fucking shit..."

            User: "But will somebody look at this problem in Linux ?"

            Linux Zealot "We don't need to because Windows is more shit, yeah did I mention Windows is fucking shit?".

            1. GrumpenKraut

              Re: Ability to Handle Criticism

              > ...Linux Zealot ... Linux Zealot ... Linux Zealot ...

              Way to win an argument.

              1. werdsmith Silver badge

                Re: Ability to Handle Criticism

                "way to win an argument"

                Who is arguing?

                1. GrumpenKraut

                  Re: Ability to Handle Criticism

                  > Who is arguing?

                  You with yourself, it seems.

                  1. werdsmith Silver badge

                    Re: Ability to Handle Criticism

                    > "You with yourself, it seems."

                    <Shrugs />

                2. Chika

                  Re: Ability to Handle Criticism

                  Is this the right room for an argument?

          2. Anonymous Coward

            Re: Can happen to anyone...

            "It is written up there, happening for Windows 10 as well."

            Please tell us where we can find any OS presented by Microsoft as an official download link that has been infected by 3rd party code / malware? (Adobe Flash and Java don't count!) Nope, didn't think so...

        2. RealBigAl

          Re: Can happen to anyone...

          Ah right,

          It has, after a fashion, already happened to Microsoft on multiple occasions through OEM distributed software and has been happening for years.

          Most recently, as mentioned in el Reg a few months back, Dell, Samsung and whomever distributing versions of Windows with baked in vulnerabilities.

        3. GrumpenKraut
          Facepalm

          Re: Can happen to anyone...

          > ...this never happened to Microsoft ...

          No Microsoft website has ever been owned, really?

          1. Anonymous Coward

            Re: Can happen to anyone...

            "No Microsoft website has ever been owned, really?"

            Only a very few outsourced / local country office ones. Nothing ever in a Microsoft datacentre that I recall....

        4. Avatar of They
          FAIL

          Re: Can happen to anyone...

          Few glaring errors in your comment.

          Didn't Windows pull their November release of Windows 10 because it was dodgy? making changes that impacted the security (removed) that users had set up and chosen (thus creating a rather large back door) And didn't they release a test batch update that bricked quite a few PC's last year. With no real explanation but making it quite clear they don't test or have a protocol to stop releasing to the world test updates?

          No one needs to hack and corrupt Microsoft downloads in this manner, because they do it themselves by a magnitude bigger than this hack.

          Their new peer to peer hosting opens up a whole can of whoop ass to the evil brigade who will no doubt exploit the hell out of it using probably the very same technique of making updates and new patches appear legit, only it won't be MS websites, it will be MS software again. They have by their nature and magnitude made desktop patching a "buffet of vulnerability."

          And Linux Mint have come out to tell the world they were hacked, and don't download the code. Windows don't tell you what code they download, so how can you be sure they are not all corrupt?

          Windows 10 has more back doors than anything else, with little moral code to tell their customers anymore.

          Lessons learned and kudos to Mint for this - but it is just a web site hack.

          Wonder if they used Kali Linux to make the hack?

      4. david 12 Silver badge

        Re: Can happen to anyone...

        >"not the same as"

        Yes, doubtless the server that was hacked was one of those ridiculous malware-prone MS IIS servers that no sane educated person would use. Run by amateurs, lusers, victims of MS's relentless dishonesty.

        In no way the same as.

        1. Anonymous Coward

          Re: Can happen to anyone...

          "one of those ridiculous malware-prone MS IIS servers that no sane educated person would use"

          That are statistically far less likely to be hacked than OSS / Linux based boxes. IIS according to Netcraft, is currently used by 30% of webservers. That's less than 3% behind Apache!

          And btw - IIS has had far fewer vulnerabilities over the last decade than Apache - and Apache itself has a pretty good record....

      5. Hans Neeson-Bumpsadese Silver badge
        Alert

        Re: Can happen to anyone...

        Whilst any OS can be compromised, what's significant in this case is that because of the open source nature of the OS, a perp can build a fully-functioning poisoned copy of the OS from publicly available source. That sort of thing is a bit harder to do with a closed-source OS.

        Not flaming or defending either approach....just saying....

    4. Camilla Smythe

      What happened to the "Linux is malware-free" claim?

      There is a suggestion in the comments section on the site that the redirect to the Bogus ISO was the result of an attack on a vulnerable Wordpress install.

      I’ll ask this question, without knowing the intrinsic details, or any specific details other than what has been posted above; did the breach have anything to do with the fact that you’re running WordPress?

      Best wishes and thanks for the heads up.

      -k0nsl

      Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.

      1. gollux
        Mushroom

        Friends don't let friends use WordPress...

    5. Sir Alien

      Sorry if this is sarcasm, not quite got it. But Linux is no more malware free than any other operating system. What I have heard before is Linux is "virus free" which is something different. Any operating system can get malware simply because the weakest link is the meat bag behind the keyboard who can click a dubious link for free malware installation.

      Linux/Unix does make installing malware accidentally much harder but it is not impossible. Completely malware immune systems are a fantasy in terms of full fat operating systems.

      1. Anonymous Coward

        Wrong and completely wrong.

        The usual (as in this case) was a hack on a Linux web server set up incorrectly with PHP (or perhaps a new flaw in PHP that script kiddies got hold of - the article does say it was a bit of a naive attempt). All of MS virii/trojans/bots stuff is client side and can be activated with a simple click on a link in an e-mail, or a stupid facebook page about cats.

        1. dajames

          Tautology

          ... web server set up incorrectly with PHP ...

        2. Anonymous Coward

          "All of MS virii/trojans/bots stuff is client side and can be activated with a simple click on a link in an e-mail, or a stupid facebook page about cats."

          So you are saying MS OSs are more secure as user interaction is usually required to exploit them, whereas Linux holes are often remotely exploitable?

      2. The little voice inside my head

        Would you like an OS that recognizes appropriate behaviour, meaning it uses a baseline, keeping track of what is considered "normal" in everyday experiences and then start "nagging" you with notifications if there are unexpected traffic or services or processes running in the background? I wonder how smart an OS could become nowadays... Not just an antivirus or process scanning that depends on a database to catch malware or viruses, but like a natural heuristic approach... Which comes to mind, several antivirus make use of, but don't know if there is any baselining going on.

      3. BitDr

        Agreed...

        It is not impossible to install software that has a malicious intent, if it was then installing ANY software would be problematic, and yes the problem usually exists between the keyboard and the chair (PEBKAC). The difference with *NIX is that the user actually has to type in a password to install anything, and if they don't have SUDO or otherwise have root privileges then they're not going to be able to do anything of the sort. Whereas Windows malware has been known to install silently, in the background, without the user being aware of it happening, without any interaction at all.

        Windows users may not read the pop-up dialogue requesting permission to install, and perhaps are more prone to simply click OK to get rid of the annoying dialogue-box. A behavior that has been created due to the constant appearance of unnecessary or just plain annoying pop-up dialogues.

    6. KeithR

      "What happened to the "Linux is malware-free" claim?"

      Ooh - the Linux zealot fanbois didn't like that question!

      1. Criminny Rickets

        Re: "What happened to the "Linux is malware-free" claim?"

        The article has nothing to do with Malware in Linux. This wasn't about someone clicking on a link or installing something and getting infected, it's about the main Linux Mint website being hacked to point to an already compromised version of Linux Mint. Big difference.

        1. Anonymous Coward
          Anonymous Coward

          Re: "What happened to the "Linux is malware-free" claim?"

          "The article has nothing to do with Malware in Linux."

          "an already compromised version of Linux Mint"

          Compromised by malware (an IRC Trojan). So it is about malware in Linux.

      2. Unicornpiss
        Linux

        Re: "What happened to the "Linux is malware-free" claim?"

        At the risk of making a troll happy, I don't remember ever hearing that claim. And no one in IT beyond perhaps L1 Helpdesk cannon fodder truly believes that any OS is immune from malware. What you would hope though, is that when you install an OS on your machine, it is at least initially free from corruption, and in this case, some users got infected downloads. Not the first time this has happened on the Internet, not the last for sure.

        "Out of the box", Linux is generally less likely to be infected unless the user is prone to turning on all sorts of unnecessary services and installing software from shady sources. True, part of the reason is that it is not targeted as much due to the lesser market share. But as a Mint Linux user, I can honestly say that even if the Windows and Linux roles were reversed, with Linux being equally or more prone to malware than Windows, I would likely still use it due to the lack of bloat, marketing, pointless features that no one will likely ever use, and the general elegance of it. Like taking your vacation by a scenic lake instead of Disneyland. Though to each their own.

      3. Chika

        Re: "What happened to the "Linux is malware-free" claim?"

        Ooh - the Linux zealot fanbois didn't like that question!

        Are you desperate for downvotes?!?

        Mind you, I'm as great a fan of Linux zealots, especially distro zealots as I am of Windows zealots. Or Apple zealots. I've used them all and I have gripes about them all.

        As for the claim, anyone with any experience in operating systems in general can tell you how valid it is.

    7. earl grey
      Flame

      What happened to the "Linux is malware-free" claim?

      ODFO

    8. Chika
      Holmes

      What happened to the "Linux is malware-free" claim?

      That's a claim only ever made by the inexperienced because they do not realise that any operating system can be infected. It's just a matter of working out how to get in.

      Doing it at installation is one way to do it going back to the days when users installed everything from floppy discs.

      That's as true of Mint as of openSUSE, of RedHat, of Ubuntu, of Debian, of Windows, of MacOS, of RISC OS, of ANYTHING that attaches to the Internet. The fact that somebody has done it to Mint now is, as somebody already noted, proof that it is becoming popular enough to be noticed by those bastards that insist on doing this.

      The only way to never get infected is to switch the machine off but then, of course, the bastards win.

    9. sisk

      What happened to the "Linux is malware-free" claim?

      It's only quipped by idiots. That's been true for a while now. We know there's Linux malware in the wild. It's still rare, but it exists, and any knowledgeable Linux user knows it. That's why we have things like ClamAV.

  4. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Why on Earth would you trust a tiny group of 2-3 stooges?

      Because I'm free to do so.

      Isn't this the main idea of FOSS?

  5. ZSn

    md5?

    md5, really? sha256 surely if you want to be sure. The perpetrators could even spoof the 'right' md5 - I'm surprised that they didn't. Though if mint think that md5 is good enough perhaps that explains how they were hacked.

    Perhaps I'm just incorrigibly paranoid but I always check the hash from different sources before I install something.

    1. Charles 9

      Re: md5?

      Because although it's relatively easy to locate collisions with MD5, it's still tricky to perform a preimage attack against an MD5 hash (Given X', find Y such that H(Y)=X'), particularly a second-preimage attack (Given X, find Y such that H(Y) = H(X)) which is what you'd need to pass malware off on an ISO while still having the same hash. Anyway, many repos also offer SHA1 hashes as a secondary method, and it would be a computationally astronomical feat to be able to successfully second-preimage attack an ISO that has BOTH an MD5 AND an SHA1 hash.

      1. ZSn

        Re: md5?

        Yup, I'm wrong and you're right - apologies. I was mixing up preimage attack against an MD5 hash with collision attacks.

        However, my point that sha1 let alone md5 is frowned upon still stands and doesn't bode well for mint when they don't even use sha1.

        1. GrumpenKraut

          Re: md5?

          > However, [I didn't understand what you said]

          No downvote from me, just to indicate why these happened.

        2. Charles 9

          Re: md5?

          "However, my point that sha1 let alone md5 is frowned upon still stands and doesn't bode well for mint when they don't even use sha1."

          It's a compromise. MD5 may not be the best tool in the shed, but for now it's still useful against preimage attacks, it's standard, programs to do it are literally everywhere, and among standard-bearers like SHA, it's the fastest of the lot. And since hashing something big like an ISO takes time, especially with underpowered computers, that can be important in terms of actually using it (for hashing the Nandroid backups on my phone takes nearly as much time as the backup itself—ARM chips have a reputation for being thrifty but wimpy).

          Providing an MD5 hash in combination with other hashes allows the user to make the conscious decision to take the quick-but-less-safe MD5 check or opt to use one of the other signature checks, either instead or in addition.

      2. Destroy All Monsters Silver badge

        Re: md5?

        Or you can use honest-to-god GPG signature.

        Yeah, I know, nasty to use etc.

        Meanwhile: "Linux Bulgarian Mint"

        1. Anonymous Coward
          Anonymous Coward

          Re: md5?

          > Yeah, I know, nasty to use etc.

          Why nasty to use? I use signatures dozens of times per day, mostly without even realising, except for occasionally having to type a passphrase. Right tools for the job, etc.

      3. Anonymous Coward
        Anonymous Coward

        Re: md5?

        > Because although it's relatively easy to locate collisions with MD5, it's still tricky to perform a preimage attack against an MD5 hash

        Not *that* hard. You could do it in 2008 in about 3 days with a lab of 200 Playstation 3's:

        http://www.win.tue.nl/hashclash/rogue-ca/

        These days you can probably do it on EC2 with a bunch of GPU instances and spot pricing.

        > many repos also offer SHA1 hashes as a secondary method, and it would be a computationally astronomical feat to be able to successfully second-preimage attack an ISO that has BOTH an MD5 AND an SHA1 hash.

        SHA1 has not been broken in this way (yet) - so surely this should be the primary method, not the secondary. Better still, just use SHA256, as there are indications SHA1 is also close to compromise.

        1. FelixReg

          Re: md5?

          Something that's often forgotten is you don't have to create a file with a perfectly matching MD5 or SHA1. All you need is a file with hashes that match at the beginning and end, and for enough of the other hex digits to *look* ok.

          Though semi-matching *two* independent hashes would be a neat trick for the bad guy to pull. I'd worry that MD5 and SHA1 are not particularly independent, though. They are algorithmically close.

          1. Anonymous Coward
            Anonymous Coward

            Re: md5?

            Creating a similar looking MD5 might fool some of the people who just eyeball it. Don't you copy the value you get from md5sum and search for it on the relevant web page, though?

    2. Someone

      SHA256 was provided

      A file of SHA256 message digests for the ISOs was provided, and Lefebvre produced a GPG signature for that file. This has been the case since Linux Mint 17.0.

      http://mirror.bytemark.co.uk/linuxmint/stable/17.3/

      gpg: Signature made Wed 09 Dec 2015 16:09:06 GMT using DSA key ID 0FF405B2

      gpg: Good signature from "Clement Lefebvre (Linux Mint Package Repository v1) <root@linuxmint.com>"

      Primary key fingerprint: E1A3 8B8F 1446 75D0 60EA 666F 3EE6 7F3D 0FF4 05B2

      Checking the authenticity of the ISOs could have been strongly emphasized on the Linux Mint website, but Linux Mint goes for ease of use, and checking GPG signatures isn’t ease of use. And, this is unlikely to help someone downloading Linux Mint for the first time. If your website gets hacked, the hacker can probably remove or change the recommended verification steps.

      Even the Tor Project says that the number of downloads of hash and signature files is a tiny fraction of the overall downloads for Tor Browser. If the users of Tor Browser don’t care, users of Linux Mint are going to care even less.
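The check described in the comment above, as an added example (not code from Linux Mint or from the commenter): confirm that the sums file carries a good signature from a pinned key before trusting any digest in it, then compare the ISO's SHA256 in full. The file names `sha256sum.txt` and `sha256sum.txt.gpg`, the function names and the sample status lines are assumptions; the fingerprint is the one quoted in the comment.

```python
import hashlib
import hmac
import re
import subprocess

# Fingerprint as quoted in the comment above. Obtain it from somewhere other
# than the download site: a hacked site can swap keys as easily as ISOs.
PINNED_FPR = "E1A38B8F144675D060EA666F3EE67F3D0FF405B2"

# GnuPG status keywords that mean the signature must not be trusted.
BAD_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of `gpg --status-fd 1 --verify` output (timestamps made up).
SAMPLE_STATUS = (
    "[GNUPG:] GOODSIG 3EE67F3D0FF405B2 Clement Lefebvre "
    "(Linux Mint Package Repository v1) <root@linuxmint.com>\n"
    "[GNUPG:] VALIDSIG E1A38B8F144675D060EA666F3EE67F3D0FF405B2 2015-12-09 "
    "1449677346 0 4 0 17 2 00 E1A38B8F144675D060EA666F3EE67F3D0FF405B2\n"
)

# sha256sum-style line: 64 hex digits, a space, ' ' or '*' (binary), file name.
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def gpg_status(sig_path, data_path):
    """Run gpg on a detached signature; the key must already be in the keyring."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout


def signed_by_pinned_key(status_text, pinned=PINNED_FPR):
    """True only for one good signature whose primary key is the pinned one."""
    keywords, primaries = [], []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keywords.append(parts[1])
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The last VALIDSIG field is the primary key fingerprint, if present.
            primaries.append((parts[11] if len(parts) >= 12 else parts[2]).upper())
    if "GOODSIG" not in keywords or BAD_STATUS & set(keywords):
        return False
    return len(primaries) == 1 and hmac.compare_digest(primaries[0], pinned)


def parse_sums(text):
    """Map file name -> lowercase digest from sha256sum-style lines."""
    sums = {}
    for line in text.splitlines():
        m = SUM_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_iso(iso_path, listed_name, sums_text, status_text):
    """Check the signature on the sums file first, then the ISO against it."""
    if not signed_by_pinned_key(status_text):
        return "untrusted-sums-file"
    expected = parse_sums(sums_text).get(listed_name)
    if expected is None:
        return "iso-not-listed"
    if hmac.compare_digest(sha256_file(iso_path), expected):
        return "ok"
    return "digest-mismatch"


if __name__ == "__main__":
    import sys
    # Assumed usage: script.py mint.iso sha256sum.txt sha256sum.txt.gpg
    iso, sums, sig = sys.argv[1:4]
    with open(sums) as f:
        print(verify_iso(iso, iso.rsplit("/", 1)[-1], f.read(), gpg_status(sig, sums)))
```
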

      1. KeithR

        Or...

        Just stick to Windows, and you don't have to worry about any of this nonsense...

        1. Anonymous Coward
          Anonymous Coward

          Re: Or...

          No, because MS pre-infect their OS with malware. Much better than having third parties infect the source, eh?

        2. hplasm
          Windows

          Re: Or...

          Windowlickers are restless tonight, sir...

        3. GrumpenKraut
          Linux

          Re: Or...

          > Just stick to Windows, ...

          Please do.

        4. Chika

          Re: Or...

          Just stick to Windows, and you don't have to worry about any of this nonsense...

          No, you don't. You have to worry about different nonsense, that's all.

      2. ZSn

        Re: SHA256 was provided

        @Someone

        'Even the Tor Project says that the number of downloads of hash and signature files is a tiny fraction of the overall downloads for Tor Browser. If the users of Tor Browser don’t care, users of Linux Mint are going to care even less.'

        I'd be curious as to where you got that info, not that I doubt you, but I'd like to see what they say in detail. The TOR iso hash is actually on their website, as long as you trust the SSL (and not go to the length of verifying the gpg) you don't need to download it, just view the main page.

  6. Anonymous Coward
    Anonymous Coward

    nearly got had myself

    Thought I'd try Mint after about 9,877 people telling me I should.

    Stopped the download when it looked to be coming from a dodgy IP address, and grabbed it from University Of Kent instead.

    Else, on the one bloody day I decide to give it a go, I'd have ended up with Mint : Polo Edition.

  7. itzman
    Linux

    With success, comes malware..

    Not sure if I feel touched that someone thought Mint was popular enough to compromise it, or sad that it's got so popular it may need a malware scanner sometime soon...

    Still not bad to have the issue spotted and fixed in under 24hrs

    1. Diodelogic

      Re: With success, comes malware..

      Curiously enough, from reading about this event on several blogs, the Linux Mint website was hacked, restored, and then hacked again. The website is offline as I write, while the Mint people work on the server.

      I downloaded the KDE 17.3 version of Mint because the 17.3 Cinnamon package wasn't ready at the time, but I couldn't make it work. I was thinking about downloading Cinnamon yesterday but didn't get around to it, and for once my laziness paid off. Although I'm still planning to get Mint and try again.

      1. Ian 55

        Hacked, restored, hacked again

        Restored from scratch or just the obvious hole patched?

    2. KeithR

      Re: With success, comes malware..

      "someone thought Mint was popular enough to compromise"

      As I mention elsewhere, funny that when Windows - which is VERY popular, y'know - was a target and Linux wasn't, so much, this was evidence of Windows' crapness:

      Now, being a target is proof of popularity.

      Maybe that's all it's ever been...

      1. Anonymous Coward
        Anonymous Coward

        Re: With success, comes malware..

        Is Bulgaria in the EU/common market or whatever it is called now? If so, I bet this was the doing of Boris Johnson to get us to vote YES to leave (which I will anyway).

      2. itzman
        Pint

        Re: With success, comes malware..

        Gosh. Linux was so hard to crack that they had to actually compromise the installation process. In other words Linux is so proof once installed, that it couldn't be hacked.

        Glass mostly full?

    3. Tony-A

      Re: With success, comes malware..

      >> issue spotted and fixed in under 24hrs

      IIRC it took a week for a search for Code Red on microsoft.com to return anything relevant.

      1. hplasm
        Meh

        Re: With success, comes malware..

        "IIRC it took a week for a search for Code Red on microsoft.com to return anything relevant."

        Be fair- it takes more than a week to find anything on microsoft.com. Longer if you use Bing(e).

  8. kneedragon

    compromised

    Anything and everything can be compromised. Some things are easier than others, and some are bigger targets than others, but even those we think of as very secure (with good reason) are not invulnerable. This is not a sign of major issues, this is a timely warning. Do take note, the issue was noticed quickly and steps were taken to fix it quickly, Mint was quite open and forthcoming about it, and if we all checked the checksum like we should, nobody would have gotten bit at all. Number of people affected by this is small, and the number who will still be affected by it in a month will be almost none. I am not going to say it was a good thing, but read it as what it is - a warning.

    1. KeithR

      Re: compromised

      "Anything and everything can be compromised"

      ...Shall hereafter be Linux Zealot creed, now that it's happened to a Linux distro...

      1. Anonymous Coward
        Anonymous Coward

        Re: compromised

        'Tis a Shame Keith, that you don't know a compromised website from your compromised MS Windows PC.

        1. hplasm
          Devil

          Re: compromised

          "'Tis a Shame Keith, that you don't know a compromised website from your compromised MS Windows PC."

          Duh- Is that the big 'e'?

    2. Sandtitz Silver badge

      Re: compromised

      "Do take note, the issue was noticed quickly and steps were taken to fix it quickly, Mint was quite open and forthcoming about it,"

      I can fully understand taking down the website as a reaction to this, but surely the best form of action would have been to post some sort of warning notice to visitors along with the instructions of using MD5 or SHA. Anyone can come up with a basic web page that apologizes for the downtime and warns people of the fake download.

      "Number of people affected by this is small, and the number who will still be affected by it in a month will be almost none."

      Where do you base this? How do you know how many people have downloaded this distro and into how many computers? Mint is very popular but I'd like to see some download statistics from Mint to put this into perspective - are there like 1000 downloads from the mirrors daily or more? Does Mint have their own BT tracker to provide BT statistics?

      If I download a distro I'm not going to check the website again unless I'm looking for more information or so. Chances are the less technical people would be happily using this for a long time.

      1. Charles 9

        Re: compromised

        "I can fully understand taking down the website as a reaction to this, but surely the best form of action would have been to post some sort of warning notice to visitors along with the instructions of using MD5 or SHA. Anyone can come up with a basic web page that apologizes for the downtime and warns people of the fake download."

        Because the WEBSITE was hacked. TWICE IIRC. Meaning ANY notice you put up would be promptly removed. In fact, you may end up tipping the hackers to post THEIR OWN instructions on using MD5HASH and so on...only with all the hashes replaced with THEIRS.

        1. Sandtitz Silver badge

          Re: compromised @Charles 9

          Yes, the website was hacked.

          Redirecting port 80 at linuxmint.com to another location where a simple static html file I suggested is served is easy to do and doesn't need a lot of computing resources. I'm sure there are plenty of people or organizations who'd happily host the said notice until the Mint guys get their website rebuilt.

          1. Anonymous Coward
            Anonymous Coward

            Re: compromised @Charles 9

            "Redirecting port 80 at linuxmint.com to another location where a simple static html file I suggested is served is easy to do and doesn't need a lot of computing resources..."

            Unless THAT gets hacked, TOO, unless the hackers are ALREADY further up the chain.

    3. Anonymous Coward
      Anonymous Coward

      Re: compromised

      If you have physical access and enough time then yes anything manmade can be manunmade however this does not mean that you cannot design something to be truly secure if you can discount physical access.

      Without physical access computers should be secure in every sense but because, I would say, Microsoft's policy of putting security last lots of people, who do not understand low level coding, believe it is not possible to have a secure and bug free computer.

      It is possible just not on a PC and especially not when users have root access

      1. Anonymous Coward
        Anonymous Coward

        Re: compromised

        "If you have physical access and enough time then yes anything manmade can be manunmade however this does not mean that you cannot design something to be truly secure if you can discount physical access."

        I doubt it. As long as you can access it, locally or not, you can probably find a way to turn necessary functions into exploits and eventually into privilege escalations. I mean, we even have malware that can use Sneakernet and jump air gaps, for goodness sakes. Bet you pretty soon someone will come up with a way to remotely bombard something like a keyboard wire with a focused electromagnetic beam, allowing one to type a physical keyboard without ever being near it. It's kind of price of admission: what man can make, man can break.

  9. hplasm
    Meh

    The ghost of SCO

    Bursts forth one last time just before the credits roll for a final stab at linux...

    Smells of a large co, or the adherents thereof, or their acolytes- or some dicks.

    1. GrumpenKraut

      Re: The ghost of SCO

      > Smells of ...

      standard internet scum[TM], I'd say (downvote not from me).

    2. KeithR

      Re: The ghost of SCO

      The Scottish Chamber Orchestra! Those violin-wielding BASTARDS!

  10. Will Godfrey Silver badge
    Unhappy

    Very sad to see this. The creatures that pulled this stunt give scum a bad name.

    1. KeithR

      "Very sad to see this. The creatures that pulled this stunt give scum a bad name."

      And yet you'd doubtless have laughed your tackle off if this had been Windows...

      1. Anonymous Coward
        Anonymous Coward

        They don't need to modify the iso to put malware onto windows.

      2. Will Godfrey Silver badge
        FAIL

        @KeithR

        No I wouldn't actually. I have more thought for the ordinary users who are the real victims of this sort of thing - you know, those people who do an honest day's work only to find their bank account has been cleaned out by these creatures and they are now up to their eyeballs in debt.

        I don't consider that a laughing matter at all, and don't have any time for anyone who does think it funny.

      3. hplasm
        Gimp

        And yet you'd doubtless have laughed your tackle off if this had been Windows...

        Jokes are for laughing at.

  11. TimeMaster T
    Happy

    I see this as great news

    It means that Linux has become popular enough that cyber crooks consider it worth their time to try and compromise it.

    Can the year of the Linux Desktop be far behind?

    1. KeithR

      Re: I see this as great news

      "Can the year of the Linux Desktop be far behind?"

      Well, if being vulnerable to malware is a condition of desktop presence, any year now...

      1. werdsmith Silver badge

        Re: I see this as great news

        "Can the year of the Linux Desktop be far behind?"

        First quoted 2002.

        2 3 4 5 6 7 8 9 0 1 2 3 4 5

        1. itzman

          Re: The year of the Linux desktop..

          Back around 1990, I was informed that 'this would be the year of Unix'...

          ...and in 1991,1992...in fact what happened was that over a period of 25 years, first Unix, then Linux, has very slowly, simply become the de facto operating system kernel for almost everything (except for Windows).

          Why?

          Because it offered lower costs to hardware and software developers.

          There's a lot about Unix and Linux that is not optimal - X windows is perhaps the greatest abortion along with Postscript, that has ever been foisted on an undeserving community, but at least they are open standards.

          As is TCP/IP and so on. In the end open standards work, because they make the barrier to entry of any proprietary system massive. Only Windows that was first on the scene, by a massive and unpleasant use of de facto monopoly has managed to protect its shrinking user base.

          If it were worth anyone's while, a reverse engineered shim on top of Linux that did more than wine does, to enable Windows programs to run more or less natively in Linux, would have been written. Already many new apps are using cross platform toolkits that mean that programs for OSX Windows and Linux are available. Eventually mainstream paid for apps will be ported one way or the other.

          1. Anonymous Coward
            Anonymous Coward

            Re: The year of the Linux desktop..

            Except seemingly games, as developers continue to ignore Linux, even with the increase of cross-platform tools. There are developers (such as Bethesda) who are quoted as saying this is not enough and are staying Windows-only in the PC world. Not even developing for the PS4 (which is supposed to have a UNIX-based environment) seems to be helping much.

  12. Anonymous Coward
    Gimp

    Linux Mint, the OS with the security hole in the middle!

    Just been round to my Nan's, upgrading her PC to Windows 10 from Linux Mint. Secure by design, not security by obscurity!

    1. Anonymous Coward
      Anonymous Coward

      Re: Is your Nan at risk?

      So you have just been to your "nan's" (AKA the Gimp) for a spot of upgrading, wink wink.

    2. Anonymous Coward
      Anonymous Coward

      Re: Linux Mint, the OS with the security hole in the middle!

      But did you think about your Vindaloos?

    3. This post has been deleted by its author

    4. KeithR

      Re: Linux Mint, the OS with the security hole in the middle!

      "not security by obscurity!"

      And in Mint's case, not even that...

      1. frank ly

        Re: Linux Mint, the OS with the security hole in the middle!

        Keith, are you and Windows having some kind of relationship difficulties? I ask because this all sounds like some kind of anger transference thing. You and Windows need to sit down and talk about what's gone wrong.

  13. Doctor Syntax Silver badge

    More worrying is distribution by mirror sites. The attack surface is much bigger. If one of those was compromised it could be distributing backdoored ISOs for a good while before anyone noticed - or do they all get regular sanity checks?

  14. cd / && rm -rf *
    Pirate

    Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it

    What's the betting the hacker's IP address is in a range owned by M$?

    1. Mikey

      "What's the betting the hacker's IP address is in a range owned by M$?"

      Precisely sod all, one would imagine. Really, what would they have to gain from doing that, given the market share of PCs running mint is minuscule in the grand scheme of things? I know you unwashed lot love to portray them as evil-minded, underhanded ratbags with an over-riding mission to eliminate all things from St Torvalds himself, but that's completely batshit bonkers. Pretty much up there with chemtrails and all those free energy contraptions.

      The simple fact here is there was a webserver set up by some halfwit who left it vulnerable, and it got compromised. It happens all the time, all over the place, and there is nothing to suggest that just because it happens to run the all-hallowed Linux that it's inherently immune to such things. I do worry about you lot, because sometimes it feels like you've been conditioned to trust FOSS implicitly without using the normal security and setup procedures. It's software, it can go bad on you, it's always a risk. No matter the vendor.

      Macolytes and Linux Zealots have been taking the piss for years. Then the Macolytes felt the sharp sting of vulnerability, and now... now it's the turn of the Zealots. Maybe now you'll see we're all in the same boat?

  15. present_arms

    man

    Let's see, someone hacks Wordpress and somehow because they changed the IP to a dodgy ISO, somehow Linux is fooked? Windows users, don't gloat, you can pick up a malware infested ISO of Windows anywhere :)

  16. Destroy All Monsters Silver badge
    Windows

    The feel when the discussion reminds one of the Amiga vs. Atari ST days of retardation

    This thread is full of really bad trolling.

    1. Mikey
      Happy

      Re: The feel when the discussion reminds one of the Amiga vs. Atari ST days of retardation

      Pffft, everyone knows the Amiga was the better of the two any day!

      1. David 132 Silver badge
        Flame

        Re: The feel when the discussion reminds one of the Amiga vs. Atari ST days of retardation

        Pffft, everyone knows the Amiga was the better of the two any day!

        In your dreams!!1!. Vi is CLEARLY superior!

        I'm sorry, I seem to have wandered into the wrong argument.

        1. GrumpenKraut
          Trollface

          Re: The feel when the discussion reminds one of the Amiga vs. Atari ST days of retardation

          > In your dreams!!1!. Vi is CLEARLY superior!

          You mis-spelled Emacs.

          1. David 132 Silver badge

            Re: The feel when the discussion reminds one of the Amiga vs. Atari ST days of retardation

            You mis-spelled Emacs.

            Touché (have an upvote).

            I heard that Emacs now includes Systemd...

            ...or is it the other way round?

  17. Anonymous Coward
    Anonymous Coward

    What am I going to do now?

    Looks like I'll have to give up on my plan to move from Windows 7 to Mint, and embrace Windows 10.

    .

    No, what am I thinking?? At least they're fighting to keep Mint free of malware - Microsoft are doing everything they can to foist malware on me.

    I'm encouraged by their immediate and open response to this problem, so I think I'll stick with the penguin.

    But I will check the downloads from now on

    1. David 132 Silver badge
      Linux

      Re: What am I going to do now?

      Same here. I had a spare NUC kicking around the house, and put Mint 17.3 Cinnamon on it earlier this week (yeah yeah, I downloaded the ISO via torrent well before this incident).

      First impressions:

      - it installed beautifully from the live USB image, taking maybe 20 minutes

      - Everything was recognised out-of-the-box - even wifi and S3/S4 worked perfectly, which surprised me.

      - just for giggles, I installed WINE and tried running an old Microsoft game (Age of Mythology/Titans). Blow me down, it worked perfectly. Better, in fact, than on my Windows 7 PC, on which it crashes periodically. I can just click the .EXE or a desktop shortcut and the game loads. Super easy. Even the network game mode works.

      - coming from the Windows & OSX world, there's obviously a lot for me to learn! Plus, I keep managing to break it in unexpected ways. For example, following a list of "11 Linux Mint Tweak tips", I disabled access-time via etc/fstab 'noatime'. When I rebooted, the desktop had reverted to a different window manager (?) - right-click menus looked odd, the wallpaper didn't load, and all my desktop icons had reverted to a different theme and didn't want to change back. Weird! So I undid the 'noatime' tweak and all is back to normal. I think I need to back off from my compulsive urge to fiddle, and just accept that until I understand it more completely, I should leave well alone.

      - Firefox / Pale Moon and all my plugins work perfectly too.

      General impressions: I like it. My house network is now a well-rounded mix of OSX, Windows 7, Ubuntu LTS (on the NAS) and Mint. I can have flame-wars with myself.

      1. Anonymous Coward
        Anonymous Coward

        Re: What am I going to do now?

        Yes, I would advise not tweaking unless you really have a problem. That has caused me grief enough in the past.

        I'm content to leave it largely as it comes out of the box - it performs well enough for me (especially after I found the magic words to make it talk to the broadcom wireless).

      2. Richard Crossley
        Mushroom

        Re: What am I going to do now?

        I disagree. Keep fiddling and trying stuff out. You'll break it loads of times, but you'll learn as you do.

        I would recommend fiddling on a VM image first if your NUC has valuable data.

        Icon, because you know you'll detonate something.

        1. Anonymous Coward
          Anonymous Coward

          ...Keep fiddling and trying stuff out

          Can't disagree with that. The point I had in mind was that fiddling often leads to a need to reinstall, so if you first and foremost want to find out what Mint can do for you, leave the fiddling until you are more familiar. Alternatively - yes, that's what VMs are good for. No use if it's the hardware that needs fiddling with, but pretty useful otherwise.

      3. Youngdog

        Re: What am I going to do now?

        Pretty much my experience too David 132.

        I was dual-booting it with Win10 until a few weeks ago. Then I found out that after July I won't be able to transfer Windows to a new device - so I backed up /home, spent about an hour rebuilding Mint, downloaded virtualbox, created a Win8.1 VM and finally upgraded that to Win10 instead. Ever since then I've been not looking back.

  18. i1ya
    Meh

    First page of comments shows a nice example of what does "troll-feeding" term mean

    Aside from that, I agree with people who say that Mint becoming a hacking target shows that it is popular; secondly, I'm sure it's the first (or, to be exact, not the last) attack on minor, yet prominent distros (minor because they don't have enough resources to maintain first-class security on their websites), and it's also a pity to hear this news since bad publicity is the last thing I want to happen to independent distro world.

    Now please tell me, how many people do check MD5 and SHA sums each time they download something? (I surely will be downvoted for this, but I confess: I did this 0 times. But I will try to learn the lesson.)

    1. Destroy All Monsters Silver badge

      Re: First page of comments shows a nice example of what does "troll-feeding" term mean

      Actually, I do. As it is annoying to do on the command line, I even scripted it to allow copy/paste off the website onto a simple cmdline script. Nothing to write home about:

      https://s3.amazonaws.com/hjnwbvbfyi/checkdathash.sh

      1. Mystic Megabyte
        Linux

        Re: First page of comments shows a nice example of what does "troll-feeding" term mean

        In the terminal I just copy the result of md5sum (Shift+Ctrl+C) and in Firefox press / (Tip: It's the key with a question mark) to open the search box and paste in there. The correct string will be highlighted on the web-page. Simple.

  19. Camilla Smythe

    Linux/Mint Not Popular

    Down Vote away. I would have no doubt that all the other distros suffer from similar 'peripheral attacks'. Crew Mint just got pwned. That is all. Good Night.

  20. Anonymous Coward
    Anonymous Coward

    Non story. Anyone downloading Mint on the weekend is still trying to figure out how to get their wireless to work, how to adjust screen resolutions, how to do every stupid tiny useless tweak that should take three clicks but actually takes configuring the right download server, then finding the right package, and the prerequisites for the package... I *want* to like it but every time I try it's just a huge pain in the butt.

    1. Doctor Syntax Silver badge

      @ Codysydney

      It sounds like you're doing it wrong. Why are you trying to configure another download server other than the standard Mint repositories? If you're looking for bleeding edge versions you should be on a different distro.

    2. Unicornpiss

      Oh I dunno...

      I tried getting to networking in my Mint installation and it took exactly 3 clicks. Menu>System Settings>Networking. (4 if I wanted to look at the options)

      I also use (and mostly like) Windows 7. If you know the .cpl shortcut you can get there quickly, but off the top of my head, you normally would go to "Start">Control Panel>Network>Change Network Adapter Settings, then "Properties", IPV4 (or 6), then "Properties" again to actually view things you can change. That's a few more clicks to be sure. Or you could use one of the "Wizards", which in my experience dumb things down to the point of making my head hurt and not having the intended effect I was going for. And that's Win7. 8 and 10 make me want to cry with frustration with the start menus and inadvertent things that pop up or happen to my windows if I accidentally trigger them with an errantly placed mouse pointer or accidental swipe on a touch screen. There is such a thing as adding too many "convenience" features. For every time I use one of these and find it useful, there are 99 other times that I spend more time undoing what Windows thought I meant to do. And maybe someday MS will learn to not have apps steal focus. It's possible I guess.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oh I dunno...

        Out of curiosity, tried to get to adaptor properties on Win 10. 'Click' network in system tray area (or whatever it's called these days), select network settings, select change adaptor properties.

        Two more steps if go via start menu.

        Got confused trying to do it via search, gave up as time to go to work.

    3. Stig2k

      Hence the funny-because-it's-true-joke "Linux is only 'free' if your time is worthless"

  21. David Roberts
    FAIL

    Are you sure you have this the right way round?

    Wordpress. People are hunting all the time for Wordpress sites they can compromise. So did someone look for ways to compromise the Mint site, or did a Wordpress hacker find a vulnerable site and then notice what it was hosting?

    This weird pride that claims the attack shows how popular Mint is baffles me.

    Like being proud of being mugged because it shows that you are rich. Not that you were a dick and had a few too many beers then wandered down a dark alley.

    Most likely it is a desperate excuse after all the posts praising Mint as the answer to any Windows issues, followed by a demonstration that the advice wasn't 100% good in all circumstances.

    Have a bit of honesty, and admit the Mint guys screwed up. They were so security naive they apparently used Wordpress on the server they used to distribute Mint. So people now have copies of Mint with back doors. This must at least raise the question "Is this the only foolish thing they did?".

    Don't just go "Look, look, Windows 10!" as if this explains, excuses or justifies this total cock up.

    The sensible posters have acknowledged that a bad thing happened and noted that hashes from several sources should be checked before installing anything.

    The Mint guys should be taking a good hard look at the way they work, and everyone should be giving this breach maximum publicity to try and help all the poor sods who have been compromised.

    1. phil 27

      Re: Are you sure you have this the right way round?

      This, wordpress, on the same server serving out the iso images. Physical separation 101 or complete lack of it. I did read some comments in their announcement post that they're rattling a can for money for more hardware to buy another server just for the wordpress machine to at least give it some separation.

      For a few clients that wanted wp no matter what we advised we ended up having to deal with the devil, and so we ran the wordpress server on a local lan machine not accessible from the internet and automated scraped/rsync over ssh'd off a static version to host as a static html page on the public server.

      Probably someone will pop up in a minute and offer them a cloud solution, because that's really well physically and electrically isolated also.

      They need to stop with the fanboy rahrah, lick their wounds and do things betterer in future.
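
Added example (not part of any comment above, and not the checkdathash.sh script linked earlier, whose contents are not shown on this page): a shell function for the checksum check discussed in this thread, extended to David Roberts' point that hashes from several sources should be compared. The function names, exit codes and the choice of algorithm by digest length are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a download against checksums pasted from several sources.
# Usage: sh verify.sh FILE HASH [HASH...]   (script name is hypothetical)
# Exit: 0 = all sources agree and match; 1 = file mismatch; 2 = sources disagree / bad input

normalize_hash() {
    # Strip whitespace and lowercase, so a copy/paste from a web page compares cleanly.
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

digest_tool() {
    # Pick the tool from the digest length: 32 hex = MD5, 40 = SHA-1, 64 = SHA-256.
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

verify_download() {
    [ "$#" -ge 2 ] || return 2
    file=$1; shift
    [ -r "$file" ] || return 2
    first=$(normalize_hash "$1")
    # Reject empty input and anything that is not pure hex.
    case $first in *[!0-9a-f]*|'') return 2 ;; esac
    tool=$(digest_tool "$first") || return 2
    # Every pasted value must be identical: a source that differs is itself a warning sign.
    for pasted in "$@"; do
        if [ "$(normalize_hash "$pasted")" != "$first" ]; then
            echo "sources disagree: $pasted" >&2
            return 2
        fi
    done
    actual=$("$tool" < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$first" ]; then
        echo "OK ($tool): $file"
    else
        echo "MISMATCH ($tool): expected $first, got $actual" >&2
        return 1
    fi
}

# Run as a command only when a file and at least one hash are given.
if [ "$#" -ge 2 ]; then verify_download "$@"; fi
```
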

  22. Anonymous Coward
    Devil

    This is why...

    This is why all my servers are updated from source. I keep a source tree up to date, compile that and from there on install the whole thing. Obviously this is no 100% guarantee failsafe, but infecting a source tree and making sure your hack fits in is still a heck harder than replacing one single file.

    Do note that I'm using FreeBSD (hence the demon icon) but don't pick up my post as "FreeBSD is better than Linux" because such comments are bogus. Even FreeBSD provides ISO's for installation purposes so basically the same risk factor applies.

    1. Charles 9

      Re: This is why...

      What about rogue compilers? How do you safeguard against those?

      1. Hans 1
        Windows

        Re: This is why...

        >What about rogue compilers? How do you safeguard against those?

        That is even harder to pull off than infecting a source tree, and in a completely different galaxy than Windows 7810 coming with spyware, disguised as security updates, is it not?

    2. phil 27

      Re: This is why...

      We won't because some of us are gentoo users :-)

      Equally we can't be smug either for the same reason, because I don't code review every single line of every single package to the depth I should be doing to be able to claim that. And if someone else does, why did you miss shellshock and the glibc bug for so long if so :-)

  23. Palpy

    What a lot of fun the comments on this one are!

    Yep, a website got hacked. It happened to the Ubuntu forums awhile back. Probably that means that Ubuntu is hopelessly insecure, and now so is Mint.

    Of course, doing something like downloading Paint.net from a bogus source hoses Windows, too.

    Everything is insecure. Mes amies, it's us against the world.

    I love how passionate everyone is about their OS of choice. By the devolving deities, be passionate about Windows, or Mint, or OSX, or Qubes, or OpenBSD! Because if users are not engaged in the systems they use, those systems will end up on the trash-heap of history.

    Oh, wait. Everything ends up on the trash-heap of history.

    Right, then, never mind. Ennui as usual, and back to the cat videos.

  24. Anonymous Coward
    Boffin

    Facts!

    Looking at the rate of increase of Linux installs, in 24 hours a backdoored ISO will have affected 0.134 of a user.

  25. CAPS LOCK

    tl;dr? Here's an executive summary:

    Don't use Wordpress.

    1. Tom 7

      Re: tl;dr? Here's an executive summary:

      There's nothing wrong with wordpress if you want an out of the box solution that takes longer to master than to write your own.

  26. itzman
    Devil

    ROTFFLMFAO!

    There's nothing wrong with wordpress if you want an out of the box solution that takes longer to master than to write your own.

    That reminds me of the '1001 things to use an Apple MACintosh for', back in the day.

    1000: Use it to prop the Windows open.

    1001: Drop it out of Windows to kill stray cats.

  27. Nanook

    What would prevent hackers from changing the MD5's to match their hacked ISOs?

  28. Bronek Kozicki

    Year of Linux on desktop

    I think Windows users are so used to "this will never come" that one day it will catch them by surprise :)

    And no, it probably won't be 2016, nor 2017. But give Microsoft enough time to sell subscription to Windows-as-a-service without option for permanent license, Steam to push game developers far enough, kernel hackers to improve on nouveau and amdgpu, and few other bits to fall into place. It will take a long time, there is little incentive since Linux already rules where it matters, in the datacentres, but we will get there when people start paying attention to their privacy on desktop eroded to nothing.
