Linux Mint always struck me as skiddies standing on the shoulders of men (Ubuntu), standing on the shoulders of giants (Debian).
And now it appears I was right.
A hack against Linux Mint over the weekend that meant surfers were invited to download a copy of the open source distro that came contaminated with a backdoor has also affected the organisation’s forums. As previously reported, hackers made a modified Linux Mint ISO before hacking its website with a link to the compromised …
Yes, we've all thought that.
It's a shame it's not run by a larger organisation, but a hobby project that's grown faster than it could cope.
I like mint, but I've always had my doubts about the number of people working in it.
I guess I can't moan - I haven't exactly showered them with donations.
You, sir/ma'am, are wrong. Mint fixed what Ubuntu (and Gnome3) broke in its moronic quest to create an open-source Apple clone. It's still Linux, Debian, Unix, C-based, and therefore highly flawed -- but it's the most practical desktop OS available today.
WordPress, not Linux, has been implicated as the culprit in this breach, which was quickly detected. Worse has happened before. Debian, notoriously, got hacked in ~2008 and was distributing a backdoored OpenSSH package for quite a while. IIRC it's also happened to Red Hat.
You have read that lwn thread, haven't you?
It doesn't even mention the number of times they've held back security releases because, erm, well...
As well as the way they repeatedly broke sudo apt-get dist-upgrade, it was seeing how long it took Flash security releases to be released that got me off Mint.
".....WordPress...." Yes, "Linux" as such may be held blameless, but I automatically associate the use of WordPress with security newbs not fit to be trusted. It also doesn't encourage warm thoughts towards the Mint team to read that the Bulgarian skiddies that pulled off this hack "just 4 the lulz" used old and well-known tools. I don't care how pretty you think Mint is, it just went far down my list of distributions to recommend because the developers seem to be serially inept when it comes to security.
Yeah.... I mean, it's a nice convenient distro without too much idiotic bling, but it's got issues for sure. Being based on Ubuntu. Flash and Java installed by default. Obviously security isn't the prime directive. I have considered switching to FreeBSD on my dev box... but that doesn't do much for security as long as I'm developing PHP and WordPress sites.
Security nihilism... we're all doomed anyway ;) ->
Where it came from is irrelevant. It is a good, solid OS, and great for entering into the Linux world.
Ubuntu's UI became too "mobileified" (aka shit), and Debian too far behind the dev curve to be of serious use in the modern home (if you want stability it's hard to find anything better, however).
Cinnamon is awesome as a window system IMO.
I must say I am impressed with the way this issue has been handled. Mint offers a very friendly way to start out in Linux but is powerful enough to be used beyond that point (of course this is helped by sitting on the mature Ubuntu), but they have reacted to this breach of security quickly and are doing what they can to put this right.
Anyone can be compromised, it is how you respond to it that matters. I hope they are back in action soon and I wish them the best of luck.
I'm curious as to what other way you think they could possibly have handled it. Keep distributing the hacked ISO? Of course they took it down. Not tell their forum users to reset passwords, after the entire world was told that their DB was for sale on hacker sites? Really? Since you're so impressed with what they have done, you must have something in mind, surely?
Personally, I'd say they'd have had to be slack-jawed imbeciles to do anything other than what they did, so while I guess they deserve a modicum of credit for not being complete morons, I don't see why anybody should be singing their praises either. "Well done, you ****ed up big time, but you could have ****ed up even worse if you really, really tried." No.
As per,
https://twitter.com/thegrugq/status/701407183339008000
https://twitter.com/LogicalDash/status/701434397485047813
I think in Bosnia they use . to separate third-powers, and , for the decimal point.
As a result the actual figure might be $85,000
Ho-Hum.. Shit, that should not happen.. happens.
Fair enough they suggest that their 'suppositories' are 'safe' but that is where 'The Gold' would be.
Wise, after the event, change passwords and don't use the same one all over the place advice, but you have to hope that they have adhered to that one themselves.
Of course I realise, hope, that given their background they probably do, but falling foul of a WordPress hack, unless it was 'zero day', raises some concerns... Not that I can play 'Holier Than', unintentional pun. Just spotted it after I typed it.
I would not wish to FUD but I do hope that they have sanitised their own access to the 'suppositories' and made quadruple sure that nothing untoward has gone on.
..... Still waiting for the Password Reset E-Mail?
I should resist the temptation to say I'm not overly bothered if those details got 'stolen'. I may be stupid but using Linux of itself has made me more aware about security and, in part according to my limitations, given me the tools to implement it for myself.
Oh.... and just in case it is still all shit layered on top of shit.
I already use different complex passwords for each of all my accounts wherever they are. So I only need to change the Linux Mint Forums one...
No big deal then...? Unless the Mint Folk open up the forums again and allow someone to use your old account details to post Goatse pictures.... which would be a serious Duh-Oh moment.
Not that I am on-side or anything but perhaps they need a little bit of time to make sure things are 'clean' before you get back in. No doubt they are taking advice from TalkTalk.
https://haveibeenpwned.com/
Novex
Oh no — pwned!
Pwned on 3 breached sites.
OK.... assuming your username is unique, who are the other two?
Sure... Let me garner some down votes.
That's just indicative of the complete cluster fuck that the Linux/Unix directory structure is, why naming conventions are not and 50% of my hard disk space under Linux is occupied by symlinks. Obviously I know fuck all but that's the way it appears to me. I can't install mdm from Debian on my Mint because Mint called their gdm mdm. Fuck off and rename your Debian mdm and write a symlink to it. It can't be that hard, can it? For balance Shades of 1980's commondlg.dll under Windows and it really gets my goat that my Atari does not work when I try to hammer a Radio Shack kernel up its arse. Meh.
> ...and 50% of my hard disk space under Linux is occupied by symlinks.
Hard disks with even more than 40 Megabyte of space are available.
Back to serious: the mdm issue is addressed (not: solved) here (lwn). You are welcome.
Thanks for referring me back to the previous article. It would seem 'addressed' means someone moaned about it. Glad to be corrected.
> Hard disks with even more than 40 Megabyte of space are available.
Thanks for the 'hard' figure. According to you 20 Megabytes of Linux on a Hard Disk is given over to symlinks. Does that include the space used on the hard disk that says where they are?
Perhaps you can provide some grep thing that says where they all live so next time something does not work I can add another one in the appropriate directory, usr/bin, pointing to the other one in a different directory, /etc/usr/var/bin that will redirect it to the other one in /foo/bar/etc/usr/share/bin and so on.
Thanks Again.
I suspect you're deliberately grossly exaggerating. 20GB of symlinks is a whole lot of symlinks, bearing in mind that they actually occupy relatively small amounts of disk space each (if the path pointed to by the symlink is relatively short, the destination address is actually stored in the inode!)
They clutter the directory structure, true, but the main advantage is that they don't use much disk space.
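The point made in the comment above about symlinks costing almost nothing on disk is easy to check. The following is an added example (not code from any commenter or from the Mint project): it creates a batch of symlinks in a temporary directory, then compares their apparent size (`st_size`, which POSIX defines as the length of the target path) with the space the filesystem actually allocated (`st_blocks`, in 512-byte units on Linux). The target path `/usr/share/mdm` is a constructed placeholder; a fast symlink whose target fits in the inode will typically report zero allocated blocks, but that depends on the filesystem, so the code reports rather than assumes it.

```python
import os
import tempfile


def symlink_footprint(target: str, count: int = 1) -> dict:
    """Create `count` symlinks to `target` in a fresh temporary directory
    and return the bytes they appear to occupy versus the bytes actually
    allocated by the filesystem.

    `apparent`  is the sum of st_size, i.e. count * len(target).
    `allocated` is the sum of st_blocks * 512 (Linux reports st_blocks in
                512-byte units regardless of the filesystem block size).
    """
    apparent = 0
    allocated = 0
    with tempfile.TemporaryDirectory() as workdir:
        for i in range(count):
            link = os.path.join(workdir, f"link{i}")
            os.symlink(target, link)
            # lstat, not stat: we want the link itself, not what it points to
            st = os.lstat(link)
            apparent += st.st_size
            allocated += st.st_blocks * 512
    return {"apparent": apparent, "allocated": allocated}


def links_needed_for(total_bytes: int, target: str) -> int:
    """How many symlinks to `target` would be needed to reach `total_bytes`
    of apparent size. Useful for sanity-checking claims such as 'half my
    disk is symlinks': each link counts only the length of its target path."""
    return -(-total_bytes // len(target))  # ceiling division


if __name__ == "__main__":
    # Constructed target path; it does not need to exist for a symlink.
    target = "/usr/share/mdm"
    report = symlink_footprint(target, count=100)
    print(f"100 symlinks to {target}: apparent={report['apparent']} bytes, "
          f"allocated={report['allocated']} bytes")
    twenty_gib = 20 * 2**30
    print(f"symlinks needed to 'use' 20 GiB: {links_needed_for(twenty_gib, target)}")
```

Running it on an ext4 or XFS filesystem usually shows `allocated=0` for short targets, because the target string lives inside the inode; even where the filesystem does allocate a block per link, reaching tens of gigabytes would take well over a billion symlinks, which is the point the comment was making.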
Read most of that lwn.net thread just now, and I'm a bit shocked. Only a few weeks ago I installed Mint on my wife's boxen. Now I'm wondering if that was a mistake, even without getting back doored (I hope).
The consensus on that thread seems to be that the Mint distro is badly run and is deliberately messing up namespacing. Apparently only the Cinnamon desktop environment is high quality. It's said that the way to go is to get Debian with the Cinnamon DE.
Is that worth doing for a typical home use situation? Right now it's stable and seems fine. (BTW, I've run Linux a bit myself but I'm 99% ignorant otherwise)
Any Mint users may wanna hop over to the forums, and change their password. The compromised email addresses have been uploaded to haveibeenpwned. Funnily enough, it appears I have been.
Additionally unsubscribe, as I haven't used mint for a few years.
(A relaxing break from fedora update stress, hint nvidia hardware)
Seems to me there's a whole generation of 'users' coming in who barely know how to wipe their own arses, who cry when they lose and gloat when they win, but who overall really don't have much of a clue.
For heavens sake, if you want your hand held and everything to 'just work' without you having to lift a well manicured finger, and let the 'others' do all the work for you then piss off and go and sit in someone's walled garden. Where you will be royally shafted and pay for the privilege, and still be none the wiser.
Otherwise, accept that computing is a jungle, which you enter at your own risk, and if, per chance, you get skinned alive then at least have the grace to laugh at yourself, commiserate with others, and learn from the experience. Maybe even share the learning. Now there's a novel idea for some!
Meanwhile the gloaters and the whiners will no doubt continue to enjoy sitting in the bottom of their little pit of self satisfied wank, while others get on with the job of taking responsibility and actually making things work, especially when they have broken.
Some things never change.
It will surprise you, but there are many people who use a computer as a tool rather than being a project of itself. Yes, I do expect my OS to "just work" the same as I expect my washing machine or vacuum cleaner to "just work" without the need to take off the covers and tweak the belt tension or change a pulley for one with a different diameter - or in fact know anything about what they look like inside or how they work.
And I fear you have just illustrated why the attitude of the Linux community is ensuring that most people who use a computer for serious work will stay with Microsoft. People do not necessarily want to battle trying to fit a cam belt to their new car before they can drive it away while the garage staff mock them from the sidelines for their lack of expertise.
Yes, it's obviously all my fault that my login was hacked and I have a backdoor installed on my Linux machine. How dare I complain that someone did this without my consent.
If this had happened to a Windows or OS-X update, you'd be crowing about how the stupid users who pay 'the man' for their OSs deserve it and you'd be making smug comments about how safe your Linux box is.
This is no different to download sites having "Download" button ads, blag video player updates, etc.
The 1000s of Windows users moving to Linux Mint have brought their naivety with them, and it didn't take long for someone to take advantage of that.
Linux is a free OS, as in speech and beer. Repeat, it is free. And it does many things much better than any version of Windows since XP (or at least 7) has managed. It is stable, fairly mature, and an ongoing project. It is also a "labor of love", where devs donate their time. It will not nag you about idiotic things, nor will it prevent you from self-immolation if you don't know what you're doing. (like any Unix-like OS) This is a big part of its elegance and power. It is probably more secure out of the box than any version of Windows, provided you're not silly enough to turn on every service in existence that you don't need, or install from unapproved sources.
A web forum got hacked. This happens. Daily. It's only going to get worse. The webmasters notified the populace and have taken measures to secure the site. You could argue that it should have been more secure to begin with, but you can say that about anything that has been pwned. Hindsight is 20/20 and it's easy to solve the world's problems with a pint in your hand in a nice warm bar.
If someone gives me a car, computer, operating system, whatever, with no expectations of recompense, I might be upset if it has a few flaws, but not as upset as if I've paid a lot of money for it and it has a lot of them. (Windows, Office come to mind) And again, it wasn't the OS that was hacked, but a web server. Even the NSA has had notable breaches. Cut Mint some slack.
I actually don't agree with this,
Use the same semi-crappy password, ideally with a spare email address, on sites that don't hold the keys to your kingdom (forums, pointless sign ups etc) - use good, unique passwords on things that do (email, hosting, TrueCrypt etc).
On all of the breaches so far that I have had details on (3 of them - Adobe, Moneybookers and this one) they are only details I am really not fussed about losing, may as well do 123456!
There is now data to suggest that this was NOT a lone ranger attack ("Peace" on ZDNet) but an orchestrated attempt by various interested parties (NOT Microsoft) to damage Mint's reputation and spread FUD...
I hasten to add that this is not confirmed at this time and I do not expect any real clear facts for some time as investigations continue, but the idea that a lone luser did this "'cause I might want a botnet" is not looking credible. As it stands, there *appears* to be evidence that this attack was carried out by pros to harm Mint's reputation, possibly because it was muscling in on various people's territory. I hasten to add that I am not privy to the source data and I am trying to be careful to report on a few *claims.*
We wait and see.
Personally, I am sticking with Mint 17 KDE. This was an attack on Mint's website and not an inherent flaw in Mint Linux. I do think Clem and co. have been caught wrong footed by a hobby project taking off and their not adapting. But it's not anything to do with the distro itself - it was the server it was running on and weak security.
Wait, WHAT ?
Are you trying to say it was NOT Microsoft that put its enormous financial resources to hack website and damage reputation of obscure Linux distro also known as "The Biggest Threat to Microsoft Windows" among few thousands of Mint users ?
Who else could it be then ?