Linux Mint forums hacked: All users urged to reset passwords

A hack against Linux Mint over the weekend that meant surfers were invited to download a copy of the open source distro that came contaminated with a backdoor has also affected the organisation’s forums. As previously reported, hackers made a modified Linux Mint ISO before hacking its website with a link to the compromised …

  1. Anonymous Coward
    Anonymous Coward

    Linux Mint always struck me as skiddies standing on the shoulders of men (Ubuntu), standing on the shoulders of giants (Debian).

    And now it appears I was right.

    1. Anonymous Coward
      Anonymous Coward

      Yes, we've all thought that.

      It's a shame it's not run by a larger organisation, but a hobby project that's grown faster than it could cope.

      I like mint, but I've always had my doubts about the number of people working in it.

      I guess I can't moan - I haven't exactly showered them with donations.

    2. Anonymous Coward
      Anonymous Coward

      re: men (Ubuntu), standing on the shoulders of giants (Debian).

      with the market share of midgets?

      1. Anonymous Coward
        Anonymous Coward

        Re: re: men (Ubuntu), standing on the shoulders of giants (Debian).

        Well, counting up the Linux-based devices around the home, they outnumber Windows 20:1.

        1. Anonymous Coward
          Anonymous Coward

          Re: with the market share of midgets?

          And itchy humourless downvote fingers!

    3. Anonymous Coward
      Anonymous Coward

      You, sir/ma'am, are wrong. Mint fixed what Ubuntu (and Gnome3) broke in its moronic quest to create an open-source Apple clone. It's still Linux, Debian, Unix, C-based, and therefore highly flawed -- but it's the most practical desktop OS available today.

      WordPress, not Linux, has been implicated as the culprit in this breach, which was quickly detected. Worse has happened before. Debian, notoriously, got hacked in ~2008 and was distributing a backdoored OpenSSH package for quite a while. IIRC it's also happened to Red Hat.

      1. Anonymous Coward
        Anonymous Coward

        "it's the most practical desktop OS available today."

        it's the most practical Linux based desktop OS available today.

        TFTFY.

      2. Ian 55

        'Mint fixed...'

        You have read that lwn thread, haven't you?

        It doesn't even mention the number of times they've held back security releases because, erm, well...

        As well as the way they repeatedly broke sudo apt-get dist-upgrade, it was seeing how long it took Flash security releases to be released that got me off Mint.

      3. Matt Bryant Silver badge
        Facepalm

        Re: tnovelli

        ".....WordPress...." Yes, "Linux" as such may be held blameless, but I automatically associate the use of WordPress with security newbs not fit to be trusted. It also doesn't encourage warm thoughts towards the Mint team to read that the Bulgarian skiddies that pulled off this hack "just 4 the lulz" used old and well-known tools. I don't care how pretty you think Mint is, it just went far down my list of distributions to recommend because the developers seem to be serially inept when it comes to security.

        1. Anonymous Coward
          Mushroom

          Re: tnovelli

          Yeah.... I mean, it's a nice convenient distro without too much idiotic bling, but it's got issues for sure. Being based on Ubuntu. Flash and Java installed by default. Obviously security isn't the prime directive. I have considered switching to FreeBSD on my dev box... but that doesn't do much for security as long as I'm developing PHP and WordPress sites.

          Security nihilism... we're all doomed anyway ;) ->

        2. Greg D

          Re: tnovelli

          With that logic extracted then, this becomes:

          "Mint is fine, but their devs are noobs (despite writing an OS) because they use WordPress?"

          Don't let your dislike of a platform cloud your views.

    4. Greg D

      Where it came from is irrelevant. It is a good, solid OS, and great for entering into the Linux world.

      Ubuntu's UI became too "mobileified" (aka shit), and Debian too far behind the dev curve to be of serious use in the modern home (if you want stability it's hard to find anything better, however).

      Cinnamon is awesome as a window system IMO.

      1. Anonymous Coward
        Devil

        Even on the server, Debian is a stability-or-security tradeoff.

        Mine's the one with the daemon & pitchfork (but I run Mint Mate on my desktop).

  2. Ali Um Bongo
    Facepalm

    Security? We've heard of it!

    I signed up for their Cinnamon Spices extensions & themes site: http://cinnamon-spices.linuxmint.com earlier today and got confirmation of my account, complete with login details, including password, sent out via email.

    1. Pan_Handle

      Re: Security? We've heard of it!

      Oops. Disappointing, and I speak as a fan of Mint and user over several hardware instances.

  3. BasicChimpTheory

    Surely Mint is nubs standing on the ghost of Windows?

    1. hplasm Silver badge
      Facepalm

      Re:Surely Mint is nubs standing on the ghost of Windows?

      Windows is dead?

      Rejoice!

    2. DaveC449

      Ghost

      Does Windows Have a ghost?

      1. Anonymous Coward
        Anonymous Coward

        Re: Ghost

        Well (Apple) Mac want their windows system back and Microsoft wish to slip through their fingers again!

  4. codejunky Silver badge

    Hmm

    I must say I am impressed with the way this issue has been handled. Mint offers a very friendly way to start out in Linux but is powerful enough to be used beyond that point (of course this is helped by sitting on the mature Ubuntu), but they have reacted to this breach of security quickly and are doing what they can to put this right.

    Anyone can be compromised, it is how you respond to it that matters. I hope they are back in action soon and I wish them the best of luck.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm

      I'm curious as to what other way you think they could possibly have handled it. Keep distributing the hacked ISO? Of course they took it down. Not tell their forum users to reset passwords, after the entire world was told that their DB was for sale on hacker sites? Really? Since you're so impressed with what they have done, you must have something in mind, surely?

      Personally, I'd say they'd have had to be slack-jawed imbeciles to do anything other than what they did, so while I guess they deserve a modicum of credit for not being complete morons, I don't see why anybody should be singing their praises either. "Well done, you ****ed up big time, but you could have ****ed up even worse if you really, really tried." No.

      1. Frank Zuiderduin

        Re: Hmm

        They fscked up? Where? Oh, you mean WordPress did. Right.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hmm

          Yes, you should never use anything that starts with a "W".

    2. Grease Monkey

      Re: Hmm

      You're impressed that they advised forum users to change their passwords and then promptly took the forums off line so users couldn't change their passwords?

  5. NP-HARD
    WTF?

    A king's ransom

    $85.

    Aiming for the big league

    1. Camilla Smythe

      Re: A king's ransom

      As per,

      https://twitter.com/thegrugq/status/701407183339008000

      https://twitter.com/LogicalDash/status/701434397485047813

      I think in Bosnia they use . to separate third-powers, and , for the decimal point.

      As a result the actual figure might be $85,000

      Ho-Hum.. Shit, that should not happen.. happens.

      Fair enough they suggest that their 'suppositories' are 'safe' but that is where 'The Gold' would be.

      Wise, after the event, change passwords and don't use the same one all over the place advice, but you have to hope that they have adhered to that one themselves.

      Of course I realise, hope, that given their background they probably do, but falling foul of a WordPress hack, unless it was 'zero day', raises some concerns... Not that I can play 'Holier Than', unintentional pun, just spotted it after I typed it.

      I would not wish to FUD but I do hope that they have sanitised their own access to the 'suppositories' and made quadruple sure that nothing untoward has gone on.

      ..... Still waiting for the Password Reset E-Mail?

      I should resist the temptation to say I'm not overly bothered if those details got 'stolen'. I may be stupid but using Linux of itself has made me more aware about security and, in part according to my limitations, given me the tools to implement it for myself.

      Oh.... and just in case it is still all shit layered on top of shit.

    2. TheVogon Silver badge

      Re: A king's ransom

      "Aiming for the big league"

      $1 per user is about the going rate...

  6. Novex

    Er...

    ...how can I change/reset my password when the forums are offline? (as at time of writing, 14:07GMT 22/02/2016)

    1. Camilla Smythe

      Re: Er...

      Er... Perhaps your time might be better spent making sure you have not used the same e-mail account, username, password combination on a more important account elsewhere and, if you have, changing those.

      Just saying....

      1. Novex

        Re: Er...

        I already use different complex passwords for each of all my accounts wherever they are. So I only need to change the Linux Mint Forums one...

        1. Camilla Smythe

          Re: Er...

          I already use different complex passwords for each of all my accounts wherever they are. So I only need to change the Linux Mint Forums one...

          No big deal then...? Unless the Mint Folk open up the forums again and allow someone to use your old account details to post Goatse pictures.... which would be a serious Duh-Oh moment.

          Not that I am on-side or anything but perhaps they need a little bit of time to make sure things are 'clean' before you get back in. No doubt they are taking advice from TalkTalk.

          https://haveibeenpwned.com/

          Novex

          Oh no — pwned!

          Pwned on 3 breached sites.

          OK.... assuming your username is unique, who are the other two?

          1. Novex

            Re: Er...

            Novex is not my log in username, only a screen name, and only here and one other site that I use. So in fact in theory not any of the three. I suspect that it's not exactly a unique name bearing in mind that there are around 7+ billion people in the world.

  7. The Travelling Dangleberries

    Not the only problem

    This thread http://lwn.net/Articles/676664/ is interesting and suggests that the website hacks are a symptom of the way that the LinuxMint team approach development and security.

    1. Camilla Smythe

      Re: Not the only problem

      Sure... Let me garner some down votes.

      That's just indicative of the complete cluster fuck that the Linux/Unix directory structure is, why naming conventions are not, and 50% of my hard disk space under Linux is occupied by symlinks. Obviously I know fuck all but that's the way it appears to me. I can't install mdm from Debian on my Mint because Mint called their gdm mdm. Fuck off and rename your Debian mdm and write a symlink to it. It can't be that hard, can it? For balance: shades of 1980's commdlg.dll under Windows, and it really gets my goat that my Atari does not work when I try to hammer a Radio Shack kernel up its arse. Meh.

      1. GrumpenKraut Silver badge
        Meh

        Re: Not the only problem

        > ...and 50% of my hard disk space under Linux is occupied by symlinks.

        Hard disks with even more than 40 Megabytes of space are available.

        Back to serious: the mdm issue is addressed (not: solved) here (lwn). You are welcome.

        1. Camilla Smythe

          Re: Not the only problem

          Thanks for referring me back to the previous article. It would seem 'addressed' means someone moaned about it. Glad to be corrected.

          Hard disks with even more than 40 Megabytes of space are available.

          Thanks for the 'hard' figure. According to you 20 Megabytes of Linux on a Hard Disk is given over to symlinks. Does that include the space used on the hard disk that says where they are?

          Perhaps you can provide some grep thing that says where they all live so next time something does not work I can add another one in the appropriate directory, usr/bin, pointing to the other one in a different directory, /etc/usr/var/bin that will redirect it to the other one in /foo/bar/etc/usr/share/bin and so on.

          Thanks Again.

          1. Peter Gathercole Silver badge

            Re: Not the only problem @Camilla

            I suspect you're deliberately grossly exaggerating. 20GB of symlinks is a whole lot of symlinks, bearing in mind that they actually occupy relatively small amounts of disk space each (if the path pointed to by the symlink is relatively short, the destination address is actually stored in the inode!)

            They clutter the directory structure, true, but the main advantage is that they don't use much disk space.

          2. GrumpenKraut Silver badge

            Re: Not the only problem

            Symlink count:

            % find . -lname \* | wc -l

            37535

            Symlink character count:

            % find . -lname \* | wc -c

            1678843

            That's 1.6 Megabyte. More than I thought, still a non-lethal amount.
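An added example, not posted by anyone in this thread and not Linux Mint code, that makes the symlink tally above and Peter Gathercole's inode point measurable. The thread's `find . -lname \* | wc -c` totals the lengths of the link names that find prints; a symlink's actual payload is its target string, so this script sums `readlink` output instead, and separately counts links whose target is too long to be stored inside the inode. The 60-byte threshold is the ext4 fast-symlink limit (targets up to 59 bytes live in the inode); other filesystems differ. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: measure what a tree's symlinks really store.
# A symlink's payload is its target string, so summing readlink output
# gives the honest figure. `find ... | wc -c` would instead total the
# lengths of the link *names* that find prints.

# Number of symlinks under a directory (default: current directory).
count_symlinks() {
    find "${1:-.}" -type l 2>/dev/null | wc -l | tr -d ' '
}

# Total bytes of symlink targets under a directory.
# readlink -n prints each target without a trailing newline, so wc -c
# sees exactly the target bytes and nothing else.
symlink_target_bytes() {
    find "${1:-.}" -type l -exec readlink -n '{}' \; 2>/dev/null | wc -c | tr -d ' '
}

# Symlinks whose target cannot live inside the inode. Assumption: the
# ext4 figure, where a target of up to 59 bytes is stored in the inode
# itself (a "fast" symlink) and anything longer costs a data block.
count_slow_symlinks() {
    find "${1:-.}" -type l -exec readlink '{}' \; 2>/dev/null |
        awk 'length($0) >= 60 { n++ } END { print n + 0 }'
}

# Constructed sample tree for the demonstration: three symlinks, one with a
# deliberately long (dangling) target. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin"
    ln -s a "$d/short"                 # 1-byte target
    ln -s bin/ls "$d/usr/ls"           # 6-byte target
    long=$(printf '%070d' 0)           # 70-byte target: 70 zeros
    ln -s "$long" "$d/long"
    printf '%s\n' "$d"
}

# Run with --demo to see the three figures on the constructed tree;
# run the functions against / or /usr for the real thing.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_tree)
    echo "symlinks:      $(count_symlinks "$dir")"
    echo "target bytes:  $(symlink_target_bytes "$dir")"
    echo "slow symlinks: $(count_slow_symlinks "$dir")"
    rm -rf "$dir"
fi
```

On the sample tree the three functions report 3 symlinks, 77 target bytes and 1 slow symlink; pointing `symlink_target_bytes /usr` at a real install gives the figure that the `wc -c` one-liner above approximates.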

    2. Anonymous Coward
      Anonymous Coward

      Re: Not the only problem

      Read most of that lwn.net thread just now, and I'm a bit shocked. Only a few weeks ago I installed Mint on my wife's boxen. Now I'm wondering if that was a mistake, even without getting back doored (I hope).

      The consensus on that thread seems to be that the Mint distro is badly run and is deliberately messing up namespacing. Apparently only the Cinnamon desktop environment is high quality. It's said that the way to go is to get Debian with the Cinnamon DE.

      Is that worth doing for a typical home use situation? Right now it's stable and seems fine. (BTW, I've run Linux a bit myself but I'm 99% ignorant otherwise)

      1. GrumpenKraut Silver badge

        Re: Not the only problem

        > It's said that the way to go is to get Debian with the Cinnamon DE.

        If you need/want a new install, that's what I'd suggest. But...

        > Right now it's stable and seems fine.

        ...only when needed, as a new install (at least for me) always brings a few surprises.

  8. HAL-9000

    PS

    Any Mint users may wanna hop over to the forums, and change their password. The compromised email addresses have been uploaded to haveibeenpwned. Funnily enough, it appears I have been.

    Additionally unsubscribe, as I haven't used mint for a few years.

    (A relaxing break from fedora update stress, hint nvidia hardware)

  9. Adair

    Quite a lot of whiners commenting here.

    Seems to me there's a whole generation of 'users' coming in who barely know how to wipe their own arses, who cry when they lose and gloat when they win, but who overall really don't have much of a clue.

    For heavens sake, if you want your hand held and everything to 'just work' without you having to lift a well manicured finger, and let the 'others' do all the work for you then piss off and go and sit in someone's walled garden. Where you will be royally shafted and pay for the privilege, and still be none the wiser.

    Otherwise, accept that computing is a jungle, which you enter at your own risk, and if, per chance, you get skinned alive then at least have the grace to laugh at yourself, commiserate with others, and learn from the experience. Maybe even share the learning. Now there's a novel idea for some!

    Meanwhile the gloaters and the whiners will no doubt continue to enjoy sitting in the bottom of their little pit of self satisfied wank, while others get on with the job of taking responsibility and actually making things work---especially when they have broken.

    Some things never change.

    1. GrumpenKraut Silver badge
      Pint

      Re: Quite a lot of whiners commenting here.

      Have an upvote. Doesn't look like everybody likes what you are saying, though.

    2. Cynic_999 Silver badge

      Re: Quite a lot of whiners commenting here.

      It will surprise you, but there are many people who use a computer as a tool rather than being a project of itself. Yes, I do expect my OS to "just work" the same as I expect my washing machine or vacuum cleaner to "just work" without the need to take off the covers and tweak the belt tension or change a pulley for one with a different diameter - or in fact know anything about what they look like inside or how they work.

      And I fear you have just illustrated why the attitude of the Linux community is ensuring that most people who use a computer for serious work will stay with Microsoft. People do not necessarily want to battle trying to fit a cam belt to their new car before they can drive it away while the garage staff mock them from the sidelines for their lack of expertise.

      1. GrumpenKraut Silver badge

        Re: Quite a lot of whiners commenting here.

        > ...use a computer as a tool rather than being a project of itself.

        That's when you have someone do the install for you. Car analogy applies.

    3. Anonymous Coward
      Anonymous Coward

      Re: Quite a lot of whiners commenting here.

      Yes, it's obviously all my fault that my login was hacked and I have a backdoor installed on my Linux machine. How dare I complain that someone did this without my consent.

      If this had happened to a Windows or OS-X update, you'd be crowing about how the stupid users who pay 'the man' for their OSs deserve it and you'd be making smug comments about how safe your Linux box is.

      1. GrumpenKraut Silver badge

        Re: Quite a lot of whiners commenting here.

        > Yes, it's obviously all my fault that my login was hacked and I have a backdoor installed on my Linux machine.

        You totally did not make that up, I am sure.

      2. Anonymous Coward
        Anonymous Coward

        Re: Quite a lot of whiners commenting here.

        This is no different to download sites having "Download" button ads, blag video player updates, etc.

        The 1000s of Windows users moving to Linux Mint have brought their naivety with them, and it didn't take long for someone to take advantage of that.

      3. Unicornpiss Silver badge
        Flame

        Re: Quite a lot of whiners commenting here.

        Linux is a free OS, as in speech and beer. Repeat, it is free. And it does many things much better than any version of Windows since XP (or at least 7) has managed. It is stable, fairly mature, and an ongoing project. It is also a "labor of love", where devs donate their time. It will not nag you about idiotic things, nor will it prevent you from self-immolation if you don't know what you're doing. (like any Unix-like OS) This is a big part of its elegance and power. It is probably more secure out of the box than any version of Windows, provided you're not silly enough to turn on every service in existence that you don't need, or install from unapproved sources.

        A web forum got hacked. This happens. Daily. It's only going to get worse. The webmasters notified the populace and have taken measures to secure the site. You could argue that it should have been more secure to begin with, but you can say that about anything that has been pwned. Hindsight is 20/20 and it's easy to solve the world's problems with a pint in your hand in a nice warm bar.

        If someone gives me a car, computer, operating system, whatever, with no expectations of recompense, I might be upset if it has a few flaws, but not as upset as if I've paid a lot of money for it and it has a lot of them. (Windows, Office come to mind) And again, it wasn't the OS that was hacked, but a web server. Even the NSA has had notable breaches. Cut Mint some slack.

    4. Pan_Handle

      Re: Quite a lot of whiners commenting here.

      Charming

    5. Adair

      Re: Quite a lot of whiners commenting here.

      Actually I've got it wrong: 'self satisfied' should be 'self-pitying'.

    6. ecofeco Silver badge

      Re: Quite a lot of whiners commenting here.

      Have an upvote from me as well.

  10. J J Carter Silver badge
    Windows

    Titter ye not!

    Right now, unless you inspect all the C code and compile your own kernel, Linux has to be considered an enemy munition.

    I've just emailed the IT staffers reminding them that installing any unauthorised s/w on company equipment will result in dismissal for gross misconduct.

    1. GrumpenKraut Silver badge
      Trollface

      Re: Titter ye not!

      Says J J Carter, the machine gun of all trolls -------------------------->

    2. linicks

      Re: Titter ye not!

      J J Carter:

      "I've just emailed the IT staffers reminding them that installing any unauthorised s/w on company equipment will result in dismissal for gross misconduct."

      Did you just stumble on a document from 1996?

  11. Not That Andrew
    Joke

    This sort of thing would never happen if you just used Slackware, they don't have official forums.

  12. Daniel Voyce

    "Don't use the same password"

    I actually don't agree with this,

    Use the same semi-crappy password, ideally with a spare email address, on sites that don't hold the keys to your kingdom (forums, pointless sign ups etc) - use good, unique passwords on things that do (email, hosting, TrueCrypt etc).

    On all of the breaches so far that I have had details on (3 of them - Adobe, Moneybookers and this one) they are only details I am really not fussed about losing, may as well do 123456!

  13. Jedipadawan

    More data...

    There is now data to suggest that this was NOT a lone ranger attack ("Peace" on ZDNet) but an orchestrated attempt by various interested parties (NOT Microsoft) to damage Mint's reputation and spread FUD...

    I hasten to add that this is not confirmed at this time and I do not expect any real clear facts for some time as investigations continue, but the idea that a lone luser did this "'cause I might want a botnet" is not looking credible. As it stands, there *appears* to be evidence that this attack was carried out by pros to harm Mint's reputation, possibly because it was muscling in on various people's territory. I hasten to add that I am not privy to the source data and I am trying to be careful to report on a few *claims.*

    We wait and see.

    Personally, I am sticking with Mint 17 KDE. This was an attack on Mint's website and not an inherent flaw in Mint Linux. I do think Clem and co. have been caught wrong-footed by a hobby project taking off and their not adapting. But it's not anything to do with the distro itself - it was the server it was running on and weak security.

    1. DainB Bronze badge

      Re: More data...

      Wait, WHAT ?

      Are you trying to say it was NOT Microsoft that put its enormous financial resources to hack website and damage reputation of obscure Linux distro also known as "The Biggest Threat to Microsoft Windows" among few thousands of Mint users ?

      Who else could it be then ?

  14. Klatch

    what do we have here then..

    http://www.infoworld.com/article/3036600/linux/is-linux-mint-a-crude-hack-of-existing-debian-based-distributions.html

    Hmm interesting

  15. Cardinal

    The Mint forum is back up

    It's just come back inside the last hour or so I think, but hosted on phpBB.

    https://forums.linuxmint.com/index.php

    1. Cardinal

      Re: The Mint forum is back up

      There's a post from 'clem' under 'Chat about Linux Mint' here:-

      https://forums.linuxmint.com/viewtopic.php?f=60&t=217156#p1135182
