Linux Mint site hacked, modified ISOs with backdoor distributed

Also in today's open source roundup: DistroWatch reviews Zorin OS 11 Core, and does Windows piracy lower the adoption rate of Linux on the desktop?


Linux Mint site hacked

The Linux Mint site was hacked recently, and the attackers changed the download links to point to ISOs that included a backdoor. Anybody who downloaded Linux Mint on February 20th should take action immediately, according to a post on the Linux Mint Blog.

Clem reports for the Linux Mint Blog:

I’m sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below. Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition. If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn’t affect you either.

If you still have the ISO file, check its MD5 signature with the command "md5sum yourfile.iso" (where yourfile.iso is the name of the ISO).

If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session. Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.

More at Linux Mint Blog
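The two checks the advisory describes, as an added shell example that is not code from the Linux Mint project or the blog post: the first function compares the MD5 of a file with an expected digest you supply, the second looks for the indicator file /var/lib/man.cy under a given root, so it can be run inside the live session (root /) or against a mounted image from another system. The indicator path comes from the advisory; the file names, mount points and digest in the usage comments are assumptions. A digest copied from the same site that served the ISO is only as trustworthy as that site, so compare against a value obtained from a source you trust.

```shell
#!/bin/sh
# Added example, not from the Linux Mint project: verify an ISO's MD5 and
# look for the indicator file named in the advisory.

# verify_md5 FILE EXPECTED_HEX
# Compares the MD5 of FILE with EXPECTED_HEX (a digest obtained from a
# trusted source, not from the page that served the download).
# Returns 0 on match, 1 on mismatch or unreadable file.
verify_md5() {
    file="$1"
    expected="$2"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual, expected $expected)" >&2
    return 1
}

# check_indicator [ROOT]
# Looks for ROOT/var/lib/man.cy. ROOT defaults to /, i.e. the running live
# session as the advisory describes; pass a mount point (assumed path,
# e.g. /mnt/usb) to inspect a mounted image or USB stick from another system.
# Returns 0 when the file is absent, 1 when it is present.
check_indicator() {
    root="${1:-/}"
    root="${root%/}"               # drop a trailing slash so / becomes ""
    marker="$root/var/lib/man.cy"
    if [ -e "$marker" ]; then
        echo "INFECTED: $marker is present" >&2
        return 1
    fi
    echo "clean: $marker not found"
    return 0
}

# Usage (assumed file name, digest and mount point):
#   verify_md5 linuxmint-17.3-cinnamon-64bit.iso <digest-from-trusted-source>
#   check_indicator            # inside the live session
#   check_indicator /mnt/usb   # against a mounted stick
```

Both functions return a non-zero status on a bad result, so they can be chained in a script with `||` to stop at the first failed check.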

The shocking news about the Linux Mint hack spawned a large thread in the Linux subreddit and the folks there shared their thoughts about it:

Rafelement: "Has this ever happened before? Someone compromising the .iso?"

Ipsirc: "It's happened with a redhat mirror long years ago."

LeaveTheMatrix: "Sometimes I get tired of people, ESPECIALLY WordPress users, who don't even follow such basic security procedures.

I do put some blame on the WP devs themselves as well, in their haste to make it "user friendly" they have been the cause of so many servers getting compromised over the years.

Heck, least they could do is occasionally change the login url so that bots can't easily find it."

Cbmuser: "This issue shows that the Mint people don't know how to secure their infrastructure. And as it turns out, their configuration was blatantly insecure. There is a difference whether something like this happens by accident or the people in charge don't know how to do their job."

Wanderhomer: "This and their policy regarding security updates of the kernel, X.org and such makes me really wonder why so many people trust this distribution and recommend it to new Linux users."

Dain42: "Primarily because it's not Ubuntu.

People's complaints with Canonical aside, there is a lot of snobbishness about using Ubuntu, because people see it as a "starter distro" since it was the first one they picked up, ignoring the fact that roughly 50% of Google's internal users run it, as do Wikipedia's servers, last I heard.

Ubuntu is a mature, well-maintained distro with corporate backing, and a very strong consumer/user focus, compared to the other big distros. I think it makes a much better choice for family and friends if you're recommending Linux. There are plenty of flavors, too, for people who don't like Unity or have older or slower machines."

Cbmuser: "Then, for God's sake, use Debian, Arch, Gentoo, openSuSE or Fedora. At least, these distros take security seriously and issue regular security advisories which are also posted on lwn.net.

Linux Mint doesn't do anything like that and whenever something like the recent glibc vulnerability occurs (CVE-2015-7547), users have no easy means to inform themselves whether their distro has been fixed.

Really, I wouldn't touch Mint - or any distro without proper security support - with a 10-foot pole."

Wanderhomer: "By default Linux Mint disables all updates for the following packages, including all security updates:

kernel, dbus, X.org, acpid, mountall, mesa, systemd, plymouth, upstart, *base-files, grub, grub2

Afaik Linux Mint doesn't provide any nice documentation or notification about that, so as a user you have to know about that and enable those updates manually if you care about a secure system. I mean since the release of Mint 17.3 more than ten security bugs have been fixed in the kernel alone, all of them not getting shipped to Mint by default.

The details can be found in some file in the mintUpdate package where they blacklist all those packages."

ExpertNewb: "How can they do this?

We are a small software development company who have a few custom Linux drivers we distribute from our own repo. It runs on a separate server from the rest of our infrastructure (which in itself is separated and containerized into several parts, mostly for security). So, even if anything else in our infrastructure is hacked, our file server which sends out Debian packages, which runs barely anything else other than a file server, won't be affected.

How can people behind a popular Linux distro let this happen?"

Hgwellsrf: "The OS itself is sound and robust; I install all updates too. And afaik this is only the first time something like this has happened to them. So unless they make it a habit, I'm good with mint. Also I dual boot with Arch. Best of both worlds!"

More at Reddit
