Old 02-21-2016, 10:06 PM   #1
Thionite
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Rep: Reputation: Disabled
Are these security concerns about Linux Mint valid?


If you're posting here, you've probably heard about the attack on the Linux Mint website.


I run Mint on my other machine, but haven't downloaded any ISOs lately, so this specific issue doesn't apply to me directly. But I keep thinking about this Reddit thread.

The main point of contention is this:

Quote:
Exactly. They were most likely breached into over CVE-2015-7547.
Did I already say you shouldn't use Linux Mint?

Well, here I am saying it again: Don't use Linux Mint! In fact, don't use any of these distributions who do not have a dedicated security team. Please, just don't!
This again just shows that maintaining a distribution takes more than just developing your own desktop packages and creating ISOs. It's a matter of providing something people can rely on!

None of these "I make my own Linux distribution because I can." distributions have their own security team.

FYI, the vulnerability was fixed in RedHat, Debian, Ubuntu, Fedora, openSuSE the day it was announced! Simply because these distributions have dedicated security teams!
Go ahead and downvote me into oblivion. But I will continue to repeat what I have said multiple times here: Linux Mint is garbage! Don't use it. It's a FrankenDebian by design!
(One link removed)

Here's where you'll have to excuse my inexperience, but please bear with me.

Do these criticisms make sense? It seems like the user who posted that comment has aggressively decried Mint at least a few times before. This does not make him wrong, but it does make me wonder.

The other thing that I read today said that Mint hides certain security updates by default. Why would they do this?

Should Mint users consider moving away from that distro?
 
Old 02-21-2016, 10:43 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6141
Given that Mint has taken a proactive approach to dealing with the hack and that I've used Mint with no issues off and on for years, I call shenanigans on Reddit.

Panic is not your friend.
 
Old 02-21-2016, 11:08 PM   #3
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,111
Blog Entries: 21

Rep: Reputation: 3474
Quote:
Should Mint users consider moving away from that distro?
Nope.

Quote:
The other thing that I read today said that Mint hides certain security updates by default
Probably because the majority of users (like me) would not understand a security update if it was a rattlesnake 10 feet in front of them.

One person's opinion does not make a mandate. I bet Mint drops using WordPress now on their sites.

Last edited by rokytnji; 02-21-2016 at 11:09 PM.
 
Old 02-21-2016, 11:19 PM   #4
astrogeek
Moderator
 
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=15, FreeBSD_12{.0|.1}
Posts: 6,263
Blog Entries: 24

Rep: Reputation: 4194
I mostly agree with frankbell, although I have never used Mint.

This particular event is not a source or binary exploit of the Mint repos - it is an exploit of yet another wordpress based site in which it was hyperlinks that were changed, not code (albeit, a small consolation to those who downloaded from the bogus links).

But those who did download and failed to check the checksums of the ISO must accept their own share of the consequences. They themselves failed to take on the ordinary user responsibility for their end of the transaction, and failed to follow the instructions on the Mint site. This is not M$ or Red Delicious - the user has choices and responsibilities.

As I have said in other threads, the real problem we are all facing is an internet infrastructure designed for a sane world, now operating in one that is anything but sane. There is not and never will be "perfect" software, and there is ultimately no tech solution for malicious human initiated activities - regardless of whether or not there is a dedicated security team!

This is not a failing of Mint (other than use of wordpress), it is just one notably successful exploit for that day, there were very many others we did not read about. And there will be more tomorrow... and the next day... until it all melts down. My optimism is that it may happen quickly.

For their part, Mint has responded quickly and taken the one meaningful action of taking the site offline - which many are not willing to do when faced with similar problems. So they do deserve credit for their response.
 
Old 02-21-2016, 11:38 PM   #5
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 21,126

Rep: Reputation: 4120
It does appear however that they only shut it down after a second hit. Had the intruders any sense they wouldn't have exposed the fact they still had entry after the initial "clean up".
Pretty poor effort from the Mint team really.
Especially as the user forum database was exposed as well.

And yes I still have Mint systems in the house.
 
Old 02-22-2016, 03:00 AM   #6
Captain Pinkeye
Member
 
Registered: Oct 2012
Location: The Czech Republic
Posts: 280

Rep: Reputation: 98
Well, I don't think Mint is 'garbage', and the guy who wrote it sounds like being in some 'anti-Mint' rage.

Quote:
In fact, don't use any of these distributions who do not have a dedicated security team. Please, just don't!
This again just shows that maintaining a distribution takes more than just developing your own desktop packages and creating ISOs. It's a matter of providing something people can rely on!
This I agree with fully, though.
 
Old 02-22-2016, 03:03 AM   #7
nickmartin
LQ Newbie
 
Registered: Feb 2016
Posts: 4

Rep: Reputation: Disabled
I've used Mint with no issues enable or seen away. It does appear however that they only shut it down after a second hit. But those who did download and failed to check the checksums of the ISO must accept their own share of the consequences.
 
Old 02-22-2016, 08:04 AM   #8
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
I'm not leaving Mint. The Forums, maybe, but not Mint as my preferred OS of Choice.
"most likely" seems like an opinion.

Lots of Monday Morning Quarterbacking going on in the current situation.
It is likely that the exact weakness may never be disclosed, but a weak db password is certainly alarming, at least to me.

That is my opinion.
 
Old 02-22-2016, 02:25 PM   #9
Thionite
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by nickmartin
I've used Mint with no issues enable or seen away. It does appear however that they only shut it down after a second hit. But those who did download and failed to check the checksums of the ISO must accept their own share of the consequences.
It appears that the hacker modified the checksums present on the website to match the malicious upload.

http://www.zdnet.com/article/hacker-...mint-backdoor/

I'm not sure what the average user can do in situations like that. Except maybe staying away from distros that don't encrypt that information in some way.
 
Old 02-22-2016, 03:43 PM   #10
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
wrt: http://www.zdnet.com/article/hacker-...mint-backdoor/
An article discussion with "the hacker"...
says
Quote:
The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.

and "Who the f**k checks those anyway?" the hacker said.
Why is the interviewer referring to the interviewee as "the hacker"?

And if users don't check md5sums (they usually don't) why bother to change the published values?

The whole article smacks of click-bait.
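On the question raised above of what a user can do when the checksum on the download page has been replaced along with the ISO, here is an added example (not part of the thread, and not any distribution's own tooling): authenticate the checksum list with a signature before trusting it. The file names, the functions `verify_download` and `demo`, and the openssl RSA key standing in for a release-signing key are all assumptions; distributions typically publish GPG signatures for this purpose.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). All file names and the key are
# constructed; an openssl RSA key stands in for a release-signing key.

# verify_download ISO SUMS SIG PUBKEY
# Returns 0 only if SIG is PUBKEY's signature over SUMS and the ISO's
# SHA-256 matches its entry in SUMS; 2 = bad signature, 1 = hash mismatch.
verify_download() {
    local iso sums sig pubkey name want got
    iso=$1 sums=$2 sig=$3 pubkey=$4
    # 1. Authenticate the checksum list with a key obtained out of band.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$sums" 2>/dev/null \
        | grep -q '^Verified OK$' || { echo "bad signature on $sums" >&2; return 2; }
    # 2. Only now trust the list: look up the expected hash for this file.
    name=$(basename "$iso")
    want=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$want" ] || { echo "no entry for $name" >&2; return 3; }
    got=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$got" = "$want" ] || { echo "hash mismatch for $name" >&2; return 1; }
}

# Constructed scenario: a clean release, then a swapped ISO, then a swapped
# ISO with the checksum list rewritten to match (the case in the thread).
demo() {
    local d clean iso_only both
    clean=0 iso_only=0 both=0
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/release.key" 2048 2>/dev/null
    openssl rsa -in "$d/release.key" -pubout -out "$d/release.pub" 2>/dev/null
    printf 'genuine image\n' > "$d/distro.iso"
    (cd "$d" && sha256sum distro.iso > sha256sum.txt)
    openssl dgst -sha256 -sign "$d/release.key" -out "$d/sha256sum.txt.sig" "$d/sha256sum.txt"
    set -- "$d/distro.iso" "$d/sha256sum.txt" "$d/sha256sum.txt.sig" "$d/release.pub"
    verify_download "$@" || clean=$?
    printf 'backdoored image\n' > "$d/distro.iso"
    verify_download "$@" || iso_only=$?
    (cd "$d" && sha256sum distro.iso > sha256sum.txt)   # plain hash check now passes
    verify_download "$@" || both=$?
    rm -rf "$d"
    echo "clean=$clean iso_only=$iso_only both=$both"
}

demo
```

The rewritten checksum list matches the swapped ISO, so a bare hash comparison would succeed; it is the stale signature that fails. The check only helps if the public key was obtained through a channel the web server compromise could not touch.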
 
Old 02-22-2016, 04:48 PM   #11
mike acker
Member
 
Registered: Feb 2014
Location: Michigan
Distribution: Debian 10
Posts: 199

Rep: Reputation: Disabled
Quote:
Originally Posted by Habitual
wrt: http://www.zdnet.com/article/hacker-...mint-backdoor/
An article discussion with "the hacker"...
says

Why is the interviewer referring to the interviewee as "the hacker"?

And if users don't check md5sums (they usually don't) why bother to change the published values?

The whole article smacks of click-bait.
I'm sure a lot of talented thought will go into the resolution of this incident. Automatically linking the download might not be the best idea -- perhaps the link should go onto a site page protected with HTTPS and then let me select the download option from that point. This simply draws the second point: I really don't know which of my X.509 certs are trustworthy. We really should verify these -- and sign them -- before using them. But that is a story for another time.
 
Old 02-22-2016, 04:54 PM   #12
curtvaughan
Member
 
Registered: Nov 2014
Location: Austin, TX
Distribution: Mint, Devuan, MX, Ubuntu, ArcoLinux on hardware; vboxes of varying flavors
Posts: 42

Rep: Reputation: Disabled
Linux Mint website hack

I think that, from what I've read, the main issue is with weaknesses in WordPress. Most likely, as has been mentioned, the Mint devs will lose WordPress for their web presence. I've read the same old Debian vitriol on Ars Technica that has been going on ad nauseam since Debian downstream distros ever came to the fore (they also disparage Ubuntu). Anyway, I will still continue to support the Mint distro. Debian was a great concept, and Mint makes it better; same with Ubuntu. Onward.
 
Old 02-22-2016, 05:29 PM   #13
sgosnell
Senior Member
 
Registered: Jan 2008
Location: Baja Oklahoma
Distribution: Debian Stable and Unstable
Posts: 1,943

Rep: Reputation: 542
I used Mint long ago, but I never will again. If they let their website be hacked twice in one day, they need to go to WalMart and buy a clue. The Wordpress hack is just one issue. The lack of a security team is a valid criticism, and I don't think Mint will ever have anyone who knows much about security. In the current environment, security is a basic necessity, and Mint has none. None.
 
Old 02-22-2016, 06:38 PM   #14
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS,Manjaro
Posts: 5,623

Rep: Reputation: 2695
please be not silly

I use multiple platforms. Only ONE runs Mint, but has for over a year. Others are Sparky, VSIDO, CentOS. I used to run pure Debian, and am likely to again. I used to run Ubuntu, but NEVER will again! So the MINT site is not terribly secure, and I am not likely to download a new image before they fix that, but I am not reloading this laptop running Mint until I have a LOT better reason!

I love that quote: "Panic is not your friend." Very true!
 
Old 02-22-2016, 08:37 PM   #15
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6141
I've used WordPress since v. 1.5 for its original purpose: blogging. As a result, I tend to follow WordPress news, though I don't do so slavishly.

I don't know the technical details of what happened with linuxmint.com, but, in defense of that platform, I wish to note that security issues at WordPress sites are almost always related to dodgy plugins, rather than to WP itself. (Note that I said "almost always.")
 
  

