Linux Mint website hacked, ISO downloads replaced with backdoored operating system

     
bill (Administrator from JP), 12:00 am on Feb 22, 2016 (gmt 0):

http://blog.linuxmint.com/?p=2994

Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

bill (Administrator from JP), 1:44 am on Feb 22, 2016 (gmt 0):

A little follow up from the hacker...

http://www.zdnet.com/article/hacker-hundreds-were-tricked-into-installing-linux-mint-backdoor/

Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads

After a detailed conversation, the hacker explained how the multilayered attack was carried out.

Peace was "just poking around" the site in January when they found a vulnerability granting unauthorized access. (The hacker also said they had the credentials to log in to the site's admin panel as Lefebvre, but was reluctant to explain how in case it proved useful again.) On Saturday, the hacker replaced one of the 64-bit Linux distribution images (ISO) with one that was modified by adding a backdoor, and later decided to "replace all mirrors" for every downloadable version of Linux on the site with a modified version of their own.

...

But the best way to get users to download the backdoored version was by changing the checksum -- used to verify the integrity of a file -- on the website with the checksum of the backdoored version.

Senior Member from GB, 4:48 am on Feb 22, 2016 (gmt 0):

What is the point of putting the checksum on the same site as the download ISO?

planet13 (Senior Member), 5:11 am on Feb 22, 2016 (gmt 0):

"What is the point of putting the checksum on the same site as the download ISO?"

It makes it more fun?

planet13 (Senior Member), 5:14 am on Feb 22, 2016 (gmt 0):

So is there a way to check your Mint 17.3 install for this trojan?

I know it says to check the checksum, but I burned Mint 17.3 Cinnamon to a USB stick several days back, installed it, and then deleted the ISO, so I can't check the hash now...

bill (Administrator from JP), 6:12 am on Feb 22, 2016 (gmt 0):

"What is the point of putting the checksum on the same site as the download ISO?"

He apparently put the correct checksum on the Mint site and then uploaded those files to a server in Bulgaria, where he pointed the download link. Nobody would know the difference that way. The checksum would appear valid, which it was, for the hacked file.

engine (Administrator from GB), 8:53 am on Feb 22, 2016 (gmt 0):

Oh, thanks for bringing that to my attention. I'm going to delete my download to be sure.

Senior Member from GB, 12:29 pm on Feb 22, 2016 (gmt 0):

Mint seem to have a cavalier attitude to security. One of the reasons I stopped using the Cinnamon desktop (which is a Mint project) was its use of (as far as I could tell) unsigned extensions and applets.

encyclo (Senior Member from CA), 2:44 pm on Feb 22, 2016 (gmt 0):

"Mint seem to have a cavalier attitude to security."

To be fair, this is a WordPress hack, not a Linux hack. (As if we needed further proof that WordPress is a security nightmare.)

planet13 (Senior Member), 3:42 pm on Feb 22, 2016 (gmt 0):

Just a couple of thoughts:

1) Maybe they could use a static html page for their md5 checksum instead of a wordpress page / post ?

2) More importantly, whoever hacked into their site was able to download all the data from the database, meaning that the info of any forum users is now out there (and apparently being sold).

While the passwords are encrypted, apparently they could theoretically use brute force attacks to (eventually) decrypt the passwords (I have no idea how long it would take to do this on a user-per-user basis; I am guessing a long time...)

So I guess that if you use the same password for the Linux Mint forums on other sites, probably would be a good idea to change the passwords to those other sites.

bill (Administrator from JP), 5:17 am on Feb 23, 2016 (gmt 0):

I'm seeing many other places where Linux Mint is being raked over the coals not only for this website hack, but also for the position they take on security of the OS.

planet13 (Senior Member), 9:36 pm on Feb 23, 2016 (gmt 0):

Are they saying that Mint is any worse security-wise than the other debian / ubuntu based distros?

encyclo (Senior Member from CA), 11:34 pm on Feb 23, 2016 (gmt 0):

"Are they saying that Mint is any worse security-wise than the other debian / ubuntu based distros?"

In short, yes.

From what I have seen, the opinion has been best expressed by a Debian developer, Adrian Glaubitz:

Well, Linux Mint is generally very bad when it comes to security and quality.

First of all, they don't issue any Security Advisories, so their users cannot - unlike users of most other mainstream distributions [1] - quickly look up whether they are affected by a certain CVE.

Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian", which results in system updates becoming unpredictable [2], with the result that the Mint developers simply decided to blacklist certain packages from upgrades by default, thus putting their users at risk because important security updates may not be installed.

Thirdly, while they import packages from Ubuntu or Debian, they hijack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm", which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian, which is "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.

(...)

To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.

I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.

Source: [lwn.net...]

I am well aware that there are fundamental differences in approach between Debian, Ubuntu and Mint, and the Mint team would strongly disagree with the statements above. However, security has never been the primary focus of Linux Mint, and their policies include (for instance) holding back updates for core elements of the OS to avoid problems, possibly because they are just respinning Ubuntu/Debian (the FrankenDebian mentioned in the quote) and simply don't have the resources to do the testing. Their failings with regards to the security of their website (outdated WordPress and phpBB installations, no HTTPS, downloads on the main server...) could well be symptomatic.

It is an interesting argument; it may be safe to use Mint at home, but the project appears to lack the professionalism and depth to be a recommended choice for business/enterprise use.

planet13 (Senior Member), 5:31 am on Feb 24, 2016 (gmt 0):

@ encyclo

Thanks for the note and for sharing your opinion.

How much harder would it be for someone who uses Linux Mint at home to set up a box running Debian?

My main concern would probably be finding drivers for my hardware / setting up my canon pixma printer (don't think they make linux drivers for it, but haven't checked in a while.)

Is there a secure desktop / file manager for debian that makes it "windows-like" ?

Does it have the same software availability as Ubuntu or mint have?

Although I am still quite the Linux noob, I know enough about using the terminal to install and update packages, but otherwise, I need to be able to copy and paste code in the terminal.

And would the Linux Mint Debian Edition be more secure than the mainstream Linux Mint releases?

Thanks in advance.

Senior Member from GB, 8:52 am on Feb 24, 2016 (gmt 0):

Mint is pretty similar to Ubuntu - the big differences are the default desktop (and both have spins that offer different default desktops), GUI config and installation tools, and Mint default installs some codecs that may breach patents in some countries (they can be installed on Ubuntu, as can licensed alternatives to some of them).

Debian is not that hard to install, but will be more work. It is a while since I did a Debian desktop install so I cannot remember exactly how it was different.

There are plenty of other Debian based distros: [distrowatch.com...]

Most of the software in the Ubuntu and Mint repos comes from Debian (Ubuntu forks Debian at intervals, Mint adds to Ubuntu). The biggest difference is that Ubuntu works with Launchpad PPAs out of the box.

planet13 (Senior Member), 4:35 pm on Feb 24, 2016 (gmt 0):

Thanks Graeme:

I have been searching around the Debian forums.

Maybe I am wrong, but it seems like:

1) You could get ANY package or codec in Debian as they have for Ubuntu, IF you add the right repository in your sources file, and

2) Despite being touted as stable and secure, you could make Debian very NON-secure and UNstable by adding those repositories

So is Debian's stability and security based on the fact that, out-of-the-box, they don't include as many repositories as Ubuntu / Mint have?

And is it based on CULTURE instead of technology? Meaning, is Debian more secure and stable just because the Debian community ENCOURAGES users to be more responsible?

Or is there some sort of technology which allows Debian to be more secure and more stable than Ubuntu and Mint even if the same repositories are added to a Debian install sources file?

I ask, because even for modest uses (emailing, watching videos on YouTube, using Google spreadsheets, Dropbox, watching videos with VLC, etc.), one would have to add the non-free repositories to sources.list, and leave it in there to get automatic updates.

But wouldn't that make Debian just as unsafe as Ubuntu / Mint?

Senior Member from GB, 6:31 pm on Feb 24, 2016 (gmt 0):

I do not think Ubuntu is unsafe. Mint has had issues, but not Ubuntu. As far as I know Ubuntu does not do any of the things that the Debian developer encyclo quotes criticises Mint for.

I think at one point Ubuntu had some security features before Debian.

Ubuntu has had PRIVACY issues, because the default Unity desktop comes with a desktop search function that searched your applications and documents together with external sources (like Amazon). I think these issues have been resolved, although I currently use Xubuntu (the XFCE spin) so I do not know.

Debian does usually install less stuff by default, which may make it a bit more secure and a bit lighter.

You cannot get everything in Ubuntu in Debian - the Ubuntu Software centre has proprietary as well as open source software, and it has PPAs [help.ubuntu.com...] some of which may work with Debian. I do not think nonfree is necessarily insecure, just not free software. Of course some things in nonfree are proprietary so they cannot be independently verified.

If you do not use PPAs, you can probably get almost everything in Mint in Debian. PPAs ARE probably a bit risky.

Debian probably does have a more security-minded (and more open source-minded) user base.

planet13 (Senior Member), 7:00 pm on Feb 24, 2016 (gmt 0):

Hmmm...

Well, it sounds more like the best compromise between safety and security might be Ubuntu but using an alternate desktop, since Unity doesn't look like I would enjoy it at all (both for usability and for privacy reasons).

Can you get an alternate desktop to load by default (instead of having to click the gear icon at login and select the desktop)?

That is easy for me to do, but this machine will mostly be for my wife and mother-in-law, so I am looking for the best balance between security and ease of use. I am sure there must be SOME WAY to set an alternate desktop as the default desktop...

dstiles (Senior Member from GB), 8:37 pm on Feb 24, 2016 (gmt 0):

I was persuaded here some time ago to go for Mint. I'd just upgraded my Ubuntu system (to 12.04, I think) and found it almost unusable. Part of the reason for that was me trying to run it "out of the box" and Ubuntu had suffered so many changes, not all for the good, that I threw in the towel.

Mint 13 has been running well here on 5 machines since then. Ok, Mint 13 is based on Ubuntu 12.04 BUT it has an easier-to-use desktop/interface (in my case Mate). Of those machines, two are desktops used daily for general purposes; one is a laptop (recently upgraded to Mint17.3 for use in a transcription system); one is a local postfix mail server; and the other is a remote online postfix mail server (a virtual m/c running under Windows 12).

I've found all of them work well. I re-boot every six months or so or when an upgrade bulletin recommends it. I subscribe to the Mint RSS feed out of curiosity - it's not much use for real info - and the Ubuntu tech feed so that I know what updates I'm about to install. I've yet to catch Mint lagging behind on software updates.

The Mate interface is so simple to use that I and my brother have had success recommending it to Windows users who had so little trouble converting to it that they have left Windows far behind.

You may be correct about its security but I've seen no sign of it here. Indeed, this is the first time I've seen any mention of it, and I read a couple of security sites every day.

encyclo (Senior Member from CA), 11:46 pm on Feb 24, 2016 (gmt 0):

Ubuntu offers an edition with the Mate desktop by default: [ubuntu-mate.org...] - the default setup closely resembles the old Gnome 2 desktop rather than Mint's Windows-like default. You can change the defaults after installation of course. There is no Ubuntu variant offering the Cinnamon desktop (although you can install it easily enough in any Ubuntu flavor).

There is nothing which directly compares to Linux Mint's positioning of their OS as being the "just works" Linux. Mint includes non-free elements such as MP3/DVD codecs, proprietary graphics drivers, Java, Flash plugins, etc. Major distributions cannot do this as the legality is at best questionable. All of these packages and codecs can be installed by the end-user in Ubuntu or Debian, but they will never be there by default. Also, the entire ethos of the project is aimed at new users who want a stable, hassle-free experience with a traditional-style (Windows-style) desktop. So Mint remains almost unbeatable in the Linux world for ease of use.

On the other hand, the Mint team appear to be overstretched and are considered by some to be ignoring security issues in their distribution. Mint is dependent on Ubuntu repositories for the bulk of their packages, and their additions and accretions may or may not play well with the Ubuntu base packages that Mint does not control (hence the classification and blocking by default of a significant number of security updates to base packages).

Should you abandon Linux Mint? Not necessarily, because it is difficult to find an alternative which is as easy to use. You just have to weigh the arguments about security and try to make an informed decision.

I have used Mint a few times, I found it to be reasonably coherent as Linux distributions go. I mostly used the Mate desktop. I may try Ubuntu Mate next time. (At the moment I'm using Windows 10 on all my machines!)

planet13 (Senior Member), 12:49 am on Feb 25, 2016 (gmt 0):

Thank you both, dstiles and encyclo.

Senior Member from GB, 4:25 am on Feb 25, 2016 (gmt 0):

"Can you get an alternate desktop to load by default (instead of having to click the gear icon at login and select the desktop)?"

On all my machines it is sticky per user, i.e. it remembers each user's last choice of desktop and defaults to that.

"Major distributions cannot do this as the legality is at best questionable."

You could also install a variant that only installs the desktop you want. Any of Ubuntu, Kubuntu, Netrunner (German developed, Kubuntu + codecs preinstalled + more default apps), Xubuntu, Ubuntu MATE may suit you.

The legality of the codecs is a problem in the US, which has broad software patent laws. The Mint developers live in the EU where the laws are not as bad, so they have no problem. There is no legal problem with the graphics drivers as the copyright and patent holders involved have allowed their distribution, Java is now open source, and Flash may also have Adobe's permission.