Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: bakedjake
Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
Hacker explains how he put "backdoor" in hundreds of Linux Mint downloads
After a detailed conversation, the hacker explained how the multilayered attack was carried out.
Peace was "just poking around" the site in January when they found a vulnerability granting unauthorized access. (The hacker also said they had the credentials to log in to the site's admin panel as Lefebvre, but was reluctant to explain how in case it proved useful again.) On Saturday, the hacker replaced one of the 64-bit Linux distribution images (ISO) with one that was modified by adding a backdoor, and later decided to "replace all mirrors" for every downloadable version of Linux on the site with a modified version of their own
But the best way to get users to download the backdoored version was by changing the checksum -- used to verify the integrity of a file -- on the website with the checksum of the backdoored version.
What is the point of putting the checksum on the same site as the download ISO?
Are they saying that Mint is any worse security-wise than the other debian / ubuntu based distros?
Well, Linux Mint is generally very bad when it comes to security and quality.
First of all, they don't issue any Security Advisories, so their users cannot - unlike users of most other mainstream distributions  - quickly lookup whether they are affected by a certain CVE.
Secondly, they are mixing their own binary packages with binary packages from Debian and Ubuntu without rebuilding the latter. This creates something that we in Debian call a "FrankenDebian" which results in system updates becoming unpredictable . With the result, that the Mint developers simply decided to blacklist certain packages from upgrades by default thus putting their users at risk because important security updates may not be installed.
Thirdly, while they import packages from Ubuntu or Debian, they hi-jack package and binary names by re-using existing names. For example, they called their fork of gdm2 "mdm" which supposedly means "Mint Display Manager". However, the problem is that there already is a package "mdm" in Debian which are "Utilities for single-host parallel shell scripting". Thus, on Mint, the original "mdm" package cannot be installed.
To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.
I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.
Can you get an alternate desktop to load by default (instead of having to click the gear icon at login and select the desktop)?
Major distributions cannot do this as the legality is at best questionable.