Over the weekend, news broke that Linux Mint’s servers were compromised, and ISO images were replaced by compromised versions with a backdoor. Everything was made public, and Mint responded in the only way they could: disclosure, site taken down.
Sadly, it turns out that Linux Mint has somewhat of a bad name when it comes to security.
To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.
I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.
Let’s hope this issue raises a number of red flags for the Mint team so they can start to take steps to better the situation.
…Mint is awesome-sauce. I keep hearing that all the time here on osnews.
I don’t know about Mint as a whole, but I do really like the Cinnamon DE. It’s clean, fast and just suits my style and tastes real well. Alas, I just tried to install Cinnamon under Ubuntu 15.10 and, well, it doesn’t work too well: https://dl.dropboxusercontent.com/u/11811685/cinnamon.jpg
This is a fresh install, I only installed latest updates and then proceeded to install Cinnamon. Makes me quite sad :/
Looks like you just need to install the right icon set, or change your icons in the settings. It seems like they just need to set the dependencies properly on the cinnamon package and all would be well.
Do notice how e.g. the file-manager has rendering-issues, too.
Ubuntu generally doesn’t play well with installing DEs other than the one your release came with. It takes a ton of tweaking by their respective teams to get Kubuntu/Xubuntu/Lubuntu/Ubuntu Mate looking and performing well before release, and trying to install any other DE after the fact on any of those will be full of gotchas.
You may want to look at Cubuntu, though it’s an unofficial Ubuntu derivative so may have unforeseen bugs and issues compared to Ubuntu proper. Still, it’s probably the best way to try out Cinnamon apart from Mint itself (which is obviously not a good idea until they sort all this out).
I run Cinnamon without any problems on openSUSE. You may need to switch to a different icon theme, but there are no hard dependencies on Mint.
Edited 2016-02-22 19:34 UTC
Nonsense. Mainline ubuntu works just fine with other DEs. I have a couple of 14.04 LTS machines running the latest KDE and Cinnamon without a problem.
It’s super easy too: add the PPA, update, install the specific DE, go on with your merry life…
Interesting, I’ve had issues with several “aftermarket” DEs on Ubuntu over the years. Granted, I don’t run Ubuntu daily, I only fuss with it when there’s a new release just to see what it can do, so I’m sure I’m not aware of the proper arcane incantations necessary to bend it to my will. It’s just not worth the effort when the official derivatives (Xubuntu, Kubuntu etc.) do such a great job.
In my experience, it literally takes 3 commands to install the latest KDE, XFE, and Cinnamon. I’m currently running the latest Cinnamon on a 14.04 LTS machine. Installing it was IMO a painless and straightforward process.
Things are about to get weird….
yeah, I don’t know about you guys, but I thought from looking at the website that mint is a flaky operation run by one guy.
cinnamon is nice, and you can install that on a substantial distro like debian, so just do that instead
It’s just a distro for the few vocal Ubuntu haters.
I remember hearing something similar about Arch’s attitude toward security (it being lacklustre) and haven’t had time to do the research to conclusively confirm or deny it.
That’s why I’ve stayed on Lubuntu so long since switching off Gentoo when I botched something and needed a working system FAST.
Edited 2016-02-22 12:09 UTC
Guess I won’t be recommending Mint to anyone anymore…
I’m frankly starting to run out of stuff to recommend to people who don’t have the patience to actually learn how the system works (I just recommend Gentoo to people who do have such patience).
Currently I find Fedora to fit this purpose pretty well.
That really depends on what you’re recommending it for though. I generally don’t recommend Fedora on two specific grounds:
1. One of the big selling points for many people I’ve introduced to Linux is that updates are so much faster than on Windows, and you don’t always have to reboot to complete them. Fedora pretty much nukes both arguments. Yum/DNF have a horribly inefficient dependency solver. This means that calculating upgrades takes way longer than it should, and also uses a significant amount of system resources. This is fine for a server system that only gets upgraded during scheduled downtime, but it’s horrible for a desktop where people expect to be able to use the system for other things while upgrades are happening. Also, it’s not all that infrequent from what I’ve seen that the whole system needs to go down to finish upgrading things (because of how interdependent everything is).
2. Under the hood, Fedora is extremely limiting when it comes to choices. They support nothing other than systemd. They have limited choices for building custom kernels due to the large number of patches they have. They make it particularly difficult to switch desktop environments (this is usually difficult, but due to their packaging, it’s a lot trickier on Fedora and many other RPM-based distros than it is on something like Gentoo). They make it somewhat difficult to deal with third-party drivers (though they do a much better job of handling such things than many distros, largely because it’s a common target for out-of-tree module developers due to the similarity to RHEL and CentOS). This is actually a common issue I have with a majority of Linux distributions other than Fedora (including Ubuntu), and Mint was one of the last ones that I knew of other than Arch that isn’t source based and did a decent job of minimizing this issue.
Fedora does indeed currently only support the systemd init.
In general, Fedora seems to ship with some tens of kernel patches. I think this is fairly decent as far as distros of similar scope go. The patches are supposed to mostly address bugs that have not yet been fixed upstream. E.g. ARM hardware support is limited in some cases by the requirement to keep the kernel close to mainline.
I usually run an unpatched vanilla kernel and have not noticed the ones in fedora to cause problems with that.
Agreed… Fedora doesn’t *require* reboots any more than any other distro. They just recommend it in the graphical updater, because for non-technical users, it’s the easiest way to ensure all the updated services get restarted properly.
Personally, I just use “dnf update” whenever the UI notifies me of updates, and make a call on rebooting when I see what’s coming in.
Recently installed a fresh copy of Fedora 23 Server onto my desktop box and then just:
# dnf group install “Cinnamon Desktop”
# systemctl set-default graphical.target
I haven’t seen anything broken for the last week.
Now considering wiping Mint from my notebook too.
So Mint had their servers compromised and bad ISOs released – this is bad. They may also have issues with how they package binaries – not good. But I’m failing to see a cause and effect here.
The summary is not entirely accurate. The ISO images were not replaced. A single link to one ISO image (the Cinnamon edition of Mint 17.3) was replaced so people would download an infected ISO from the attacker’s server. People who used direct links or torrents to download the ISO images were not affected.
The whole thing seems overblown. Lots of open source projects have had their servers compromised over the years. FreeBSD, Fedora, Debian… In each case the issue is usually identified right away (as it was with Mint), the problem fixed and we all go back to normal. The whole “the sky is falling” wave of posts and articles is just pointless fear mongering.
Yes, having a project’s website hacked is bad, but very few people were affected, the situation was resolved quickly and the fix is easy. This should not be a big deal.
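Since the attack described above worked by pointing the download link at a different file rather than by altering the real ISO, the practical defence on the user’s side is to check the downloaded image against the published checksum before booting or installing it. The following shell script is an added example, not code from the original page or from the Linux Mint project; the file names, the hash values and the “genuine” and “tampered” contents are constructed stand-ins for a real ISO. It assumes only `sha256sum` and `cut` from coreutils are available.

```shell
#!/bin/sh
# Added example: refuse to use an ISO whose SHA-256 does not match the
# expected value. A swapped download link yields a different file and
# therefore a different hash. Caveat: a checksum copied from the same
# (possibly compromised) web page proves nothing; the sums file must be
# verified with a signature (e.g. gpg --verify) made by a key obtained
# out of band. That signature step needs a real key and is not shown here.

# verify_iso FILE EXPECTED_SHA256
# Returns 0 when the file's SHA-256 matches EXPECTED_SHA256, 1 otherwise.
verify_iso() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    else
        echo "MISMATCH: $file" >&2
        echo "  expected $expected" >&2
        echo "  got      $actual" >&2
        return 1
    fi
}

# Demonstration with constructed files standing in for the ISO image.
demo() {
    tmp=$(mktemp -d)
    # "Genuine" image: hash it once to simulate the published sums file.
    printf 'genuine iso bytes\n' > "$tmp/linuxmint.iso"
    published=$(sha256sum "$tmp/linuxmint.iso" | cut -d' ' -f1)
    verify_iso "$tmp/linuxmint.iso" "$published"
    # Attacker-served image: same file name, different contents.
    printf 'genuine iso bytes plus backdoor\n' > "$tmp/linuxmint.iso"
    verify_iso "$tmp/linuxmint.iso" "$published" || echo "refusing tampered ISO"
    rm -rf "$tmp"
}

demo
```

The check is only as trustworthy as the source of the expected hash: treat the sums file as part of the download, verify its signature against a key you already had, and only then compare the hash.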
Ideally no, it shouldn’t be a big deal once it’s fixed. However, it has inevitably damaged Mint’s reputation for security and trust, and they will have to work hard to regain that trust. That’s just the way the world works, and no amount of wishing will change people’s minds.
I see it from a more positive side; this has caused an obviously needed shakeup at Mint and hopefully they will come out of this more secure and more trustworthy than before.
Besides, it didn’t take long for the projects you mentioned to bounce back from their own gaffes; this should be no different.
Edited 2016-02-22 14:22 UTC
Consider both Fedora and Debian were breached in the past, but they now have a decent reputation.
IIRC, those were more serious incidents, with the attackers compromising the build system (at the time of the Fedora incident I was a contributor and we all had to change our passwords) not a mere attack on the website.
Where’s that amazing security open source is magically supposed to give us?
Points to the Mint team for full disclosure. I wish all teams, and companies, would do as well. However I think this proves that the automatic answer of a lot of commenters here of “open source it all!” isn’t magically going to make anything better. Security is security, whether it’s open or proprietary and one is no more intrinsically secure than the other.
In the closet where strawmen are stored?
Linux Mint is one of the most user-friendly desktop distros and it sad to hear of any failure, build, security or otherwise that might put users off. There are so many fragmented versions of linux and so many internecine detractors that divert users from home-grown linux and straight into the arms of Apple and Microsoft.
Edited 2016-02-22 15:54 UTC
*HOW* this happened is really important.
Yes we can say that the impact was “so so”, “not major”, or we may say that websites should expect to be hacked, or we may say that they finally published a blog about all the drama so they’ve nothing to hide.
But that all misses key points:
1. How did this happen? Technically. Was it a sophisticated attack, or a junior attack against which there should have been basic protections?
2. How do we know this won’t happen again?
3. What was the handling? What was the sequence of events? Was there a delay in finding out? Delay in acting? Delay in isolating the suspected systems? What forensics was done (or just basic log review)? What did they find out, if anything?
4. How do they know that the impact “was not so massive”? What reason do we have to believe such statements?
5. Aside from the technical mechanics of the attack, what culture (processes) were in place? Who is responsible for the website which people are asked to trust? What monitoring happens? Who is alerted and what happens? What were the lessons learned from this incident? .. in 2016 websites really shouldn’t be hackable.
Are the various comments online true about the Linux Mint devs not really focussing on security, e.g. advisories?
project_2501,
That someone changed the ISO download link is not good; hopefully Mint will up its defenses. That said, realistically hacks can and do happen even to the best of us. It wasn’t too long ago that RSA security keyfobs used to protect Fortune 500 companies were breached, and enterprise security is their job! Anyone who thinks they are 100% secure is 100% naive!
The hack is newsworthy, but the other criticisms mostly sound like someone with an axe to grind blowing things out of proportion. Mint doesn’t publish upstream CVEs because they piggyback off of Ubuntu packages for almost everything, including security updates. When a vulnerability comes up, it will be fixed at the exact moment that Ubuntu fixes it in their repo. Not before, and not after.
Consider this: it is very likely that Mint’s security would be much *much* worse if they attempted to do their own packages. Without tons of resources, attempting to do security patches for tens of thousands of packages in-house would be an unmitigated disaster… my 2 cents.
As much as I like the Mint philosophy and the overall attention they put in listening to users with their design, on this I can’t do anything but say “I warned you”.
People around here often complain about how certain proprietary desktop systems are fundamentally insecure/untrustable and designed to spy on you. But IMHO this proves that unless you really know in detail how your OS and software is built, you can’t really trust other open alternatives like this either – especially if they have this kind of popularity/user base and draw an equal amount of attention to them (more popularity => a larger userbase to attack).
With that being said, I hope the Mint team is able to tackle the issue appropriately… And a few more people have become better acquainted on the combined notions of “Operating System” and “Security”.
This reinforces exactly why I run Gentoo on all my personal systems, and make a point to regularly audit _everything_, including doing penetration testing and simulating all manner of hardware failure modes.
While I appreciate your initiative trying to come up with your own FUD. It’s gibberish. Perhaps you’re even more out of your depth than usual.
Edited 2016-02-22 22:35 UTC
I was in fact expecting your comeback as the perfect OSS zealot/troll of sorts. Thanks for showing up and helping out as a representative of the average OSAlert reader of recent times!
Ditto.
…said angrily the doofus who keeps typing http://www.osnews.com, on his browser’s address bar, and expects to read http://www.windowscentral.com
LOL
It’s amusing to see that the child in you feels the need to strike back every time, like you were in a kindergarten quarrel… On the other hand, it’s sad to ascertain that your misinformation does equal your arrogance – you should have quoted Neowin (which I don’t read) as a true MS-fanboy site.
But don’t worry, keep waiting. Some day somebody will build up http://www.linusasskissers.com for you and your upvoting friends…
LOL.
.. but enough about yourself.
This all seems to be knee-jerk and sensationalist.
Let’s wait for the dust to settle and see how they got hacked. Was it something a novice hacker could have pulled off or something that took a bunch of resources? Time will tell.
I run Mint and discovered the Mint servers were missing when I tried to do a search on Amazon through the Firefox search box. Apparently Amazon searches go through the Mint servers first and since the Mint servers were down this stopped the searches from working with the browser message: UNABLE TO CONNECT To http://redir.linuxmint.com/amazon…
While I appreciate Mint needs to make referral money, this shows that there are costs to having an unnecessary server dependency.
As of 1:30 pm EST Monday Feb 22, this search still doesn’t work.
Mint was a lot better than the Remastersys distros that followed from Ubuntu if we go back a good few years ago.
It’s always better to keep to distros that are backed by large companies, because you are more likely to have professional devs putting it together rather than talented amateurs.
I’m quite aware of all the technical reasoning that has been given over the last day about why Mint is bad, but as stated before, this is not the first server from an open source project that has been hacked and it will not be the last. And yes, I understand that the way the distribution is built could be done in another, better way. But then again, they are not alone. There are several software packages that, when I take a closer look at the source code, make me very very sad. But then again they seem to work. There are too many remarks that seem to indicate some jealousy about the success of Mint is behind these remarks. I also read that Mint users are a bit “too stupid” to take security seriously. Please stop feeling good in the Linux niche/comfort zone and take less technical users into consideration too. Go on like this and within 10 years you will be asking yourself why Linux still hasn’t made it to the desktop (if there still is a desktop). Let us stop pointing at each other and be a real Linux “community” where you have experts, would-be experts and yes, also fools.
Edited 2016-02-22 19:59 UTC
Ever since Mint created Cinnamon, mostly all I’ve ever read is praise for the distribution. Now that Mint has stumbled, I’m kinda’ amazed by all the vitriol. Talk about kicking a man when they’re down. It’s as if all the Mint Trolls got a get-out-of-jail-free card and Sauron took the One Ring from Frodo. I’ve never read so much pent-up Mint/distro bashing. Wow.
Yes, I’ve felt all the praise most of the time was over the top, but indeed, this amount of negativity is also unwarranted, and moreover, unhelpful. Rather offer some constructive criticism, rather than to kick a project when it’s down, that’s downright disheartening and discouraging.
That’s the thing with pendulums; a lot of the praise was starting to err on the delusional, eventually expectations and reality say ‘hi’ to each other, and then then things swing the other way towards irrational negativity.
Not at all true. People have been complaining about the complete disregard for security coming out of the Linux Mint camp for _years_. Remember this?
http://www.omgubuntu.co.uk/2013/11/canonical-dev-dont-use-linux-min…
What really happened, is because of Windows 8 and Windows 10, there have been a _lot_ of new Linux users since 2013. They have been recommended to try Linux Mint, and then starting aping their positive experience to others.
The current backlash against the Mint team is that they are either so incompetent that they do not know the full extent of their server compromise, or they are outright lying to their users when they claim that only ISO downloads for two days this weekend were affected. We know from independent sources (https://twitter.com/ChunkrGames/status/688346150622081024) that Linux Mint website information was for sale the day after Christmas. That’s two months ago. It’s very likely that the site was compromised before that.
If I was a Linux Mint user, I would be wiping my install and changing all of my passwords once I got set up on the other side with another distribution.
TL;DR – Linux Mint exposed their users, then lied to them about it, and shouldn’t be trusted.
Cinnamon is by far the nicest Linux desktop to me at the moment. I understand that nowadays I can also use it from a pure Debian distribution. Wonder how much I miss if I just go upstream.
I tested cinnamon on debian and it worked fine.
what you miss from mint are all the little quality of life tweaks that every custom distro has… which you enjoy while you have them… and you don’t miss when you lose them
Come on Thom, that 3rd link is to a comment on a news headline article. Not much of a source.
The ZDNet article of the second link purports to be a scoop from the actual perp. It seems more like a product placement ad for a “breach notification site” to me.
Regardless, I would not download any software from Bulgaria.
We are all at risk right where our router plugs into our ISP. It’s getting time to put more resources into the firewall. Good topic for an article.
Does anyone know how many downloads of the bad ISO there were?
An Ars Technica article is here: http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-i…
The initial response from the Mint team was quite good: disclosure + closing down the site. The follow-up is disappointing: malware-infected ISOs were distributed via the official Mint site. Nothing less than closing down until after the recommendations of a security audit are implemented is satisfactory imo.
Edited 2016-02-25 09:58 UTC
This is not completely correct. The link on their site was altered to point to a corrupted ISO located on servers in Bulgaria. The “real” ISOs were not tampered with. The “hacking” was done by using a vulnerability in the WordPress engine. WordPress is the CMS used for the Linux Mint website. So I don’t fully understand why you ask for a complete security audit.
If you went to the official Linux Mint website and clicked on the download links provided there, you got the infected ISOs. Regardless of how that was achieved, that is a big security failure (Why was WordPress used? Was it configured properly?). They clearly need some outside experts to check whether there are some other holes in their security – hence the audit.
Edit: typos
Edited 2016-02-25 16:52 UTC