Linux Mint servers hacked


    Yesterday there was a hack of the Mint servers, replacing the link to their latest Cinnamon ISO with one infected with the Tsunami IRC bot.

    http://news.softpedia.com/news/linux...s-500719.shtml

    #2
    Am I naïve to think that those of us who check the md5sum of ISOs would have been warned of this?

    Regards, John Little

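    An added example, not from this thread or from the Mint project, of what a download check has to include before a matching hash means anything. The script assumes a checksum file in `sha256sum` output format (one "<hash>  <name>" line per ISO), an optional detached GPG signature over that file, and a keyring into which the distribution's release key was imported beforehand from a source other than the download page; the file and key names below are placeholders. The point it makes: an unsigned hash published beside the download link is controlled by the same party who controls the link, so the hash comparison alone cannot catch a swapped ISO; the signature check on the checksum file is what ties the hash to the publisher.

```shell
#!/bin/sh
# Verify a downloaded ISO in two steps:
#   1. check the signature on the checksum file against a release key obtained out of band,
#   2. only then compare the ISO's SHA-256 with the entry in that file.
# Exit codes: 0 = OK, 1 = hash mismatch, 2 = bad or unverifiable signature, 3 = no entry for the ISO.

sha256_of() {
  # Portable SHA-256: GNU coreutils sha256sum, or BSD/macOS shasum
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# expected_hash SUMSFILE NAME: print the hash recorded for NAME.
# Accepts both "hash  name" and "hash *name" (binary-mode marker) lines.
expected_hash() {
  awk -v f="$2" '{ n = $2; sub(/^\*/, "", n); if (n == f) print $1 }' "$1"
}

# verify_iso ISO SUMSFILE [SIGFILE KEYRING]
verify_iso() {
  iso="$1"; sums="$2"; sig="$3"; keyring="$4"
  if [ -n "$sig" ]; then
    # Keyring is assumed to contain only the release key (placeholder path); gpg's exit
    # status reports signature validity. A missing gpg binary also lands here: fail closed.
    if ! gpg --no-default-keyring --keyring "$keyring" --verify "$sig" "$sums" >/dev/null 2>&1; then
      echo "BAD SIGNATURE on $sums: do not trust the hashes in it" >&2
      return 2
    fi
  else
    echo "WARNING: $sums is unsigned; it is only as trustworthy as the page it came from" >&2
  fi
  want=$(expected_hash "$sums" "$(basename "$iso")")
  [ -n "$want" ] || { echo "no entry for $(basename "$iso") in $sums" >&2; return 3; }
  have=$(sha256_of "$iso")
  if [ "$have" = "$want" ]; then
    echo "OK: $iso matches $sums"
    return 0
  fi
  echo "MISMATCH: $iso does not match $sums" >&2
  return 1
}
```

Usage: `verify_iso linuxmint-17.3-cinnamon-64bit.iso sha256sum.txt sha256sum.txt.gpg release-key.gpg`. Run without the last two arguments the script still compares hashes, but it warns, because in that mode a checksum file regenerated by whoever replaced the ISO will pass.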


      #3
      The LinuxMint 17.3 Cinnamon ISO download file was discovered to be hacked yesterday. The break-in is discussed in the link below. Clem is being very candid. The bad guys from Sofia, Bulgaria, used WordPress to break in twice. After the first break-in was discovered, Clem thought he had closed the hole yesterday, but at 2:29 AM last night he was informed by a user that the 64-bit Cinnamon ISO was still compromised, meaning the bad guys had broken in again. Following that news he took LinuxMint.com offline. As of 5:38 PM CST it is still offline. When sleuthing the break-in back to its source, Clem discovered that the three guys involved had a 32-bit version of Cinnamon ready to upload but didn't get to do it. He's informed the authorities.

      The LinuxMint forum is, IMO, very klutzy to use, unlike the vBulletin forum software used by KubuntuForums.net. Here we click the link to subscribed threads to see a date-sorted list of subscribed threads that we can respond to. Then we can click Today's Posts to see the new posts. Then we can mark the forums read, ready to start over the next time we log in. Our forum is, IMO, much cleaner and easier to use than the one based on WordPress.

      Anyway, here is the link where Clem discusses the break-in with users:

      http://blog.linuxmint.com/?p=2994

      EDIT: There are over 4,000 known WordPress vulnerabilities:
      https://wpvulndb.com/

      EDIT:EDIT: The softpedia article demonstrates that the bad guys were real amateurs. So, apparently it does not take a genius coder to break into a WordPress site.
      Last edited by GreyGeek; Feb 21, 2016, 06:36 PM.
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.



        #4
        No, especially if there are lax directory permissions, as Clem did mention. I'd suspect an iffy plugin or theme, but this was supposedly a fresh, hours-new install with no addons other than the theme. And yes, WordPress has vulnerabilities, like any PHP-based stuff does. But the 4000 bugs is akin to listing all vulnerabilities in, say, Ubuntu plus all of those in all software available in the repos, for a number of releases.

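        An added example, not from this thread or from the Mint team, of the kind of check behind the "lax directory permissions" remark above: a quick audit of a web root for the two permission mistakes that turn a web-application bug into a persistent foothold (anything writable by "other", where a PHP code-execution bug lets anyone drop a web shell, and a database-credential file readable by every local account), plus the corresponding hardening step. The web root path is a placeholder; the 755/644 split and a private `wp-config.php` assume the files are owned by the account the web server runs as, otherwise use 640 with the web server's group rather than 600.

```shell
#!/bin/sh
# audit_webroot ROOT: list risky permissions under a web root.
# Return value is the number of findings, so 0 means clean.
audit_webroot() {
  root="$1"
  findings=0
  # Anything world-writable: a local user or a compromised service can plant files there.
  ww=$(find "$root" ! -type l -perm -0002)
  if [ -n "$ww" ]; then
    printf 'world-writable:\n%s\n' "$ww"
    findings=$((findings + $(printf '%s\n' "$ww" | wc -l)))
  fi
  # The config file holds the database password; "other" must not be able to read it.
  cfg=$(find "$root" -name 'wp-config.php' -perm -0004)
  if [ -n "$cfg" ]; then
    printf 'world-readable config:\n%s\n' "$cfg"
    findings=$((findings + $(printf '%s\n' "$cfg" | wc -l)))
  fi
  return "$findings"
}

# harden_webroot ROOT: directories 755, files 644, config readable by its owner only.
# Assumes the owner is the web server's account (placeholder assumption for this example).
harden_webroot() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}
```

Run `audit_webroot /var/www/html` after an install and again after every plugin or theme update; a non-zero return is a finding count, so it drops straight into a cron job or a deploy check.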


          #5
          I was wondering why their site is down

          Registered Linux User 545823



            #6
            Originally posted by claydoh View Post
            No, especially if there are lax directory permissions, as Clem did mention. I'd suspect an iffy plugin or theme, but this was supposedly a fresh, hours-new install with no addons other than the theme. And yes, WordPress has vulnerabilities, like any PHP-based stuff does. But the 4000 bugs is akin to listing all vulnerabilities in, say, Ubuntu plus all of those in all software available in the repos, for a number of releases.
            As per usual, let's blame someone else for our stupidity, "upMint"
            https://news.ycombinator.com/item?id=11143162



              #7
              Originally posted by Danum View Post
              As per usual, let's blame someone else for our stupidity, "upMint"
              https://news.ycombinator.com/item?id=11143162
              Interesting link. Someone named "ryanlol" commented:

              ryanlol 1 day ago

              I think calling softpedia "press" is an insult to every real journalist. The fact that they're calling the bot "tsunami" just proves their incompetence. The bot isn't called tsunami, it's called kaiten and it's been open source for more than a decade.
              https://packetstormsecurity.com/file.../kaiten.c.html
              They also managed to confuse FTP and HTTP
              >the hackers have only altered the man.cy [https://gist.github.com/Oweoqi/31239851e5b84dbba894] file, where they've added a new function called tsunami.
              Doesn't look like they just added a new function called tsunami to me.
              >Selling the forum's database for a meager $85 is a sign of their lack of vision. The group seems to have mishandled the entire hack, opting to distribute a silly IRC DDoS bot instead of more dangerous and lucrative malware like Bitcoin miners or banking trojans.
              Stupid speculation by writer.
              Linux Mint remains compromised despite the current events, it's rather unlikely that kaiten is used as a DDoS bot instead of just a stager to execute shell commands on the affected computers. The presence of DoS commands is meaningless, the only reason kaiten is still used today is because it runs everywhere so it seems fair to assume that that'd be why the attacker opted to just use it instead of writing their own. (No real benefit to that here)
              Also, bitcoin mining stopped being lucrative ages ago.
              edit: >One person seems to have bought the hackers' files and dumped the forum's config file on Hacker News discussions thread.
              I neither bought nor sold the data

              ...


              ryanlol 1 day ago

              But that wasn't the point, the point was to expose the level of stupidity at play here. I strongly believe the users deserve to know just how incompetent these guys are, because next time it won't be some idiot swapping the ISO links. It'll be someone slightly more competent that pushes a backdoored commit or gets into the apt repos, and then _every_ _single_ user will be affected...
              Also, at the time of the posting the site was down. And it remains so.
              Last edited by GreyGeek; Feb 22, 2016, 04:24 PM.



                #8
                Interesting post on the LinuxMint Blog this evening:
                http://blog.linuxmint.com/?p=3001#comments

                Yro Says:
                February 22nd, 2016 at 11:36 pm
                Hi all, Clem. Please allow this comment.

                We are targeting the attackers. They are (at least) 4 people from 2 countries. As a preliminary statement, they all have some talking with Canonical and a group from IRC called something like “DmgUx” (something related to that).
                Our preliminary investigations point us to the idea that they are doing some kind of “job” for other Linux competitors and all is pointing that there are some other attacks coming next on other distros out there.

                At least there are 3 distros/partners to consider getting attacked this month: BlueSystems, Suse and SteamOS (but this one I highly doubt they will do something) … I don't know if it's for sure, but it's for consideration..
                The point of the LinuxMint attack is for bad marketing purposes. With LinuxMint getting hacked, Mint will lose members, customers and, maybe, partners. That's the case here and the only objective of this attack. No matter what people claim on the internet, that's the fact.

                The guy on Facebook (someone posted a picture) is just an a$$hole trying to get some attention and he is not related to this attack (not directly). The interview on ZDNET is fake (at least not the real deal with one of the real attackers).
                It's time for Linux to concentrate efforts on isolating itself from other distros and backers such as Canonical, and invest in infrastructure to release a new website with more security and reliability. WordPress is a mess and a great meal for attackers. Consider pure HTML5, pure own development in PHP, or keep getting in trouble for the near future.

                My understanding is that this attack will not make Mint's reputation fade away nor make it a bad deal for new users. But it's an alert for others too.

                It's not that Linux is open that it has no attention from others. And the big problem lies with the neighbors: derivatives, competitors in this little market that desktop Linux is, and the own team working with bad intentions, as it is on LinuxMint (my guess). There is one guy sending some data from Linux to others (again, only an assumption based on some data collected here and there). Keep one eye on it, just in case..
                I'm working (every now and then) on a team of good people who like to solve puzzles and make chaos in the bad people's heads…



                  #9
                  Yeah, it took 60 comments to get to the conspiracy stuff, LOL!

                  As usual, the comment has zero percent useful info and zero sourcing. Even we casual conspiracy theorists need some tidbit to go on; "I read it on the internet" is not quite enough.


                  Let's face it, people from script kiddies to pros constantly probe the entire web for vulnerabilities and holes. This just reminds us of this fact.
                  People can argue about what software was used, and how crappy it may or may not be, but it all boils down to expertise and time when you have your own servers.



                    #10
                    Aaaaand time for popcorn......https://lwn.net/Articles/676664/

                    Though lwn is full of anti-user, anti-popular sentiment
                    Last edited by claydoh; Feb 23, 2016, 12:08 AM.



                      #11
                      Originally posted by claydoh View Post
                      Aaaaand time for popcorn......https://lwn.net/Articles/676664/

                      Though lwn is full of anti-user, anti-popular sentiment
                      Full of it indeed. I read the entire thread following the article and it was nothing more or less than a battle of egos and disinformation. Packages with security or other problems are in category five, highlighted in red. The user is free to choose to install them or not.

                      Debian doesn't install Adobe and libdss because of licensing issues? CD-ROM drives aren't even included on new laptops, and even though my five-year-old laptop has a DVD/CD-ROM drive, it has been almost that long since I watched a movie with it. DVRs, USBs and such have kicked the plastic discs to the curb. I've watched more movies on this iPhone 6+ in the last year than I ever watched in total on my CD-ROM drive.

                      What I read in that article was professional jealousy being expressed. Mint is probably more popular than Debian and Ubuntu combined, and once you install it you'll know why. The licensing issue is bogus anyway. EVERY distro I've used or tried in the last ten years, including Debian, Fedora, openSUSE, Arch, Kaos, and others include the ability to easily add repositories that contain "non-free" apps, proprietary codecs, etc.

                      The last time I checked, the Ubuntu forum had about 350 posts per day, causing any question you'd post to pass quickly out of the response window. Kubuntu averages 50-75 new posts per day, which gives noobs a better chance of getting a solution to their question. I've noticed that the LinuxMint forum averages around 700 new questions per day, +- 50. The OS detail page on DistroWatch shows "Ubuntu" as the Linux distribution with the largest percentage of a named distro, but Mint is probably accounting for more than half of that 3%. The unknown Linux distribution accounts for 41% of Linux visitors to DistroWatch.

                      It's all a bunch of hot air. All the major distros have had their sites and/or repositories hacked or compromised, and there are occasional announcements of a CVE that affects a version of one of their distro components. The Mint site hack and distro is no different. The hacker's claim is that "hundreds" of downloads on Feb 20th are pwnd and now part of their botnet. Total nonsense, of course. If "hundreds" were pwnd then thousands must have been downloaded on that single day, from that single Bulgarian website. And the majority are unaware? Ludicrous. Considering that few distro users download and install but then never visit the distro website again, I suspect that by now the only box containing a copy of the hacked ISO is the Bulgarian server.

                      As usual, the weakest security component is the user, not the distro or an app. I used Windows for 25 years and never got a single announced infection (there were many vectors MS kept secret that may have been on my machine, which is why I never did financial stuff on Windows). I have never gotten an infection on any of my Linux installs, either, since 1998. I try to be a careful user on either platform. Don't use Flash or Java and don't visit pron sites or download or view pron and you'll avoid 99.99% of all malware.



                        #12
                        The lwn writer does highlight some of the reasons I do not care for Mint in general, though the points, IMO, are not overly serious for the intent and intended user base.



                          #13
                          Having experienced Mint KDE 17.3 for nearly two months I find his criticisms off target or flat wrong. Security updates, for example. Synaptic has a level 5 kernel-dev package security update this afternoon. So far, from the KDE desktop I cannot tell the difference between my Kubuntu experience and my Mint experience.



                            #14
                            The LinuxMint forum is back online. They have dropped WordPress and procured the services of sucuri.net. I don't know what level of service they purchased, but Clem has offloaded the management of their servers and forum. The new forum software, phpBB, is much better than WordPress but, IMO, not as good as what KubuntuForums.net uses, vBulletin.
                            Last edited by GreyGeek; Feb 24, 2016, 03:56 PM.



                              #15
                              They are still using WordPress as the blogging software, the actual site software looks to be the same, and phpBB is the same. They have just added a security company to assist. Hopefully they are getting good advice and assistance on configuring their servers better.
