[–] [deleted] 10 points (+12|-2)
[–] tcp 7 points (+7|-0) (edited)
Well, they put the website back up again after the first attack and got compromised again shortly after. You would think they would have contacted some experts or put up a minimal site so that they could have figured out how they got attacked and prevented it from happening again. That is the most troubling part: the lack of judgement.
[–] Kookus 8 points (+8|-0)
Their site was a flawed design, from the ground up. The methods used by the hacker never would have worked if they'd kept their WP installation up to date. But more than that, they were clearly running a combined front/back-end config, and they had no auditing to speak of. We know the former is true because the hacker was able to change page data as well as upload new ISOs, when the page data should have been isolated on a non-exposed DB back-end, and we know the latter because the hacker apparently first gained access to the site back in January, and any competent level of security auditing would have caught that and stopped this before it became a real problem.
All of this suggests inexperience in site administration; none of it points to any sort of fundamental failure of build philosophy or even a misunderstanding or misapplication of security within the distribution itself. The one has nothing to do with the other unless and until somebody can conclusively prove that the entire Mint OS runs on a poorly-configured WordPress install, set up by the same guy who configured their website.
An argument could be made that the presentation and follow-through suggest a culture that is perhaps not as focused on its public (and public-facing) image, but I think this past weekend will serve as a wake-up call to the people in charge of that aspect of the foundation.