[–] [deleted] 2 points 10 points 12 points (+12|-2) ago
[–] tcp 0 points 7 points 7 points (+7|-0) ago (edited ago)
Well, they put the website back up again after the first attack and got compromised again shortly after. You would think they would have contacted some experts or put up a minimal site so that they could have figured out how they got attacked and prevent it from happening again. That is the most troubling part: the lack of judgement.
[–] Kookus 0 points 8 points 8 points (+8|-0) ago
Their site was a flawed design, from the ground-up. The methods used by the hacker never would have worked if they'd kept their WP installation up to date. But more than that, they were clearly running a combined front/back-end config, and they had no auditing to speak of. We know the former is true because the hacker was able to change page data as well as upload new ISOs, when the page data should have been isolated on a non-exposed DB back-end, and we know the latter because the hacker apparently first gained access to the site back in January, and any competent level of security auditing would have caught that and stopped this before it became a real problem.
All of this suggests inexperience in site administration; none of it points to any sort of fundamental failure of build philosophy or even a misunderstanding or misapplication of security within the distribution itself. The one has nothing to do with the other unless and until somebody can conclusively prove that the entire Mint OS runs on a poorly-configured WordPress install, set up by the same guy who configured their website.
An argument could be made that the presentation and follow-through suggest a culture that is perhaps not as focused on its public (and public-facing) image, but I think this past weekend will serve as a wake-up call to the people in charge of that aspect of the foundation.
[–] CatInTheHat 0 points 1 point 1 point (+1|-0) ago
That's a pretty common problem with most distros and open source projects, especially hobby and smaller projects.
[–] 4390089? 0 points 1 point 1 point (+1|-0) ago
Being a professional developer means admitting that your code sucks. It is the only way to develop better code.
Your web site being hacked does not mean that your Linux is bad, but it indeed does expose a problem in the quality of the code. Who is going to check that your source code is not compromised now? They have the passwords of the forum; who knows whether the developer uses the same login name and password on the release build servers?
[–] HoocOtt 0 points 4 points 4 points (+4|-0) ago
The actual security issues seem pretty minor to me, namely the switching of the ISOs and the forum info. First, with the ISO, it was caught very quickly, and you should be checking the checksum anyway. Second, the forums seem minor as well. What personal info do people put on their forum account? If it is any, you should rethink how you interact with social media in general.
One thing I think is going on is that Mint has accrued lots of enemies. By just being successful, all the other distros (and their advocates and user bases) are of course envious. Specifically, Mint is eating Ubuntu's lunch. Also, I am sure that forking GNOME and lots of GNOME applications with Cinnamon has made more than a few enemies. Then there is the elephant in the room: Microsoft Windows 10. Lots of businesses and consumers are taking a good hard look at Linux, and any faltering of any distribution will be latched onto by the Microsoft mafia.
I think there are more than a few people and articles which, when they saw weakness, took out the long knives and started flinging shit.
This hit piece, I think, is one of those articles.
The red hand of guilt can be found with this:
Linux Mint has the somewhat peculiar design decision of not updating the kernel using the graphical update manager.
This is not a security problem but a criticism of the distribution's desktop. Plenty of distros update the kernel from the command line.
The fact that this is snuck in there is telling in regard to the writer's motivation for why he wrote this hit piece.
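The checksum check HoocOtt mentions, as a small added example that is not part of this thread: a POSIX shell function that verifies a downloaded ISO against a SHA256SUMS file. File names and contents here are constructed; note that a sums file fetched from the same server as the ISO only detects download corruption, so it should come from a separately trusted source.

```shell
#!/bin/sh
# verify_iso <iso> <SHA256SUMS>
# Exit codes: 0 = match, 2 = ISO not listed in sums file, 3 = hash mismatch, 4 = usage error.
verify_iso() {
    iso="$1"; sums="$2"
    [ -f "$iso" ] && [ -f "$sums" ] || { echo "usage: verify_iso <iso> <SHA256SUMS>" >&2; return 4; }
    name=$(basename "$iso")
    # Sums lines look like "<64 hex chars>  <filename>"; the filename may carry a
    # leading '*' (binary mode). Take the first entry whose name matches the ISO.
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums" | head -n 1)
    if [ -z "$expected" ]; then
        echo "$name: not listed in $sums" >&2; return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "$name: MISMATCH expected=$expected actual=$actual" >&2; return 3
    fi
    echo "$name: OK"
    return 0
}
```

A non-zero return means the image must not be used, and a mismatch against a sums file obtained out of band is the signal that the download itself was substituted.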
[–] CatInTheHat 0 points 1 point 1 point (+1|-0) ago
Not updating the kernel from the graphical interface could be a security issue for the non-technically-savvy users that Mint attracts. If these non-savvy users never get a kernel update, that leaves them open to vulnerabilities in old kernels. The GUI updater should probably update after whatever amount of time and testing is needed to make sure it doesn't break everything. I have never used Mint, so I might be completely off base with how their updaters work.
[–] DownloadedYourCar 0 points 2 points 2 points (+2|-0) ago (edited ago)
Setting it to do level 1-5 updates, which I as a novice several years ago was able to figure out fairly easily, just allows the same updates as Ubuntu but without the kernel updates, though the kernel headers still come through to inform you that a new kernel is available.
From there you just click on "Linux Kernels" in the Update Manager and it gives you an easy-to-understand list of kernels, indicating which ones are installed and which one is loaded. Then you just click on the new one you want and click install. Not as simple as Ubuntu, which just does it all at once, but it's not a cryptic thing to do.
If these non-savvy users never get a kernel update, that leaves them open to vulnerabilities in old kernels.
True, it's not ideal.
[–] Dopefish [S] 0 points 7 points 7 points (+7|-0) ago
I have to say, this article details an interesting perspective on the entire desktop Linux ecosystem being affected by vanity distros, if you will.