
posted by cmn32480 on Sunday February 21 2016, @03:16PM
from the ruh-roh dept.

If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016), you should immediately check the MD5 checksum. The blog entry is linked here.

From Clem:

We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.

If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.

Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.

Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there.

The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
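The check the story asks readers to make, as an added example (not code from the story or the Mint project): parse an md5sum-style list, hash the downloaded image in chunks and compare; the file name and image bytes are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins for the ~1.5 GB images; the exact bytes do not matter.
ISO_NAME = "linuxmint-17.3-cinnamon-64bit.iso"
GENUINE_ISO = b"constructed sample image bytes, not a real ISO\n" * 64
TAMPERED_ISO = GENUINE_ISO + b"any modification at all"


def parse_sums(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if name.startswith("*"):        # md5sum marks binary mode with '*'
            name = name[1:]
        expected[name] = digest.lower()
    return expected


def verify_iso(path, sums_text, algo="md5"):
    """True only if the file is listed in the sums and its digest matches."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:            # unlisted file is a failure, not a pass
        return False
    h = hashlib.new(algo)
    with open(path, "rb") as f:     # stream; never load a whole ISO into RAM
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def demo():
    """Write the genuine and tampered images to a temp dir and check both
    against a sums file computed from the genuine one."""
    sums_text = f"{hashlib.md5(GENUINE_ISO).hexdigest()}  {ISO_NAME}\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ISO_NAME)
        with open(path, "wb") as f:
            f.write(GENUINE_ISO)
        genuine_ok = verify_iso(path, sums_text)
        with open(path, "wb") as f:
            f.write(TAMPERED_ISO)
        tampered_ok = verify_iso(path, sums_text)
    return genuine_ok, tampered_ok   # (True, False)
```

A checksum copied from the same web page that was altered only detects corruption, not substitution; a signature over the sums file, checked against a key obtained elsewhere, is what ties the list to the publisher.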


  • (Score: 3, Insightful) by Pino P on Sunday February 21 2016, @05:46PM

    by Pino P (4721) on Sunday February 21 2016, @05:46PM (#307803) Journal

    This is why fans of Authenticode-style code signing claim that a secure channel (such as HTTPS) isn't enough, that each software publisher needs to obtain a certificate from a commercial certificate authority and keep it current.

  • (Score: 3, Insightful) by maxwell demon on Sunday February 21 2016, @07:49PM

    by maxwell demon (1608) Subscriber Badge on Sunday February 21 2016, @07:49PM (#307837) Journal

    This is why fans of Authenticode-style code signing claim that a secure channel (such as HTTPS) isn't enough, that each software publisher needs to obtain a certificate from a commercial certificate authority and keep it current.

    Yeah sure, because money makes the key so much more secure.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by Pino P on Monday February 22 2016, @09:31PM

      by Pino P (4721) on Monday February 22 2016, @09:31PM (#308365) Journal

      Money does not make the key itself more secure. It is believed to make the assertion of the identity of the key's holder more secure.

  • (Score: 0) by Anonymous Coward on Sunday February 21 2016, @08:02PM

    by Anonymous Coward on Sunday February 21 2016, @08:02PM (#307842)

    You mean security theatre companies claim that if you only bought their product, you'd be safe?

    I did not see that one coming.

    • (Score: 4, Insightful) by Dunbal on Sunday February 21 2016, @08:37PM

      by Dunbal (3515) on Sunday February 21 2016, @08:37PM (#307856)

      No, you'd FEEL safe, which is different.

  • (Score: 4, Informative) by frojack on Sunday February 21 2016, @08:21PM

    by frojack (1554) Subscriber Badge on Sunday February 21 2016, @08:21PM (#307850) Journal

    The thing is, the actual mint ISOs were in fact all signed, and were not compromised.

    The hackers created NEW ISOs, hosted on their own website which were compromised.

    The only scary part here is that Mint's web server which contains links to the download server was hacked and links to the rogue server inserted. The hackers were never able to compromise the actual Mint repository server, but apparently the web server wasn't as well protected.

    Code signing wouldn't have prevented this in any way.

    What is alarming is that they had poor security on their web servers. As far as I know that hasn't been explained yet.

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by frojack on Sunday February 21 2016, @08:49PM

      by frojack (1554) Subscriber Badge on Sunday February 21 2016, @08:49PM (#307862) Journal

      According to Clem, the breach was made via WordPress. From there they got a www-data shell. From there they made changes to the web page containing the URLs for the download server.

      So third party crapware running with excessive privileges defeats Linux security once again. It's not like it's the first time WordPress has been the source of such problems.

      --
      No, you are mistaken. I've always had this sig.
    • (Score: 3, Interesting) by darkfeline on Monday February 22 2016, @01:10AM

      by darkfeline (1030) on Monday February 22 2016, @01:10AM (#307943) Homepage

      So ultimately, the problem is that no one verifies the signatures.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 2) by frojack on Monday February 22 2016, @01:58AM

        by frojack (1554) Subscriber Badge on Monday February 22 2016, @01:58AM (#307956) Journal

        I doubt that is the case, and I doubt that had anything to do with the current topic.

        Personally, I don't fly to Germany to do an in-person verification of openSUSE pgp keys, so my key list remains in the "valid but untrusted" category. The web of trust that the openSUSE signing keys have is extensive, and I import all the keys for those who have signed the openSUSE keys.

        But clearly I don't import all the keys of those who signed openSUSE's signing keys. I only go one level deep.

        I've signed a few people's keys over the years, and had them sign mine. But the web of trust is a worldwide thing which is pretty difficult to establish with complete certainty.

        To the best of my knowledge, there is no "Kevin Bacon" tool to determine if there is a trusted link from me to any random developer I communicate with. (Good idea for a smartphone app.)

        --
        No, you are mistaken. I've always had this sig.
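The "Kevin Bacon" tool frojack describes, as an added example that is not part of the thread: a breadth-first search over a key-signature graph that returns the shortest certification chain from one key to another, with an optional hop limit matching the "one level deep" practice above. The graph and key names are constructed placeholders, not real key IDs; a chain of signatures shows who vouched for whom, and you still have to decide how much to trust each signer on it.

```python
from collections import deque

# Constructed key-signature graph: signer -> keys that signer has certified.
# Names are placeholders, not real fingerprints or people.
SIGNATURES = {
    "ME": {"ALICE", "BOB"},
    "ALICE": {"DISTRO_SIGNING_KEY", "CAROL"},
    "BOB": {"ALICE"},
    "CAROL": {"DISTRO_SIGNING_KEY"},
    "DISTRO_SIGNING_KEY": {"RELEASE_KEY"},
    "RELEASE_KEY": set(),
    "STRANGER": {"MALLORY"},      # certified by nobody reachable from ME
}


def trust_path(sigs, start, target, max_depth=None):
    """Shortest chain start -> ... -> target where each hop 'A -> B' means
    A's key signed B's key. Returns None if no chain exists within
    max_depth hops (None = unlimited). BFS makes the first hit a shortest one."""
    if start == target:
        return [start]
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_depth is not None and depth >= max_depth:
            continue                  # do not expand beyond the hop limit
        for nxt in sorted(sigs.get(node, ())):   # sorted for a stable path
            if nxt in parent:
                continue
            parent[nxt] = node
            if nxt == target:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append((nxt, depth + 1))
    return None


def reachable_keys(sigs, start, max_depth):
    """Every key within max_depth certification hops of start (start excluded)."""
    seen, frontier = {start}, {start}
    for _ in range(max_depth):
        frontier = {n for k in frontier for n in sigs.get(k, ())} - seen
        seen |= frontier
    return seen - {start}
```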