If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016) you should immediately check the MD5 checksum. Blog Entry here.
From Clem:
We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the name of 3 people over there.
The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
(Score: 0) by Anonymous Coward on Sunday February 21 2016, @08:33PM
Regarding that OS which comes pre-installed on a large number of computers:
Did that OS ever start to ship with a mechanism to assure that downloads aren't a broken pile of bits or a purposely-altered rogue file?
...or is every added executable that its users download and run still unverified--i.e. a potential explosive satchel?
Back in the DOS days, I remember that the magazine that included text listings of executables included a checksum so that when you typed it in you could verify that you hadn't made a mistake.
I noticed that that sort of checking disappeared when Redmond's newer GUIware OS appeared.
When I started tinkering with Linux, I noticed that checksum verification was standard practice again.
...and trying to read Mint's forum yesterday evening was disappointing (Connection interrupted).
I had to go to Google and get their caches of Mint's pages.
There was a similar experience a few weeks back when they made changes to the site and didn't do sufficient testing before going live.
It seems that Clem and the guys need to brush up on site maintenance|security.
-- OriginalOwner_ [soylentnews.org]
(Score: 5, Insightful) by Lunix Nutcase on Sunday February 21 2016, @09:34PM
Did that OS ever start to ship with a mechanism to assure that downloads aren't a broken pile of bits or a purposely-altered rogue file?
Yeah, it's called code signing. Welcome to more than a decade ago.
...or is every added executable that its users download and run still unverified--i.e. a potential explosive satchel?
Nope, when the source can't be confirmed (because the executable isn't signed) it pops up asking if you really want to run it.
Back in the DOS days, I remember
Because that has any relevance to today.
(Score: 0) by Anonymous Coward on Monday February 22 2016, @03:44AM
code signing
That's a step in the right direction.
Apparently, it's Redmond that does the signing.
I'm guessing there is a monetary charge for that.
Must be nice--when you're on the right end of the racket.
A checksum sounds easier and cheaper.
more than a decade ago
Better late than never, I guess.
I had bailed on That Other OS by then, apparently.
the executable isn't signed
...because the dev wasn't willing to pay M$'s danegeld, one assumes.
A simple checksum would solve that situation.
any relevance
The topic was verifying the validity of an executable.
Being able to do that over 3 decades ago is absolutely on-topic.
Being able to do it at zero cost and with zero latency is quite relevant.
-- OriginalOwner_ [soylentnews.org]
(Score: 2) by Pino P on Monday February 22 2016, @10:29PM
A checksum sounds easier and cheaper.
Who signs the checksum?
(Score: 0) by Anonymous Coward on Monday February 22 2016, @10:58PM
The packager signs the checksum, obviously.
(It would be good if he didn't get his site pwned.)
-- OriginalOwner_ [soylentnews.org]
(Score: 2) by Pino P on Monday February 29 2016, @04:29PM
If the packager signs the checksum, who signs the packager's public key? That's all Authenticode is: a checksum encrypted with the publisher's private key, plus a certificate asserting that the corresponding public key belongs to the publisher.
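The point this exchange arrives at, that a checksum only helps if something the download site cannot alter vouches for it, shown as an added example (not part of the thread and not Linux Mint's own tooling). It checks a detached signature on the checksum list against a keyring obtained independently of the site, and only then compares hashes. The file names and keyring path are assumptions, and it uses SHA-256 rather than the MD5 mentioned in the summary.

```shell
#!/bin/sh
# Added example. File names and the keyring path are assumptions.

# Print the hash that checksum list $1 records for file name $2 (or nothing).
listed_hash() {
    # List lines look like "<hex>  name" (text mode) or "<hex> *name" (binary).
    awk -v want="$(basename "$2")" '{
        h = $1
        sub(/^[0-9A-Fa-f]+ [ *]/, "")          # strip hash and separator
        if ($0 == want) { print tolower(h); exit }
    }' "$1"
}

# usage: check_listed_hash <file> <checksum-list>
# returns 0 = match, 1 = mismatch, 2 = file not in the list
check_listed_hash() {
    want=$(listed_hash "$2" "$1")
    [ -n "$want" ] || { echo "not listed: $1" >&2; return 2; }
    have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo "HASH MISMATCH: $1" >&2; return 1; }
    return 0
}

# usage: verify_download <iso> <checksum-list> <detached-sig> <keyring>
# <keyring> is a binary export (gpg --export) of the packager's public key,
# given as a path containing a slash and fetched before, or separately from,
# the download itself. A list served by the same compromised site proves
# nothing on its own: whoever swapped the ISO can swap the list too.
verify_download() {
    # 1. The list must carry a valid signature from a key in OUR keyring.
    gpgv --keyring "$4" "$3" "$2" || { echo "bad signature on $2" >&2; return 3; }
    # 2. Only now is the listed hash worth comparing against.
    check_listed_hash "$1" "$2"
}

# Run directly: ./verify.sh mint.iso sha256sum.txt sha256sum.txt.gpg ./mint.gpg
if [ "$#" -eq 4 ]; then verify_download "$@"; fi
```
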
(Score: 0, Funny) by Anonymous Coward on Monday February 22 2016, @12:22AM
It seems that Clem and the guys need to brush up on site maintenance|security.
Security has never been a priority for the mouth-breathers at Linux Mint, or the yokels who use it.
It has always been an easy to install not-Windows. That's it.
A few years ago, it was discovered that the Mint team was purposely withholding upstream security patches because it would be too difficult to apply them. What the actual fuck.
Mint is like the Palemoon browser, a bunch of amateurs who wouldn't have a product if they couldn't leech from upstream contributors and then change the logo. I certainly do not trust them with my data.