If you downloaded Mint Cinnamon today (for versions of "today" that include February 20th, 2016) you should immediately check the MD5 checksum. Blog entry here.
From Clem:
We were exposed to an intrusion today. It was brief and it shouldn't impact many people, but if it impacts you, it's very important you read the information below.
Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.
As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition.
If you downloaded another release or another edition, this does not affect you. If you downloaded via torrents or via a direct HTTP link, this doesn't affect you either.
Finally, the situation happened today, so it should only impact people who downloaded this edition on February 20th.
Apparently the hacked ISOs are hosted on 5.104.175.212 and the backdoor connects to absentvodka.com. Both lead to Sofia, Bulgaria, and the names of 3 people over there.
The comment thread suggests that the ISOs are showing up in other places, and that the Mint site may still not be entirely secure.
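As an added example (not code from Linux Mint or from anyone in this thread), here is what "check the checksum" looks like when done properly: hash the downloaded ISO locally, compare it against the entry for that file in a coreutils-style checksum list, and, separately, refuse to trust the list at all unless its detached GPG signature verifies. The file names `sha256sum.txt` and `sha256sum.txt.gpg` and the digests in the sample list are assumptions for illustration; the digests shown are for the literal bytes `b"abc"`, not for any real ISO.

```python
"""Verify a downloaded ISO against a checksum list in the coreutils
`sha256sum`/`md5sum` output format ("<hex digest>  <filename>" per line).

Added example, not Linux Mint project code. The names sha256sum.txt and
sha256sum.txt.gpg are assumed; the sample digests are constructed."""
import hashlib
import hmac
import os
import subprocess
import tempfile
from pathlib import Path

# Constructed sample checksum list. The first digest is sha256(b"abc");
# the second is a placeholder, not a real ISO hash.
SAMPLE_CHECKSUMS = """\
# sha256 digests, coreutils format
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  linuxmint-17.3-cinnamon-64bit.iso
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef *linuxmint-17.3-mate-64bit.iso
"""


def parse_checksum_list(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest.

    Tolerates blank lines, '#' comments and the '*' binary-mode marker that
    md5sum/sha256sum emit on some platforms."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if not name or not digest:
            raise ValueError(f"malformed checksum line: {raw!r}")
        table[name] = digest.lower()
    return table


def file_digest(path, algorithm: str = "sha256", chunk: int = 1 << 20) -> str:
    """Stream the file through hashlib so multi-GB ISOs do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def iso_matches(path, checksums: dict[str, str], algorithm: str = "sha256") -> bool:
    """True only if the file is listed AND its digest equals the listed one."""
    expected = checksums.get(Path(path).name)
    if expected is None:
        return False  # an unlisted file is not 'verified', it is unknown
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def checksum_list_is_signed(list_path, sig_path, keyring=None) -> bool:
    """True only if gpg accepts the detached signature on the checksum list.

    Assumes gpg is installed and the distribution's signing key is already in
    the keyring (obtained out of band, not from the download page). A checksum
    list served by the same site that serves the ISO proves nothing by itself."""
    cmd = ["gpg", "--verify"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", str(keyring)]
    cmd += [str(sig_path), str(list_path)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def demo() -> dict:
    """Self-contained run: a 'clean' file, a tampered file, and an unlisted file."""
    checksums = parse_checksum_list(SAMPLE_CHECKSUMS)
    workdir = tempfile.mkdtemp()
    iso = os.path.join(workdir, "linuxmint-17.3-cinnamon-64bit.iso")
    with open(iso, "wb") as fh:
        fh.write(b"abc")                       # constructed stand-in for the ISO
    result = {
        "sha256": file_digest(iso),
        "md5": file_digest(iso, "md5"),
        "clean_ok": iso_matches(iso, checksums),
    }
    with open(iso, "wb") as fh:
        fh.write(b"abcd")                      # one extra byte: 'backdoored' image
    result["tampered_ok"] = iso_matches(iso, checksums)
    result["unlisted_ok"] = iso_matches(os.path.join(workdir, "other.iso"), checksums)
    return result


if __name__ == "__main__":
    print(demo())
```

The signature step is the one the comment thread is really about: the digest comparison only tells you the file you have is the file the list describes, and if the list came from the defaced page it describes the backdoored ISO just as faithfully.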
(Score: 3, Interesting) by darkfeline on Monday February 22 2016, @01:10AM
So ultimately, the problem is that no one verifies the signatures.
Join the SDF Public Access UNIX System today!
(Score: 2) by frojack on Monday February 22 2016, @01:58AM
I doubt that is the case, and I doubt that had anything to do with the current topic.

Personally, I don't fly to Germany to do an in-person verification of openSUSE pgp keys, so my key list remains in the "valid but untrusted" category. The web of trust that the openSUSE signing keys have is extensive, and I import all the keys for those who have signed the openSUSE keys. But clearly I don't import all the keys of those who signed openSUSE's signing keys. I only go one level deep.

I've signed a few people's keys over the years, and had them sign mine. But the web of trust is a worldwide thing which is pretty difficult to establish with complete certainty.

To the best of my knowledge, there is no "Kevin Bacon" tool to determine if there is a trusted link from me to any random developer I communicate with. (Good idea for a smartphone app.)
No, you are mistaken. I've always had this sig.
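The "Kevin Bacon" question in the comment above is a shortest-path search over a certification graph, and the "one level deep" and "valid but untrusted" remarks are two different cuts of the same graph. The following is an added example, not code from GnuPG or from anyone in this thread: a constructed signature graph with made-up key labels (no real key IDs), a breadth-first search for the shortest certification chain from my key to a target key, the set of keys within N hops, and a simplified version of the classic GnuPG validity rule (a key is valid if I signed it or a valid key of a fully trusted introducer signed it). The trust-model function is a deliberate simplification labelled as such; real GnuPG also has marginal trust and required-signature counts.

```python
"""Certification-path tooling over a web-of-trust graph.

Added example, not GnuPG code. SIGNATURES is a constructed graph with
placeholder key names; the validity rule is a simplification of GnuPG's
classic trust model (full ownertrust only, no marginals)."""
from collections import deque

# signer -> set of keys that signer has certified (constructed sample data)
SIGNATURES = {
    "ME": {"ALICE", "BOB"},
    "ALICE": {"DISTRO-SIGNING"},
    "BOB": {"CAROL"},
    "CAROL": {"ALICE", "DAVE"},
    "DAVE": {"BOB"},            # cycle back into the graph
    "DISTRO-SIGNING": set(),
    "LONER": set(),             # nobody in my graph has certified this key
}


def certification_path(graph, start, target, max_depth=5):
    """Shortest chain of certifications start -> ... -> target via BFS.

    Returns the path as a list, or None if target is not reachable within
    max_depth certifications. Cycles are handled by the visited map."""
    if start == target:
        return [start]
    parents = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if depth == max_depth:
            continue
        for nxt in sorted(graph.get(node, ())):   # sorted: deterministic paths
            if nxt in parents:
                continue
            parents[nxt] = node
            if nxt == target:
                path = [nxt]
                while parents[path[-1]] is not None:
                    path.append(parents[path[-1]])
                return path[::-1]
            queue.append((nxt, depth + 1))
    return None


def reachable_within(graph, start, depth):
    """Keys whose owners are at most `depth` certifications away from start.

    depth=1 is the 'I only import keys of those who signed X' situation."""
    seen = {start}
    frontier = {start}
    for _ in range(depth):
        frontier = {n for k in frontier for n in graph.get(k, ()) if n not in seen}
        seen |= frontier
    return seen - {start}


def valid_keys(graph, me, trusted_introducers):
    """Simplified GnuPG classic rule: a key is valid if `me` certified it, or
    if it was certified by a key that is itself valid and whose owner is in
    trusted_introducers (full ownertrust). Keys that are merely reachable by
    a signature chain but fail this rule are the 'valid but untrusted' case."""
    valid = set(graph.get(me, ()))
    changed = True
    while changed:
        changed = False
        for signer in list(valid):
            if signer not in trusted_introducers:
                continue
            for key in graph.get(signer, ()):
                if key not in valid:
                    valid.add(key)
                    changed = True
    return valid


if __name__ == "__main__":
    print(certification_path(SIGNATURES, "ME", "DISTRO-SIGNING"))
    print(sorted(reachable_within(SIGNATURES, "ME", 1)))
    print(sorted(valid_keys(SIGNATURES, "ME", {"ALICE"})))
```

With the sample graph, DISTRO-SIGNING is two hops from ME through ALICE, so it is reachable but only becomes valid once ALICE is marked as a trusted introducer; DAVE is reachable in three hops but never becomes valid unless both BOB and CAROL are trusted. That gap between "there is a path" and "the path is trusted" is exactly why the comment's key list sits in the "valid but untrusted" bucket.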