
posted by martyb on Monday February 29 2016, @03:14AM
from the older-and-wiser dept.

Clem Lefebvre, the honcho at Linux Mint, commented in some forum threads on February 24 regarding what they were doing for several days while the site was offline.

You're now [behind] HTTPS [at the forum] (that doesn't protect against the kind of attacks we went through, but it helps if you're hacked locally)

[...] We're also behind a global [firewall] and we've got new friends at Sucuri.net who scan our server for malware.

This phpbb is also version 3.1, so you'll see a few differences and some new features compared to the previous forums.

...and later in the day

- The firewall filters a lot of bandwidth and saves a lot of processing dedicated to the constant pounding of DDOS, malware, poking, and all the bad stuff that bots send continuously over the internet. That means less work for the server [which is why it's faster for you now].

[...] The phpbb team reached out to us during the attacks to see how they could help. I asked about updates vs customizations. [Fancy theming is] not a priority right now,

It appears there were things they already had on their list and getting pwned kicked that stuff into gear.

Previous: Mint Cinnamon ISOs Hacked


  • (Score: 0) by Anonymous Coward on Monday February 29 2016, @03:15AM

    by Anonymous Coward on Monday February 29 2016, @03:15AM (#311415)

    lol

  • (Score: -1, Offtopic) by Anonymous Coward on Monday February 29 2016, @03:24AM

    by Anonymous Coward on Monday February 29 2016, @03:24AM (#311419)

    Tails Linux 2.2 Adds libdvdcss2 For Viewing Protected DVDs

    So with this addition:

    https://tails.boum.org/news/test_2.2-rc1/index.en.html#index2h1 [boum.org]
    https://archive.is/KhhEe [archive.is]

    "Add support for viewing DRM protected DVD videos using libdvdcss2. Patch series submitted by Austin English (Closes: #7674)[1]"

    [1] https://labs.riseup.net/code/issues/7674 [riseup.net]
            https://archive.is/hXgYe [archive.is]

    Is it now ILLEGAL to use Tails in the United States?

    • (Score: 0) by Anonymous Coward on Monday February 29 2016, @02:13PM

      by Anonymous Coward on Monday February 29 2016, @02:13PM (#311581)

      It is illegal to use Tails to view CSS-encoded DVDs in the United States. Previously it was both illegal and inconvenient. If you're running Tails but not watching DVDs, the change doesn't make you a criminal.

  • (Score: 2, Interesting) by Anonymous Coward on Monday February 29 2016, @03:28AM

    by Anonymous Coward on Monday February 29 2016, @03:28AM (#311420)

    they can't use GPG to sign their releases and host the public key & signatures via HTTPS?

    granted, most people are stupid and won't verify these but many are suddenly starting to become interested.

    and fuck md5 + sha1, I recommend using sha512 AND whirlpool checksums, hosted via HTTPS of course.

    it's not that fucking difficult, mint devs, just try it.
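
Added example, not part of the comment above and not Linux Mint's code: checking a downloaded image against a `sha512sum`-format list, as the comment recommends. It assumes the list itself was already authenticated (for instance by verifying a GPG signature over it, which is not done here); the file names and sample bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sums(text):
    """Parse sha512sum-style lines: '<digest>  <name>' or '<digest> *<name>'."""
    sums = {}
    for line in text.splitlines():
        digest, sep, rest = line.strip().partition(" ")
        digest = digest.lower()
        # Skip blanks, comments and anything that is not a 128-hex-char digest.
        if not sep or len(digest) != 128 or set(digest) - set("0123456789abcdef"):
            continue
        # One mode character follows the separator: ' ' (text) or '*' (binary).
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        sums[name] = digest
    return sums


def sha512_of(path, chunk=1 << 20):
    """Hash the file in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, sums_text):
    """Return 'ok', 'mismatch', or 'unlisted' for the file at `path`."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # a file missing from the list is not a pass
    return "ok" if hmac.compare_digest(sha512_of(path), expected) else "mismatch"


if __name__ == "__main__":
    # Constructed sample: a small stand-in file and a matching sums line.
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "example.iso")  # hypothetical file name
        with open(image, "wb") as f:
            f.write(b"constructed image bytes")
        sums = sha512_of(image) + " *example.iso\n"
        print(verify(image, sums))
        with open(image, "ab") as f:
            f.write(b"tampered")
        print(verify(image, sums))
```

A checksum list fetched from the same server as the image only detects corruption; it says nothing about tampering unless the list is authenticated through a separate trust path.
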

    • (Score: 0) by Anonymous Coward on Monday February 29 2016, @05:41AM

      by Anonymous Coward on Monday February 29 2016, @05:41AM (#311449)

      They need to switch to Gamemaker for true quality and security.

    • (Score: 5, Insightful) by tonyPick on Monday February 29 2016, @02:05PM

      by tonyPick (1237) on Monday February 29 2016, @02:05PM (#311580)

      it's not that fucking difficult, mint devs, just try it

      Really? It seems there's a lot of "The lazy fools" horror floating around this story, but the Mint team got a single direct download link redirected for one day via a WordPress bug, took everything down as soon as they realised the extent of the issue and shouted about it from the rooftops to alert the users. Hopefully they'll learn a lesson and be smarter in the future, but you think this is somehow a shocking lapse of security?

      For comparison just last week I'm reading that Nissan's Connected Car App didn't authenticate at all, and you could control other people's LEAF cars with it, and Nissan left it up & running until last week even after having this gaping hole pointed out to them in January.

      Hell, just a couple of stories down I'm reading about multiple ransomware attacks on hospitals, and the total clusterfuck that is medical device security. Now that is something to get angry about.

      But the fact a volunteer project didn't do quite as well as it might providing validating checksums that most folks won't use anyway? That isn't even the worst security issue posted on Soylent. On Sunday the 28th. Afternoon. By martyb.

  • (Score: 0) by Anonymous Coward on Monday February 29 2016, @05:32AM

    by Anonymous Coward on Monday February 29 2016, @05:32AM (#311444)

    Some blog posts by Clem:

    Mint's WordPress problems [linuxmint.com]

    We found an uploaded php backdoor in the theme directory of a wordpress installation, which was 1 day old and had no plugins running. The theme was new but most importantly I think we had lax file permissions on this.

    All the software the Linux Mint site was using was outdated [linuxmint.com]

    Our phpbb version was outdated. We were also contacted by the PHPBB team after they learnt of the attacks to see if they could help us in any way.

    .
    Softpedia says
    Linux Mint Forum Database Compromised for at Least a Month Before Announcement [softpedia.com]

    It turns out that they were warned about this breach on January 16 when Pieter Vlasblom left a tweet for them with an image to prove it. They didn't respond, and on February 21 the Linux Mint team was revealing the existence of hacked ISOs.

    There is a good possibility that they simply don't check their Twitter account all that often and they just didn't see the warning. In any case, it looks like the forum breach, at least, happened a while back, leaving the users exposed for more than a month.

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 3, Interesting) by Runaway1956 on Monday February 29 2016, @06:31AM

      by Runaway1956 (2926) on Monday February 29 2016, @06:31AM (#311459)

      Lax security. Things that make you go "hmmmmm". If no one cares very much about security on the site, maybe they aren't very focused on security in their OS.

      Don't get me wrong, I actually like Mint Debian Edition. I've run it, and not had problems with it. But, something like this makes me think that running Debian directly might be safer.

      But, this is common throughout the computing world anyway. A lot of people demand convenience and speed, and are willing to neglect security in their quest for fast and easy. That has always been a common theme on Microsoft OS's - maintain backward compatibility, make things easy, at the cost of security. Ehhhh - Maybe the Mint team has learned a lesson that will stick.

      --
      Abortion is the number one killed of children in the United States.
      • (Score: 0) by Anonymous Coward on Monday February 29 2016, @08:09AM

        by Anonymous Coward on Monday February 29 2016, @08:09AM (#311471)

        neglect security in their quest for fast and easy

        My impression is that Clem isn't willing to delegate|call in a specialist|spend money when he's clearly out of his depth.
        Maybe it's as simple as him trying to wear too many hats at once.

        Maybe the Mint team has learned a lesson that will stick.

        Hope so. {Fingers crossed}

        -- OriginalOwner_ [soylentnews.org]