
Linux Mint has bigger problems


OrbingStorm


On February 20th, a hacker working under the handle "Peace" took control of the website of Linux Mint, a popular Linux distribution derived from Ubuntu (and Debian) targeted toward non-technical users and power users unhappy with modern desktop environments like GNOME 3, KDE Plasma 5, and Unity 7. The hacker replaced the download link for Linux Mint with one which contained a backdoor called Tsunami, an attack which put "several hundred" systems with a fresh installation of Linux Mint in the hacker's control, according to an interview with ZDNet's Zack Whittaker.

The same hacker gained control of the Linux Mint user forum, grabbing copies of the entire database twice, copies of which are now for sale on a dark web marketplace for 0.197 bitcoin ($85) per download. The user forum, which was powered by phpBB, used PHPass to hash passwords, which is possible to crack. At the time of this writing, the forum remains down while the main Linux Mint website was reinstated and compromised again shortly thereafter.

While these attacks are regrettable, and part of an infrastructure problem rather than a problem with the distribution itself, it increasingly appears that the Linux Mint team, led by project leader Clement Lefebvre, is spread too thin when it comes to security.

The problem with security in Linux Mint

The architectural design of Linux Mint inherits a great deal from its upstream sources Debian and Ubuntu (which is itself based upon Debian). Unfortunately, it lacks any sort of security advisories—Linux Mint evangelists insist that referring to the Ubuntu or Debian advisories is sufficient. Not every package in Linux Mint is available in Ubuntu or Debian, and this argument is further complicated by the fact that updates that work perfectly in Ubuntu or Debian are blacklisted by the Linux Mint team due to compatibility issues.

Linux Mint has the somewhat peculiar design decision of not updating the kernel using the graphical update manager. Users must run apt-get dist-upgrade in a terminal in order to receive updates, when users of Ubuntu receive the same kernel updates automatically. This leaves users vulnerable to potential root exploits and hardware issues. Additionally, there is an issue with shifting release cadences—with version 17, the underlying base moved from standard releases to Long-Term Support (LTS) releases of Ubuntu. Consequently, the packages incorporated are older, on average, than in previous releases, and if blacklisted are both old and insecure.

What exactly constitutes a 'Linux distribution?'

Linux Mint, when considered as the sum of its parts, is the Cinnamon desktop environment (DE), mintTools (software installer, update manager, backup tool, welcome screen, etc.) and GNOME extensions built on top of an LTS version of Ubuntu. The repositories contain packages compiled for Ubuntu, without modification or recompilation. As outlined above, security patches and updates that work perfectly in Debian and Ubuntu are blacklisted as needed to not break under Mint—the only differentiation Mint provides is Cinnamon, thereby breaking security so that it "just works."

This is not a Linux distribution and this is completely backwards from the way things are supposed to work. The code produced and value added by the Linux Mint team is in Cinnamon, which is available as a default DE in properly designed distributions such as Debian, Fedora, and openSUSE—all of which have security advisories. The task of maintaining and securing it is not a trivial task, and it requires more infrastructure and resources than the Linux Mint team possesses. Creating a pseudo-fork of an existing distribution to showcase a DE, while blacklisting updates—some of which are security updates—because it interferes with the DE is staggeringly irresponsible and tantamount to security malpractice.

The troubling trend of desktop showcase distributions

This is not an isolated issue. Elementary OS is a similar Ubuntu fork that exists as a showcase of the Pantheon desktop environment. Either from being more focused as a single distribution (Linux Mint has spins for MATE, KDE, and Xfce, as well as an alternate distribution based directly on Debian, rather than Ubuntu), better packaging policies, or lower user base, it has fewer structural issues than Linux Mint. However, it still lacks a dedicated security advisory system.

The Solus Project exists as a minimalist, desktop-only OS to showcase the Budgie desktop, though this does not rely on any other distribution as an upstream source. It has a unique packaging system for apps, and has a much smaller repository of apps available presently. It has a better claim than Linux Mint and Elementary OS do for justifying the creation of an entire, separate OS, though it lacks a dedicated security advisory system—hopefully, that will grow with the project as it matures. Budgie is officially available from the project developers for Fedora and openSUSE users, and a community-supported AUR for Arch users is also available.

A troubling conclusion

Linux distributions as pet projects or showcases of a particular technology should not be advertised as stable, secure, production-ready operating systems. The multitude of Linux distributions that are functionally technical demonstrations, advertised as stable, and exist as a hobbyist project make the entire ecosystem look unprofessional. The attack against Mint is troubling due to the impression that it is the most popular Linux distribution based on websites that track clicks like Distrowatch.

The problem with this scenario is that the fault lies with practically everyone. The impetus for the creation of Cinnamon, and the rise of Mint's popularity, is due to the poor reception of early versions of GNOME 3, KDE 5, and Ubuntu Unity. Generally speaking, these were pushed to end-users well before they were ready for primetime, thereby driving users away. For a time, Linux Mint "just worked" in a way that other distributions struggled to do. Fortunately, reforms such as Fedora.next, and the maturation of the new generation of DEs have largely brought stability and sanity back to the desktop.

Source here  http://www.techrepublic.com/article/why-the-linux-mint-hack-is-an-indicator-of-a-larger-problem/

 


Too many variants of various Linux distros. People should stick with the original distro of Debian since even Ubuntu is known to have security problems. The best distro of Linux ever is Slackware but it isn't something for newbies. At least it can be secured.



The biggest problem with Linux is the community has no sense of unity. Most are backstabbers. Most all the members in so-and-so distro slam other distros, when Red Hat, Debian and Ubuntu were all hacked years ago. They're jealous of the success Mint has had at drawing in noobs from Windows. Linux Mint has been around since 2006 and this is the first time anything like this has happened, so what other rubbish the other distros write is just uncalled for. Most of the time when something happens it causes the admins to wake up and get much better security. Already Linux Mint is back online with a much more secure forum than they had. Give them time, I say; they will become one of the most secure Linux out there :)



They aren't just talking about the website hack; the distro is not secure and has not been tested by the developers, nor have they published any of their own security advisories, instead relying on those published for Debian or Ubuntu which may not even be applicable to Mint, and not publishing their own that may not be applicable to Debian or Ubuntu because the code has changed. You may not like to hear that, but defending a ripped off OS that doesn't invest in the necessary security audits is insanity.



2 hours ago, straycat19 said:

They aren't just talking about the website hack; the distro is not secure and has not been tested by the developers, nor have they published any of their own security advisories, instead relying on those published for Debian or Ubuntu which may not even be applicable to Mint, and not publishing their own that may not be applicable to Debian or Ubuntu because the code has changed. You may not like to hear that, but defending a ripped off OS that doesn't invest in the necessary security audits is insanity.

That's because all patches for Mint are from Ubuntu 14.04 LTS (Trusty Tahr) or Debian Jessie. If you want to see security advisories, look at the changelog on the updater or go to Ubuntu and Debian. All Mint really is is an unofficial Ubuntu, and they have the same patches. What happened to them has nothing to do with how it's made; the reason they were hacked was because they were using an outdated WordPress site. :)

This is a ploy by the distros that have big companies involved with Linux, for distros to gain ground over Mint, which they want because most distros don't appeal to Windows users like Mint does. All it's going to do is cause Windows users to stay with Windows. The reason only 1% use it is because there's no team effort or unity; instead of them helping each other out like they should, they fight with each other.

I have a record of what they patch, so they must have one too, and they patch a whole lot, and I can go to Ubuntu or look on the updater and see what they're for.

There are many distros that use patches from other distros; even Ubuntu gets most of their stuff from Debian. If there were only distros that did their own updates, there would only be a handful of distros; big companies would love that, it would be easier for them to control. They already changed it to where at the Linux Foundation only big companies have a vote.

Your answer to Windows security in another post is to do no updates at all, and you're going to fuss about Mint's when 90% of all malware is made for Windows?

If something connects to my PC and has unusual traffic, I know, and I will check with Wireshark to see where it's coming from.

People have been using Linux Mint for 9 years without many problems; can you say this about any version of Windows? No! So why would I stop using it because of what people from other distros find wrong? Every OS has security flaws, and I bet if you were researching the one the researcher was using as their main OS you'd find a ton in it too.

People feed on the bad news; they don't want to focus on what's good about something. They say Linux Mint has millions of users, and only a few who were too dumb to look at the hash of the ISO were infected.

The only thing I don't like about Mint: I wish they would do updated ISOs more often, with updated kernels and stuff like Ubuntu does, with full driver support.

Already Ubuntu 14.04.4 LTS (Trusty Tahr) comes with the 4.2 kernel and works for my HW for drivers and stuff.

Many people are still on XP; the mainstream market share says there are over 10-fold more on it than all Linux distros combined, and it has not had support since 2014. People need to get a reality check, and you're going to make a big deal over a few people who downloaded a tainted Mint ISO?

In every case the end user is the biggest threat to their own security. Education about security and making wise choices is the only thing that will prevent you from being breached.

We will see whether this will affect Mint in the long term, but that's yet to be seen; even with the new Ubuntu 14.04.4 LTS (Trusty Tahr) release, Mint has had more hits in the last 7 days.


http://distrowatch.com/index.php?dataspan=1

 



6 minutes ago, vibranium said:

The article is quite fair and not hyped at all.

The article is just a rehash of what I already read; it's based on glaubitz from the Linux community's dislike of LM, so he's nitpicking. I bet if he were to research his own distro he'd find more issues in it than in Mint.

https://lwn.net/Articles/676664/

Most articles I read are not very informative; they just take stuff others said and try to make a story of it. If it's something I use, chances are I have read it all before it hits the tabloid rags.

More people use Windows XP than all Linux, and they get no security updates at all; even when they did have a hack they were not tested for XP.



I don't see the world in the same way as you do.

 

I see the article as providing good, factual information. It helped me.

 

Factuality is how I base my security, not what I like or who's jealous of whom or what other people are using or how lousy other OSes can be.



1 minute ago, vibranium said:

I don't see the world in the same way as you do.

 

I see the article as providing good, factual information. It helped me.

 

Factuality is how I base my security, not what I like or who's jealous of whom or what other people are using or how lousy other OSes can be.

The fact is even Cinnamon, the biggest difference between it and Ubuntu, is packaged by Debian Jessie and distributed on unofficial repos for Ubuntu. And if you waited around for Mint or Ubuntu to give you updates for your software you'd have to wait forever, so you have to use a 3rd-party PPA if you want anything very new.



LM's blacklisting of incompatible updates is criticized. I don't see how not patching can lead to better security than patching. Simple logic.



2 hours ago, vibranium said:

LM's blacklisting of incompatible updates is criticized. I don't see how not patching can lead to better security than patching. Simple logic.

Microsoft blacklisted all updates for XP in 2014 and blacklisted updates for versions of IE that many have no choice but to use. Ubuntu is sort of like Windows: you have to take updates. Mint gives you a choice whether you want to take them or not. If you want anything not in Mint and you want to take a chance with compatibility, it's open source; you can update it yourself. All you have to do is check the box for level 4 updates.

Ubuntu puts updates before whether the OS even works or not. When I first tested 15.10, the 3rd-party drivers in their driver manager would mess up my whole install; it's fixed now, they had to patch the stack. Compatibility is very important as well; if I can't get things to work right I'm not going to use Linux at all. I'll use Windows :P

I test all kinds of Linux. I just installed kubuntu-14.04.4 yesterday on my other HDD on my fast Linux machine, and on an old XP PC I have I've been testing antiX, based on Debian.



On 2/25/2016 at 1:20 PM, steven36 said:

The biggest problem with Linux is the community has no sense of unity. Most are backstabbers. Most all the members in so-and-so distro slam other distros, when Red Hat, Debian and Ubuntu were all hacked years ago. They're jealous of the success Mint has had at drawing in noobs from Windows. Linux Mint has been around since 2006 and this is the first time anything like this has happened, so what other rubbish the other distros write is just uncalled for. Most of the time when something happens it causes the admins to wake up and get much better security. Already Linux Mint is back online with a much more secure forum than they had. Give them time, I say; they will become one of the most secure Linux out there :)

Popularity/Fame is a good way to get hacked. Most malware targets Windows; even if it became the undisputed most secure OS, that wouldn't change.

 

Mint may be 10 years old but I never heard of it until the last year or two. Despite all the tech forums and whatnot I've only recently heard of Mint.

 

Ubuntu was probably the main thing in 2006 (more like 2007-2008 for me since I really didn't follow anything in 2006 nor did I even have the internet, hell, I hadn't heard of Vista at all until one day all of those PCs came out with it) that I heard of, and even today I imagine that is solidly in the top 3 most well-known and/or used distros even with the hate over Unity and Systemd.



31 minutes ago, CODYQX4 said:

Popularity/Fame is a good way to get hacked. Most malware targets Windows; even if it became the undisputed most secure OS, that wouldn't change.

 

Mint may be 10 years old but I never heard of it until the last year or two. Despite all the tech forums and whatnot I've only recently heard of Mint.

 

Ubuntu was probably the main thing in 2006 (more like 2007-2008 for me since I really didn't follow anything in 2006 nor did I even have the internet, hell, I hadn't heard of Vista at all until one day all of those PCs came out with it) that I heard of, and even today I imagine that is solidly in the top 3 most well-known and/or used distros even with the hate over Unity and Systemd.

Well, I did since after the first year of the 21st century, and I've never been hacked on Linux yet, but I had my email stolen from me on Windows a few times on XP, and some other bad stuff. I was never a Linux user till I saw what a mess M$ made with Windows 10. And the bottom line is, even after the hack Linux Mint is far from dead; people are donating because of the fact it happened and love it anyway. And all the jealous distros and Windows-using Linux haters are eating crow, because the only thing people can do from past mistakes is not make the same mistake 2 times.
