Beware of hacked ISOs if you downloaded Linux Mint on February 20th - ty___ler
http://blog.linuxmint.com/?p=2994
======
dghughes
Now you tell me.

------
cdevs
Does anyone know the start date? I had a friend install it on their laptop
two weeks ago.

~~~
detaro
> _We were exposed to an intrusion today._

> _[...]_

> _Finally, the situation both happened and was solved today, so it should
> only impact people who downloaded this edition on February 20th._

------
i_have_to_speak
Looks like something is going on again. Their website is down currently.
[21-Feb 02:55 UTC]

~~~
corvus_sapiens
"Edit by Clem: We shut down the server until we find the source of the second
intrusion (probably something left by the first)."

[http://blog.linuxmint.com/?p=2994](http://blog.linuxmint.com/?p=2994)

------
anishathalye
It's somewhat disappointing that this blog article is served over HTTP, and
it's impossible to access it via HTTPS. How do we know that these new MD5s are
to be trusted?

~~~
bogus-
Linux Mint doesn't seem to prioritize security in general. No TLS for ISOs, no
easily spottable signatures for ISOs, marking security updates untrusted by
default...

~~~
RaleyField
They also ignore (at least they used to) DNS servers from DHCP and use
Google's public DNS servers, completely oblivious to why users might not want
this.

------
jtchang
Well that is scary. I personally don't check ISO checksums and signatures very
often. Probably the only time I do is when I sometimes get install errors and
wonder if I got all the bits and if anything got corrupted.

~~~
RaleyField
> don't check ISO checksums

I've grown obsessive about it. When you're conscious about that, it's amazing
(to put it mildly) how many prominent projects don't bother with any
authentication.

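The two comments above are about actually checking a downloaded image against the project's published checksum list. As an added illustration (not code from any commenter or from Linux Mint), the script below parses a coreutils-style `md5sum`/`sha256sum` listing, picks the algorithm from the digest length, and reports OK / FAILED / MISSING per image; the sample image files and sums file are constructed inline. Note that this only detects corruption or substitution relative to the list itself: if the list was fetched over plain HTTP, as discussed elsewhere in the thread, an attacker who can serve a modified ISO can serve matching sums too, so the list must come over HTTPS or carry a GPG signature to mean anything against tampering.

```python
import hashlib
import os
import re
import tempfile

# Coreutils sums format: "<hex digest>  <filename>"; a "*" before the
# name marks binary mode and is not part of the filename.
_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")
# Digest length in hex characters tells us which hash produced the line.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_sums(text):
    """Return {filename: (algorithm, digest)} from an md5sum/sha256sum listing."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m or len(m.group(1)) not in _ALGO_BY_LEN:
            raise ValueError("unparseable line: %r" % line)
        entries[m.group(2)] = (_ALGO_BY_LEN[len(m.group(1))], m.group(1).lower())
    return entries


def file_digest(path, algo):
    """Hash a (possibly multi-GB) file in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_images(sums_text, directory):
    """Check every listed file; returns {filename: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for name, (algo, expected) in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results


def demo():
    """Constructed sample: one intact image, one tampered image, one absent."""
    tmp = tempfile.mkdtemp()
    payload = b"constructed ISO payload"
    with open(os.path.join(tmp, "good.iso"), "wb") as f:
        f.write(payload)
    with open(os.path.join(tmp, "bad.iso"), "wb") as f:
        f.write(payload + b"!")  # one byte appended: simulates a modified image
    sums = "%s  good.iso\n%s *bad.iso\n%s  missing.iso\n" % (
        hashlib.sha256(payload).hexdigest(), hashlib.md5(payload).hexdigest(), "0" * 64)
    return verify_images(sums, tmp)
```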
------
StavrosK
What other ways are there to download, apart from http and torrents?

~~~
khedoros
FTP?

~~~
StavrosK
I mean "what other ways do they have to download this?" All I saw is HTTP and
Torrent, so I'm curious as to what exactly got compromised.

------
ryanlol
I'll just leave this here

        forums.linuxmint.com pwd
      /root/hacked_distros/mint/var/www/forums.linuxmint.com
        forums.linuxmint.com cat config.php
      <?php
      // phpBB 3.0.x auto-generated configuration file
      // Do not change anything in this file!
      $dbms = 'mysql';
      $dbhost = 'localhost';
      $dbport = '';
      $dbname = 'lms14';
      $dbuser = 'lms14';
      $dbpasswd = 'upMint';

Perhaps the insanely secure db credentials had something to do with the
breach?

But what would _I_ know.

~~~
cmurf
Might not hurt to post this in the comments section of the Mint blog.

~~~
orionblastar
If they used the same password on the forums and blog then they still have a
problem. They need to be notified of this and change the password to a more
secure one.

The config.php file should not be readable by an anonymous user, that is a
security risk.

~~~
ryanlol
> The config.php file should not be readable by an anonymous user, that is a
> security risk.

Yes, usually unauthorized people having access to your server results in
various security risks.

------
btrask
I was trying to download Linux securely a month or so ago. It's actually
embarrassingly difficult to do. The only two distros that did it right (that I
could find) are Debian and Alpine Linux. The rest (including Mint and Ubuntu)
had hashes (usually MD5) or GPG keys served over HTTP.

~~~
chei0aiV
If you can think of any improvements Debian could make, please do suggest them
via bug reports or on the mailing list. If you would like to work on fixing
some of our issues, here are the ones we know about:

[https://wiki.debian.org/Hardening/RepoAndImages](https://wiki.debian.org/Hardening/RepoAndImages)

~~~
btrask
Debian is already outstanding in this regard (and others)!

One minor suggestion would be to provide ISO hashes over HTTPS. It's just as
secure as using GPG with fingerprints sent over HTTPS, and it's a lot easier.

The fingerprints
([https://www.debian.org/CD/verify](https://www.debian.org/CD/verify)) could
also be made more prominent (perhaps put on the main download page).

Thanks again!

------
mcpherrinm
I am pretty sad they're posting MD5 sums of the correct images: It's pretty
trivial to collide MD5 -- and when you've got an active attacker, this is
something you should worry about.

SHA1/2 at least, but preferably a gpg signature would be much better.

~~~
ryanlol
> It's pretty trivial to collide MD5

... collisions =/= second-preimage attacks

> SHA1/2 at least, but preferably a gpg signature would be much better.

SHA1/2 isn't any better; you're _never_ going to get hit by file corruption
that magically also is an MD5 collision.

~~~
_jomo
How do you get hit by file corruption when downloading via TCP in 2016? I
don't recall this ever happening to me.

~~~
ryanlol
While possible, it's really really unlikely for this to happen without some
fairly serious network issues between you and whoever you're downloading from.

~~~
Laforet
Or a flaky bit in the RAM or (very rarely) storage media.