1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Linux Mint ISOs infected in WordPress attack

Discussion in 'Article Discussion' started by Gareth Halfacree, 22 Feb 2016.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,471
    Likes Received:
    7,338
  2. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    "Motherload"

    What is the inherent security flaw in storing user details with iso?
     
  3. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    ...this week...
     
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,471
    Likes Received:
    7,338
    Bzzt. It's a mining term: hitting the principle vein of an ore or mineral, literally the 'mother' 'lode.'

    Not sure I understand the question. Do you mean the inherent issue with storing the MD5 hashes with the ISOs? If I have access to replace the ISOs with my malicious versions, I also have access to replace the hashes that are supposed to warn you if I've replaced the ISOs. If the hashes were on a different server, I couldn't do that; I could replace the ISOs, but when you check your download against the hashes (which nobody ever does) you'd be warned that the file had been tampered with.

    Putting the hashes on a separate server (or on a part of the same server to which the web server process doesn't have write access, at a minimum) is basic security. Better security, to which I allude in the article, is getting rid of hashes altogether in favour of cryptographic signatures. Anybody can make an MD5 hash (it's literally one command: md5sum filename); only the Linux Mint release team would have the private key required to GPG-sign the ISOs.

    You'd still have the problem that nobody would check said signature, of course, but hey: what can you do?

    Oh, look, it's Phil. Hi, Phil. Just a friendly warning: this thread is for comments on the news article. Any trolling or posting off-topic, especially about any general issues you may or may not have with Linux and/or those who use or develop Linux, will be deleted; persistent posting contrary to these rules will result in your being reported to the moderation team for a cooling-off ban. Have a lovely day!
     
  5. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    I thought that was "motherlode"
     
  6. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,471
    Likes Received:
    7,338
    D'you know, so did I - but Proper English spell-check and Google both have it as two separate words, so who am I to argue?
     
  7. jinq-sea

    jinq-sea 'write that down in your copy book' Super Moderator

    Joined:
    15 Oct 2012
    Posts:
    8,823
    Likes Received:
    721
    Phil - your PM conduct towards Gareth is, quite frankly, utterly distasteful. Please, take a week off to have a think about it. Ta-ra for now!

    While you're off, have a read of the rules. They're not optional!
     
  8. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    You shouldn't understand the question because I misread the article and thus asked a malformed question. I seem to be turning my Derp up to 11 today.
     
  9. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,471
    Likes Received:
    7,338
    While the question was wrong, was my answer right? 'Cos, if so, that's going in the 'Notable Achievements' section of my CV.
     
  10. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    I thought that they were being criticised for storing user details with the ISOs. But that's neither what happened nor what they were criticised on.

    I learned something from your answer though. I haven't heard of cryptographic hashes used as secure verification before and it's a valid point on keeping the hashes with the ISOS.
     
    Last edited: 22 Feb 2016
  11. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    This security issues has me concerned, as someone who was planning to make the change to Linux (Mint) in a few months and not knowing much about security of an OS, I read a comment on another site reporting this that the Linux Mint team have it backwards (their words) when it comes to security, preferring compatibility over security.

    Are these major failings in its security a reflection on the OS itself?
     
  12. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    Perhaps it's the old tradeoff between security and convenience coming into play.

    I never got what mint offers over Ubuntu apart from cinnamon as the default UI. Why is Mint considered more user friendly or favourable?
     
  13. Assassin8or

    Assassin8or Minimodder

    Joined:
    24 Apr 2009
    Posts:
    101
    Likes Received:
    1
    Gareth, I should think that you could make the installer check the signature file, which should contain a hash of the media, and if the signature isn't correct or media fails to match the contained hash it shouldn't install.

    This would obviate the requirement of the end user, who might be an MS Windows user, to check either the signature or the MD5 hash.
     
  14. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    Cinnamon was going to be the flavor (no pun intended) i was going to plum for, going on what I've read and seen it looks to be less of a jarring transition from the world of Windows, last thing i want when learning about a new OS is to be fighting an unfamiliar GUI.

    I kind of ruled Ubuntu out as I read it has a propensity of going down a similar route as Apple and Microsoft of a walled garden, data gathering, and dictating to users how they should use their OS.
     
  15. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    Yeah I guess canonical are doing that a bit. They are disregarding wayland to make their own display server. Which is a bit walled gardeny. But I'd imagine you would end up with that in Mint as well when it arrives.

    The most agregious thing is the ads but that can easily be turned off.

    You should check out elementary os. It's the nicest looking linux interface IMO.
     
  16. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,471
    Likes Received:
    7,338
    Sadly, this won't work: you're suggesting that the installer be trusted to verify its own validity. Where did we get the installer from? The suspicious ISO. It'd be the work of moments for the attacker to patch the installer to say "yup, everything checks out, no Trojans here governor." Same issue with the hash: where is it getting the hash from?

    The only way is for people to get used to verifying the signature manually using their own software - which is fine for nerds like us and completely useless for Aunt Mavis.

    Internally at Mint (or any other software vendor), what should be happening is an automated system on multiple independent servers that verifies any ISO upload against a public key. No signature, or an invalid signature? The team is alerted and the files don't get made available. It goes without saying, of course, that this system should not rely on WordPress, which has been harshly but not inaccurately referred to as a great remote shell with a mediocre CMS on top (and if they do use WordPress, for goodness sake keep it and everything else patched and updated!)
     
  17. SteveW

    SteveW What's a Dremel?

    Joined:
    3 Sep 2015
    Posts:
    3
    Likes Received:
    0
    I've used Ubuntu since 8.04 and I can say that Ubuntu is no walled garden on the scale of Microsoft/Apple. Every search and data gathering feature can be switched off with a few clicks. In addition, in the next version (Ubuntu 16.04), all the online search features will be disabled by default.

    There's nothing about FLOSS that forces Canonical to adopt Wayland. In the opinions of many, it may be easier if they had. I personally think choice is good and if they later regret the decision, I'm sure Canonical will make the right decision and adopt Wayland if necessary. Any other Linux distro is free to use Mir as a display server if they so please. I've yet to see anything "walled gardeny" distributed with a GPLv3/LGPLv3 license.
     
  18. SexyHyde

    SexyHyde Minimodder

    Joined:
    24 Jul 2009
    Posts:
    609
    Likes Received:
    11
    So this wouldn't effect the ISO's available via torrent?

    I've always loved Mint, it just seems so easy to navigate, mod, use, etc. Once i've got my hardware issues sorted and have some free time, I have to try ElementaryOS and SuSE.
     
  19. theshadow2001

    theshadow2001 [DELETE] means [DELETE]

    Joined:
    3 May 2012
    Posts:
    5,284
    Likes Received:
    183
    Of course doing your own display server is not against floss. Ubuntu is one of the most popular distross and because of that, going with their own display server may lead to program compatability issues between distros. We could end up with mir only programs or wayland only programs or worse cross platform programs, that ends up using some X compatibility which would be a step backwards. I hope that won't be the case but if it Iis then that to me would be a bit walled gardeny.

    FLOSS and walled garden are not mutually exclusive concepts BTW.
     
  20. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,648
    Likes Received:
    388
    It looks very Mac'ish doesn't it. :)

    Yes i understand it's no way near the scale of Microsoft/Apple, its just for me personally the very fact that they include things like online search, advertising, and those sorts of things is an indication of their intentions, that's not to say they're going to force those things on people in the future like Microsoft & Apple, its just that I personally don't agree with that kind ethos.

    AFAIK it wouldn't as once a torrents in circulation it's impossible to alter without changing the hash.
     

Share This Page