Linux Mint Forums Back After Double Attack

karlchen
Level 20
Posts: 11234
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Linux Mint Forums Back After Double Attack

Post by karlchen » Fri Feb 26, 2016 1:16 pm

Dear forum users,

Sorry to learn that not every forum user [1] has found the official communication where Clem explained what had happened and what the implications were. Please, find the 2 relevant blog posts here: As can be told from the 2 blog posts, Clem has frankly explained what had happened as soon as he had been aware of it. No attempt at camouflaging any relevant facts has been made.

Best regards,
Karl
Linux Mint 19.2 32-bit xfce Desktop, Total Commander 9.22a 32-bit
Linux Mint 18.1 64-bit Cinnamon Desktop, Total Commander 9.22a 64-bit
Windows? - 1 window in every room

MtnDewManiac
Level 6
Posts: 1456
Joined: Fri Feb 22, 2013 5:18 pm
Location: United States

Re: Linux Mint Forums Back After Double Attack

Post by MtnDewManiac » Sat Feb 27, 2016 8:05 pm

WordPress?

phpBB?

An outdated version of phpBB?

In all seriousness - and meaning no disrespect - the news isn't that you were hacked... It's that you weren't (to our knowledge, at least :roll: ) hacked long ago, and that you actually realized that you had an intrusion.

Well... At least (according to my browser's script-blocker and GeoTool server information add-ons) you do NOT appear to be using (or should that be "getting used by," lol?) CloudFlare. So I'll stick around. I am a big fan of your distro - and the process of digging out from under the whopping pile of dung that has been / is being heaped upon your head over this "little" OOPS will (hopefully...?) ensure that you step into the 2000s security-wise, so I assume that you will come out of this more secure than you have been in the past. Or even pseudo-semi-secure, which is probably about ten thousand times better than merely "more secure than you have been in the past" :roll: .

In other words, lol, you were leaning way, way, waaaaaaay out over the outhouse hole and someone walked by and gave you that tiny little nudge that was sufficient to send you plummeting into the pile. <SHRUGS> It happens, even if in this particular case it was sort of a foreordained conclusion. THANK YOU for informing us of what occurred, inasmuch as you have (one assumes that you have not released all of the information you have gleaned, and that is understandable). Others might have, instead, simply made an announcement that all passwords need to be changed because, IDK, the drive they were stored on got pooched or something in order to (attempt to) hide their shame and embarrassment. Kudos!

BtW, the best way to fight hackers - or better yet, to develop and maintain a proactive strategy - is... to get a better hacker in YOUR camp :P . My suggestion would be, if the phrase "Click... Click... <BOOM!>" means anything to you (in the computer sense), contact the CMG and ask for a little help. Great group of people, and so talented that half of them ought to be locked up somewhere, lol (the other half would never get caught :roll: ).

Regards and thanks again for letting us know,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.

rephugee
Level 1
Posts: 8
Joined: Tue Oct 07, 2014 12:41 pm

Re: Linux Mint Forums Back After Double Attack

Post by rephugee » Sat Feb 27, 2016 9:42 pm

I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!

hermes333
Level 4
Posts: 207
Joined: Fri Mar 08, 2013 12:58 pm
Location: Montréal, Québec

Re: Linux Mint Forums Back After Double Attack

Post by hermes333 » Sat Feb 27, 2016 10:13 pm

Hello «Minters», I'm very glad to log in again here, I've changed my password as it was recommended. Long life to Linux Mint and no hackers can stop the FREE world!
Boîtier Thermaltake V3 Thermaltake 600W
Carte mère Asus B85M-E/CSM
Mémoire: 8 Go
Espace disque: 1 To
Processeur: Intel® i5 4570
Carte graphique: NVidia GeForce GT610
Système: Debian 9.4 Cinnamon 64 bit

Fred Barclay
Level 12
Posts: 4207
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: Linux Mint Forums Back After Double Attack

Post by Fred Barclay » Sat Feb 27, 2016 11:56 pm

rephugee wrote: I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!

Hello rephugee. How long is the password you tried? Mine is over 20 characters long and I had no trouble setting it.

It might have been a temporary system glitch, what with the new server, new phpBB software, and all.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

rephugee
Level 1
Posts: 8
Joined: Tue Oct 07, 2014 12:41 pm

Re: Linux Mint Forums Back After Double Attack

Post by rephugee » Sun Feb 28, 2016 12:19 am

Fred Barclay wrote:
rephugee wrote: I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!

Hello rephugee. How long is the password you tried? Mine is over 20 characters long and I had no trouble setting it.

It might have been a temporary system glitch, what with the new server, new phpBB software, and all.

32 characters was too long, 24 characters worked. I use a password manager, so it's a (more or less) randomly generated password (currently 192 bits vs. the 256 bits I first tried). In that sense I'm not much worse off.

But -

Given that people may use passphrases ('correct horse battery staple') instead of passwords, having any kind of limit is a bad thing. Since we don't know what kind of hashing and/or salting is taking place behind the scenes, using a good strong password or passphrase is the best protection against brute force attacks if someone were to run off with the password database again. It increases the odds that you'll have time to detect the problem and address it before the password's broken/cracked.

We all know that passwords and passphrases shouldn't be reused, but we also know that it still happens all the time. Having a "time buffer" from using a strong password/phrase can help mitigate that problem and give those people a chance to change it where it needs to be changed.
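
An added example, not part of rephugee's post and not the forum's code: a salted, slow key-derivation function stores a fixed-size record whatever the input length, so the storage format itself gives no reason to reject a 32-character password or a long passphrase. The thread does not say what the forum uses; PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample passwords below are all assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters; the forum's real scheme is not stated on the page.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); the key is 32 bytes for any input length."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)


def record_sizes(passwords):
    """Map each password's length to the size of the key that gets stored."""
    return {len(p): len(hash_password(p)[1]) for p in passwords}


# Constructed sample inputs: 24 and 32 characters (the two lengths from the
# post), the 28-character passphrase it quotes, and a 200-character one.
SAMPLE_PASSWORDS = [
    "Ab3$" * 6,
    "Ab3$" * 8,
    "correct horse battery staple",
    "word " * 40,
]

if __name__ == "__main__":
    for length, size in sorted(record_sizes(SAMPLE_PASSWORDS).items()):
        print(f"password of {length:3} chars -> {size} byte key")
```
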

AnalogueMan
Level 3
Posts: 143
Joined: Mon Dec 15, 2014 6:34 am

Re: Linux Mint Forums Back After Double Attack

Post by AnalogueMan » Sun Feb 28, 2016 7:17 am

How can I get rid of this annoying new login procedure: having to supply my username and now CHANGED password twice and that second time supply this stupid extra code to get into this forum :evil: !
Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
Thanks.
Analogue man in a digital world

DeVIL-I386
Level 1
Posts: 34
Joined: Mon May 23, 2011 7:17 pm

Re: Linux Mint Forums Back After Double Attack

Post by DeVIL-I386 » Sun Feb 28, 2016 7:19 am

AnalogueMan wrote: Do all members have to go through this new procedure
Thanks.

This cumbersome process is with me too.
You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below.

waynea
Level 3
Posts: 119
Joined: Mon Oct 14, 2013 11:49 am

Re: Linux Mint Forums Back After Double Attack

Post by waynea » Sun Feb 28, 2016 7:21 am

I have logged in with my original username and password - I thought this was not supposed to be allowed?

PS - I just posted elsewhere and got the error when trying to post this

You cannot make another post so soon after your last.

Understand why this should be, but it's bad usability....how long??

Pjotr
Level 21
Posts: 13248
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Linux Mint Forums Back After Double Attack

Post by Pjotr » Sun Feb 28, 2016 7:22 am

AnalogueMan wrote: Do all members have to go through this new procedure

Probably, yes. Please have some patience with the Linux Mint team; they're working hard to get things back to normal.
Last edited by Pjotr on Sun Feb 28, 2016 7:27 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. » Sun Feb 28, 2016 7:25 am

AnalogueMan wrote: Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?

I know that some users do not have this problem. The question "Why" is a good one. I know from the admins that they are working to solve the problem, but until now without a result.

My suspicion is the new board firewall, so nothing that should be different for the different users.

all41
Level 15
Posts: 5590
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Linux Mint Forums Back After Double Attack

Post by all41 » Sun Feb 28, 2016 7:34 am

Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
I see a lot of complaints about this.
As the forum came back online I logged in and changed the password and
entered a new email address. Immediately an activation notice to my new email address after which
the login has worked perfectly every time for me (dozens). My only caveat was not being prompted
that at least one letter be capitalized in the password--once I got through that and the activation notice it's
been smooth sailing.

RacerBG
Level 4
Posts: 377
Joined: Sun Mar 03, 2013 4:31 am
Location: Bulgaria

Re: Linux Mint Forums Back After Double Attack

Post by RacerBG » Sun Feb 28, 2016 7:56 am

The new blue theme is not great but I hope that the security now is better. Also I changed my password too. :)
Proud of Linux Mint!

Pjotr
Level 21
Posts: 13248
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)

Re: Linux Mint Forums Back After Double Attack

Post by Pjotr » Sun Feb 28, 2016 7:57 am

all41 wrote:
Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
I see a lot of complaints about this.
As the forum came back online I logged in and changed the password and
entered a new email address. Immediately an activation notice to my new email address after which
the login has worked perfectly every time for me (dozens). My only caveat was not being prompted
that at least one letter be capitalized in the password--once I got through that and the activation notice it's
been smooth sailing.

Do you keep your cookies across sessions? My Firefox has been configured to generate a clean slate upon closing it: all cookies and history are being wiped. That might be the reason for the extra security code requirement that I (and others) are facing.

all41
Level 15
Posts: 5590
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: Linux Mint Forums Back After Double Attack

Post by all41 » Sun Feb 28, 2016 8:19 am

It does not seem to matter if I keep cookies or choose to delete them
as Firefox closes. My login is fine even if I set to always use private browsing mode.
I am entering my username and password manually each time--not letting ff remember
or inputting with password manager

Cosmo.
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. » Sun Feb 28, 2016 10:08 am

all41 wrote: It does not seem to matter if I keep cookies or choose to delete them

The same here: If I log off because I leave my computer, FF stays open and the cookies stay untouched. If I am at the end of the day and close FF, cookies get deleted in this case. But in both cases the wrong message about too many login attempts with the captcha comes.

Flemur
Level 17
Posts: 7088
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Linux Mint Forums Back After Double Attack

Post by Flemur » Sun Feb 28, 2016 12:13 pm

One minor forum bug is fixed: with FF, the fluxbox toolbar shows the currently open tab text label; the Mint forums used to show up in the toolbar as whatever was the previously open tab, now it displays correctly.

Yesterday, though, the forum kept rejecting a long post of mine (~ "you don't have permission"), but it would take short posts; I finally sent the guy a PM.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Mint 19.1 Xfce/fluxbox
Manjaro openbox/fluxbox

mintybits
Level 6
Posts: 1123
Joined: Fri Jan 27, 2012 5:09 pm

Re: Linux Mint Forums Back After Double Attack

Post by mintybits » Sun Feb 28, 2016 2:24 pm

karlchen wrote: Sorry to learn that not every forum user [1] has found the official communication where Clem explained what had happened and what the implications were. Please, find the 2 relevant blog posts here:

Thanks! :)

Skaendo

Re: Linux Mint Forums Back After Double Attack

Post by Skaendo » Sun Feb 28, 2016 9:22 pm

Would it be possible to get everyone to move their avatars and other images to a https host like imgur?

Or possibly be able to upload them to the forums and use them from there?

Since the recent breach, and switching everything Linux Mint to https the site is giving partially encrypted status because a lot of people have their images on http hosts.
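
An added example, not part of Skaendo's post and not the forum's code: a small scanner that lists the subresources an HTTPS page would still fetch over plain HTTP, which is what produces the "partially encrypted" status described above. The page URL, host names and HTML are constructed for illustration, and the passive/active split is this example's own labelling of images and media versus scripts, frames and stylesheets.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

PASSIVE_TAGS = {"img", "audio", "video", "source"}  # displayed content
ACTIVE_TAGS = {"script", "iframe"}                  # content that can alter the page


class MixedContentFinder(HTMLParser):
    """Collect subresources an HTTPS page would fetch over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PASSIVE_TAGS:
            kind, url = "passive", attrs.get("src")
        elif tag in ACTIVE_TAGS:
            kind, url = "active", attrs.get("src")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            kind, url = "active", attrs.get("href")
        else:
            return
        if not url:
            return
        # Relative and protocol-relative URLs inherit the page's https scheme.
        absolute = urljoin(self.page_url, url)
        if urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: one avatar and one script on http hosts, the rest safe.
PAGE_URL = "https://forum.example.org/viewtopic.php?t=1"
SAMPLE_HTML = """
<link rel="stylesheet" href="/styles/board.css">
<img class="avatar" src="http://img.example.net/avatars/user1.png">
<img class="avatar" src="https://img.example.com/avatars/user2.png">
<img class="avatar" src="//cdn.example.org/avatars/user3.png">
<img class="smiley" src="./images/smilies/roll.gif" />
<script src="http://widgets.example.net/signature.js"></script>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```
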

PraesesZA
Level 1
Posts: 5
Joined: Mon Oct 27, 2014 9:47 am

Re: Linux Mint Forums Back After Double Attack

Post by PraesesZA » Mon Feb 29, 2016 10:42 am

Have there been any signs that passwords were decrypted?

I can't remember my old password so I don't know which sites' passwords I have to change :?

Locked
