Linux Mint Forums Back After Double Attack

karlchen

Linux Mint Forums Back After Double Attack

Post by karlchen »

Dear forum users,

Sorry to learn that not every forum user [1] has found the official communication where Clem explained what had happened and what the implications were. Please, find the 2 relevant blog posts here: As can be told from the 2 blog posts, Clem has frankly explained what had happened as soon as he had been aware of it. No attempt at camouflaging any relevant facts has been made.

Best regards,
Karl
The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for 792 days now.
Lifeline
MtnDewManiac

Re: Linux Mint Forums Back After Double Attack

Post by MtnDewManiac »

WordPress?

phpBB?

An outdated version of phpBB?

In all seriousness - and meaning no disrespect - the news isn't that you were hacked... It's that you weren't (to our knowledge, at least :roll: ) hacked long ago, and that you actually realized that you had an intrusion.

Well... At least (according to my browser's script-blocker and GeoTool server information add-ons) you do NOT appear to be using (or should that be "getting used by," lol?) CloudFlare. So I'll stick around. I am a big fan of your distro - and the process of digging out from under the whopping pile of dung that has been / is being heaped upon your head over this "little" OOPS will (hopefully...?) ensure that you step into the 2000s security-wise, so I assume that you will come out of this more secure than you have been in the past. Or even pseudo-semi-secure, which is probably about ten thousand times better than merely "more secure than you have been in the past" :roll: .

In other words, lol, you were leaning way, way, waaaaaaay out over the outhouse hole and someone walked by and gave you that tiny little nudge that was sufficient to send you plummeting into the pile. <SHRUGS> It happens, even if in this particular case it was sort of a foreordained conclusion. THANK YOU for informing us of what occurred, inasmuch as you have (one assumes that you have not released all of the information you have gleaned, and that is understandable). Others might have, instead, simply made an announcement that all passwords need to be changed because, IDK, the drive they were stored on got pooched or something in order to (attempt to) hide their shame and embarrassment. Kudos!

BtW, the best way to fight hackers - or better yet, to develop and maintain a proactive strategy - is... to get a better hacker in YOUR camp :P . My suggestion would be, if the phrase "Click... Click... <BOOM!>" means anything to you (in the computer sense), contact the CMG and ask for a little help. Great group of people, and so talented that half of them ought to be locked up somewhere, lol (the other half would never get caught :roll: ).

Regards and thanks again for letting us know,
MDM
Mint 18 Xfce 4.12.

If guns kill people, then pencils misspell words, cars make people drive drunk, and spoons made Rosie O'Donnell fat.
rephugee

Re: Linux Mint Forums Back After Double Attack

Post by rephugee »

I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!
hermes333

Re: Linux Mint Forums Back After Double Attack

Post by hermes333 »

Hello «Minters», I'm very glad to log in again here, I've changed my password as it was recommended. Long life to Linux Mint and no hackers can stop the FREE world!
Fred Barclay

Re: Linux Mint Forums Back After Double Attack

Post by Fred Barclay »

rephugee wrote:I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!
Hello rephugee. How long is the password you tried? Mine is over 20 characters long and I had no trouble setting it.

It might have been a temporary system glitch, what with the new server, new phpBB software, and all.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein
rephugee

Re: Linux Mint Forums Back After Double Attack

Post by rephugee »

Fred Barclay wrote:
rephugee wrote:I had hoped that Linux Mint would come back stronger and safer after this unfortunate event, but that, sadly, doesn't seem to be the case.

When logging on to the forums for the first time after the breach to change my password, being told that my chosen new password is too long(!) does not inspire any trust in the new setup. There should be no such thing as too long a password!
Hello rephugee. How long is the password you tried? Mine is over 20 characters long and I had no trouble setting it.

It might have been a temporary system glitch, what with the new server, new phpBB software, and all.
32 characters was too long, 24 characters worked. I use a password manager, so it's a (more or less) randomly generated password (currently 192 bits vs. the 256 bits I first tried). In that sense I'm not much worse off.

But -

Given that people may use passphrases ('correct horse battery staple') instead of passwords, having any kind of limit is a bad thing. Since we don't know what kind of hashing and/or salting is taking place behind the scenes, using a good strong password or passphrase is the best protection against brute force attacks if someone were to run off with the password database again. It increases the odds that you'll have time to detect the problem and address it before the password's broken/cracked.

We all know that passwords and passphrases shouldn't be reused, but we also know that it still happens all the time. Having a "time buffer" from using a strong password/phrase can help mitigate that problem and give those people a chance to change it where it needs to be changed.
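
As an added illustration of the point in the post above (not code from the forum, phpBB or the Linux Mint team): with a salted key-derivation function the stored record has the same size whatever the password length, so storage is no reason for a 24-character cap. The scrypt parameters, the record format and the 1024-byte input bound are assumptions of this sketch.

```python
import hashlib
import hmac
import os

# Assumed parameters for this sketch; not the forum's real settings.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAX_BYTES = 1024  # generous bound on input size, far above any passphrase


def _derive(password: str, salt: bytes, n: int, r: int, p: int, dklen: int) -> bytes:
    raw = password.encode("utf-8")
    if len(raw) > MAX_BYTES:
        raise ValueError("password longer than MAX_BYTES")
    # scrypt condenses input of any length into dklen bytes.
    return hashlib.scrypt(raw, salt=salt, n=n, r=r, p=p, dklen=dklen)


def hash_password(password: str) -> str:
    salt = os.urandom(16)  # fresh salt per record: equal passwords, different records
    dk = _derive(password, salt, N, R, P, DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    try:
        scheme, n, r, p, salt_hex, dk_hex = record.split("$")
        if scheme != "scrypt":
            return False
        want = bytes.fromhex(dk_hex)
        got = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p), len(want))
    except ValueError:  # malformed record or over-long input
        return False
    return hmac.compare_digest(got, want)  # constant-time comparison


# Constructed sample inputs: 24 and 32 characters, plus the passphrase from the post.
SAMPLES = ["k3Qv9ZpT1mXw7LbR4sNd8HyF",
           "k3Qv9ZpT1mXw7LbR4sNd8HyFc6Ju2GaE",
           "correct horse battery staple"]


def record_lengths() -> list:
    # Length of the stored record for each sample password.
    return [len(hash_password(pw)) for pw in SAMPLES]


if __name__ == "__main__":
    print(record_lengths())
```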
AnalogueMan

Re: Linux Mint Forums Back After Double Attack

Post by AnalogueMan »

How can I get rid of this annoying new login procedure: having to supply my username and now CHANGED password twice and that second time supply this stupid extra code to get into this forum :evil: !
Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
Thanks.
Analogue man in a digital world
DeVIL-I386

Re: Linux Mint Forums Back After Double Attack

Post by DeVIL-I386 »

AnalogueMan wrote:Do all members have to go through this new procedure
Thanks.
This cumbersome process is with me too.
You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below.
waynea

Re: Linux Mint Forums Back After Double Attack

Post by waynea »

I have logged in with my original username and password - I thought this was not supposed to be allowed?

PS - I just posted elsewhere and got the error when trying to post this

You cannot make another post so soon after your last.

Understand why this should be, but it's bad usability....how long??
Pjotr

Re: Linux Mint Forums Back After Double Attack

Post by Pjotr »

AnalogueMan wrote:Do all members have to go through this new procedure
Probably, yes. Please have some patience with the Linux Mint team; they're working hard to get things back to normal.
Last edited by Pjotr on Sun Feb 28, 2016 7:27 am, edited 1 time in total.
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Cosmo.

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. »

AnalogueMan wrote:,Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?,
I know that some users do not have this problem. The question "Why" is a good one. I know from the admins that they are working to solve the problem, but until now without a result.

My suspicion is the new board firewall, so nothing that should be different for the different users.
all41

Re: Linux Mint Forums Back After Double Attack

Post by all41 »

Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
I see a lot of complaints about this.
As the forum came back online I logged in and changed the password and
entered a new email address. Immediately an activation notice to my new email address after which
the login has worked perfectly every time for me (dozens). My only caveat was not being prompted
that at least one letter be capitalized in the password--once I got through that and the activation notice it's
been smooth sailing.
Everything in life was difficult before it became easy.
RacerBG

Re: Linux Mint Forums Back After Double Attack

Post by RacerBG »

The new blue theme is not great but I hope that the security now is better. Also I changed my password too. :)
Pjotr

Re: Linux Mint Forums Back After Double Attack

Post by Pjotr »

all41 wrote:
Do all members have to go through this new procedure or are there some who do not have to do this, and if so, why?
I see a lot of complaints about this.
As the forum came back online I logged in and changed the password and
entered a new email address. Immediately an activation notice to my new email address after which
the login has worked perfectly every time for me (dozens). My only caveat was not being prompted
that at least one letter be capitalized in the password--once I got through that and the activation notice it's
been smooth sailing.
Do you keep your cookies across sessions? My Firefox has been configured to generate a clean slate upon closing it: all cookies and history are being wiped. That might be the reason for the extra security code requirement that I (and others) are facing.
all41

Re: Linux Mint Forums Back After Double Attack

Post by all41 »

It does not seem to matter if I keep cookies or choose to delete them
as Firefox closes. My login is fine even if I set to always use private browsing mode.
I am entering my username and password manually each time--not letting ff remember
or inputting with password manager
Cosmo.

Re: Linux Mint Forums Back After Double Attack

Post by Cosmo. »

all41 wrote:It does not seem to matter if I keep cookies or choose to delete them
The same here: If I log off because I leave my computer, FF stays open and the cookies stay untouched. If I am at the end of the day and close FF, cookies get deleted in this case. But in both cases the wrong message about too many login attempts with the captcha comes.
Flemur

Re: Linux Mint Forums Back After Double Attack

Post by Flemur »

One minor forum bug is fixed: with FF, the fluxbox toolbar shows the currently open tab text label; the Mint forums used to show up in the toolbar as whatever was the previously open tab, now it displays correctly.

Yesterday, though, the forum kept rejecting a long post of mine (~ "you don't have permission"), but it would take short posts; I finally sent the guy a PM.
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
mintybits

Re: Linux Mint Forums Back After Double Attack

Post by mintybits »

karlchen wrote:Sorry to learn that not every forum user [1] has found the official communication where Clem explained what had happened and what the implications were. Please, find the 2 relevant blog posts here:
Thanks! :)
Skaendo

Re: Linux Mint Forums Back After Double Attack

Post by Skaendo »

Would it be possible to get everyone to move their avatars and other images to a https host like imgur?

Or possibly be able to upload them to the forums and use them from there?

Since the recent breach, and switching everything Linux Mint to https the site is giving partially encrypted status because a lot of people have their images on http hosts.
PraesesZA

Re: Linux Mint Forums Back After Double Attack

Post by PraesesZA »

Have there been any signs that passwords were decrypted?

I can't remember my old password so I don't know which sites' passwords I have to change :?