Does Mint getting hacked change security thoughts?

[Fred Barclay]

Hard telling how many times Linux Mint has been hacked, the website, the programs, the operating system itself, these forums, from what I have read many hackers compromise systems and you never know they did so, they leave little to no trace, even server logs are modified, stupid hackers and hackers who wish others know they were on your system either get caught or purposely announce they hacked in.

So far as I'm aware Mint itself hasn't been successfully hacked (provided the user wasn't doing something ridiculous like logging in as root or keeping an outlandishly-outdated version.) For sure, during my time here I've never found a thread with a true hack in it.

[prestonR]

I'm a newbie and I enabled UFW when I first heard that it's installed by default. I tried the GUI GUFW but it seemed a bit half baked.

Much smoother would be to integrate the output of UFW status and triggered events into either conky or a panel item with an option 'stop all traffic':
- green icon=firewall status enabled
- red icon=firewall status disabled
- flashing icon=event traffic blocked
- stop-sign=all traffic stopped
- right-click=menu lists UFW commands, pick option=opens terminal.

Apart from that; I think firejail should come pre-installed in 18, sandboxing web apps couldn't be any easier.

[rustyp]

OK now dont know what a GUFW is I also do not know what a UFW is, speaking in acronyms only helps those who has the acronym decoder rings if you truly want to educate the general public you need to stop using texting language and type everything out where the average humans can comprehend. Or not.

In the future, I advise to Search The Fine Web before crying out, brother. I highly recommend to use Google: http://www.google.com
In this case for example with the not insanely difficult-to-imagine key words: firewall gufw (or firewall ufw).

Yeah I had no clue they were even firewalls OR programs see you have the advantage you knew they were firewalls.

Thanks for the extra beat down I never thought to waste time with the google hunt thing I went right to the author for advice so their was no chance for miss communication HOPEFULLY your not the type to suppress on topic discussions on forums, if people asking on topic questions upsets you its a sign you might need a break from the these forums. It all worked out perfectly the authors promptly directed me in the right direction as it related to their conversation.

Peace.

[rustyp]

Hard telling how many times Linux Mint has been hacked, the website, the programs, the operating system itself, these forums, from what I have read many hackers compromise systems and you never know they did so, they leave little to no trace, even server logs are modified, stupid hackers and hackers who wish others know they were on your system either get caught or purposely announce they hacked in.

So far as I'm aware Mint itself hasn't been successfully hacked (provided the user wasn't doing something ridiculous like logging in as root or keeping an outlandishly-outdated version.) For sure, during my time here I've never found a thread with a true hack in it.

Hopefully your right but I would never be surprised if any Linux based system has been hacked fact is I expect it I do not believe their is any operating system or software that is 100% secure. Again unannounced visits generally go unnoticed.

[Moem]

Yeah I had no clue they were even firewalls OR programs see you have the advantage you knew they were firewalls.

This sentence from Radish might have clued you in:

Personally, I'm now hoping that all future releases of Mint will have the GUFW firewall installed and activated by default in all new installs of Mint.

But don't take things too personally. Pjotr didn't mean to give you a beat down, I'm sure, and I don't think he's upset, either.

[Pjotr]

I think firejail should come pre installed in 18, sandboxing web apps couldn't be any easier.

Firejail is easy, for sure. I love it and use it daily.
I think it would be fine if Firejail would be pre-installed in Mint 18. Good suggestion.

Provided it's by default not enabled for any application; actually using Firejail for an application should still be a conscious choice of the user, I think.... Given the fact that running applications, even web browsers, without a sandbox is still pretty secure in Linux.

[Fred Barclay]

I do not believe their is any operating system or software that is 100% secure.

You're absolutely right there.
However, a well-admined Linux system is sooooo much more secure than Windows.

[Icarus149]

If you did not download your ISO image on last Saturday (February 20th) and installed your system with it, you are not affected by the hijack.

Don't forget, they hacked the forum, our e-mail addresses are already for sale on the dark net. So be prepared for some more spam now an then

This sucks...

[phd21]

Hi "GreyBeard51", & Everyone Else,

The Linux Mint computer Operating System is very secure, far more than other computer Operating Systems. Obviously, the Linux Mint and related websites (forum website) were not as secure as they could have been. The Linux Mint team realize this now and are taking steps to improve that.

But, that does not mean you cannot make your system even more secure, using software and hardware Firewall(s), FireJail ("Sandboxing" internet programs), changing your local ISP Internet connection's DNS IP Addresses, using a VPN network connection, etc... And, just using rational procedures to follow when surfing the internet, use good passwords, do not save anything that you did not ask for, or open attachments you do not know about, or go to high risk websites, use WPA2 WiFi passwords when using WiFi, etc... There are plenty of articles and posts on the Internet to teach people about using computers and surfing the Internet in a safe and effective manner.

Some Search results on "Surfing the Internet safely"
https://www.google.com/?gws_rd=ssl#q=su ... net+safely

Easy Linux tips for beginners and for advanced users
(Great website) - check for security web links on the right side
https://sites.google.com/site/easylinuxtipsproject/


Having the built-in, installed, software firewall (ufw, gufw) turned on as a default in all Linux Mint editions always seemed to me to be a prudent (smart) thing to do. I was very surprised that the software firewall is not enabled by default? So, now it is one of the first things I tell people to do. You might also be surprised to find out that not all hardware firewalls in "routers" are enabled either by default, and they should be; so check your hardware routers as well to make sure their firewalls are turned on.

If you are using a computer and do not know what a software and or hardware "firewall" is, or a "router", then it is up to you to look up this information regarding your security, your family members security, and your computer's security, especially with regards to surfing the Internet. Of course, if you ask nicely, the good people in this excellent forum will help with that as well.

I would very much like to see the Linux Mint firewall turned on (enabled) as a default in all Linux Mint editions, and it would be nice to have an optional system tray panel firewall "stoplight" type indicator as well. I think "Firejail" is so useful as to warrant being installed in all Linux Mint Editions and letting the new users know about it (welcome screen - new user please read, stuff to do).

FYI: If you want to "stop all Internet" activity, you can just click your Network Manager icon in the system tray panel, and click "disconnect" from your active "connected" local ISP (Internet Service Provider) connection, usually the top item in the list. Then, when you want Internet access again click your Network Manager icon, and click "connect" to your local ISP network connection. I used to like the way certain firewalls, and or 3rd party programs in another computer operating system that I used to use, could also provide a "one click" option in the system tray to "stop all internet activity" until I the user clicked and enabled internet access again. Other than the procedure that I just mentioned, I do not know of any Linux Mint program to do this, perhaps someone else does. I would like one, perhaps a nice feature to add to the firewall system tray panel "stoplight" type indicator that I would like to see and use.

Hope this helps ...

PS: Most people just have to enable the firewall once and that's it, set it and forget it.

But, if you are like me and occasionally like to have a multi-media server (Kodi/xbmc, Plex, PS3 Media Server, etc...) running to stream music, movies (videos), etc... to other devices (Smart TV's, smart Blu-ray DVD players, stereos, phones, tablets, etc...), or are sharing files across multiple computers via home or office networking, then that requires opening various firewall ports for the multimedia server and client software, or the file sharing server and client(s). This is perfectly safe normally, for example while the media server software is working (running), but when it is not running, unless you manually change the firewall to turn off those ports, this leaves that computer system open for security (hacking) problems. So, you have to go into that computer's firewall to turn off (deny) access to those ports once you are done using that software service, and if you want to use that program (software service) again, then manually going back into the firewall again to open (allow) those ports for the program to work, before starting that program again. It would be extremely nice (convenient) if there was an easier more "automatic" firewall method for this, like an application specific firewall enhancement or rule, where these ports are closed until the application is started, then those firewall ports are automatically opened, and then automatically closed when the application is closed.

Edit: 02-25-2016 8pm us eastern: Maybe the current firewall application interface can be modified to use the firewall rule's description field to browse to an installed application, which during this process, can then obtain any pertinent (necessary) information like application launch command name, and maybe PID, rule id#, and automatically enter this information into the description field of the firewall rule, then this can be used by the program's launchers (icons, menu items, etc...) to have the firewall rule(s) "wrap" itself around the program to automatically open the firewall ports (allow, enable) on program start, and to automatically change the ports to (Deny, disable) when the application is exited or terminated, see example below.

"Command: firewall r1o kodi r1c" = firewall rule1open (allow) applicationame=kodi rule1close(deny)
or
"Command: iptables r1o kodi r1c" = firewall rule1open (allow) applicationname=kodi rule1close(deny)

Food for thought ...

[LinuxJim]

Since Mint 17.3 downloads got hacked. Does that change anyone's thoughts on security?

No, it doesn't change my thoughts on security, but it HAS brought to light how insecure the whole Mint ecosystem is. Not only the website, but the distribution itself as well.

Clem & co. are developers (like me), not security experts. Mint has no security team, like some other distros do. Mint doesn't participate in the security alert system, like other distros do. Mint actively PREVENTS many security updates from being applied to your system from upstream, through the tiers of the Update Manager. Mint MODIFIES many of the programs that it gets from upstream, potentially INTRODUCING security holes in those packages.

Also, Clem & co. were NOT as forthcoming and transparent as you think: http://news.softpedia.com/news/linux-mi ... 0901.shtml This shows that the forums had been hacked and our personal info put up for sale ONE MONTH EARLIER than the recent hack, and nobody from the Mint team told us, even though they were aware of it!

I expect many of these shortcomings to change in light of recent events but, until they do, Mint is an INSECURE distribution. My complements to Clem & co. for some great software, but not for security practices.

I have never been a Mint *user* - the only reason I'm here is to keep up on developments and support those people in my circle who use Mint (and to help people on this forum as well). I have already converted three of my supported users away from Mint, with a couple more to go.

If and when the Mint distribution itself has acceptable security, I will be happy to recommend it to my users once again. Anyone can be the victim of a website hack, but what happened here was a reflection of the lax security practices of the Mint team in general.

[Fred Barclay]

The proof is in the pudding; care to back up that tidbit about Mint blocking all those security updates?

And as to the link about the stuff for sale: methinks Twitter is not the proper way to notify the Mint devs of a forum hack, don't you agree? I wouldn't be surprised if Clem still hadn't read that tweet. The Mint twitter account is not exactly a hotbed of activity, ya know!

[LinuxJim]

The proof is in the pudding; care to back up that tidbit about Mint blocking all those security updates?

Huh? It's set up that way BY DEFAULT - read the dozens of posts on this forum dealing with enabling/disabling level 3,4,5 updates...

And as to the link about the stuff for sale: methinks Twitter is not the proper way to notify the Mint devs of a forum hack, don't you agree? I wouldn't be surprised if Clem still hadn't read that tweet. The Mint twitter account is not exactly a hotbed of activity, ya know!

Then why does it exist? Yet another bit of evidence that the Mint team doesn't stay on top of things, don't you think? The point was that the breach happened long before it was made public. Clem is a great guy, it is not my intent to disparage him, but IMO this is an unacceptable faux pas.

[GreyBeard51]

Thanks all, for responding. I'm stickin' with Mint.

[Fred Barclay]

Okay, LinuxJim, that's a bit clearer.

Level 3 updates are enabled by default, actually; and you're right, 4-5 are not. However, it's an easy click to enable all security updates (regardless of level) while disabling the other 4-5 updates (I do it this way). Or you could even install all updates if you like, regardless of level.

I personally like the system the way it is. Some security updates could create an unstable system, so Mint doesn't allow those unless you want 'em. It's a risk either way: if your system crashes due to an instability you can't use it, while if you have a security vulnerability... I prefer risking a slight loss of stability in exchange for all security updates, but it's not a one-size-fits-all solution. Some people need the most stable system possible.
Besides, only some security updates qualify as levels 4 or 5. Most of the ones I've seen are installed by default as levels 1-3 updates.

Being on LMDE 2, also, I've found the Debian package base a bit more stable than the Ubuntu package base, so the risk of an instability is even less.

Now as to the Twitter account, I have no idea what it's for. But still, there are established protocols for contacting developers in this sort of situation, and via Twitter is hardly one of em. I'm sure Pieter what's-his-face is a fine researcher, but he chose to ignore the standard procedure in favour of notifying the Mint devs his own way. That's hardly respectful to Clem, and doesn't reflect well on Pieter either (he must not have valued your or my personal info enough to actually bother to contact Clem properly).

Anyway, it's a new day! Clem has already improved security, and I'm sure more improvements are to come! I am not saying that Mint had/has perfect security (there are several things I would change), but when you look at it, not one single distro has perfect security. Mint's a fine project and very secure.

[Moem]

The proof is in the pudding; care to back up that tidbit about Mint blocking all those security updates?

Huh? It's set up that way BY DEFAULT - read the dozens of posts on this forum dealing with enabling/disabling level 3,4,5 updates...

3 is enabled by default. Only 4 and 5 are disabled.

And as to the link about the stuff for sale: methinks Twitter is not the proper way to notify the Mint devs of a forum hack, don't you agree? I wouldn't be surprised if Clem still hadn't read that tweet. The Mint twitter account is not exactly a hotbed of activity, ya know!

Then why does it exist?

To tweet blog posts. Not necessarily to receive information.

[openmind]

Having UFW enabled would not prevent this form of attack at all.

[Pjotr]

The proof is in the pudding; care to back up that tidbit about Mint blocking all those security updates?

Huh? It's set up that way BY DEFAULT - read the dozens of posts on this forum dealing with enabling/disabling level 3,4,5 updates...

If you examine which updates are tagged level 4 and 5 (the levels that are disabled by default), you'll see that it concerns low-risk packages like Grub and X.Org. Not high-risk packages like Firefox, Adobe Flash Player and such.

Then the withheld kernel updates, which are a category of their own. How likely is it, that a *desktop user* gets hit by an attacker exploiting a kernel vulnerability? From what I've seen: very unlikely.

So all in all: for a desktop user, is Mint less secure than Ubuntu, which doesn't withhold any updates? Yes. By much? No.

Is Mint more stable than Ubuntu? Yes. By much? That depends on your hardware combination.

The price Mint pays for the extra stability for some hardware combinations, in the form of a small decrease in practical security, is therefore pretty low. It's a balanced choice that I think is reasonable.

[LinuxJim]

Level 3 updates are enabled by default, actually; and you're right, 4-5 are not. However, it's an easy click to enable all security updates (regardless of level) while disabling the other 4-5 updates (I do it this way). Or you could even install all updates if you like, regardless of level.

The Mint team is separating the updates into levels. The Mint team is deciding which updates are security-related and which aren't. No other distribution does this. No other distribution takes it upon themselves to second guess what the upstream developers were thinking.

Now as to the Twitter account, I have no idea what it's for. But still, there are established protocols for contacting developers in this sort of situation, and via Twitter is hardly one of em. I'm sure Pieter what's-his-face is a fine researcher, but he chose to ignore the standard procedure in favour of notifying the Mint devs his own way. That's hardly respectful to Clem, and doesn't reflect well on Pieter either (he must not have valued your or my personal info enough to actually bother to contact Clem properly).

What exactly are these "established protocols"? Clem found out about the hacked ISOs through a post in a thread on this forum. Is that the "established protocol"?

Again, kudos to Clem for some fine work in developing Mint, but there is still a long road ahead. People should not be lulled into a false sense of security by the shoutings of those wearing fanboy hats and crying that all is back to business as usual...

[Fred Barclay]

Shucks! I left my fanboy hat at home. I also don't SHOUT THAT MUCH; I'm more or less quiet by nature.

"Established protocols" are email or IRC, in my opinion. Clem doesn't actively participate here much anymore, so trying to contact him through the forums is probably a hit-or-miss situation.

As a matter of fact, the Linux Mint main page has a Contact Us section (linked). This would be the obvious way Pieter should have let us know.

I take it you haven't run Debian Stable? There are the "updates" repos, and then there are the "security updates" repos. Many other distros do divide which-is-which.
Now for example, a rolling distro wouldn't do this, because it gets updates for every single package, regardless. But something like Mint or Debian Stable, that is stable and only gets required updates, needs to distinguish between the two.

[Cosmo.]

No other distribution does this. No other distribution takes it upon themselves to second guess what the upstream developers were thinking.

Which conclusion do you draw out of this? My conclusion is, that Mint does pay more attention to stability than others do.This is not a fault, but a feature.

Clem found out about the hacked ISOs through a post in a thread on this forum. Is that the "established protocol"?

This thread you mentioned has been read at least by one moderator, who confirmed the reported problem. It is not so unlikely, that he or any other team member did sent a message to Clem. And he reacted as we know immediately.

The usual way for a security researcher is to give his information on a private way (Twitter is not one of them) to the developer / company to give them at first the needed time to react accordingly. A message on Twitter / Facebook / wherever can also be a fake. Pitifully this was not the case here, but you know that only afterwards.