Linked by Thom Holwerda on Mon 22nd Feb 2016 11:04 UTC
Linux

Over the weekend, news broke that Linux Mint's servers were compromised, and ISO images were replaced by compromised versions with a backdoor. Everything was made public, and Mint responded in the only way they could: disclosure, site taken down.

Sadly, it turns out that Linux Mint has somewhat of a bad name when it comes to security.

To conclude, I do not think that the Mint developers deliver professional work. Their distribution is more a crude hack of existing Debian-based distributions. They make fundamental mistakes and put their users at risk, both in the sense of data security as well as licensing issues.

I would therefore highly discourage anyone using Linux Mint until Mint developers have changed their fundamental philosophy and resolved these issues.

Let's hope this issue raises a number of red flags for the Mint team so they can start to take steps to better the situation.

But...
by Soulbender on Mon 22nd Feb 2016 11:30 UTC
Soulbender
Member since:
2005-08-18

...Mint is awesome-sauce. I keep hearing that all the time here on osnews.

Reply Score: 1

RE: But...
by WereCatf on Mon 22nd Feb 2016 12:57 UTC in reply to "But..."
WereCatf Member since:
2006-02-15

I don't know about Mint as a whole, but I do really like the Cinnamon DE. It's clean, fast and just suits my style and tastes real well. Alas, I just tried to install Cinnamon under Ubuntu 15.10 and, well, it doesn't work too well: https://dl.dropboxusercontent.com/u/11811685/cinnamon.jpg

This is a fresh install, I only installed latest updates and then proceeded to install Cinnamon. Makes me quite sad :/

Reply Score: 3

RE[2]: But...
by theeil on Mon 22nd Feb 2016 13:33 UTC in reply to "RE: But..."
theeil Member since:
2005-09-18

Looks like you just need to install the right icon set, or change your icons in the settings. It seems like they just need to set the dependencies properly on the cinnamon package and all would be well.

Reply Score: 2

RE[3]: But...
by WereCatf on Mon 22nd Feb 2016 13:41 UTC in reply to "RE[2]: But..."
WereCatf Member since:
2006-02-15

Looks like you just need to install the right icon set, or change your icons in the settings. It seems like they just need to set the dependencies properly on the cinnamon package and all would be well.


Do notice how e.g. the file-manager has rendering-issues, too.

Reply Score: 2

RE[2]: But...
by Morgan on Mon 22nd Feb 2016 14:16 UTC in reply to "RE: But..."
Morgan Member since:
2005-06-29

Ubuntu generally doesn't play well with installing DEs other than the one your release came with. It takes a ton of tweaking by their respective teams to get Kubuntu/Xubuntu/Lubuntu/Ubuntu Mate looking and performing well before release, and trying to install any other DE after the fact on any of those will be full of gotchas.

You may want to look at Cubuntu, though it's an unofficial Ubuntu derivative so may have unforeseen bugs and issues compared to Ubuntu proper. Still, it's probably the best way to try out Cinnamon apart from Mint itself (which is obviously not a good idea until they sort all this out).

Reply Score: 4

RE[3]: But...
by sb56637 on Mon 22nd Feb 2016 19:34 UTC in reply to "RE[2]: But..."
sb56637 Member since:
2006-05-11

I run Cinnamon without any problems on openSUSE. You may need to switch to a different icon theme, but there are no hard dependencies on Mint.

Edited 2016-02-22 19:34 UTC

Reply Score: 4

RE[3]: But...
by tylerdurden on Mon 22nd Feb 2016 22:14 UTC in reply to "RE[2]: But..."
tylerdurden Member since:
2009-03-17

Nonsense. Mainline ubuntu works just fine with other DEs. I have a couple of 14.04 LTS machines running the latest KDE and Cinnamon without a problem.

It's super easy too: add the PPA, update, install the specific DE, go on with your merry life...

Reply Score: 3

RE[4]: But...
by Morgan on Mon 22nd Feb 2016 23:29 UTC in reply to "RE[3]: But..."
Morgan Member since:
2005-06-29

Interesting, I've had issues with several "aftermarket" DEs on Ubuntu over the years. Granted, I don't run Ubuntu daily, I only fuss with it when there's a new release just to see what it can do, so I'm sure I'm not aware of the proper arcane incantations necessary to bend it to my will. It's just not worth the effort when the official derivatives (Xubuntu, Kubuntu etc.) do such a great job.

Reply Score: 2

RE[5]: But...
by tylerdurden on Tue 23rd Feb 2016 07:18 UTC in reply to "RE[4]: But..."
tylerdurden Member since:
2009-03-17

In my experience, it literally takes 3 commands to install the latest KDE, XFE, and cinnamon. I'm currently running the latest cinnamon on a 14.04lts machine. Installing it was IMO a painless and straightforward process.

Things are about to get weird....

Reply Score: 2

RE[2]: But...
by Luminair on Tue 23rd Feb 2016 20:10 UTC in reply to "RE: But..."
Luminair Member since:
2007-03-30

yeah, I don't know about you guys, but I thought from looking at the website that mint is a flaky operation run by one guy.

cinnamon is nice, and you can install that on a substantial distro like debian, so just do that instead

Reply Score: 2

RE: But...
by juzzlin on Mon 22nd Feb 2016 20:54 UTC in reply to "But..."
juzzlin Member since:
2011-05-06

...Mint is awesome-sauce. I keep hearing that all the time here on osnews.


It's just a distro for the few vocal Ubuntu haters.

Reply Score: 2

Comment by ssokolow
by ssokolow on Mon 22nd Feb 2016 12:08 UTC
ssokolow
Member since:
2010-01-21

I remember hearing something similar about Arch's attitude toward security (it being lacklustre) and haven't had time to do the research to conclusively confirm or deny it.

That's why I've stayed on Lubuntu so long since switching off Gentoo when I botched something and needed a working system FAST.

Edited 2016-02-22 12:09 UTC

Reply Score: 2

ahferroin7
Member since:
2015-10-30

Guess I won't be recommending Mint to anyone anymore...

I'm frankly starting to run out of stuff to recommend to people who don't have the patience to actually learn how the system works (I just recommend Gentoo to people who do have such patience).

Reply Score: 1

righard Member since:
2007-12-26

Currently I find Fedora to fit this purpose pretty well.

Reply Score: 2

ahferroin7 Member since:
2015-10-30

That really depends on what you're recommending it for though. I generally don't recommend Fedora on two specific grounds:
1. One of the big selling points for many people I've introduced to Linux is that updates are so much faster than on Windows, and you don't always have to reboot to complete them, Fedora pretty much nukes both arguments. Yum/DNF have a horribly inefficient dependency solver. This means that calculating upgrades takes way longer than it should, and also uses a significant amount of system resources. This is fine for a server system that only gets upgraded during scheduled downtime, but it's horrible for a desktop where people expect to be able to use the system for other things while upgrades are happening. Also, it's not all that infrequent from what I've seen that the whole system needs to go down to finish upgrading things (because of how interdependent everything is).
2. Under the hood, Fedora is extremely limiting when it comes to choices. They support nothing other than SystemD. They have limited choices for building custom kernels due to the large number of patches they have. They make it particularly difficult to switch desktop environments (this is usually difficult, but due to their packaging, it's a lot trickier on Fedora and many other RPM based distros than it is on something like Gentoo). They make it somewhat difficult to deal with third-party drivers (though they do a much better job of handling such things than many distros, largely because it's a common target for out of tree module developers due to the similarity to RHEL and CentOS). This is actually a common issue I have with a majority of Linux distributions other than Fedora (including Ubuntu), and Mint was one of the last ones that I knew of other than Arch that isn't source based and did a decent job of minimizing this issue.

Reply Score: 2

muep Member since:
2006-03-19

That really depends on what you're recommending it for though. I generally don't recommend Fedora on two specific grounds:
1. One of the big selling points for many people I've introduced to Linux is that updates are so much faster than on Windows, and you don't always have to reboot to complete them, Fedora pretty much nukes both arguments. Yum/DNF have a horribly inefficient dependency solver. This means that calculating upgrades takes way longer than it should, and also uses a significant amount of system resources. This is fine for a server system that only gets upgraded during scheduled downtime, but it's horrible for a desktop where people expect to be able to use the system for other things while upgrades are happening. Also, it's not all that infrequent from what I've seen that the whole system needs to go down to finish upgrading things (because of how interdependent everything is).

I agree that dnf is not the fastest package manager out there, but it is still quite reasonable. I usually use the system normally while updating.

Also the interdependencies are mostly the same you'd see in other big distros. Fedora is just a bit more worried about the side effects of running old stuff mixed with new stuff side by side. So you will have the occasional recommendation to reboot.

I run a Rawhide system in desktop use and I usually do not reboot. This usually goes just fine, but sometimes I do run into weird behavior e.g. in KDE that then disappears on next login.


2. Under the hood, Fedora is extremely limiting when it comes to choices. They support nothing other than SystemD. They have limited choices for building custom kernels due to the large number of patches they have. They make it particularly difficult to switch desktop environments (this is usually difficult, but due to their packaging, it's a lot trickier on Fedora and many other RPM based distros than it is on something like Gentoo). They make it somewhat difficult to deal with third-party drivers (though they do a much better job of handling such things than many distros, largely because it's a common target for out of tree module developers due to the similarity to RHEL and CentOS). This is actually a common issue I have with a majority of Linux distributions other than Fedora (including Ubuntu), and Mint was one of the last ones that I knew of other than Arch that isn't source based and did a decent job of minimizing this issue.


Fedora does indeed currently only support the systemd init.

In general, Fedora seems to ship with some tens of kernel patches. I think this is fairly decent as far as distros of similar scope go. The patches are supposed to mostly address bugs that have not yet been fixed upstream. E.g. ARM hardware support is limited in some cases by the requirement to keep the kernel close to mainline.

I usually run an unpatched vanilla kernel and have not noticed the ones in fedora to cause problems with that.

Reply Score: 1

Delgarde Member since:
2008-08-19

Fedora is just a bit more worried about the side effects of running old stuff mixed with new stuff side by side. So you will have the occasional recommendation to reboot.


Agreed... Fedora doesn't *require* reboots any more than any other distro. They just recommend it in the graphical updater, because for non-technical users, it's the easiest way to ensure all the updated services get restarted properly.

Personally, I just use "dnf update" whenever the UI notifies me of updates, and make a call on rebooting when I see what's coming in.

Reply Score: 2

shyouko Member since:
2005-12-31

Recently installed a fresh copy of Fedora 23 Server onto my desktop box and then just:
# dnf group install "Cinnamon Desktop"
# systemctl set-default graphical.target

I haven't seen anything broken for the last week.

Now considering wiping Mint from my notebook too.

Reply Score: 1

Comment by Gone fishing
by Gone fishing on Mon 22nd Feb 2016 13:55 UTC
Gone fishing
Member since:
2006-02-22

So Mint had their servers compromised and bad ISOs released - this is bad. They may also have issues with how they package binaries - not good. But I'm failing to see a cause and effect here.

Reply Score: 5

A link rather than ISO images
by jessesmith on Mon 22nd Feb 2016 14:00 UTC
jessesmith
Member since:
2010-03-11

The summary is not entirely accurate. The ISO images were not replaced. A single link to one ISO image (the Cinnamon edition of Mint 17.3) was replaced so people would download an infected ISO from the attacker's server. People who used direct links or torrents to download the ISO images were not affected.

The whole thing seems overblown. Lots of open source projects have had their servers compromised over the years. FreeBSD, Fedora, Debian... In each case the issue is usually identified right away (as it was with Mint), the problem fixed and we all go back to normal. The whole "the sky is falling" wave of posts and articles is just pointless fear mongering.

Yes, having a project's website hacked is bad, but very few people were affected, the situation was resolved quickly and the fix is easy. This should not be a big deal.

Reply Score: 7
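
A check that would flag the kind of change described in the comment above, where a download link on a project page is repointed at a different server. This is an added example, not part of the original thread or of any Mint tooling; the host names, sample page and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the hosts the project itself uses to serve ISO images (constructed names).
EXPECTED_HOSTS = frozenset({"downloads.example.org", "mirror.example.net"})

# Constructed sample of a download page; 203.0.113.7 is a documentation-range address.
BASE_URL = "https://downloads.example.org/"
SAMPLE_PAGE = """
<ul>
  <li><a href="/stable/17.3/mate-64bit.iso">MATE</a></li>
  <li><a href="https://mirror.example.net/stable/17.3/xfce-64bit.iso">Xfce</a></li>
  <li><a href="http://203.0.113.7/stable/17.3/cinnamon-64bit.iso">Cinnamon</a></li>
  <li><a href="https://downloads.example.org@files.example.com/kde-64bit.iso">KDE</a></li>
  <li><a href="/docs/release-notes.html">Release notes</a></li>
</ul>
"""


class IsoLinkCollector(HTMLParser):
    """Collect the absolute URL of every <a href> whose path ends in .iso."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if not href:
            return
        # Resolve relative links against the page URL before inspecting them.
        absolute = urljoin(self.base_url, href)
        if urlsplit(absolute).path.lower().endswith(".iso"):
            self.links.append(absolute)


def audit_download_page(html, base_url, expected_hosts=EXPECTED_HOSTS):
    """Return [(url, [reasons])] for ISO links that leave the expected hosts."""
    collector = IsoLinkCollector(base_url)
    collector.feed(html)
    findings = []
    for url in collector.links:
        parts = urlsplit(url)
        # .hostname drops any "user@" prefix, so a link that merely starts
        # with a trusted name is still judged by the host it really targets.
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        if host not in expected_hosts:
            reasons.append("unexpected host")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in audit_download_page(SAMPLE_PAGE, BASE_URL):
        print(f"ALERT {url}: {', '.join(reasons)}")
```

Run on a schedule from a machine outside the web server, this kind of check compares what the public page serves against what the project intends to publish.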

RE: A link rather than ISO images
by Morgan on Mon 22nd Feb 2016 14:21 UTC in reply to "A link rather than ISO images"
Morgan Member since:
2005-06-29


Yes, having a project's website hacked is bad, but very few people were affected, the situation was resolved quickly and the fix is easy. This should not be a big deal.


Ideally no, it shouldn't be a big deal once it's fixed. However, it has inevitably damaged Mint's reputation for security and trust, and they will have to work hard to regain that trust. That's just the way the world works, and no amount of wishing will change people's minds.

I see it from a more positive side; this has caused an obviously needed shakeup at Mint and hopefully they will come out of this more secure and more trustworthy than before.

Besides, it didn't take long for the projects you mentioned to bounce back from their own gaffes; this should be no different.

Edited 2016-02-22 14:22 UTC

Reply Score: 4

nicubunu Member since:
2014-01-08

Consider both Fedora and Debian were breached in the past, but they now have a decent reputation.
IIRC, those were more serious incidents, with the attackers compromising the build system (at the time of the Fedora incident I was a contributor and we all had to change our passwords) not a mere attack on the website.

Reply Score: 3

So...
by darknexus on Mon 22nd Feb 2016 14:09 UTC
darknexus
Member since:
2008-07-15

Where's that amazing security open source is magically supposed to give us?
Points to the Mint team for full disclosure. I wish all teams, and companies, would do as well. However I think this proves that the automatic answer of a lot of commenters here of "open source it all!" isn't magically going to make anything better. Security is security, whether it's open or proprietary and one is no more intrinsically secure than the other.

Reply Score: 0

RE: So...
by tylerdurden on Mon 22nd Feb 2016 22:23 UTC in reply to "So..."
tylerdurden Member since:
2009-03-17

Where's that amazing security open source is magically supposed to give us?


In the closet where strawmen are stored?

Reply Score: 3

Linux Mint friendly distro
by yerverluvinunclebert on Mon 22nd Feb 2016 15:53 UTC
yerverluvinunclebert
Member since:
2014-05-03

Linux Mint is one of the most user-friendly desktop distros and it is sad to hear of any failure, build, security or otherwise that might put users off. There are so many fragmented versions of linux and so many internecine detractors that divert users from home-grown linux and straight into the arms of Apple and Microsoft.

Edited 2016-02-22 15:54 UTC

Reply Score: 1

*how* is important
by project_2501 on Mon 22nd Feb 2016 15:55 UTC
project_2501
Member since:
2006-03-20

*HOW* this happened is really important.

Yes we can say that the impact was "so so", "not major" .. or we may say that websites should expect to be hacked, ... or we may say that they finally published a blog about all the drama so they've nothing to hide.

But that all misses key points:

1. How did this happen? Technically. Was it a sophisticated attack, or a junior attack against which there should have been basic protections?

2. How do we know this won't happen again?

3. What was the handling? What was the sequence of events? Was there a delay in finding out? Delay in acting? Delay in isolating the suspected systems? What was the forensics done (or just basic log review)? What did they find out, if anything?

4. How do they know that the impact "was not so massive"? What reason do we have to believe such statements?

5. Aside from the technical mechanics of the attack, what culture (processes) were in place? Who is responsible for the website which people are asked to trust? What monitoring happens? Who is alerted and what happens? What were the lessons learned from this incident? .. in 2016 websites really shouldn't be hackable.

Are the various comments online true about the linuxmint dev's not really focussing on security eg advisories?

Reply Score: 2

RE: *how* is important
by Alfman on Mon 22nd Feb 2016 21:34 UTC in reply to "*how* is important"
Alfman Member since:
2011-01-28

project_2501,

Are the various comments online true about the linuxmint dev's not really focussing on security eg advisories?



That someone changed the ISO download link is not good, hopefully Mint will up its defenses. That said realistically hacks can & do happen even to the best of us. It wasn't too long ago that RSA security keyfobs used to protect fortune 500 companies were breached and enterprise security is their job! Anyone who thinks they are 100% secure is 100% naive!

The hack is newsworthy, but the other criticisms mostly sound like someone with an axe to grind blowing things out of proportion. Mint doesn't publish upstream CVEs because they piggyback off of ubuntu packages for almost everything, including security updates. When a vulnerability comes up, it will be fixed at the exact moment that Ubuntu fixes it in their repo. Not before, and not after.

Consider this: it is very likely that Mint's security would be much *much* worse if they attempted to do their own packages. Without tons of resources, attempting to do security patches for tens of thousands of packages in-house would be an unmitigated disaster... my 2 cents.

Reply Score: 5

v Don't say I didn't tell you... ;-)
by MrHood on Mon 22nd Feb 2016 16:53 UTC
ahferroin7 Member since:
2015-10-30

This reinforces exactly why I run Gentoo on all my personal systems, and make a point to regularly audit _everything_, including doing penetration testing and simulating all manner of hardware failure modes.

Reply Score: 1

tylerdurden Member since:
2009-03-17

While I appreciate your initiative trying to come up with your own FUD. It's gibberish. Perhaps you're even more out of your depth than usual.

Edited 2016-02-22 22:35 UTC

Reply Score: 5

MrHood Member since:
2014-12-02

While I appreciate your initiative trying to come up with your own FUD. It's gibberish. Perhaps you're even more out of your depth than usual.


I was in fact expecting your comeback as the perfect OSS zealot/troll of sorts. Thanks for showing up and helping out in representance of the average OSNews reader of recent times!

Ditto.

Reply Score: 1

tylerdurden Member since:
2009-03-17

...said angrily the doofus who keeps typing www.osnews.com, on his browser's address bar, and expects to read www.windowscentral.com

LOL

Reply Score: 2

MrHood Member since:
2014-12-02

...said angrily the doofus who keeps typing www.osnews.com, on his browser's address bar, and expects to read www.windowscentral.com

LOL


It's amusing to see that the child in you feels the need to strike back every time, like you were in a kindergarten quarrel... On the other hand, it's sad to ascertain that your misinformation does equal your arrogance - you should have quoted Neowin (which I don't read) as a true MS-fanboy site.

But don't worry, keep waiting. Some day somebody will build up www.linusasskissers.com for you and your upvoting friends...

LOL. ;-)

Reply Score: 1

tylerdurden Member since:
2009-03-17

It's amusing to see that the child in you feels the need to strike back every time, like you were in a kindergarten quarrel...



.. but enough about yourself.

Reply Score: 2

knee-jerk sensationalism
by FunkyELF on Mon 22nd Feb 2016 18:17 UTC
FunkyELF
Member since:
2006-07-26

This all seems to be knee-jerk and sensationalist.

Let's wait for the dust to settle and see how they got hacked. Was it something a novice hacker could have pulled off or something that took a bunch of resources? Time will tell.

Reply Score: 4

I found this out from Amazon searches
by benali72 on Mon 22nd Feb 2016 18:41 UTC
benali72
Member since:
2008-05-03

I run Mint and discovered the Mint servers were missing when I tried to do a search on Amazon through the Firefox search box. Apparently Amazon searches go through the Mint servers first and since the Mint servers were down this stopped the searches from working with the browser message: UNABLE TO CONNECT To http://redir.linuxmint.com/amazon...

While I appreciate Mint needs to make referral money, this shows that there are costs to having an unnecessary server dependency.

As of 1:30 pm EST Monday Feb 22, this search still doesn't work.

Reply Score: 6

Remastersys
by lucas_maximus on Mon 22nd Feb 2016 19:48 UTC
lucas_maximus
Member since:
2009-08-18

Mint was a lot better than the Remastersys distros that followed from Ubuntu if we go back a good few years ago.

It's always better to keep to distros that are backed by large companies because you are more likely to have professional devs putting it together rather than talented amateurs.

Reply Score: 2

Mint hacked - Mint bad
by jbijnens on Mon 22nd Feb 2016 19:58 UTC
jbijnens
Member since:
2005-12-30

I'm quite aware of all the technical reasoning that is given the last day about why Mint is bad, but as stated before, this is not the first server from an open source project that is hacked and it will not be the last. And yes I understand that the way the distribution is built could be done in another better way. But then again they are not alone. There are several software packages that when I take a closer look at the source code make me very very sad. But then again they seem to work. There are too many remarks that seem to indicate some jealousy about the success of Mint is behind these remarks. I also read that Mint users are a bit "too stupid" to take security seriously. Please stop feeling good in the Linux niche/comfort zone and take also less technical users into consideration. Go on like this and within 10 years you will be asking yourself why Linux still hasn't made it to the desktop (if there still is a desktop). Let us stop pointing at each other and be a real Linux "community" where you have experts, would-be-experts and yes also fools.

Edited 2016-02-22 19:59 UTC

Reply Score: 3

Mint Trolls Amass their Armies
by vtpoet on Tue 23rd Feb 2016 02:41 UTC
vtpoet
Member since:
2013-12-31

Ever since Mint created Cinnamon, mostly all I've ever read is praise for the distribution. Now that Mint has stumbled, I'm kinda' amazed by all the vitriol. Talk about kicking a man when they're down. It's as if all the Mint Trolls got a get-out-of-jail-free card and Sauron took the One Ring from Frodo. I've never read so much pent-up Mint/distro bashing. Wow.

Reply Score: 2

RE: Mint Trolls Amass their Armies
by pepa on Tue 23rd Feb 2016 05:37 UTC in reply to "Mint Trolls Amass their Armies"
pepa Member since:
2005-07-08

Yes, I've felt all the praise most of the time was over the top, but indeed, this amount of negativity is also unwarranted, and moreover, unhelpful. Rather offer some constructive criticism, rather than to kick a project when it's down, that's downright disheartening and discouraging.

Reply Score: 2

tylerdurden Member since:
2009-03-17

That's the thing with pendulums; a lot of the praise was starting to err on the delusional, eventually expectations and reality say 'hi' to each other, and then things swing the other way towards irrational negativity.

Reply Score: 2

RE: Mint Trolls Amass their Armies
by joekiser on Wed 24th Feb 2016 21:29 UTC in reply to "Mint Trolls Amass their Armies"
joekiser Member since:
2005-06-30

Ever since Mint created Cinnamon, mostly all I've ever read is praise for the distribution. Now that Mint has stumbled, I'm kinda' amazed by all the vitriol. Talk about kicking a man when they're down. It's as if all the Mint Trolls got a get-out-of-jail-free card and Sauron took the One Ring from Frodo. I've never read so much pent-up Mint/distro bashing. Wow.


Not at all true. People have been complaining about the complete disregard for security coming out of the Linux Mint camp for _years_. Remember this?

http://www.omgubuntu.co.uk/2013/11/canonical-dev-dont-use-linux-min...

What really happened, is because of Windows 8 and Windows 10, there have been a _lot_ of new Linux users since 2013. They have been recommended to try Linux Mint, and then started aping their positive experience to others.

The current backlash against the Mint team is that they are either so incompetent that they do not know the full extent of their server compromise, or they are outright lying to their users when they claim that only ISO downloads for two days this weekend were affected. We know from independent sources (https://twitter.com/ChunkrGames/status/688346150622081024) that Linux Mint website information was for sale the day after Christmas. That's two months ago. It's very likely that the site was compromised before that.

If I was a Linux Mint user, I would be wiping my install and changing all of my passwords once I got set up on the other side with another distribution.

TL;DR - Linux Mint exposed their users, then lied to them about it, and shouldn't be trusted.

Reply Score: 2

What about Cinnamon without Mint?
by ThomasFuhringer on Tue 23rd Feb 2016 09:03 UTC
ThomasFuhringer
Member since:
2007-01-25

Cinnamon is by far the nicest Linux desktop to me at the moment. I understand that nowadays I can also use it from a pure Debian distribution. Wonder how much I miss if I just go upstream.

Reply Score: 2

Luminair Member since:
2007-03-30

I tested cinnamon on debian and it worked fine.

what you miss from mint are all the little quality of life tweaks that every custom distro has... which you enjoy while you have them... and you don't miss when you lose them

Reply Score: 2

Blowhards
by bhhenry on Wed 24th Feb 2016 04:40 UTC
bhhenry
Member since:
2005-07-06

Come on Thom, that 3rd link is to a comment on a news headline article. Not much of a source.

The ZDNet article of the second link purports to be a scoop from the actual perp. It seems more like a product placement ad for a "breach notification site" to me.

Regardless, I would not download any software from Bulgaria.

We are all at risk right where our router plugs into our ISP. It's getting time to put more resources into the firewall. Good topic for an article.

Does anyone know how many downloads of the bad ISO there were?

An Ars Technica article is here: http://arstechnica.com/security/2016/02/linux-mint-hit-by-malware-i...

Reply Score: 1

Comment by emphyrio
by emphyrio on Thu 25th Feb 2016 09:51 UTC
emphyrio
Member since:
2007-09-11

The initial response from the mint-team was quite good, disclosure + closing down the site. The follow-up is disappointing: malware infected ISO's were distributed via the official mint-site. Nothing less than closing down until after the recommendations of a security-audit are implemented is satisfactory imo.

Edited 2016-02-25 09:58 UTC

Reply Score: 1

RE: Comment by emphyrio
by jbijnens on Thu 25th Feb 2016 11:42 UTC in reply to "Comment by emphyrio"
jbijnens Member since:
2005-12-30

This is not completely correct. The link on their site was altered to point to a corrupted ISO located on servers in Bulgaria. The "real" ISO's were not tampered with. The "hacking" was done by using a vulnerability in the WordPress engine. WordPress is the CMS used for the Linux Mint website. So I don't fully understand why you ask for a complete security audit.

Reply Score: 1

RE[2]: Comment by emphyrio
by emphyrio on Thu 25th Feb 2016 16:32 UTC in reply to "RE: Comment by emphyrio"
emphyrio Member since:
2007-09-11

If you went to the official linux-mint website and clicked on the download links provided there you got the infected ISO's. Regardless of how that was achieved that is a big security failure (Why was wordpress used? Was it configured properly?). They clearly need some outside experts to check whether there are some other holes in their security - hence the audit.

Edit: typos

Edited 2016-02-25 16:52 UTC

Reply Score: 1