#1 2016-07-17 23:41:50

cloverskull
Member
Registered: 2015-10-01
Posts: 343

Linux Mint possibly compromised

Hey guys,

Interesting news here: https://linuxmodder.wordpress.com/2016/ … al-notice/

Top comment on the post sums up my feelings, more or less.

@BL Devs/maintainers - how "hardened" are we against something similar? Ubuntu forums just got hit as well, seems like a decent time to discuss security.

Offline

#2 2016-07-18 02:36:34

vasa1
Member
Registered: 2015-09-29
Posts: 204

Re: Linux Mint possibly compromised


Using the Openbox (3.5.2) session of Lubuntu 14.04 LTS but very interested in BL :)

Offline

#3 2016-07-18 06:25:39

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 8,759
Website

Re: Linux Mint possibly compromised

cloverskull wrote:

how "hardened" are we against something similar?

As long as any downloaded ISO images are verified with the provided checksum file [1] then that image can be considered "safe".

Overly paranoid users are invited to follow this method to install a basic, bootable Debian jessie filesystem tree:
https://www.debian.org/releases/jessie/ … 03.html.en

Then follow this guide to install the BL packages and configurations on top:
https://github.com/BunsenLabs/bunsen-netinstall

These methods are based on scripts and are thus entirely transparent in their operation. :)


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII., 18.


Offline

#4 2016-07-18 07:25:26

Nili
Member
From: $HOME/♫♪
Registered: 2015-09-30
Posts: 1,020
Website

Re: Linux Mint possibly compromised

I read Ubuntu as well on Debian forum?

Anyway, wish both distros to exceed these situations without significant damage.


Devuan // CWM
Fedora // GNOME

Offline

#5 2016-07-18 14:52:55

Sector11
Conky 1.9er Mod Squid
From: Upstairs
Registered: 2015-08-20
Posts: 6,821

Re: Linux Mint possibly compromised

@ cloverskull

I like the post by Buck (@the_great_aspie) written on: July 18, 2016 at 08:42 (today)


The sun will never set if you keep walking towards it. - my son
Being positive doesn't understand physics.
_______________________________
Debian 10 Buster = SharpBang ♯!

Offline

#6 2016-07-18 16:12:09

cloverskull
Member
Registered: 2015-10-01
Posts: 343

Re: Linux Mint possibly compromised

Haha yeah, I guess it's an intentional smear. Interesting.

Offline

#7 2016-07-18 19:32:58

Sector11
Conky 1.9er Mod Squid
From: Upstairs
Registered: 2015-08-20
Posts: 6,821

Re: Linux Mint possibly compromised

Not sure what the motive was, but reading all the comments some things didn't add up.  That last comment put it more in perspective for me - and I'm a noob.  I did get the email from Mint, referred to in my link, and re-set my password.  So yea, I get the feeling it was a smear campaign.  Others may know better.



Offline

#8 2016-07-18 21:44:09

redcollective
Member
From: The Wilds
Registered: 2015-09-29
Posts: 111

Re: Linux Mint possibly compromised

I found this article bordering on mendacious.

http://imgur.com/nzbBHvM

The checksums for a Debian CD are included in the download directories if you are using HTTP and are not "hard to find". I reckon it is arguable that anyone actively seeking out a download for a Linux distribution should also be sufficiently equipped to find the checksums for their download.

It's a long time since I used jigdo to download Debian but I believe it too uses the jigdo file for the download to carry the checksums.

Having said all that, the most recent install of Bunsen I did was a netinstall and I have to admit I probably didn't bother to verify the image I downloaded from the Debian website.

A serious question though: a torrent from an authoritative .torrent file is pretty much self verifying isn't it? The pieces have to be a cryptographic match to the hashes in the torrent file?

Red


Knowledge Ferret

Offline

#9 2016-07-18 22:09:43

damo
....moderator....
Registered: 2015-08-20
Posts: 6,722

Re: Linux Mint possibly compromised

redcollective wrote:

....
A serious question though: a torrent from an authoritative .torrent file is pretty much self verifying isn't it? The pieces have to be a cryptographic match to the hashes in the torrent file?

Red

Yes. Which is another reason for preferring the torrent for a BL iso (apart from speed, repo bandwidth etc.).


Be Excellent to Each Other...

Offline

#10 2016-07-19 05:13:23

earlybird
ほやほや
Registered: 2015-12-16
Posts: 738
Website

Re: Linux Mint possibly compromised

redcollective wrote:

A serious question though: a torrent from an authoritative .torrent file is pretty much self verifying isn't it? The pieces have to be a cryptographic match to the hashes in the torrent file?

A torrented file will of course contain the data described by the torrent if it has been downloaded successfully.  You still need to be sure that the torrent file you used was integer.

Offline
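
The torrent question discussed in posts #8 to #10, as an added example that is not part of any post in this thread: it checks a payload piece by piece against the SHA-1 list in a torrent and computes the info-hash that identifies the torrent itself. It assumes a single-file BitTorrent v1 torrent; the function names, the `tracker.invalid` URL and the sample data are constructed for illustration.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value starting at data[i]; return (value, next index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict: items until 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        return (items if c == b"l" else dict(zip(items[0::2], items[1::2]))), i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def info_hash(torrent):
    """SHA-1 over the raw bencoded 'info' dict: the value that identifies a torrent."""
    i = 1                                           # skip the top-level 'd'
    while torrent[i:i + 1] != b"e":
        key, start = bdecode(torrent, i)
        _, i = bdecode(torrent, start)
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no info dictionary")

def bad_pieces(torrent, payload):
    """Return indexes of pieces whose SHA-1 differs from the torrent's piece list."""
    info = bdecode(torrent)[0][b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]
    expected = -(-len(payload) // plen)             # ceiling division
    if len(payload) != info[b"length"] or len(hashes) != 20 * expected:
        raise ValueError("size does not match torrent metadata")
    return [n for n in range(expected) if hashlib.sha1(
        payload[n * plen:(n + 1) * plen]).digest() != hashes[n * 20:(n + 1) * 20]]

def make_torrent(payload, plen, name=b"sample.iso"):
    """Build a constructed single-file torrent for the demo (not a real release)."""
    pieces = b"".join(hashlib.sha1(payload[i:i + plen]).digest()
                      for i in range(0, len(payload), plen))
    info = b"d6:lengthi%de4:name%d:%s12:piece lengthi%de6:pieces%d:%se" % (
        len(payload), len(name), name, plen, len(pieces), pieces)
    return b"d8:announce22:http://tracker.invalid4:info" + info + b"e"

ISO = bytes(range(256)) * 16                        # constructed 4096-byte stand-in
TAMPERED = ISO[:1500] + b"\x00" + ISO[1501:]        # one byte changed inside piece 1
GOOD_TORRENT, EVIL_TORRENT = make_torrent(ISO, 1024), make_torrent(TAMPERED, 1024)
```

A modified payload fails against the original torrent, but a torrent rebuilt around the modified payload passes its own piece check; only the info-hash, compared against a value obtained over a trusted channel, tells the two torrents apart.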

#11 2016-07-19 13:39:31

Anaconda
crypto-anarchist
From: Quesnel BC Canada
Registered: 2015-09-29
Posts: 228

Re: Linux Mint possibly compromised

Sector11 wrote:

So yea, I get the feeling it was a smear campaign.  Others may know better.

Well, there were some legitimate concerns but, yeah, it seemed a bit overhyped to me too. The thing about that is, whenever there is a real world example of a security issue with our beloved, more secure than proprietary OS's Linux, some folks are going to make as big a deal out of it as possible.

So I checked things out at the bunsenlabs installation page. Looks like we did extremely well by the standards of the above piece.


“The university is well structured, well tooled, to turn out people with all the sharp edges worn off...." Mario Savio
"Protections for anonymous speech are vital to democratic discourse". Help enforce our right to free and anonymous speech by running a Tor relay.

Offline

#12 2016-07-20 04:34:48

johnraff
nullglob
From: Nagoya, Japan
Registered: 2015-09-09
Posts: 8,335
Website

Re: Linux Mint possibly compromised

^respect to Sherrif Two-irons!


...elevator in the Brain Hotel, broken down but just as well...
( a boring Japan blog (currently paused), idle Twitterings and GitStuff )


Offline
