Monthly News – February 2016

Written by Clem on Tuesday, March 1st, 2016 @ 1:37 pm | Main Topics

News

The attacks

Since that Saturday night on February 20th, all our efforts went towards protecting our project and our community. After the despicable attacks on our website and the deliberate attempts at hurting our users, we had to react fast and efficiently. The compromised server was shut down, all ongoing projects were stopped and all our time, efforts and resources were used to address the situation.

We had to work really hard, day and night for more than a week on this. We had to learn a lot too; fortunately, we weren’t alone. We received help, we purchased new resources, we made new friends and we acquired help and expertise.

I’d like to thank the phpBB team and Automattic (the company behind WordPress.com) for reaching out to us to see if and how they could help.

I’d like to thank Avast for working with us on this. They contacted us and offered to help analyze the fake ISO. We gave them a copy of it and all the info we already had. A day later they came back with a full malware analysis and we were able to issue an update to warn people who might still be affected by it. Avast also pushed updates towards their own users and they were able to block access to the Bulgarian servers used by the hackers. Finally, the addresses the malware was connecting to were either shut down or blocked by Kaspersky’s DNS sinkhole. I’ve been really impressed by Avast and the awesome work they did, it really helped us react quicker.

I’d like to thank our friends at eUKhost and AYKsolutions. Whenever we needed help, they were there.

I’d like to thank the people who first detected and reported the attack, the people who helped us scan for vulnerabilities and the various people who gave us security advice and challenged us in checking more and more security aspects as the week progressed.

I’d like to thank everyone at Sucuri and their leader Daniel Cid in particular for how awesome they have been with us. They had a great reputation and so we naturally went towards them to get our servers scanned for malware and cleaned up. Our servers are now monitored by Sucuri and protected by their firewall. We’ll be entering a partnership with them and it’s a real pleasure not just to benefit from the protection and the range of services they’re offering us but also to have that close relationship with security experts and to be able to quickly get in touch with them whenever our project needs it.

And finally, I want to thank you. When things go bad and somebody’s hurt we see all sorts of reactions. You’ve been great and that also really helped us. We always had a special relationship with you, we see it every month with your donations, your comments and your support. After the attacks, you were worried and you needed answers but you were also extremely patient and supportive. We tried to answer as many people as possible, it was hard in the middle of all the work we had to get done, but we kept getting pats on the back, we started to see people within the community step up and answer queries, reply to others and generally help in various different ways. We already knew what a great community we had. It was really put to the test here and it didn’t disappoint. We’re really proud to be working for you and we can’t wait to get back to work on the distribution itself.

New security aspects

Aspects directly related to these attacks:

To protect ourselves and reduce the risk of future attacks, many restrictions were placed on our servers. This might affect some of the websites a bit. If you find yourself unable to comment, to upload or to do something that worked well before, please let us know.

Aspects which could be used in future attacks:

To protect you and reduce the risk of man-in-the-middle attacks, almost all websites moved to HTTPS so you’re guaranteed you’re looking at the real Linux Mint server and the communication between you and us is encrypted. These measures protect you against local attacks (somebody listening to your local network, somebody maliciously opening up free Wifi to capture passwords being typed in a public place, or even, on a greater scale, fake DNS resolution pointing you to malicious servers). Note: The blog is yet to switch to HTTPS, we’re working on that still.

To make ISO verification more accurate we’ll communicate SHA256 sums and GPG information more prominently going forward. MD5 was displayed as the primary means of verification, with SHA256 and GPG being available for people who wanted them. We’ll review the way this information is shown and try to make more people use SHA256 and hopefully also GPG by default.
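The SHA256-plus-GPG check described above, as an added example (not Linux Mint's own tooling): the checksum list is only trusted once its detached signature validates against a key fingerprint obtained from a channel other than the download server, and only then is the ISO hashed against it. The file names `sha256sum.txt` and `sha256sum.txt.gpg`, the function names and the fingerprint argument are assumptions.

```shell
#!/bin/sh
# Added example (not Linux Mint tooling). Assumed names: sha256sum.txt,
# sha256sum.txt.gpg, and a signing-key fingerprint obtained out of band.

# Read "gpg --status-fd" output on stdin. Succeed only if a VALIDSIG line names
# the expected fingerprint ($1) and no line reports a bad, expired or revoked
# signature or key.
status_has_validsig() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # $3 is the signing key fingerprint, the last field the primary key.
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# $1 = checksum list, $2 = detached signature, $3 = expected fingerprint.
# A missing public key or a signature by any other key yields no matching
# VALIDSIG line, so the check fails closed.
verify_sums_signature() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        status_has_validsig "$3"
}

# $1 = ISO path, $2 = checksum list in sha256sum format.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all.
# Limitation: file names containing spaces are not handled.
iso_matches_sums() {
    name=$(basename "$1")
    # Exact match on the file-name column; a leading "*" marks binary mode.
    listed=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$2")
    [ -n "$listed" ] || return 2
    actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$listed" = "$actual" ]
}

# Full check: signature on the list first, then the ISO against the list.
verify_iso() {
    verify_sums_signature "$2" "$3" "$4" || {
        echo "FAIL: checksum list is not validly signed by the expected key" >&2
        return 1
    }
    iso_matches_sums "$1" "$2" || {
        echo "FAIL: ISO hash mismatch, or ISO not in the signed list" >&2
        return 1
    }
    echo "OK: $1 matches the signed checksum list"
}

# Usage: verify-iso.sh <iso> <sha256sum.txt> <sha256sum.txt.gpg> <fingerprint>
if [ "$#" -eq 4 ]; then
    verify_iso "$@"
fi
```

The signing key must already be imported into the local keyring. A checksum fetched from the same server as the ISO only detects corruption, which is why the signature check comes first.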

Aspects which relate to the operating system:

We’re considering re-adding Gufw to the default software selection. What happened was very uncommon but as our project and Linux in general are getting more and more popular, our operating system is becoming more and more of a target. We cannot ignore the threat of malware and think that it only affects Windows. The centralization of our software and the better practices of our users who rarely directly install 3rd party packages or binaries are an asset, but they can also be a vulnerability. A malicious PPA archive could affect Ubuntu and Linux Mint users, it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users. It’s important to understand that the reason we’ve been so safe until now is because we’re smaller and because we therefore represent a much less interesting target. We can’t just protect ourselves from attacks, we also need to think of how we can react to them after they’ve taken place. We need scanners, and we’ll look into that as well, and we need something people can use to quickly and easily configure outgoing traffic and review applications communicating with their network, and Gufw does that very well.

One of the key advantages of Linux Mint is its stability vs security policy, the level of information shown and the fact that update management is configurable. It puts power in the hands of the user, which is something that is lacking in many other operating systems. For that power to be an asset though, users need to understand what’s at play. We’ve seen time and time again now so-called experts and developers alike who were really struggling to understand the core of the problem itself. This isn’t something they’re learning from and this isn’t something which is properly documented. I think we need to do a better job when it comes to presenting the problem, raising awareness around it and making it easier for people to form their own strategy and have the operating system follow it. There is no one-size-fits-all solution to this. The key is configuration, but to rely on the user, we need the user to have access to better information and easier management. We’ve worked on this in almost every release, and we’ll continue to improve it.

Donations and development

Many thanks to all the people who donated to us and to all our sponsors. We feel a bit guilty this month because the attacks took all our focus and we didn’t work on Linux Mint as much as we’d want. There are some really cool things going on within the development team, there are now 4 X-Apps projects (xed, xreader, xplayer and xviewer), most of the Mint tools were migrated to python3/GTK3/gsettings and given better HiDPI support, we’re looking at better out of the box touchpad support in Cinnamon (which should probably go into MATE also) and the possibility to set different backgrounds on each workspace, etc. It’s a bit too soon to give any details though, so we’ll wait until we’re done working on security aspects and we’ll then start to cover improvements and new features on the Segfault blog and in the next monthly news.

 

Thank you to all of you.

 

Sponsorships:

Linux Mint is proudly sponsored by:

Platinum Sponsors:
Private Internet Access
Gold Sponsors:
Linux VPS Hosting
Silver Sponsors:
ThinkPenguin.com
Bronze Sponsors:
Vault Networks *
AYKsolutions Server & Cloud Hosting
7L Networks Toronto Colocation *
BGASoft Inc
David Salvo
Milton Security Group
Sysnova Information Systems
Community Sponsors:

Donations in January:

A total of $11606 was raised thanks to the generous contributions of 539 donors:

$360, Teach English Abroad
$200, Adam M.
$173 (14th donation), Andreas Schmidt
$143, Andreas und Carsten Mahr
$112, Salvador P. C. B.
$112, Bogdan S.
$112, Jack B.
$112, Carsten S.
$112, Heltyca Srls
$112, Roland L.
$100 (3rd donation), Timothy P.
$100, Kenneth P.
$100, Jim G.
$100, Charlie G.
$100, Jan-erik Ö.
$100, Kirk H.
$100, Robert H.
$100, James C.
$100, Colin S.
$100, Charlie E.
$100, Thomas K.
$100, Enetics Technologies Pty
$100, Brian S. J.
$100, Vincent W.
$77 (16th donation), Kouji K.
$71.84 (18th donation), Wolfgang P.
$70, Jhonatan V.
$64, Audio C.
$60, Scotland L.
$56 (2nd donation), Hans-georg T.
$56 (2nd donation), Paul A.
$56 (2nd donation), Christian D aka “zorbeck”
$56 (2nd donation), Oliver P.
$56, Nora V. W.
$56, Hans L.
$56, Udo W.
$56, Bruno D.
$56, Viviane S.
$56, Dirk S.
$56, Crispin M.
$56, Klaus B.
$50 (68th donation), Matthew M.
$50 (67th donation), Matthew M.
$50 (2nd donation), Forrest B.
$50 (2nd donation), Brian M.
$50 (2nd donation), Paul B.
$50 (2nd donation), JimM
$50 (2nd donation), Dennis B.
$50 (2nd donation), Eric J.
$50 (2nd donation), Douglas J.
$50, Wei X.
$50, Michael L.
$50, Thomas G.
$50, Dennis B.
$50, David S.
$50, David H.
$50, Thomas J.
$50, Laura H.
$50, Javon S.
$50, Michael A.
$50, David S.
$50, Joel Carlson aka “Fox7799
$45 (2nd donation), Nasser Bader aka “VIRUS
$45, Wolfgang K.
$45, J R. R.
$45, Alexander K.
$43, Giuseppe V.
$40 (3rd donation), George J.
$40, Emile S.
$40, John M.
$38 (2nd donation), Bernard R. aka “Beer4661”
$35, Andre’ D. J.
$34 (71th donation), Olli K.
$34 (3rd donation), Markus T.
$34, Cathal H.
$34, Christoph M.
$34, Alejandro F. B.
$34, Christian H.
$34, Birgit B.
$34, Wolfgang G.
$34, Reijo H.
$30 (6th donation), Jerry G.
$30 (2nd donation), Lawrence D.
$30 (2nd donation), Joe K.
$30, Josef R.
$30, Steven T. aka “oakhilltop”
$30, Nicklas S.
$30, Christopher A.
$30, David B.
$28 (6th donation), John K. aka “jbrucek”
$28 (4th donation), Carlos M. S.
$28 (2nd donation), Daniel L.
$28 (2nd donation), Anton W. aka “redant
$28, Peter D. W.
$28, Daniele P.
$28, Jens K.
$28, Stefan W.
$28, Lars H.
$28, Jan B.
$28, Daniel M.
$28, Thomas W.
$28, Roland P.
$28, Carsten M.
$28, Stefan L.
$28, Robert P.
$28, SSM aka “Gelbros J3”
$27 (3rd donation), Stefan A.
$27, Michael B.
$26.87 (9th donation), Scott L.
$25 (53th donation), Ronald W.
$25 (11th donation), Curt Vaughan aka “curtvaughan ”
$25 (6th donation), Larry I.
$25 (4th donation), Joseph G.
$25 (4th donation), iMarketing Solutions LLC aka “iMarketing
$25 (4th donation), Guillaume C.
$25 (3rd donation), Frances K.
$25 (3rd donation), John L.
$25 (3rd donation), JanEspen
$25 (2nd donation), Peter L.
$25 (2nd donation), Reel D.
$25 (2nd donation), Rajesh Hazari aka “Rajesh
$25 (2nd donation), Todd B.
$25 (2nd donation), Donald I.
$25 (2nd donation), Philip G. aka “-PGG-”
$25 (2nd donation), N1X3L
$25, Derek B.
$25, Jesse S.
$25, Christopher B.
$25, Timothy H.
$25, Nigel B.
$25, Horst S.
$25, James C. aka “inhiway”
$25, Charles S.
$25, Tomas L.
$25, David E.
$23, Shaun C.
$22 (4th donation), Pentti T.
$22 (4th donation), Per J.
$22 (3rd donation), Theodore S.
$22 (2nd donation), Adriano A.
$22 (2nd donation), Thomas W.
$22 (2nd donation), Bernard D.
$22 (2nd donation), Markovic D.
$22, Loïc P.
$22, Michal T.
$22, Christoph H.
$22, Rico N.
$22, Maurice G.
$22, Christian G.
$22, Florian R.
$22, Tom S.
$22, Jean-pierre S.
$22, Leslie W.
$22, Michal P.
$22, Mario K.
$22, Jacques S.
$22, Marco F.
$22, Marco D.
$22, Kim aka “Voodooseeker”
$22, Joachim K.
$22, Frank H.
$22, Thomas S.
$22, Jordi B. M.
$22, Gil the Arm
$22, Bernd Z.
$20 (48th donation), Tsuguo S.
$20 (12th donation), Curt Vaughan aka “curtvaughan ”
$20 (6th donation), Tom T.
$20 (5th donation), Aleksey Eletsky aka “promise”
$20 (5th donation), Julie H. aka “Kjokkenutstyr
$20 (4th donation), Scott Anderson aka “lwarranty”
$20 (3rd donation), Joshua R.
$20 (3rd donation), Peter L.
$20 (3rd donation), Douglas H.
$20 (3rd donation), jmkent aka “Burton”
$20 (3rd donation), Phil H. aka “smef
$20 (2nd donation), David B.
$20 (2nd donation), Peter R.
$20 (2nd donation), Jason D.
$20 (2nd donation), Oblong Software Products
$20 (2nd donation), Stefan A.
$20 (2nd donation), Ian C.
$20 (2nd donation), T. H.
$20 (2nd donation), Stephen B.
$20, Gordon M.
$20, Eric L.
$20, Keith D.
$20, Guillermo M.
$20, Timothy A.
$20, Duncan M.
$20, TomT3rd
$20, Vincent M.
$20, David R.
$20, Jeff D. B.
$20, David L.
$20, Frank J.
$20, R. C. F.
$20, John P.
$20, Vaughan B.
$20, 1455 Group LLC
$20, T. H.
$20, Joseph C.
$20, Keith B.
$20, Matthew D.
$20, Quadris Systems, Inc
$20, Charles L.
$20, Ronald K.
$20, Mr J. M. P.
$20, Momtchil R.
$20, Ariella B.
$20, Thomas O.
$20, Francis R.
$20, Jay F.
$20, Joseph S.
$20, Lance A.
$20, Luigi D.
$20, Kamil A.
$20, Noe R.
$20, Leon S.
$17 (3rd donation), Philipp M.
$17 (2nd donation), Ian B.
$17 (2nd donation), Derek T.
$17 (2nd donation), Pierre M. (2nd contribution)
$17, Jaap R.
$17, Richard H.
$17, Eric B.
$17, Philippe W.
$17, John R.
$17, Marcos M. P. D.
$17, Didier S.
$17, Philippe L.
$17, Angus M.
$17, Paolo T.
$16, Pierre R.
$15 (5th donation), Jobs Hiring aka “Jobs Near Me
$15 (4th donation), Jobs Hiring aka “Jobs Near Me
$15 (3rd donation), James T.
$15 (2nd donation), Anthony F.
$15 (2nd donation), Tyler B.
$15 (2nd donation), Ilya K.
$15 (2nd donation), Steve Sharp
$15 (2nd donation), Nasser Bader aka “VIRUS
$15, Vincent P.
$15, Gabriel B.
$15, Kirk W.
$15, Personnel
$15, Marco E. F. V.
$15, Gilbert D. R.
$15, Julien T.
$15, Aaron F.
$15, Rajendra S.
$15, James C.
$15, T2S Hire
$15, Gerald W.
$14 (2nd donation), Stefanos C.
$14, Stefanos C.
$12 (58th donation), Tony C. aka “S. LaRocca”
$12 (4th donation), Andreas S.
$12 (3rd donation), Michał M. aka “Zaraki
$12, Seahawks 12th Man
$12, EJ. Teh
$12, Jia F. L.
$11 (25th donation), Raymond E.
$11 (7th donation), Rene Schwietzke aka “Rene S.
$11 (6th donation), Brendan M.
$11 (5th donation), Queenvictoria
$11 (4th donation), Hosting 96
$11 (4th donation), J.C.Senar – linuxirun.com
$11 (4th donation), Artur Hapetta
$11 (3rd donation), Gabriele B.
$11 (3rd donation), Jerome M.
$11 (2nd donation), Danilo S.
$11 (2nd donation), F.D.P. Geurink
$11 (2nd donation), David B. aka “Jimbow”
$11 (2nd donation), Crefelean Nicolae aka “kneekoo
$11 (2nd donation), Ovidio A. H.
$11 (2nd donation), Josef M.
$11 (2nd donation), Laurent H.
$11 (2nd donation), Peter Chivers
$11 (2nd donation), Neil E.
$11 (2nd donation), W. Georgi
$11, Benjamin H.
$11, Jose J. P. I.
$11, Bruce Beardall
$11, Alberto S.
$11, Daniel B.
$11, Vedran S.
$11, Achim D.
$11, Bruce Beardall
$11, Jens M.
$11, William N.
$11, George K.
$11, Etienne H.
$11, Philipp H.
$11, Manuel B.
$11, Peter P. aka “Bulletproof Van”
$11, Sam N.
$11, Claus V.
$11, Rainer F.
$11, Jean C. A.
$11, Tom V. D.
$11, Henrik B.
$11, Felix L. M. R.
$11, Marc N.
$11, Jannick S.
$11, Michel V.
$11, Sergio Soriano Peiro
$11, Rajesh Nair aka “Nair”
$11, Franck M.
$11, Peter-Paul aka “Rimpelbekkie”
$11, Stefan E.
$11, Pierre Collette
$11, Stephan K.
$11, Simon L.
$11, Dimitrios Z.
$11, Richard M.
$11, Konstantinos T.
$11, Petr T.
$11, Silvia K.
$10 (10th donation), CW P.
$10 (9th donation), Jt Spratley aka “Go Live Lively
$10 (6th donation), Antoine T.
$10 (5th donation), Orion Metrics aka “Programmer
$10 (5th donation), Paul C.
$10 (4th donation), aka “Caturix
$10 (4th donation), Gonzalo Montes de Oca aka “RoyalGNZ
$10 (4th donation), Vitali K.
$10 (3rd donation), John J. aka “Sankaty”
$10 (3rd donation), A. K.
$10 (3rd donation), Jorge M.
$10 (2nd donation), Stephen D. Cope
$10 (2nd donation), Raul C.
$10 (2nd donation), Kordun Oleg
$10 (2nd donation), John C.
$10 (2nd donation), Clifton S.
$10 (2nd donation), Tomislav K.
$10 (2nd donation), Brynley F.
$10 (2nd donation), Thomas T.
$10 (2nd donation), William C.
$10 (2nd donation), Frederik M.
$10 (2nd donation), Jeremy V.
$10 (2nd donation), Yano Y.
$10 (2nd donation), Andreas S.
$10, Andre J.
$10, Godfrey H.
$10, Josef H. R. H.
$10, Rickey W.
$10, James H.
$10, Sergio L. L. R.
$10, Bastian B.
$10, Baki A. U.
$10, Philip H.
$10, Карпенко В.
$10, Russ A.
$10, Bryan G.
$10, Russell P.
$10, Mike C.
$10, eNeKuX aka “eNeKuX”
$10, Stephen K.
$10, Iain B.
$10, Matsko I.
$10, Aart E.
$10, Thomas C.
$10, Hot M.
$10, Fabio T.
$10, Colin M.
$10, Steve G.
$10, Tony B.
$10, Adam P.
$10, Yijun X.
$10, Tim O.
$10, Flaminio R.
$10, Thomas D.
$10, Steven S.
$10, Paul K.
$10, Larry. R.
$10, Ryan S.
$10, Missagh M.
$10, Barbaros E.
$10, Jill J.
$10, Tim K.
$10, Samraj R.
$10, Noah L.
$10, Lindsay O.
$10, Roger H.
$10, Rolf V.
$10, Norman B.
$10, David S.
$10, William D.
$10, Shannon F.
$10, Juan
$10, Black W. L.
$10, Petr Š.
$10, Ivanov D.
$10, Michael C.
$10, Aktar M.
$10, Jakub Š.
$10, James C.
$9.57, Todd M.
$8 (3rd donation), Stefan M. H.
$7 (4th donation), Paul S.
$7 (2nd donation), Glen R.
$7 (2nd donation), Lluis Solanelles
$7, Udo M.
$7, Doug Byfield aka “Doug B.”
$7, L L.
$6 (6th donation), Tung-Yi Chen aka “Tic”
$6 (5th donation), Arvis Lacis aka “arvislacis
$6 (5th donation), Nikita G. aka “Ni El Go”
$6 (4th donation), Lionel aka “Kinobi
$6 (4th donation), Andjelko Stojsin aka “Andjelko S.
$6 (2nd donation), Matthias W.
$6 (2nd donation), William T.
$6, Sortino R.
$6, Ludovic C.
$6, Electronic U. O.
$6, Robin B.
$6, Marco B. aka “Nightfly
$6, Maria L. H.
$6, Dieter W. K.
$6, Katja H.
$6, Stefan A.
$6, Luis I. R.
$6, Pawel J.
$6, Brendan Lyons
$6, Matus I.
$6, Georgios Mavropalias
$6, Miroslav aka “Xtrodinary
$6, Jan W.
$6, Dinesh G.
$6, Abbo K.
$6, Robert M.
$6, Jorge F. F.
$6, Diplom-Ingenieur (FH) Andreas Gerlich
$6, Петров Р.
$6, Jaume L. P.
$6, Hendrik Z.
$6, Emilie P.
$5 (12th donation), Libertad Tecnologica
$5 (10th donation), Jt Spratley aka “Go Live Lively
$5 (9th donation), Nicolás Costa de la Colina aka “NCosta”
$5 (5th donation), Hakim
$5 (5th donation), Sonmez S.
$5 (5th donation), Eric H.
$5 (4th donation), VPN Easy
$5 (4th donation), Jack H.
$5 (4th donation), Rachel
$5 (4th donation), Kirsti Drewsen
$5 (3rd donation), Michael J. N. J.
$5 (3rd donation), Vitali K.
$5 (3rd donation), Metal Roofing Installation
$5 (2nd donation), Pete E.
$5 (2nd donation), Geoffrey O.
$5 (2nd donation), F A Cianciolo
$5 (2nd donation), Michael J. N. J.
$5 (2nd donation), Elias J.
$5 (2nd donation), T A.
$5 (2nd donation), Cody X.
$5 (2nd donation), Diego Bezerra
$5, Пластеев Д. aka “Softericon”
$5, Christopher S.
$5, Fernando C.
$5, Zavisa N.
$5, Richard A.
$5, Jerry F.
$5, Alexey K.
$5, Kevin D.
$5, Sebastian T.
$5, Jorgen Rhode Jensen aka “jrj”
$5, Michael J. N. J.
$5, Lisa J.
$5, elogbookloan
$5, Daniel G. Lago
$5, Artur T.
$5, Duane W.
$5, Benceno
$5, Hweyun J.
$5, Tomasz aka “rogallrlz”
$5, Zachary M.
$5, Andrew G.
$5, Soul-Herbs.com aka “Ayahuasca
$5, Julian Montiel aka “jmontielc”
$5, payday loans las vegas
$5, Cristina S. B.
$5, Ultrabuy.com
$5, William G.
$5, Dave M.
$4 (2nd donation), Charles-david H.
$4, Brian B.
$4, Tom aka “tumek_pl”
$4, Gabriele M.
$4, Michal L.
$3 (15th donation), Kouji K.
$3 (5th donation), Stefan M.
$3 (5th donation), KnifeFellas.com
$3 (4th donation), Dmytro K.
$3 (3rd donation), safe-scripts
$3 (2nd donation), Saraplv aka “Sara”
$3 (2nd donation), Saraplv aka “Sara”
$3, Matthias G.
$3, Tahir H.
$3, Ricardo C. aka “xisso”
$3, Brian H.
$3, Audrius D.
$3, Tomasz U.
$3, Vitalii N.
$3, Sébastien J.
$3, Everett F.
$2.67, Vicki S.
$2.5 (4th donation), Peter Robert Jones
$42.99 from 29 smaller donations

If you want to help Linux Mint with a donation, please visit http://www.linuxmint.com/donors.php

Rankings:

  • Distrowatch (popularity ranking): 3161 (1st)
  • Alexa (website ranking): 7073

152 Responses to “Monthly News – February 2016”

  1. Trollboy says:

    I haven’t been around for a while, but followed the hack story with great interest. Kudos for handling it just about perfectly.

  2. LM says:

    2 Donations on my part are missing in donor dashboard listing (Jan 5, 2016 and Febr 14,2016). Also I’m NOT listed for Febr 2016 🙁

    Did you receive those monies?

    Edit by Clem: Hi L., sorry about the delay. The attacks delayed us but they also meant our infra was down. We also had to review a lot of it and make changes to harden security. About 500 donations are yet to be processed. Please note that this post shows the January donations. I checked the backlog and I see the donation on Feb. 14th (it’s not processed yet that’s why you can’t see it in your donor’s interface). I can’t see the Jan 5th donation though, did you use a different paypal email for it?

  3. Goetz says:

    Despicable, deliberate …, I think, these things happen sooner or later. Sooner is better because it’s a learning experience and improves professionality. The damage was limited (a bit more spam in my email), so I keep using no-nonsense mint. Thanks to all the contributions (mine will be some Euros only).

  4. Goetz says:

    You wrote: “… the attacks took all our focus and we didn’t work on Linux Mint as much we’d want …”

    Actually, you worked on what is Linux Mint. Security is important.

  5. Gabriel says:

    I was quite sad when I saw the news of the attack on Mint, but also not surprised. The internet has become a bit of a warzone of late, with hacking happening on a daily basis. I think this incident will be good for Mint in the long run as security aspects will get some close attention and review and make the project better prepared to withstand future attacks.

    Well done Clem and Mint team for the great communication, honesty and I’m sure late nights spent dealing with this. Looking forward to Mint 18 and will donate some money in the coming 1-2 months. Keep up the great work.

  6. Crewp says:

    Clem & Team, Mint’s the best, keep up the good work.

  7. Canuck says:

    Excellent work on the security front, tempering your infrastructure is critical to your growth and stability. Keep it up!

  8. Oc3lot says:

    “Many thanks to all the people who donated to us and to all our sponsors. We feel a bit guilty this month because the attacks took all our focus […]”
    Oh come on, that’s exactly working on Linux Mint! Don’t feel guilty because you’re not.

    Edit by Clem: Yes, well, of course… no work was done on making the OS itself better though. That’s what I meant by that. We lost more than a week if you look at the release cycle. It’s not the end of the world, it doesn’t change our expectations, we can release later, but it’s annoying nonetheless.

  9. kyuss says:

    I have been with Mint for the past 6 years and don’t plan on stopping any time soon. Luckily it seems like damage was limited and controlled. Keep up the great work.

  10. peter e says:

    Clem
    the listing of donations is important… a couple weeks delay is no big deal.
    Also the manner of donating is very important.
    I made many small donations and was also a Community Sponsor.
    I had to quit because of frequent problems with PayPal that I have never been able to resolve.
    when I Never saw me or my company listed I was suspicious that the money was Not getting into the Mint coffers.

  11. Grzegorz Z. says:

    Hello! How about reconsidering the structure of repositories in the upcoming release, to address one aspect of criticism from the Debian community? I think the rationale behind this one is valid, and is itself far from being just FUD. I mean resolving the issue of mixing your own Mint repositories with repos from Ubuntu, which results in conflicts in namespace. Perhaps Mint should take a similar approach to the way the Trisquel GNU/Linux community resolved this. They made their own separate repositories, based on Ubuntu LTS, but with their own changes. This would be the perfect way to avoid any conflicts in package names.

    Edit by Clem: There are places for this kind of things. For MDM, which only affects Mint and for which we never ever received a user request: https://github.com/linuxmint/mdm/issues/133. For hunspell-en-us which only affects Debian users https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=646693. For Cinnamon 3.0 which will affect Ubuntu 16.04 users when they try to upgrade via PPA because of 3 conflicts introduced by Debian (we fixed 2 of them, but the 3rd one simply isn’t compatible with the existing packages), we’ll probably see a LP bug report on Ubuntu and the root cause linking to a bugzilla report on Debian. In any case, this is the kind of things which gets solved between users and their maintainers, or between maintainers and developers, not on a blog, with an open letter, surfing on the wave of despicable attacks and in front of a hungry crowd. Somebody who communicates like that isn’t trying to solve a problem. Even if we wanted to respond to some of the content, we probably wouldn’t because the only way to deal with it professionally is to ignore it. I’m not too impressed with the hunspell conflict, I’m not too impressed with the gnome2 vs gnome3 conflict, I wasn’t too impressed with my fellow Frenchman Josselin Mouette’s attempts to block MATE, I’m not too impressed with the cdrkit vs cdrtools debacle which is frankly utterly unacceptable, there are people in Debian whose lack of pragmatism means they would never work for Mint, yet you don’t see me write blog posts about them and wonder publicly whether it’s acceptable or not, or question the quality of their entire distribution. You might spot some of our devs briefly rant about upstream from the semi-privacy of our dev IRC channel.. you won’t see us create or fuel controversy though. 
    If some Debian community member has an issue with name conflicts, they should fix the ones in Debian first (so that we can take him/her seriously), avoid spreading FUD on public forums (so we can actually talk to him/her without looking unprofessional) and contact us (so we can talk calmly about it and consider changes with smiles on our faces).

  12. Roland L says:

    Thanks Clem and Team for everything you’ve done!

    You’ve still my FULLY 100% trust in everything you do! (Homepage, Update management, …) I’m absolutely sure you know all about this better than me so I’m thankful for every preconfigured option by you!

    Linux Mint is the first Linux I can just use from the first contact without being an IT-Expert and slowly I begin to understand how everything works under Linux. Thanks for this! All I can do to support you is a donation, and that’s what I did last month. 🙂

    (btw. at the moment I have an eye on apricity os too.. it’s too beta for daily use, but it looks beautiful and easy to use like Mint. I wish there were a co-op between the mint and apricity-team. The results from these two great teams will maybe be awesome!)

  13. Mark says:

    If your goal is simply create a good Linux distro, why not outsource everything else?

    You can outsource…

    (a) forums & comments to (static) blog posts to e.g. reddit (for less technically oriented people) and
    (b) bug reports and feature requests to e.g. github (for tech savvy people) and
    (c) business inquiries etc to email

    I suspect the vast majority of people prefer to use them because they are already familiar with them.

    This will free up your time/resources and you can use funds more efficiently on making a better Linux distro.

  14. radi1962 says:

    Clem & Team
    Thank you so much for your efforts and your work for mint. Such security problems will be solved and then it will be a huge step forwards for the distro. Keep fighting!

  15. TonyW says:

    I suppose it was bound to happen sooner or later, you can’t be the best distro without making a few people envious! You were upfront and kept everyone informed about what was happening.

    Other unnamed organisations would have kept people in the dark and pretended it never happened.

    You have nothing to feel bad about Clem, these things happen. You’ve found even more new friends to help and support, what a great community.

  16. Todd says:

    Clem
    Thank you for the update. I also donated, but I suspect you have not gotten to it yet for the reasons you specified. I have to admit I was a bit surprised about the hack initially, and actually considered moving away from LM because of it as my first initial reaction. Once I read all of the information currently available I now feel more at ease. You guys are taking all of the right steps in my opinion, and I commend you for that. I have already said in a forum post, but I owe my freedom from Windows to the Mint project. Thank you for having a fast, graceful distribution that just works!

  17. Georgi says:

    This is not a wasted week, Clem. Security is an important part of the distro and of its infrastructure so don’t blame yourself and keep up! We can wait for a new release, one week is nothing. 😉

  18. Wayne says:

    Only been on Mint since 17.2 but love it and still love it. Great work catching and fixing. I agree, going forward Mint should be more security aware in all things.

  19. happymintuser says:

    Thank you so much for all you are doing for this distro!!

  20. Mel says:

    @Comment-#12-“Mark”:

    <>

    If your goal is simply create a good Linux distro, why not outsource everything else?

    You can outsource…

    (a) forums & comments to (static) blog posts to e.g. reddit (for less technically oriented people) and
    (b) bug reports and feature requests to e.g. github (for tech savvy people) and
    (c) business inquiries etc to email

    I suspect the vast majority of people prefer to use them because they are already familiar with them.

    This will free up your time/resources and you can use funds more efficiently on making a better Linux distro.

    <>

    HELL no. Outsourcing is SUICIDE (and GROVELING, BEGGING, PLEADING, and IMPLORING for trouble. Not just ASKING for trouble). Just look at all the companies, organizations, etc. etc., that have done Outsourcing. Outsourcing reduces quality, it also reduces control that the owners of an object/company/project/thing/item/etc.-etc. have over that item/thing/something/company/project/etc.-etc., and it also reduces the amount of TIME that they have to make a really good product/project/item/source/company/server/service/etc.-etc./whatever-it-is-they’re-working-on because they’re so busy worrying-about/working-on everything else (such as, “are our outsource business-partners doing a good job running the stuff we outsourced to them? are they fulfilling the quality standards we set out to do when we ran the thing that they’re now running for us?”, etc.).

    Look at what happens when a company outsources their manufacturing to another company. Look at what happens when a company outsources their technical-service/customer-service/sales-over-the-telephone/whatever to another company.

    You don’t want to do that.

    You’re [not] just *asking* for trouble. You’re BEGGING, PLEADING, GROVELING, and IMPLORING for trouble.

  21. Jake says:

    HTTPS doesn’t work well for me. Firefox blocks mixed content, which means I have a warning on my padlock, and all the images are missing (which messes up the page’s formatting). In addition, trying to submit a comment from the HTTPS page is done using HTTP (again, the browser warns me I may not want to submit anything). So, it looks like there is still some work to do here.

    Also, I’m surprised you’re using Comodo instead of Let’s Encrypt. Is there a reason for that? Based on what I’ve read on Distrowatch, I’m not sure why people _wouldn’t_ use Let’s Encrypt.

    Edit by Clem: Hi Jake, on the blog and segfault it’s normal, we didn’t move them to https yet (even though their certificate is already in place). If you see mixed content elsewhere, please let us know (except for the forums where people’s avatars trigger it, there’s little we can do about that). Regarding cert providers we were going to go with a wildcard cert from Digicert, but we were also interested in using a WAF. Although they’re working with eUKhost, I ruled out Cloudflare mostly because of political reasons (I’m sorry, I don’t usually do that, but heh…). We also needed malware detection and monitoring, that brought us to Sucuri, they also had a WAF solution and they were working with Comodo, so there you go, you know the full story now.

  22. Dylan says:

    Hello, Clem:

    Wonderful, wonderful, wonderful blog post; since I first heard about the attacks, despite all the FUD I was seeing, online, I had every reason to believe that I and every other Linux Minter would see such a blog post. The simple reasoning behind this is the following: this is what and, more importantly, perhaps, HOW you do things.  Your post was exactly what we expected, open and honest, thorough, professional, and well-written. I wish you nothing but the best, with continued happiness and success; thank you for everything you do for us, the Linux Mint community. To Clem and the entire Linux Mint community: Well done, ladies and gentlemen…well done.

  23. CoreSec says:

    There are two types of computers on the Internet: what is already hacked and what will be hacked. The learning curve after an attack is always useful, as it can help to build security awareness into the mindset.

    It looks like the Linux Mint team solved the problem for now, so the only thing I can wish: keep up the good work! If this incident extends the development time of LM18, we can wait while you finish it, no pressure on you, guys!

  24. Piotr says:

    I would strongly recommend moving phpBB, WordPress and other popular php-based software to some kind of sandbox which can be destroyed without affecting Linux Mint ISO distribution.

    In the past I had a few similar incidents with phpBB and now I would think twice before including this software on my server. The same happens with WordPress – this is very popular software with lots of possible flaws. Even if you perform all known hardening steps (OS, php, scripts, files, web server) there will still be some possibilities.

    If you want to be super-safe you can build the whole main website in a static website generator like Pelican (getpelican.com) and export all dynamic parts (like comments) to another server (for example using Disqus or by using sub-domains hosted on another server).

    Good luck!

  25. user7 says:

    Although I am relatively new to LM, I’d like to thank you for all the effort you made to handle this challenging situation.

  26. northernexposure says:

    I want to express very briefly how pleased I am to see the quick reaction that the Linux Mint team has brought to these recent intrusions. It comes to show the world that the third most popular operating system isn’t going to be brought down by a hacker. It also shows that you indeed care about the safety and security of your users. That….is what makes an operating system great. You have all done well and I prayerfully hope that your project continues to expand.

  27. samriggs says:

    Thanks for the transparency Clem much appreciated and something rarely seen nowadays.
    This whole episode just makes me want to support mint even more now.
    Just a quick big huge thank you to you the team.

  28. KenWeiLL says:

    “A malicious PPA archive could affect Ubuntu and Linux Mint users, it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users.”

    Should we avoid using PPA at all? I’ve noticed that some PPA’s are officially maintained by upstream developers.

    How would we know that a specific PPA is safe to use or not?

    Edit by Clem: Reputation. There are other ways than PPA to compromise users without hacking the distribution. I just wanted to show you an example where security wasn’t at fault but users could be lured anyway.

  29. DarrenG says:

    Thanks Clem, your honesty and the way you keep the community informed is a huge bonus to Mint. I echo what others have said, the website is part of the Mint project, so time spent on them is not time wasted.

    I think re-adding Gufw to the default software selection is a good idea. May I also suggest firejail and keepassx? And perhaps a security topic in the forums where newbies can find out what they are and how to use them.

  30. calexil says:

    Thanks for the great post Clem, we are always happy to hear/see that the dev team is open and transparent about issues, and responses to them. We look forward to furthering Mint’s ‘market share’ in the Linux world and general public acceptance as a stable, safe, and easily utilized desktop-ready distro. Swing by the subreddit sometime so I can mod you (if you can squeeze us in from time to time, we do have almost 10k subscribers), ttys

    -the Linux Mint subreddit mod team

  31. Robert Irwin says:

    http://www.krebsonsecurity.com/
    Brian Krebs didn’t set out to become knowledgeable; it happened to him as it did to you.
    He has helped get muderers, thieves and malicious s…heads arrested as well as preventing me and 1000s of others from bad mistakes. If he hasn’t already he’ll help, just ask.

  32. Robert Irwin says:

    that should have read murderers

  33. FlowXP says:

    great that you are learning,
    just be VERY careful who you trust and who helps you.
    After all, in this world, it’s a trend to give someone problems and after that give that someone YOUR solution…
    Great to have you back up and running !! 🙂

  34. vrizov says:

    Congratulations to all the Linux Mint team!!! Thank you for your awesome work and your way to inform the community about everything that happens to Mint – that’s one of the main reasons this operating system to be the best for me. Thank you all!!!

  35. Jonas says:

    Another problem: the universe and multiverse repositories. Am I right that they don’t get support or bug fixes from the Mint or Ubuntu team?
    The Mint security incident woke me up to think about it.

  36. Ultraviolet says:

    Been using Mint since Julia and I have always had nothing but respect for the stability and reliability it brings so this event shocked me, and the shockwave of negativity I have heard and seen towards the project over this – having said that, I still use Mint and will continue to do so. This attack has helped me to adjust my own approach to security and has helped me learn more and more ways of staying safe – moreover, it has solidified my trust in the work the Mint team undergo and have been impressed with their resolve and hard work in fixing this.

    Once again, you guys are heroes – so thank you all ^_^b

  37. Pjotr says:

    Job well done, thanks! One remark about your blog post, though: I hope you’re not planning on adding antivirus to Mint now.

    If you’re worried about potential malware coming from PPA’s, I think a better approach would be to team up with Canonical and filter what people are trying to upload to Launchpad.

  38. Radish says:

    “#21 Clem Said [regarding HTTPS]: Hi Jake, on the blog and segfault it’s normal, we didn’t move them to https yet (even though their certificate is already in place). If you see mixed content elsewhere, please let us know (except for the forums where people’s avatars trigger it, there’s little we can do about that).”

    With respect to avatars would it not be possible to just store them on Mint servers? I’m not saying you should do that, only that it might be a solution (if one is needed).

    Another solution might be to just rule that avatars must be pointed to at an HTTPS address. (Would doing that work?) Ditto for any images posted into the forums (though that might be more difficult with respect to images in already existing threads). But, if this would work, and Mint went at it one step at a time, things would gradually improve.

  39. Erick says:

    Had to wait till the first of the month for cash. As I had mentioned in the other blog… will be money coming your way from me as well. Not much, but that discussion to show that we still support you despite what happened. Still using the distro, and I doubt I’ll stop.

  40. Arkines says:

    Thanks to every one working on Mint! Don’t let any of this upset you, We all know that you are doing your best to keep Mint secure. You are not to blame.

  41. Adrian says:

    Clem, thank you very much for taking the time to write such a detailed and transparent post! Really….

    I felt extremely sad, after learning about what had happened to you – the Mint-Team and the Community. However, I’m glad that you managed to overcome this serious situation in such a professional way and received such strong support.

    Thank you so much for your hard work!

  42. Mark says:

    Clem:

    What happened was awful but an indication that Linux Mint is becoming fairly popular – we’re not flying under the radar anymore!

    It’s too bad that LM was the first distro to be attacked like this but you can bet the other distros are battening the hatches now and trying to learn from the experience. We’re patient zero, unfortunately.

    However I am sure your actions have significantly hardened the project against future attacks and I’m sure LM as a whole will become more security-conscious in the future. It was a wake-up call and fortunately the damage wasn’t too widespread.

    Clem, thank you so much for all your hard work, and to the rest of the developers as well. You put the users and their privacy and security first despite all that happened.

  43. Jake says:

    @21, 37
    Thanks, Clem, for your explanation on the certificates. I agree with your reasoning. You guys are handling this well, so thank you!

    Regarding pictures/images, something should be done, but I’m not sure what. Linking and displaying external content can bring in problems that have nothing to do with your site. That’s how malvertising works: you displayed malware an advertising network allowed through. While javascript is the biggest vector, bugs do get fixed in image processors, so someone could be taking advantage of those if they wanted.

    If it were me, I’d want to keep everything “in house” and then try to sort it out from there. At least if the images are on your servers, you could “scan” and pull them. You’re in control. It’s probably easier than going back to filter someone else’s content and editing posts. It also keeps users from becoming blind to mixed content errors since they are intended to show a real problem (the connection could be compromised). Something to think about, I guess.

    @28
    I only use a few PPAs, but I do like having them. I use them mostly for security updates that aren’t being brought into the distro more so than for new features. They are either directly from the software publisher I already trust (e.g., Oracle for Virtualbox) or someone I’ve verified multiple ways (e.g., the Ubuntu Mozilla security team for Firefox). The key is to verify things for yourself; don’t blindly trust other people’s recommendations.

  44. av8r0023 says:

    Great job Clem and team.

  45. Filipe Martins says:

    Hi Clem,

    After the MINT breach you should secure your server much better!
    Here is how to do it:

    1) Fixing your Web Server’s Security Headers: From Hall of Shame to Hall of Fame
    https://www.cloudinsidr.com/content/fixing-your-web-servers-security-headers-from-hall-of-shame-to-hall-of-fame/

    2) Secure Your Web Server against Attacks via XSRF/CSRF/XFS: How to Design a Content Security Policy
    https://www.cloudinsidr.com/content/secure-your-web-server-against-attacks-via-xsrfcsrfxfs-how-to-design-a-content-security-policy/

    Besides you should also use HTTP/2 (with HTTPS and TLS 1.2 encryption)

    Here is how to do it!

    3) How to Activate HTTP/2 with TLS Encryption in NGINX for Secure Connections without a Performance Penalty
    https://www.cloudinsidr.com/content/how-to-activate-http2-with-ssltls-encryption-in-nginx-for-secure-connections/

    Please feel free to ask if you have any questions!

  46. Patrick says:

    Good to hear.

  47. Drygar says:

    Hello Clem, LM team,
    Thank you for your great work on this and for the prompt reaction. Thank you for the update. As we all know generally GNU/Linux is considered safer than Windows due to many many reasons. I hope the project, you and all of us (that are somehow involved – even users) get more security savvy and aware. However, I also hope you don’t get too paranoid about this. Personally, I don’t think GUFW is needed as it basically uses ufw which is already in place. Could you comment on “We need scanners, and we’ll look into that as well, and we need something people can use to quickly and easily configure outgoing traffic…”? What scanners are you talking about? I hope you don’t think of including antivirus or similar in LM.
    Thank you!

  48. Drygar says:

    Hello Clem,

    Would you mind sharing where the LM update servers are – are they in the Sucuri network as well?

  49. Nomen luni says:

    Legendary comeback, Clem+team.

    I think GUFW would make an excellent addition to the standard install. How about an applet that warns you when the firewall is turned off (obviously with the option to disable the warning) much like Windows?

  50. Elad Hen says:

    My 5$ donation from February 25 doesn’t appear 🙁

  51. Elad Hen says:

    Be that as it may – I hope everything is back on track. Go on being great!

  52. DarrenG says:

    @Elad Hen, these are the Donations in January, as it says at the top of the list.

  53. stragu says:

    Good work on handling this, and don’t worry about work on features: security is priority number one, not only for Linux Mint but also for the whole GNU/Linux ecosystem. Keep up the great work and the transparency about it, everyone appreciates it.

  54. LowTekk says:

    Thank you Clem and team for working so hard on our behalf, and never forget just how much we appreciate your years of devotion, both to Linux Mint and the community. Since you shut down the main site to address the hack, I’ve been keeping all of you in my prayers. Don’t ever feel guilty for having to pick up the pieces after an attack like this, Clem. All of us understand where your heart is, and would never be so childishly impatient that we would blame you and your team for having to suspend development to protect both our online data and anyone who needed a system reload. I for one am eternally grateful that you guys reacted so quickly to address this attack and to inform us of the details in nearly real time.

  55. LowTekk says:

    Continued from 50(dang my LibreOffice muscle memory):

    I’m ashamed to admit I had to temporarily bail to Ubuntu MATE Edition a couple days after the hack, but perhaps as an expression of poetic justice, it just doesn’t feel right. I’m writing the final chapters of a novel I’ve been working on since the beginning of 2012, and just as Linux Mint is for you, it’s a labor of love. Because I’ve never had to question the stability of Linux Mint, or the passion of you and your team, you’ve won your place in the acknowledgements. If God blesses me with enough sales to cover all my publishing-related expenses and I start turning a profit, I WILL give a donation worthy of the service I have enjoyed since I wrote the first pages. Keep on truckin’, Clem. We’re all right behind you.

  56. Torsten says:

    Hello Mint team,

    I’ve been using your distribution since version 5 (Elyssa?), haven’t taken all of your release changes in the past but:
    since the beginning I’ve been really impressed by what you guys did for this great operating system called Linux.
    So I found, especially after the incidents of the last two weeks, it’s time to support you in your work with a small donation.

    Wish you best luck for the future!

    Mint will always be one of my favourite Linux distributions…thanks for your hard work….

    regards from Germany
    Torsten

  57. alessandro simon says:

    IP address 5.104.175.212 was registered in the name of Lyubomir Bambov, who is selling the Linux Mint forum for $85.00, which in my opinion is already a case for the police.

    greetings and strength.

  58. SteveS says:

    Great job handling this. I can only hope my organization would react as well.

    Now would seem to be a great time to take what you’ve learned, and create a server version of Mint (assuming your servers were running Mint…). We would certainly use it.

    A donation is in process, regardless…

  59. dada says:

    Very nice to read all this, thank you for the good work!

  60. Dino says:

    Thank you all for your great job! I appreciated a lot the way you coped with the attack and the honesty in informing the community about it.
    I plan to do a second (small) donation in a few days.
    Glad to see that a lot of people from other FLOSS products helped to solve the problem.
    Keep up the good job and thank you again.

  61. Orzech says:

    Will you address the issue of disabling some updates by default and lack of security bug tracker?

  62. Orzech says:

    Was LMDE affected at all, or was it just Ubuntu-based iso image issue?

  63. Robert M says:

    I have been trying to get to the linuxmint website this morning and all aspects refuse to load.

    Tried three different browsers to no avail. I did get invalid security certificates and that’s all.

  64. RayoGlauco says:

    @57. alessandro simon: this IP 5.104.175.212 may have been hacked, and this Lyubomir may be another victim of the real hacker. More research may be needed to know.

  65. Luca says:

    Clem, if it can be useful, I commented on some post in the forum, and as I was seeing the padlock in FF because of the mixed content, I started pointing my avatar and signature images both to https. I can see no media has an http:// URL, but still it gives mixed content.
    Here is the link, all the media under right click, View Page Info, Media tab show an https:// URL.
    https://forums.linuxmint.com/viewtopic.php?p=1135522&sid=2aaf1e22766b75600fb627ad99d240b1#p1135522

    I can see that only the feeds are pointing to http://; might that be the reason?
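Added example (not part of any comment and not Linux Mint's own code): a small auditor for the mixed-content reports in comments 21, 38, 43 and 65. It lists what an HTTPS page loads or submits over plain HTTP, and treats `<a href>` and `<link rel="alternate">` feed references as links rather than page loads, so it does not report them. The sample page and the `.example` host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch a subresource with the page.
# Firefox calls images/media "passive" mixed content and scripts/frames "active".
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}


class MixedContentAudit(HTMLParser):
    """Collects (kind, tag, absolute_url) for every plain-HTTP load on the page."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url      # changes if the page carries a <base href>
        self.findings = []

    def _check(self, kind, tag, value):
        if not value or not value.strip():
            return
        # Resolve relative and protocol-relative URLs before looking at the scheme.
        absolute = urljoin(self.base, value.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base":
            # An http:// base makes every relative URL after it insecure.
            if a.get("href"):
                self.base = urljoin(self.base, a["href"].strip())
        elif tag == "link":
            # Only stylesheets are checked; rel="alternate" feeds are references.
            if "stylesheet" in (a.get("rel") or "").lower().split():
                self._check("active", tag, a.get("href"))
        elif tag == "form":
            # Not a load, but the submitted data leaves over HTTP.
            self._check("form-target", tag, a.get("action"))
        else:
            for attr, value in attrs:
                if (tag, attr) in ACTIVE:
                    self._check("active", tag, value)
                elif (tag, attr) in PASSIVE:
                    self._check("passive", tag, value)


def audit(page_url, html):
    """Return the mixed-content findings for html served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []                 # mixed content only exists on HTTPS pages
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a forum topic page with one HTTP avatar and an HTTP form.
SAMPLE_PAGE_URL = "https://forum.example/viewtopic.php?t=1"
SAMPLE_HTML = """
<html><head>
<link rel="alternate" type="application/atom+xml" href="http://forum.example/feed.php">
<link rel="stylesheet" href="/styles/main.css">
<script src="//cdn.example/lib.js"></script>
</head><body>
<img class="avatar" src="http://images.example/avatar.png">
<img class="signature" src="https://images.example/sig.png">
<a href="http://forum.example/faq.php">FAQ</a>
<form method="post" action="http://forum.example/posting.php">
<input name="message"></form>
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in audit(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind:12} <{tag}> {url}")
```
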

  66. salvatore says:

    Don’t feel guilty, I see an investment in neglected components of the project Linux Mint, that should receive regular attention as part of the project’s lifestyle. If this event is perceived as a distraction from the distro component, history is going to repeat.

    Anyway, these specific changes that you have mentioned had to be done at some point, and were untold wishes of some users.

  67. M Welinder says:

    The Changelog entries in mintupdate should also go via https.
    Right now it will show whatever a man-in-the-middle server chooses
    to display. (A captive portal is a benign example.)

  68. obertscloud says:

    Thanks for being transparent, regarding Mint’s future I see that some schools are moving to Linux.
    Maybe some investors, want to donate hardware with preinstalled Mint
    and some education, music, programming, video etc tools pre-installed.

    Here’s a link to the article
    http://www.zmescience.com/research/technology/estonian-schools-open-software/

  69. Rufus Dexter says:

    Hey Linux Mint team, I am a regular Ubuntu user, I have been following Linux Mint for a while, I have seen the trouble you’ve gone through recently. I really want to say I am at this moment downloading Linux Mint and I am planning to test it against my current Ubuntu installation and give it a go if positive. I also wish to express my support to you guys and to say that I’ve only heard good things about you from my fellow Linux users who have been using Mint in different flavours. Best wishes from Romania!

  70. Rufus Dexter says:

    Tried the live disk, it’s great. Good job, keep it up. Mint is a great alternative to ubuntu, much more “umph” out of it. Thank you.

  71. Shian says:

    “You can’t stand up – before you fall”

    I feel guilty that you are working so hard for me…

    Thank you and all the best; this way or another – Linux Mint is the only OS for me.

  72. Luis D says:

    My donation is missing too. It was done on Feb 23rd.

    Edit by Clem: Hi Luis, these are the January donations. We’ll modify the site again to show the donations for the last 30 days. Note that there’s also a lot of donations which haven’t been processed. We’ve a huge backlog here 🙂

  73. Quiroga says:

    I’m concerned about linux mint security. I like this linux distro and for me it’s a nice replacement for windows 7, but there are some things which seem wrong:
    a) the project does not issue security advisories
    b) It’s a community project, funded by donations
    c) Linux Mint website looks very amateur

    I use and, I repeat, I like this linux distro but, in my opinion, it’s time to search for partners like canonical, microsoft or apple. Linux Mint deserves to grow up.
    Please, Clem, look at users’ security and do a professional job.
    Cheers for all mint users.

  74. jazzi says:

    Just donated a few bucks, hope to help build this community more secure.

    Thanks for all the work Clem.

  75. Dom says:

    Fantastic to hear that you received so much help. You have all put in a fantastic effort and thanks should be directed none the less to the developers and community of Linux Mint for putting in this effort and creating a better OS, better security and a better experience for users.

  76. M.Z. says:

    I have been a bit fascinated by this new sandbox tool called Firejail since the attack happened on the Mint site. It seems fairly easy to use & provides the added protection of blacklisting certain actions for web browsers like Firefox and about 30 other apps that have profiles.
    I have the tool working fairly well in my LMDE 2 Cinnamon system & my Mint 17.3 KDE system &, aside from limiting my download locations, it is fairly seamless on both desktops. I do notice an odd message on my browser window about being in superuser mode in LMDE Mate, but otherwise it seems like a great & easy to use alternative to things like SELinux. It’s also worth noting that Firejail should be in the repositories upstream of Mint & much of the functionality of the tool is already integrated in the Linux kernel.

    I think something like a Mint tool to automatically set programs with profiles to start in Firejail’s sandbox would do a lot to enhance Mint security. To start things in the sandbox you currently have to either do it in the command line using ‘firejail firefox’, or edit configurations, adding the firejail command in front of the program name. Anyway I thought it might be worth looking into adding something like this to Mint with a tool to set things to start sandboxed automatically. Something like that could help make Mint a leader in desktop security while being one of the easiest to use security solutions.

    I hope you consider doing something with Firejail or a similar security tool, & good luck with the rest of your security & development efforts.

    More info:

    http://distrowatch.com/weekly.php?issue=20160222#tips

    https://firejail.wordpress.com/
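Added example (not part of the comment above, and not a Mint or Firejail tool): one way the launcher-wrapping idea in comment 76 could work. It copies a desktop entry into a per-user directory with `firejail` placed in front of each `Exec=` command, but only when a matching profile exists. It assumes profiles are files named `<program>.profile` (as in `/etc/firejail`) and that entries in `~/.local/share/applications` take precedence over `/usr/share/applications`; the function names and demo files are constructed.

```python
import shlex
import tempfile
from pathlib import Path


def sandboxed_exec(exec_value, profile_dir):
    """Return exec_value prefixed with 'firejail ', or None if it must stay as is."""
    try:
        argv = shlex.split(exec_value)
    except ValueError:            # unbalanced quotes: leave the entry alone
        return None
    if not argv:
        return None
    program = Path(argv[0]).name
    if program == "firejail":     # already sandboxed
        return None
    # Assumption: a profile is a file called <program>.profile in profile_dir.
    if not (Path(profile_dir) / f"{program}.profile").is_file():
        return None
    return "firejail " + exec_value


def wrap_launchers(system_apps, profile_dir, user_apps):
    """Write sandboxed copies of system launchers into user_apps.

    Returns the names of the desktop files that were written. A launcher the
    user already overrides is never touched.
    """
    wrapped = []
    user_apps = Path(user_apps)
    for entry in sorted(Path(system_apps).glob("*.desktop")):
        target = user_apps / entry.name
        if target.exists():
            continue
        changed = False
        lines = []
        for line in entry.read_text(encoding="utf-8").splitlines():
            # Exec= appears in [Desktop Entry] and in [Desktop Action ...] groups.
            if line.startswith("Exec="):
                new_value = sandboxed_exec(line[len("Exec="):], profile_dir)
                if new_value is not None:
                    line, changed = "Exec=" + new_value, True
            lines.append(line)
        if changed:
            user_apps.mkdir(parents=True, exist_ok=True)
            target.write_text("\n".join(lines) + "\n", encoding="utf-8")
            wrapped.append(entry.name)
    return wrapped


def demo():
    """Run against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system, profiles, user = root / "applications", root / "firejail", root / "user"
        system.mkdir()
        profiles.mkdir()
        (profiles / "firefox.profile").write_text("# constructed profile\n")
        (profiles / "vlc.profile").write_text("# constructed profile\n")
        (system / "firefox.desktop").write_text(
            "[Desktop Entry]\nName=Firefox\nExec=firefox %u\n\n"
            "[Desktop Action new-window]\nName=New Window\nExec=firefox -new-window\n")
        (system / "gedit.desktop").write_text(
            "[Desktop Entry]\nName=gedit\nExec=gedit %U\n")      # no profile
        (system / "vlc.desktop").write_text(
            "[Desktop Entry]\nName=VLC\nExec=firejail vlc %U\n")  # already wrapped
        wrapped = wrap_launchers(system, profiles, user)
        return wrapped, (user / "firefox.desktop").read_text(encoding="utf-8")


if __name__ == "__main__":
    names, text = demo()
    print(names)
    print(text)
```
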

  77. User says:

    Hi. Because you think about security & would like to re-add GUFW, I would like to suggest that you add “SE Linux” & enable it by default. It will give an additional security layer for Linux & if any issue results from it then the user can temporarily disable it with the following command:

    echo 0 | sudo tee /sys/fs/selinux/enforce

    To re-enable SE Linux again use this command:

    echo 1 | sudo tee /sys/fs/selinux/enforce

    Also, I would like to suggest adding the ability to “disable Ipv6” from the graphical user interface. It will be very useful if you add such an option because disabling Ipv6 from the terminal is somewhat difficult.

  78. peter e says:

    @Quiroga
    Security Advisories… there are few because there are very few events to be concerned with.
    If you want to know about Linux Mint security read this blog and the other blog posts… lots to read, but it is all there.
    … your list of “things that seem wrong”
    Perhaps you should consider moving back to the product of one of the major corporations like canonical, microsoft or apple since they provide what you would be comfortable with.
    For ME, I feel much more secure with Mint because major corporations are NOT involved.

  79. alessandro simon says:

    All talked about security in the comments, falls water when I think that safe things do not happen as for example in the development, is a race of cats against mice, in which the only really safe thing is unplugged and in the future or that . This attack was good in my opinion, showed the weaknesses and brought upon many teachings.

    greetings everyone.

  80. Ridhwan says:

    So can I start downloading Linux Mint ISO again? We’re still using MD5 for now.

  81. Quiroga says:

    @peter e says

    It’s my opinion. Avast helps Linux Mint and Avast Software is a big company. What’s wrong about this? What’s wrong if microsoft helps linux mint?
    I’m not a linux dreamer. We live in society, if you want security, you need to search for partners.
    Linux Mint is the 4th most widely used operating system in the world. We are not talking about […] or other [xxx] distro. 7 million users. It’s a huge responsibility and users need security to use this linux distro.
    It’s my opinion and I wish success and the best for Linux Mint.
    It’s an idea and I only try to help with my experience and it’s my point.
    More security and better ideas for the future. I’m a linux mint user and I want security, good software programs and a solid distro with ideas and good partners.

    “perhaps you should consider moving back to the product of one of the major corporation’s like canonical, microsoft or apple since they provide whet you would be comfortable with.”

    Yes, I like windows and ubuntu, but I like mint more. I’m free to express my opinion. Nothing wrong with this. I’m not a hacker or microsoft employer. I’m a simple user.

    Sorry for my bad English, I wrote this with Google Translator’s help.

    Cheers for all mint users.

    Edit by Clem: Hi, there’s really no need to disrespect other projects. Whatever their size, their quality and your opinion about them, we can talk about Mint without promoting or insulting other distributions.

  82. Alan Bentham says:

    Many thanks to everyone that helped. There are some really nice people out there willing to chip in and that is all part of the magic of Linux.

  83. Adam says:

    Just keep on working. We shall be here to support. Thanks for the much you’ve done already….better stay vigilant next time.

  84. Rafael K. says:

    Hi Clem,

    you said you didn’t work as much for LM as you want, but that’s wrong, I think you did more than before, because LM is the full project, not only the distribution. So it’s really good, that this happened, because sometimes you need this to get another point of view for some aspects, in this case for security. In this case the aspect is security, which is a reeeally important one. So I’m glad you and all other supporters managed to get this handled that quick. We better have a secure system (one of the main aspects I’m using Linux) than more features 😉

    Thank you Linux Mint Team.

  85. Mintkatze says:

    hi together

    I can also only say: the reaction of LinuxMint was the only right thing to do! Security has to go first! There is no doubt about this.
    And to be honest: I have Avast in my Browser active (Vivaldi-Browser, Chromium-Browser, IceWeasel). And I would greet it, if Avast would bring out AntiVirus-Software for Linux again. Actually they only have packages for Windows. This is a mess. I would like to use Avast in my LinuxMint. For now I use Bitdefender as AntiVirus-Software.

    What is also absolutely right is to switch over to HTTPS. I have that enabled in ALL my browsers! NO Browser should be without this anymore! Also not Qupzilla. And there comes a question:

    How can I put in Avast and HTTPS Everywhere in Qupzilla?? And the next question is: how can I re-enable Video in Qupzilla??

    Because there I have the problem, that I can hear the sound but I do not see the picture (I use html5 and NO flashplayer!! I uninstalled flashplayer!).

    And Why I use Bitdefender this has the background, that I also got attacked! I lost one external Harddrive to this bullshit Malware Locky! This is so ugly. I lost so many absolutely personal files which I partly cannot recover!

    That’s why I also take updates twice a day now for LinuxMint as well as for Bitdefender.

    And what’s also strange: youtubeUnblocker got removed from IceWeasel a few days ago without me being able to interact or stop this. The information I got is, that youtubeUnblocker would mean a risk to IceWeasel and a stability risk. This sounds strange to me. Because this was NEVER before! And the next strange thing I discovered is, that one discussion-platform – Disqus – no longer works on all my browsers. That worked without problems before.

    So I have the somehow strange feeling, that my system could perhaps have been corrupted. That’s why I am currently downloading an iso-Image of Makulu-Linux and I also would like to get a fresh and clean Iso-Image of LinuxMint.

    So my question is: are the servers of LMDE clean again?? Can I download there again without risk??

    And one thing to the point gufw: why gufw?? There is another firewall in Synaptic called firewalld! Firewalld is better than gufw. It also has a gui and is not too difficult to set the settings.

    Greetings
    Mintkatze

  86. Mintkatze says:

    And what I wanted to add:

    Thank you Clem and Team for the hard work you did to protect us users. There I want to be honest and say my big THANK YOU to you and your team. And to be honest: this user who attacked you, I have seen here in the forums the weeks before the attack happened!

    So I think, you got attacked by one of your own users. This user should be blocked and banned from the Forums and from LinuxMint!

    I also dislike very deep when users of such a nice distro do such things. This is not fair. No way!! Such attacks are also not only illegal, they are also against international law.

    That’s why I deeply hope, that this user will be caught by police and be brought to court!

    No one has the right to attack such a good Distro like LinuxMint. And also no one has the right to be disrespectful to other good Distros like Makulu-Linux or even Manjaro-Linux. And this is why I would like to stick with LinuxMint or even Makulu-Linux. And then I would try my best to get all the Mint-sources into Makulu-Linux. I do not want to miss the good things on LinuxMint. Perhaps there should also be a partnership between LinuxMint and Makulu-Linux. Because Makulu-Linux is also debian-based.

    But what I would say is: do NOT put SE-Linux into LinuxMint. SE-Linux has been written by NSA and this is an NSA-Backdoor for LinuxMint. I can only warn about that. This would harm the dist and your users. Because this backdoor makes it easier for NSA to spy out your distro and your users. This would be the wrong way.

    Greetings
    Mintkatze

    Edit by Clem: Hi Mintkatze, please send us any info you have on the user you mentioned. You can reach us by email at root@linuxmint.com.

  87. Mintkatze says:

    hi 17 Georgi

    I want to refer to your comment:

    “17 Georgi says:” (March 1st, 2016 at 8:02 pm)

    “This is not a wasted week, Clem. Security is important part of the distro and of it’s infrastructure so don’t blame yourself and keep up! We can wait for a new release, one week is nothing. 😉”

    I see it from the same angle. Before a new distro can be published, this problem with this attack has to be solved first place. So it is really nothing waiting another week. And you are right: one week more is nothing. And I am willing to be patient.

    Clem and his team did a very good job on reacting onto this matter. And it is really right to work together with such AV-producers like Avast, Bitdefender, Kaspersky and others. And so these AV-producers should return back and setting up AV-Software for Linux, not only for Windows. For this, these AV-producers have to be blamed. I had done visits to their webpages the last months. But I never found AV-Software for Linux on their webpages except by Bitdefender. They are – currently – the only producer who support Linux and us LinuxUsers. This is a big problem!! Also in these times of Cyberwar by using such Malwares, State-Trojans (like our german government does it, the british government, the canadian government, the us-Administration, the australian administration, everyone).

    So I would really say: we should pressure up these AV-producers to put better support into Linux. We Linux-Users are also affected by such bullshit Malwares and Mac is currently also. I found a report by zdnet, that Mac-Users currently fight a hard lesson with a Malware-Hacker:

    http://www.zdnet.com/article/mac-malware-prompts-speculation-of-hacking-team-resurrection/

    This is so unfair! I think this is, because Apple does not work together with the FBI, which is absolutely right!! Apple is absolutely right to refuse, because the FBI is working in favour of the NSA who want more and even more spying on us Users. I think, NSA is pressuring the FBI to force Apple and this is disgusting!!

    This is highly illegal state-War against us Users. And if nobody pays attention, this might cause – at the long end – a new nuclear world war 3! Our politicians are so crazy!! They don’t see or do not want to see what they are doing so badly wrong!!

    And then such things happen with such attacks on LinuxMint and other Linux-Distros. This must be stopped by international courts. Such politicians and such crackers (the word hackers is not correct in this point, it needs to be crackers) need to be brought to court, sentenced to lifelong prison and then be jailed!!

    Why the word hacker is wrong in this context:

    Hackers are the professional whitehats like Chaos Computer Club and others.

    Crackers are these highly dangerous Blackhats!

    Greetings
    Mintkatze

    Edit: I would like to stick with LinuxMint and so I think we should have a respin of LMDE.

  88. Fernand Dionne says:

    Hello, I would like to thank the Team for all their effort and great work. I have been on Mint for 3 years and loving it!
    I have erased Windows in over 60 customer computers and replaced it by Mint, and they are all very happy. So keep up the good work!

  89. Clem says:

    Hi everyone,

    Just a quick note to let you know we’re starting processing donations again. We’ve been flagged for SPAM (we had to send more than 100,000 emails to warn forums users after the attacks) so it’s possible you might not receive an email from us.

    The donation page was modified to show the donations for the last 30 days: https://www.linuxmint.com/donors.php

    We received more than 600 donations since the 9th of February, so there’s a bit of a backlog. We’re hoping to get through them this week-end.

    Many thanks to all the people who donated to us. Please accept our apologies for the inconvenience.

  90. Maou says:

    Can you catch the bad guys who did this?

    Anyway, keep up the good work.

  91. Mintkatze says:

    hi 90 Maou

    I also hope, that the police will catch these bad guys who did this. And to be honest: one of them – his nickname is Peace – I had seen here in the Forum some weeks before the attack. And there he already started to criticize LinuxMint for SecurityLeaks.

    And so I think, he was already planning his attack at that time.

    So one thing for more security in LinuxMint should also be a closer look of all of us Users here, if such critics show up here. Because such critics should be sent to Clem first and then to these AV-producers to retest this in the laboratories and NOT out here in the wild. This endangers Millions of users.

    So here in the forums, we should have a closer look at such users. OK, security leaks must be talked about, if the AV-producers confirm them in their laboratories and if Clem can also confirm it after retesting.

  92. Mintkatze says:

    @ Clem

    I come back to this point from you:

    “Edit by Clem: Hi Mintkatze, please send us any info you have on the user you mentioned. You can reach us by email at root@linuxmint.com.”

    OK, I will try to do that. Because there is plenty of stuff out in the Internet about this thing. There have been lots of articles about that and there, this user was also mentioned.

    Greetings
    Mintkatze

    Edit by Clem: Thanks but please don’t link or quote hackers interviews or FUD, that gives them credit.

  93. Quiroga says:

    “Edit by Clem: Hi, there’s really no need to disrespect other projects. Whatever their size, their quality and your opinion about them, we can talk about Mint without promoting or insulting other distributions.”

    Hi, Clem. My apologies for my words, I meant no disrespect.
    I’m a linux newbie (and probably always will be). I appreciate your work. Linux Mint is a great distro for those unfamiliar with Linux.
    Problems help us grow, develop, learn, and become stronger.
    I would suggest in the next Linux Mint release a presence of Antivirus and a clearer update manager. Levels 4 or 5 are very confusing for linux newbies.
    I like this linux community and my apologies for my words.
    My words only express what I feel. I’m a simple user, we have the power to choose. Success and the best for Linux Mint.
    Thank you for your time reading this comment.

  94. mean_hamster says:

    The way you handled this situation is simply fantastic. Great job Clem - my first ever donation is on the way 🙂

  95. peter e says:

    @Quiroga
    I apologize for jabbing at you. Your heart is in the right place.
    … perhaps someone could start a wiki specific for Mint flavors (including LMDE) highlighting Security.

    BTW: the Debian wiki is rich with a ton of info…
    https://wiki.debian.org/FrontPage

  96. Quiroga says:

    @peter e says

    I’m only concerned about security. My questions: how secure is Linux Mint? Is it safe to use for a child? Who maintains this website? Are the donations enough to maintain the distribution?

    I would like these questions answered. I use this distro, but should I recommend this distro for a friend, for my boss or for my son?
    I’m not a child. We are talking about free software provided by whom? In the past I paid for Windows and antivirus and I had no problems. But Windows and office software is expensive for me and many other people in poor countries. It’s a responsibility to provide software for other people. It’s my opinion.

    A good week for all.

  97. Mike G says:

    Excellent work Guys! Notice the unflinching support and undeniable solidarity on this page? That’s because we believe in you and will ALWAYS stand by you. KEEP YOUR HEAD UP!

  98. Kenneth Scharf says:

    For the past two days I haven’t been able to update, some of the files do not load during the refresh operation. I tried changing mirrors, but this made no difference. I can manually (apt-get) attempt an update and upgrade, but haven’t seen any new packages in two days. Is this related to the server attack?

  99. Mintkatze says:

    hi Clem

    again thanks for your absolutely right and great reaction to this. You did absolutely right!
    And also thanks for the new ISO-images in the download-section. I got me a fresh ISO-Image and reinstalled this morning.

    But one question:

    I tried to install gufw, rebooted.
    But: I did not find it anywhere in the menu, so that I was not able to configure it. So I switched back to firewalld, which I installed by Synaptic. This worked now for me.

    And I wanted to tell all users, that one more thing for security is, that one should install the Avira-Browser Addon really in ALL Browsers. Avira brings even more security. Then I found in the Addons-Section, that the Bitdefender-Quickscan-Addon as well as McAfee Scan Plus detection Addon are not available for Firefox/IceWeasel 44.0.2. These Addons should be updated.

    They could help us, to Scan better for Malware and such things.

    Then I suggest, that one should also install the AntiVirus Program by Bitdefender. In the Internet, you find it in google with “Bitdefender for Unices”.

    Greetings
    Mintkatze

  100. ttjimera says:

    Mintkatze, gufw appears as “Firewall Configuration” in the menu, under “Preferences.”

  101. peter e says:

    @ ttjimera
    “location of gufw” I suppose that depends on your desktop environment (and the Menu in use…)
    in Mate (menu bar) it is in Applications/System Tools.
    But all of that is in the Mint Wiki

  102. ttjimera says:

    peter e, sorry, I forgot to mention, I am using Cinnamon. Thanks for the reminder.

  103. Shian says:

    { 73. Quiroga says:

    I’m concerned about linux mint security. I like this linux distro and for me it’s a nice replacement for windows 7, but there are some things which seem wrong:
    a) the project does not issue security advisories
    b) It’s a community project, funded by donations
    c) Linux Mint website looks very amateur
    … }

    Reply:

    1. Windows is proprietary, closed-source software; therefore it’s impossible to estimate its vulnerabilities.

    2. Linux Mint is open-source, therefore vulnerabilities are exposed and security can be improved instantly.

    3. A commercial company will not report to its users about each hack or critical vulnerability. Using a commercial OS does not mean that your data is safe.

    4. Most users probably donate their money for improving Linux Mint OS itself; not for maintaining a fancy/expensive website.

    5. Windows OS is really vulnerable to malware. I’ve seen it at work on a daily basis, as a registered Windows user, for many years. It was one of the reasons that I’ve decided to give Linux a try.

    …Just trying to be more realistic.

  104. Rogier de Groot says:

    Keep up the good spirit!!

  105. Martin says:

    All these new connections and friends made during this attack only made Mint stronger and better.
    Good job. Good luck to the team.

  106. Richard Sierakowski says:

    Hi Clem and team.

    Excellent work in the manner that this hack was mitigated. Hopefully this will encourage confidence in the Mint users. The open and honest way in which this was disclosed is highly commendable when compared to the secretive manner used by companies motivated by financially exploiting their customers.

    Hopefully this wake up call will result in much more attention and effort being applied to security and encryption for Linux users in general.

    Users also have a responsibility to check their downloads against published check-sums to ensure they have a valid copy. These procedures are necessary to keep criminals and government agents out of citizens’ private systems. These check-sums need to be published on numerous sites to reduce the risk of having them maliciously replaced.

    I hope users will be generous in their donations to help fund all the extra work required to improve security in the Mint Linux systems.

    Well done for all the work that is required to produce such a first class system.

    Richard

  107. Florian says:

    Great response guys, can’t believe this just happened but keep up the good work!

  108. mikef90000 says:

    Surprised no one has mentioned alternatives for verifying the ISO SHA-256 values. The package ‘gtkhash’ is a nice standalone GUI for doing this. The companion ‘thunar-gtkhash’ also adds it to the thunar context menu.

    Nautilus-gtkhash and nemo-gtkhash are available for those file managers.
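
The check described in comments 106 and 108, as an added example that is not part of the original thread or Linux Mint's own tooling: hash the downloaded ISO and accept it only when checksum lists obtained from several independent places agree with each other and with the file. The file name, the `sha256sum`-style list format and the sample data are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_list(text):
    """Parse sha256sum-style lines: '<64 hex>  name' or '<64 hex> *name'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            entries[name] = digest
    return entries


def verify_iso(iso_path, checksum_lists, min_sources=2):
    """Return (ok, reason). checksum_lists maps a source label to its list text."""
    name = os.path.basename(iso_path)
    published = {}
    for source, text in checksum_lists.items():
        digest = parse_checksum_list(text).get(name)
        if digest is not None:
            published[source] = digest
    # A single source is exactly what an attacker replaces along with the ISO.
    if len(published) < min_sources:
        return False, f"only {len(published)} source(s) list {name}"
    # Disagreement means at least one published list has been altered.
    if len(set(published.values())) != 1:
        return False, f"sources disagree: {published}"
    expected = next(iter(published.values()))
    actual = sha256_file(iso_path)
    if actual != expected:
        return False, f"hash mismatch: file is {actual}"
    return True, f"{name} matches {len(published)} sources"


def demo():
    """Constructed sample: a small stand-in 'ISO' and hand-made checksum lists."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "example-distro.iso")
        with open(iso, "wb") as handle:
            handle.write(b"constructed stand-in for an ISO image\n" * 1000)
        line = f"{sha256_file(iso)} *example-distro.iso\n"
        forged = "0" * 64 + " *example-distro.iso\n"

        all_agree = verify_iso(iso, {"website": line, "mirror": line, "list": line})
        one_list_replaced = verify_iso(iso, {"website": forged, "mirror": line})
        only_one_source = verify_iso(iso, {"website": line})
        with open(iso, "ab") as handle:
            handle.write(b"appended payload")  # simulate a modified image
        iso_modified = verify_iso(iso, {"website": line, "mirror": line})
        return all_agree[0], one_list_replaced[0], only_one_source[0], iso_modified[0]


if __name__ == "__main__":
    print(demo())
```

Sources only count as independent when someone who controls one of them cannot also change the others; three lists served from the same host are one source.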

  109. Don Paga says:

    Did you ever publish a full postmortem on this? It would be an interesting read and I think it would improve user confidence immensely in Mint’s security measures.

  110. Brian36 says:

    Thanks Clem and the Team for the quick response and the production of a usable operating system. It works for me. I suppose I must look into the anti-virus side of things, perhaps some advice on might be useful. Now the distro is so popular we must expect the bad-boys to get interested. (LM 17.3 Mate user on desktop and various laptops.)

  111. Mintkatze says:

    hey together,

    I wanted to come back to you all and say that firewalld works nice for me. And to add: I checked the whole menu after installing gufw under “all programs” even after a reboot and it wasn’t there. So I uninstalled it again and installed firewalld instead. There the Icon turned up immediately and it is also nicely configurable.

    I also installed Avira Browsersafety now in all Browsers so far. And I also contacted Avira for the addon in Qupzilla. I found out, that this addon is not available for Qupzilla. I would like to have it there also. One more thing I am missing in Qupzilla is the Addon NoScript. Adblocker is there and highly configurable. I have this enabled.

    But one question for future development of LMDE:
    can we have the Midori-Browser back into the Distro again?? Midori is also nice, lightweight, opensource and is based on Firefox so that the Firefox-Addons work in Midori too. This would be a nice replacement for Firefox alongside with Qupzilla, IceWeasel, Chromium-Browser and Vivaldi-Browser. Vivaldi-Browser has a Debian-Repository. So why not having these Browsers side-by-side in peaceful co-existence??

    Greetings
    Mintkatze

  112. Dupo says:

    Hi,

    happy that all things are all right for Mint now. 🙂

    @Clem: Will it be possible to have a 32bit Uefi support for Linux Mint 18 ?

    Thanks.

  113. aimeelw says:

    @ mikef90000, I agree with you about gtkhash, I use this myself and also have the Nemo plugin as well, makes it really quick and easy to check ISO or any file from within Nemo :o)

  114. Piedra del Nilo says:

    Hi
    Thanks: Clem, Team, Avast, phpBB, eUKhost and AYKsolutions, Kaspersky for help my favorite OS Linux, of course to community Linux wonderful workers minds, (sorry I don’t know English) oh! and Sucuri excellent job. I love you all.

  115. Mintkatze says:

    hi together,

    I just downloaded, installed and tested Midori-Browser today and I found it really enjoying. Video is working out of the box, it brings many Addons out of the box (Adblocker, NoScript, and several others). It is opensource and lightweight. I learned – that instead of being based on firefox – that it is the same webkit-technology like Qupzilla.

    And what is wondering me: since I installed Midori-Browser today, Video has come back to working in Qupzilla, what was not working before. I don’t know, why that is. But I am happy about that.

    So I would really again suggest, we bring back Midori-Browser into LinuxMint as a replacement for Firefox. And I would really enjoy if Qupzilla, Midori, Chromium-Browser and Vivaldi-Browser would exist peacefully besides each other in LinuxMint. All these browsers have their right to exist. I think, it should be the right of choice by the users, which browsers they install and use.

    And I would like to know, that Clem would think about this idea??

    Then another suggestion would be, if LinuxMint could get another nicer default-Background. Perhaps something in a green mint colour??

    Greetings
    Mintkatze

  116. bensocket says:

    Thanks to the Linux Mint Team who did all the work to make mint safe again and also to make the website safer.
    Really love mint…it is like the best linux distro 🙂

    thanks again

  117. ttjimera says:

    Has anything just changed in the Community Website? I cannot sign on with my old password (I was able to do so a few days ago). So I requested a password reset. But after I signed on with the new password, I cannot find any place where I can change my password. Anybody?

    Edit by Clem: Hi, we had to make the change before making the announcements, but here is the explanation: http://blog.linuxmint.com/?p=3013

  118. leonard e ray says:

    As a retired/disabled marine/army vet and as a retired CompTIA A+ IT Professional who is living on a fixed income and cannot afford to give donations like I wish I could, please know that I find your professionalism and your patience a godsend. I have been running Mint for many years now and recommend it whenever asked what OS a person should use. You guys are Tops in my book.

  119. Radish says:

    @Mintkatze

    When you install GUFW its launch shortcut shows in the menus here:
    Menu > Preferences > Firewall Configuration

    You can also find it in:
    Menu > Preferences > System Settings > Firewall

    This is something that really needs to be dealt with, as it is confusing that GUFW is named as three different things in the Software Manager, the Menu and the System Settings.

    Really it should just be named GUFW throughout. That gets rid of the confusion.

  120. ttjimera says:

    Thanks Clem for the explanation.

  121. Walt Thiessen says:

    I stumbled upon this after having Microsoft install Windows 10 on my computer this morning without permission. So I started looking around for alternatives, because enough is enough.

    I’m curious to know: have you discovered anything about the perps behind the attack? Do you know anything about their identities?

  122. Tom S. says:

    Hello Mint Team !
    Thanks for the detailed and honest statement about the current situation around Linux Mint. Through this incident, all have learned. There is no reason not to stay true to Linux Mint… This incident does not diminish the quality of your fantastic work or the best operating system Linux Mint! Once again my sincere thanks! I look forward to Linux Mint 18 and will financially support the project also in the future! Greetings from Germany! (Sorry for my bad English 😉 )

  123. Tom Golem says:

    March 08, 2015 14:35 CST
    “Failed to fetch http://mirrors.liquidweb.com/ubuntu/dists/trusty-updates/main/i18n/Translation-en Hash Sum mismatch”

    I know this is about a Ubuntu mirror and not Mint… but…
    Is this simple downtime/maintenance or could the “Hash Sum Mismatch” be further attempted tampering by hacking at Ubuntu?

  124. Tom Golem says:

    re: 121
    Seems to be resolved. I still wonder.

  125. LinNewb says:

    Dear Sirs/Madams,

    Thanks ever-so-much for giving people a choice, from what appears to be malware like behaviour on other proprietary software.

    Installed/tested Mint, only to hear about this.
    I’m not swayed.
    Keep up the good work.

    Thank you.

  126. Clark Stafford says:

    update manager hasn’t worked in a while. Maybe a week. Related?

    Edit by Clem: What error message do you get? Is it due to Chrome stopping support?

  127. Jim (JR) says:

    Clem,

    (quote)
    Dylan says:
    March 1st, 2016 at 9:20 pm

    Hello, Clem:

    Wonderful, wonderful, wonderful blog post; since I first heard about the attacks, despite all the FUD I was seeing, online, I had every reason to believe that I and every other Linux Minter would see such a blog post. The simple reasoning behind this is the following: this is what and, more importantly, perhaps, HOW you do things.  Your post was exactly what we expected, open and honest, thorough, professional, and well-written. I wish you nothing but the best, with continued happiness and success; thank you for everything you do for us, the Linux Mint community. To Clem and the entire Linux Mint community: Well done, ladies and gentlemen…well done.

    Goetz says:
    March 1st, 2016 at 3:26 pm

    You wrote: “… the attacks took all our focus and we didn’t work on Linux Mint as much we’d want …”

    Actually, you worked on what is Linux Mint. Security is important.
    (/quote)

    Hear hear!

    I could go on and quote almost the entire thread – it is (almost) all spot-on.

    I think the real take-away for us users is not that you were hacked, or that you stomped on it quickly; what is most important to me is that you stepped up, took ownership, and were HONEST AND OPEN about what happened. Stepping up like that takes a set of Brass Balls, at least 3 feet in diameter!

    We all hate to be caught with our pants down. We especially hate having to own up to our mistakes. (or even to admit that we were schmucks in the first place :))

    I appreciate, more than you can possibly know, how forthright you all were about this. There are many O/S’s out there, including Linux distros, that are not this transparent.

    As far as I am concerned, though despicable, this sordid episode only serves to add to Mint’s burnished glory.

    If anyone is interested, here is an article I wrote on Mint awhile back.
    http://www.qatechtips.com/2013/03/all-hail-mighty-mint-new-king-of-linux.html

    I will probably be writing another article soon on the way Mint’s maintainers step up when the going gets tough

    Keep up the good work.

    Jim (JR)

  128. william says:

    Excellent news!

    I’d like to support the area concerning better information and documentation. As the end-user I have found it very difficult to grapple with what are essentially “issues at a systems level” because the whole-picture is not clear at the big-end of the telescope.

    A case in point was an issue about connecting with wired-USB networking. “Yes”, everything configured is accessible. “Yes” you can eventually dig, and poke, and google, and run some scripts, etc. … Until; you find something that helps. That’s just networking and interfaces.

    Security is ‘more’ complex or ought I say too often seen as “too much trouble” than other issues based on personal observation. I’d like to urge some important attitudes to adopt around these systems areas.

    1. Clarify the big picture — What is configured; Where are the config-s; What are the dependencies and dependents. Make diagrams or process-flows, etc. Ensure information is accessible.

    2. When you know where to look, ‘live’ config-s may-be and should be checked and verified. That lets me know that my system is as it should be and has not been re-configured or changed (see #3).

    3. Look for tools that verify holistically. For example given a set of network dependencies (let’s say config files and shell script files) … We should be able to generate a SHA256 (or better) id for the entire concatenated file-set. That kind of thing can be checked easily at boot time by a little background job. But it isn’t as easy to do until the big-picture is clear.

    4. Keep it Simple, Keep it Easy, and Keep it Robust. The example above, #3 is simple. It needs to be easy otherwise folk will defer, delay and dump whatever is offered. Has to be robust to be trustworthy.

    5. And whatever is provided/offered, it has to be TRANSPARENT. Too much of many operating systems’ distro-s and set-up-s are either, or both: Opaque and complex (messy) enough to make them non-transparent. When I need to poke and peek and google, etc. that means the solution / threat is hidden from me. A dedicated (or bored) teenager can dig-into a possible attack-vector whereas I can’t because I probably don’t know where to begin.

    In other words complexity or under-documented inter-dependence make my system security and privacy Transparent to the //enemy// and opaque and dense to me and helper. Transparent security is a good thing. Transparent system config and alignment is a good thing. It helps defend and counter threats.

    6. Make security an end-user-admin power. Don’t be like Apple and make it a “vendor” issue. Ensure the power is with the owner.
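
A sketch of the check from point 3 of comment 128, as an added example that is not part of the original comment: one SHA-256 identifier for a whole set of configuration files, compared against an earlier snapshot. It goes one step beyond the literal "concatenated file-set" by hashing each file under its own name, because a bare concatenation keeps the same digest when bytes move from one file into the next; the file names and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def file_records(root, relative_paths):
    """Per-file SHA-256 and size, keyed by the path relative to root."""
    records = {}
    for rel in sorted(relative_paths):
        path = Path(root) / rel
        if path.is_file():
            data = path.read_bytes()  # configuration files are small
            records[rel] = {"sha256": hashlib.sha256(data).hexdigest(),
                            "size": len(data)}
        else:
            records[rel] = None  # a missing file is itself a change to report
    return records


def fileset_id(records):
    """One identifier for the whole set: hash of the canonical JSON manifest."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def naive_concat_id(root, relative_paths):
    """The literal 'concatenate everything' digest, kept only for comparison."""
    digest = hashlib.sha256()
    for rel in sorted(relative_paths):
        digest.update((Path(root) / rel).read_bytes())
    return digest.hexdigest()


def diff_records(baseline, current):
    """Names of files whose record differs between two snapshots."""
    return sorted(rel for rel in set(baseline) | set(current)
                  if baseline.get(rel) != current.get(rel))


def demo():
    """Constructed sample: two small config files, then a boundary-shifting edit."""
    files = ["interfaces", "resolv.conf"]
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "interfaces").write_bytes(
            b"auto lo\niface lo inet loopback\n")
        (Path(root) / "resolv.conf").write_bytes(b"nameserver 192.0.2.53\n")
        baseline = file_records(root, files)
        naive_before = naive_concat_id(root, files)

        # Move the last line of the first file to the front of the second:
        # the concatenated byte stream is identical, yet both files changed.
        (Path(root) / "interfaces").write_bytes(b"auto lo\n")
        (Path(root) / "resolv.conf").write_bytes(
            b"iface lo inet loopback\nnameserver 192.0.2.53\n")
        current = file_records(root, files)

        return {
            "naive_unchanged": naive_concat_id(root, files) == naive_before,
            "id_changed": fileset_id(current) != fileset_id(baseline),
            "changed_files": diff_records(baseline, current),
        }


if __name__ == "__main__":
    print(demo())
```

The baseline snapshot has to be kept where an intruder cannot rewrite it (read-only media or another machine); stored next to the files it describes, it only detects accidental changes.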

  129. Eddie G. says:

    To all the men and women involved in the creation, development, maintenance, and promotion of the Linux Mint distribution:

    You are held in the highest regard by me and my family. I first “turned” my mother (who’s 70!) on to Linux Mint when it was still on version 12! (Her Windows XP machine gave up the ghost and I was loath to put another version of Windows on her Dell Inspiron!) With the install of Mint (MATE desktop) she was able to navigate and use her PC without problems, she even updates it by herself. Add in the LibreOffice suite, and the Thunderbird email client, and she’s never been happier with her laptop. My sister (who’s an IT network engineer) didn’t even KNOW what OS was on Mom’s laptop! She kept pestering me to show her the ins and outs of it, and now? She uses it, her husband uses it, her oldest son uses it,…my two younger brothers use it, my uncle, his wife and their children use it! MY 14 year old son uses it….and I’ve gotten almost 20 more people to make the switch! Your OS is truly a godsend, and I applaud you on your vigilant efforts to keep it safe from the idiots out there who would do it harm. Keep up the good work, and know that all your efforts are NOT in vain! You are?…..what Microsoft WISHES Windows was!! LoL! Cheers!

    EGO II

  130. Merry says:

    My second post on this blog – the first was just after the security breach. Thanks for all your hard work, I just made good on my donation pledge 🙂 I am committed to Mint now. Interested in your comments on Gufw – I enabled this shortly after I started using Mint Cinnamon 17.3. I also installed ntop as I missed the “live” picture of network connections I could get with Kerio 2.1.5 on my XP system.

    I like to keep an eye on things: Is there a simple “network activity” indicator that could be linked from, say, the network history aspect of system monitor to the other activity indicators/notifications area? This I would find useful.

    I have been so impressed with Mint – in order to switch from a familiar OS to an unfamiliar one it really helps when something is a pleasure to work with.

  131. Merry says:

    “…and we need something people can use to quickly and easily configure outgoing traffic…” – Strongly agree – I have found that finger-print (MD5) control of applications wishing to make connections (out) is helpful in maintaining control: is there a GUI process monitor making use of ufw that can do this for Mint?

    If new or modified (and therefore potentially malicious) networking applications are activated you get the chance to deny them access until you have investigated further. It doesn’t slow things down much (super user password to accept replacement of process / application) and is a useful backstop of software defence if your system becomes compromised – assuming root isn’t compromised of course – but if that point is reached I guess you have to regard your system as a rebuild project anyway.

  132. Dustin says:

    Thanks for being open and honest about what happened. That alone made me choose this distribution over all of the rest. (I’m sure there are others that have the same ideals, but I haven’t witnessed it yet.) I’m an application developer (10+ years) and it is very refreshing to see someone own up to their mistakes and take accountability. You rarely see that in the industry. Please do not wander from this philosophy. 🙂

  133. nfew says:

    Would you consider re-releasing ISOs to include patches for CVE-2015-7547 – i.e. to include at least version 2.19-0ubuntu6.7 of packages libc6 and libc-bin?

    It’s quite a serious vulnerability and it would be nice to be able to run from a live CD without being exposed to this exploit.

    (I believe upgrading after booting would not work because patching reliably requires a reboot).

  134. LowTekk says:

    I know you guys are still securing the site and the forum, but I’ve been skittish about coming back to Linux Mint since the hack, and I really don’t like any other distro anymore. Could you please let me know if the repositories have been completely vetted since the attack? I really don’t want to finish my book on any other distribution. It just wouldn’t feel right.

  135. DarrenG says:

    @LowTekk, as widely reported the website and forum were hacked through a WordPress vulnerability. As I understand it that is completely separate to repositories and mirrors. If you didn’t download 17.3 cinnamon on the 20th and you don’t use your forum password for your email and banking (which nobody should!) then you have nothing to worry about.

  136. LowTekk says:

    @DarrenG, when I found out about the hack, I stayed abreast of the situation, and I read that the level of access the hacker acquired made it possible for him to gain access to the repositories. While it was not said that the hacker had actually done anything to the repositories, I also didn’t see confirmation that they had been thoroughly scanned and verified as unaltered. Perhaps I missed the post containing this confirmation, and I hope I have, because I really do want to reinstall Linux Mint.

    Edit by Clem: I’m sorry to be blunt. I’ve also read a lot of nonsense after the attacks but this is new to me. Only one server was compromised and at the time it included the forums and the main website.

  137. DarrenG says:

    @LowTekk, may I refer you to Clem’s comments at http://blog.linuxmint.com/?p=2994#comment-125110 ” we didn’t find any trace of hacks affecting the repositories.” and at http://blog.linuxmint.com/?p=2994#comment-125663 “The repositories are functional and they were checked so you can apply updates.”

  138. Warlon says:

    @clem, what are your thoughts on this: https://www.reddit.com/r/linux/comments/407hgu/free_software_needs_marketing/

    Would it be a good idea to couple each LTS release with a kickstarter (or similar) campaign to gather more funding? This additional income could be used for example for marketing and/or to hire professional graphic designers and usability experts to give every long term release that extra polish.

    Edit by Clem: I don’t think we need more funding, well we can always do with more, but we don’t need to ask for more anyway. We’re very well funded, I can’t thank people enough every month for how generous they are with us. It fuels our development and we recently started to talk about allocating a budget to the moderation team as well. Now, on the problems described there, I agree. It’s time we lack because outsourcing also takes time. For instance we want to redesign the website, and we can’t just throw money at it, we need to decide what we want, review designs, work with artists etc.. and it’s not our main priority during the cycle. When events like the recent attacks happen, it also impacts our ability to work on things like that. Ideally we’d have a team of artists within Linux Mint and we’re very well able to fund it, but there again, they need guidance, you can’t just put people together and let them work on their own, you’ll have a problem of empowerment at some stage and you need to be there, at the very least in the first few months before they can start taking over and working on their own. If there are artists out there, and they’re patient enough and interested in making Mint look better, I strongly suggest they meet the team and start hanging around on #linuxmint-dev (irc.spotchat.org), we always need to make things look better… every time there’s a new feature developed, in Mint, in Cinnamon, on the website, the blog, the forums, backgrounds, gtk themes, icons… there’s a lot to do there.

  139. unimatrix725 says:

    I just noticed this and how I missed it is unknown. I guess the title should not be “Mint RootKit, etc”. So my question is what should be looked for on a live system or installed system? Just the /var/lib/man.cy script? I cannot recall the exact date I re-installed Mint, but it was last month sometime. I am scanning with rootkithunter and have already put absentvodka.com in my hosts file. Will this be sufficient? I would greatly appreciate any help or scripts and/or IPs provided. Also thanks for Mint and keep up the great work!

  140. nickmartin says:

    If your goal is simply trying a good Linux firewall of ClearOS, why not outsource everything else?

    Here is the explanation: https://www.clearos.com/linux-servers-for-small-business

  141. Quiroga says:

    “we always need to make things look better”

    Hi, Clem.

    I suggest that you and your team clarify your position.
    Users should know some things: Serious project or a hobby distro? Future of this distro? Do you have enough resources to maintain this distro? Security vs stability ?!
    Security first. So many people use this distro with love: childs, businessman, women’s, poor and rich people, noobs and experts. Do you understand?

    Ubuntu, Windows, Fedora are safe to use. It’s true. And Linux Mint?
    People need security. I admire your courage and honesty. I only try to help.
    Mint 18 with security, spins for different people’s interests and good partners (company partners, sorry I’m not a linux fanboy).
    I promote Linux Mint in my country because I believe in Linux Mint.

    Success and the best for Linux Mint and his team.

    Edit by Clem: Do you know how trivial it is for us to ship Linux Mint 18 with all 5 levels and kernel updates enabled by default? It’s a change we can do in a few seconds. If we did that, we’d end up with roughly the same security policy as Ubuntu. We don’t do it, because it’s not good enough. Because that’s what you get when you blindly apply security without caring about regressions. It’s something Fedora and Ubuntu can’t change because they never worked on security vs stability and never gave their users the tools to configure it (well, to be fair, Ubuntu did work on staging so some people are randomly picked to guinea-pig for others). I don’t like pointing the finger and I don’t think criticizing competing projects makes us look better, so I’ll be brief. The web is full of fake Windows ISOs and Ubuntu forums got breached just like ours a couple of years ago. If anything these are signs of success, not weakness. It means these projects are important enough to attract unwanted attention. If you’re asking us if we know our audience, if we take our work seriously and if we put thoughts into our security vs stability policies, yes very much so, and when doing so we considered what was done in competing projects, we learnt from it and we did better. I’m sure we can do better still, but we’re already ahead in many respects. We already explained why we thought the security policies in Windows and Ubuntu were not acceptable, some people leave these OS and migrate to Linux Mint precisely because of that. We’re not in the business of dissing the competition though, we just focus on bettering what we do. Of the three projects you mentioned, only one is significantly larger than ours, in resources, funding and user base, yet it’s probably the project which has the most learning to do when it comes to user experience and protecting its audience. 
    We take everything very seriously here, our users, our resources, our goals, other projects (and it’s funny you mentioned hobby-distros, because being serious doesn’t mean looking down on them, but quite the opposite, learning from their experiments), that’s how we learn and that’s why we’re in the position we are in.

  142. Sybren B says:

    Hi Clem! In short, I love the simplicity of Linux, I use Mate on my 10 year old fujitsu siemens, and it’s working better than ever! Even with double screens!

  143. VEGalin says:

    @Quiroga, yes, we always need to make things better goes with “we always need to make things look better”. It’s some kind of Yin-Yang thing after all. And that’s right, the balance is very important of course.
    But Clem’s truth, like the truth of Father, is to make things better. That’s his truth of Father of Mint.
    Even with all his tenderness, tact, feeling of beauty, he is not able to tell every weeping poor motherless child the sweet lies that ALL is secure, you’ll NEVER die, and even if, it’s not soon… the truth of Mother…
    But now, when Mint has grown up, to get rid of a significant Yin-Yang disharmony around Mint is a great new challenge for Clem. The Mother approach is needed to be enhanced. Fortunately, in the loving user hands, Mint OS as herself is felt like a very well balanced weapon, excellent tool, outstanding product. No matter ‘serious project or hobby distro’ is she, or both. Who really cares… She helps and thanks for a gift of Mint.

    BTW nobody living can tell the future of distro, the future of ourselves, when we gonna die, or not gonna… and so on. Nobody living can tell enough or not enough are the resources to maintain somewhat, or somebody. Everybody use personal calculations and evaluations for these purposes. Who else cares…
    I think that nobody can clarify the position of Mint even more than it has already been done by Clem and the team. And I consider, not said means not decided yet.
    Too many challenges for Clem at the same moment still…
    Not to say about a new dress for Princess Sara… boys stuff is already not suitable for this lady, so many people will come to see her… (Mac-os 10 will be in haute couture though of ages, Win10 – in pret-a-porte of quality…). Mother Mint is needed again 🙂

  144. François Blais says:

    Windows is safe to use?
    Wow.

  145. Shian says:

    {139. Quiroga says:

    Hi, Clem.
    I suggest that you and your team clarify your position.
    Users should know some things: Serious project or a hobby distro?

    Ubuntu, Windows, Fedora are safe to use. It’s true. And Linux Mint?
    …}

    Reply:

    1. Answer to yourself:
    Is Clem not a serious person?
    Does Linux Mint look like a toy?

    2. Excuse me, Windows is safe? I don’t think that any security agency or important government office, or police, will take your word for this.
    Certainly, Microsoft has enough money and power to convince a cow to buy rotten milk. (it’s not against anyone, it is the reality. period.).

    3. I don’t know about Ubuntu or Fedora, but Linux Mint is constantly improved and offers great interface and features which many people like. What’s the rush? Don’t you trust Linux Mint’s team?

    Please be more realistic and don’t rush.
    There is no “safe” OS in the world, unless it is locked in a box and a dragon is sitting on it.

  146. random happy user says:

    uhm… reading post 139 makes me wonder if ppl use their brain cells at all.

    “Windows is safe”? safe for who? Do you mean safe (and rather easy) for criminals to force in and profit? It’s so safe gov agencies that rely on it are still on XP… cuz it’s safe I suppose. Not that more recent releases are that better… windows is the most used desktop OS, that doesn’t mean it’s secure. Yeah, I do think Clem is right on this one.

    Now, I don’t know Clem (really knowing someone takes years), but I can judge on the actions… let’s see, did that big bank tell you they got compromised (no)? and that console maker did tell you the user data was compromised (no)? no business will ever tell you if not forced. That said Clem did tell us, which is good I’d say.
    About “security”: let’s face it, there’s no such thing, even if the offline box with a dragon sitting on top of it seems a secure place for your data, being a dragon master I could’ve the dragon itself give me the stuff, all for a piece of seasoned meat.

    Security is about being as secure -as possible-, and this needs to meet with the other requirement: talking about OS I think usability is one.
    The “security” argument on Mint is an old one; I personally don’t fully approve “stability before security”, but it’s a choice made by Clem and team, you can’t really change it. While they should keep the OS secure (patching vulnerabilities as fast as possible) I suppose they are right keeping old stable SW; after all new versions could introduce new issues too. Still I’d like some more “active” patching for vulnerabilities.

    Edit by Clem: I think we learn the most from the past. If we’re talking about security vs stability we need to look at people whose box was hacked due to a missing update vs people whose box didn’t restart due to an update. The thing when it comes to that is that there isn’t ONE truth or one size fits all. Some boxes aren’t sensitive or targeted but they’re maintained by people who can’t troubleshoot.. there stability is key. Some boxes are sensitive and/or targeted and maintained by experienced users and there stability isn’t as important and security is much more interesting. With that in mind, our first job is to make things configurable and to ship defaults which reflect most of our audience. That’s done already. Our second job is to make things understandable and easy to switch, and we can improve that. Ideally we never want to hear “I got hacked cause I didn’t take update X” (and we didn’t, yet), or “X no longer works after I updated Y” (we hear it too often to our liking but we know it happens much more frequently in other OSes, other distros, or even on your smartphone than in Linux Mint… it’s the nature of software development, new code means new bugs, we reduce that to some extent with levels and LTS but there’s still a bit of exposure to it, at least on non-critical components). The truth is, you’ll never be 100% safe from attacks and you certainly will never be 100% safe from regressions (unless you never take an update), but you’ve a team here who’s really thinking about the pros and cons and all that, and the many ways to make you aware of it and configure it to your liking. We improve our update manager all the time, in every release, because this can always get better.

  147. Quiroga says:

    Hi, Shyan.

    For example: where is Linux Mint privacy and policy?
    Linux have Nsa backdoors too. I know it and i don’t see anything wrong with this.
    Terms of use? Collected users information?
    You and the community should ask Clem and his team about this questions.
    Yes. Read the ubuntu terms of use, or windows if you want.
    I ask this questions but i only receive silence. In past i asked ubuntu and microsoft and they wrote me an e-mail talking about this questions.
    If you donate money for this distribution you have the right to know how things work.
    Cheers.

    Edit by Clem: Feel free to ask us anything, we’re at root@linuxmint.com. Please be patient, we get a lot of emails, but we try to answer as many as we can. Regarding terms of use, there aren’t any other than what’s dictated by licensing on individual packages. We don’t actively collect user information (I say actively, because we ship and use programs which do, but we don’t ourselves.. if that makes sense… for instance Firefox records what you visit, the passwords you accept it to remember etc etc.. phpbb records your email, IP etc.. and so on). If you have any doubts on anything in particular, do email us.

  148. Shian says:

    reply to 143. Quiroga:

    – “where is Linux Mint privacy and policy?”
    Privacy contracts cannot protect you. The law is illusive.

    – “Linux have Nsa backdoors too.”
    Secret agency will not ask your permission for nothing.

    – “Terms of use? Collected users information?”
    “terms of use” are there to protect the company – not you.

    – “… should ask Clem and his team about this questions.”
    Then you must ask these questions to each and any site you log into.

    – “Yes. Read the ubuntu terms of use, or windows if you want.”
    Again, “terms of use” are there to protect the company – not you.

    – “I ask this questions but i only receive silence.”
    The answer is simple: it’s impossible to guarantee total privacy.

    – “i asked ubuntu and microsoft and they wrote me an e-mail”
    Formal e-mail can’t protect your privacy.

    – “you have the right to know how things work. Cheers.”
    Clem is honest with us in this situation. that’s how it works.

    Not Windows, Linux Mint, Ubuntu, Android or FreeDOS can protect you from fraud. Because fraud is dishonesty, and it’s up to you to trust or not.

    All the best.

  149. random happy user says:

    @Shyan: while my 1st post awaits moderation… You got it right, things work just as you wrote; sadly, some ppl just don’t want to see.

  150. p brennan says:

    this is my first laptop i thought linux would be ok???? recommended on windows forum for older laptops now i been using linux before the dreaded date how will i know if i have to reinstall. i downloaded and put it onto cd and booted do you think it is safe??

    Edit by Clem: Check the live CD, see if you see a /var/lib/man.cy. If you don’t, you’re ok.

  151. w says:

    if they can change the dl links they can change the advertised checksums

    i’d put the dl page and sums on a static html page – no CMS – maybe on a dedicated subdomain and cert downloads.linuxmint.com or something

    also run automated checks of listed mirrors – download the iso and run a checksum

    the package downloader checks the packages so i’d opt for a small/light netinstall iso which pulls the most up to date packages anyway.

    just my .02

    PS big fan of the great work done on this project 🙂 looking fwd to rolling out new shiny cinnamon/mint/ltsp thick clients soon.
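
The automated mirror check suggested in comment 151, as an added example that is not part of the original comment and not Linux Mint's own tooling: each mirror's copy of an ISO is hashed and compared against a checksum list obtained from a separate trusted location. The mirror names, `sample.iso`, and the `open_stream` callback are hypothetical, and the sample data is constructed in memory so the block runs offline.

```python
import hashlib
import hmac
import io

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name') into {name: digest}."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or not set(digest) <= set("0123456789abcdef") or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        pinned[name] = digest
    return pinned

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a multi-GB ISO never sits in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def audit_mirrors(pinned, iso_name, mirrors, open_stream):
    """Return {mirror: 'ok' | 'MISMATCH' | 'ERROR: ...'} for one ISO.
    open_stream(mirror, iso_name) is a hypothetical callback returning a binary stream."""
    expected = pinned[iso_name]
    results = {}
    for mirror in mirrors:
        try:
            with open_stream(mirror, iso_name) as stream:
                actual = sha256_stream(stream)
        except OSError as exc:  # unreachable mirror: report it, keep auditing the rest
            results[mirror] = f"ERROR: {exc}"
            continue
        results[mirror] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results

# Constructed sample data: in-memory "mirrors", one of them serving altered bytes.
GOOD_ISO = b"constructed ISO payload " * 1000
SAMPLE_MIRRORS = {"mirror-a.example": GOOD_ISO, "mirror-b.example": GOOD_ISO + b"altered"}
SAMPLE_SUMS = hashlib.sha256(GOOD_ISO).hexdigest() + " *sample.iso\n"

def open_sample(mirror, iso_name):
    """Stand-in for a network fetch; unknown mirrors fail like an unreachable host."""
    if mirror not in SAMPLE_MIRRORS:
        raise FileNotFoundError(mirror)
    return io.BytesIO(SAMPLE_MIRRORS[mirror])
```

Calling `audit_mirrors(parse_sha256sums(SAMPLE_SUMS), "sample.iso", list(SAMPLE_MIRRORS), open_sample)` flags only `mirror-b.example`. The check is only as trustworthy as the source of the checksum list, which is why the comment pairs it with a static page kept apart from the CMS.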

  152. hal says:

    will we be able to update newer Gnome software/packages (for example brasero 3.20 or some other gnome softwares) easily (via update manager) when new Gnome 3.20 is released? thanks


Trackbacks & Pingbacks