My Journey to Becoming a Linux End User on Linux Mint
-
Linux Mint is widely considered the best desktop distribution of Linux. It's completely focused on that role and developers two of the leading desktops (Cinnamon and MATE) itself rather than using "just what is on the market." It's the only large market desktop focused Linux option and is absolutely awesome. Cinnamon is far and away my favourite desktop so using it on its native Mint makes sense. Mint is also very stable, heavily tested and maintained and extremely up to date.
What makes something "the best" is pretty subjective, but there is very little competition for Linux Mint when it comes to general desktop use. And it is full of options like Gnome, KDE, LDXE, XFCe, etc. should you want to move between different desktops.
-
So thought of trying Linux Mint, tried downloading the iso and looks like the Linux Mint site is down now!
-
Apparently Linux Mint ISO was hacked and injected a backdoor with it, which could be why they took down the site till that is fixed! http://blog.linuxmint.com/?p=2994
-
@scottalanmiller as per the Linux Mint blog "As far as we know, the only compromised edition was Linux Mint 17.3 Cinnamon edition." You have this version rite?
-
Not good news for open source software.
-
@Breffni-Potter said:
Not good news for open source software.
Not really bad news for OSS in general. Highly embarrassing for Mint. (forking it up
) -
yeah, not an OSS problem, people had the exactly same thing happen to closed source Apple apps. It's a universal problem
-
I did not install from ISO, so probably not impacted.
-
I guess I picked a bad time to try out Mint.
-
Actually, it appears it was just on the 20th, so it looks like I am OK.
-
@BRRABill said:
Actually, it appears it was just on the 20th, so it looks like I am OK.
Or AM I????????????????????????????
-
@BRRABill said:
@BRRABill said:
Actually, it appears it was just on the 20th, so it looks like I am OK.
Or AM I????????????????????????????
As per their post:
How to check if your ISO is compromised?
If you still have the ISO file, check its MD5 signature with the command βmd5sum yourfile.isoβ (where yourfile.iso is the name of the ISO).
The valid signatures are below:
6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.
-
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
-
@scottalanmiller said:
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
They also hacked that on the website, didn't they?
-
I don't have the ISO anymore. Plus, after weeks of learning about never feeling safe with malware here, not sure how anyone could feel 100% safe it was only on the 20th.
If you read further down in their comments, even they say there's no way of 100% knowing.
-
@BRRABill said:
@scottalanmiller said:
In a "do what I say, not what I do" mode, remember it is always good to do an MD5 check of your downloads. Protects against most cases of this kind of thing.
They also hacked that on the website, didn't they?
They might have, can't recall the exact working, on the WordPress site (one more reason I'm scared to death of standing up a WP site). But there were many other sources of the MD5 hash on other pages that were unaffected. Granted that wouldn't help most - why would you ever go out of your way to verify the MD5 has to more than one site.
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
-
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
-
@BRRABill said:
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
Does anyone sign their ISOs today?
-
@Dashrender said:
@BRRABill said:
@Dashrender said:
I saw a question - why not move to a signed ISO, you check the cert signature and you're golden - the Mint guys said they were looking into that.
From the comments on that page, it seems a lot of the stuff the Mint guys were doing were not 100% secure.
Hopefully they can learn from this and move on.
I said to @scottalanmiller it's almost ridiculous how you can't be secure anywhere.
Does anyone sign their ISOs today?
Pretty much all places offer MD5 hashes.
But if I was trying to hijack a distro, I would post an updated hash too.
-
Even the hacker agrees (from an article on ZDNET)...
The hacker then used their access to the site to change the legitimate checksum -- used to verify the integrity of a file -- on the download page with the checksum of the backdoored version.
"Who the f**k checks those anyway?" the hacker said.
