[sf-lug] Linux Mint iso files hacked.

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sun Feb 21 15:21:03 PST 2016


Color me not surprised at all.

One of the things that has always caused me to not consider Linux Mint to
be a "serious" Linux distribution, is they *never* established a
trust path to their ISOs!  Sure, they'd put a hash of the ISO on their
web site.  But not even SSL for the web site, and no signature for the
ISO file.  Always struck me as rather amateurish in that regard.
No trust path, no assurance that the ISO hasn't been compromised
or the download hasn't been man-in-the-middle attacked.
https://groups.google.com/forum/#!topic/berkeleylug/_go2zAGX1o8
http://buug.org/pipermail/buug/2014-November/004056.html
http://blog.linuxmint.com/?p=2361#comment-93804

Even where they post about the compromise:
http://blog.linuxmint.com/?p=2994
They give no trust path to the hashes (and egad, still using md5sum, at that).

Well, *maybe* they've finally gotten around to putting up a detached signature
file for their distribution, but they still don't make finding trust
path very easy.  And ... only 1024D?  Still, really?  And is there trust
path to the signing key?

<sigh>
http://news.softpedia.com/news/linux-mint-website-hack-a-timeline-of-events-500719.shtml

> From: "Bobbie Sellers" <bliss-sf4ever at dslextreme.com>
> Subject: [sf-lug] Linux Mint iso files hacked.
> Date: Sun, 21 Feb 2016 14:11:08 -0800

> Hi LUGers,
>
> Just in case anyone got this recently:
>
>     Linux Mint iso files hacked!
>     IF you downloaded a Linux Mint iso on February 20, 2016
> It may be compromised with a backdoor.
> Full story and comments(read them) at:
> <http://betanews.com/2016/02/21/linux-mint-hacked-iso-image-compromised/>
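
The trust path discussed in the message above, as an added example that is not part of the original post or of any Linux Mint tooling: the checksum list is accepted only if its detached signature was made by a key whose fingerprint the user obtained out of band, and only then is the ISO compared against it. Assumptions: `gpg` is installed with the signing key imported, the checksum list is in `sha256sum` format (SHA-256 rather than the md5sum the message criticizes), and the function names and the `check_sig` parameter are hypothetical.

```python
import hashlib
import hmac
import os
import subprocess


def signer_fingerprint(status_text):
    """Primary-key fingerprint from gpg --status-fd output, or None if no VALIDSIG."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            # Token 12 is the primary key's fingerprint when gpg reports it;
            # otherwise fall back to the signing key's fingerprint (token 3).
            return (parts[11] if len(parts) >= 12 else parts[2]).upper()
    return None


def verify_signature(sig_path, data_path, pinned_fpr):
    """True only if gpg reports a valid detached signature made by the pinned key."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    pinned = pinned_fpr.replace(" ", "").upper()
    return proc.returncode == 0 and signer_fingerprint(proc.stdout) == pinned


def expected_digest(sums_text, filename):
    """Look up filename in sha256sum-format text ('<hex>  name' or '<hex> *name')."""
    for line in sums_text.splitlines():
        digest, sep, name = line.partition(" ")
        if sep and name.lstrip(" *") == filename:
            return digest.lower()
    return None


def file_digest(path):
    """SHA-256 of a file, read in 1 MiB chunks so a large ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, sums_path, sig_path, pinned_fpr, check_sig=verify_signature):
    """Authenticate the checksum list first; only then trust the digest it contains."""
    if not check_sig(sig_path, sums_path, pinned_fpr):
        return False
    with open(sums_path) as f:
        want = expected_digest(f.read(), os.path.basename(iso_path))
    return want is not None and hmac.compare_digest(want, file_digest(iso_path))
```

A hash fetched from the same unauthenticated site as the ISO skips the first step entirely, which is why a matching checksum alone gives no assurance.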




