Linux Mint Website Hacked, Users Tricked Into Downloading ISOs with Backdoors

Just a few moments ago, Clement Lefebvre, leader of the Linux Mint project, informed users of the popular, Ubuntu-based distribution that the servers where the Linux Mint website is hosted have been hacked to point the download links to specially crafted ISOs.

According to Mr. Lefebvre, it appears that a group of hackers created a modified Linux Mint ISO, which included a backdoor. Then, they hacked into the Linux Mint website and modified the download links to trick users into downloading the malicious ISO image.

More on the Story

  • Linux Mint hacked, ISO images compromised

    The Linux Mint team revealed today that compromised ISO images of Linux Mint have been distributed from the official website on February 20th, 2016.

  • Linux Mint website hacked, malicious ISO offered on Saturday

    In a surprising announcement, Clement Lefebvre -- head of the Linux Mint project -- said that the Linux Mint website had been compromised and that the hackers were able to edit the site to point to a malicious ISO of Linux Mint 17.3 Cinnamon edition on Saturday 20th, February.

    If you downloaded the Cinnamon edition prior to Saturday or downloaded a different version/flavour (including Mint 17.3 Cinnamon via torrent or direct HTTP link) you aren't affected. It's worth mentioning that since the issue was caught, everything has since returned back to normal now so it's safe to download the Linux Mint ISOs again.

  • Beware of hacked ISOs if you downloaded Linux Mint on February 20th!

    We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

  • Linux Mint downloads (briefly) compromised

Latest on Linux Mint

Response and Lessons

  • All forums users should change their passwords.
  • Backdoored Linux Mint, and the Perils of Checksums

    Someone hacked the website of Linux Mint — which, according to Wikipedia’s traffic analysis report is the 3rd most popular desktop Linux distribution after Ubuntu and Fedora — and replaced links to ISO downloads with a backdoored version of the operating system. This blog post explains the situation.

    [...]

    Besides the fact that the website isn’t available over HTTPS so network attackers could change those MD5 checksums to whatever they want as you load the blog post, MD5 is entirely broken and has been for many years. MD5 should never be relied on for verifying that you have the legitimate version of a file. It would not be difficult for someone to generate a backdoored Linux Mint ISO that has the same MD5 checksum as the legitimate ISO. Likewise, while SHA1 is considerably stronger, it also should not be used for security purposes anymore. Wikipedia’s SHA1 article says: “SHA-1 is no longer considered secure against well-funded opponents.”

  • Lessons from the Linux Mint Hack

    Unless you’re completely unplugged from the Linux news media, by now you’ve heard about the exploit that affected both the Linux Mint WordPress site and the Linux Mint 17.3 Cinnamon edition.
