Thinkpads Forum

I spent some time on my Mint 17.2 install on my X201T. Nothing really to worry about. I had already added a few security enhancements like GUFW and Firejail and it is obvious at this time that the repositories were not touched by the hack. I don't think the Mint team would have the ability to cover anything like that up even if they intended to which hasn't been their style at all.

So, I have no intention of removing Mint from anything I've installed it on or worrying about the security. In looking at the security of the distro, I find it weak and even sloppy in places but not atrociously bad. Where it is lacking, it can easily be enhanced. It is still much better than any version of Windows I can think of.

sdi-p wrote:Everything you read is an Opinion.
I love conspiracy theories, but critical thinking and logic are required.

Re: Linux Mint
The who, what, and where of this event is hotly disputed. Many writers/posters say things that conflict with the others.
It is difficult to weed thru it all and come up with your own personal theory that rings true.

Options:
Read what is posted here, accept a theory that feels right, adopt it and move on... don't read further.
Do your own web searches and decide what you think the real facts are.

So, on to My Personal Opinion... I believe that the following is true:
1. the recent spoofed Linux Mint downloads with the back door were only Direct Downloads. ISO downloads that used Torrents during the same time frame were not effected
2. the Mint Forums were invaded and your email address, username, and password was harvested.
3. the repositories were Not effected at all

This is a Win Win for all of us!
We are all thinking about passwords, user security, program integrity, reliable sources, etc.
That is Great! Fewer people will be the easy prey for the bad guys.

----
I do suggest that your search includes the Mint website (http://www.linuxmint.com/),
Mint Forums (https://forums.linuxmint.com/),
Mint community Ideas (https://community.linuxmint.com/idea/welcome),
and the two threads on the subject in the Mint Blog (http://blog.linuxmint.com/?p=2994 and http://blog.linuxmint.com/?p=3001).
(Mint Blog is difficult to read, scan down in the comments for posts by Clam and use your browser's Find function and look for "Edit by Clem" ... Clem is the head guy at Linux Mint)

https://haveibeenpwned.com/
http://www.dedoimedo.com/computers/linu ... nsion.html
https://www.youtube.com/watch?v=zvfD5rnkTws
https://en.wikipedia.org/wiki/Linux_malware

all that said, I am a long time Linux user, I have tried many distributions but have settled on LMDE Mate for my personal and office computers. I am Biased, just like all of the rest.

this really creeps me out, because
a. I'm only hearing about it now, sort of randomly thru TPF (bad for timing, but sort of good since I never used the Mint forums?)
2. I downloaded cinnamon 64 on 2/24, which is still a little close to the mark.

I used that to install on the X2001 from emeraldgirl and have been using said-Frankie in my office - reading this thread only just now, immediately tried to ssh and shutdown, just in case, but then luckily he's already sleep/suspend - forgot I had closed the lid before leaving for the weekend.

also luckily I still have the .iso I used to burn a USB, and the md5sum matches what Clem posted. *whew!*

but you're right, we all have our personal theories - IMHO it's not outside possibility that the responses and checksums from Clem could still be suspect.

I do feel reasonably confident that the Mint repos are still safe, given the apparent nature of this hack.

(((but - my work is in forensic security, so I definitely have an unreasonable level of paranoia in general.)))

suggestions for anyone using any sort of flavor of lunix:
- install rkhunter. and make sure to update it. and make sure /etc/aliases ships mail to your actual email. and do a propupd immediately every time you do any sort of system update.
- install chkrootkit
- install fail2ban (yeah ok this won't really help vs. backdoors, but it is still just good practice)

somebody mentioned firejail - that sounds pretty interesting, basically like a linux analogue to sandboxie. for a long time now I've switched to chromium, which runs in its own sandbox, so no need for 3rd-party stuff - but e.g. if you're using Firefox or Thunderbird.

Firejail can do a lot more than the chromium sandbox. Like a lot of software, it can be used simply in a default configuration but it has extensive options if you take the trouble to study it a bit.

It is also very light. It is only around a 300kb download for the base file and less than 100k more for the Firetools GUI widget.

When looking at security, I alway judge the security needs by what I'm actually doing with the laptop. With the Mint install on my X201T, I'm not doing anything that requires a lot of security, mostly light browsing and some media playing. I might not be so casual about it if I was doing banking and finances with it or administering a website.

I just tried KDE5 in the new Kubuntu today. It seems okay. An awesome thing is that they finally made a decent dark theme. On the other hand, the default flat look is not to my taste. I don't like the look of modern Windows, nor I want it in my KDE. Fortunately, it's just optional, and one can simply switch to Oxygen with just a few clicks. As always with new KDEs, it is full of bugs, which I encountered even during the limited time I have used it. I'm not surprised though, as KDE4 became bugless to me only after my final update (4.12 to 4.14, in 4.12 i had graphical bug with pager). Hence, it will take a long time until KDE5 is as polished and stable as version 4, so I will stick to 4 for the coming years. KDE always had a rather weird development cycle combined with inclusion in distributions, where the new BETAs are almost always prefered to a stable version. I'm not sure why, but it certainly doesn't give KDE a good name. Which is a shame, really, because otherwise it's a really great environment. KDE becomes perfect only at the end of it's lifecycle, yet everybody is switching to the new and rough version to be the first to apply the "new and awesome" (many users wanting this though, and then complaining some stuff is bugged). KDE has quite a terrible release planning, which puts off new users as they are subjected to the new and unfinished version, but oh well, it's devs' choice. I'll be staying with 4 at least until 5 is finished (and 6 is in the works). There is no reason for me to use the new KDE5, and I prefer polished and stable over testing release.

Been using Ubuntu Gnome 17.4 for a couple weeks now. Couple bugs vs LTS however overall works well. I would probably recommend 17.4 and definitely recommend the LTS version (16.4?).

I really liked Mint however I had trouble getting 1080p external display resolutions (even with arandr) and odd things with outputting 5.1 (pass thru) which made me switch. Plus, while the Cinnamon desktop was pretty nice it was too much like windows. However its support base (Mint) was great.

I know it will be supported for a very long time I didn't want to get too used to Unity in vanilla Ubuntu. Seems like I'd be setting myself up for disappointment when the day came that I would need to move away from it.

I still use Mint. I think I have an older version 17.1
I like Linux.

Hans Gruber wrote: ↑

Sat May 20, 2017 8:04 am

I still use Mint. I think I have an older version 17.1
I like Linux.

For security I much prefer Debian or LMDE or SolydM
my new daily driver is SolydX with Mate desktop.

Linux Mint gave me problems, after years of LMDE we got a bad update that is still not fixed .... Migration is a chore, but such is life