[Durham] Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
mark at aktivix.org
Thu Feb 25 09:32:08 UTC 2016
> Please be aware that the Mint website was compromised recently,
> and hacked ISOs were uploaded containing a backdoor.
Fortunately, nobody I know seems to have been affected by this.
For some time now, me and some other Mint users have been advocating
for some simple improvements in security and I really hope we'll be
taken more seriously now.
The main things we were asking for were to use a stronger hash
function than MD5, to sign with GPG, to integrate the signing key into
the WOT, to move the forums to a different machine from the main site,
and to implement TLS on the main site (i.e. the site with all the
download links on it).
From what's been written, it seems that the attack used a WordPress
vulnerability to get a www-data shell and thence edit the download
links. So that is a reminder to us all that we should keep our webapps
on different machines from other things, I think. And to have
nightmares about our IoT devices.
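The checks asked for in the message above (a hash stronger than MD5, plus a GPG signature from a known key) fit together as follows. This is an added example, not part of the original post or any Mint tooling; the function name `verify_iso`, the file names and the fingerprint argument are assumptions, and the fingerprint must be obtained out of band rather than from the download site.

```shell
#!/bin/sh
# Added example: authenticate the checksum list, then check the ISO against it.
# Usage (all names are placeholders):
#   verify_iso image.iso sha256sum.txt sha256sum.txt.gpg <40-hex-key-fingerprint>
# Return codes: 0 ok, 1 bad signature or wrong key, 2 ISO not listed,
#               3 listed digest is not SHA-256, 4 digest mismatch.
verify_iso() {
    iso=$1 sums=$2 sig=$3 fpr=$4

    # 1. Signature first. A checksum file served by the same web server as the
    #    ISO proves nothing if that server is compromised, so require a valid
    #    signature made by the expected key (signing key or its primary key).
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null |
        awk -v f="$fpr" '
            $2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
            END { exit !ok }' || {
        echo "signature on $sums is not valid for key $fpr" >&2
        return 1
    }

    # 2. Look up this ISO in the authenticated list
    #    (sha256sum format: "<hex>  name" or "<hex> *name").
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 2; }

    # 3. Refuse weaker digests: SHA-256 is 64 hex characters, MD5 only 32.
    [ "${#expected}" -eq 64 ] || {
        echo "entry for $name is not a SHA-256 digest" >&2
        return 3
    }

    # 4. Hash the download and compare.
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || {
        echo "SHA-256 mismatch for $name" >&2
        return 4
    }
}
```
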