Canonical Developer Warns About Banking With Linux Mint
sfcrazy writes "Ubuntu developer Oliver Grawert does not prefer to do online banking with Linux Mint. In the official mailing list of the distribution, Ubuntu developers stated that the popular Ubuntu derivative is a vulnerable system and people shouldn't go for online banking on it. One of the Ubuntu developers, Oliver Grawert, originally pointed out that it is not necessary that security updates from Ubuntu get down to Linux Mint users since changes from X.Org, the kernel, Firefox, the boot-loader, and other core components are blocked from being automatically upgraded." Clement Lefebvre, the Linux Mint project founder, has since made a statement and confirmed that Oliver Grawert seems "more opinionated than knowledgeable" adding "the press blew what he said out of proportion."
Nice job Oliver - we really needed more ammunition in the Everyone vs Canonical battle.
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
If you can't say how good your product is, tell everyone how shitty everyone else's product is.
Too bad I use sudo apt-get dist-upgrade!
The guy is obviously lacking in basic social skills. Sadly the Ubuntu developers and forum admins are alienating themselves rather than doing anything useful for Linux.
TFS makes it sound like it's a long article about how Linux Mint is insecure.
Here's the entirety of his commentary:
The makers of Zeitgeist are concerned about privacy??
... I don't want anything more to do with Canonical, or Ubuntu, or Mint, or any of that lot. I'm sticking with Debian. I'm sure it has its problems and all, but at least the politics seem to remain mostly internal. These public pissing matches between distros just seem so counter-productive. But since I've been using Linux (1998), it seems to be a constant. Ego issues? I don't know. I don't particularly care. It's just so boring and off-putting.
Why would you want to use a different distro where you don't know what could happen to your personal info? Here at Canonical we build the selling of your private info right into the menu!
worry more about using 'secure' https in your company.
more often than not, there will be a corp firewall there and you can bet that if you did not build your entire software system yourself (ie, install your own distro from scratch and solely control its root pw) that you have a bogus cert or two installed and you'll get MitM'd.
windows, macOS, linux - does not matter. if you go thru a corp router, you are probably not secure.
--
"It is now safe to switch off your computer."
And nothing of value was lost.
Bye!
Delete the preferences file in /etc/apt. Simple solution.
So everything that is a derivative of something else is vulnerable?
Isn't Ubuntu a derivative of Debian?
I'm a good cook. I'm a fantastic eater. - Steven Brust
Everyone who knows anything about security and follows linux distros, of which mint is popular enough for it not to slip under the radar; these people should know mint doesn't have security advisories nor mailing lists nor a security "team" such as its grandparent distro. What is canonical thinking? They must like stirring the shit up. What do they have to gain from doing this? They're already on everyone's shitlist.
It's not surprising he'd try to bash Mint, considering they ate part of Ubuntu's marketshare when Ubuntu made stupid design decisions. That's what happens when you try to cram weird GUI changes down people's throats in open source.
Don't move my Close, Minimize, and Maximize buttons to the left side by default unless you're going to provide some spectacular improvements in return. I tried using it that way for a couple days and was still reflexively clicking on the empty right side to close the window. Eventually I found a config mod that fixed it, but then they went to the stupid Ubuntu mobile desktop and I couldn't be assed to work around it any longer so I switched.
It's worth mentioning that if you don't like Ubuntu repos, Mint also has a version based directly on Debian.
Good!
May they suffer.
I found this interesting Google+ post from the Muktware article comments.
I tell them to use GNU Hurd. It can't actually visit your bank's site, so there's no risk. Plus I think any applications that actually do run, are in userland, and hence are pretty slow. As a result, my clients spend less time on their computer, and more time wheeling and dealing.
The banksters have AT LEAST ten times your money. It's the law and they are doing God's work, so don't ask questions.
Linux Mint creator's take:
http://segfault.linuxmint.com/2013/11/answering-controversy-stability-vs-security-is-something-you-configure/
Summary: Nothing to see here; Let's move on.
Another person on the same thread:
http://benjaminkerensa.com/2013/11/18/linux-mint-stay-calm-make-free-software
Summary: Nothing to see here; Let's move on. Oh, Mate is cool.
The quoted developer:
http://ograblog.wordpress.com/2013/11/18/lots-of-canonical-in-my-mouth/
Summary: Nothing to see here; the Press sucks, let's move on. Oh, Mate is cool.
Don't use Mint on Mint.
(Ubuntu, which never ever mentions the word Linux on its websites and webpages)
482 of the Top500 supercomputers run Linux, and China’s Tianhe-2 is the fastest
http://www.linuxbsdos.com/2013/11/18/482-of-the-top500-supercomputers-run-linux-and-chinas-tianhe-2-is-the-fastest/
Enjoy!
This is just another piece of evidence that confirms my suspicions. Canonical has been threatened by the Mint project for years now. This is not the first interview that has come out with an Ubuntu dev speaking ill of Mint, and I'm sure it won't be the last.
Somewhere, something incredible is waiting to be known. -Carl Sagan
Ubuntu is in a rut. They're not making money, growth is plateauing, its mindshare is diminishing. It's questionable if they'll ever make a profit. I mean why Ubuntu over Novell, Oracle or RedHat for enterprise stuff? RedHat is a billion dollar publicly listed company. Novell is owned by Attachmate Group (a billion dollar revenue company) and Oracle poops money.
The Ubuntu Edge was a hail Mary pass that failed. They lack the revenue (and wherewithal) to get into hardware and no hardware maker wants to partner with them.
I have to wonder, when will Shuttleworth stop? Would it be extreme to say Canonical is a failed company? At what point is Ubuntu going to transition into a community driven OS? Ubuntu TV is vapourware, their phone OS relies on someone willingly flashing their Nexus. They've totally fucked their Desktop OS and it's unclear why anyone would select them for enterprise support considering the breadth of their competition.
If you believe you are safe, think again.
Oh, it gets worse than that... much, much worse...
Quo usque tandem abutere, Nimbus, patientia nostra?
Ubuntu developer Oliver Grawert does not prefer to do online banking with Linux Mint.
"prefers not" would be a less ambiguous way of putting it. But hey, you just copy-pasted the whole thing, it's not like Slashdot expects you to write summaries in your own words. Oh wait, they totally do.
One of the Ubuntu developers, Oliver Grawert, originally pointed out that it is not necessary that security updates from Ubuntu get down to Linux Mint users since changes from X.Org, the kernel, Firefox, the boot-loader, and other core components are blocked from being automatically upgraded.
Err, what? I honestly can't be sure what this means. First, Grawert was already introduced in a previous line of the summary/article. Doing so again is just confusing, but even more so is that it's impossible to tell whether this second sentence, containing as it does the word "originally," is meant to agree or disagree with the idea that Mint is vulnerable.
systemd is Roko's Basilisk.
Compare this with the Slashdot article title:
Whether he is technically right, or not, I find it disgusting that such a side note becomes news on Slashdot.
By the way, the subject was another new distribution based on Ubuntu, similar to Mint, therefore the Ubuntu developer actually encouraged an Ubuntu derivative.
Because Year of the Linux Desktop went from being a joke to just being sad. Look at what Google accomplished with Linux yet the desktop folks are still bickering and blaming users for the lack of adoption. It is a clear example of where "dogfooding" doesn't work, Microsoft does it too little and the desktop Linux community does it too much, everything seems simple and intuitive when you have spent so much time on it and have a keen interest in it but the average user (90%+ of the target audience) doesn't. That is why this issue with MINT seems like a non-issue to MINT users and developers, they actually understand the perils and benefits of pulling in these updates but an average user does not and this is not clearly communicated to those average users either but by all means continue to just say these users are idiots and move on ignoring them.
Face it, Linux isn't for everyone and may never be. So fucking what? It's good for the people that use it. It's been my desktop since 1999 when I finally retired my Amiga 3000. It's the desktop of choice of a lot of people. I've seen the average windows user and guess what? They mostly don't know what they're doing. The overwhelming majority of windows users happily install malware on their computers on a daily basis. That's the desktop we're shooting for in the Linux community? Average users are going to fuck up their systems regardless of what platform they use.
I warn people away from Ubuntu and towards Debian or another reputable distro that is not selling your info and loading your OS with ads and spyware. Yes, if you are sending info for targeted ads you are bundling SPYWARE.
Ubuntu has tainted the water. It's not a safe OS.
Do not look at laser with remaining good eye.
Where Amazon can watch you and tailor ads based on your balance.
Mint has no security. They intentionally run with access control disabled on the X server (xhost +). Keyloggers and screen scrapers are trivial in this case. Bugs have been filed about this, but Mint considers it working as designed.
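A defensive check for the X server state the comment above refers to, added here as an example and not part of the original thread: it classifies the text printed by `xhost` with no arguments. The function names, verdict labels and sample outputs are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify the text that `xhost` (run with no arguments) prints.
# Verdicts:
#   open    - access control disabled, the state left behind by `xhost +`
#   broad   - access control on, but a host or address-family entry is allowed
#   ok      - access control on, only per-user SI:localuser: entries
#   unknown - text not recognised as xhost output
classify_xhost() {
    cx_verdict=unknown
    while IFS= read -r cx_line; do
        case $cx_line in
            "access control disabled"*) cx_verdict=open; break ;;
            "access control enabled"*)  cx_verdict=ok ;;
            SI:localuser:*|"")          : ;;   # single local user, or blank line
            *) if [ "$cx_verdict" = ok ]; then cx_verdict=broad; fi ;;
        esac
    done <<EOF
$1
EOF
    printf '%s\n' "$cx_verdict"
}

# Run the classifier against the current session, if there is one to inspect.
audit_display() {
    if ! command -v xhost >/dev/null 2>&1 || [ -z "${DISPLAY:-}" ]; then
        echo skipped
        return 0
    fi
    classify_xhost "$(xhost 2>/dev/null)"
}

# Constructed sample outputs (not captured from any real system).
SAMPLE_OPEN='access control disabled, clients can connect from any host
SI:localuser:alice'
SAMPLE_USER_ONLY='access control enabled, only authorized clients can connect
SI:localuser:alice'
SAMPLE_HOST_ENTRY='access control enabled, only authorized clients can connect
INET:localhost
SI:localuser:alice'

for sample in "$SAMPLE_OPEN" "$SAMPLE_USER_ONLY" "$SAMPLE_HOST_ENTRY"; do
    printf '%-7s <- %s\n' "$(classify_xhost "$sample")" \
        "$(printf '%s\n' "$sample" | head -n 1)"
done
printf 'live display: %s\n' "$(audit_display)"
```

A verdict of `open` is the state to correct with `xhost -`; `broad` means a host-based entry admits every user on that host.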
It might not solve all issues, after all, it's not like Ubuntu itself is never hacked. But my solution is to run the Mate desktop over Ubuntu 12.04 LTS and get the best of both. It works great, and avoids the crap that is unity, gnome3, you name it - it's like having a stable version of gnome2 that actually works right. I agree with the commenters on many of the other issues. Unity is crap on a multi monitor desktop. It has built-in surveillance on you for crying out loud, huge icons if you've got 4 24" monitors, that you can't move. I like to be able to put the tic-tac-toe buttons where I wish, I like menu and task bars I can autohide, and put on the monitor I want. I paid for every single pixel on them - don't tell me what I can have on my screen or where I can put it. It's not like I don't have other options. Canonical really stuck its head up its butt in a number of ways of late - and when told so, they said it was our fault for not liking their stupid ideas, which were and are genuinely stupid. Too bad, otherwise they were the good stuff. But they are not alone. Someone figured out that most computers hit the dumpster with the same opsys they shipped with. Since PC sales are falling (the ones out there are all good enough by now anyway, why buy a new one is a good question for most users) - they decided on a "one size fits all" for PCs and mobes. Stupid idea - I have both and use them for different stuff and at different levels of security for that different stuff. It seems the current crop of programmers is too stupid to put in a single boolean - true if PC, false if mobe, or vice versa, and do the rest of the install based on that. Even if my quad monitor setup was reachable by anything but my extended legs and was touch enabled, I'd think this current bunch of Ubuntu stuff was crap for it, what I have is far better, and a lot more usable. It might work out on my nexus, only it's better the way it is already, than unity would make it.
They really jumped the shark on this - in company, but still....
Why guess when you can know? Measure!
Not really. Linux is still the least likely OS to contain backdoors and the most likely community to find and out them.
Linus is not even in the top 100 kernel contributors these days so his opinion on the matter is questionable.
"... NSA Security-enhanced Linux is a set of patches to the Linux kernel and some utilities to incorporate a strong, flexible mandatory access control (MAC) architecture into the major subsystems of the kernel."
The NSA is a contributor to Linux.
"The United States National Security Agency (NSA), the original primary developer of SELinux, released the first version to the open source development community under the GNU GPL on December 22, 2000. The software merged into the mainline Linux kernel 2.6.0-test3, released on 8 August 2003."
OpenBSD, which has multiple people involved in periodic security audits of existing code, would be the operating system less likely. It is a myth that many users means many eyeballs looking for exploits and bugs.
I don't know which community you belonged to but flamewars have happened from the beginning, e.g. Linus vs Tanenbaum, and before Linux there was GNU. You WANT these flamewars to happen because these guys DO things, especially to prove a point. If this issue proves to be a genuine security concern in some cases then expect the argument to end with an improvement of the software you use.
By inferring that Linux in any form or shape might be not worthy of "online banking",
I think this has hurt Linux an immense amount.
He probably just now blocked tens of thousands of people from trying *Canonical*,
because the article reads "*Linux* is not good to do online banking with".
Smooth.
I wonder if he can do anything to repair the damage. :(
Everyone versus Linux. That's the ammunition he gave out for everyone outside the Linux world.
Because Year of the Linux Desktop went from being a joke to just being sad. Look at what Google accomplished with Linux yet the desktop folks are still bickering and blaming users for the lack of adoption. It is a clear example of where "dogfooding" doesn't work, Microsoft does it too little and the desktop Linux community does it too much, everything seems simple and intuitive when you have spent so much time on it and have a keen interest in it but the average user (90%+ of the target audience) doesn't. That is why this issue with MINT seems like a non-issue to MINT users and developers, they actually understand the perils and benefits of pulling in these updates but an average user does not and this is not clearly communicated to those average users either but by all means continue to just say these users are idiots and move on ignoring them.
There is too much navel-gazing attitude in the community, and that tends to produce stuff that only looks friendly to Unix greybeards and those who want to emulate their elitism. Ubuntu has distanced itself somewhat from that unhealthy dynamic, but IMO they are still missing certain ingredients for a successful desktop OS. I think Elementary OS also deserves a mention because although it's based on GNU/Linux, they publicly renounce any status as another "Linux distro" or close association with that subculture... they do not live to be cozy with "upstream" as doing so ensures that whatever you publish will be the product of a consortium of tech committees.
It's the only OS that I'd trust to do online banking these days; BSD jails are flimsy compared to Qubes' XEN domains.
I'd also assume that any OS outfit offering "security" that doesn't have security researchers at its core is handing out a load of jive, especially if their system relies on a traditional kernel for said security.
I will admit it was a nice try at first ... but now it's just a pile of commercial crap floating around the Internet.
I urge the GNU/Linux community to send it to the recycling plant.
I know where you're coming from, but the problem isn't the Linux community -- it's squarely with Canonical, Shuttleworth, and the fans they've taught their attitude to. If you ignore them and just pay attention to the community-oriented distro teams/developers, you'll find that they haven't really changed.
I came to Linux because it's a worldwide community of people driven by their talents to work together and create something great & beneficial; as you said, no politics, big egos or childish bullshit. In the big window-button fiasco 2 years after I started using it, the Ubuntu leadership (echoed by fanboys) openly said they didn't give a shit what the users wanted or needed, and even mild criticism at the forums was leading to bans. Worse, after an update fucked up my install, I decided to try a live CD for another distro and discovered that the "all other distros are too user-unfriendly for regular users" was a load of FUD lies; they were willing to drive Linux users to Windows as long as it kept us from their "competitors"!
I almost gave up on Linux at that moment just because, like you, I assumed that the whole community must be like Canonical/Ubuntu. Luckily the live CD pointed me to Fedora's site, which had an area dedicated to showing users how we could use all different kinds of talents to help out & participate (making me feel wanted & useful) plus a forum full of people being honest without repercussions, and visiting the sites for other distros like OpenSuSE or SimplyMEPIS showed the same thing. I hope you'll be able to find a similar haven and enjoy the good parts of the community.
Now mostly at Usenet:comp.misc & SoylentNews.org (it's made of people!)
That's why I mostly stay away from mint
Last year there was a linux root exploit in the kernel. I tried the exploit and it worked: bang root shell!
So I waited to see when this would be fixed via the usual upgrade path... nothing happened for 6 months.
Until I finally wanted to use my system and so I looked into the reasons why I'm still vulnerable while all other distributions are ok.
So I need to run apt-get to get a new kernel! That's not "ready for the desktop".
Come on! All distributions are so proud to always say that fixes get quickly spread and there comes mint saying: "I won't even notify the end user that he should upgrade his X or kernel because it is vulnerable". That's dumb. Mint is wrong, Ubuntu is right.
Result: I don't like Ubuntu, I don't like Mint. Is there a Mint derivative which does it correctly or do I need to go with Apple?
Atari rules... ermm... ruled.
Mint is a security problem in itself.
It takes ubuntu, and strips it from upgrade, strips it from some updates, for broken reasons.
Why break functionality instead of making the right thing, which would be to limit it by default, for example.
I've been using Mint for about a year now, through 13 and 15. I love how it 'just works' out of the box, but I'm switching back to SuSE today. It takes a little time to configure, but I've never had any trouble with past versions.
Heck no, you don't want these flamewars to happen. What you really want is a respectable level of discourse between the participants. Flamewars are called that because it's all about flaming and not getting to the actual truth about the matter - and for an outsider looking into the discussion, all they see is insults and fanboyism and it gets very hard to know the facts and whether they're actual facts or spin.
Flamewars can be addictive I suppose, but they're the lowest form of "discussion" you can have and aren't productive.
And Google would never, never, sell your information? Not like that dastardly Canonical, or that awful Mint that just gives it away.