Slashdot Mirror


Timeline Of Events: Linux Mint Website Hack That Distributed Malicious ISOs (softpedia.com)

An anonymous reader writes: The Linux Mint website was hacked last night and was pointing to malicious ISOs that contained an IRC bot known as TSUNAMI, used as part of an IRC DDoSing botnet. While the Linux Mint team says they were hacked via their WordPress site, security experts have discovered that their phpBB forum database was put up for sale on the Dark Web at around the same time as the hack. Also, it seems that after the Linux Mint team cleaned their website, the hackers reinfected it, which caused the developers to take it down altogether.

188 comments

  1. forum by Anonymous Coward · · Score: 0

    why put up the forum for sale? they totally gave themselves away... what noobs

    1. Re:forum by KGIII · · Score: 5, Insightful

      They were selling the database. The PMs aren't encrypted in most forums, I'm not sure about phpBB. The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords. They'll have email addresses that tie in with usernames. They'll know a little about the person so spear phishing is a possibility as is just plain phishing.

      I've got some data involved in this one. Nothing major, nothing important. I am not the least bit concerned. I did not download any of the torrents. I do have the legit versions of the .ISOs seeding - all current versions and some older versions - going back to at least v. 14. So, it sucks but it's not the end of the world - unless this damages their reputation so much that people bail on them.

      I like Linux Mint. I call it Linux for Retards - which means that I can use it without even looking at the manual. They're well supported, give access to the Ubuntu ecosystem, a cautious and safe build, and not a horrible community. I have a laptop with me that has Cinnamon on it. They'll be okay.

      But, there's a few things that make the database valuable. The emails and username combinations are a good start. They can then do some work and figure out more personal traits and then attempt some social engineering, phishing, and even targeted malware - if they want to invest enough energy.

      --
      "So long and thanks for all the fish."
    2. Re:forum by Anonymous Coward · · Score: 0

      Probably not a lot of useful stuff if they sold it for $85

    3. Re:forum by lucm · · Score: 3, Informative

      Remember that such an exploit is merely a way to create zombies, and a huge botnet of thousands and thousands of active zombies can be rented for a few dollars per hour. It's not a very lucrative market when you consider the labor and risk involved.

      That explains why those hackers who got caught by the FBI a few years ago were immensely thrilled when they made $7,000 in bitcoins.

      --
      lucm, indeed.
    4. Re:forum by KGIII · · Score: 4, Interesting

      Probably not. You know they like Linux, you've got a known working (verified) email address, you've got a username, you might be able to make some sort of personal profile based on forum comments. You can check locations with IP addresses but that's not always a certainty. You can probably narrow down which is their preferred Mint. Depending on what they've said in public (and maybe in private) then there's some potential to assign that profile to a person. If they've used the email and/or username elsewhere, they can put some more data together.

      It really depends on what they're willing to put into it for effort. $85 is pretty cheap but they're probably not selling it as an exclusive so others will be targeting the users. They'll probably be coming through the data. It's a relational database so they may even automate some of this away (I would) and then simply start running reports. They might even have a way to weigh the data and find the more prominent posters and "mash up" what data they've shared. They'll potentially have some of the site's maintainers, admins, and even the dev team interacting with each other via PM. They might have even been dumb enough to PM passwords to each other.

      But no, really that's not much. Not as far as data spillage goes, it's not much at all.

      --
      "So long and thanks for all the fish."
    5. Re:forum by arth1 · · Score: 1

      The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.

      They can brute force their way to at least some of the passwords. And given that there's likely an overlap between the group of people who choose insecure passwords and people who reuse passwords on other sites, it doesn't take a lot of hits before the yield is valuable.

    6. Re:forum by KGIII · · Score: 1

      Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?

      --
      "So long and thanks for all the fish."
    7. Re: forum by Anonymous Coward · · Score: 0

      Yeah right, hacked.

      A Linux "distro" maintained by one guy who previously laced it with malware is now suddenly hacked and serving up more malware.

    8. Re:forum by shawn2772 · · Score: 1

      Doesn't phpBB use different salts for each user? If they do and if I am understanding properly then I'm not sure how far they'll get? Though, to be clear, I am not 100% certain that I'm understanding everything correctly. They really shouldn't be able to do much in the way of brute forcing?

      Doesn't matter.

      Unique salt (which is the only way to do salt; there's zero reason to bother salting if the salts aren't unique), just means that each password has to be brute forced individually. But passwords can be tested so fast that a high percentage of passwords on most sites are found with only a few minutes effort, so brute forcing is well worth the effort.

      Passwords suck, and they're getting worse all the time.

    9. Re:forum by KGIII · · Score: 1

      How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?

      I'm really positive that I'm missing something. Thanks for your patience. ;-) What am I missing? They're all unique so they'd have to be done individually. Why (or even how) would they be futzing with the hash instead of just attacking the login system and resolving it like that with dictionary and then brute force methods? Even if they "brute force" it that way then they're not really even dealing with the hash as that'd do them no good in figuring out the next one in line.

      Give me 20 minutes and a good search function and I can probably find the limit checks in the script and comment them out. I don't have a brute force tool and dictionary built (currently) but I can find one in a few minutes via Google. I'd be brute forcing the password, however. I'd not really be brute forcing the salted hash. The end result is the same, of course. :/

      --
      "So long and thanks for all the fish."
    10. Re:forum by Antique+Geekmeister · · Score: 1

      > The passwords are salted and hashed so they're not gonna be digging out rainbow tables and getting passwords.

      No, they can merely apply brute force guessing techniques to verify password guesses. I've seen no hint that the distributed work and very effective ruleset of Alec Moffett's old "crack" password guessing utility have ever yielded less than 10% of any DES or now 3DES based list of hashed passwords.

    11. Re:forum by thogard · · Score: 2

      Brute forcing hash based passwords involves getting a program like John the Ripper or one of the versions that supports the bit coin mining hardware and just asking it to try a trillion of the most likely passwords in a few seconds.

      I find it entertaining that many security experts are claiming sha-256 hashes are more secure than older weaker hashes yet I can spend less than $1,500 and buy hardware that will try more than 2 trillion sha-256 hashes a second, yet the cost to do the early md5 based passwords is now significantly higher.

      I would like to see a mod of John the Ripper so it could be used as a PAM module to say "Your password would be found in round 4 using the rule 'substitute digits for letters'".

    12. Re:forum by arth1 · · Score: 1

      How exactly are they brute forced? I guess that's what I'm not getting. If they'd be doing simple brute force, why bother with the hash at all and just not authenticate it on a server that they control? How would they brute force the hash - and wouldn't each one be unique? It seems to me that's just a waste of time when they can use phpMyAdmin (for example) import the DB, and just use a local version of phpBB with timeout or attempt limits nullified from the script?

      Going through a login interface is orders of magnitude slower than brute forcing the passwords from extracted hashes in specialized cracking programs. You load in the hashes and salts and run a fast loop with the hashing algorithm over millions of guesses in the same time it takes to do just a handful of guesses against a login interface.

      And even though it's brute force, it's not dumb brute force. First, dictionary attacks including passwords found on other sites, permutations of words, letter substitutions and simple appending of digits are tried. A lot of passwords fall within a few seconds from that. Then an actual exhaustive search taking into account letter frequency distributions and adjacent letters more often found in passwords. Given a list of thousands of passwords, that will knock down some of them fairly quickly, no matter how secure the hashing algorithm is.

    13. Re:forum by KGIII · · Score: 1

      Alright. I'm kind of getting it. Needless to say, I've not gone password cracking in a very, very long time. Err... I'm a bit more responsible these days. I'd also like to avoid felonies. We used to have some neat ways to just hammer on the regular user/password combos in a dictionary attack and get plenty of hits. If you can refine that to specific usernames, you're way ahead and there are a lot more cheap compute cycles kicking around now. I think I'm going to just continue to observe and pay attention as opposed to trying my hand at what's happening today. The landscape is much different and the penalties for doing so are much higher - as well as the likelihood of being caught.

      --
      "So long and thanks for all the fish."
    14. Re:forum by KGIII · · Score: 1

      Yeah, that'd probably be faster than punching through the phpBB script's login function. I'd have just built a local phpBB instance and pounded on it after removing the timeout security checks and captcha if applicable. I've not done anything of the sort in a very long time. I'm not going to start up now. But, that's how I'd have gone at it. Start with dictionary then brute-force. It should be fast enough as it's being run locally. Anyone without a complex password is gonna be found pretty quickly. Unless I'm missing something. As I mentioned in my other reply, the landscape has changed and it's a felony to go out poking at stuff like that. Screw that.

      I guess I could build one out and just populate it with a little data and see what happens. That's not a crime. Then again, they might say I have hacking tools. I don't think that's illegal, yet. It's too bad, I'd have liked to have kept up on it in detail. There were times when it was rewarding - not financially or anything. Just a success is fun. Err... PHP was still pretty new the last time I really even played with it.

      --
      "So long and thanks for all the fish."
    15. Re:forum by KGIII · · Score: 1

      I don't know how to do the latter. If I were to try this, I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results. Anyone with a short and easy password will be gone quick. I've already got a list of usernames to check, I might split them and assign them some priority based on what I can glean from the site and see who's an admin and whatnot. I might even load it on a few boxes and do different priorities. Why not?

      It should be clear that I'm not gonna do that. I have no interest in doing that - but I do have curiosity. In other words, I'm not interested in breaking into their property. That's how you go to jail. I wouldn't mind a phpBB DB to play against. I haven't done anything like that since the mid-1990s. A lot has changed since then and I'm sure the tools are really nice. I'd probably just use CURL and check the resulting page for welcome text and build my own. :/ Err... I'm pretty sure your way would be much faster. (Consider, I've never actually looked at phpBB's security but I'm sure I could find it and comment it out.)

      You newfangled kids and your fancy and effective (and cheaper and faster) methods! Get off my lawn!

      Oh, and I'm well behaved today. I have to be. You go right to prison for playing those sorts of games now. I could just build my own DB and poke at it. I'm not sure what the benefit would be.

      --
      "So long and thanks for all the fish."
    16. Re:forum by arth1 · · Score: 1

      You newfangled kids and your fancy and effective (and cheaper and faster) methods! Get off my lawn!

      Oh, and I'm well behaved today. I have to be. You go right to prison for playing those sorts of games now. I could just build my own DB and poke at it. I'm not sure what the benefit would be.

      I'm not as young as you might think.

      As a sysadmin, I periodically run crackers against the password hash databases for apps I admin, and send users notifications to change the password if it falls quickly to fairly standard cracking programs, or if it falls and the same password turns out to be used for more than one service. Either is bad, and scanning for and correcting this is a good thing, if we ever get hacked.

      Also, for servers in attacked positions, "haystacking" them, injecting tens of thousands of fake users with random hashes, which slows down any attack. By having 90% fake users, the amount of time to crack any password increases 10-fold too. A difference between it taking 3 days for a cracker or 30 days can be significant enough to make this worthwhile.

    17. Re:forum by SQLGuru · · Score: 1

      Azure and AWS aren't that expensive, either.....a single core VM on Azure is $0.09/hr. Not quite as cheap as some sliver of thousands of machines, but not as shady.

    18. Re:forum by shawn2772 · · Score: 1

      I'd strip out the time checks and security from the phpBB script, run it locally, and hammer that with a dictionary and then a brute force attack. It'd work and I'm gonna get results

      Sure, but a few orders of magnitude slower than doing the hashing locally on dedicated hardware.

      The best way to do this is to run the hashing on a set of GPUs, each of which has dozens to hundreds of cores. With your method you'll be lucky to test a thousand passwords per second. With dedicated hardware -- and assuming a computationally cheap hash like SHA-256 or MD-5, you can build a system that will test a billion passwords per second for a few thousand dollars -- or rent one on AWS or similar for a few hundred dollars (AWS has systems with GPUs for computation). If the target database used a proper password hashing algorithm like PBKDF2, scrypt, bcrypt, Argon2, etc., then it's slower on a given amount of hardware, but you can always speed it up by throwing more hardware at it.

    19. Re:forum by KGIII · · Score: 1

      Unless the fake users have data associated that mirrors other users, I'm gonna filter that out. Well, maybe not, compute cycles are cheap today. But, I'd filter admins, active users, and things like that. I'd just then pop several instances up in DB and my own LAMP stack and hammer on 'em until I got them. I'm gonna be pretty slow anyhow. I might as well filter out the more active users, admins, and the likes. Then I'd work my way backwards, starting with the newest, that's likely to be the most "fresh" data. So, if you inserted your "haystack" all at once, it's a relational database, I'll filter those out fairly well by that means too.

      It does kind of pique my interest. I do sort of miss that type of thing. If I had done something like that then I'd have not really done much of anything with 'em before. If I would have done so in the past then I'd mostly just have dumped 'em to a newsgroup and they were usually porn passwords. You know, if I had... I can't really admit to having done anything of the sort. But, I have been known to be curious before.

      --
      "So long and thanks for all the fish."
    20. Re:forum by KGIII · · Score: 1

      Yeah, I can do the former and I don't even need dedicated hardware. I don't know how to do the latter. I could probably find it on Google and with some work but I've never done it. I'd have to whack at it my way - or I would because it'd be easier for me to do it that way than it would be to actually go through and figure it out the faster way. That and, well, I'd not actually be in any great hurry.

      I do use the same password there as I use anywhere else. In fact, I know what that password is and it's safe and sound. They can have that password. The next time I visit, I'll change it. It's a sacrifice fly and I don't consider it a great loss. They could probably use that password to... Well... Nothing? They can't even figure out a system from it and the email password's not the same. In fact, none of my accounts are the same.

      So, I'll be okay. Hopefully others are smart enough to know not to reuse passwords. Or at least to let 'em have only a small chunk at a time.

      At any rate, I'll have to read about the other ways. I'd only know how to do it like I described. I could bang out a pretty quick and dirty script and then find me some dictionaries. I don't keep those sort of things on hand. I've got a few PERL skills left in me! Err... No, really, I'd probably write something quick and in PERL. I'm sure there are tools out there to do it but I don't know who made 'em, where to go to find something that can be trusted, nor have I maintained a relationship with any who kept up with it. I could probably ask around...

      I am tempted to install phpBB and populate it with some data, extract the database, and then throw stuff at it until it breaks. I'm just not sure it would be all that rewarding and what the benefit (for me) would be. It might amuse me for a few days, there's that. It is interesting trying to keep up with all the changes. I mentioned elsewhere, it's probably been since 1995 when I was last interested in this sort of thing - interested enough to poke at it and learn a wee bit. I'm not even sure where I'd go looking for large, reliable, proxy lists.

      I am guessing some time with Google and on the .onion domains (maybe a few invite only forums - I can probably score an invite out of my contacts list) would be a good start. I'm way too lazy for that and it's not nearly rewarding enough with low-enough risks. It would be lots of neat stuff to learn.

      --
      "So long and thanks for all the fish."
    21. Re:forum by Anonymous Coward · · Score: 0

      OMG
      They might be able to log into another useless forum or dating site. Reusing passwords for trivial crap is okay as long as you tier your passwords a bit...
      Banks and email (high level unique)
      Stuff that is closely tied to my real identity or had direct access to friends or family (medium some reuse)
      Tech forums and dating sites (low level who cares)

    22. Re:forum by Anonymous Coward · · Score: 0

      But passwords can be tested so fast that a high percentage of passwords on most sites are found with only a few minutes effort, so brute forcing is well worth the effort.

      Use bcrypt! https://codahale.com/how-to-safely-store-a-password/
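      Added example (mine, not code from anyone in this thread): a Go password audit over a constructed dump, in the spirit of arth1's sysadmin practice above, that ties together the points from #8, #12, #16 and #18/#22. Per-user salts force one hash evaluation per row per guess rather than preventing guessing, a work-factor hash (PBKDF2-HMAC-SHA256 written out here as a stand-in for bcrypt/scrypt/Argon2) multiplies the cost of every guess, and haystack decoys multiply the rows. The record layout, usernames and wordlist are constructed and are not phpBB's.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Record is one row of a constructed user-table dump (illustrative, not phpBB's layout).
type Record struct {
	User string
	Salt []byte // per-user random salt
	Hash string // hex of the stored hash
}

type HashFn func(salt, pw []byte) string // maps (salt, password) to the stored hex string

// FastHash is the cheap scheme the thread warns about: one SHA-256 over salt||password.
func FastHash(salt, pw []byte) string {
	h := sha256.Sum256(append(append([]byte{}, salt...), pw...))
	return hex.EncodeToString(h[:])
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) spelled out so the block needs only
// the standard library; production code should use bcrypt/scrypt/Argon2 from a maintained library.
func pbkdf2SHA256(pw, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, pw)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(be[:])
		u := prf.Sum(nil)           // U1 = PRF(P, S || INT(block))
		t := append([]byte{}, u...) // T = U1
		for i := 1; i < iter; i++ { // Uj = PRF(P, Uj-1); T ^= Uj
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// SlowHash: every guess now costs 1000 HMAC calls instead of one SHA-256. The count is
// kept small so the example runs quickly; real deployments tune it to tens of milliseconds.
func SlowHash(salt, pw []byte) string {
	return hex.EncodeToString(pbkdf2SHA256(pw, salt, 1000, 32))
}

// Audit replays a wordlist against each record the way an admin checking their own dump
// would. It returns the users whose password was in the list and the hash evaluations spent:
// unique salts mean no work is shared between rows, so cost scales with rows x guesses.
func Audit(records []Record, wordlist []string, hash HashFn) (weak []string, work int) {
	for _, r := range records {
		for _, w := range wordlist {
			work++
			if hash(r.Salt, []byte(w)) == r.Hash {
				weak = append(weak, r.User)
				break
			}
		}
	}
	return weak, work
}

// NewRecord stores a password under a fresh 16-byte random salt.
func NewRecord(user, pw string, hash HashFn) Record {
	salt := make([]byte, 16)
	rand.Read(salt)
	return Record{User: user, Salt: salt, Hash: hash(salt, []byte(pw))}
}

// Haystack appends n decoy rows whose hashes match no password (arth1's "haystacking"). Real
// decoys must also blend in on the other columns, or they are filtered by date/activity as KGIII notes.
func Haystack(records []Record, n int) []Record {
	for i := 0; i < n; i++ {
		salt, junk := make([]byte, 16), make([]byte, 32)
		rand.Read(salt)
		rand.Read(junk)
		records = append(records, Record{fmt.Sprintf("decoy%04d", i), salt, hex.EncodeToString(junk)})
	}
	return records
}

func main() {
	words := []string{"password", "123456", "linuxmint", "qwerty"} // constructed wordlist
	for _, hash := range []HashFn{FastHash, SlowHash} {
		recs := []Record{NewRecord("alice", "123456", hash), NewRecord("bob", "Xk#9v!pQ2mL", hash)}
		weak, work := Audit(Haystack(recs, 8), words, hash)
		fmt.Printf("weak=%v hash evaluations=%d\n", weak, work)
	}
}
```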

    23. Re:forum by Flavianoep · · Score: 1

      Also, they can try every username to find the ones whose password is '123456' or the like.

      --
      Linux is for people who don't mind RTFM.
    24. Re:forum by shawn2772 · · Score: 1

      I don't see how what you know how to do or are interested in learning to do are at all relevant to the impact of the breach or why the attackers might be interested in selling the database.

    25. Re:forum by KGIII · · Score: 1

      Well, it's things that they may opt to do - and if I can think of a way to get the data then anyone can figure it out, so it's likely that it won't be long before they're able to use that data. You can do some pretty targeted spear phishing and social engineering with this data, making the most out of it is pertinent, yes? It's why the data might be of value and was what the subject was before the tangent into hash values.

      The data, in aggregate, is worth more than just passwords but the passwords are a start and a part of that data. The users include admins, actual Mint maintainers, and things of that nature. My thinking is that if I can figure out ways to make use of it, and to access it, then there are people who are far more adept than I. On top of that, I figure broaching the subject may get helpful and educational replies - and it typically does. It even did this time.

      --
      "So long and thanks for all the fish."
    26. Re: forum by Anonymous Coward · · Score: 0

      Randall, is that you?

  2. WordPress ??? by Billly+Gates · · Score: 1

    The worst of the worst unless anyone can figure out that spaghetti called Drupal.

    It is the IE 6 of CMS and people keep using it.

    I swear we all should just give up and write our own cms.

    1. Re:WordPress ??? by MightyMartian · · Score: 3, Funny

      Which is how we got Joomla, which is the IE 7 of CMSs.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re: WordPress ??? by Billly+Gates · · Score: 3, Funny

      Only as bad as IE 7? Oh OK then

    3. Re:WordPress ??? by Anonymous Coward · · Score: 5, Interesting

      Ah, Drupal. Drupal is amazing, in that it's clear the developers looked at PHP, said "this is a horrible insecure language" and then decided "let's create a giant platform on top of it to try and fix up the flaws" rather than "let's look for a language that isn't terrible."

      So now Drupal is its own language and library onto itself, and PHP has evolved to fix many of the problems Drupal attempts to solve but Drupal is stuck with their own implementations.

      The amount of code Drupal has to load to render a single webpage is hilarious and somewhat worrying. It's enough that Drupal has to have its own code caching system on top of Zend or whatever you use to try and get performance to reasonable levels.

      Which is probably the only reason you hear about WordPress getting hacked more than Drupal. Drupal has an impressive list of CVEs, but most people who try and use Drupal end up saying "fuck this" and using WordPress instead, because it's possible to get WordPress running without driving yourself insane.

    4. Re:WordPress ??? by Anonymous Coward · · Score: 0

      PHP isn't insecure, improper use of the programming language leads to insecure applications. With your logic we should just call every language that has ever been used improperly insecure.

      Let's use this unvalidated input all throughout our application without ever verifying it and making sure the input is what we're expecting!
      Clearly this is all the programming language's fault! /sarcasm

    5. Re:WordPress ??? by itsenrique · · Score: 1

      Accidental downmod, sorry.

    6. Re:WordPress ??? by stooo · · Score: 2

      In the world of machine safety, we call it "reasonably foreseeable misuse". If a programming language allows security flaws to happen when the programmer is lazy, it's a bad language, and should not be used for this application. Point.

      http://www.controleng.com/blog...

      --
      aaaaaaa
    7. Re:WordPress ??? by Anonymous Coward · · Score: 0

      It's written in Personal Home Page, what do you expect?

    8. Re: WordPress ??? by cyber-vandal · · Score: 1

      Please don't. There's about a million of them already. A CMS is the text editor of web development where someone thinks they can do better than the existing ones and is usually wrong.

    9. Re:WordPress ??? by houstonbofh · · Score: 3, Funny

      The problem with idiot proofing things is that they keep coming out with better idiots.

    10. Re:WordPress ??? by interval1066 · · Score: 1, Insightful

      PHP is insecure by design. I don't mean by conscious design, but by design nonetheless. How can you stay on top of a language that is so inconsistent that it's laughable? The possibility of putting together insecure code without realizing it is very high with PHP.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    11. Re:WordPress ??? by Anonymous Coward · · Score: 0

      Even if you do write secure PHP, there's a good chance that changing a server setting can make it insecure.

    12. Re:WordPress ??? by Anonymous Coward · · Score: 0

      Wordpress outstrips Drupal in number of users, because Wordpress actually solves problems without requiring a few million dollars handed out to barely competent agencies.

      In terms of security? They're both pretty okay, assuming you fucking update core and modules.

      That is, of course, the problem. Wordpress, nobody updates because it's playing to the lowest common denominator. Drupal, nobody updates because it will fuck up your site like DICE fucked Slashdot, requiring Magic Johnson levels of cash injection to fix.

      As a result, you have CMS software sitting in a docroot, outside of package management, never updated.

      Yeah, shit's getting owned.

    13. Re:WordPress ??? by Anonymous Coward · · Score: 1

      The possibility of putting together insecure code without realizing it is high, in any language, even ones with massive safety nets like VMs, strict typing, garbage collection ala Java...none of those systems, or any one that you could mention either, eliminate the possibility of the _programmer_ making a mistake. It's not that difficult to miss, either. SQL injection is still one of the most popular website hacks, why? The mistakes that lead to SQL injection are easy to make, in any language.

      Bad PHP programmers are just as likely to be bad Python/Ruby/insert-your-pet-language-here programmers...and bad programmers negate most of the advantages that your supposedly "safe" languages would provide, so perhaps the language isn't the entire problem. Perhaps bad programming practices are part of the problem. It's always easier to point the finger of blame at somebody else I suppose. Blame the language rather than accept your lack of talent.

    14. Re:WordPress ??? by Ice+Station+Zebra · · Score: 0

      Says the anonymous coward who is probably still struggling with their first "Hello World" program in quick basic.

    15. Re: WordPress ??? by Anonymous Coward · · Score: 0

      Yeah but basic, documentation-driven help and examples are insecure.

      PHP is just awful.
      Most languages DO have silly, broken syntax, but PHP core is what is broken.
      SQL, likewise, suffers from massively abusable syntax.

    16. Re:WordPress ??? by Anonymous Coward · · Score: 0

      It's not so much that PHP is insecure as such (you aren't likely to find a website that is exploitable purely by virtue of being PHP), but the language itself, but it is hazardous in that it has many surprising gotchas that can cause your programs to run in unexpected ways. Considerably more so than C++, for example, which says something because C++ itself takes a lot of flak these days in this regard.

    17. Re:WordPress ??? by unencode200x · · Score: 1

      For sure. OWASP has a good guide on prevention. https://www.owasp.org/index.ph...

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    18. Re: WordPress ??? by Anonymous Coward · · Score: 0

      moo:
      mooo "Moo moo"
      moooo moo

    19. Re:WordPress ??? by Applehu+Akbar · · Score: 1

      Ever try to archive a WordPress site? Nothing but reams of PHP, and good luck finding the site's content.

    20. Re:WordPress ??? by Anonymous Coward · · Score: 0

      PHP encourages bad programming practices and has non-intuitive semantics that don't follow convention. If I made a car that engaged the airbags if you inserted the keys upside down, you wouldn't say "RTFM you scrub", you'd say that's a poorly designed car.

    21. Re:WordPress ??? by stooo · · Score: 1

      Yep, but by putting in basic idiot-proofing, you tackle the low-hanging fruit, 95% of errors. And that is lacking in the software industry.

      --
      aaaaaaa
    22. Re:WordPress ??? by Anonymous Coward · · Score: 0

      Or, more likely, someone who's on a project where management decided to use Drupal over the tech staff's objections. As another AC said, you're looking at "Magic Johnson levels of cash injection" to get a Drupal site up and running, and then once it's up and running, pray you never have to upgrade it because that's going to be another round of contractor-led fixes.

      The best part is that the super-expensive contractor we're using is using PHP 5.4 and IT requires us to use PHP 5.6 - which means the website they created for us won't even run on our servers. Because PHP.

    23. Re: WordPress ??? by Anonymous Coward · · Score: 0

      Try Sharepoint sometime. Just being able to install the full version is an achievement worth awarding a medal

    24. Re:WordPress ??? by Anonymous Coward · · Score: 0

      So your argument is making the point that someone doesn't feel the need to create an account which links every comment they've ever made, making it easier to data mine that user and trace their habits? Then your second argument is regarding a fictional scenario that you made up yourself..

      You do know you're supposed to use actual facts and figures to make points instead of just pulling a bunch of BS from your arse.

    25. Re:WordPress ??? by i.r.id10t · · Score: 1

      What language will totally prevent errors and exploits like buffer overflows and SQL injection? Or allow clear text storage of passwords? Or hashed, but unsalted passwords?

      The biggest "problem" with PHP is that it allows just about anyone to start writing code and putting it out there, with no guarantee of developer skill or security consciousness. And because they got it to just about work and they want to "be helpful and give back", they publish the code/solution as a half assed howto or web article or reply to a forum posting. Then some other idiot comes along and copy/pastes that as a "well, someone posted it so it must be OK" thing into their half-baked code and .... you get the idea.

      --
      Don't blame me, I voted for Kodos
    26. Re:WordPress ??? by houstonbofh · · Score: 1

      Or, let Darwin free!

    27. Re:WordPress ??? by Electricity+Likes+Me · · Score: 1

      Rust? Go? Javascript? Buffer overflows are totally prevented in most higher level languages. You can cause them, but the application will *always* crash safely.

      SQL injection is a product of SQL itself being a poor language that doesn't clearly delineate data and code.

    28. Re:WordPress ??? by Anonymous Coward · · Score: 0

      The problem with idiot proofing things is that they keep coming out with better idiots.

      Nicely done mate!

    29. Re:WordPress ??? by Anonymous Coward · · Score: 0

      ah ... so many Einsteins on Slashdot .... how is it that Slashdot readers and writers are smarter than anyone? When will a Slashdot reader cure cancer?

  3. They Need To Take EVERYTHING Down by Anonymous Coward · · Score: 3, Insightful

    They've got a serious breach with no idea how the attackers got in and continue to get in. They need to take EVERYTHING down including their name servers and verify that their registration with the root servers hasn't changed, until they have done a thorough post-breach analysis. Only then can they bring up newly installed servers with whatever vulnerability fixed.

    This should take several days. Possibly even weeks, depending on the extent of their infrastructure.

  4. MD5/SHA1's compromise? by Anonymous Coward · · Score: 0

    I'm not a Mint user so wasn't affected, but it seems to me like this attack of taking over a web page could be dangerous in another way too. Many people check the MD5 or SHA1s against what's reported by the distro maker on their web site, but an attacker controlling the web site could change the checksums to match their malicious version.

    1. Re:MD5/SHA1's compromise? by Junta · · Score: 1

      This is one reason why GPG signing would be a much better idea than posting sha512sums. The sums are marginally useful to verify a mirror or whatever, but a GPG signature would allow you to verify new content going forward.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re:MD5/SHA1's compromise? by interval1066 · · Score: 2

      I'm a Mint user and I wasn't affected by it either. What do you think is going to happen, if you're a Mint user the page is going to reach out and grab your machine? It only affected one ISO and you would have had to download it on the 20th. Then, you would have had to install the image. Simply being a Mint user is meaningless.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    3. Re:MD5/SHA1's compromise? by Anonymous Coward · · Score: 0

      This only effected Mint users. The download site for Mint (and only Mint) was pointed to a malicious source, so being a Mint user was required here.

      Not that other distros have not had their own problems mind.

    4. Re:MD5/SHA1's compromise? by war4peace · · Score: 1

      "affected".

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    5. Re:MD5/SHA1's compromise? by gweihir · · Score: 1

      That is why you use PGP signatures. Unless they compromise the key before you got it, they are out of luck.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:MD5/SHA1's compromise? by gweihir · · Score: 1

      Indeed. Checksums are only good to check for transmission errors, unless the checksums are PGP-signed. Checking for transmission errors is a good idea with these sizes, but not any protection against attacks.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
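The point made in the last few replies (checksums catch transmission errors, but a checksum served from the same site as the image proves nothing if that site is compromised) can be shown with a small checker. The following is an added example, not code from the thread or from Linux Mint: it parses the `sha256sum`-style manifest format (hex digest, separator, file name), verifies constructed in-memory "images" against it, and walks through three constructed cases: a download corrupted in transit, a swapped image with a re-published manifest from the same source, and a digest pinned from an independent source.

```python
"""Verify ISO images against a SHA256SUMS-style manifest (added example).

The manifest format is the one written by GNU coreutils `sha256sum`:
hex digest, then two spaces (text mode) or space + '*' (binary mode),
then the file name. All images and manifests below are constructed.
"""
import hashlib
import re

# One manifest line: 64 hex chars, separator, file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s[ *](.+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected lowercase hex digest; skip blanks and comments."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed manifest line: {raw!r}")
        digest, name = m.groups()
        expected[name] = digest.lower()
    return expected


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(files: dict[str, bytes], manifest: str) -> dict[str, str]:
    """Per-file status: 'OK', 'FAILED' (digest mismatch) or 'MISSING' (listed, not present)."""
    expected = parse_manifest(manifest)
    status = {}
    for name, digest in expected.items():
        if name not in files:
            status[name] = "MISSING"
        elif sha256_hex(files[name]) == digest:
            status[name] = "OK"
        else:
            status[name] = "FAILED"
    return status


def make_manifest(files: dict[str, bytes]) -> str:
    """Write a manifest in the same two-space text-mode format."""
    return "".join(f"{sha256_hex(data)}  {name}\n" for name, data in files.items())


# Constructed stand-ins for real ISO images (a few bytes each).
GOOD_ISO = b"\x00" * 32 + b"constructed-good-image"
BAD_ISO = b"\x00" * 32 + b"constructed-tampered-image"


def demo() -> dict[str, str]:
    publisher_manifest = make_manifest({"mint.iso": GOOD_ISO})
    # Case 1: a download corrupted in transit is caught by the checksum.
    corrupted = verify({"mint.iso": GOOD_ISO[:-1] + b"X"}, publisher_manifest)
    # Case 2: image and manifest come from the same (compromised) site, so
    # both were replaced together and the check passes. A checksum alone
    # cannot detect this; only a signature from a key you already hold can.
    same_site = verify({"mint.iso": BAD_ISO}, make_manifest({"mint.iso": BAD_ISO}))
    # Case 3: a digest obtained independently (earlier download, signed
    # announcement, another mirror) still catches the swapped image.
    pinned = verify({"mint.iso": BAD_ISO}, publisher_manifest)
    return {
        "corrupted": corrupted["mint.iso"],
        "same_site": same_site["mint.iso"],
        "pinned": pinned["mint.iso"],
    }


if __name__ == "__main__":
    print(demo())
```

The `same_site` case is the one gweihir is describing: the check reports `OK` because the attacker published both artefacts. The fix is not a stronger hash but a detached signature verified against a key fetched before the incident, which the `pinned` case approximates with an out-of-band digest.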
  5. I hope the virus was open source at least by elrous0 · · Score: 2

    I mean, at least make the code available.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
    1. Re:I hope the virus was open source at least by markdavis · · Score: 1

      There was no virus, it was a security flaw in Wordpress.

    2. Re:I hope the virus was open source at least by Anonymous Coward · · Score: 0

      The source code is one of the first google results for tsunami irc bot , but there's no license.

    3. Re:I hope the virus was open source at least by Anonymous Coward · · Score: 0

      From http://www.csoonline.com/article/3035743/security/linux-mint-hacked-compromised-data-up-for-sale-iso-downloads-backdoored.html:

      "Kaiten has been open source since about 2001, so the code isn't something new or unique. Early reports on the hack said the IRC bot was Tsunami, which is technically correct, as that's one of the names used to identify the bot's core code (AV companies use this name too), but the code itself is Kaiten.c."

  6. STFU by Anonymous Coward · · Score: 0, Troll

    The only reason that WordPress gets so much shit is because it is the best option available and is therefore used by absolutely everyone.

    Name a better CMS. Better yet, go write your "superior CMS" yourself and try to prove your baseless assertions, asshat.

    1. Re:STFU by Z00L00K · · Score: 1

      I now got an idea for a project to teach myself Erlang.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:STFU by Anonymous Coward · · Score: 0

      AH yes the old "WINDOWS JUST GETS SO MANY VIRUSES BECAUSE IT'S POPULAR" and yet still the iPhone platform has been relatively damn secure through its life (and I say this as someone who doesn't otherwise like Apple products that much).

      WordPress gets so much shit re security because it is so shit re security. It is popular because of inertia and because the options aren't any better - again, just like Windows through the '90s and early '00s.

    3. Re:STFU by Billly+Gates · · Score: 1

      I now got an idea for a project to teach myself Erlang.

      No man, all the cool kids use Outlaw Techno Pyschobitch as the real rockstar language.

    4. Re:STFU by stooo · · Score: 3, Funny

      >>Name a better CMS.
      Notepad.

      --
      aaaaaaa
    5. Re:STFU by Aethedor · · Score: 1

      Name a better CMS.

      The Banshee Content Management Framework.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    6. Re:STFU by houstonbofh · · Score: 3, Interesting

      Name a better CMS.

      Offline. There is no way to secure WordPress for any length of time, so use it as a static site generator and post that. (Or Drupal, or anything else) More security and less resources needed.

    7. Re:STFU by KGIII · · Score: 3, Insightful

      It's not really WordPress that's so bad. Not really. They used to be pretty bad but they, themselves, have gotten their act together. The problem is that people don't keep things updated and will use extensions and add-ons and the likes from anywhere. They won't keep those updated either. If they're maintained well, if you pick the add-ons by activity and reputation and timely security fixes, and if you're a little attentive then you'll be okay.

      There are a few add-ons (oddly enough) to help with this. There are ways to automate unattended updates. There are ways to lock down the permissions and make the suggested changes. Use a separate administrator name than user. Rename a couple of pages. After setup, remove the setup files, set the permissions to 555 when not in use, etc... You can do quite a bit, if you want. I've seen a few good guides - hell, there's a few people here who have done it enough that they can write you a guide in ten minutes and know which add-ons to use to secure it and which files to rename, all without opening a new tab.

      (That's a hint, by the way. If, you know, someone's got some advice...)

      --
      "So long and thanks for all the fish."
    8. Re:STFU by Anonymous Coward · · Score: 0

      To be fair, Apple products (including the iPhone) have had tons of issues themselves (with the recent bricking being obvious, but also tons of malware even in the app store). Whenever there's a Windows or even Linux issue, people proudly dump on it and promote iWhatever; whenever there's an issue, no matter how terrible it is, with the Apple products, it seems to mostly go by without any notice. I always did wonder what that bias was all about.

    9. Re:STFU by Gr8Apes · · Score: 2

      First, if the default out of the box is highly insecure, the product's insecure. If it has a plugin framework that is insecure, the product is insecure.

      Just because you can make it secure (you think) doesn't mean the product is secure. Take windows for example, you can run it standalone with only vetted code in a vault and it'll be pretty "secure", but that doesn't make windows secure. You can also run a very stripped down version with lots of unnecessary crap removed and that will make it more secure than the default, but the system itself, in this case, is still not secure. And I'd posit that securing WordPress is the same game of security whackamole played by those attempting to secure windows. When you start building on sand, your task never ends.

      --
      The cesspool just got a check and balance.
    10. Re:STFU by KGIII · · Score: 1

      It's not highly insecure out of the box. It used to be pretty bad but it has improved greatly. The plugin framework isn't insecure, in and of itself.

      Nothing is secure, they're all varied degrees. I get far more security updates on a stock Linux distro install than I ever did on a stock Windows install. Yet, I'd still say that Linux is secure - because I know that nothing is completely secure, so the definition is reduced to "reasonably secure."

      Speaking of Windows, you can use Windows normally and just fine - without any active resident anti-malware application. Just keep your browser locked down, get apps from their source, and keep things up to date. I did it for years just to prove it can be done. I'd check and do the various scans with updated definitions here and there and never *noticed* any signs of intrusion or malware and was actively looking for such.

      You don't *have* to rename pages, change permissions, or even use a separate admin - so long as you're willing to use a long/complex password. The security issues come with people being people. If you don't follow the directions, you get insecure products. If you leave the setup.php behind (after having been instructed to remove it - when the server's not configured to allow it to do it on its own) then you get an insecure product. If you're using add-ons that are insecure, you have an insecure result. That's not the fault of WordPress. That's the fault of people being people and trying to do things they're not qualified to do thus have no business doing.

      So, I gotta disagree. Security is a process, not an application. The converse is quite frequently true. If you're not going to be attentive and keep things up to date, that's hardly the fault of the software. The framework's not bad (so far as I know) by itself. The script isn't even bad - by itself. You can make it a bit more secure but, by itself, it's not bad. It's when they don't update it or the add-ons that they get insecure. In fact, I have a couple of WordPress installs that are just fine. They don't have any third party extensions at all and the password's a long and complicated affair - and I've got a different username but that username's probably easily guessed.

      --
      "So long and thanks for all the fish."
    11. Re:STFU by Anonymous Coward · · Score: 0

      Nope. In practice it's the basic Wordpress itself that gets nailed, no extensions necessary. Wordpress is that bad.

    12. Re:STFU by Anonymous Coward · · Score: 0

      Name a better CMS. Better yet, got write your "superior CMS" yourself and try to prove your baseless assertions, asshat.

      Here's a list of CMS products that are as good or better than Wordpress (as the list includes Wordpress itself).

      Here's a more challenging question for your turn: Name a CMS that is worse than Wordpress. You can even go for fairly obscure systems if you need to.

      Good luck.

    13. Re:STFU by Anonymous Coward · · Score: 0

      Here's some thoughts:
      Expression Engine - https://ellislab.com/expressio...
      PageKit - https://pagekit.com/
      Concrete5 - http://www.concrete5.org/

    14. Re: STFU by Anonymous Coward · · Score: 0

      It is not bricked. It can be fixed at home by any user that can search for "DFU mode and iPhone"

    15. Re:STFU by stephenmac7 · · Score: 1

      In that case, you might be looking for Zotonic, an Erlang web framework/CMS.

      --
      "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
    16. Re:STFU by Anonymous Coward · · Score: 0

      Hilarious.

      Anyone have a straight answer?

    17. Re:STFU by myowntrueself · · Score: 0

      AH yes the old "WINDOWS JUST GETS SO MANY VIRUSES BECAUSE IT'S POPULAR" and yet still the iPhone platform has been relatively damn secure through its life (and I say this as someone who doesn't otherwise like Apple products that much).

      WordPress gets so much shit re security because it is so shit re security. It is popular because of inertia and because the options aren't any better - again, just like Windows through the '90s and early '00s.

      Last year iOS and OSX each had more security vulnerabilities than Flash.

      --
      In the free world the media isn't government run; the government is media run.
    18. Re:STFU by JustOK · · Score: 3, Funny

      notepad++

      --
      rewriting history since 2109
    19. Re:STFU by Antique+Geekmeister · · Score: 1

      Git, hosted at Github.

      If you mean a "web publishing system", then Wordpress has a reasonable history of being one. But that doesn't make it a CMS.

    20. Re:STFU by Anonymous Coward · · Score: 0

      At the risk of pedantry, 'offline' is not a CMS.

    21. Re:STFU by Anonymous Coward · · Score: 0

      Could you imagine the bitch-fit Slashdot would have thrown had Microsoft proposed a walled garden back when they firmly controlled most of the market? We'd probably still be hearing about it, kind of like we still read posters mocking MS for bugs they fixed in Windows 98.

    22. Re:STFU by Anonymous Coward · · Score: 0

      The only reason that WordPress gets so much shit is because it is the best option available and is therefore used by absolutely everyone.

      Apparently you don't understand how the lowest common denominator works. Here's a clue - macaroni and cheese OR fried chicken != best food.

      Name a better CMS.

      In no particular order: Concrete5, MODX, e107, Magento, SilverStripe, CMS Made Simple, Contao,

      I drive a Holden because they're the best! I've never really tried anything else.

    23. Re:STFU by Anonymous Coward · · Score: 0

      Just another demonstration that the anti-WP, anti-PHP crowd is firing blanks. They got nothin'.

    24. Re:STFU by Anonymous Coward · · Score: 0

      It's not highly insecure out of the box. It used to be pretty bad but it has improved greatly.

      Summary: now it doesn't suck as much.

      Jokes aside. It caters to the biggest userbase. That's a lot of Joe Sixpacks who like to press Enter and have the attention span of a speed-crazed goldfish in a busy shopping mall.

      It can be made very secure - but it's not the primary design purpose. High security requires more than trust in the vendor - it requires work (and thought) by the administrator. The simpler the framework, the simpler the auditing - but a truly simple framework (and interface) is not easy for Joe Sixpack to understand (because he doesn't want to understand). Joe Sixpack wants a market-place and a video that tells him how to press Enter.

      Don't confuse Peter Pointyhead with Joe Sixpack. Peter has an Apple and is a web designer. He used to love Flash but it's no longer trending. He likes obscurity and while gifted in technobabble can only program in Twitter posts. Peter loves Drupal (he used to love Joomla). For $300 an hour he'll tell you why.

    25. Re:STFU by KGIII · · Score: 1

      Drupal is awesome but not that easy to figure out at first. 'Snot too bad once you get it figured out. Joomla kind of sucks. I've tried to theme Joomla and, well... Let's just say that I am not a graphics artist. Or a patient man... I can handle Drupal. I don't mind WordPress but it needs babysitting. At least it's generally pretty smooth to update.

      --
      "So long and thanks for all the fish."
    26. Re:STFU by Anonymous Coward · · Score: 0

      Sitecore. It's a slow buggy pile of shit that makes everything harder rather than easier.

      Better yet: it's proprietary and expensive! Double trouble.

    27. Re: STFU by jofas · · Score: 1

      Nope. WordPress is a catastrophically awesome choice if you want to get owned. As was mentioned, the only way to use WordPress securely is to use it to generate static HTML content.

    28. Re:STFU by Anonymous Coward · · Score: 0

      OUCH... that was painful.... Don't do that again.

    29. Re:STFU by Aaden42 · · Score: 1

      The problem is that people don't keep things updated

      I've got a big problem with that idea. If WordPress is only secure today because you had to install a critical update a week to keep it that way, that means WordPress is NOT secure. It doesn't matter if at 10:07 EDT as I write this, a fully updated WP install is free of known security issues. The fact that there were a dozen issues that I had to patch for previously means there were inevitably stretches of time when there *were* known issues. Even if I script it so every update is installed the instant they drop it, there's still time between reporting and fixing, and zero-days are a thing...

      WordPress is not a secure platform. Even just core, with no add-ons. It happens to be one of the most usable and featureful platforms, but it's not secure. Just adding an add-on to auto-update isn't the same thing as having secure code to run.

      Security update treadmills aren't a valid security posture. It's better than not updating, and you're practicing risk mitigation at that point, but I don't think it's the least bit valid to say, "You got hacked because you didn't update." You got hacked because WP can't manage to release secure code. The longer you run unpatched, the greater your chances of actually getting hit, but "you didn't update" is plain old victim blaming.

      And then of course you add add-ons (because WP as a platform is a huge part of why it's useful), and you might as well just give up at that point...

    30. Re:STFU by KGIII · · Score: 1

      Then by your standards nothing is secure. Alright. We can agree to that. Stop using software that needs security updates. That includes every operating system out there.

      --
      "So long and thanks for all the fish."
    31. Re:STFU by Gr8Apes · · Score: 1

      I don't think you're understanding where I'm coming from. Let's take a current iPhone. Out of the box, it's encrypted and set to lock and wipe via firmware. That's relatively secure. I believe the Galaxy Android phones are also shipping in a similar configuration now, but a whole host of Android phones are not. If you're running a macbook pro, out of the box, file-vault is not enabled, so it's significantly less secure by default. That requires 1 step to greatly enhance the system. All Apple's laptops should arguably be shipped with this default given their expected use cases.

      WordPress out of the box is insecure as hell. It requires a litany of changes to become hardened. After that, it requires constant monitoring and babying to be sure you're not subject to some newfound exploit, for its sole intended purpose. That's not secure by any stretch of the imagination. Yes, I'm aware of the similarities to running an OS, but the amount of work to lock down a server for a single purpose like running a webserver is hugely dependent upon your OS choice. While it still requires monitoring, you can be relatively assured that you won't need to update even monthly to keep your system secure. WordPress isn't like that, unless you lock out much of its functionality to the average user.

      --
      The cesspool just got a check and balance.
    32. Re:STFU by dfsmith · · Score: 1

      For anyone who's seen the original Erlang "movie", it's well worth watching the parent's OTP video. I pity the foo' who doesn't guffaw.

  7. Not very long ago I installed by Anonymous Coward · · Score: 0

    Sabayon and was hacked within seconds of fresh install.
    So I switched to Mint.
    KDE so far so good

    1. Re:Not very long ago I installed by Anonymous Coward · · Score: 0

      stop using shit passwords

  8. I hope they fix their name someday by Anonymous Coward · · Score: 0

    "Mint Linux" would be the correct name for a Mint-branded distribution of Linux.
    "Linux Mint" means a Linux-branded variety of mint.

    1. Re:I hope they fix their name someday by Anonymous Coward · · Score: 0

      Linux Mint could also be a currency mint that creates Linux coins.

      $1 coins could have Richard Stallman on them.

      $10 coins could have Linus Torvalds on them.

      Next door would be the Linux Paper Products Co, where toilet paper with Lennart Poettering's face on each sheet is manufactured.

    2. Re: I hope they fix their name someday by mseitz · · Score: 1

      Suffixes can also be modifiers. Examples: Windows NT, Mustang GT, Bud Light.

    3. Re:I hope they fix their name someday by Anonymous Coward · · Score: 0

      I always wondered if it was a play on "Long Mint" (video on pornhub, NSFW obviously, eyes can't unsee, etc).

    4. Re: I hope they fix their name someday by Anonymous Coward · · Score: 0

      But it's a bit French, and therefore gay and communist.
      --
      roman_mir

    5. Re:I hope they fix their name someday by Anonymous Coward · · Score: 0

      You, sir or madam, win the prize.

  9. This is what happens when you use Linux by Anonymous Coward · · Score: 0

    Should have gone with BSD.

    1. Re:This is what happens when you use Linux by houstonbofh · · Score: 4, Insightful

      No, WordPress is still insecure as shit on FreeBSD.

    2. Re:This is what happens when you use Linux by Anonymous Coward · · Score: 0

      No, WordPress is still insecure as shit on FreeBSD.

      Correct. At least use something like Sucuri in front of your WP site.

  10. PHP is a security vulnerability! by Ironlenny · · Score: 1

    Don't use it!

    --
    There is a system for subverting the system and you should use that system!
    1. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      OK, what should I use instead? Serious question.

      I need to set up a dynamic site with an e-store, blog, forum, and mailing list, ready to go out-of-the-box, without having to hack piles of code to set it up and modify it. I don't have an endless budget or endless development time to do this. What should I use?

    2. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      The question is why do you need all of those things if you're Linux Mint?

      An e-store is nice, because it brings in revenue. There's e-store code out there that's not as vulnerable as WP.

      A forum is not a bad idea - it allows your users to receive some kind of support and provides a place for announcements and FAQs. There's forum code out there that's not as vulnerable as WP.

      While these are not as easy to use as some kind of 'universal' solution like WP, they are also much more secure. Getting hacked in this case doesn't just mean YOU getting hacked, but your users also facing risks when YOU get hacked.

      As users, we should FORCE communities to stop using insecure shit like WP and PHP based garbage, because as users we also suffer the consequences when a hack occurs.

    3. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      Does not have to be. Several very secure and respected firewalls (m0n0wall, SmallWall, t1n1wall, pfSense, OPNsense) use PHP and do not have these problems. Of course, programming securely is hard...

    4. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      I need to set up a dynamic site...

      Why? Seriously, why does the site need to be dynamic? Could you do what you need with a static site with a few dynamic pages? Thinking this way is how security works. Just going with some package downloaded off the Internet is how major compromises work.

    5. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 0

      You didn't answer the question, you just said there are other solutions available.

      What should I use? I'm asking your professional opinion here.

    6. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

      It doesn't address the point anyway: people keep saying there are better languages than PHP that can do what PHP can do, only more securely. I seriously want to know what they are.

    7. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Okay my professional opinion is to copy what OpenBSD does. For everything. Down to being as abrasive as Theo de Raadt.

    8. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 0

      "Good, fast, cheap - pick any two". You violate the Iron Triangle at your own peril.

    9. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 1

      Okay, so I'll just install PHP on OpenBSD then.

    10. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 0

      Read and learn.

    11. Re: PHP is a security vulnerability! by MTEK · · Score: 1

      Respected how? Usability? Ok, fine. But did you know pfSense runs PHP as root? Not something I would expect from a security appliance. Fortunately the head of the project publicly acknowledged this and is planning a new architecture, i.e., one without PHP.

    12. Re:PHP is a security vulnerability! by Anonymous Coward · · Score: 0

      Respected by whom? Fanboys who never learned a decent GUI?

      I jest went through "Smallwall" and "pfSense" training, and they were both written by technical fanboys creaming their jeans because they learned the difference between a DNS resolver and a DNS forwarder, and couldn't get either of them right. My *god* they are horrible, horrible interfaces.

    13. Re: PHP is a security vulnerability! by houstonbofh · · Score: 1

      Yeah, Chris is talented as hell. (And actually a super nice guy.) But that is not a small amount of work. Also, there is a slight difference in that pfSense by default does not actually have a shell. That makes it a bit easier since you do not have the typical method of launching commands. (You can, but it is non-trivial)

    14. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      I jest went through "Smallwall" and "pfSense" training...

      Now where did you find SmallWall training? Because they do not have any. Not by them anyway. You may have taken some MOCC somewhere, but SmallWall didn't do it. So I am going to have to call bullshit, Mr. AC.

    15. Re:PHP is a security vulnerability! by houstonbofh · · Score: 1

      Any idiot can make a site secure by serving up static content and web forms, but managing that content can be a big job. Making changes across a large site is a big job.

      I guess we have different versions of "big job." Install WordPress internally. Let the internal devops idiots go wild. Run a script nightly that generates static content, pushes it into a repository (like svn) for history, and then pushes it live. They break something and run a script to roll back SVN and push the last version live again while they fix it. Rocket science...

      (Oh shut up about git being better. No need for anyone to fork it... It is a backup!)
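The publish-and-roll-back step houstonbofh describes is easy to get wrong if the live tree is overwritten in place (a half-copied site, or no way back). The following is an added example, not the commenter's script: it stands in for the repository step by keeping every generated tree as a numbered release and switching a `live` symlink with an atomic rename, so rollback is just pointing the symlink at the previous release. The directory names (`generated`, `releases`, `live`) and the sample page are constructed; the web server is assumed to serve from the `live` path.

```python
"""Versioned static publish with rollback (added example, not from the thread).

Each publish copies the generated tree to releases/NNNN and repoints the
`live` symlink with an atomic rename, so a web server serving from `live`
never sees a partially written site. `live` must start absent or already
be a symlink (not a real directory). All paths below are constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path


def _release_names(releases: Path) -> list[str]:
    return sorted(p.name for p in releases.iterdir() if p.name.isdigit())


def _point(live: Path, target: Path) -> None:
    # Build the symlink under a temporary name, then rename it over `live`.
    # rename(2) is atomic on POSIX, so readers see the old or the new tree.
    tmp = live.with_name(live.name + ".tmp")
    if tmp.is_symlink() or tmp.exists():
        tmp.unlink()
    tmp.symlink_to(target)
    os.replace(tmp, live)


def publish(generated: Path, releases: Path, live: Path) -> Path:
    """Copy `generated` into the next numbered release and make it live."""
    releases.mkdir(parents=True, exist_ok=True)
    names = _release_names(releases)
    number = int(names[-1]) + 1 if names else 1
    target = releases / f"{number:04d}"
    shutil.copytree(generated, target)
    _point(live, target)
    return target


def rollback(releases: Path, live: Path) -> Path:
    """Repoint `live` at the release before the current one."""
    current = Path(os.readlink(live)).name
    names = _release_names(releases)
    idx = names.index(current)
    if idx == 0:
        raise RuntimeError("no earlier release to roll back to")
    target = releases / names[idx - 1]
    _point(live, target)
    return target


def demo() -> dict[str, str]:
    """Publish twice, roll back once, and report what `live` served each time."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        gen, rel, live = base / "generated", base / "releases", base / "live"
        gen.mkdir()
        (gen / "index.html").write_text("<h1>release one</h1>")   # constructed page
        publish(gen, rel, live)
        (gen / "index.html").write_text("<h1>release two (broken)</h1>")
        publish(gen, rel, live)
        after_publish = (live / "index.html").read_text()
        rollback(rel, live)
        after_rollback = (live / "index.html").read_text()
        return {"published": after_publish, "rolled_back": after_rollback}


if __name__ == "__main__":
    print(demo())
```

Old releases stay on disk, which is the history the commenter wants from svn; pruning them is a separate housekeeping job, and the WordPress instance that generates the tree never needs to be reachable from the public side.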

  11. wtf? by Anonymous Coward · · Score: 1

    1. Not isolating download servers from forum/blog servers.

    2. Not auditing changes of all critical files with immediate reporting.

    3. Not instructing all users to check signature from various well-reputed third party locations.

    4. Using Wordpress when most people need sufficiently few features that they'd be better off rolling their own.
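
Point 2 above (auditing changes to critical files with immediate reporting) is the control that would have flagged the reinfection described in the summary. The following is an added example, not code from the thread or from any integrity tool: it records a baseline of SHA-256, size and mode for every regular file under a web root and diffs a later walk against it, reporting files added, removed or modified. The sample tree, file names and the baseline location are constructed; in real use the baseline lives outside the web root and ideally on another host.

```python
"""File-integrity baseline for a web root (added example, not from the thread).

Walks a directory, records sha256 + size + mode for every regular file,
and diffs a later walk against the saved baseline. The sample tree built
in demo() is constructed and lives in a temporary directory.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, dict]:
    """Relative path -> {sha256, size, mode} for every regular file under root."""
    snap = {}
    for p in sorted(root.rglob("*")):
        # Skip symlinks before is_file(), which would follow them.
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        snap[p.relative_to(root).as_posix()] = {
            "sha256": _digest(p),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return snap


def compare(baseline: dict[str, dict], current: dict[str, dict]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified (content, size or mode)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Build a constructed web root, baseline it, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "wp-admin").mkdir(parents=True)
        (root / "index.php").write_text("<?php // constructed\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // constructed\n")
        # Baseline stored outside the web root so it is not itself served.
        baseline_file = Path(tmp) / "baseline.json"
        baseline_file.write_text(json.dumps(snapshot(root)))

        # Simulated drift: one core file edited, one unexpected file, one removed.
        (root / "index.php").write_text("<?php // constructed, modified\n")
        (root / "wp-admin" / "unexpected.php").write_text("<?php // constructed\n")
        (root / "wp-admin" / "admin.php").unlink()

        baseline = json.loads(baseline_file.read_text())
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `snapshot` once after a clean deploy and again from cron (or on a file-system event), and treat any non-empty `compare` result on the core tree as an alert; content the site legitimately writes (uploads, caches) belongs in a separate tree or an allowlist so the report stays quiet enough to be acted on.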

    1. Re:wtf? by Sfing_ter · · Score: 2

      FTA:
      "During the second compromise, all Linux Mint ISO download mirrors were pointing to the same Bulgarian FTP site (IP: 5.104.175.212)"

      --
      A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  12. repos unharmed? by Anonymous Coward · · Score: 1

    Anyone checked repositories ?

    1. Re:repos unharmed? by Anonymous Coward · · Score: 1

      If it were the repos, we'd be hearing about Ubuntu, not Mint.

  13. Stop. Using. Wordpress!! by Aethedor · · Score: 0

    The stubbornness of some people is just unbelievable. How many examples of Wordpress's bad security do you need?!?!?

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:Stop. Using. Wordpress!! by thegarbz · · Score: 1

      What makes you think if someone is incapable of securing wordpress that the outcome would be different with any other system?

    2. Re: Stop. Using. Wordpress!! by cyber-vandal · · Score: 2

      How is that relevant? I've never built a car either but I have still owned some really shit ones and have said as much. WordPress is messy, insecure and is tightly coupled to one DBMS. It's quick to set up but awkward to do it right.

    3. Re:Stop. Using. Wordpress!! by Anonymous Coward · · Score: 0

      Easy. Because then nobody would need to secure wordpress.

      Honestly, that's like asking if someone incapable of building a functional space shuttle would be able to change a lightbulb.

    4. Re:Stop. Using. Wordpress!! by Anonymous Coward · · Score: 0

      Please do come up with as many examples of its bad security as you'd like, I'd be willing to bet I could find a running Wordpress site to match each one. A site that hasn't been hacked and isn't going to any time soon, because if you're basing your security model on the security of one particular web application, you probably don't know what the fuck you're talking about.

      I'm implying you fall into that latter category, if you're a bit too slow to catch on. At least you managed to restrain yourself from spamming up the comments with links to your pet project, Hugo. Here's an example of Hugo spamming the Ubuntu forums for reference:

      http://ubuntuforums.org/showth...

    5. Re:Stop. Using. Wordpress!! by Aethedor · · Score: 1

      No one is capable of securing Wordpress. On the other hand, there are other CMSes out there that don't need special attention to make them secure.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
    6. Re:Stop. Using. Wordpress!! by thegarbz · · Score: 1

      No one is capable of securing Wordpress.

      Most of the internet would disagree with you.

    7. Re:Stop. Using. Wordpress!! by Aethedor · · Score: 1

      Of course. Ignorance is bliss.

      --
      It doesn't have to be like this. All we need to do is make sure we keep talking.
  14. Mint by Anonymous Coward · · Score: 0

    So where can one find mint condition Mint ISOs now?

    1. Re:Mint by interval1066 · · Score: 1

      mirrors; just search on "mint iso", and check the date and md5 hash.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    2. Re: Mint by Anonymous Coward · · Score: 0

      Clem reposted valid hashes in blog.linuxmint.com.

    3. Re:Mint by Anonymous Coward · · Score: 1

      debian.org

  15. Just an IRC bot by Anonymous Coward · · Score: 1

    I read the article and man are these guys full of themselves.

    They were disappointed at being a "top shelf Linux distro" and getting hacked by amateurs, for a lowly IRC bot.
    "They hacked php-this and we thought they hacked php-that, they should have waited longer and really had us."
    The whole article could have been reposted from 1998 with a hashtag thrown in.

    You were burgled by amateurs, and your sysadmins should be embarrassed.

  16. Re: Only COMMUNISM can save us by lucm · · Score: 0, Offtopic

    We need a revolutionary workers party that Lenin and Trotsky would call their own.

    No! What we need is an all powerful nationalistic dictator who can "feel" terrorism and wave his satanic wand and do dark magic to fix everything!

    TRUMP/PALIN 2016

    TRUMP/PALIN FOREVER!!

    What's awesome is how disconnected from the truth your comment is.

    How is life on planet angry loon?

    this is the worst thread I've seen on Slashdot this year, I had to be part of it.

    #WorstOf2016SoFar

    --
    lucm, indeed.
  17. old-school by lkcl · · Score: 1, Interesting

    y'know... there's a reason why debian sticks with old-school mailing lists and why the mirrors keep it as utterly simple as possible. but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

    1. Re:old-school by Anonymous Coward · · Score: 5, Informative

      If the website is compromised the md5 sums available for download on the same website are highly likely to be compromised, too...

    2. Re:old-school by Burz · · Score: 2

      but the other question is, were users verifying the md5/sha1 checksums on the ISO images? how would they do that (when usually they will be downloading a check-program from the same website)? would they *know* to verify the checksums?

      Seriously?? This is why public keys exist...

    3. Re:old-school by Anonymous Coward · · Score: 0

      No. Public keys exist to ensure only one person can decrypt what you are sending. Digital signatures exist to ensure the authenticity of a communication. Hashes with that digital signature are required to ensure integrity. A public key on its own could not do what you want in this use case.

      So many people that aren't specialists think they have even rudimentary specialist knowledge. And this is why the state of information security is so bad...

    4. Re:old-school by Xtifr · · Score: 3, Insightful

      No. Public keys exist to ensure only one person can decrypt what you are sending.

      No, public keys also exist to verify private signatures. In all the years my public key has been out there, I've had it used for encryption maybe a handful of times (mostly for Debian voting verification), but it's been used for signature verification (mostly with Debian packages) more times than I can count.

    5. Re:old-school by Anonymous Coward · · Score: 0

      Yeah, exactly. You sign the published md5 checksums and people can verify the checksums they have are the ones they should have ...

    6. Re:old-school by Anonymous Coward · · Score: 0

      Uh, "public keys" is shorthand for all the things you can do with public keys... like verify signatures.

      Idiot.

    7. Re:old-school by Anonymous Coward · · Score: 0

      md5

      Whoa, grandpa!
      There's sha1, sha256 and firefox even uses sha512

    8. Re:old-school by Anonymous Coward · · Score: 0

      Didn't read more than the content you quoted?

      Digital signatures exist to ensure the authenticity of a communication. Hashes with that digital signature are required to ensure integrity. A public key on its own could not do what you want in this use case.

      Are you a political writer by chance? Quote out of context to make someone else look as if they are wrong when, in fact, you are agreeing with them and being called insightful for it. I guess your fans are a "pro-Trump" kind of crowd.

  18. Re: Only COMMUNISM can save us by radiumsoup · · Score: 0, Offtopic

    We need a revolutionary workers party that Lenin and Trotsky would call their own.

    No! What we need is an all powerful nationalistic dictator who can "feel" terrorism and wave his satanic wand and do dark magic to fix everything!

    TRUMP/PALIN 2016

    TRUMP/PALIN FOREVER!!

    What's awesome is how disconnected from the truth your comment is.

    How is life on planet angry loon?

    this is the worst thread I've seen on Slashdot this year, I had to be part of it.

    #WorstOf2016SoFar

    give it a week.

  19. I dodged this by following advice from paranoids.. by Anonymous Coward · · Score: 1

    When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify").

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

    To all the jerks that say I have a tinfoil hat, have fun with your viruses!

  20. Blame it on Wordpress by wjcofkc · · Score: 1

    Disclaimer, I like WordPress.

    While the culprit turned out to be something else, I think it speaks volumes that the folks at Mint jumped straight to the conclusion that it was a WordPress hack. WordPress must be among the most frequently targeted and compromised systems on the web. To a large degree, you can pin this on market share. But over the years, the many cries pointing out the insecurities in WordPress have not been entirely without merit. Hence the first conclusion. The great thing of course about Wordpress is that you can slap together a kick ass site with modern features pretty quick and with very little skill. Updating and maintaining is even simpler. I think this is best for people that really are helpless when it comes to web design. Personally, I would like to see a fork or similar that puts a strong and immediate focus on tight site security, with hardening, logging, and alarm measures all throughout, with an entire security control panel that would be above the heads of most. I am speaking of an implementation that would be impossible for the tech illiterate, but fresh air to those of us who would understand what we would be looking at and configuring. I can hammer out my own HTML/CSS/Javascript, etc... But unfortunately building a CMS is in fact out of my league. But it seems to me that when I set up a WordPress site, I spend more time auditing, documenting, manually altering and trying to hack it than I do building the site.

    --
    Brought to you by Carl's Junior.
    1. Re:Blame it on Wordpress by Qbertino · · Score: 1

      I see your points, but the first thing a WP redo should do is redesign the architecture. It's the classic mess done by people who started developing in the first web-boom and never learned to normalise a DB correctly.

      The security problems with WP are somewhat inherent to the LAMP stack and not so much WP. A proper Webapp Server built in some serious PL such as C++ or Go would do the trick, but that would kill the huge advantages of these awesome products cobbled together in PHP.

      It's a tradeoff, and for that WP security is actually quite OK.

      --
      We suffer more in our imagination than in reality. - Seneca
  21. Re:I dodged this by following advice from paranoid by Burz · · Score: 2

    When I pressed the update icon in my toolbar (linux mint 17) I got a strange alert saying "cannot verify that the software is what it is supposed to be" (can't recall the exact wording, but everything I have read here and elsewhere said to me "don't install stuff you don't trust and can't verify").

    So, I clicked cancel. The updates were fishy, even though they were through a legitimate source, but who knows when that source could get hacked?

    Thanks slashdot for all the paranoia over security for the past 15 years, it's paid off, just last night. :) Cheers!

    To all the jerks that say I have a tinfoil hat, have fun with your viruses!

    That's exactly what you were supposed to do! And it's properly called precaution, not paranoia.

  22. Somebody wasn't doing their homework. by Qbertino · · Score: 5, Informative

    Now WP and PHP are going to get tons of flak, once again.

    To put things into perspective: WordPress has north of 100 Million active installs. It powers more than a fourth of the entire web. That's orders of magnitude more than any other system on the planet ever has. For that, WP has an excellent security track record with the last new exploit infecting roughly 8000 websites. Once again of that type that weren't following basic security procedures.

    Using WP for a high-profile, high traffic website such as Linux Mint may be questionable due to load issues alone, but it is doable if you follow just the simplest security principles - such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

    All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress. That, and not showering your install with tons of plugin-bloat perhaps.

    WordPress is a system for quickly cobbling together a high functionality website and for that it is excellent. But you have to know your basics about PHP and the LAMP stack, otherwise you have no business setting up a WP installation and are way better off getting one at wordpress.com or some other apphoster for WP. Which, btw., is a perfectly viable option if you've got your hands full maintaining a Linux distro and couldn't

    The Linux Mint people screwed up and perhaps even compromised some boxes that have yesterday's fake ISOs installed on them. They didn't do their homework in terms of basic web-security and this is not the fault of WP or PHP.

    I hope they learn their lesson.

    --
    We suffer more in our imagination than in reality. - Seneca
    1. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 1

      Switch up the login page and mildly obfuscate the SQL table names? THAT'S supposed to protect a WP site from 99.999% of attacks? I'll grant you these are some of the first baby steps to securing a WP site, but this is a far cry from the 99.999% you're throwing around.

    2. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 0

      > WordPress is a system for quickly cobbling together a fanboi "ooohh, I am an oob3r l33t g33k, proven because only an expert can get something workable and attractive out of WorfPress, so that makes me oob3r l33t."

      Fixed That For You.

    3. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 0

      Not to mention most shell uploads and shells can be easily disabled by disabling PHP calls that aren't utilized, specifically centralized around shell commands and forking.

    4. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 0

      This is probably what happened. In fact they mentioned it themselves in the comment section (comment #70).

      "No plugins, latest WP, but a custom theme and lax file permissions for a few hours. The security experts will probably find the exact cause. At the moment there’s no indication it’s related to WP core (we’d probably see a lot more sites being hacked right now, this seems to be targeted specifically at us)."

      From their comment there's no indication that the problem was caused by the core of WP itself. In fact if there's an 0-day exploit for the current version of WP then there would be big news about it because WP is being used by millions.

    5. Re:Somebody wasn't doing their homework. by CRC'99 · · Score: 2

      such as disabling the login page, using non-standard garbled logins, de-coupling login and username and using a non-standard table prefix.

      All this is SOP on any non-development WP installation and mitigates 99.999% of the standard attacks on WordPress

      <Location /wp-login.php>
              Order Allow,Deny
              Allow From 1.2.3.0/24
      </Location>
      <Location /wp-admin>
              Order Allow,Deny
              Allow From 1.2.3.0/24
      </Location>

      This is enough to secure most installs for brute force / stolen credentials.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    6. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 0

      Sounds legit. 99.9% of the attacks are automated script kiddie style stuff. Table name changes alone should break most of those.

    7. Re:Somebody wasn't doing their homework. by Anonymous Coward · · Score: 0

      This is so much bullshit. It's the same argument people use with Windows: "oh, it's only the most hacked because it's the most used".

      Both Wordpress and PHP have terrible track records, and there's no excuse for it. There's plenty of stupid people programming in C and many other "unsafe" languages and using all sorts of CMSs, it's not a simple matter of statistics if a certain language or CMS has most of the vulnerabilities.

  23. Re:Only COMMUNISM can save us by Masked+Coward · · Score: 0

    No! What we need is an all self-victimized woman president who can leak so many classified secrets via email that the terrorists see the error of their ways and turn themselves in.

    HILLARY/TUMBLR 2016

    HILLARY/TUMBLR FOREVER!!

    MORE WOMEN IN TECH!!!

    You forgot the hash tags.

  24. You don't get to be number one by Anonymous Coward · · Score: 1

    And not be challenged?

  25. not a coincidence by Anonymous Coward · · Score: 0

    I was JUST about to start a project today getting a new media server up on Debian, I downloaded the ISO last night before I went to bed. I guess it's not a coincidence that an OS that a lot of people would use for a hobby gets attacked like this. Oh well, I know this post is about Mint, but just to be safe I'll just re-download the ISO before I get started.

    1. Re:not a coincidence by Anonymous Coward · · Score: 0

      If you have not downloaded it 20 times, it is not safe. Do not check it against the checksums, every time you do it, Bill Gates feels like having a dump.

    2. Re:not a coincidence by gweihir · · Score: 2

      Verify the ISO against the SHA512 hashes and the PGP signature of the hash-file. Unlike re-downloading that actually gives you security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
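The procedure gweihir describes here, and the point made in the "old-school" sub-thread above (a checksum fetched from the same compromised site proves nothing unless it is signed), as an added shell script that is not from any commenter or from the Linux Mint project. It assumes gpg and sha256sum are installed, that the signing key was imported from an out-of-band source rather than the download page, and that TRUSTED_FPR is replaced with the project's real key fingerprint; the value in the script is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread or the Linux Mint project.
# Verifies an ISO against a checksum file that is itself PGP-signed, so a
# checksum swapped on a compromised mirror or download page does not pass.
# Assumes: gpg and sha256sum are installed; the signing key was imported from
# an out-of-band source (keyring package, fingerprint printed elsewhere), never
# from the same page as the ISO. TRUSTED_FPR below is a placeholder.

TRUSTED_FPR="${TRUSTED_FPR:-0000000000000000000000000000000000000000}"

# Step 1: the checksum file must carry a good signature from the pinned key.
# gpg's machine-readable status prints "VALIDSIG <fingerprint> ..." on success;
# insisting on the fingerprint rejects a valid signature made by the wrong key.
check_signature() {
    sums="$1"; sig="$2"
    gpg --batch --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG $TRUSTED_FPR "
}

# Step 2: compare the ISO's digest with the entry for its filename in the
# checksum file ("<hex>  <name>" or "<hex> *<name>", as sha256sum writes it).
check_hash() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2          # filename not listed: treat as failure
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Step 3: signature first, digest second. An unsigned or badly signed checksum
# file is never consulted, since its contents prove nothing on their own.
verify_iso() {
    sums="$1"; sig="$2"; iso="$3"
    check_signature "$sums" "$sig" || { echo "signature check FAILED" >&2; return 1; }
    check_hash "$sums" "$iso"      || { echo "checksum MISMATCH: $iso" >&2; return 1; }
    echo "OK: $iso matches the signed checksum"
}

# Usage: verify_iso.sh sha256sum.txt sha256sum.txt.gpg linuxmint.iso
if [ "$#" -eq 3 ]; then
    verify_iso "$1" "$2" "$3"
fi
```

Re-downloading from the same source, as the parent comment proposed, would pass step 2 against a swapped checksum file; only step 1 detects that.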
  26. Consider by Anonymous Coward · · Score: 0

    That these weren't the worst out there, for example how does anyone know that Linux repositories are not compromised, if not by run of the mill hackers then nation states.

  27. "An anonymous reader writes" by Anonymous Coward · · Score: 0

    Only on /. can readers actually write :-)

  28. Updates by phorm · · Score: 1

    Yeah. My concern wouldn't be about the ISOs at this point but the repositories. If an attacker is able to get at those and say, provide a modified version of glibc, it would run rampant in short order.

  29. Re: pet peeve about commas and "that" by Anonymous Coward · · Score: 0

    Consider:
    "Unlike re-downloading that actually gives you security." == "Unlike re-downloading which actually gives you security." (What you wrote is the opposite of what you meant.)

    vs.
    "Unlike re-downloading, that actually gives you security." == "Unlike re-downloading, [checking the hash] actually gives you security." (This is what you meant to say.)

  30. Re: pet peeve about commas and "that" by gweihir · · Score: 1

    And one more: Unlike re-downloading, that gives you actual security.
    And what about: Unlike re-downloading, this gives you actual security.

    Language relies on the listener having a clue and interpreting in the right way. Otherwise it does not work at all.
    As the first sentence is an imperative, there really is no potential for misunderstanding here.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.