OT: Update: Linux Mint hacked - infected ISOs on website

Sounds like it was more than just one occasion and to a deeper degree.

I *really* hope the Mint site wasn't running Linux servers as those Linux fanatics won't ever be able to show their faces again. ;-(

formatting link

A 'Linux botnet' eh.

Cheers, T i m

T i m

Now, now, TNP will tell you there are no linux machines in botnets. He must run them all to know.

dennis

Of course he will. It says it must in his 'Linux advocates handbook' (that reads very much like 'The Watchtower' to me). ;-)

He does and not a KVM in sight! ;-)

Linux is ok, certainly for what it cost and I have it here on several machines (mostly dual boot), but it really is 'just another OS'. Whilst it may be intrinsically (conceptually?) 'more secure' than say Windows, it will never be part of the anti-malware / spam / botnet (hmm) solution until it is considered as a direct replacement for the incumbent *by ordinary users*. And that is the bit the Linux geeks really can't 'get', *because* they are Linux geeks. ;-(

Cheers, T i m

T i m

... and what about the Windows geeks? :-)

We're all ordinary users, or not, we're all unique users as well.

It's all moot anyway, desktop machines are no longer common and even laptops are not so popular with the smartphone (and tablet) taking over everywhere.

cl

Whilst there are some of course, few 'ordinary users' actually choose Windows as it comes on whatever PCs they buy so are unlikely to be as 'geeky' as those who make the conscious choice to go to Linux or buy a Mac (with OSX).

Whilst you are probably right when you look at the global statistics (and it's commonly put up as an 'excuse' re the failure of Linux on the desktop), 'most people' I know (and certainly the constant stream of people going to my mate's PC shop) or the people asking me to recommend their next new laptop. Just recently I've built a new (W10) desktop PC for a mate and given him another (XP) to play with. I'm currently trying to help a local lady get back online with a Linux on one of her two laptops.

Both daughter and I have smartphones and mobile data and whilst I can and do use it mobile for data, I only do so in emergencies (partly because of the small screen but mostly because I don't find it 'efficient'). Daughter has better eyes and is more 'mobile' so uses her phone more for the Web but still fires up her Laptop for doing 'important' stuff like designing her website.

We have also got tablets but again, it's not portable enough for daughter to bother with over her phone (and rarely charged) and whilst I have 3, I generally pick up a laptop when I'm doing anything other than a quick browse, WiFi connectivity test or going to be waiting in the car somewhere (hospital driving then using my phone as a mobile hotspot).

Mum uses her iPad a lot, mostly as a big camera, some IM to us, a bit of email (mainly receive) and her Canasta game.

And of course *every* office is filled with desktops and laptops and probably will continue that way for a long time.

Cheers, T i m

T i m

Don't be more pathetic than you have to be Dennis. I know it's hard, but try.

The Natural Philosopher

In message , T i m writes

Your poking of the Linux advocates is as tedious as the Windows bashing by others.

Whether or not the server was running Linux (almost certainly I'd imagine) is not really relevant.

It was the software running on the server that was the issue AIUI. They were able to get into the Wordpress installation running the Linux Mint site, which meant they were able to change the download link and checksum to point to the dodgy ISO.

They also seem to have been able to download the forum data.

I've not followed this enough to know quite why this was able to happen; I've seen a suggestion that they might have been running an older version of Wordpress and were able to access a vulnerability in that.

Of course if you are able to modify the source of a software distribution then you can get it to do whatever you want really. But you would be lucky to get wide distribution (this was discovered and the site taken down pretty quickly). Rather different to getting botnet malware installed on 10,000 Windows PCs because of virus-laden e-mail or a drive-by download on a website.

Chris French
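
An added example, not part of the original post: since the download link and the checksum were changed on the same site, a checksum read from that site will match the tampered ISO. This Python sketch accepts a file only when checksum listings from at least two separately fetched sources agree and the file matches them; the file names, listing contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_listing(text):
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def verify_iso(path, listings):
    """listings maps a source name to the listing text fetched from it."""
    name = os.path.basename(path)
    if len(listings) < 2:
        return False, "need at least two independent sources"
    expected = {src: parse_listing(txt).get(name) for src, txt in listings.items()}
    if None in expected.values():
        return False, "a source has no entry for this file"
    if len(set(expected.values())) != 1:
        return False, "sources disagree on the expected hash"
    if sha256_file(path) != next(iter(expected.values())):
        return False, "file does not match the published hash"
    return True, "ok"

def demo():
    """Constructed data: a tampered download plus a matching forged listing."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "example.iso")
        with open(iso, "wb") as fh:
            fh.write(b"tampered image bytes")
        forged = "%s *example.iso\n" % sha256_file(iso)  # what the hacked page shows
        real = "%s  example.iso\n" % hashlib.sha256(b"genuine image").hexdigest()
        return {
            "site_only": verify_iso(iso, {"website": forged}),
            "site_vs_mirror": verify_iso(iso, {"website": forged, "mirror": real}),
            "two_mirrors": verify_iso(iso, {"mirror-a": real, "mirror-b": real}),
        }
```

A detached signature over the listing, checked against a key obtained before any compromise, is the stronger control; the cross-source comparison above only helps when the sources are not all fed from the same compromised server.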

Yes. When Richard Feynman was working on the Manhattan Project during WW2, he had from time to time to visit the office of bigwig generals, who'd boast to him that they had this uncrackable safe. After indulging in a bit of idle conversation with the general, Feynman was sometimes able to go over to the safe and open it. Often because the general had left the safe's code on factory settings, or used his date of birth. Visiting mathematicians it was even easier - they used e or pi. Nothing changes, eh.

Tim Streater

I used my mother-in-law's former telephone number. I also sometimes use my parents' first telephone number.

charles

Understood. It's a shame though the Linux advocates don't have the balls (or facts) to substantiate their ridiculous claims (as proven by yet another example re this thread) and then have to run away and hide behind their cowardly killfiles?

Well, it is relevant if the whole concept of running 'Linux servers' is supposed to make things much more secure than running (say) Windows servers. That is *the* point.

Again, 'Linux software' presumably? You know, all those millions of eyes checking over all this code ...? See, I've never made such claims of any other OS, the Linux advocates are constantly ramming such things down other people's throats as if it is a fact when it's blatantly obvious that in many cases it's far from the truth (long term bugs and security weaknesses that finally come to light).

Ok.

Yup, along with many people's personal details and potentially passwords.

Did the link I provide not explain that sufficiently? (Genuine question).

Quite, like provide a Linux botnet ... from an installation DVD!

Although it suggests it had been going on since January so I'm not sure if I'd rate that as 'pretty quickly'?

Oh indeed, I have no issue realising the real world implications and risks here, it's just I've never tried to claim Windows was specifically secure.

I have nothing against Linux, if I did I wouldn't have installed it myself and / or offer it to others, it's just I don't like all the lies and BS the Linux advocates try to spread when they will continue to try to do so, even when we see problems like these.

That and their total denial that many 'other people' don't seem to be able to make as much use of Linux as the geeks ... and for good reason, because they (of course) don't realise that they are 'geeks'. ;-)

I guess I should try to accept that even people I generally respect, who generally come out with reasonable ideas and can have reasonable discussions, will also have their flaws and where logic and common sense will go right out the window. 'Forgive them because they do not know what they are doing'?

Cheers, T i m

T i m

No, the point is that it makes the OS more secure, as it's a lot harder to hack.

Well if it wasn't Linux software it wouldn't run, now would it. Just like you can't run a .exe file under OS X (and you get a polite message telling you so, if you try).

Well it is a fact. Although I agree that the repetition gets tedious.

What has that to do with the present case?

See T i m the actual point is that it was the WordPress installation that was hacked, probably easy to do if you don't secure it in the right way. WordPress seems to consist of PHP scripts and a MySQL server, which will run on Linux, OS X, and almost certainly Windows. I imagine the MySQL part was not configured securely, and that has nothing to do with the underlying OS.

Tim Streater

The problem with most content management systems is that they are supplied to make it easy for stupid computer illiterate 'creatives' to construct superficially attractive websites, generally on *shared* hosted servers.

That latter part is important, because it means that there is no other way to access the administration, than the same web server that runs the site itself.

I.e. there is no administrative 'back door' running over - say secure https - only a front door that anyone can in theory access, protected by usually a simple name and password.

And in a place that, unless it's altered by the wordpress* installer, is the same for every site that uses wordpress.

So you can, as I did with UKIP's website before they fixed the glaring security hazards, guess a URL and be rewarded with a login prompt....

Then it's only a question of running name/password combos at it quietly until you crack it.

Hacker code is available to do all this automatically.

This of course is nothing to do with Linux, and everything to do with the way websites are designed, deployed and maintained.

Which is, frankly, s**te.

Because I run a politically 'hot' site - Gridwatch - I have looked into this in some depth. Suffice to say that the only content management systems on my websites are designed by me and accessed in ways not available to the world at large.

You CAN design far more secure websites. But it takes time, skill and therefore money.

*I use Wordpress, because it's what happened here. Joomla is even worse.

The Natural Philosopher
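
Detection for the quiet name/password guessing described in the post above, as an added example that is not part of the original post: it counts failed login POSTs per client over a long window, so guessing paced to stay under per-minute limits still stands out. The log lines are constructed, the addresses are documentation ranges, and reading status 200 as a failed login is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format prefix: client, timestamp, method, URL, status.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
LOGIN_PATH = "/wp-login.php"  # the default, guessable login URL

def login_posts(lines):
    """Yield (client, time, status) for each POST to the login page."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, method, url, status = m.groups()
        if method == "POST" and url.split("?", 1)[0] == LOGIN_PATH:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            yield client, when, int(status)

def slow_guessers(lines, window=timedelta(hours=24), threshold=5):
    """Return {client: total failures} for clients reaching `threshold`
    failed login POSTs inside any single window."""
    failures = defaultdict(list)
    for client, when, status in login_posts(lines):
        # Assumed default behaviour: a failed login re-renders the form (200),
        # a successful one redirects (302).
        if status == 200:
            failures[client].append(when)
    flagged = {}
    for client, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[client] = len(times)
                break
    return flagged

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    fmt = '%s - - [01/Jan/2024:%02d:15:00 +0000] "POST /wp-login.php HTTP/1.1" %d 1500'
    lines = [fmt % ("203.0.113.7", hour, 200) for hour in range(1, 7)]  # one guess an hour
    lines += [fmt % ("198.51.100.20", 9, 200), fmt % ("198.51.100.20", 9, 302)]  # typo, then login
    lines.append('198.51.100.20 - - [01/Jan/2024:09:16:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 900')
    return lines
```

With the default 24-hour window the hourly guesser is flagged; with a 10-minute window the same traffic passes unnoticed.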

Should make it you mean?

Now I see why you don't like reading the more complicated stuff Tim. ;-)

No, really? No, my point was you can't gut offset the risk down to an OS just because of the risk of a program it is running, especially if that weakness was caused by a bug that should have been found by the 'millions of eyes' we are told is checking all the open source stuff (at least).

No, it has often been proved to be a myth. Note, I'm not saying it's never the case, I'm suggesting it doesn't seem to be sufficient to actually have any major positive impact. 'Most people' writing open source software are probably good and trustworthy and so most of their work, especially when it's simply a mod or a patch probably goes un-viewed, especially by 'millions of people' and for quite a time.

And because of the above it's especially so.

Because it's part of 'the point' re my reply re the Linux advocates and their bluster and lies.

But probably running on a 'Linux server' and 'apparently' that makes (should make) it 'safe'?

See above ... only that we are often given the suggestion that anything running Linux or running on Linux is 'secure' (or even more secure than any other server OS when properly secured) when it's obvious that it isn't. As you referenced, it doesn't matter if the base system is inherently more secure if the security is then compromised when you actually connect it to the outside world or run other / real world programs on it.

I knew that, most (interested) parties know that but it's not the image the Linux advocates try to put across.

Cheers, T i m

T i m

Indeed, though I'd guess it was the PHP that was misconfigured, assuming the forums were under Wordpress too. Once you compromise Wordpress, you can read the conf file, so you can read the database, even if it means having to write and upload a bit of PHP to do it and dump the results to a browser.

The very ubiquity of Wordpress means it's a common target, like PHPBB was/is, and largely, the underlying OS is irrelevant in this case. As has been pointed out, if you managed to compromise servers or content management hosting any OS download, you can infect that download.

Chris Bartram

Well, indeed. I'm an unashamed Linux fanboi, but you only have to look at the many compromised IoT devices around. It's rare the actual OS has been broken into directly, but that hardly matters if the crappy web app running on top has the root password hardcoded :-)

Chris Bartram

And that's fine, *I* am considered the same by many (me, of all people!) but there is a big difference between someone who happens to like something, because of any or all of the variables (price, colour, suitability to them and/or their needs) and someone forcing those same virtues as they appear to *them* down the throats of others and denigrating all the alternatives and their users at the same time.

Don't you (well, 'they') think that if there was a free and 'more secure' OS that was available and *really* replaced something that had cost(s) and wasn't 'as secure' ... that the world wouldn't have cottoned on by now and we would all be using it (even if only alongside Windows / OSX / Android / whatever) etc?

Even when I have installed Linux for someone and set it up to replicate (as near as possible) what they are already familiar with (say Thunderbird, Firefox or LibreOffice), they still *choose* not to use it, often with very legitimate and practical reasons (which can include 'I just don't like it')? FWIW, I don't happen to 'like' the Apple OS's, even because of something as simple as not being able to right-click on the desktop and create a new text document, however, I can generally work my way round them and get them doing as much as anyone else could. Often however, that still isn't enough, and that doesn't surprise me as such, considering just how Windows centric the world is today.

Of course, I never suggested otherwise ... but it's not about making reasoned or reasonable comparisons, especially whilst considering the wants and needs of the masses (as that would be fine and dandy etc), it's (generally) just the opinion of someone who can't seem to see out from their own basement being put across as fact and at the expense of everything and everyone else. Put up real-world and rational reasons why Linux might not be the best thing since sliced bread and all you then suffer is personal insults and attacks.

'Of course', and that's the point. Very few ever put their solutions over as being perfect and especially for 'everyone', except a few of the Linux fanatics. The fanboys are generally more friendly and realistic.

I have never tried to push any OS on anyone or have the arrogance to suggest I know better in that regard. Neither do I resort to childish names like Winblows or Linsux because whilst (say) Linux or OSX might not do as much for me as Windows, I have, sometimes use and therefore appreciate each have their own merits, advantages and issues.

Cheers, T i m (Arduino Fanboy). ;-)

T i m

Yes. A car number your dad once owned - or you did many years ago - might be pretty difficult for anyone to guess or find out.

I'm personally not keen on using any password I can't remember. ;-)

Dave Plowman (News)

I've written lots of PHP but never used Wordpress, so I'm happy to be corrected on that.

Tim Streater

In order to actually use a database, the PHP code must be equipped with certain access rights.

It's very rare that those access rights are so tightly controlled that all they can do is access the code in the way that the applications intend, and no further.

And indeed to set up such restrictions requires far deeper access rights than that anyway!

Trust me, I spent many months pondering these things.

It is essentially the same problem that any multiuser system has, in principle, to stop users getting at stuff, you need to limit what they can do BUT to set that up in the first place requires pretty general and dangerous access - like root on *nix.

IF you have total machine control you can in principle say 'well only the actual console will be allowed to do these things, and that's in a secure machine room. And you still need a password'

However in the context of a shared server, you can't do that kind of separation.

With *virtual private* servers you can get a long way, because typically the console access is very far removed from the access by random users and web pages. And you can use things like firewalls to limit other network access for admin purposes to specific IP locations.

But not using wordpress in the way it's designed to be used.

What I am saying is that ultimately this has nothing to do even with wordpress, mysql or php and certainly not linux. It's all about using the front door to get to the back office.

Ideally you use a back door, best of all its a back door with massive security. And a private corridor from your site to it, that no one else can use.

This is all about machine and network architecture, not about the OS or the applications per se.

Web server security is all these things, and it is not and never will be perfect.

The Natural Philosopher

Ordinary users choose pcs with windows on them.

When they sold lots of netbooks with linux on them the return rate was in the 90% bracket (well it was at Staples where I knew the shop manager) as they realised they had bought something they didn't want.

The only choice the majority make is between windows and mac.

dennis
