Author Topic: Security of Mint and Peppermint  (Read 1498 times)

Offline FlyingFox

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 0
  • New Forum User
    • View Profile
  • Peppermint version(s): 5
Security of Mint and Peppermint
« on: April 16, 2016, 01:54:07 pm »
i am an end user of peppermint and have also installed Mint on another computer for a friend.

I understand that there has been some form of security issue with Mint and as I feel responsible having put it on my friends laptop would like to know if any action can or needs to be taken to ensure continued safe use?

Also  does this security problem also affect Peppermint, please?

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Security of Mint and Peppermint
« Reply #1 on: April 16, 2016, 02:18:26 pm »
The Mint "security issue" isn't an issue with the OS itself .. more that someone hacked into their website and replaced the ISO image with one that contained some malware.

So unless you were unlucky enough to download/install one of the tampered images, you're okay.

The Peppermint sites were quickly checked and all our ISO's were found to be intact, we then digitally signed them all and put up instructions how to check the signatures on our main website .. therefore making it difficult for anyone to do the same to us.

All Peppermint websites have also recently been switched to SSL, so any connections are now secure.

As I said, the issue was never that Mint wasn't a secure OS .. just that someone had managed to stick a modified version of Mint into their supply route .. Mint very quickly informed people of the breach and took all necessary measures to fix the problem and make it as difficult as possible for it to happen again.

Peppermint was never affected, but we learnt from Mints misfortune and strengthened our own supply route.

If you think you may have downloaded the hacked Mint 17.3 ISO during the short window it was being offered .. it would probably be best to ask on the Mint forum how you can know for sure

Some info from their blog
http://blog.linuxmint.com/?p=2994

« Last Edit: April 22, 2016, 02:49:43 pm by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline scifidude79

  • Hero
  • *****
  • Posts: 4029
  • Karma: 870
    • View Profile
  • Peppermint version(s): Peppermint 9
Re: Security of Mint and Peppermint
« Reply #2 on: April 16, 2016, 08:04:45 pm »
It's also important to note that, despite the name similarity, Peppermint isn't actually affiliated with Mint.  It's a totally separate OS.

Offline FlyingFox

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 0
  • New Forum User
    • View Profile
  • Peppermint version(s): 5
Re: Security of Mint and Peppermint
« Reply #3 on: April 16, 2016, 11:49:41 pm »
Cheers for the replies guys - I'm pretty relieved to be honest!!

The friend I installed Mint for knows even less than me about these things so although I haven't checked it's most unlikely that he will have installed anything other than (I presume) the usual regular updates (as I do with Peppermint) when they appear. (I installed 17.2 for him) He uses it for internet banking so you can appreciate I was a bit concerned.

I appreciate Mint and Peppermint are not the same but only queried whether there was a possible link as don't both share or use code/info or whatever (note my ignorance here) with/from Ubuntu which I got the impression was involved in this breach of security.

Whilst I don't understand what's been done I'm very impressed by the swift action people like PCNetSpec and others clearly took to improve Peppermint and safeguard users like me.

Is it likely as Linux gets more popular that attacks by hackers is likely to increase and does that mean an anti virus software is now becoming necessary - if there is one, of course?

I'm really happy with Peppermint and given that Microsoft are to stop supporting W7 at some point in the future and that I don't want W10 I will be converting my second laptop to Linux in due course.

Thanks again for your advice and help.




Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Security of Mint and Peppermint
« Reply #4 on: April 17, 2016, 04:25:36 am »
AFAIK it was only the 17.3 ISO's that were replaced so if you installed 17.2 you're fine :)

Quote
Is it likely as Linux gets more popular that attacks by hackers is likely to increase and does that mean an anti virus software is now becoming necessary - if there is one, of course?

It's a myth that Linux isn't targeted because of it's lack of users, Linux runs the worlds servers including banks, stock exchanges, governments, military ... ignoring the script kiddies, if anything Linux has a bigger target on its back than Windows .. and yet it withstands attack without anti-virus because it's nearly impossible to get malicious code into the software chain in the first place .. and even if they somehow breached that barrier:-

a) with packages in the default repos all being digitally signed, any changes would immediately be spotted and rectified
and
b) Linux permissions, and the way binary executable received from the outside world have the execute bit disabled by default also represent a HUGE barrier to the spread of any virus

Any virus that can be spotted and killed faster than it can propagate isn't really a problem .. THIS is why Linux isn't a target, not because it's impossible to write Linux viruses (you most definitely can), but because there are too many barriers to stop them spreading meaning at worst you'll hurt a handfull of people.

The track record of these Linux barriers speaks for itself, and has a MUCH better record than playing the 'catch up' game played by anti-virus where it can't block stuff it doesn't know about.

The Mint breach tried to sidestep the whole process by providing the malware "at source" .. so you installed it with the OS, it was quickly spotted and not just the ISO's taken down but Mint took down their ENTIRE web presence whilst they investigated and remedied the breach .. they told the world about it rather than trying to sweep it under the carpet thus allowing users to figure out if they had a problem, and the rest of the Linux community to learn from their misfortune .. I'd say Mint behaved admirably, and we're stronger now than ever .. even anti-virus can't stop "first attack" or "zero day" exploits ;)

In short - IMHO, Linux doesn't currently require anti-virus and I doubt this will change unless Linux does.
« Last Edit: April 17, 2016, 05:31:58 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline darthlukan

  • Trusted User
  • Member
  • *****
  • Posts: 157
  • Karma: 27
  • Sith
    • View Profile
    • Brian C. Tomlinson dot com
  • Peppermint version(s): DEV
Re: Security of Mint and Peppermint
« Reply #5 on: April 17, 2016, 09:00:40 am »
Hi.

To add on to what PCNetSpec said about attack spreads: This is why it's so important to pay attention to which command you execute with sudo or as root, because if you just haphazardly download some script from the internet and execute it as root (or sudo, yes, there's a difference) and that script has some malicious code in it, the script executes as root and therefore has complete access to the entire system.

Something I always tell ALL users, regardless of experience level: "Don't run a command if you don't know what it does, especially as root or sudo." Sure, you don't have to know a lot nowadays to run Linux, but part of protecting yourself as a user is knowing how your system works and what you're looking at when you open a script. That means that yes, you should learn at least a little BASH (the most widely used shell by default in Linux distributions) and also understand your environment variables.

As an exercise, I recommend users do the following in order to have a sane baseline of knowledge:

1. In your terminal, run
Code: [Select]
$ env. This prints all of the environment variables which are set for the current user. Anything that you don't understand, search for it on Google.  For example: "LC_ALL environment variable linux" will let you know what the heck
Code: [Select]
$LC_ALL=POSIX means if you don't understand (it's a locale/language setting FYI).

2. Read a BASH tutorial so that you are familiar with what it can do and can review any shell script somebody (or some site) recommends downloading and running.  The beauty of open source is that "many eyes makes bugs small", but only if you know what you're looking at. A really good BASH primer is this one provided by IBM.

3. Learn good desktop administration habits. Among many other things, this means "use the least amount of permissions required to do the work". Don't log into your system as root from an X (GUI) session, don't turn on root ssh access, don't execute scripts as root unless you know precisely what that script is doing (if you don't know, ask someone!), do learn about file permissions in Linux and how to use them properly, do take advantage of automated maintenance (read up on cron), and do learn about sudo and how to control it.

To a beginner, those three things might seem very complicated, in practice, they are much easier to understand than you might think at first glance. Linux users gain a lot of power by default when using any Linux distribution, understanding that power is the key to being safe and is also a fun exercise in learning.

I hope that helps you to have more confidence in yourself while running any Linux distribution and that it clarifies what you may hear a lot of Linux users say when they talk about security.



As an added note, there are antivirus programs for Linux, the most famous and widely used of which is clamav.
Team Peppermint | GPG: 3694569D | Github

Offline FlyingFox

  • Newly Subscribed
  • *
  • Posts: 10
  • Karma: 0
  • New Forum User
    • View Profile
  • Peppermint version(s): 5
Re: Security of Mint and Peppermint
« Reply #6 on: April 18, 2016, 03:06:47 am »
Hi, darthlukan,

Thanks for your response.

The friend I installed Mint for is very happy with it (he tells me) it's just used for emails, the occasional letter writing, pictures, and generally surfing the net it's just something that replaced XP and like I suspect 99% of Windows users his laptop is like his T.V. switch it on, use it, switch it off.

As long as he can do those basic tasks and the OS continues to work well that's it.  To recommend that he should do as you suggest would no doubt send him scurrying to PC World to buy a new laptop with Windows 10.  :)


 




Offline Alex

  • Member
  • ***
  • Posts: 98
  • Karma: 8
    • View Profile
Re: Security of Mint and Peppermint
« Reply #7 on: April 22, 2016, 12:04:01 pm »
I still learn reading these topics.
Peppermint is safe and easy to use. Linux Mint is safe too. Now both websites distros are https and you are safe.
Be careful with your internet navigation (malware websites, certain online games) and enjoy Linux.
Cheers.