Posted by: duskfire | February 26, 2016

Security issues, Linux Mint, and switching distros

I recently switched back to using Linux Mint (17.3 KDE) after over a year using Windows 10. I am used to this particular Linux distribution and have strongly preferred it ever since I began using it back in 2008. I am not a power user, but also not a total newcomer to using Linux. I am 51 and have been using Linux for about 14 years now. Recent events involving Mint have prompted me to think about why I use it, about some of the criticism it has gotten, and whether or not it is time to move on to a different Linux distribution full-time at home.

Short answer: Not yet. But it’s something I will consider carefully for the future.

Last Saturday (2/20/16) the website at Linux Mint was hacked and the download page for the default installation ISO was redirected to point to a malicious specially crafted ISO that included a backdoor. This has been fixed (initially by taking down the page), but meanwhile it turned out that the forum’s database had also been stolen at some point in January and fairly substantial private information from users was obtained (and later apparently offered for sale.) My installation was on February 2nd, so I am fine (and I use KDE, which wasn’t even the edition the crackers had changed). The forum password (for me only) was just a long complex one that Mint had sent me as a reset from a year ago, which I never changed. So I got really lucky – I don’t have to change any other passwords because that one was unique to the Mint forums.

Since this attack, I have read quite a few opinions about Linux Mint. As is so often the case with popular things, there seems to be a lot of heat but not a whole lot of light on the question of “Is Linux Mint still a trustworthy distro?”

As I see it, there are three issues here, only two of which are related.

  1. Whether people ought to move away from LM because of the security breach/poor security practices
  2.  Whether people ought to move away from LM because the crew are few in number and have become overwhelmed.
  3.  Whether people ought to move away from LM because the distro devs make technical choices that are poor compared to other distros (outdated kernel, holding back crucial updates, etc)

Taking these one at a time… I think it is still too early to decide whether Linux Mint is no longer trustworthy. They have changed their forum db, they were open about the details of the breaches as soon as they happened, and it remains to be seen if the developers will get overwhelmed.

I also think people need to keep something in mind – breaches do happen. I do not want to minimize the impact at all, but this is hardly the first time a Linux distro has been directly attacked by crackers. Way back in 2003, Debian suffered a breach of their servers. In 2008 and again in 2011, Fedora also suffered some kind of breach. And as recently as 2013, less than 3 years ago, Ubuntu’s forums were hacked into and over 1.5 million user accounts and passwords were exposed. As far as I know, no one is currently saying they no longer use Ubuntu, or Fedora, because of past successful breaches. So I’m willing to give Linux Mint, Clem Lefebvre, and the other developers the benefit of the doubt when it comes to learning this lesson, strengthening their security, and keeping their site software patched properly.

During the last few days, I have also seen references to Linux Mint being a hobbyist distro and implying or stating that its popularity has grown way beyond the devs’ ability to keep it maintained adequately. In my view, when you look at the list at Distrowatch, the overwhelming majority of distros can be referred to as “hobbyist”, including several in the “top 20” of the page hit ranking list. Again, I think it is too early to be sure that the developers of Mint are overwhelmed. Most people who use Mint seem pretty happy, and personally I have not had any issues with it either. Mint has always focused on what is best for their users, and I admire that.

The last point, technical decisions made by the devs, does have some measure of validity. There are certain practices that Linux Mint does that a few people say are bad decisions from a technical point of view. Personally, I either am not bothered by them or have found workarounds past them. The benefits I get by using Linux Mint, together with its stability and lack of issues (for me, on my laptop), combine to make it feel that changing distros would be counter-productive at this time. However, some of the arguments – the ones that refrain from juvenile potshots at Mint – sound like valid concerns and I would be foolish to ignore them.

If I were to change, though, I’d do a fair amount of research. I would prefer to use a distribution that uses the KDE desktop, with a decent sized repository. The concerns over proper security and other issues would apply equally to any new choice. Fedora, Xubuntu, Mageia, or Debian would be among the handful at the top of any list of new day to day Linux distribution, but that would also be after checking to ensure that the KDE or Xfce desktop version was getting adequate attention from the official core community and not just an afterthought. I have tried several distributions who use GNOME 3 and it just is not suited for the way I tend to use my computer. The same goes for Unity – I know a lot of people like it, but I do not.

To summarize, the breach at Linux Mint has hopefully gotten the developers there to be even more security-minded than before. It has again shown the wisdom of not using the same password on multiple sites. And perhaps I am not the only person using Linux who would benefit from taking a more thorough look at exactly why I have chosen the particular flavor of Linux that I use every day. Switching to a new one is not something I’d advise doing lightly for anyone, if the one you use is serving you well.

I also promise that if I do switch away from Linux Mint, I’ll explain the factors that went into my decision and what I like about my new choice for a day to day distribution.

 

Advertisements

Responses

  1. Good stuff – all the right points considered. I will be interested in seeing how you progress with this. I agree with you, there is no point in blindly abandoning Mint over this. Like you, I have been watching Mint for a very long time, and I have been impressed with their work, their attitude, and their response to problems in the past. This is one of the biggest problems they have had to face, but I believe they will be up to the challenge.

    Personally, I stopped using Mint as my everyday distribution several years ago because of the slow update policy – not only that of Mint themselves, but of Ubuntu upstream as well. For the way I work and the things I do, I really need a rolling distribution so that it is always as up to date as possible.

    It is worth mentioning, though, that the Mint developers have made some changes to improve this. Mintupdate was changed not too long ago to make it easier to see, select and install updates which were not installed by default.

    jw

    • Thank you, Jamie.

  2. The Mint guys should have implemented selinux on the server, too minimize damages. If someone get root access, selinux have rules for what an app can do or not do, making it very difficult for any intruder. Does anyone know what went wrong or caused the hacking of Linux mint? Bad passwords, bad security, inside job?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: