Linux.org hacked????



#1 dannyboy950


Posted 13 December 2015 - 01:59 PM

I went to linux.org to look for a bootable distro and saw they had an announcement that they had been hacked maybe and for all members to change their credentials [log-ins etc].

Now how can I trust that that is all that has been changed? Can I now trust their downloads at all?


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinnamon




#2 Guest_GNULINUX_*


Posted 13 December 2015 - 02:27 PM

Like with any site/server/...

Did you ever (blindly) trust anything on the internet?

 

- All software on the site has been updated
- All passwords have been reset to random
- You will need to use the lost password function to reset and login.
- If you used a shared password on this site you need to remove it from other sites as well
- Assume your old linux.org user/password combination is on pastebin somewhere.

Source: http://www.linux.org/threads/possible-breach.8589/

 

Greets!



#3 pcpunk


Posted 13 December 2015 - 02:30 PM

 

"Now how can I trust that that is all that has been changed? Can I now trust their downloads at all?"

You can't, that is how the internet is, a virtual Wild West. I'm not too familiar with the site but I wouldn't worry too much about the downloads as they seem to have corrected the issue. I always download from an official site if possible.



 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

 


#4 MadmanRB


Posted 13 December 2015 - 02:36 PM

Server compromises happen regardless of the OS so all are equal to having a virtual teardown.

One cannot be overly paranoid though; really the only true system that is safe is one buried under the ground with no internet connection.


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#5 NickAu


Posted 13 December 2015 - 03:13 PM

 

"Can I now trust their downloads at all?"

You can always check the MD5 of the software.



#6 dannyboy950


Posted 13 December 2015 - 04:37 PM

That is assuming I have the correct md5 hash number and know how to verify the number is real.




#7 mremski


Posted 14 December 2015 - 02:54 AM

"That is assuming I have the correct md5 hash number and know how to verify the number is real."

Well, I've been able to locate the hash on the download page, the utilities for verifying/generating a hash have been in the system for a long time (man -k md5 or man -k sha). As for the question "is the file I grabbed from linux.org compromised", well, that's when one goes to mirror sites and looks to see if hashes match.

Before you let this make you lose all faith in Linux or other open source software, at least you have the chance to "trust but verify"; what do you think a commercial company would do? Are you 100% satisfied that you're pulling Windows updates from an official uncompromised server (Windows/Microsoft used as an example)?


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
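
The cross-check described in the post above (compare the hash of the file you downloaded with what other mirrors publish), as an added example that is not part of the original thread. It assumes each checksum list was fetched from a different mirror; the file names and list contents are constructed for the demo, and `sha256sum` is used, though `md5sum` can be passed as the tool argument.

```shell
#!/bin/sh
# Added example. File names and checksum lists are constructed for the demo.

# digest_of FILE [TOOL]: print only the hex digest (TOOL: sha256sum, md5sum, ...)
digest_of() {
    "${2:-sha256sum}" "$1" | awk '{ print $1 }'
}

# published_digest LIST NAME: print the digest LIST gives for NAME.
# LIST uses the "<hex>  <name>" layout that md5sum/sha256sum write.
published_digest() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$1"
}

# verify_against_lists FILE TOOL LIST...
# 0 = every list agrees with the local digest, 1 = a list disagrees,
# 2 = no list given or a list has no entry for the file, 3 = no digest computed.
verify_against_lists() {
    file=$1; tool=$2; shift 2
    [ "$#" -ge 1 ] || { echo "no checksum lists given" >&2; return 2; }
    name=$(basename "$file")
    actual=$(digest_of "$file" "$tool")
    [ -n "$actual" ] || return 3
    for list in "$@"; do
        want=$(published_digest "$list" "$name")
        [ -n "$want" ] || { echo "MISSING  $list: no entry for $name" >&2; return 2; }
        [ "$want" = "$actual" ] || { echo "MISMATCH $list" >&2; return 1; }
        echo "OK       $list"
    done
}

# make_demo: build a scratch directory with a stand-in "download", two
# checksum lists that agree with it, and one that does not. Prints the path.
make_demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a downloaded image\n' > "$d/distro.iso"
    (cd "$d" && sha256sum distro.iso > mirror-a.txt && cp mirror-a.txt mirror-b.txt)
    printf 'different bytes\n' | sha256sum | awk '{ print $1 "  distro.iso" }' > "$d/altered.txt"
    echo "$d"
}

demo=$(make_demo)
verify_against_lists "$demo/distro.iso" sha256sum "$demo/mirror-a.txt" "$demo/mirror-b.txt"
verify_against_lists "$demo/distro.iso" sha256sum "$demo/mirror-a.txt" "$demo/altered.txt" \
    || echo "do not use this download (exit status $?)"
rm -rf "$demo"
```

A match only shows that the sources agree with each other, so a list fetched from the same server as the file adds nothing; each list should come from a different host.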


#8 Guest_GNULINUX_*


Posted 14 December 2015 - 04:30 AM

And also...

Your username/password/email was never safe to begin with since they are using http, just like BC...  :o

 

As mremski said: "Trust but Verify"

I even have a distro where it is built in to the file properties!

 

[Attached image: 2rjWoNN.png]

 

Greets!



#9 NickAu


Posted 14 December 2015 - 04:38 AM


 

"Are you 100% satisfied that you're pulling Windows updates from an official uncompromised server (Windows/Microsoft used as an example)?"

Have a look at how Windows 10 is getting updates: PCs on my network and PCs on the internet. Whose PCs? Mine? Yours? Some script kiddie's? How long before somebody compromises the updates from PCs on the internet?



#10 mremski


Posted 14 December 2015 - 08:02 AM

Another thing to keep in mind is that linux.org appears to be an "aggregator" site: general news and links that are Linux related, with obligatory forums. If you post in any of the forums over there (like you do here), then you will need to reset your password. Now, if your password over there is the same one you've been using for your banking information (which is really really bad), change that right away. Download links look like they mostly lead to off-site web pages, so that helps limit mucked up software, but could raise the specter (spectre for UK contingent) of links to bad places, so just double check where your clicks are leading you.

