[kwlug-disc] Linux Mint site hacked

Bob Jonkman bjonkman at sobac.com
Wed Feb 24 12:44:31 EST 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While "Peace", the hacker who compromised the Linux Mint site,
provided evidence of the breach in January, there is no evidence
that Clem or anyone else performing SysAdmin work on the site was
aware of the breach until it was announced.  A tweet is hardly
responsible disclosure.

You're likely to find similar one-person shops for many other Free
Software projects: GnuPG, NTP, GNUsocial. None of those have the
staff, money or other resources to conduct regular pentests or
intrusion detection.

SysAdmin is hard. SecAdmin is harder.

- --Bob.


On 2016-02-24 12:29 PM, Khalid Baheyeldin wrote:
> I am not questioning intentions. Good intentions on their own are
> not enough. And I am not commenting on skill or expertise.
> 
> Specifically, the big issues that the incidents at hand uncovered
> are:
> 
> - Being silent about a hack that copied user data for a month.
> - Not providing kernel updates
> - Not publishing CVE information
> 
> This could all be oversight, but in the end it puts users in
> danger.
> 
> The prudent action by any user is to find an alternative,
> regardless of what the details are.
> 
> 
> On Wed, Feb 24, 2016 at 12:20 PM, Bob Jonkman <bjonkman at sobac.com>
> wrote:
> 
>> It's all well and good to say Free Software projects must be
>> managed to professional SysAdmin standards, but how many people
>> have contributed towards that goal? As far as I know, Clem is the
>> only person actively working on that project, and he openly
>> publishes the donations he receives:
>> http://linuxmint.com/donors.php
>> It looks substantial, but when you subtract the costs of running
>> the site there's not much left over for food and shelter.
>> 
>> --Bob.
>> 
>> On February 24, 2016 12:06:14 PM EST, Khalid Baheyeldin
>> <kb at 2bits.com> wrote:
>> 
>>> And the forum database was hacked and sold a full month before
>>> they announced they were hacked.
>>> 
>>> Very disappointing to see a popular free software project
>>> being mismanaged that way, with no proper updates.
>>> 
>>> 
>>> http://news.softpedia.com/news/linux-mint-forum-database-compromised-for-at-least-a-month-before-announcement-500901.shtml
>>> 
>>> ------------------------------
>>> 
>>> kwlug-disc mailing list kwlug-disc at kwlug.org 
>>> http://kwlug.org/mailman/listinfo/kwlug-disc_kwlug.org
>>> 
>>> 
>> 
>> --
>> Bob Jonkman <bjonkman at sobac.com>  Phone: +1-519-635-9413
>> SOBAC Microcomputer Services  http://sobac.com/sobac/
>> Software --- Office & Business Automation --- Consulting
>> GnuPG Fngrprnt:04F7 742B 8F54 C40A E115 26C2 B912 89B0 D2CC E5EA
>> 
>> 
>> 
>> 
> 
> 
> 
> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Ensure confidentiality, authenticity, non-repudiability

iEYEARECAAYFAlbN6/wACgkQuRKJsNLM5epNsgCg3KtmolqY2wRgypAdYaUHHfWC
4FIAoOI14aqB71PTDgNUXl91Kfo2vGEK
=VCH3
-----END PGP SIGNATURE-----