I land back in Britain jetlagged and wake from a brief sleep to find my phone's news feed flooded with the news that the Linux distro LinuxMint had a bad day at the office: ISO images with backdoors, and the forum and website rooted and modified, with some user data potentially stolen.

The thing with LinuxMint is that it's a great project with high user figures and it's easy to run; it's the go-to Linux for the user fed up with Windows, and even I have a couple of Mint laptops. However, it has never been "security first and foremost" in the minds of the tiny release crew.

This post isn't going to attack the team behind Mint. Mint is a great project, and its default build does a lot of things right that other distros get wrong. The default install lets you use whole-disk encryption, and it also lets you wipe the target disk and encrypt the user's home directory, which other distros do not offer by default. That's a huge win for users. It's only let down by the default build not locking itself down out of the box (no UFW, no basic hardening) and by a lack of repository awareness, so a better security patching infrastructure never gets used. Anybody installing Mint who has a clue needs to spend 45 minutes post-build tying it down; once that's done your workstation is pretty damn tight, with one exception. That exception is underlying assured trust.
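Tying a Mint box down starts before the install, with the download itself. What follows is an added example, not the Mint project's own tooling: a POSIX shell script that first verifies a detached GPG signature over the published checksum list and only then checks the one ISO you actually downloaded against that list. The file names (sha256sum.txt and sha256sum.txt.gpg) and the presence of the signing key in your local keyring are assumptions. The point that matters once a website has been rooted: a checksum published on the same page as the ISO proves nothing, because whoever swapped the ISO can swap the checksum. Only the signature, checked against a key you fetched earlier or out of band, carries trust, so an unknown or unverifiable key is treated as a failure, not a warning.

```shell
#!/bin/sh
# Added example, not the Mint project's own tooling. Assumed file names:
# sha256sum.txt (checksum list) and sha256sum.txt.gpg (detached signature).
# The signing key is assumed to be in the local keyring already, fetched
# earlier or out of band, never from the page that serves the ISO.
set -eu

# Verify the detached signature over the checksum list.
# Fails if gpg is missing, the signature is bad, or the key is unknown:
# gpg exits non-zero in all three cases, which is exactly what we want.
verify_signature() {
    sums="$1"; sig="$2"
    gpg --verify "$sig" "$sums" >/dev/null 2>&1
}

# Check one ISO against the list. Only the line naming this ISO is used,
# so extra or stray entries cannot mask a mismatch. A missing entry is an
# error (exit 2) distinct from a mismatch (exit 1).
verify_iso() {
    sums="$1"; iso="$2"
    name=$(basename "$iso")
    # sha256sum lists "<hash>  <name>" or "<hash> *<name>" (binary mode)
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "OK $name"
}

# Usage: sh verify-iso.sh sha256sum.txt sha256sum.txt.gpg linuxmint.iso
# Signature first: an unsigned or badly signed list is not worth reading.
if [ "$#" -eq 3 ]; then
    verify_signature "$1" "$2" || { echo "signature check failed" >&2; exit 1; }
    verify_iso "$1" "$3"
fi
```

Two design points. The awk lookup deliberately matches only the entry for the file you have, rather than running `sha256sum -c` over the whole list, so a list padded with extra names cannot produce a confusing pass/fail mix. And the script never fetches the key for you: if the key arrived from the same compromised site as the ISO, the signature check is theatre.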

The packages for LinuxMint and other Ubuntu-derived projects use so much bleeding-edge, community-derived, unsanitised code that it is very much a suck-it-and-see approach, i.e. you wouldn't deploy Mint in a commercial or workplace environment or anywhere where total data security was an issue. It's a lot more secure than Windows 10, so let's set that straight before we jump into the reasons why you shouldn't be using Mint on an ongoing basis.

Mint, like many Linux distros before it, is built on love. Its maintainer is an amazing guy who has put heart and soul into his project and worked miracles to get regular releases out the door. It's regularly hailed by my friend Stephen J Vaughn Nicholls as a great distribution. A great distribution for hobbyists. You can't compare, say, Fedora and Mint. Fedora is built on engineering, by major engineering teams in the OSS community meeting at conferences worldwide (but still on a tiny shoestring budget and goodwill). Mint relies on Ubuntu but ignores some of the basic security doctrines Ubuntu has built in (e.g. root user hardening) and also ignores some of the upstream patching conventions. That makes zero sense, but that's where we're at, and you'd think that in 2016 there would be a more common-sense approach to user/sudo segregation and risk avoidance.
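An added example, not from this post and not Mint's or Ubuntu's own code, to make "root user hardening" and "user/sudo segregation" concrete. It audits the two things that make up the Ubuntu convention assumed here as the baseline: the root account has no usable password (so root is only reached through sudo, with the caller's own password and an audit trail), and no sudoers rule hands out passwordless privilege. It reads shadow- and sudoers-format files given as arguments, so it can be tried on copies without root and on the sample files constructed in the test.

```shell
#!/bin/sh
# Added example, not from the original post or from Mint/Ubuntu.
# Checks two things: (1) root has no usable password, (2) no sudoers rule
# skips authentication. Files are passed as arguments so the functions can
# run against copies or constructed samples rather than only /etc/shadow.
set -eu

# Root is locked when the password field starts with "!" or "*"
# ("*" is the no-password default, "!" or "!<hash>" is what passwd -l
# produces). An empty field is NOT locked: it means login with no
# password at all. Returns 0 locked, 1 live password, 2 no root line.
root_locked() {
    awk -F: '$1 == "root" { found = 1; pw = $2 }
             END { if (!found) exit 2
                   if (pw ~ /^[!*]/) exit 0
                   exit 1 }' "$1"
}

# Print every sudoers rule that grants privilege without a password:
# NOPASSWD tags and "Defaults !authenticate". Comment lines are skipped so
# a mention in a comment does not count. Returns 1 if any were found.
sudo_nopasswd_rules() {
    awk '/^[[:space:]]*#/ { next }
         /NOPASSWD/ || /^[[:space:]]*Defaults.*!authenticate/ { print; bad = 1 }
         END { if (bad) exit 1
               exit 0 }' "$1"
}

# Run both checks and report. Exits 0 only when root is locked and every
# sudo rule still asks for the caller's password.
audit_privilege_setup() {
    shadow="$1"; sudoers="$2"; status=0
    if root_locked "$shadow"; then
        echo "root: locked, no direct password login"
    else
        echo "root: usable password or missing entry; lock it with 'passwd -l root'" >&2
        status=1
    fi
    if rules=$(sudo_nopasswd_rules "$sudoers"); then
        echo "sudo: every rule requires the caller's password"
    else
        echo "sudo: passwordless rules found, remove or justify them:" >&2
        echo "$rules" >&2
        status=1
    fi
    return "$status"
}

# Usage (needs root to read the real files):
#   sudo sh audit-privilege.sh /etc/shadow /etc/sudoers
if [ "$#" -eq 2 ]; then
    audit_privilege_setup "$1" "$2"
fi
```

The sudoers check takes one file at a time, so on a real system also run it over each file in /etc/sudoers.d, which is where package-installed NOPASSWD rules tend to hide. Reporting the offending lines verbatim, rather than just a yes/no, is deliberate: the person doing the 45 minutes of tying down needs to see exactly which rule to remove.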

The rooting of the website was just daft. Reading the timeline on the website, it looks to have been handled quickly and in good order, but the damage to reputation may already have been done. As a community project you never utterly control community-gifted mirrors, but you should have better controls over your own portal and your storage of user data.

Already the finger pointing has started. I'm not sure it helps. One thing is for sure: this is a bad day at the office for a project that has given a lot of home Linux users their first taste of Linux. Mint is not a company with infinite resources and engineers; they're trying their best and marching on goodwill. Now is not the time to tar and feather. Now is the time to nod your head and realise that it was a bad day at the office, but one that was a long time in the making.

Nothing wrong with being a hobbyist; that's where so much goodness in the community is derived.

If you want a Cinnamon-flavoured workstation, install Fedora, install Fedy post-install, then install Cinnamon from the command line. Done. Secure and ready to go to work.

Heading back to The Moscone Center in San Francisco in just over ten days to record a series of radio shows with some of the leading lights in the security industry. Thanks to Emily and Julie in the Press and PR office at RSA for laying the groundwork.

I will be posting a feed location and other information on each episode here and on Twitter.

Planning 12 shows but we will see what we can get.

One of our friends, one of our team, one wearing a red hat with pride is in the battle of his life and faced yet another huge skirmish today. I've mentioned before we have someone in our midst who is desperately ill with a disease that this week has claimed two famous souls and therefore is on so many radars in the most raw fashion. Except this time for us it's personal. Someone who matters to all of us at Red Hat who has given everything he has for the cause needs some prayers and has our admiration, respect and unconditional affection.

Tonight I would welcome you to point any prayers towards the Northern Lights for a man mountain whose bravery is without peer in my lifetime. Someone who means so much to many people on my friends list, and who is not just a peer but so much more than I can ever be as a human. A father, one of my best friends, an Open Source apostle, a traveller, a journeyman who has helped carve the Red Hat story for over a decade.

As the light faded this evening a group of us who wear the scarlet fedora sent a request, no, a demand, a fervent commanding diktat to whichever idol we individually worship for the heedful and gentle loving care of one of our own.

This will be a long night, a long weekend. This hasn't been a battle, it's been a fucking onslaught; it's not been a scrimmage, it's been a campaign, and now the guns fall silent and we hope for a quiet, uneventful and peaceful armistice that creates a silent place where things start making sense.

Five years ago this week he and I, two mad Englishmen, drove in thick driving snow from Westford, Massachusetts to JC Penney across the state border in Nashua, New Hampshire to look at new iPads and pick up a MacBook for his wife, because that's what you do, risk your life to play with tech toys. The snowdrifts were the size of trucks, we were in a front-wheel-drive rented sedan, not a 4x4 or SUV, and we needed our heads looking at. Later that evening we would drive up into the hills without a GPS and without a clue where we were going, for a team meeting, laughing and probably farting nervously every time the car skidded out. BOTH of our wives were pregnant at home in the UK and Sweden, and with hindsight it was probably dumb, but we survived.

Every minute I've ever spent with him has been a joy, every conversation, every piece of guidance and every laugh delivered in his own inimitable style. Breakfasting with him, whiteboarding stuff we would go on to try and invent with no resources, watching him train and shape the first steps of new starters at Red Hat saw him in his true light. Getting the best out of everyone around him.

So tonight, dear friend, my companion in all things utterly politically incorrect, wrap yourself in all our love; every single drop of it is sent to cosset you as you roll up your sleeves and climb, Queensberry Rules, into the boxing ring for another pugilistic round with the demon that is this horrid disease.

This is for you, because you would laugh like a drain. Also, he's your double!

We adore you. Ding Ding, seconds out, round 10 ....

Over the last month I've read a lot of inane crap posted by security journalists who should know better. I'm specifically addressing the issue around the vulnerability discovered in Juniper's NetScreen devices. Conspiracy theories range from "it's a US agency pretending to mimic Chinese state intelligence" to NSA-influenced or deliberately backdoored code making its way into the release system, bypassing internal QE testing.

I do not know the full story, and nobody ever will, but here's my starter for ten.

Juniper, just like two dozen major US technical vendors providing catalogue items to US Government and Federal Agency / Defense customers (as well as other global government accounts and the private sector, which makes up 70% of their revenues), has grown by acquisition. Not innovation. Acquisition.

Having been a CEO who exited handsomely from his own non-VC-funded startup, I've got some experience here. As a casual investor, VC and journalist I sit and research this stuff to the nth degree and I'm still none the wiser about the rationale behind some "marriages" of technology vendors. There seems to be an expectation from a lot of analysts, who frankly haven't the first clue about where tech comes from and where it is going, and from institutional shareholders, that companies should use warchests of saved revenue to grow their product range by acquiring other companies.

That is, rather than innovating and growing their own products safely and sanely, even if it means a longer R&D curve. Not every acquisition leads to bottom-line success; often a company is acquired for its people, not its product, or for its market position and revenue share rather than its product and people. It's not a precise science, and you can count the number of commercially savvy acquisitions in the network sector where direct, reflected growth has resulted on two hands. Often it's the weak hugging the almost as sickly, or it's the oft-commented overvalued acquisition where the inbound company (and their advisors) run for the hills rubbing both hands as soon as their vesting period is done.

One of the problems with acquisition of technology is that most companies in the EU and the US are utterly clueless as to how to do due diligence. The financial due diligence, and the locking down of commercially sensitive news and key figures, takes precedence. The concept of code escrow, or sanity checking of code and process, is hardly ever adhered to; often there "isn't time". Sadly for Juniper (and other companies) this has cost them, because as well as acquiring brand, market share and position they also acquired a lot of accidentally naive processes, and a company that had gone to market delivering great value and promise that wasn't reflected in its engineering methodology.

In October 2003 Netscreen acquired Neoteris to bolt on a lot of strength and focus around their SSL products; four months later Juniper acquired Netscreen. So you have a company, Netscreen, that can't have onboarded Neoteris and its processes and engineering in key SSL areas by the time it is itself acquired by Juniper. Then you have Juniper trusting the product specialists at Netscreen, where there is already confusion and poor co-working on SSL engineering, to take ownership of core PKI stuff.

Dumb decisions around key management and key generation, cipher strength and release engineering result, because nobody at an engineering level understands the core skills and risks around how you onboard a team, sanitise inherited code and run a QE process. This is allowed to fester and results in a car crash that will eventually happen down the line; it was just a question of when.

Juniper aren't alone, and they're a great company. I could name six major companies, all trading in the US and Israel, five of them on NASDAQ, all six providing goods and services to US Gov and major government accounts, where this lack of intrinsic technical and process management is compressed into forked Linux-based appliances, and where M&A mistakes combine with the loss of key staff who have gone, once vested, over the horizon to do their next startup without anyone back-filling or competency-checking. Worse, there are two of them where GPL v3 code has been backported to GPL v2 to get around licencing issues, which is generating cataclysmic future security issues that, when you add the dumb mistakes made in the M&A process, make you just want to bang your head on a desk.

Do I think the NSA went after Juniper? No. Genuinely, they aren't that silly; the NSA is run and managed by bright folk who are there for a reason. Do I think the NSA and GCHQ in the UK knew about the vulnerability? Sure, I hope so; they hire the brightest and the best for a reason.

Enough poor security journalism. Look at the underlying facts nobody wants to talk about: onboarding and QE failed, and some engineering release managers, probably held to ransom by sales guys, rushed stuff out to hit a revenue cycle. It was always going to happen; the only question was when.