Tag Archives: Linux

I land back in Britain jetlagged and wake from a brief sleep to find my phone's news feed flooded with the news that the Linux distro LinuxMint had a bad day at the office: ISO images with backdoors, and the forum and website rooted and modified, with some user data potentially stolen.

The thing with LinuxMint is that it's a great project with high user figures, easy to run, the go-to Linux for the user fed up with Windows, and even I have a couple of Mint laptops. However, it has never been "security first and foremost" in the minds of the tiny release crew.

This post isn't going to attack the team behind Mint. Mint is a great project, and its default build does a lot of things right that other distros get wrong. In the default install it allows you to use whole-disk encryption, and it also allows you to wipe the target disk and encrypt the user home directory, which other distros do not do by default. That's a huge win for users. It's only let down by the default state of the build: it doesn't secure itself down using UFW or basic hardening out of the box, and it lacks the repository awareness that would ensure a proper security patching infrastructure is utilised. Anybody installing Mint who has a clue needs to spend 45 minutes post-build tying it down; once that's achieved, your workstation is pretty damn tight, with one exception. That exception is underlying assured trust.

The packages for LinuxMint and other Ubuntu-derived projects use so much bleeding-edge, community-derived, unsanitised code that it is very much a suck-it-and-see approach, e.g. you wouldn't deploy Mint in a commercial or workplace environment, or anywhere where total data security was an issue. It's a lot more secure than Windows 10, so let's set that straight before we jump into the reasons why you shouldn't be using Mint now on an ongoing basis.

Mint, like many Linux distros before it, is built on love. Its maintainer is an amazing guy who has put heart and soul into his project and worked miracles to get regular releases out the door. It's regularly hailed by my friend Steven J. Vaughan-Nichols as a great distribution. A great distribution for hobbyists. You can't compare, say, Fedora and Mint. Fedora is built on engineering, by major engineering teams in the OSS community meeting at conferences worldwide (but still on a tiny shoestring budget and goodwill). Mint relies on Ubuntu but ignores some of the basic security doctrines that Ubuntu has built in (e.g. root user hardening) and also ignores some of the upstream patching conventions. Makes zero sense, but that's where we're at, and you'd think in 2016 there would be a more common-sense approach to understanding user/sudo segregation and risk avoidance.

The rooting of the website was just daft. Reading the timeline on the website, it looks to have been "handled quickly" and in good order, but the damage to reputation may already have been done. As a community project you never utterly control community-gifted mirrors, but you should have better controls over your portal and your storage of user data.

Already the finger pointing has started. I'm not sure it helps. One thing is for sure: this is a bad day at the office for a project that has given a lot of home Linux users a first taste of Linux. Mint is not a company with infinite resources and engineers; they're trying their best and marching on goodwill. Now is not the time to tar and feather; now is the time to just nod your head and realise that it was a bad day at the office, but one that was a long time in the making.

Nothing wrong with being a hobbyist; that's where so much goodness in the community is derived.

If you want a Cinnamon-flavoured workstation, install Fedora, install Fedy post-install, then install Cinnamon from the command line. Done. Secure and ready to go to work.

Please be under no illusions: this latest podcast is a big deal. It's also a bit of a coup. Tackling difficult topics in Cloud from a vendor-neutral perspective is always hard. This podcast takes one of the most difficult topics, one that can sometimes cause Cloud ambition to stumble, and addresses it as best we can in the short format I bring you weekly.

Nobody likes wondering what's in your average sausage, never mind talking about it. In much the same vein, nobody really likes talking about Cloud and the law. No matter where you are globally, this affects you directly, and it is another reason why you should be listening in to my shows, if you aren't already.

So joining us today is Kuan Hon from Queen Mary University in London. Getting her on a podcast was a dream come true; I've read her papers and her analysis and views on Cloud and law for so long now, and she's a heavyweight who knows her topics inside and out. A qualified attorney in the US and solicitor in the UK, she's taken time out to go and do her PhD, and also to write a great blog, speak at events (including Defcon) and carve out a reputation as the eminent go-to person on everything Cloud and law.

Do take time out to visit her blog and also visit the QMUL Cloud portal to read some of her published papers, which further add credence to her ability and reputation, and also demonstrate why I worked hard to get her on a podcast to talk to you. From the House of Commons to Microsoft, from Forbes to the European Union, Kuan is taken very seriously as a voice of legal common sense and authority. Her papers, both in her own right and as a co-contributor, continue to shape and influence the ability of law to pervade Cloud sensibly and with clarity. You can read selected papers she's written on every aspect of Cloud law and contract law within Cloud by visiting this link.

It has taken walking over broken glass to get this out the door: recorded in the offices of Red Hat in London a month ago, this podcast has been through legal review and internal review at Red Hat to get to release. My public thanks go to Michael Cunningham, Chief Legal Counsel at Red Hat, and to his team, and to David Perry especially for taking time out of his diary to work with me on getting this released.

Remember: This podcast is two geeks talking, it does not constitute in any way any legal advice. You should always consult your attorney or company legal counsel before taking any action that potentially impacts you or your data, your company data or assets at risk by way of contract or exposure. However, at least with this podcast you know where to go to ask the right questions.

Enjoy the podcast, and come back next week for more great content. For now I'm taking a few days off to celebrate with my wife and family the second birthday of our eldest son Christopher, so I'm going to leave you with this podcast and disappear into the ether.

Download the podcast here in MP3 format only

Today you have a real treat: episode 1 of 2 of a podcast that I recorded with Jon Maddog Hall. Jon and I go way back in Open Source, and I made the seven-hour round trip to drive to meet him to record this, and then go on a walk around Cambridge, where we promptly turned into snowmen walking around the campuses of the colleges. A great time with someone I'm very proud to call a friend, and someone who has made such massive changes to the way computing globally is consumed and understood. A lifetime as an educator and as a voice of reason.

Jon is appearing alongside Red Hat's Phil Andrews tonight (12th March) at the University of Birmingham; tickets are available on Eventbrite if you move quickly.

Come back Friday for episode 2 of this release. Enjoy; we had a great time recording it, and this is very different to the stuff Jon would normally record.

Download the podcast here in MP3 format only

Today's podcast is with Robyn Bergeron, who is of course the Community Project Leader of the Fedora Project, the evergreen Linux distribution sponsored by Red Hat.

Last June Robyn and I were in Boston together, and I meant to get her in front of one of my microphones to record a podcast, but it was the last day of Red Hat Summit, people were packing up and getting ready to disappear to all points east and west, and it never happened.

So it was a given that the first opportunity I had to record something with her turned into a forty-five-minute recording, which I've cut down to about 25 minutes or so for this podcast. We talk Fedora of course: releases, release criteria and etiquette, conventions and community. We talk OpenStack, we talk Aeolus and JBoss, and all things technical that make up Fedora's capabilities as part of upstream RHEL.

Listen carefully and you may even hear John Mark Walker from Gluster.org muscle in on the recording. Do of course download and listen, or subscribe via iTunes, Stitcher Internet Radio, Podfeed or via the RSS feed using your client of choice.

Download the podcast here in MP3 format only