Linux Mint Hack Highlights Risk Balance

Following the Linux Mint hacking scandal? Both sides have a point. The answer is not absolute.

Howtogeek.com and TechRepublic.com discuss the situation.  ZDNet.com did an interview with the hacker and a quick guide on how to diagnose and repair your situation if you were hacked.

The essential argument from some is that not doing security updates causes problems. The Mint design team would argue that the DOing automatic updates causes problems. Which cause of problem is worse? In either case, my computer becomes useless until a more skilled person fixes it or helps me fix it. IMHO, this must become a risk management issue.

Per se, I don’t care if I’ve been hacked, upgraded, denied service, crypto-locked, or caught in a well-meaning “hardware upgrade refresh cycle”. If it breaks by ability to do my computer work, it is bad. Which is worse? Risking security hacks on my system or risking that an upgraded package will break my system?

There are extremists. One of the quotes that immediately discredited the writer in my eyes was “There is no reason to not automatically do all security updates. Period!  End of discussion.” That person is smart in their small tech circle but not so wise in a larger scope.

The fact that they are so Linux smart that they can rewrite xorg configuration and multi-remote-user scripts in a minute is irrelevant when a tiny simple configuration change kills my monitor and I don’t know how to fix it. I always dread during updates the infamous, “shall we replace your existing config file with a new one or add to the existing config file?” How the heck should I know?! Clearly there is a choice here: replace or upgrade. As a user, I need guidance.

In the Federal government offices, Windows updates are pushed automatically. Except when they accidentally break workstations. Security against hackers is pointless when we DOS ourselves with failed upgrades!

Consider also who gets to define what is a security update. In many ways, Win 7 automatically upgrading to Win 10 when Microsoft changed it over to “recommended update” status can be considered a security updated. Should that be forced on everybody?

This is a risk management issue that needs discussion not argument. Some installations require defense against external hackers. The Mint developers are defending stability against upgrade risk.