Linux Mint users in hot water for being slow with security updates, running old versions

Automatic updates? 'We have ideas on how to improve this,' says founder


Linux Mint founder Clem Lefebvre has complained that too many users are slow to apply updates or run unsupported versions of the operating system.

Lefebvre used Firefox as an example. Mozilla's browser is frequently updated and has fixes for security vulnerabilities described by the firm as critical, which it defined as "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." The latest such update is dated 5 February 2021 (though it is a Windows-only problem).

"If you're not running the latest version, check which version of Firefox you're using and count the number of critical (red) patches you're missing," he said.

Linux Mint does not collect telemetry from its users, so it instead used Linux Mint traffic to Yahoo! as a sample and inspected the User-Agent string, which the browser sends with every request and which includes the Firefox version. "We were able to observe that only 30 per cent of users updated their web browser in less than a week," he said.
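The measurement described above can be reproduced on any web server's access logs, because the Firefox major version is carried in every User-Agent header. The following is an added example for this page, not Linux Mint's, Yahoo!'s or Mozilla's code: it parses combined-format log lines, looks up when the client's version was superseded, and buckets clients by how long they have been behind. The release-date table and the log lines are constructed for illustration, and the example only filters on a "Linux" token because a Firefox User-Agent does not reliably name the distribution; how Mint distinguished its own users is not stated in the article.

```python
"""Estimate how quickly Firefox users pick up new releases from access logs,
using only the User-Agent header. Added example; the release table and the
log lines below are constructed, not real Mozilla data or real traffic."""
import re
from datetime import date, datetime

# Constructed release table: Firefox major version -> release date.
# Illustrative only; take real dates from Mozilla's release calendar.
RELEASES = {
    83: date(2020, 11, 17),
    84: date(2020, 12, 15),
    85: date(2021, 1, 26),
}

# Combined log format: [dd/Mon/yyyy:hh:mm:ss zone] ... "referer" "user-agent"
LOG_RE = re.compile(r'\[(\d{2}/[A-Za-z]{3}/\d{4})[^\]]*\].*?"([^"]*)"\s*$')
UA_RE = re.compile(r"Firefox/(\d+)")


def parse(line):
    """Return (request_date, firefox_major) for a Linux Firefox hit, else None.
    The UA is self-reported, so spoofed or frozen UAs are counted as-is."""
    m = LOG_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%d/%b/%Y").date()
    ua = m.group(2)
    v = UA_RE.search(ua)
    if not v or "Linux" not in ua:  # assumption: "Linux" token marks the population
        return None
    return when, int(v.group(1))


def newest_on(when):
    """Newest version in RELEASES that had shipped on date `when`."""
    shipped = [v for v, d in RELEASES.items() if d <= when]
    return max(shipped) if shipped else None


def staleness(when, major):
    """Days the client has been running a superseded version at request time.
    0 means it is on the newest release available that day; None means the
    release table does not cover the version (or the date)."""
    newest = newest_on(when)
    if newest is None:
        return None
    if major >= newest:
        return 0
    successor = RELEASES.get(major + 1)
    return (when - successor).days if successor else None


def summarize(lines, within_days=7):
    """Bucket Linux Firefox hits: 'recent' clients are behind by fewer than
    `within_days` days (the update may not have reached them yet); 'stale'
    clients have had at least `within_days` days and have not updated."""
    counts = {"current": 0, "recent": 0, "stale": 0, "unknown": 0}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # not Firefox on Linux, or not a log line
        lag = staleness(*parsed)
        if lag is None:
            counts["unknown"] += 1
        elif lag == 0:
            counts["current"] += 1
        elif lag < within_days:
            counts["recent"] += 1
        else:
            counts["stale"] += 1
    known = counts["current"] + counts["recent"] + counts["stale"]
    counts["stale_share"] = counts["stale"] / known if known else 0.0
    return counts


# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '10.0.0.1 - - [27/Jan/2021:10:15:32 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"',
    '10.0.0.2 - - [27/Jan/2021:11:02:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"',
    '10.0.0.3 - - [03/Feb/2021:09:40:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:84.0) Gecko/20100101 Firefox/84.0"',
    '10.0.0.4 - - [03/Feb/2021:09:41:55 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0"',
    '10.0.0.5 - - [03/Feb/2021:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"',
    '10.0.0.6 - - [03/Feb/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"',
    '10.0.0.7 - - [10/Feb/2021:08:30:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0"',
    '10.0.0.8 - - [10/Feb/2021:08:31:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

On the constructed sample, two of five classifiable clients are more than a week behind. The approach has the same limits as Mint's own figure: it measures requests rather than distinct users, it only sees visitors of one site, and a version older than the release table (the Firefox 60 client here, typical of an end-of-life release) can only be reported as unknown rather than given a precise lag.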

Lefebvre also noted that some users of Mint do not apply updates at all, and that "between 5 per cent and 30 per cent of users run Linux Mint 17 [which] reached end of life in April 2019. In other words, it stopped receiving security patches for almost two years now!"

The exact statistics are uncertain, but appear to have been based on users with the default browser start page and on usage of the Mint APT (Advanced Package Tool) repositories. "It really doesn't matter to us if the real number is 10 per cent or 15 per cent. It needs to be 0 per cent," said Lefebvre. The team is so concerned about these users that they "decided to send an emergency update to upgrade your Firefox."

The Linux Mint update manager includes system snapshots, intended to reassure users that there is a route back

Microsoft, Apple and Google have also wrestled with getting users to update. The approach in most editions of Windows 10, for example, is that updates are compulsory, though they can be deferred. Google's Chrome OS automatically downloads updates and prompts the user to restart to apply them. Compulsory updates would be hard to impose on a free software distribution, but the security case for installing updates is the same.

In the case of Linux Mint, Lefebvre feels that features such as Timeshift, which snapshots the system so that a bad update can be rolled back, should reassure users that it is safe to update. The update manager can also be set to take snapshots automatically.

Why are so many users not upgrading? There are several reasons, and it is not just a simplistic belief that Linux is somehow always secure. "It's naive in itself to assume that all the users yet to upgrade to Linux Mint 20.x are doing so because they are novice or uninformed. There are a plethora of reasons, compatibility and stability being big ones. I haven't done it because of serious issues with video drivers going on between releases 19.x and 20.x versions of Linux Mint," said a user – though this at least is 19.x and not 17.x. Another user said they had an older machine and needed 32-bit Mint, which is not available in version 20.

"I'm gonna be radical (and maybe controversial) here, and say that Microsoft got this right," said another user.

There are pros and cons, said Lefebvre, but updating automatically by default seems a reasonable option since those who dislike it can easily opt out. He promised to return to the topic in a future post and said that the team has "ideas to improve this."

There is no perfect solution. The idea of leaving something alone if it works seems attractive, but in computing it is not safe – especially for internet-connected machines. Equally, automatic updates can break systems or simply make them perform worse over time; keep an Apple iPhone or iPad up to date, for example, and while it probably will not break anything, it does become more sluggish, as this owner of a 2013 iPad Air can confirm. ®

Biting the hand that feeds IT © 1998–2022