SoylentNews is people
SoylentNews
The Register spotted Ubuntu behaving badly again with respect to users' privacy. In their article "Ubuntu wants to slurp PCs' vital statistics – even location – with new desktop installs: Data harvest notice will be checked by default", they note that in addition to installing popcon and apport by default, Canonical seeks much deeper data mining (without using the word "telemetry"):
[...] "We want to be able to focus our engineering efforts on the things that matter most to our users, and in order to do that we need to get some more data about sort of setups our users have and which software they are running on it," explained Will Cooke, the director of Ubuntu Desktop at Canonical.
[...] Data Canonical seeks "would include" the following: Ubuntu Flavour, Ubuntu Version, Network connectivity or not, CPU family, RAM, Disk(s) size, Screen(s) resolution, GPU vendor and model, OEM Manufacturer, Location (based on the location selection made by the user at install). No IP information would be gathered, Installation duration (time taken), Auto login enabled or not, Disk layout selected, Third party software selected or not, Download updates during install or not, [and] LivePatch enabled or not.
The system plans to leverage the power of the default setting by making the choice opt-out, not opt-in as popcon has been in the past: Cooke explained to the ubuntu-devel audience that "Any user can simply opt out by unchecking the box, which triggers one simple POST stating, 'diagnostics=false'. There will be a corresponding checkbox in the Privacy panel of GNOME Settings to toggle the state of this."
El Reg also noted Ubuntu's plan to address user privacy concerns:
"The Ubuntu privacy policy would be updated to reflect this change."
This seems less egregious than Ubuntu's past invasions of privacy, but much more invasive and Windows 10-like.
(Score: 3, Insightful) by AndyTheAbsurd on Tuesday February 20 2018, @12:52PM (20 children)
It's enough to make a user install Gentoo or Arch Linux (or maybe Linux From Scratch) just to be sure that nothing "extra" is running.
Of course, someone will probably come along and point out something shady that those distros have done, too...
Please note my username before responding. You may have been trolled.
(Score: 2, Interesting) by Anonymous Coward on Tuesday February 20 2018, @01:16PM (3 children)
What about computer name/hostname?
If not, then it looks like less intrusive feedback than Mozilla has been vacuuming up, and most of it looks like data that provides important feedback for usability related issues, a number of which I have discovered recently, especially in newer kernel versions (The biggest being HGST USB 3.0 enclosures hanging due to the uas drive in any kernel after 3.13 or so, and at least some RV8xx series gpus displays getting corrupted/over white with the 4.14 kernel under debian/devuan and the open source 2016 linux-firmware dpkg instead of the proprietary 2017 package.) These sorts of showstopped bugs for some users have been becoming more and more frequent. Worst yet, many of them *ARE* documented online, even in the right bugtrackers, but developers either don't have the devices or ability to reproduce the issues and thus they never get fixed.
FYI, also a gentoo user, but sometimes you need packages installed *NOW*, not in the 15 minutes to 72+ hours it takes to compile the particular package and all its prerequisites :D Devuan is a lot faster to install and update with fewer interdependency issues on average than gentoo as well.
(Score: 2) by Bot on Tuesday February 20 2018, @03:38PM (1 child)
If, as you say, bugs get reported anyway, what's the point of the whole drill.
Back to topic, which bugs are triggered by a different geographical location of the hardware? 1 in 10000000? So why report that?
Account abandoned.
(Score: 1, Informative) by Anonymous Coward on Tuesday February 20 2018, @08:41PM
It is just using the location the user selected when installing. Hardly fine-grained data. While not strictly necessary to collect (excepting for bugs in the installer), the location is used to set the timezone and provide defaults for localisation. And bugs can be related to those settings far more often than your 1 in 10000000.
It would be more appropriate to simple just record the timezone and localisation settings directly. I expect the reason they are collecting it is because they want better data on how much it is used in different countries.
(Score: 5, Insightful) by frojack on Tuesday February 20 2018, @07:34PM
Doubt it.
They said
Yet after decades of promoting linux for older and weaker machines, just about every distro swept 32bit machines into the trash bin, just because an extra compilation run was too much trouble. (I look around my home computer room and see three such 32bit machines that I've been runing linux on for years).
Would they have maintained 32bit distros if they had this telemetry?
It seems to me they ram crap down our throats regardless of what we say, totally ignoring what most users want.
So why give them any more data? They ignore us anyway, why give them a bigger stick to beat us with?
No, you are mistaken. I've always had this sig.
(Score: 2) by melikamp on Tuesday February 20 2018, @05:12PM (15 children)
Indeed, Gentoo & Arch both happily redistribute known closed-source malware to users, without any kind of explanation or warning about its malicious nature:
https://wiki.gentoo.org/wiki/Adobe_Flash
https://wiki.archlinux.org/index.php/browser_plugins#Installation
If that's the attitude, then it only takes a little bit of time for the dev team to connect the dots and realize that distributing their own, open-source, mostly benign, opt-outable spy-ware is not a big deal in comparison. I mean, letting third parties exploit a clueless user without getting anything for yourself is pretty stupid, right?
Without getting political and turning to something like FSF's certification, a pretty good way to spot a turd is by looking at the kernel supplied with a distribution. If it's a stock Linux kernel, with all the spyware blobs, and no warning to users in giant red letters, then the best case scenario, from the users' point of view, is that distro maintainers have their head in the sand, if not some place darker and smellier. The failure to supply a deblobbed kernel is a clear indication that maintainers either
(a) not aware of the spyware - i.e. completely incompetent when it comes to making something that has a modicum of respect for user privacy and security
(b) do not think it's their job to provide a spyware-free kernel - if a user wants a kernel without butt-probing features, they can build their own, because users have nothing better to do than configure, build, and then upgrade the kernel with a custom package
(c) on the same wave-length with adobe's ilk about exploiting the user
Distros like Gentoo, Arch, Slackware are mostly (b), Ubuntu is mostly (c), and poop-on-a-stick aka Tails seems to be (abc), but either way, none of these OSes should be recommended to a non-technical user who just wants their computers to respect privacy or security.
(Score: 2, Informative) by Anonymous Coward on Tuesday February 20 2018, @05:51PM (9 children)
no because you have to install that software it is not part of the distribution my friend.
ive been running arch on desktop and server for 10 years and browser plugins are never installed by the distro, they are only installed by the user.
(Score: 2) by melikamp on Tuesday February 20 2018, @06:18PM (8 children)
Why bother with facts, right? When we can just swim in a pool of semantic bullshit? If there's a package and a maintainer, then it's a part of the distribution: https://www.archlinux.org/packages/extra/x86_64/flashplugin/ [archlinux.org]
And if neither the package nor the distro admit that "malware included", then they must assume (at best) a tech-savvy user who does his own software audit, with respect to spyware inclusion, and is capable enough to hunt for equivalent benign packages and to rebuild the kernel. If you are one of these tech-savvy users, good for you, and there's no reason to get your nickers in a bunch over the fact that from the average user's point of view, your distro of choice is rife with malware, and is unreasonably difficult to fix. Once again, this is not political. If your distro gave as much thought to this issue as Debian, which provides a libre kernel as well as a libre package repository, then I wouldn't list it here.
(Score: 2) by tangomargarine on Tuesday February 20 2018, @07:29PM (7 children)
Okay, I can accept the argument that "the distribution" means "all software in the repos maintained by the company." Although I could also buy "the distribution" as meaning "the ISO that is distributed to you when you download it."
But then you immediately go off the rails and talk about compiling out the offending package, when the parent poster says it's not included in the image. It's too much to ask to do some basic research before installing optional packages?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Interesting) by frojack on Tuesday February 20 2018, @07:49PM (5 children)
Why, Yes, yes it is too much to ask.
You can't do ANY of that stuff till AFTER you install the default installation.
You're going do research and recompile the kernel to leave out all that spyware? On what? Using What software? On what OS?
You are asking the impossible, not the "merely inconvenient".
"Live Distro" you say? Try it some time buddy!
You have to suffer the spyware and the telemetry just to get platform you can trust. The Exact OPPOSITE of what should happen.
No, you are mistaken. I've always had this sig.
(Score: 2) by tangomargarine on Tuesday February 20 2018, @07:59PM (2 children)
I don't understand the frothiness in this conversation. GP is talking about browser plugins, and you two are yelling about kernel modules.
Yes you can perform the default installation without installing Flash.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by tangomargarine on Tuesday February 20 2018, @08:11PM
After rereading this thread several time, this conversation is a version of that one scene in Doctor Who
or
So you guys aren't talking about browser blobs, those were just brought up as an example of what we weren't talking about.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by frojack on Tuesday February 20 2018, @08:12PM
This is a subthread of https://soylentnews.org/comments.pl?noupdate=1&sid=24175&page=1&cid=640732 [soylentnews.org] melikamp's post.
I suggest you read that again. Try reading past the first paragraph this time.
No, you are mistaken. I've always had this sig.
(Score: 2) by tangomargarine on Tuesday February 20 2018, @08:04PM (1 child)
And for the record, I *did* use a wide variety of live distros a handful of years ago. They were all eminently usable until you decided to install, so I'm not sure what point you're trying to make here either.
Well sure, in an ideal world. In the world we live in, you use the untrusted platform just long enough to find the one you can trust, then wipe the former and install the latter. I guess that means you're giving Microsoft hints as to what distro you'll end up using? Ooooh yeah that's a big problem.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @08:42PM
Why does anyone install and configure while connected to the internet?
One can download an iso and extra packages needed and do the install and configuration
of a new system offline. Only when the system is "hardened" should it connect to the internet.
(Score: 3, Interesting) by RS3 on Tuesday February 20 2018, @09:03PM
You both have great points.
Two points / problems for me:
1) If it's 3rd-party stuff, no, we should be wary. But if it's from the distro, yes, it is too much to ask. I've heard good things, and had good experience with X distribution in the past and I want to be able to continue to trust them and not have to dig into each module, library, default config file, etc. Now I don't trust _anything_ from them.
2) Interconnected with my #1 point, I wasn't aware there could be a problem; I didn't know I had to worry.
With Windows, I often (usually) run a packet sniffer (smsniff) when installing something new, or upgrading. It's troubling how much today's software "phones home to mommy" both during installs, and just starting up. I often disconnect from the network during installs. I try to turn off automatic updaters, etc.
But I _expect_ this with all things Windows (and Android). It's sad to see these power, control, and greedy attitudes creeping into Linux distros.
(Score: 4, Insightful) by tangomargarine on Tuesday February 20 2018, @07:33PM
In my experience these demographics are largely mutually exclusive. If you try to complain about your OS spying on you to a nontechnical user, their eyes will glass over and they won't understand what the problem is.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 3, Interesting) by Thexalon on Tuesday February 20 2018, @07:44PM (2 children)
OK, so walk with me through this scenario:
1. User installs an OS and distro. That OS and distro doesn't include anything that could be considered evil. I think we both agree so far, so good.
2. User wants access to a feature that requires something evil. Now, which of the following do you do, if you're the distro maintainer:
A. Provide a package that by default does everything it can to limit the evil in question. Possibly with a nice big warning about how evil it is.
B. Refuse to provide a package, but direct users to rely on potentially risky instructions from random sites on the Internet. Or even worse, "Pipe this random file from the Internet into a root shell".
C. Force users to follow instructions from the maker of the evilware in question. Manufacturers of evilware would never even dream of using their installer to install things the user didn't want.
What's a distro to do? I'd generally see option A as the least evil. And yes, it would be better to have a warning issued when you go to install it, but everyone on here knows that users routinely ignore warnings. And one way I know that is that at least some of the distros I've tried out (currently on Slack, have run Gentoo, LFS, Arch, and several others) included warnings about the Adobe misfeatures, and you just acted like those warnings didn't exist, which probably means you didn't even take any notice of them if you saw them.
Now, I'll grant you that the best option would be to create, fund as needed, and default to a non-evil way of getting that feature, and I'd be glad if something like that existed. But sometimes there isn't one (often for legal reasons), and the user wants to get that feature however they can.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by frojack on Tuesday February 20 2018, @07:53PM (1 child)
You lost me at #1.
You haven't read a single word Melikamp said.
No, you are mistaken. I've always had this sig.
(Score: 2) by Thexalon on Tuesday February 20 2018, @09:20PM
And you're assuming I'm referring to either Red Hat-based stuff, or Ubuntu-based stuff. Some examples of distros that leave that kind of thing out:
- Linux From Scratch. Which, since everything is directly compiled and installed by the user, means it's damned near impossible to include something other than what the user wants.
- Slackware. Which doesn't include Flash, NVidia, and other binary blobs by default.
- ArchLinux. Which also doesn't include Flash by default, but provides you a couple of different packages you can use if you want it. It also provides a bunch of FOSS alternatives that might solve the users' problem.
If you're super-concerned about your personal privacy and the risk of your computer giving away information about your activity, then you'll need to:
1. Review all the code on any software that will be run on your computer to look for backdoors, spyware, and other bad behavior.
2. Build your compiler, making sure to take steps that prevent Ken Thompson's classic compiler-based attack [cmu.edu].
3. Compile all the software you're going to use yourself, following code review.
4. Just to be sure, monitor all network traffic crossing the firewall between your computer and the public Internet.
5. If you're really really serious, you need to add an air-gap, and have a separate unsecure machine to first read through everything that will be going onto your transferable media, and of course be looking at your transferable media with low-level tools to ensure that there's nothing transferring via a hidden channel on your media.
That's the kind of thing the TLAs do when they're trying to maintain the security of their systems. It's a lot of work, and even they screw it up sometimes.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @08:59PM
Can you list a few of the "spyware" included in a "default" Gentoo kernel?
That could help us all better understand the problem.
I agree its a constant battle to keep a linux system usable from a security point of view.
After I do an install, I routinely shut off many "services", uninstall as many bloat packages
as I can, sometimes directly remove executable files because of dependency hell.
For internet connection(s), the best I've come up with so far is to use a customized "live"
distro booted from a USB key with no persistent storage except from time to time when
I insert another USB key to save downloads.
Then when I reboot, I again have a new system until it might get pawned. This does not
guarantee that the system is 100% secure to begin with, but its the best I have come up with.
(Score: 2, Informative) by Anonymous Coward on Tuesday February 20 2018, @01:09PM (15 children)
I remember when Linux was the OS that just did what the user told it and never spied on the user. It was YOUR computer and Linux respected that. (Back in the days of Slackware and early Red Hat)
But that was considered normal and expected behavior then. Even Windows acted that way! (Windows 95, 98, NT)
(Score: 4, Interesting) by janrinok on Tuesday February 20 2018, @01:19PM (6 children)
It still is - the user decides whether to activate this feature or not. This differs significantly from the Microsoft option where it is next to impossible to remove the telemetry feature and, if you do, it will probably get reinstalled at the next update. It would be better to be opt-in rather than opt-out but, if you are capable of installing your own OS, you should be able to deselect the appropriate option at installation time.
(Score: 2, Informative) by Grishnakh on Tuesday February 20 2018, @05:45PM (3 children)
It still is - the user decides whether to activate this feature or not. This differs significantly from the Microsoft option where it is next to impossible to remove the telemetry feature and, if you do, it will probably get reinstalled at the next update.
You still have the option, as a user, to decide whether to activate these features with Microsoft Windows 10. If you don't want these telemetry features, it's very simple: don't install or use Windows 10. No one's physically forcing you to sit at a Windows 10 computer and use it.
(Score: -1, Troll) by Anonymous Coward on Wednesday February 21 2018, @01:38AM
Wow, thanks for the tip, moron.
(Score: 2) by TheGratefulNet on Wednesday February 21 2018, @03:26PM (1 child)
No one's physically forcing you to sit at a Windows 10 computer and use it.
forced to use win10 at work ;(
we use linux for real work, but the corp idiots who know nothing - OF COURSE picked MS for the whole company and so there's no real choice for the employees.
last job we used linux at the desktop and it was great. no MS at all in my working day. now, sadly, they are forcing everyone (even win7) to 'upgrade'. they take people's laptops for half a day, render that employee useless for that time, and then return the pc with that crapware on it.
sometimes, security really is just a word that is used by corps but not at ALL understood. my current company is like that ;(
"It is now safe to switch off your computer."
(Score: 2) by Grishnakh on Wednesday February 21 2018, @03:45PM
forced to use win10 at work ;(
1. No one's physically forcing you to do that job, and preventing you from finding another.
2. At work, you're being paid to put up with bullshit. Dealing with stuff like Win10 and "enterprise software" is part of the job, and what you're being paid for.
3. Perhaps most importantly, if you're working at a company of any real size, there's no telemetry in Windows 10 (which is what this thread was complaining about in the first place). The enterprise edition of Win10 doesn't have it. And even if it did, they're spying on your employer, not you.
last job we used linux at the desktop and it was great.
Should have stuck with that job :-) There are jobs like this, and if more people avoided the Win10 jobs and went for the Linux-only jobs, we'd have some improvement. When a corporate recruiter calls and tries to get you to interview with them, find out what their IT system is running, and when you find out it's Win10, tell them you're not interested in dealing with that, or you expect a very handsome salary bump for it. Maybe they'll eventually learn if enough candidates tell them this.
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:25AM (1 child)
According to the summary, this is not the case. Ubuntu decides to activate this feature, and the user may decide to opt out, when he happens to learn about it three years later.
Until the user touches the checkbox in question, the user has not decided to activate it.
(Score: 2) by janrinok on Wednesday February 21 2018, @12:15PM
If you are installing an OS and don't know what you are doing, perhaps you shouldn't be installing an OS!
You have to select locale, disk configuration and formatting, what packages you wish (server, desktop etc), which environment (MATE, KDE etc) and so on. Yet you think the same person who can make informed decisions on such things cannot decide whether to accept or decline the option to feed some data back to Ubuntu?
(Score: 5, Insightful) by Runaway1956 on Tuesday February 20 2018, @02:50PM (4 children)
Linux isn't collecting your data. Canonical / *buntu is collecting data. People commonly make a similar mistake with telephones. "My phone is spying on me - Android is terrible!" In actuality, Android doesn't spy on you - your phone provider configured the phone to spy on you. Linux is very different from *buntu. *Buntu is a customer of Linux, Linux is not dependent on *buntu.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @10:47PM (1 child)
You're drawing an awfully fine distinction to protect Linux's good name.
The fact that Linux can be and is being configured to spy on you thanks to a very, very popular distribution does sully Linux. Linux is not a "safe" choice.
(Score: 2) by Runaway1956 on Tuesday February 20 2018, @11:14PM
It really isn't that fine a distinction. You go to an auto dealership, buy a car, and drive it home. Over the course of time, you figure out that your car has GPS tracking attached to it. Someone is spying on you. Investigation determines that the dealership equips all cars sold at their lot with GPS tracking devices, so that they can repossess more easily. Do you blame General Motors for that tracking?
Linux isn't configured OOB to spy on anyone. Torvalds offers his kernel, free of charge, with source code, to be configured however people wish to configure it. He encourages the people who own the computer to compile and configure his kernel to their liking. Ubuntu is doing exactly that - they are configuring the kernel and the OS to their liking.
You don't confuse an auto dealership with the auto manufacturer, why are you confusing a distro with the kernel? This isn't Windows, which does actively spy on your computer usage. Nor is it Apple's walled garden. If you don't like something on your computer - change it. Anything and everything can be changed. Unless, of course, you don't own your computer. Ahhh, Ubuntu. Ubuntu has made decisions in the past that suggest that they wish to retain ownership of your computer. So far, the nefarious level has only reached the level of "alarming". That is, we should all be alarmed that Canonical doesn't respect user's rights. Canonical isn't Microsoft, but they would like to be.
No matter what you wish to acquire, always make sure that the sales force isn't trying to screw you over. You can get the same Linux elsewhere, at the same price, WITHOUT any kind of tracking. Choose a better salesman.
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:28AM
Too bad they all use the Google version of Android (If google had a dime for every time they spied on someone, they would be as rich as - well, Google).
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @02:05PM
"Android" may not spy on me, but Google, via GApps and other very tightly connected apps does. I think confusing the two is fair for most purposes, in the same way that if IE6 was spying on Internet use in 1998, it would be fair for people to say "Windows is spying on my Internet use". Actually, it's more fair. The main Android OS distros, as promoted by the phone companies, includes GApps as a selling point and most people aren't even aware there is an alternative to the Google Play Store. At least in 1998, most people knews there were other browsers available and were easy to install.
(Score: 4, Informative) by Arik on Tuesday February 20 2018, @06:28PM
Those days are now.
http://slackware.com/
If laughter is the best medicine, who are the best doctors?
(Score: 2) by FatPhil on Wednesday February 21 2018, @10:34AM (1 child)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @12:42PM
I have been using Linux since 1995.
I understand all the pitfalls.
The endless fragmentation of Linux distributions and policy changes within them means someone who just wants an OS they can trust and trust to just work is not a simple task.
Your dismissive attitude of others who aren't experts is part of the "Linux" problem. But, it has ALWAYS been this way. Nothing changes, and this is why Linux is forever an OS suitable only to run servers, maintained by people who do this for a living.
(Score: 5, Insightful) by The Mighty Buzzard on Tuesday February 20 2018, @01:13PM (5 children)
And how, pray tell, do they plan on transmitting the "not" back to themselves?
My rights don't end where your fear begins.
(Score: 2) by janrinok on Tuesday February 20 2018, @01:20PM (1 child)
(Score: 2) by Spamalope on Tuesday February 20 2018, @02:07PM
or Windows/Facebook like install opted in, slurp and cache the data they'd like to take and then send that based on the 'opt in' at install whether the user opts out before the first network connect or not.
(Score: 2) by KritonK on Tuesday February 20 2018, @02:53PM
This is probably an excuse to stop supporting installations that are not connected to the network and cannot be spied upon. (100% of the surveyed machines had network connectivity, therefore...)
(Score: 3, Interesting) by Bot on Tuesday February 20 2018, @03:43PM
To nitpick, that is "Data Canonical seeks" not "Data Canonical gets reported back", so the absence of network connectivity can be desumed or reported when connectivity resumes.
Canonical is getting too canonical for my tastes.
Account abandoned.
(Score: 3, Funny) by cmdrklarg on Tuesday February 20 2018, @07:50PM
Smoke signals. Hopefully not too much magic smoke is needed.
The world is full of kings and queens who blind your eyes and steal your dreams.
(Score: 5, Interesting) by janrinok on Tuesday February 20 2018, @01:14PM (13 children)
As the only thing to do to prevent this is untick one box at installation time then I think that I can cope with that. I'd prefer that it were opt-in rather than opt-out, but I'm not going to get excited. I'd also want the data that is sent to be in a format that is easily readable - not encrypted or obfuscated which will only create distrust.
Most of the data is available to Ubuntu at the time of installation - CPU, GPU, hardware etc. And at the time of installation it is hardly likely to contain any information that I would consider private. The location is based upon your timezone, and if that is as close as it gets then it hardly compromises my identity. It might narrow it down to a country, but that doesn't worry me. Third party software installation? Well, I'd be pleased if they would notice that I always install Pale Moon, and if they would let me do that instead of Firefox or Chromium I would be delighted. And letting me install my VPN at installation time would also be nice too, but it isn't too much effort to add it later.
There again, I have always opted in to popcorn (which, for those who do not know, simply lets Ubuntu know which packages/programs you install.) This seems to me to be a sensible thing to do - there is no point in putting effort into supporting a program that nobody uses, and allows the devs the ability to concentrate on those things that the users find important/useful.
Sure, if they start wanting to collect every URL that I access, or recording username/passwords, then I will certainly object loudly, strongly and with my feet. But I am prepared to wait and see.
(Score: 1, Interesting) by Anonymous Coward on Tuesday February 20 2018, @01:22PM (2 children)
But certainly would like the application itself to be easily straced/run in debug mode/open source with verifiable build binaries so it can be clear what is being sent.
Having the data sent in plaintext with current 5 eyes surveillance is actually MORE damaging than sending this information to Ubuntu itself, since in the former they also get your IP address and related details for free and are in a far better position to leverage other intelligence to identify the system running Ubuntu directly, based on your probable credit card purchase of the hardware, name on the ISP bill, census data on your family, etc.
(Score: 2) by Spamalope on Tuesday February 20 2018, @02:15PM
And this will let them tie MAC address and any other processor/hardware serial numbers to an individual as well. Say goodbye to an anonymous free press as long as total surveillance prevails.
So far poisoning the well with addition false information to slurp seems to be the only counter tactic for the data vacuum cleaners.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @02:28PM
Most of what they're asking to collect looks benign to me. Even location, isn't that only accurate to the closest timezone? But still, I'd prefer if it's simply not sent, regardless of encryption.
If encrypted, then how can we trust it's sending what it says it's sending? Maybe this argument applies more to the MS-style closed-source slurping, since in theory, one can read the source code of what Ubuntu is trying to do - hopefully this is available. But even so, how many people will actually do this?
If not encrypted, then as pointed out others in the position to intercept that data can also consume it.
I expect it's probably easier to send poisoned data as well if it's not encrypted, or if the source code of the telemetry programs are available. Is the stuff digitally signed when transmitted, in a trustworthy manner to the collector, so the collector knows it's not fake?
The only paranioc solution is to not allow such data to be sent regardless of method. I suppose data poisoning is also an option for those upset enough and so inclined.
(Score: 2) by Bot on Tuesday February 20 2018, @03:46PM (2 children)
> I have always opted in to popcorn
damn autocorrect, I guess you have never said no to popcorn anyway.
For those interested in googling, it's "popcon" POPularity CONtest, a debian thing which ubuntu and others use too.
Account abandoned.
(Score: 2) by janrinok on Tuesday February 20 2018, @03:53PM
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:31AM
So, con as in con man?
(Score: 5, Interesting) by requerdanos on Tuesday February 20 2018, @04:36PM
Not quite simply that. popcon also reports what programs you run and approximately how often by checking the atime on the binaries.
Quoting popcon's official site [debian.org]:
I, too, choose to run popcon on several machines, but when someone chooses to do so, it's better if they know what's in the report rather than thinking that it's simply a sterile report of installed packages. popcon reports the usage stats in order to track what gets run the most frequently. Nothing nefarious, but not "just a list" either.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @06:04PM (1 child)
if it's a check box during install then this doesn't fit the normal params of opt in/opt out and is largely click bait/fud. normally, when people say "opt out" they mean you do something without asking them then they have to go find it and unset it once they find out you did it. big difference.
now, if canonical didn't learn their lesson from last time about not using tls to transmit this data then some moron should be fired. They're just too fucking stupid to have a job. also, if they haven't automated apport then that annoying SOB needs to be opt in, not opt out. regular ubuntu users don't want to learn all about bug reporting, FFS. report the bug yourself with permission, using encryption or leave the user alone.
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:35AM
If it's already checked then it absolutely is opt out.
It's the same kind of opt out that get your grandmothers Firefox replaced with Chrome every time her bank requires that she updates Java.
- Which makes Ubuntu just as much malware as Java - both install unauthorized software. Not doing anything is not authorization, so as long as the user doesn't touch the checkbox, there can be no authorization and thus the checkbox being checked by default results in the installation of unauthorized software.
(Score: 3, Insightful) by NotSanguine on Tuesday February 20 2018, @09:08PM (2 children)
There. FTFY.
Opting out isn't the only thing. It's been my experience that voting with your feet/wallet is one of the more effective ways to limit that kind of crap.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by digitalaudiorock on Tuesday February 20 2018, @09:52PM (1 child)
Amen to that. I think Canonical is taking a cue from Redhat, who clearly believes they're powerful enough to turn Linux into their Windows with the whole systemd cluster-fuck. Opt-out? Yea, they clearly think they've got the clout to act like MS. Vote with your feet indeed...tell them to go fuck themselves. I'm using all Gentoo here, and my company moved from CentOS 6 to Devuan. These scumbags will only take your Linux away if you let them.
(Score: 2) by janrinok on Wednesday February 21 2018, @12:20PM
Perhaps, like Redhat, you are not the person Ubuntu is aiming their distro at?
(Score: 2) by FatPhil on Wednesday February 21 2018, @10:40AM
The tickbox that you should selecting should appear before installation time, before even download time.
[ ] I wish to run a distro which has insane defaults that I need to opt out of, and may not even know about.
[ ] I wish to run a distro which has sane defauls
Pick wisely.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 4, Insightful) by Hyperturtle on Tuesday February 20 2018, @02:37PM (2 children)
They are supposed to update the policy BEFORE MAKING CHANGES TO THE PRODUCT and reference the changes are coming soon.
Having the info there prior to making the change lets a user know what is being agreed to! They can even post it the very moment the new version and updates become available -- so that anyone interested can find out what they are actually agreeing to.
Further, I should not have to go on-line to visit the policy for the first install. Include this on the distribution. It is a text file. It is not large and numerous copies of everything ever stated as policy that one could agree to can be stored locally -- with references to go on-line for updated info. None of that crap about it changes and local storage is hard; if you introduce code into a new install that changes the policy, then force that privacy info up on the user when those updates go in.
Having an outdated privacy policy is almost as bad as having no policy at all! Promising to update it comes across as a "oh man we better do this even though we put 100% of our efforts into making the exploitation as seamless as possible based on seeing the success and limited user pushback with other operating systems because personalized tracking benefits users because ads!"
Sometimes, people choose an alternate because it's not the same as the others, you know? People are not choosing to install Ubutuntu to get more of the worst aspects of the other options!
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @09:49AM (1 child)
Having a privacy policy is like having a policy for whose pussy you grab without consent (a privacy policy is written by the perpetrator, and thus can not give any form of consent). It never includes a list of information they will NOT steal (that list would be ~infinite).
So, how is having an outdated one better (almost as bad) as not having one? Is forgetting to update your policy grabbing policy from blondes to brunettes "almost as bad" as not grabbing pussy at all?
(Score: 2) by Hyperturtle on Thursday February 22 2018, @12:17AM
Well, in that context, it's like your prenup changed when she started dating a lawyer, and based on his advice, she didn't tell you of the changes. But, she posted the pictures of you for everyone to see since you'd agreed to the changes because you didn't say no, then sent you the bill for the bandwidth used while profiting from the ads alongside the photos as the site mined monero going to her lawyer's account.
It is best to opt out of that before it happens, not get opted in. Having the old policy as the only one you know about puts you into a compromised position because you don't know there's a problem with a new policy not made available to you... at least not until its too late.
(Score: 2, Interesting) by whatevs on Tuesday February 20 2018, @02:57PM (12 children)
I carefully read through the explanation before making my typical knee-jerk reaction, and I'm glad I did. I can understand why they would want to do this, and why they would want to make it the default action. And I fully support them in choosing to do this with their distribution. It's not the direction I would take it if it were mine, but I see what they're trying to accomplish, and their motives don't seem nefarious. I assume they understand the law of unintended consequences, and they still felt it was worth doing, and I support that.
I'm also not going to use Ubuntu anymore. Combined with other decisions they have made over the years, they're just not the distribution for me anymore, and that's okay. I'm just not their target user, nor are the people whose computers I maintain.
Back when I switched from Gentoo to Ubuntu (back when Ubuntu thought nudity was appropriate in the artwork for their distribution) I did it because of the wide range of available packages and being able to install them right away. It turns out, I don't actually need any more than what Debian is able to provide. I don't fully agree with the decisions Debian has made, so I'm not going to use their distribution, either. But Devuan has been working well since the beta, even for the few Steam games I play, so I'm going to keep using that and putting that on family members' machines. I've been using that since before 1.0 at home and work. I do spin up Ubuntu VMs for testing, which is unfortunate, as I have to make sure my stuff is still compatible, but I definitely don't use them for day to stuff anymore.
Who knows what direction Ubuntu will take in the future, but unless the new distro makes similar choices, I don't imagine I'll be going back.
(Score: 2) by Gaaark on Tuesday February 20 2018, @03:33PM (8 children)
I stopped using ubuntu mainly because it seemed to get slower and slower. The same with plain debian (though not as bad as ubuntu).
I switched to Arch (Manjaro) because of speed, but then learned they switched to systemd.
If i had the time and a faster/better machine i'd try distro hopping in a VM, but that's not really an option right now.
I think i'm going to try void and gentoo (used gentoo for a while, but kind of opted out when the whole shit-stain happened with (Daniel??) the lead developer being tossed and the upheaval....).
I dunno: void, gentoo, calculate, maybe some others. But damn, Manjaro is sooooooo nice: except systemd.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @03:49PM (2 children)
You could look at nosh, http://jdebp.eu/Softwares/nosh/, [jdebp.eu] it's able to convert systemd unit files to it's own style and provides shims to allow usage of sysv, bsd or systemd syntax to manage services. It also seems to have a superset of functionality while not making the most egregious errors in design found in systemd and without the mission creap.
(Score: 2) by Bot on Tuesday February 20 2018, @03:57PM (1 child)
nosh sherlock, interesting- remove the , from the link to get to its homepage.
Account abandoned.
(Score: 2) by The Mighty Buzzard on Tuesday February 20 2018, @08:49PM
Damnit, stop finding bugs already, you bastards.
My rights don't end where your fear begins.
(Score: 3, Informative) by Bot on Tuesday February 20 2018, @03:50PM
antix mxlinux, you still get .debs and systemd optional
Account abandoned.
(Score: 1, Interesting) by Anonymous Coward on Tuesday February 20 2018, @04:23PM
For desktops, I use PCLinuxOS, no systemd, and, on the whole, it just works™..
For servers, *BSDs I'm afraid (migrated from the last systemd-free Debian distro).
Firewall, I'm conflicted, I've a seriously 'fucked with' PCLinuxOS box doing the job at present (only the base packages, development and kernel are from the distro, the rest are compiled from source and local hackery) which is either going to be replaced with a Devuan box (the easy option) or another *BSD one.
(Score: 2) by Azuma Hazuki on Tuesday February 20 2018, @08:48PM (1 child)
Definitely try Void. It's like the lovechild of FreeBSD and Arch in all the good ways. I've been using it for a while and recently wrote a journal entry on it even.
I am "that girl" your mother warned you about...
(Score: 2) by Gaaark on Tuesday February 20 2018, @09:36PM
That's where i got it from :)
Yeah, looks really interesting: looks like what i like about arch but no systemd....
Is it flawless?
That's one reason i'm still with Manjaro (plus no time to hop around): it. is. flawless for me.
I am finding it hard to look elsewhere, at least until i have time.
Might have to try to see if i can get it into a vm, even if it runs sloooowly, just to see how it is.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by FatPhil on Wednesday February 21 2018, @10:53AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by requerdanos on Tuesday February 20 2018, @04:37PM (2 children)
I assumed this for a long time, but their nutty responses to the Amazon-search-lens issue absolved me of that notion in a heartbeat.
They have utterly no concept of said law.
(Score: 2) by tangomargarine on Tuesday February 20 2018, @07:20PM (1 child)
I think the word you're looking for is "disabused." "Absolved" would seem to say that the search lens thing was *your* fault somehow.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by requerdanos on Tuesday February 20 2018, @10:28PM
That's a more apt word choice, but it's a little more nuanced: The absolution would be not of blame for the lens thing, but of my guilt at naively believing that Ubuntu had a general do-the-right-thing mentality with a backup plan of make-it-right-without-being-forced-to-do-so, and thus recommending that folks try Ubuntu when I now would not do that. No, the fiasco didn't absolve me of that, and I hereby pledge to choose better words in the future as a general mentality. Thank you.
(Score: 2) by jmorris on Tuesday February 20 2018, @03:58PM (4 children)
If it is like Fedora's old attempt with smolt or Debian's popcon there isn't an issue here. The problem is the nutters obsessing over privacy to the point it is creating anti-information. What hardware is most used? Really important information when deciding what to buy, what to expend development effort into, etc. But because of the nutters that information is intentionally suppressed.
We demand 100% Free Software and at the same time put unreasonable demands on the people providing it. Then most of the same nutters give Zuckersperg and Jack every last intimate detail of their life.
(Score: 3, Interesting) by requerdanos on Tuesday February 20 2018, @04:44PM
Debian's popcon is off by default, and not by accident: Someone doing the equivalent of clicking next next next through a portion of the install won't actually turn on a potentially compromising feature by accident that way. And since Debian and derivatives are intended for use in many situations, some very sensitive, this is a good thing from a security standpoint.
Ubuntu proposes here specifically to change their port of popcon to be on by default, as well as turning the rest of it on by default.
So, sort of like it, in that popcon is involved, sort of not like it, in that the Debian developers have a privacy goal (and clue) not shared by those of Ubuntu.
(Score: 1) by tftp on Tuesday February 20 2018, @05:35PM (2 children)
It's not a useful information. There are many reasons why people run Linux on an old PC. It absolutely does not mean that Ubuntu should pay special attention to old PCs. Ubuntu should pay attention to features that people directly ask for - like removal of spying features or, perhaps, replacing Unity with something familiar. But I fear that financing of Ubuntu is based on commercialization of the distribution.
(Score: 3, Interesting) by jmorris on Tuesday February 20 2018, @05:47PM (1 child)
Don't be retarded. You don't run things based on the few who yell loudest. That is like thinking the callers to a radio talk show are reflective of the listeners. We don't make public policy based on the few morons with the free time to stand out on the street waving signs. It would be really good to know whether the irritating asshole who is yelling on the bug tracker and mailing list is the only known user of a piece of hardware or if 5% of the current user base is impacted. Bug fixing is a matter allocating finite resources. Likewise, as a user I'd like to know that 5% have that specific item since odds are any problems would be quickly addressed.
(Score: 3, Insightful) by requerdanos on Tuesday February 20 2018, @10:29PM
This whole effort is based on that idea.
(Score: 5, Informative) by requerdanos on Tuesday February 20 2018, @04:40PM (3 children)
I submitted this story, and wrote this headline, which was posted (after eds corrected the grammar--thanks) pretty much as-is, but it's misleading--making users opt-out is only in the proposal on ubuntu-devel, and not in any shipping version of Ubuntu. This is their plan for the future, not something they are doing.
I regret the miscommunication.
(Score: 0) by Anonymous Coward on Tuesday February 20 2018, @06:51PM (1 child)
So what is the actual situation right now? Is it on by default with no easy way to opt-out or off by default?
(Score: 4, Informative) by requerdanos on Tuesday February 20 2018, @10:42PM
No, It doesn't exist yet; it is being loosely planned by the Ubuntu Desktop Team for future releases of Ubuntu.
Earlier this month, Will Cooke, who works on that team, posted to the developers the following:
Here's a link to his post: https://lists.ubuntu.com/archives/ubuntu-devel/2018-February/040139.html [ubuntu.com]
The TLDR is in bold, above.
(Score: 0) by Anonymous Coward on Wednesday February 21 2018, @10:15AM
It's not really misleading if that post wasn't followed up with a post a couple of minutes later from a manager asking who came up with this stupid idea, and would said persons please get their asses to his office asap, as should have happened in any business that cares about privacy.
Yes, normally such a post would be kept in private, but in this case the idea is already public and damaging Ubuntus image, so keeping the rejection private would allow the damage to continue.
(Score: 2) by Subsentient on Tuesday February 20 2018, @05:09PM
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 2) by urza9814 on Tuesday February 20 2018, @05:44PM
Sounds like El Reg is just full of it, yet again. Because what they've described isn't location data, it's just timezone data. And that's pretty much their whole headline. So the entire core of their scaremongering is just a complete and total fabrication.
I mean I'm not a huge fan of Ubuntu collecting this data, but I see nothing really identifiable in there. It's just measuring what defaults you install with. It's not going to be unique, it's not going to be identifiable. If they're doing their jobs right, most responses will come back identical. Might be nice if they could just ask the users, although that's likely to return skewed results, so I can understand why they'd want to go this route instead. As long as the opt in/out screen is sufficiently clear about what's going on, I see no problem here.