SoylentNews is people

posted by mrpg on Tuesday February 20 2018, @12:38PM
from the fool-me-once... dept.

The Register spotted Ubuntu behaving badly again with respect to users' privacy. In their article "Ubuntu wants to slurp PCs' vital statistics – even location – with new desktop installs: Data harvest notice will be checked by default", they note that in addition to installing popcon and apport by default, Canonical seeks much deeper data mining (without using the word "telemetry"):

[...] "We want to be able to focus our engineering efforts on the things that matter most to our users, and in order to do that we need to get some more data about sort of setups our users have and which software they are running on it," explained Will Cooke, the director of Ubuntu Desktop at Canonical.

[...] Data Canonical seeks "would include" the following: Ubuntu Flavour, Ubuntu Version, Network connectivity or not, CPU family, RAM, Disk(s) size, Screen(s) resolution, GPU vendor and model, OEM Manufacturer, Location (based on the location selection made by the user at install). No IP information would be gathered, Installation duration (time taken), Auto login enabled or not, Disk layout selected, Third party software selected or not, Download updates during install or not, [and] LivePatch enabled or not.

The system plans to leverage the power of the default setting by making the choice opt-out, not opt-in as popcon has been in the past: Cooke explained to the ubuntu-devel audience that "Any user can simply opt out by unchecking the box, which triggers one simple POST stating, 'diagnostics=false'. There will be a corresponding checkbox in the Privacy panel of GNOME Settings to toggle the state of this."

El Reg also noted Ubuntu's plan to address user privacy concerns:

"The Ubuntu privacy policy would be updated to reflect this change."

This seems less egregious than Ubuntu's past invasions of privacy, but much more invasive and Windows 10-like.
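As an added illustration (not code from the story, The Register, or Canonical), here is a small Python audit that checks a telemetry report body against the field list quoted above and recognises the "diagnostics=false" opt-out POST; the JSON field names and the sample bodies are assumptions constructed for this example.

```python
import ipaddress
import json
import re
from urllib.parse import parse_qs

# Assumed JSON field names (constructed for this example; the story does not
# describe Canonical's real report format). They mirror the data the story
# says the report "would include".
DECLARED_FIELDS = {
    "flavour", "version", "network", "cpu_family", "ram_mb", "disk_sizes_gb",
    "screen_resolutions", "gpu", "oem", "location", "install_seconds",
    "auto_login", "disk_layout", "third_party_software", "download_updates",
    "livepatch",
}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")


def audit_report(body: str) -> list:
    """Return findings for a JSON report body; [] means it matches the stated
    policy: only declared fields and no IP/MAC-looking values anywhere."""
    findings = []
    for key, value in json.loads(body).items():
        if key not in DECLARED_FIELDS:
            findings.append(f"undeclared field: {key}")
        text = json.dumps(value)  # scan nested values as serialised text
        for candidate in IPV4_RE.findall(text):
            try:
                ipaddress.ip_address(candidate)  # drop 999.1.1.1-style noise
            except ValueError:
                continue
            findings.append(f"IP address in {key}: {candidate}")
        if MAC_RE.search(text):
            findings.append(f"MAC address in {key}")
    return findings


def is_opt_out(form_body: str) -> bool:
    """True if a form-encoded body is the 'diagnostics=false' opt-out POST."""
    return parse_qs(form_body).get("diagnostics") == ["false"]


# Constructed sample bodies, not captured from a real installation.
CLEAN_REPORT = json.dumps({
    "flavour": "Ubuntu", "version": "18.04", "network": True,
    "cpu_family": "x86_64", "ram_mb": 8192, "disk_sizes_gb": [256],
    "screen_resolutions": ["1920x1080"], "gpu": "Example GPU",
    "oem": "Example OEM", "location": "Europe/Berlin", "install_seconds": 540,
    "auto_login": False, "disk_layout": "lvm", "third_party_software": False,
    "download_updates": True, "livepatch": False,
})
LEAKY_REPORT = json.dumps({
    "flavour": "Ubuntu", "version": "18.04",
    "location": "Europe/Berlin (198.51.100.7)",  # IP smuggled into a value
    "hostname": "alice-laptop",                  # never declared
})
```

Run `audit_report()` over a body captured from a test install (for example, via a local proxy) to see whether what is actually sent matches what was promised.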
  • (Score: 2) by melikamp on Tuesday February 20 2018, @05:12PM (15 children)

    by melikamp (1886) on Tuesday February 20 2018, @05:12PM (#640732) Journal

    Indeed, Gentoo & Arch both happily redistribute known closed-source malware to users, without any kind of explanation or warning about its malicious nature:

    https://wiki.gentoo.org/wiki/Adobe_Flash

    https://wiki.archlinux.org/index.php/browser_plugins#Installation

    If that's the attitude, then it only takes a little bit of time for the dev team to connect the dots and realize that distributing their own, open-source, mostly benign, opt-outable spy-ware is not a big deal in comparison. I mean, letting third parties exploit a clueless user without getting anything for yourself is pretty stupid, right?

    Without getting political and turning to something like FSF's certification, a pretty good way to spot a turd is by looking at the kernel supplied with a distribution. If it's a stock Linux kernel, with all the spyware blobs, and no warning to users in giant red letters, then the best case scenario, from the users' point of view, is that distro maintainers have their head in the sand, if not some place darker and smellier. The failure to supply a deblobbed kernel is a clear indication that maintainers either

    (a) not aware of the spyware - i.e. completely incompetent when it comes to making something that has a modicum of respect for user privacy and security

    (b) do not think it's their job to provide a spyware-free kernel - if a user wants a kernel without butt-probing features, they can build their own, because users have nothing better to do than configure, build, and then upgrade the kernel with a custom package

    (c) on the same wave-length with adobe's ilk about exploiting the user

    Distros like Gentoo, Arch, Slackware are mostly (b), Ubuntu is mostly (c), and poop-on-a-stick aka Tails seems to be (abc), but either way, none of these OSes should be recommended to a non-technical user who just wants their computers to respect privacy or security.

  • (Score: 2, Informative) by Anonymous Coward on Tuesday February 20 2018, @05:51PM (9 children)

    by Anonymous Coward on Tuesday February 20 2018, @05:51PM (#640752)

    No, because you have to install that software; it is not part of the distribution, my friend.
    I've been running Arch on desktop and server for 10 years, and browser plugins are never installed by the distro; they are only installed by the user.

    • (Score: 2) by melikamp on Tuesday February 20 2018, @06:18PM (8 children)

      by melikamp (1886) on Tuesday February 20 2018, @06:18PM (#640763) Journal

      because you have to install that software it is not part of the distribution

      Why bother with facts, right? When we can just swim in a pool of semantic bullshit? If there's a package and a maintainer, then it's a part of the distribution: https://www.archlinux.org/packages/extra/x86_64/flashplugin/ [archlinux.org]

      And if neither the package nor the distro admit that "malware included", then they must assume (at best) a tech-savvy user who does his own software audit, with respect to spyware inclusion, and is capable enough to hunt for equivalent benign packages and to rebuild the kernel. If you are one of these tech-savvy users, good for you, and there's no reason to get your knickers in a bunch over the fact that from the average user's point of view, your distro of choice is rife with malware, and is unreasonably difficult to fix. Once again, this is not political. If your distro gave as much thought to this issue as Debian, which provides a libre kernel as well as a libre package repository, then I wouldn't list it here.

      • (Score: 2) by tangomargarine on Tuesday February 20 2018, @07:29PM (7 children)

        by tangomargarine (667) on Tuesday February 20 2018, @07:29PM (#640786)

        Why bother with facts, right? When we can just swim in a pool of semantic bullshit? If there's a package and a maintainer, then it's a part of the distribution: https://www.archlinux.org/packages/extra/x86_64/flashplugin/ [archlinux.org]

        Okay, I can accept the argument that "the distribution" means "all software in the repos maintained by the company." Although I could also buy "the distribution" as meaning "the ISO that is distributed to you when you download it."

        And if neither the package nor the distro admit that "malware included", then they must assume (at best) a tech-savvy user who does his own software audit, with respect to spyware inclusion, and is capable enough to hunt for equivalent benign packages and to rebuild the kernel.

        But then you immediately go off the rails and talk about compiling out the offending package, when the parent poster says it's not included in the image. It's too much to ask to do some basic research before installing optional packages?

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
        • (Score: 3, Interesting) by frojack on Tuesday February 20 2018, @07:49PM (5 children)

          by frojack (1554) on Tuesday February 20 2018, @07:49PM (#640801) Journal

          It's too much to ask to do some basic research before installing optional packages?

          Why, Yes, yes it is too much to ask.

          You can't do ANY of that stuff till AFTER you install the default installation.

          You're going to do research and recompile the kernel to leave out all that spyware? On what? Using what software? On what OS?
          You are asking the impossible, not the "merely inconvenient".

          "Live Distro" you say? Try it some time buddy!

          You have to suffer the spyware and the telemetry just to get a platform you can trust. The Exact OPPOSITE of what should happen.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 2) by tangomargarine on Tuesday February 20 2018, @07:59PM (2 children)

            by tangomargarine (667) on Tuesday February 20 2018, @07:59PM (#640806)

            I don't understand the frothiness in this conversation. GP is talking about browser plugins, and you two are yelling about kernel modules.

            Yes you can perform the default installation without installing Flash.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 2) by tangomargarine on Tuesday February 20 2018, @08:11PM

              by tangomargarine (667) on Tuesday February 20 2018, @08:11PM (#640813)

              After rereading this thread several times, this conversation is a version of that one scene in Doctor Who:

              The Doctor: Completely drained. Look at her!
              Amy: Wait, so we’re in a tiny bubble universe sticking to the side of the bigger bubble universe?
              The Doctor: Yeah. No! But if it helps, yes.

              or

              The Doctor: Not the same. Two ships, two worlds. Two cars parked in the same space. There are lots of different universes nested inside each other. Now and again they collide and you can step from one to the other.
              Amy: Okay. I think I understand.
              The Doctor: Good. ‘Cause it’s not like that at all, but if that helps…

              So you guys aren't talking about browser blobs, those were just brought up as an example of what we weren't talking about.

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 2) by frojack on Tuesday February 20 2018, @08:12PM

              by frojack (1554) on Tuesday February 20 2018, @08:12PM (#640814) Journal

              This is a subthread of https://soylentnews.org/comments.pl?noupdate=1&sid=24175&page=1&cid=640732 [soylentnews.org] melikamp's post.
              I suggest you read that again. Try reading past the first paragraph this time.

              --
              No, you are mistaken. I've always had this sig.
          • (Score: 2) by tangomargarine on Tuesday February 20 2018, @08:04PM (1 child)

            by tangomargarine (667) on Tuesday February 20 2018, @08:04PM (#640809)

            "Live Distro" you say? Try it some time buddy!

            And for the record, I *did* use a wide variety of live distros a handful of years ago. They were all eminently usable until you decided to install, so I'm not sure what point you're trying to make here either.

            You have to suffer the spyware and the telemetry just to get platform you can trust. The Exact OPPOSITE of what should happen.

            Well sure, in an ideal world. In the world we live in, you use the untrusted platform just long enough to find the one you can trust, then wipe the former and install the latter. I guess that means you're giving Microsoft hints as to what distro you'll end up using? Ooooh yeah that's a big problem.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
            • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @08:42PM

              by Anonymous Coward on Tuesday February 20 2018, @08:42PM (#640826)

              Why does anyone install and configure while connected to the internet?

              One can download an iso and extra packages needed and do the install and configuration
              of a new system offline. Only when the system is "hardened" should it connect to the internet.

        • (Score: 3, Interesting) by RS3 on Tuesday February 20 2018, @09:03PM

          by RS3 (6367) on Tuesday February 20 2018, @09:03PM (#640848)

          You both have great points.

          It's too much to ask to do some basic research before installing optional packages?

          Two points / problems for me:

          1) If it's 3rd-party stuff, no, we should be wary. But if it's from the distro, yes, it is too much to ask. I've heard good things, and had good experience with X distribution in the past and I want to be able to continue to trust them and not have to dig into each module, library, default config file, etc. Now I don't trust _anything_ from them.

          2) Interconnected with my #1 point, I wasn't aware there could be a problem; I didn't know I had to worry.

          With Windows, I often (usually) run a packet sniffer (smsniff) when installing something new, or upgrading. It's troubling how much today's software "phones home to mommy" both during installs, and just starting up. I often disconnect from the network during installs. I try to turn off automatic updaters, etc.

          But I _expect_ this with all things Windows (and Android). It's sad to see these power, control, and greedy attitudes creeping into Linux distros.

  • (Score: 4, Insightful) by tangomargarine on Tuesday February 20 2018, @07:33PM

    by tangomargarine (667) on Tuesday February 20 2018, @07:33PM (#640789)

    none of these OSes should be recommended to a non-technical user who just wants their computers to respect privacy or security.

    In my experience these demographics are largely mutually exclusive. If you try to complain about your OS spying on you to a nontechnical user, their eyes will glass over and they won't understand what the problem is.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 3, Interesting) by Thexalon on Tuesday February 20 2018, @07:44PM (2 children)

    by Thexalon (636) on Tuesday February 20 2018, @07:44PM (#640796)

    OK, so walk with me through this scenario:
    1. User installs an OS and distro. That OS and distro doesn't include anything that could be considered evil. I think we both agree so far, so good.
    2. User wants access to a feature that requires something evil. Now, which of the following do you do, if you're the distro maintainer:
          A. Provide a package that by default does everything it can to limit the evil in question. Possibly with a nice big warning about how evil it is.
          B. Refuse to provide a package, but direct users to rely on potentially risky instructions from random sites on the Internet. Or even worse, "Pipe this random file from the Internet into a root shell".
          C. Force users to follow instructions from the maker of the evilware in question. Manufacturers of evilware would never even dream of using their installer to install things the user didn't want.
    What's a distro to do? I'd generally see option A as the least evil. And yes, it would be better to have a warning issued when you go to install it, but everyone on here knows that users routinely ignore warnings. And one way I know that is that at least some of the distros I've tried out (currently on Slack, have run Gentoo, LFS, Arch, and several others) included warnings about the Adobe misfeatures, and you just acted like those warnings didn't exist, which probably means you didn't even take any notice of them if you saw them.

    Now, I'll grant you that the best option would be to create, fund as needed, and default to a non-evil way of getting that feature, and I'd be glad if something like that existed. But sometimes there isn't one (often for legal reasons), and the user wants to get that feature however they can.

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2) by frojack on Tuesday February 20 2018, @07:53PM (1 child)

      by frojack (1554) on Tuesday February 20 2018, @07:53PM (#640803) Journal

      You lost me at #1.

      That OS and distro doesn't include anything that could be considered evil.

      You haven't read a single word Melikamp said.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 2) by Thexalon on Tuesday February 20 2018, @09:20PM

        by Thexalon (636) on Tuesday February 20 2018, @09:20PM (#640857)

        And you're assuming I'm referring to either Red Hat-based stuff, or Ubuntu-based stuff. Some examples of distros that leave that kind of thing out:
        - Linux From Scratch. Which, since everything is directly compiled and installed by the user, means it's damned near impossible to include something other than what the user wants.
        - Slackware. Which doesn't include Flash, NVidia, and other binary blobs by default.
        - ArchLinux. Which also doesn't include Flash by default, but provides you a couple of different packages you can use if you want it. It also provides a bunch of FOSS alternatives that might solve the users' problem.

        If you're super-concerned about your personal privacy and the risk of your computer giving away information about your activity, then you'll need to:
        1. Review all the code on any software that will be run on your computer to look for backdoors, spyware, and other bad behavior.
        2. Build your compiler, making sure to take steps that prevent Ken Thompson's classic compiler-based attack [cmu.edu].
        3. Compile all the software you're going to use yourself, following code review.
        4. Just to be sure, monitor all network traffic crossing the firewall between your computer and the public Internet.
        5. If you're really really serious, you need to add an air-gap, and have a separate unsecure machine to first read through everything that will be going onto your transferable media, and of course be looking at your transferable media with low-level tools to ensure that there's nothing transferring via a hidden channel on your media.

        That's the kind of thing the TLAs do when they're trying to maintain the security of their systems. It's a lot of work, and even they screw it up sometimes.

        --
        The only thing that stops a bad guy with a compiler is a good guy with a compiler.
  • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @08:59PM

    by Anonymous Coward on Tuesday February 20 2018, @08:59PM (#640844)

    Can you list a few of the "spyware" included in a "default" Gentoo kernel?

    That could help us all better understand the problem.

    I agree it's a constant battle to keep a Linux system usable from a security point of view. After I do an install, I routinely shut off many "services", uninstall as many bloat packages as I can, and sometimes directly remove executable files because of dependency hell.

    For internet connection(s), the best I've come up with so far is to use a customized "live" distro booted from a USB key with no persistent storage, except from time to time when I insert another USB key to save downloads. Then when I reboot, I again have a new system until it might get pwned. This does not guarantee that the system is 100% secure to begin with, but it's the best I have come up with.