[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background
Guy Baconniere
1867424 at bugs.launchpad.net
Fri Jun 12 14:15:31 UTC 2020
By the current design, you don't give a choice to Ubuntu users, as they cannot opt out BEFORE
the laptop or server contacts motd.ubuntu.com sending the telemetry. By implementing it as
an essential package, you don't let the user remove it but only disable it when it is too late.
The same applies to Landscape: you don't give a choice to disable some dangerous features
like executing very powerful scripts, listing all processes, etc. This is why we decided to stop
using Landscape (both in the cloud and on premises).
It will be your responsibility as Ubuntu Server manager if motd.ubuntu.com gets compromised
and motd-news is exploited because it runs curl as root and all Ubuntu servers could get
compromised at the same time within 12 hours.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge in background
Status in base-files package in Ubuntu:
Won't Fix
Bug description:
In package base-files there is a script /etc/update-motd.d/50-motd-news
that harvests private hardware data from the machine and
transmits it in the background every day. There is no notice, no
consent, no nothing. This should be by default disabled until there
is informed consent.
This solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.
Creating databases that map IP addresses to specific hardware is a
threat to both privacy and security. If an adversary knows the
specific hardware and the IP address for that hardware, their ability
to successfully attack it is greatly increased.
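
The two-step change proposed in the bug description, as an added example that is not part of the bug report or of base-files: it reports the effective ENABLED setting in /etc/default/motd-news and forces it to 0 with a disclosure comment. The function names are hypothetical, and it assumes the file is read as shell-style assignments where the last ENABLED line wins and only the value 1 enables the script.

```shell
#!/bin/sh
# Added example (not from the bug report or base-files).
# Assumption: the defaults file holds shell-style KEY=VALUE lines, the last
# ENABLED assignment wins, and only the value 1 means "enabled".

MOTD_NEWS_DEFAULTS="${MOTD_NEWS_DEFAULTS:-/etc/default/motd-news}"
MOTD_NEWS_NOTE="# NOTE: with ENABLED=1, 50-motd-news uploads hardware data to motd.ubuntu.com daily."

# Print "enabled", "disabled" or "missing" for the given defaults file.
motd_news_state() {
    f="${1:-$MOTD_NEWS_DEFAULTS}"
    if [ ! -r "$f" ]; then echo missing; return 0; fi
    # Take the last ENABLED= line, drop a trailing comment, quotes and blanks.
    val=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$f" | tail -n 1 |
          sed 's/[[:space:]]*#.*$//' | tr -d "\"' \t")
    if [ "$val" = "1" ]; then echo enabled; else echo disabled; fi
}

# Force ENABLED=0 (step 1) and add the disclosure comment once (step 2).
motd_news_disable() {
    f="${1:-$MOTD_NEWS_DEFAULTS}"
    tmp=$(mktemp) || return 1
    if ! grep -qF "$MOTD_NEWS_NOTE" "$f" 2>/dev/null; then
        echo "$MOTD_NEWS_NOTE" > "$tmp"
    fi
    if [ -f "$f" ]; then
        # Rewrite every active ENABLED line; commented-out lines are untouched.
        sed 's/^[[:space:]]*ENABLED=.*/ENABLED=0/' "$f" >> "$tmp"
    fi
    if ! grep -q '^ENABLED=0' "$tmp"; then echo "ENABLED=0" >> "$tmp"; fi
    # Write through the existing file so its owner and mode are kept.
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Stand-alone use: "status" or "disable" as first argument (disable needs root).
case "${1:-}" in
    status)  motd_news_state ;;
    disable) motd_news_disable && motd_news_state ;;
esac
```

Running the status check from provisioning, before the first login or timer run, is what addresses the "too late" point raised in the comment above.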