[Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

Guy Baconniere 1867424 at bugs.launchpad.net
Fri Jun 12 17:48:03 UTC 2020 

Best practices by Dustin Kirkland
https://manpages.ubuntu.com/manpages/focal/en/man5/update-motd.5.html

- No mention of curl running as root
- No mention of the exfiltration of private data done via User-Agent
- No mention of the novel concept of advertising via motd 
- No mention of using motd-news as telemetry
- No mention that motd-news is part of core Ubuntu "base-files" and cannot be removed

Feel free to guide me to the correct info on your website or update your
documentation.

Additional discussions on Twitter
https://twitter.com/lusis/status/880446088083329024
https://twitter.com/astarrb/status/880170781841514496
https://twitter.com/lelff/status/1210619413885575168
https://twitter.com/hessu/status/1269994718018056199
https://twitter.com/nikitonsky/status/1073714951104184320
https://twitter.com/wamdamdam/status/1044197012353298433
https://twitter.com/marcodavids/status/1245054456955314178
...

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Won't Fix

Bug description:
  In package base-files there is a script /etc/update-motd.d/50-motd-
  news that harvests private hardware data from the machine and
  transmits it in the background every day.  There is no notice, no
  consent, no nothing.  This should be by default disabled until there
  is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and 
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that maps ip address to specify hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the ip address for that hardware their ability
  to successfully attack it is greatly increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions

More information about the foundations-bugs mailing list