[ubuntu-studio-devel] How wide spread is Linux spyware?

Ralf Mardorf ralf.mardorf at alice-dsl.net
Sat Jul 11 12:49:15 UTC 2015


Begin forwarded message:

Date: Sat, 11 Jul 2015 14:45:18 +0200
From: Ralf
To: xubuntu-users at lists.ubuntu.com
Subject: Re: [xubuntu-users] "System program problem detected"


On Sat, 11 Jul 2015 19:21:32 +0800, lukshuntim at gmail.com wrote:
>On Saturday, July 11, 2015 06:49 PM, Michael Höhne wrote:
>> On Sat, 11 Jul 2015 17:23:22 +0800
>> lukshuntim at gmail.com wrote:
>>> On Saturday, July 11, 2015 12:23 PM, blind Pete wrote:
>>>> Rob Ward wrote:
>>> Maybe searching for "apport" and "whoopsie" with your preferred
>>> search engine will give you more information. :-)
>> And if someone really doesn't like it: You are free to uninstall
>> them ;-)
>
>IMHO, any package that "phones home", for whatever purpose :-), should 
>be installed opt-in, accompanied by succinct explanation to the user. 
>After all, free software is about user empowerment.

Full ACK, since a user is unlikely to be aware of all the software
that is installed by default by an OOTB working distro.

However, it's an option to read about "apport" and "whoopsie", balance
the pros and cons and, as the case may be, purge the packages.

If you manually report a bug to a bug tracker, a developer advises you
how to provide additional information. The developer might ask you to
post a log or debug file and informs you to read it first and remove
passwords and similar critical data.


Apport

"[...] You can click on "Show Details..." to see what data it collected
[...] Apport is not enabled by default in stable releases, even if it
is installed. The automatic crash interception component of apport is
disabled by default in stable releases for a number of reasons:

    Apport collects potentially sensitive data, such as core dumps,
    stack traces, and log files. They can contain passwords, credit
    card numbers, serial numbers, and other private material. [...]"
- https://wiki.ubuntu.com/Apport


Whoopsie

"Invitation for metrics collection

For any administrator, after the first time only that they respond to
an error alert, a second alert should appear to invite them to opt in
to metrics collection. (The “Esc” key should activate “Don’t Send” in
this alert, but the “Enter” key should not do anything.)

[...]

The “Privacy…” button should open System Settings to the Privacy panel.
Choosing “Send” should be equivalent to checking “Send occasional
system information to Canonical” in the Privacy settings.

[...]

Along with the report, Whoopsie sends an obfuscated (SHA512) system
identifier (DMI system UUID). This information is collected so that we
can show a graph of the average errors per calendar day. It also lets
us answer questions like, “is Ubuntu more stable in the first week of
use or subsequent weeks?”" - https://wiki.ubuntu.com/ErrorTracker

So root privileges are likely needed to get the unique ID of a
computer.

DMI

$ sudo dmidecode | grep -i uuid
$ sudo cat /sys/class/dmi/id/product_uuid


Collecting such data has less to do with a serious bug report; this
is what we expect from restricted operating systems. Some might still
think I spread FUD. It's the individual user's self-responsibility to
balance pros and cons.

Regards,
Ralf
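
The point about the SHA512 of the DMI system UUID, as an added example that is not part of the original message and is not Whoopsie's own code: hashing a fixed UUID gives the same value on every report, so reports stay linkable per machine. The UUIDs, report lines and function names are constructed, and hashing the UUID text without a trailing newline is an assumption.

```shell
#!/bin/sh
# Added example (not Whoopsie's code): a SHA-512 of a fixed UUID is a stable
# pseudonym, so reports carrying it remain linkable per machine.
# Assumption: the UUID text is hashed without a trailing newline.

sha512_hex() {   # stdin -> hex digest; falls back to shasum where needed
    if command -v sha512sum >/dev/null 2>&1; then sha512sum
    else shasum -a 512; fi | cut -d' ' -f1
}

hashed_id() {    # $1 = UUID string -> 128 hex characters
    printf '%s' "$1" | sha512_hex
}

# Constructed UUIDs standing in for two machines.
UUID_A="11111111-2222-3333-4444-555555555555"
UUID_B="aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

sample_reports() {   # constructed records: date, identifier, crashed program
    a=$(hashed_id "$UUID_A"); b=$(hashed_id "$UUID_B")
    printf '%s\n' "2015-07-01 $a gedit"  "2015-07-03 $b firefox" \
                  "2015-07-09 $a thunar" "2015-07-11 $a firefox"
}

reports_per_machine() {   # stdin = reports -> "count id-prefix", busiest first
    awk '{ n[$2]++ } END { for (id in n) print n[id], substr(id, 1, 12) }' |
        sort -rn
}

history_for() {   # $1 = UUID, stdin = reports -> that machine's crash history
    # Appending "" forces a string comparison of the hex digests in awk.
    awk -v id="$(hashed_id "$1")" '($2 "") == (id "") { print $1, $3 }'
}

local_id() {   # identifier for this machine; the sysfs file is root-only
    f=/sys/class/dmi/id/product_uuid
    if [ -r "$f" ]; then hashed_id "$(cat "$f")"
    else echo "cannot read $f without root" >&2; return 1; fi
}

# Demo on the constructed data: three reports collapse onto one identifier.
sample_reports | reports_per_machine
sample_reports | history_for "$UUID_A"
```

Running `local_id` under sudo prints the value for the local machine under the stated assumption.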


