motd-news transmitting private hardware data without consent or knowledge in background
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
base-files (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
In package base-files there is a script /etc/update-
This solution is simple:
1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/
2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.
Creating databases that map IP addresses to specific hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the IP address for that hardware, their ability to successfully attack it is greatly increased.
no longer affects: | ubuntu-mate |
tags: | added: eoan focal |
Launchpad Janitor (janitor) wrote : | #1 |
Changed in base-files (Ubuntu): | |
status: | New → Confirmed |
tags: | added: bionic cosmic disco |
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #2 |
This ticket should be updated to Security issue +250 points
I highly doubt that this Motd News "feature" is compliant with EU's General Data Protection Regulation since daily reporting of computer's infos are proceeded without the user's consent. Cf. GDPR application comments [https:/
Internet protocol (IP) addresses; information that is related to an individual’s tools, applications, or devices, like their computer.
Daily report of computer's private infos without the users consent
It affects Ubuntu Servers and Desktop (including roaming computers like laptops)
since at least 18.04 LTS and also the current 20.04 LTS
Sensitive data sent
- IP address of the computer running Ubuntu
- Date of the HTTPS query
- Kernel Version
- CPU Vendor and Model
- Uptime
- Cloud identifier
- Version of Curl so version of Ubuntu running ...
$curl_ver $lsb $platform $cpu $uptime $cloud_id
Sample from our PC Engines running Ubuntu 18.04 LTS:
```
curl/7.
```
https:/
```
* MicroK8s gets a native Windows installer and command-line integration.
https:/
```
The perfect opportunity to map all Ubuntu Linux users worldwide on a daily basis?
https:/
https:/
See also
https:/
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #3 |
Anyone privacy-conscious using any version of Ubuntu should do this in a shell ASAP
sudo sed -i -r 's/(ENABLED)
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #4 |
Thanks security-conscious Dustin Kirkland for this great bash script
("I've insisted on shell here for transparency! - Dustin ")
and other contributions like NSA's SELinux or security-sensitive
software like Pollinate (Entropy-
https:/
Packing so much sensitive info inside User-Agent sent daily by default
from all Ubuntu to https:/
less /etc/update-
```
# 50-motd-news - print the live news from the Ubuntu wire
# Copyright (C) 2016-2017 Canonical Ltd.
# Copyright (C) 2016-2017 Dustin Kirkland
#######
# This program could be rewritten in C or Golang for faster performance.
# Or it could be rewritten in Python or another higher level language
# for more modularity.
# However, I've insisted on shell here for transparency!
# - Dustin
#######
# Curl browser version, for debug purposes
curl_ver="$(dpkg -l curl | awk '$1 == "ii" { print($3); exit(0); }')"
# Distribution version, for messages related to this Ubuntu release
. /etc/lsb-release
lsb=$(echo "$DISTRIB_
codename=
# Kernel version and CPU type, for messages related to a particular revision or hardware
platform="$(uname -o)/$(uname -r)/$(uname -m)"
arch="$(uname -m)"
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"
cloud_id="unknown"
if [ -x /usr/bin/cloud-id ]; then
/usr/
if [ $? -eq 0 ]; then
# sanitize it a bit, just in case
if [ -z "${cloud_id}" ]; then
fi
fi
fi
# Some messages may only be pertinent before or after some amount of uptime
read up idle < /proc/uptime
uptime=
# Piece together the user agent
USER_AGENT=
...
# Fetch and print the news motd
if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$u" >"$NEWS" 2>"$ERR"; then
```
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #6 |
Part of the base OS ... resistance is futile
dpkg -L base-files | grep motd-news
/etc/default/
/etc/update-
/lib/systemd/
/lib/systemd/
sudo grep news /var/log/syslog
Jun 4 04:44:22 mbx 50-motd-
Jun 4 04:44:22 mbx 50-motd-
Jun 4 04:44:22 mbx systemd[1]: motd-news.service: Succeeded.
Jun 4 08:57:00 mbx systemd[1]: motd-news.timer: Succeeded.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #7 |
Please give the Message of the Day (MOTD) every time I get online on the Internet
or I reboot my Ubuntu computer ...
Hold on, connecting to Amazon Cloud (Amazon Data Services) motd.ubuntu.com ...
Your message of the day is
Building Trust is Hard, Breaking Trust is Easy
In exchange, please give me your User-Agent with all your private information
so I know who you are (IP, Ubuntu Cloud ID, Linux Kernel Version, Curl version, etc.)
GET /bionic/x86_64 HTTP/1.1
Host: motd.ubuntu.com
User-Agent: curl/7.
/x86_64 Intel(R)
2047.71 cloud_id/unknown
Accept: */*
https:/
[Unit]
Description=Message of the Day
After=network-
Documentation=
[Service]
Type=oneshot
ExecStart=
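Added example (not part of the bug report or of Ubuntu's code): because the request goes out over HTTPS, a network observer sees the DNS lookup for motd.ubuntu.com rather than the User-Agent, so an administrator can use a resolver log to list which machines on their own network still check in and how often. It assumes dnsmasq `log-queries` lines in syslog format; the sample lines, addresses and the names `motd_checkins` and `report` are constructed for illustration.

```python
"""Added example: list clients that still resolve motd.ubuntu.com in a dnsmasq query log."""
import re
from collections import defaultdict
from datetime import datetime

MOTD_HOST = "motd.ubuntu.com"  # server named in the bug report

# Assumed input format: dnsmasq "log-queries" lines as written to syslog.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?:A|AAAA)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Constructed sample lines (host name and addresses are made up).
SAMPLE_LOG = """\
Jun  4 04:44:21 gw dnsmasq[812]: query[A] motd.ubuntu.com from 192.168.1.23
Jun  4 04:44:21 gw dnsmasq[812]: query[AAAA] motd.ubuntu.com from 192.168.1.23
Jun  4 05:10:02 gw dnsmasq[812]: query[A] archive.ubuntu.com from 192.168.1.40
Jun  4 09:02:10 gw dnsmasq[812]: query[A] motd.ubuntu.com from 192.168.1.31
Jun  4 16:44:25 gw dnsmasq[812]: query[A] MOTD.ubuntu.com. from 192.168.1.23
Jun  5 04:44:30 gw dnsmasq[812]: query[A] motd.ubuntu.com from 192.168.1.23
"""


def motd_checkins(lines, year, window_s=60):
    """Return {client: [datetime, ...]} of lookups for MOTD_HOST.

    Syslog timestamps carry no year, so the caller supplies it. Lookups from
    one client within window_s seconds (the A/AAAA pair of a single run) are
    collapsed into one check-in.
    """
    raw = defaultdict(list)
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        # Names are case-insensitive and may carry a trailing dot.
        if m["name"].rstrip(".").lower() != MOTD_HOST:
            continue
        stamp = " ".join(m["ts"].split())  # normalise "Jun  4" padding
        raw[m["client"]].append(
            datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        )

    checkins = {}
    for client, stamps in raw.items():
        stamps.sort()  # do not rely on the log being in order
        kept = [stamps[0]]
        for ts in stamps[1:]:
            if (ts - kept[-1]).total_seconds() > window_s:
                kept.append(ts)
        checkins[client] = kept
    return checkins


def report(lines, year):
    """One row per client: number of check-ins, last one, and gaps in hours."""
    rows = []
    for client, stamps in sorted(motd_checkins(lines, year).items()):
        gaps = [
            round((b - a).total_seconds() / 3600, 1)
            for a, b in zip(stamps, stamps[1:])
        ]
        rows.append({
            "client": client,
            "checkins": len(stamps),
            "last_seen": stamps[-1].isoformat(sep=" "),
            "gap_hours": gaps,
        })
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines(), year=2020):
        print(row)
```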
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #8 |
Thanks Canonical for this great Telemetry masterpiece
hidden in a Daily "News" (Message of the Day) deep inside
the core of Ubuntu.
I found it active on all the Ubuntu laptops of my friends
and coworkers, all Ubuntu servers from local ISP and my
work. As well as on all Ubuntu flavours and Ubuntu derived
Linux distros.
It is also present in cloud-init images of major cloud providers,
and all Docker images from Docker Registry based on Ubuntu.
What a (s)hell for transparency!
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #9 |
This is more than just a Telemetry, it is a Trojan in Ubuntu Distro.
A remote code-execution (RCE) vulnerability
in all Ubuntu of the world! Why?
Simple
curl is launched as root (not the best practice!),
and Ubuntu Distro fetch https:/
if someone (like 3-letters or 4 letters) controls this Amazon Web server
knowing the version of curl (provided by the script) exploit any local
known vulnerability present in curl or use a curl zero day it will have
"root" access to any Ubuntu Server or Desktop, Laptop of the world!
Proof of Concept
Add the following before the for calling curl in /etc/update-
date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test
wait 12 hours... or 12:00 / 00:00 or reboot
cat /tmp/test
2020-06-05 12:00:00
root
curl/7.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #10 |
motd-news is present in Nvidia Jetson Nano (derived from Ubuntu)
and Ubuntu for Raspberry Pi. It is enabled by default and also calling Home
Ubuntu via Amazon Cloud.
motd-news is also present in Ubuntu Core 18 for embedded systems (like Tesla Car)
but unlike Ubuntu Server and Desktop Distro it is not enabled by default.
I don't have a Tesla car to verify if it is enabled or not.
unxz ubuntu-
sudo mount -o loop,offset=
sudo unsquashfs -d /tmp/core18 /mnt/system-
/tmp/core18/
/tmp/core18/
/tmp/core18/
/tmp/core18/
/tmp/core18/
sudo grep ENABLED /tmp/core18/
ENABLED=0
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #11 |
The original request for motd-news came from Dustin Kirkland on 2016-10-30
https:/
tags: | added: rls-ff-incoming |
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #12 |
I recommend the following action points to restore a bit of trust in Ubuntu Product
after the introduction of motd-news by Dustin Kirkland (Ex- VP Product at Canonical)
- Run all motd scripts including motd-news AND curl as non privileged account -- not as root
- Move motd-news functionality from base-files to a removable package called motd-news
- Set ENABLED to 0 by default on all Ubuntu Distros or at least ask the user consent
(during install and later with cloud-init)
- Remove private information from User-Agent (uptime, kernel version, curl version, type of cloud) and stop using HTTPS Header such as User-Agent as proxy to exfiltrate sensitive info from Ubuntu
- Make the code behind https:/
- Check the logs of https:/
Currently Ubuntu users are trapped as they can only disable motd-news but not uninstall it
and any software update of base-files could bring back the security issue.
Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in theory execute code on any Ubuntu if a serious vulnerability in curl has been found or if the user did not update curl.
Running curl as root, reporting the curl version and the kernel version gives all the information needed to implement a persistent backdoor in any Ubuntu worldwide.
sudo apt-get purge base-files
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
base-files bash
0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
After this operation, 4,525 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
?]
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #13 |
I don't think it was a safe decision to link the security of Ubuntu
base OS to curl running as root every 12 hours via motd-news just
to display Ads for products and not important security messages
like suggested in the original ticket (1637800).
Just imagine the consequence of https:/
starts to redirect to a TFTP URL and send private memory contents
from root account every 12 hours or if curl has a new vulnerability
such as buffer overflow discovered automatically by Google's OSS-Fuzz
and not yet patched within 30 days by curl maintainers or by
Ubuntu Security Team.
https:/
A malicious HTTP(S) server could redirect a vulnerable libcurl-using client
to a crafted TFTP URL (if the client hasn't restricted which protocols it
allows redirects to) and trick it to send private memory contents to a
remote server over UDP.
https:/
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #14 |
The usage of motd-news as Advertising media for Canonical products is well documented.
Now we need to know if Canonical shares the crafted User-Agent with sensitive info in it with third parties and uses it for telemetry like Microsoft Windows 10.
Sample output of motd-news mirrored in both login prompt via motd and syslog
- MicroK8s gets a native Windows installer and command-line integration.
https:/
- How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow, Keras & React Native on Ubuntu
- Overheard at KubeCon: "microk8s.status just blew my mind".
https:/
https:/
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #15 |
- motd-news.txt (242.2 KiB, text/plain)
All messages received over a year (Ubuntu 18.04):
* Congrats to the Kubernetes community on 1.16 beta 1! Now available
* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
* Keen to learn Istio? It's included in the single-package MicroK8s.
* Kubernetes 1.18 GA is now available! See https:/
* Latest Kubernetes 1.18 beta is now available for your laptop, NUC, cloud
* MicroK8s 1.15 is out! It has already been installed on more
* MicroK8s 1.15 is out! Thanks to all 40 contributors, you get the latest
* MicroK8s passes 9 million downloads. Thank you to all our contributors!
* Multipass 1.0 is out! Get Ubuntu VMs on demand on your Linux, Windows or
* Multipass 1.1 adds proxy support for developers behind enterprise
* Overheard at KubeCon: "microk8s.status just blew my mind".
* 'snap info' now shows the freshness of each channel.
* Ubuntu 20.04 LTS is out, raising the bar on performance, security,
* Ubuntu's Kubernetes 1.14 distributions can bypass Docker and use containerd
None of them are about security and none of them are customized
using uptime, ubuntu version, kernel version, curl version, ip, ...
Why pack all this into User-Agent, which can be linked to public IP every 12 hours?
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #16 |
Privacy:
Ubuntu users don't have the opportunity to opt-out from motd-news before all the private infos
and telemetry are sent via User-Agent. So even if people change ENABLED=1 to ENABLED=0
in /etc/default/
done in background after the boot via systemd/motd-news service.
I repeat, this doesn't look GDPR-compliant at all. There is no prior consent ever asked for.
The GDPR was adopted on 14 April 2016, and became enforceable beginning 25 May 2018.
motd-news has been designed in 2017 and is enabled by default on all Ubuntu Server,
Ubuntu Desktop, Ubuntu Flavors (such as Mate, Raspberry), Ubuntu derived such as Nvidia Jetson Nano
without prior consent.
Security:
Run curl as root every 12h, are you serious?
Richard Harding (rharding) wrote : | #17 |
Thank you for taking the time to report this issue. As you note, this is a long-standing feature of Ubuntu that Canonical leverages to help understand our user base and improve and prioritize work that makes Ubuntu better for all. I can assure you that all information is GDPR compliant and that we implement all policies as far as accessing any such data. For example, as the manager of the Ubuntu Server team, I’ve never seen the IP address of any Ubuntu user and am unable to map the installs out there.
As you note, this feature was done transparently, with clear documentation, and is trivial to disable if anyone is uncomfortable. I am marking this bug as “Won’t Fix” as it’s a design decision, and while there are some that do not agree with it and I respect those feelings, it’s also not something we’re currently planning on changing. This allows us to make Ubuntu better for everyone and make sure that we’re doing the best that we can. Thanks.
Changed in base-files (Ubuntu): | |
status: | Confirmed → Won't Fix |
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #19 |
Maybe as manager of the Ubuntu Server team, you should ask to improve motd-news software
to not curl as root.
You should also improve landscape and landscape on premises level of access so any users
cannot list all processes and reboot any servers or execute shell script as root.
Good luck, I think we are done with Ubuntu.
Joao Matos (c-joao) wrote : | #20 |
Well, it is disappointing that you choose to close this as “won’t fix”.
As pointed out in the initial bug report, this “feature” is implemented without notice or consent.
In other words, and to rephrase, this was done transparently in a hidden way. Which is, to say the least, not corresponding to standard usage and best practices, let alone the security aspect by running it as root.
This is definitely not very reassuring for users who are left with the suspicion, confirmed by the manager of the Ubuntu Server team, that Ubuntu is comfortable implementing (and might implement in the future) this kind of “features” and data collection without further notice or consent from the users.
As professional users we have already our share of burden to protect our assets from all kinds of threats, being obliged to add to that list the base OS leaves us with no other choice but to reconsider Ubuntu as a (un)trusted provider. Sad.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #21 |
By the current design, you don't give choice to the Ubuntu users as they cannot opt-out BEFORE
the laptop or server contacts motd.ubuntu.com sending the telemetry. By implementing it as
essential package, you don't let user remove it but only disable it when it is too late.
The same applies to landscape, you don't give choice to disable some dangerous features
like executing very powerful script, list all processes, etc. This is why, we decided to stop
using landscape (both in the cloud and on premises).
It will be your responsibility as Ubuntu Server manager, if motd.ubuntu.com gets compromised
and motd-news is exploited because it runs curl as root and all Ubuntu servers could get
compromised at the same time within 12 hours.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #22 |
And don't tell me that the fact that Canonical uses motd as Telemetry was done transparently,
with clear documentation... most users complain only about the advertising but don't realize
that the motd-news is used as telemetry tool but seems to act as an advertising / news purpose
and the risk of the bad design decision of running curl as root.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #23 |
Best practices by Dustin Kirkland
https:/
- No mention of curl running as root
- No mention of the exfiltration of private data done via User-Agent
- No mention of the novel concept of advertising via motd
- No mention of using motd-news as telemetry
- No mention that motd-news is part of core Ubuntu "base-files" and cannot be removed
Feel free to guide me to the correct info on your website or update your documentation.
Additional discussions on Twitter
https:/
https:/
https:/
https:/
https:/
https:/
https:/
...
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #24 |
I have decided to contact ICO (Information Commissioner's Office).
Because Canonical Ltd. has handled my personal information
(IP address, Hardware CPU, Choice of Cloud Hosting, and various meta-data)
and the one of the company I work for without consent.
The same applies to all users of Ubuntu (persons, companies, governments)
worldwide on a daily basis.
By collecting twice a day the following information:
- The public IP address where Ubuntu system is used (part of the log of the HTTPS server)
- Date / Time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU Vendor and Model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud Hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of curl software (launched as root which is a bad IT practice and a security risk)
On top of that by making motd-news unremovable in the core of Ubuntu's base-files
(like it was the case for Internet Explorer in Windows or the Telemetry in Windows 10),
they enforce the telemetry before you can disable it or opt-out from it.
Feel free to file your own complaint or contact your local information commissioner
as this ticket is marked as Won't Fix by the manager of the Ubuntu Server team.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #25 |
I will first contact the Data Protection Officer (DPO) of Canonical Group Limited
<email address hidden>
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #26 |
FYI Canonical's legal department is reviewing motd-news "feature" (such as telemetry)
and will provide updated information next week.
All motd-news related tickets
"Canonical has launched the Ubuntu Appliance initiative which aims to transform Raspberry Pi devices or personal computers into secure, self-updating solutions" (source 9to5linux). I checked nextcloud-
Zachary Fouts (zfouts) wrote : | #27 |
I too, would like to see this fixed. I initially reported something very similar in https:/
This is unacceptable, especially for EU users. It needs to be an option to opt in at install time. By default I believe this should be opted out.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #28 |
- motd-news.service started during installation Ubuntu Desktop 20.04 Without Consent (483.0 KiB, image/png)
No updates from Canonical's legal department
"A picture is worth a thousand words"
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #34 |
- motd.ubuntu.com hosted in the Amazon EC2 cloud in Dublin, Leinster, Ireland (146.6 KiB, image/png)
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #43 |
https:/
Articles like "Canonical Under Fire for Putting Ads in the Ubuntu MOTD"
miss the point that motd-news is not only displaying Advertising in the login prompt but it is a Privacy Nightmare because it has a hidden Telemetry feature which is enabled by default Without Consent and leaks IP Address, System critical information (Kernel Version, Uptime, CPU Vendor, CPU Model, Idle Time, Uptime) every 12 hours via User-Agent from curl on all Ubuntu Desktop and Ubuntu Server including the current version of Ubuntu.
On top of that, motd-news is also a security nightmare as it runs curl as root which can be exploited to gain root on any servers, laptops etc.
I recommend that all Ubuntu users open a Terminal and execute the following
sudo sed -i -r 's/(ENABLED)
sudo apt-get -qq -y purge curl
N.B. curl is not installed if you explicitly select Ubuntu Minimal during the installation of Ubuntu Desktop so motd-news cannot contact motd.ubuntu.com without curl even if ENABLED=1 by default
GDPR : EU's General Data Protection Regulation since daily reporting of computer's infos are proceeded without the user's consent. Cf. GDPR application comments [https:/
Internet protocol (IP) addresses; information that is related to an individual’s tools, applications, or devices, like their computer.
Canonical Ltd. has handled my personal information without consent.
By collecting twice a day the following information:
- The public IP address where Ubuntu system is used (part of the log of the HTTPS server)
- Date / Time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU Vendor and Model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud Hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of curl software (launched as root which is a bad IT practice and a security risk)
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #44 |
https:/
To: ICO
Dear Information Commissioner’s Office,
I confirm that I want to proceed with the creation of the case about
Canonical's motd-news as Canonical doesn't want to remediate the privacy
issue of sending by default hardware details and public IP of all
Ubuntu Desktop and Ubuntu Server twice a day, every day of the year.
Next to this message, you will find the final answer from Canonical.
The following are my comments on their legal information.
"The purpose of sending the system information is so that Canonical can tailor the message returned by https:/
This is wrong motd.canonical.com does not exist and is part of motd-news.
The server used by Ubuntu is https:/
lynx -mime_header https:/
Looking up motd.canonical.com
Unable to locate remote host motd.canonical.com.
Alert!: Unable to connect to remote host.
The evidence is part of the Ticket
https:/
"None of this data can be used to identify a machine or user."
"Along with this data, the IP address and other network information is transmitted to facilitate communication on the internet from the Ubuntu machine to Canonical. This information is not stored by Canonical."
This is wrong as Canonical is using Apache and the default is to store
IP address in the access log
https:/
Common Log Format
(%h)
This is the IP address of the client (remote host) which
made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine.
lynx -mime_header https:/
HTTP/1.1 200 OK
Date: Mon, 13 Jul 2020 06:05:38 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Mon, 13 Jul 2020 06:00:50 GMT
Accept-Ranges: bytes
Content-Length: 215
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
* "If you've been waiting for the perfect Kubernetes dev solution for
macOS, the wait is over. Learn how to install Microk8s on macOS."
https:/
"You can disable this service as follows:"
"/etc/default/
I assume 80% of Ubuntu Desktop users will not know how to disable motd-news
because they need a Terminal and sudo access. A regular editor running
a default user will not allow to edit this file as super user. So this doc
is useless.
On top of that Canonical sends motd-news information before
the user can even opt out during the installation of Ubuntu Desktop
...
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #45 |
- canonical-legal-motd.pdf (49.4 KiB, application/pdf)
I added https:/
https:/
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #46 |
On my point of view, it's NOT enough to implement a legal notice https:/
Nothing has been done regarding the consent of the user.
I expect one of the following two options to be implemented by Canonical.
(A)
Ask for consent during the installation of the operating system Ubuntu and before sharing my personal information via the motd-news software used for Telemetry, Tracking, Advertising purpose instead of providing meaningful "security messages or other news" on a daily basis.
(B)
Or disable it by default via ENABLED=0 in the file /etc/default/
If Canonical doesn't take data protection seriously by implementing technical measures such as stop calling motd-news during installation and after automatically without consent and implement an easy way to opt out for people without technical knowledge in linux shell then ICO will need to evaluate the choice of Canonical of enforcing Telemetry hidden in motd-news's User-Agent without asking user consent and not respecting "No, don't send system info" choice of the user during the installation wizard, sending beacons with IP address, system info twice a day, every day from all Ubuntu Desktop and Ubuntu Server installations worldwide.
B. (b-deactivatedaccount-deactivatedaccount) wrote : | #47 |
Ubuntu decided to remove uptime from motd-news' data leak (exfiltration) via User-Agent: and move /etc/default/
Remove uptime from the motd-news user agent
https:/
motd-news: use wget instead of curl
https:/
-- I hope they will stop launching it as root as well
see https:/
Split motd-news config into a new package
https:/
To Be
Continued --->
Status changed to 'Confirmed' because the bug affects multiple users.