Yes this is a play on Free vs free... but the majority of users out there can't see the difference because the word free is covered by things like Angry Birds with Commercials and other software.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 7, 2012 21:49 UTC (Fri) by oever (subscriber, #987)
In that light it is hard to call the code spyware. The user can turn off the spying functionality, just like she can turn off the autocompletion in the Google search field in the browser.
Services that send information to a server should be opt-in, not opt-out. The feature in Ubuntu that sends this information is akin to tab-autocompletion on the command-line on an NFS volume; Amazon is added to your search space. It is less traffic to send your queries to Amazon than it is to send the Amazon search index to your machine. There was a time when dead tree catalogs were delivered to every house. It would be better for privacy if the entire catalog could be downloaded and browsed offline.
Posted Dec 7, 2012 22:37 UTC (Fri) by coriordan (guest, #7544)
Huh? And if a video player is free software, is it hard to call it a video player??
Free or proprietary, spyware is spyware. Until now, the amount of spyware in free software was insignificant, and we could always say "free software doesn't contain spyware because taking it out is easy and the upstream developer would just lose face". Ubuntu might change this.
> the autocompletion in the Google search field in the browser.
I don't know much about this functionality, but it might be harmless. If you're trying to do a web search for "get mail folders", and your browser sends "g", then "ge", then "get" etc. to the server before you manage to type the whole string, then you're sending the server *less* info than if your browser waited for you to type the string.
(I agree with your other points, but wanted to point out these details.)
Posted Dec 7, 2012 22:53 UTC (Fri) by apoelstra (subscriber, #75205)
Not only is it physically telling the server more information (since "g", "ge", "get", ..., "get mail folders" totals roughly the square as many characters as just "get mail folders"), but you are also telling the server how fast you type, what kind of typos you make (and therefore your keyboard layout and whether you are human). If you are typing in the wrong field, it could obtain passwords or other personal information, or at least determine what other programs you're running.
Plus, by sending information every keystroke, you're sending highly-correlated information that can be matched up if you are connecting through some sort of darknet that uses multiple paths.
Not to mention, if you spend a significant amount of time at a keyboard, there is a tendency to use any text-entry mechanism as an extension of your immediate-term memory. So if this leaves your system, the remote server is literally reading your thoughts.
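An added example, not part of the original comments: the points raised in the comment above (more data than a single query, plus typing cadence and typos), measured over a constructed log of per-keystroke suggestion requests. The log format, the sample values and the `analyze` function are assumptions made for illustration.

```python
import os
from statistics import median

# Constructed sample: (milliseconds since first keystroke, query prefix) as a
# suggestion server could log them for one user typing "get mail folders".
SAMPLE = [
    (0, "g"), (140, "ge"), (260, "get"), (410, "get "), (530, "get m"),
    (640, "get mi"), (1190, "get m"), (1320, "get ma"), (1450, "get mai"),
    (1570, "get mail"), (1720, "get mail "), (1850, "get mail f"),
    (1980, "get mail fo"), (2100, "get mail fol"), (2230, "get mail fold"),
    (2350, "get mail folde"), (2480, "get mail folder"),
    (2600, "get mail folders"),
]


def analyze(requests):
    """Summarise what the receiving side learns from one typing session."""
    prefixes = [q for _, q in requests]
    # Time between consecutive requests is the user's keystroke cadence.
    gaps = [b[0] - a[0] for a, b in zip(requests, requests[1:])]
    typical = median(gaps)
    deleted = []
    for prev, cur in zip(prefixes, prefixes[1:]):
        if not cur.startswith(prev):  # user backspaced or edited
            keep = len(os.path.commonprefix([prev, cur]))
            deleted.append(prev[keep:])  # text typed and then withdrawn
    return {
        "final_query": prefixes[-1],
        "chars_if_sent_once": len(prefixes[-1]),
        "chars_actually_sent": sum(len(p) for p in prefixes),
        "deleted_text": deleted,
        "median_gap_ms": typical,
        # Pauses well above the typical gap mark where the user hesitated.
        "hesitations_ms": [g for g in gaps if g > 3 * typical],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(f"{key}: {value}")
```

Text that was typed and then deleted never appears in the final query, so it is visible to the server only because every intermediate prefix was sent.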
Posted Dec 7, 2012 22:56 UTC (Fri) by JoeBuck (subscriber, #2330)
The auto-completion feature in Google or Bing search sends characters to Google or Bing as soon as you type them, but the user is fully aware that he/she is sending a query to a search engine. But Ubuntu sends the query to Amazon even when you thought that you were only searching your local computer, or that you were searching Ubuntu's package list for a program. At the very least, this should be opt-in, not opt-out.
Posted Dec 10, 2012 11:49 UTC (Mon) by coriordan (guest, #7544)
Posted Dec 8, 2012 1:18 UTC (Sat) by Lennie (subscriber, #49641)
Chrome will send everything you type in the address bar to Google (is there a preferred search engine setting? I have never checked).
Firefox will only send something to your preferred search engine when you type it in the search box.
Posted Dec 8, 2012 6:34 UTC (Sat) by mathstuf (subscriber, #69389)
Unfortunately, the Android Chrome only offers Google, Bing, and Yahoo! as search providers. I've set the browser icon on my launcher to instead just use DDG instead of using the stock New Tab page.
Posted Dec 8, 2012 10:28 UTC (Sat) by Lennie (subscriber, #49641)
If I start typing:
It will look up over HTTP:
Posted Dec 8, 2012 18:17 UTC (Sat) by tialaramex (subscriber, #21167)
* The fact that you're connecting to that specific site is revealed to anyone handling your DNS traffic, or your IP traffic, or to anyone doing transit.
* Slashdot redirects you to their non-SSL page anyway
But yes, in theory this particular auto-complete feature betrays things you might wish not to make public.
Posted Dec 8, 2012 18:26 UTC (Sat) by mathstuf (subscriber, #69389)
The DNS traffic can be minimized with a caching DNS server. The external request(s) then go out every so often, not every time you try to access the site. And if you have an array of computers using the caching server, things should be hard to correlate. Of course, a proxy can be inserted which does additional DNS requests for any site referenced on downloaded pages as well to help add some "plausible noise" into the streams.
> Slashdot redirects you to their non-SSL page anyway
That's…yet another reason to avoid slashdot? I kid, I kid. Only half. Maybe.
Posted Dec 9, 2012 1:48 UTC (Sun) by paulj (subscriber, #341)
yum install caching-nameserver + beat NM into leaving resolv.conf alone somehow. +1
Posted Dec 9, 2012 2:37 UTC (Sun) by Lennie (subscriber, #49641)
Because we really don't want every desktop talking to the root or top level domain servers.
Posted Dec 9, 2012 6:45 UTC (Sun) by paulj (subscriber, #341)
Posted Dec 9, 2012 14:24 UTC (Sun) by Lennie (subscriber, #49641)
You really want every device with a browser to talk to the TLD servers for each of these domains? (yes many are the same domain: so let's say 7 per website you visit).
That doesn't add up.
Posted Dec 9, 2012 18:12 UTC (Sun) by paulj (subscriber, #341)
Perhaps this decreased a little since browsers started diverting things typed into the address bar to search engines.
However, the fact remains that the roots and TLDs *already* get hit by queries from *every* device with an interactive user, as well as any which happen to query for some misconfigured or no longer valid hostname. The . and TLDs are *already* set up to handle this kind of load, cause they already get it.
What the intermediate caches do is:
a) Not provide effective caching (distribution of queries is very long tailed) - see e.g. http://dl.acm.org/citation.cfm?id=581877 (and I think there's a more recent ISOC article that found the same thing)
b) Potentially add latency - it may take longer for your computer to get its answer.
c) Provide a huge, juicy target for attackers - a DNS poisoning attack is so much more efficient if you poison a widely shared cache.
Posted Dec 9, 2012 10:19 UTC (Sun) by tzafrir (subscriber, #11501)
Posted Dec 9, 2012 12:57 UTC (Sun) by hummassa (subscriber, #307)
Posted Dec 9, 2012 16:37 UTC (Sun) by cortana (subscriber, #24596)
Posted Dec 8, 2012 21:28 UTC (Sat) by geofft (subscriber, #59789)
(I do avoid Chrome because I dislike Google's corporate policies in general, but I think the individuals comprising the Chrome team are generally quite great about privacy issues like this.)
Posted Dec 8, 2012 21:32 UTC (Sat) by Lennie (subscriber, #49641)
Just checked now, with an updated version on Windows which I hardly use (so I assume that is the default setting).
Posted Dec 9, 2012 20:03 UTC (Sun) by literfizzer (guest, #31274)
Posted Dec 9, 2012 21:56 UTC (Sun) by mathstuf (subscriber, #69389)
Posted Dec 8, 2012 11:30 UTC (Sat) by oever (subscriber, #987)
> Huh? And if a video player is free software, is it hard to call it a video player??
The source code is readable. It is not a secret that the software sends your keypresses to the amazon server. Spyware is secret.
An interesting point is how one can confirm that the binaries that Ubuntu ships are unadulterated results of the source code. There may be some binaries published by Ubuntu, Debian, or any other distribution, but it is very hard to show that they are the result of compiling the exact published source code.
So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.
There's latent checking and spot checks
Posted Dec 8, 2012 18:37 UTC (Sat) by coriordan (guest, #7544)
There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).
And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.
The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.
Posted Dec 8, 2012 20:10 UTC (Sat) by ikm (subscriber, #493)
Posted Dec 8, 2012 21:22 UTC (Sat) by oever (subscriber, #987)
In the above example of WordPress, I assume OP checked the production PHP code. Since WordPress is shipped only as source (as far as I know), this would rule out the presence of spyware in the site.
If the site was running a compiled CGI plugin, finding that the source code has no spyware does not mean that the binary has no spyware. The spyware might even be in the apache binary.
Posted Dec 10, 2012 11:52 UTC (Mon) by coriordan (guest, #7544)
Posted Dec 10, 2012 15:33 UTC (Mon) by dlang (✭ supporter ✭, #313)
True, but is this really spying on you?
For me, Spyware is when the software claims to be doing one thing and is sending your information out to someone. The key here is being deceptive about it.
It's hard to argue that this is doing so without your knowledge, at least after the very first time that you use it and get results back from Amazon.
They are not being deceptive about this, they are advertising the Amazon results as a feature.
If this was scanning your system to gather information and sending it out over the Internet while claiming to do something else, I would be up in arms about this as well, but sending something that you are searching for to a search engine is not being deceptive.
Calling this "spyware" dilutes the term and weakens fighting real spyware.
Posted Dec 10, 2012 22:06 UTC (Mon) by hummassa (subscriber, #307)
I tend to agree with this. But it *is* adware. But, just like android adware, it's simple to turn it off.
Posted Dec 7, 2012 23:50 UTC (Fri) by wagerrard (subscriber, #87558)
It's the internet. Your packets aren't private.
Posted Dec 8, 2012 1:42 UTC (Sat) by rsidd (subscriber, #2582)
True, the first time they see an Amazon result they may do a wtf, learn about this misfeature, and perhaps turn it off.
OT - I just stripped off all the bloat from my two ubuntu computers - gnome, unity, kde, xfce. Only gtk and some very basic gnome libraries remain, with software like libreoffice, evince, inkscape, gimp, and of course latex/emacs/compilers etc remain. I'm using the i3 window manager. It feels so much faster and I'm so much happier.
Posted Dec 10, 2012 15:00 UTC (Mon) by KSteffensen (subscriber, #68295)
Why install Ubuntu in the first place? Allow me to recommend Debian and Gentoo.
Posted Dec 10, 2012 15:29 UTC (Mon) by rsidd (subscriber, #2582)
Posted Dec 8, 2012 12:48 UTC (Sat) by Wol (guest, #4433)
Okay, I don't like deb systems anyway, but I wouldn't bother turning off that misfeature - I would just trash / and replace the entire distro with something else.
The ONLY time I want sales results is usually when I go directly to a shop site and use their local search engine. Going via Google all too often finds me in a maze of nasty little aggregation sites, all alike. Google search is polluted enough already without all these shop / sales-aggregation sites moaning that they don't get enough prominence in the results!