> In that light it is hard to call the code spyware.
Huh? And if a video player is free software, is it hard to call it a video player??
Free or proprietary, spyware is spyware. Until now, the amount of spyware in free software was insignificant, and we could always say "free software doesn't contain spyware because taking it out is easy and the upstream developer would just lose face". Ubuntu might change this.
> the autocompletion in the Google search field in the browser.
I don't know much about this functionality, but it might be harmless. If you're trying to do a web search for "get mail folders", and your browser sends "g", then "ge", then "get" etc. to the server before you manage to type the whole string, then you're sending the server *less* info than if your browser waited for you to type the string.
(I agree with your other points, but wanted to point out these details.)
Posted Dec 7, 2012 22:53 UTC (Fri) by apoelstra (subscriber, #75205)
> I don't know much about this functionality, but it might be harmless. If you're trying to do a web search for "get mail folders", and your browser sends "g", then "ge", then "get" etc. to the server before you manage to type the whole string, then you're sending the server *less* info than if your browser waited for you to type the string.
Not only is it physically telling the server more information (since "g", "ge", "get", ..., "get mail folders" totals roughly the square of the number of characters in just "get mail folders"), but you are also telling the server how fast you type, what kind of typos you make (and therefore your keyboard layout and whether you are human). If you are typing in the wrong field, it could obtain passwords or other personal information, or at least determine what other programs you're running.
Plus, by sending information every keystroke, you're sending highly-correlated information that can be matched up if you are connecting through some sort of darknet that uses multiple paths.
Not to mention, if you spend a significant amount of time at a keyboard, there is a tendency to use any text-entry mechanism as an extension of your immediate-term memory. So if this leaves your system, the remote server is literally reading your thoughts.
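The difference between a client that sends every keystroke and one that sends only the submitted query, modelled on the "get mail folders" example above. This is an added illustration, not code from the thread; the keystroke sequence (with a corrected typo) is constructed.

```python
# Added example: what a search server receives from a browser that sends a
# request on every keystroke versus one that sends only the submitted query.
# The keystroke sequence is constructed; "\b" stands for backspace.

def typed_prefixes(keystrokes):
    """Return the field contents after each keystroke, applying backspaces."""
    buf, states = [], []
    for k in keystrokes:
        if k == "\b":
            if buf:
                buf.pop()
        else:
            buf.append(k)
        states.append("".join(buf))
    return states

def server_view(keystrokes, per_keystroke):
    """Requests the server sees under each client policy."""
    states = typed_prefixes(keystrokes)
    if per_keystroke:
        # Every non-empty intermediate state becomes a request.
        return [s for s in states if s]
    # Only the final string is sent, when the user presses Enter.
    return [states[-1]] if states and states[-1] else []

def leaked_chars(requests):
    """Total characters transmitted across all requests."""
    return sum(len(r) for r in requests)

def reveals_typo(requests, final):
    """True if a sent prefix is not a prefix of the final query (a typo leaked)."""
    return any(not final.startswith(r) for r in requests)

# Constructed trace: the user types "get mia", backspaces twice, then finishes.
KEYSTROKES = list("get mia") + ["\b", "\b"] + list("ail folders")

if __name__ == "__main__":
    final = typed_prefixes(KEYSTROKES)[-1]
    for mode in (True, False):
        reqs = server_view(KEYSTROKES, mode)
        print("per-keystroke" if mode else "on-submit",
              len(reqs), "requests,", leaked_chars(reqs), "chars,",
              "typo visible" if reveals_typo(reqs, final) else "typo hidden")
```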
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 7, 2012 22:56 UTC (Fri) by JoeBuck (subscriber, #2330)
The auto-completion feature in Google or Bing search sends characters to Google or Bing as soon as you type them, but the user is fully aware that he/she is sending a query to a search engine. But Ubuntu sends the query to Amazon even when you thought that you were only searching your local computer, or that you were searching Ubuntu's package list for a program. At the very least, this should be opt-in, not opt-out.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 10, 2012 11:49 UTC (Mon) by coriordan (guest, #7544)
Exactly. The two are not to be confused.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 1:18 UTC (Sat) by Lennie (subscriber, #49641)
It is one of several reasons why I use Firefox and not Chromium/Chrome.
Chrome will send everything you type in the address bar to Google (is there a preferred search engine setting? I have never checked).
Firefox will only send something to your preferred search engine when you type it in the search box.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 6:34 UTC (Sat) by mathstuf (subscriber, #69389)
Yeah, I set DuckDuckGo as my search provider in Chromium. DDG has a link to do that on their page. If you still want Google, at least change it to HTTPS.
Unfortunately, the Android Chrome only offers Google, Bing, and Yahoo! as search providers. I've set the browser icon on my launcher to just use DDG instead of the stock New Tab page.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 10:28 UTC (Sat) by Lennie (subscriber, #49641)
Yes, that is the other problem: by default it is also a security leak.
Posted Dec 8, 2012 18:17 UTC (Sat) by tialaramex (subscriber, #21167)
Of course when you hit enter:
* The fact that you're connecting to that specific site is revealed to anyone handling your DNS traffic, or your IP traffic, or to anyone doing transit.
* Slashdot redirects you to their non-SSL page anyway
But yes, in theory this particular auto-complete feature betrays things you might wish not to make public.
Slashdot
Posted Dec 8, 2012 18:26 UTC (Sat) by mathstuf (subscriber, #69389)
> The fact that you're connecting to that specific site is revealed to anyone handling your DNS traffic, or your IP traffic, or to anyone doing transit.
The DNS traffic can be minimized with a caching DNS server. The external request(s) then go out every so often, not every time you try to access the site. And if you have an array of computers using the caching server, things should be hard to correlate. Of course, a proxy can be inserted which does additional DNS requests for any site referenced on downloaded pages as well to help add some "plausible noise" into the streams.
> Slashdot redirects you to their non-SSL page anyway
That's…yet another reason to avoid slashdot? I kid, I kid. Only half. Maybe.
Slashdot
Posted Dec 9, 2012 1:48 UTC (Sun) by paulj (subscriber, #341)
A local, caching, fully capable recursive resolver (e.g. an actual nameserver) should be a default install on all machines really. Better for privacy, better for DNS-Sec (who is ever going to configure a stub-resolver with TSIG, and a DNS-Sec validating stub resolver has to do all the work of a fully functioning recursive server), better for avoiding poisoning attacks on shared recursive nameservers.
Posted Dec 9, 2012 2:37 UTC (Sun) by Lennie (subscriber, #49641)
If everyone did that, then I hope you mean: local, caching, fully capable, forwarding recursor.
Because we really don't want every desktop talking to the root or top level domain servers.
Slashdot
Posted Dec 9, 2012 6:45 UTC (Sun) by paulj (subscriber, #341)
Forwarding would just add latency and fragility. The .'s are a fixed set (in terms of the IPs), both the . and TLDs are quite a large set in terms of # of servers. The commonly contacted ones would be cached. Also, I've seen scribblings in the IETF journal once that questioned whether hierarchy of caching achieved much in the way of gains. Finally, the .'s and TLDs can handle the additional load - anycast is a powerful tool.
Slashdot
Posted Dec 9, 2012 14:24 UTC (Sun) by Lennie (subscriber, #49641)
You really want every device with a browser to talk to the TLD servers for each of these domains? (Yes, many are the same domain, so let's say 7 per website you visit.)
That doesn't add up.
Slashdot
Posted Dec 9, 2012 18:12 UTC (Sun) by paulj (subscriber, #341)
The roots and TLDs are *more* than capable of handling requests from every device on the internet, without caching. There is a simple proof for this: They *did so* - users will regularly make typos in their browsers, queries for these non-existent domains will go out to the "." and (if the TLD is valid) to the TLDs.
Perhaps this decreased a little since browsers started diverting things typed into the address bar to search engines.
However, the fact remains that the roots and TLDs *already* get hit by queries from *every* device with an interactive user, as well as any which happen to query for some misconfigured or no longer valid hostname. The . and TLDs are *already* set up to handle this kind of load, because they already get it.
What the intermediate caches do is:
a) Not provide effective caching (distribution of queries is very long tailed) - see e.g. http://dl.acm.org/citation.cfm?id=581877 (and I think there's a more recent ISOC article that found the same thing)
b) Potentially add latency - it may take longer for your computer to get its answer.
c) Provide a huge, juicy target for attackers - a DNS poisoning attack is so much more efficient if you poison a widely shared cache.
Slashdot
Posted Dec 9, 2012 10:19 UTC (Sun) by tzafrir (subscriber, #11501)
You mean: beat NM into not using dnsmasq for this? (At least in Debian. Not sure about other distributions.)
Slashdot
Posted Dec 9, 2012 12:57 UTC (Sun) by hummassa (subscriber, #307)
Ubuntu, too. I was asking myself the same thing.
Slashdot
Posted Dec 9, 2012 16:37 UTC (Sun) by cortana (subscriber, #24596)
AFAIK dnsmasq is used for the connection sharing feature. I'm using NM on my machines and it merely writes the DHCP- or user-specified name servers into /etc/resolv.conf.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 21:28 UTC (Sat) by geofft (subscriber, #59789)
Is that actually true? I recall hearing that it will stop sending as soon as you type "https", for exactly that reason.
(I do avoid Chrome because I dislike Google's corporate policies in general, but I think the individuals comprising the Chrome team are generally quite great about privacy issues like this.)
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 21:32 UTC (Sat) by Lennie (subscriber, #49641)
It really does do that.
Just checked now, with an updated version on Windows which I hardly use (so I assume that is the default setting).
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 9, 2012 20:03 UTC (Sun) by literfizzer (guest, #31274)
The browser in CyanogenMod supports DuckDuckGo as a search engine choice out of the box.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 9, 2012 21:56 UTC (Sun) by mathstuf (subscriber, #69389)
That's good news, but what should really happen is that search providers are used instead. IIRC, Firefox on Android stopped doing so sometime after 12 or so. The DDG add-on even stopped working too (though about:config still works, which is…less than ideal).
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 8, 2012 11:30 UTC (Sat) by oever (subscriber, #987)
> > In that light it is hard to call the code spyware.
> Huh? And if a video player is free software, is it hard to call it a video player??
The source code is readable. It is not a secret that the software sends your keypresses to the amazon server. Spyware is secret.
An interesting point is how one can confirm that the binaries that Ubuntu ships are unadulterated results of the source code. There may be some binaries published by Ubuntu, Debian, or any other distribution, but it is very hard to show that they are the result of compiling the exact published source code.
So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.
There's latent checking and spot checks
Posted Dec 8, 2012 18:37 UTC (Sat) by coriordan (guest, #7544)
> So GNU/Linux distributions *may* contain spyware. I am not aware of anybody that bothers to check.
There's lots of latent checking. When people look at the code for any reason, they might spot the spyware (if there is spyware).
And there are spot checks when there's a suspicion. Someone accused me last year of running a site which sent info to a third-party server. I checked the code (it was WordPress) and found that the person was wrong.
The risks are pretty high since one person can remove the spyware and distribute a spyware-free version, so the original developer will lose face and will cease to be the upstream source of the software. With risks that high, latent checking and spot checks are generally enough to dissuade developers from putting in spyware in the first place.
There's latent checking and spot checks
Posted Dec 8, 2012 20:10 UTC (Sat) by ikm (subscriber, #493)
I believe OP meant that binary packages may not correspond to the sources they were supposed to be built from, and it's hard to check whether they actually do.
There's latent checking and spot checks
Posted Dec 8, 2012 21:22 UTC (Sat) by oever (subscriber, #987)
Yes, I meant that it is hard to match binary to source. Publishing a binary with spyware and claiming that it corresponds to source code which has no spyware can go undetected.
In the above example of WordPress, I assume OP checked the production PHP code. Since WordPress is shipped only as source (as far as I know), this would rule out the presence of spyware in the site.
If the site was running a compiled CGI plugin, finding that the source code has no spyware does not mean that the binary has no spyware. The spyware might even be in the apache binary.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 10, 2012 11:52 UTC (Mon) by coriordan (guest, #7544)
Software that spies on you is spyware. It doesn't matter if it's free or proprietary.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 10, 2012 15:33 UTC (Mon) by dlang (✭ supporter ✭, #313)
> Software that spies on you is spyware. It doesn't matter if it's free or proprietary.
True, but is this really spying on you?
For me, spyware is when the software claims to be doing one thing and is sending your information out to someone. The key here is being deceptive about it.
It's hard to argue that this is doing so without your knowledge, at least after the very first time that you use it and get results back from Amazon.
They are not being deceptive about this; they are advertising the Amazon results as a feature.
If this was scanning your system to gather information and sending it out over the Internet while claiming to do something else, I would be up in arms about this as well, but sending something that you are searching for to a search engine is not being deceptive.
Calling this "spyware" dilutes the term and weakens fighting real spyware.
Stallman: Ubuntu Spyware: What to Do?
Posted Dec 10, 2012 22:06 UTC (Mon) by hummassa (subscriber, #307)
> Calling this "spyware" dilutes the term and weakens fighting real spyware.
I tend to agree with this. But it *is* adware. But, just like android adware, it's simple to turn it off.