Ubuntu Founder Pledges No Back Doors In Linux (eweek.com)

Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
  • by Anonymous Coward

    Is this like the WMDs in Iraq??!

  • Yeah, right (Score:2, Insightful)

    by Anonymous Coward

    Shuttleworth is like any other citizen: a visit from the polite but scary government people will make him see the light.

    • Re: (Score:3, Informative)

      by KGIII ( 973947 )

      The headline is misleading and contradicts what the summary says. Mark has no such authority nor say. He's got no control over Linux. He uses the Linux kernel in Ubuntu and, rightfully, he spoke specifically about Ubuntu.

      The Ubuntu founder did not say what the headline claims. I was really kind of curious as to why he'd say such a thing and then I realized the summary actually told the truth. That's disappointing, Slashdot. Disappointing indeed. Then again, I haven't checked to see if the submitter was the o

  • Since Mark Shuttleworth is not in charge of Linux, I don't see how he can make this pledge.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      What he's saying is that he will not willingly or knowingly allow or permit anything to be included in the userland, tool chains, and libraries that make Ubuntu what it is. The kernel is still open source and "given enough eyeballs, all bugs are shallow" (ESR). Anyone can take a look at the kernel sources given the skill and time. I agree with Mark. While Canonical does contribute to the kernel, as do Red Hat and others, FLOSS needs to ensure its own playground is clean.

      • The kernel is still open source and "given enough eyeballs, all bugs are shallow" (ESR). Anyone can take a look at the kernel sources given the skill and time.

        It's been said as a counterargument that the source is massive and complex and beyond the capability of most people to sift through. And while that's true, the point is that it is open, and it only takes one person to find a backdoor or other such issue. Backdoors would eventually and inevitably be found and exposed. That is not at all the case with closed proprietary systems.

    • Nobody made any promises regarding Linux. As per the quote in the summary...

      Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.

      • by KGIII ( 973947 )

        Err... Have you read the title? Unless they changed it - the title clearly states that such a pledge was made.

        "Ubuntu Founder Pledges No Back Doors in Linux"

        The summary contradicts the title. Shuttleworth hasn't the authority to make any such claim about Linux. He can, of course, make such claims about Ubuntu. Linux is not Ubuntu. The title is really quite erroneous and it might even be intentionally so.

  • by LichtSpektren ( 4201985 ) on Tuesday May 03, 2016 @09:50AM (#52035205)

    Nothing drives me further from Microsoft and Blackberry than their CEOs being wishy-washy about whether your device is secure, even against "lawful interception" or whatever the gentle euphemism for backdoor is these days. But my only qualm here is that Mark Shuttleworth isn't currently the CEO of Canonical; perhaps the company itself should make a strong statement to this effect?

    • As should every F/OSS endeavor; from CLI utility to OS.

  • Comment removed (Score:4, Insightful)

    by account_deleted ( 4530225 ) on Tuesday May 03, 2016 @09:57AM (#52035263)
    Comment removed based on user account deletion

    • the whole point of Linux was that you didn't have to make any fucking pledges

      Bad headline. Shuttleworth was talking about Ubuntu, not Linux.

    • So you have the time and resources to run a full source code audit on the OS. (You might as well build from source all those components, just in case the source code that you review isn't the same as what is in the binary.)

      The problem is we need Government and Corporations to do work that we don't have the resources to do ourselves. Now the problem is how can we trust them? Because I really don't want to spend 18 hours a day maintaining my personal infrastructure just to survive. I'd much rather focus on what

      • by KGIII ( 973947 )

        This is more a reminder than a personal question but I'm going to phrase it as a question - albeit a rhetorical one.

        When was the last time you returned some of those resources to the people you're relying on - such as donating to the various projects who write the source you use or maintain the distro that you use?

      • It's not so much about doing the work of auditing all the source yourself. It's about the source being open so as to prevent someone from slipping in a backdoor in the first place, and trusting that at least one person among the many millions who care about this would spot it and let everyone else know.

        I'm not rabidly anti-corporation or anti-government, but you have to understand that at their cores, neither of those entities has a vested interested in allowing you to maintain your privacy. Corporations

    • by Kjella ( 173770 )

      the whole point of Linux was that you didn't have to make any fucking pledges. (...) Further, the nature of open source code itself discourages the kinds of back-doors

      You know that and I know that and Mark Shuttleworth knows it too. And I don't think he was ever considering adding one. The pledge is just a PR grab and he can even top it off with saying everyone's welcome to verify that themselves by inspecting the source. If I was competing against two major closed source operating systems I'd do it too, who cares if it's a bit "well, duuuh" for existing open source users.

      "We don't do encryption to hide things; we do encryption so we can choose what to share"

      As a greybeard, Fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not be encrypted. When you recontext my privacy in terms of what I'm willing to "share" with people it debases the very real need for encryption to circumvent things like warrantless wiretaps, blanket government surveillance, and invasive advertising. Stop treating me like a toddler for using cryptography.

      It sounds like something Phil Zimmerman could have said, would your response have been the same?

      Maybe you will, maybe you won't, but again, the point of Linux is that I don't need a 60 million dollar corporation to reassure me about privacy. If you do it (like you screwed developers with contributor agreements and the UI) I'll just switch to a different distro or I'll fork yours.

      Soun

    • As a greybeard, Fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not be encrypted.

      So you agree with him then? Now take a breath. Because that's exactly what he was saying. YOU CHOOSE what to share. You do so by using or not using encryption to maintain information private between yourself and the person YOU CHOOSE to share it with. If he's going to speak in general words, and you're going to frame this into a me vs the government debate then I'm going to side with Shuttleworth since he is talking about the superset of possible people I may not want to share something with.

  • by Anonymous Coward

    Shuttlecock already frontdoored Ubuntu when they decided to send the user's LOCAL queries to amazon without permission or notification. I never recommend anyone use Ubuntu for any reason after that incident.

    • by cfalcon ( 779563 )

      > when they decided to send the user's LOCAL queries to amazon without permission or notification

      I'm pretty sure there was notification, and there was a configurable option to stop it.

      It was still wrong, of course, and it is being stripped out in Ubuntu Unity 8. So I wouldn't throw too many lemons at them- enough were thrown to get them to do the right thing already.

      • by Anonymous Coward

        I can tell you from first hand experience, it was opt out only, and there was no notification. Here's a popular AskUbuntu [askubuntu.com] article which shows how complicated it has been over the years (the interface changed a few times, etc). This PCWorld article [pcworld.com] claims that in the beginning there wasn't even a GUI option to disable it, meaning you had to know it was there, find the package and purge it. SUPER sketchy.

        It doesn't matter if they remove it as this point. As shuttlecock himself said of the whole fiasco, "[they

        • There was notification, for fricking sake it was one of the selling points of the new search lens that you could get results from Amazon back. Also they didn't send it directly to Amazon; they routed all traffic via their own servers so that Amazon could not collect the source IP for each query. While the setting to disable it might have been changed, you could always just apt-get remove the shopping lens and get rid of it that way. And as of 16.04 the lens is not opt in as it should have been from the start.

  • What are you going to do about the secret courts that you didn't know about making all those legal decisions you cannot tell us about?

    You cannot even believe your parking tickets when that system exists.

    Full transparency of the legal process is what must be enforced. How is the founder of some distro going to ensure that?

  • by Anonymous Coward

    Ever bother looking at that code?

    Good luck proving there's no back door in that.

  • sudo apt-get remove backdoor
    sudo apt-get remove backdoor-lib

    and

    sudo apt-get remove --purge NSA-spy-lib.4

    After that you want to reboot and then do a update and upgrade.

  • ... but we'll send all your desktop searches to Amazon...

    • Valid complaint. But I think you should give some credit to Canonical because it's no longer the default in 16.04. They learned from their errors.

  • Ubuntu Founder Pledges No Intentional Back Doors In Linux; Lots of Unintentional Back Doors.

  • A complete sham (Score:4, Interesting)

    by mushroom blue ( 8836 ) on Tuesday May 03, 2016 @11:25AM (#52036139)

    If you're really concerned about security, you are likely running OpenBSD or a heavily-modified linux kernel by now.

    Linus Torvalds was asked during a LinuxWorld keynote two years back if he was told by government agents to put hardware backdoors in Linux. He said no, while nodding yes. His father, Nils Torvalds, a member of EU parliament, put it on the record that his son was approached by government agents requesting backdoors.

    There is a known issue with the random number generator being _forced_ to do hardware-based (known to be broken on Intel/AMD chipsets) random number generation. Under Open/Net/FreeBSD, there's an intermediary (software) random number generator that ensures actual randomness. Linus uncharacteristically led this charge to keep the RDRAND weakened, even resorting to calling others stupid for thinking otherwise. A prominent developer resigned due to it.

    There is at least one recent Intel Management Engine talk at last year's Chaos Communication Congress. There was a similar talk the year before about AMD chipsets and their secret undocumented internal firmware. If you enjoy strong encryption, you would be wise to apply the proposed RDRAND patches that Linus rejected.

    Now that all the major distributions have adopted systemd, there's now a full RPC backdoor to not only the GPL's linking requirements, but a backdoor to run "Approved" (by whom? we'll get to that) code automatically. Many people have publicly posited that systemd will be the cause of "The Big One" vulnerability that eventually comes out of Linux and ruins its reputation.

    Now, for the Ubuntu side: Canonical is incorporated in City of London, which means they are under the jurisdiction of GCHQ. Anyone who has watched/read a talk by Moxie Marlinspike will know that SSL/TLS is easily-spoofable by nation states. They will probably also know how exploitable SSL/TLS is today. All the draconian crap the GCHQ has jurisdiction over can easily be extended to a corporation registered under their governance. If Canonical refuses, they will be forced to, the way Google is forced to comply in the United States under similar framework. End result is that you cannot trust anything beyond your initial install CD, if you can even trust that.

    You will likely never look through the custom patches compiled into your binaries, let alone think about Ken Thompson's "Trusting Trust" essay. You will just download your updates, and assume everything is A-OK. You are an end-user, and that's okay. Just don't think Shuttleworth's words are anything but a big fat placebo to keep his stock value afloat.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      Theo Tso fixed it back in 2012 by just using it as an additional (but not sole) source of entropy:

      https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9 [kernel.org]
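      The "A complete sham" comment above worries about a kernel being forced to rely on a hardware RNG alone; the reply points to a commit that instead treats the hardware output as one entropy input among several. The following Python is an added example and is not code from either post, from the kernel, or from Ubuntu: it builds a toy entropy pool that hashes a hardware sample together with software-gathered samples, and sets it beside a design that returns hardware output directly. The SHA-256 mixer, the pool layout, the stuck_hw_rng and healthy_hw_rng stand-ins and the sample inputs are all constructed for illustration; the kernel's actual mixing code is different and is not reproduced here.

```python
import hashlib
import os

POOL_BYTES = 32  # size of the toy entropy pool: one SHA-256 digest


def mix_into_pool(pool: bytes, hw_sample: bytes, sw_sample: bytes) -> bytes:
    """Fold one hardware-RNG sample and one software-gathered sample into the pool.

    Inputs are length-prefixed so different splits of the same bytes cannot
    collide, and everything is hashed together so a stuck or attacker-influenced
    hardware sample cannot cancel out the software sample (unlike a bare XOR of
    two values an attacker might both know).
    """
    h = hashlib.sha256()
    h.update(b"mix|" + pool)
    h.update(len(hw_sample).to_bytes(4, "big") + hw_sample)
    h.update(len(sw_sample).to_bytes(4, "big") + sw_sample)
    return h.digest()


def extract_output(pool: bytes, nbytes: int = 32) -> tuple:
    """Derive output bytes and a fresh pool state from the current pool.

    Output and next state use different hash prefixes, so seeing the output
    does not reveal the pool, and the old pool state is discarded afterwards.
    """
    out = hashlib.sha256(b"out|" + pool).digest()[:nbytes]
    next_pool = hashlib.sha256(b"next|" + pool).digest()
    return out, next_pool


def stuck_hw_rng(n: int) -> bytes:
    """Constructed stand-in for a faulty hardware RNG that only ever returns zeros."""
    return b"\x00" * n


def healthy_hw_rng(n: int) -> bytes:
    """Constructed stand-in for a working hardware RNG (os.urandom for the demo)."""
    return os.urandom(n)


def sole_source_random(hw_rng, nbytes: int = 32) -> bytes:
    """The design the comment warns about: hand hardware RNG output straight through."""
    return hw_rng(nbytes)


def mixed_random(hw_rng, sw_samples, nbytes: int = 32) -> bytes:
    """The additional-not-sole design: hardware output is one input among several."""
    pool = b"\x00" * POOL_BYTES
    for sw in sw_samples:
        pool = mix_into_pool(pool, hw_rng(8), sw)
    out, _ = extract_output(pool, nbytes)
    return out


if __name__ == "__main__":
    # Constructed software samples standing in for interrupt/disk timing jitter.
    samples = [b"irq:17:0x3a1f", b"disk:sda:0x9c02", b"kbd:0x77"]
    print("sole source, stuck RNG :", sole_source_random(stuck_hw_rng).hex())
    print("mixed, stuck RNG       :", mixed_random(stuck_hw_rng, samples).hex())
    print("mixed, healthy RNG     :", mixed_random(healthy_hw_rng, samples).hex())
```

      With a stuck hardware RNG the sole-source design emits all zeros, while the mixed design still produces output that depends on the software samples; with a healthy hardware RNG the mixed design still benefits from it even when the software samples are predictable. That is the property the linked change is after: a broken or untrusted hardware source can only fail to add entropy, not remove what the other sources contributed.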

    • Being approached and asked about putting a back door in and actually complying and putting a back door in are two different things. All we know is that he has probably been asked to do it; we do not know if he complied. Considering that the source is completely open, it's very likely that he explained to the NSA et al. that it couldn't be done.

      Regarding Canonical there is AFAIK no equivalent of the US National Security Letters in the UK, courts there can order gag orders but only to protect the privacy of people and

    • At the last RSA Conference, a friendly salesman for a hardware company (not Intel or AMD) eagerly told me about his company's main product: They have a chip embedded in over a billion currently-deployed devices, including laptops and phones, that offers complete remote tracking and ownership functionality at the hardware level. Or so claims the salesman. He was selling it as a theft-recovery service for bigcorps, but more nefarious possible uses are pretty obvious.

  • ... I don't believe a word he says. Yes, Ubuntu is far and away the best OS choice today. And yes, Ubuntu is almost certainly already backdoored. Canonical does lawful business in anti-freedom countries like the United States and China. Therefore Canonical's software must be compromised.

  • Isn't it like saying 'I will never be a serial killer'? It's not like lying is worse than doing the act, so what would make a malicious actor even hesitate to make the same claim?

    This is nothing about Canonical, just an observation on the pointlessness of such statements in general.

  • With likely over 10,000 distinct authors of code, most without any type of mandated review process... Dude, I wouldn't be worried about 007 and Edward Snowden spying on you with Ubuntu. I'd be worried about your neighbor's anti-social looking teen having a trojan somewhere. Use Fedora. The NSA does :P
