Ubuntu Founder Pledges No Back Doors In Linux (eweek.com)
Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Re: That must mean... (Score:5, Insightful)
Exactly... he didn't try to hide it, and it's easy enough to disable. Yes, I know these kinds of things should be opt-in, but the difference between Ubuntu and, for example, Windows, is you're getting a polished OS at zero financial cost to you - and to add insult to injury, after paying for Windows it's nearly impossible to stop all the spying on you (especially for an average to newer user)... And I say that as someone who actually likes Windows 10, too.
No, the problem with CEOs and Presidents making claims like "no back doors" is that he can't control every employee, and while an employee might suffer the repercussions of an indiscretion like leaving a back-door in a program, so does the CEO and the company.
Re: (Score:3)
Oh sure, Windows 10 *looks* pretty, works reasonably well, but if you take into account the spyware aspects of it, it comes out being an "attractive nuisance", or as I like to call it, a CTD, a computer-transmitted disease, not unlike an STD.
Re: (Score:1)
This fabled, nebulous "spying" we've heard so much about but have yet to actually see...
Re: That must mean... (Score:4, Insightful)
Ultimately, I can configure the Linux kernel to block all outgoing traffic except to a proxy server, and only the web browser would use that, so any other programs on the machine will not be able to phone home. Windows, who knows what is phoning home, and where. The only way I can ensure a Windows box isn't yapping to unknown people is to place it on its own subnet/VLAN and use a proxy server for applications like Firefox that have a separate credential/proxy storage.
Re: (Score:2)
It's got systemd to keep the front door open all day long.
Since you're so confident that there's a backdoor in systemd, perhaps you could help us millions of plebs on it and show us for our own safety?
What?! (Score:1)
Is this like the WMDs in Iraq??!
Re: (Score:1)
You mean the 400 Borak rockets filled with pure Sarin gas, or the 550 metric tons of yellowcake?
http://dailyheadlines.net/archives/25993 [dailyheadlines.net]
Except that article is as full of shit as war criminals Bush and Cheney were.
If your country is being invaded by the most powerful military in the world and you have WMDs, you fucking use them, you ignorant shill. Just like he didn't hesitate to use them back in the 80s when he had them and he was our ally, being invaded by Iran.
Yeah, right (Score:2, Insightful)
Shuttleworth is like any other citizen: a visit from the polite but scary government people will make him see the light.
Re: (Score:3, Informative)
The headline is misleading and contradicts what the summary says. Mark has no such authority nor say. He's got no control over Linux. He uses the Linux kernel in Ubuntu and, rightfully, he spoke specifically about Ubuntu.
The Ubuntu founder did not say what the headline claims. I was really kind of curious as to why he'd say such a thing and then I realized the summary actually told the truth. That's disappointing Slashdot. Disappointing indeed. Then again, I haven't checked to see if the submitter was the o
Re: (Score:2)
He can easily claim his company hasn't added backdoors, because they have already been added by others. Namely, systemd is the centralized backdoor.
Show me the backdoor in systemd.
Not For Him to Promise (Score:1, Informative)
Since Mark Shuttleworth is not in charge of Linux, I don't see how he can make this pledge.
Re: (Score:2, Insightful)
What he's saying is that he will not willingly or knowingly allow or permit anything to be included in the userland, tool chains, and libraries that make Ubuntu what it is. The kernel is still open source and "given enough eyeballs, all bugs are shallow" (ESR). Anyone can take a look at the kernel sources given the skill and time. I agree with Mark. While Canonical does contribute to the kernel, as do Red Hat and others, FLOSS needs to ensure its own playground is clean.
Re: (Score:2)
The kernel is still open source and "given enough eyeballs, all bugs are shallow" (ESR). Anyone can take a look at the kernel sources given the skill and time.
It's been said as a counterargument that the source is massive and complex and beyond the capability of most people to sift through. And while that's true, the point is that it is open, and it only takes one person to find a backdoor or other such issue. Backdoors would eventually and inevitably be found and exposed. That is not at all the case with closed proprietary systems.
Re: (Score:3)
Nobody made any promises regarding Linux. As per the quote in the summary...
Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Re: (Score:2)
Err... Have you read the title? Unless they changed it - the title clearly states that such a pledge was made.
"Ubuntu Founder Pledges No Back Doors in Linux"
The summary contradicts the title. Shuttleworth hasn't the authority to make any such claim about Linux. He can, of course, make such claims about Ubuntu. Linux is not Ubuntu. The title is really quite erroneous and it might even be intentionally so.
Re: (Score:3)
Did you even read the summary?
His quote was:
"We will never backdoor Ubuntu; we will never weaken encryption,"
He never made any promises about Linux as a whole. Equating Ubuntu to Linux as a whole was a mistake of the editors here - not Shuttleworth.
Re: (Score:2)
Did you even read the summary?
Did you even read the headline?
Did you even read the comment? GP acknowledged the error and blamed Slashdot already.
Re: (Score:1)
Whoppee doo. He just said that Ubuntu won't mess with any of the Debian packages that they rebrand.
So what, it's the same thing.
Now, a real pledge would be that Ubuntu would actively audit security-critical packages from upstream providers to prevent disasters like the real-life backdoor that Debian added to OpenSSL when they screwed up the PRNG: https://freedom-to-tinker.com/... [freedom-to-tinker.com]
Was it evil NSA conspiracy? No, but it was a real backdoor added to an open source project!
Re: (Score:2)
Was it evil NSA conspiracy? No, but it was a real backdoor added to an open source project!
Which was duly found and exposed, which is the point with open source. I certainly won't claim that no one will ever try something shady. What I do claim is that it will inevitably be brought to light. Can you say that about closed proprietary systems?
Canonical should make an official statement (Score:5, Interesting)
Re:Canonical should make an official statement (Score:5, Informative)
Agreed. When Linus was directly confronted about whether he has been approached about backdoors in Linux, he said no, but while nodding his head. What a trustworthy guy!
Are you familiar with the concept of national security letters [wikipedia.org]?
Saying yes is the kind of action that makes you end up in a secret court where you aren't allowed to disclose any information to your lawyer.
By saying no while nodding he has given us the information we need without breaking the gag-order.
Re: (Score:2)
Agreed. When Linus was directly confronted about whether he has been approached about backdoors in Linux, he said no, but while nodding his head. What a trustworthy guy!
Are you familiar with the concept of national security letters [wikipedia.org]?
Saying yes is the kind of action that makes you end up in a secret court where you aren't allowed to disclose any information to your lawyer.
By saying no while nodding he has given us the information we need without breaking the gag-order.
This should be modded +10 informative.
Re: (Score:2)
His father (EU Member of Parliament Nils Torvalds) put his son's actions (saying no, while nodding yes) on the record in EU parliament shortly afterwards. His father believes he's been approached.
Re: (Score:2)
The whole point of Linux was that you didn't have to make any fucking pledges.
Bad headline. Shuttleworth was talking about Ubuntu, not Linux.
Re: (Score:2)
So you have the time and resources to run a full source code audit on the OS. (You might as well build from source all those components, just in case the source code that you review isn't the same what is in the binary.)
The problem is we need Government and Corporations to do work that we don't have the resources to do ourselves; now the problem is how can we trust them? Because I really don't want to spend 18 hours a day maintaining my personal infrastructure just to survive. I much rather focus on what
Re: (Score:3)
This is more a reminder than a personal question but I'm going to phrase it as a question - albeit a rhetorical one.
When was the last time you returned some of those resources to the people you're relying on - such as donating to the various projects who write the source you use or maintain the distro that you use?
Re: (Score:2)
It's not so much about doing the work of auditing all the source yourself. It's about the source being open so as to prevent someone from slipping in a backdoor in the first place, and trusting that at least one person among the many millions who care about this would spot it and let everyone else know.
I'm not rabidly anti-corporation or anti-government, but you have to understand that at their cores, neither of those entities has a vested interest in allowing you to maintain your privacy. Corporations
Re: (Score:2)
the whole point of Linux was that you didn't have to make any fucking pledges. (...) Further, the nature of open source code itself discourages the kinds of back-doors
You know that and I know that and Mark Shuttleworth knows it too. And I don't think he was ever considering adding one. The pledge is just a PR grab and he can even top it off with saying everyone's welcome to verify that themselves by inspecting the source. If I was competing against two major closed source operating systems I'd do it too, who cares if it's a bit "well, duuuh" for existing open source users.
"We don't do encryption to hide things; we do encryption so we can choose what to share"
As a greybeard, fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not, be encrypted. When you recontext my privacy in terms of what I'm willing to "share" with people, it debases the very real need for encryption to circumvent things like warrantless wiretaps, blanket government surveillance, and invasive advertising. Stop treating me like a toddler for using cryptography.
It sounds like something Phil Zimmerman could have said, would your response have been the same?
Maybe you will, maybe you won't, but again, the point of Linux is that I don't need a 60 million dollar corporation to reassure me about privacy. If you do it --like you screwed developers with contributor agreements and the UI-- I'll just switch to a different distro or I'll fork yours.
Soun
Re: (Score:2)
As a greybeard, fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not, be encrypted.
So you agree with him then? Now take a breath. Because that's exactly what he was saying. YOU CHOOSE what to share. You do so by using or not using encryption to maintain information private between yourself and the person YOU CHOOSE to share it with. If he's going to speak in general words, and you're going to frame this into a me vs the government debate then I'm going to side with Shuttleworth since he is talking about the superset of possible people I may not want to share something with.
Re: (Score:2)
Newsflash: Linux has "sold out". Even Slackware is being forced to go down that path, recently allowing PulseAudio to infect their system because (get this) Bluetooth won't work without it. (Are you kidding me?)
If you want pure and clean today, what you want is BSD.
If you don't like PulseAudio, uninstall it. If you have some pathological need to avoid it in your default install, use Gentoo.
Re: (Score:2)
Running Gentoo. Full KDE5 desktop.
Never installed PulseAudio or NetworkManager. Doing great with wpa_gui and Jack2/Cadence. Bluetooth doesn't depend on either, and my Wiimotes/speakers work great with the Bluetooth stack.
Jack allows me to take a WebRTC audio stream, pipe it into FL Studio (under WINE!) for effects, and then pipe that output into Skype/Audacious/Audacity/VLC/ffmpeg/Carla at the same time, to as many different sound outputs as I want (even on different PCs!), in _realtime_. PulseAudio is a
Ubuntu Is Already Frontdoored (Score:1)
Shuttlecock already frontdoored Ubuntu when they decided to send the user's LOCAL queries to Amazon without permission or notification. I never recommend anyone use Ubuntu for any reason after that incident.
Re: (Score:1)
> when they decided to send the user's LOCAL queries to Amazon without permission or notification
I'm pretty sure there was notification, and there was a configurable option to stop it.
It was still wrong, of course, and it is being stripped out in Ubuntu Unity 8. So I wouldn't throw too many lemons at them- enough were thrown to get them to do the right thing already.
Re: (Score:1)
I can tell you from first hand experience, it was opt out only, and there was no notification. Here's a popular AskUbuntu [askubuntu.com] article which shows how complicated it has been over the years (the interface changed a few times, etc). This PCWorld article [pcworld.com] claims that in the beginning there wasn't even a GUI option to disable it, meaning you had to know it was there, find the package and purge it. SUPER sketchy.
It doesn't matter if they remove it as this point. As shuttlecock himself said of the whole fiasco, "[they
But dude (Score:2)
What are you going to do about the secret courts that you didn't know about making all those legal decisions you cannot tell us about?
You cannot even believe your parking tickets when that system exists.
Full transparency of the legal process is what must be enforced. How is the founder of some distro going to ensure that?
Yeah, good luck auditing OpenSSH (Score:1)
Ever bother looking at that code?
Good luck proving there's no back door in that.
It's easy.... (Score:2)
sudo apt-get remove backdoor
sudo apt-get remove backdoor-lib
and
sudo apt-get remove --purge NSA-spy-lib.4
After that you want to reboot and then do a update and upgrade.
We will never back door Linux... (Score:1)
... but we'll send all your desktop searches to Amazon...
Or rather... (Score:2)
Ubuntu Founder Pledges No Intentional Back Doors In Linux; Lots of Unintentional Back Doors.
A complete sham (Score:4, Interesting)
If you're really concerned about security, you are likely running OpenBSD or a heavily-modified linux kernel by now.
Linus Torvalds was asked during a LinuxWorld keynote two years back if he was told by government agents to put hardware backdoors in Linux. He said no, while nodding yes. His father, Nils Torvalds, a member of EU parliament, put it on the record that his son was approached by government agents requesting backdoors.
There is a known issue with the random number generator being _forced_ to do hardware-based (known to be broken on Intel/AMD chipsets) random number generation. Under Open/Net/FreeBSD, there's an intermediary (software) random number generator that ensures actual randomness. Linus uncharacteristically led this charge to keep the RDRAND weakened, even resorting to calling others stupid for thinking otherwise. A prominent developer resigned due to it.
There is at least one recent Intel Management Engine talk at last year's Chaos Communication Congress. There was a similar talk the year before about AMD chipsets and their secret undocumented internal firmware. If you enjoy strong encryption, you would be wise to apply the proposed RDRAND patches that Linus rejected.
Now that all the major distributions have adopted systemd, there's now a full RPC backdoor to not only the GPL's linking requirements, but a backdoor to run "Approved" (by whom? we'll get to that) code automatically. Many people have publicly posited that systemd will be the cause of "The Big One" vulnerability that eventually comes out of Linux and ruins its reputation.
Now, for the Ubuntu side: Canonical is incorporated in the City of London, which means they are under the jurisdiction of GCHQ. Anyone who has watched/read a talk by Moxie Marlinspike will know that SSL/TLS is easily spoofable by nation states. They will probably also know how exploitable SSL/TLS is today. All the draconian crap the GCHQ has jurisdiction over can easily be extended to a corporation registered under their governance. If Canonical refuses, they will be forced to, the way Google is forced to comply in the United States under a similar framework. End result is that you cannot trust anything beyond your initial install CD, if you can even trust that.
You will likely never look through the custom patches compiled into your binaries, let alone think about Ken Thompson's "Trusting Trust" essay. You will just download your updates, and assume everything is A-OK. You are an end-user, and that's okay. Just don't think Shuttleworth's words are anything but a big fat placebo to keep his stock value afloat.
Re: (Score:2, Informative)
Theodore Ts'o fixed it back in 2012 by just using it as an additional (but not sole) source of entropy:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9 [kernel.org]
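As an added illustration of the policy the comment above describes, here is my own C model (not kernel code, and not the code in the linked commit): output derived from the software entropy pool is XORed with the hardware bytes, so the hardware source is an extra input rather than the only one, and a compromised or stuck RDRAND cannot make the result worse than the pool output alone. The example also adds a check the comment does not mention: the hardware stream is first passed through an SP 800-90B style repetition count test and is rejected outright if it looks stuck. The cutoff of 32, the function names and both stand-in hardware sources are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Health-test cutoff: this many identical consecutive samples means the
 * source is treated as stuck. 32 is an assumed value for this example. */
#define RCT_CUTOFF 32

/* Repetition count test (SP 800-90B style) over raw bytes from the hardware
 * source. Returns 1 if a run of RCT_CUTOFF identical bytes is seen (source
 * stuck or broken), 0 otherwise. An empty sample set also counts as stuck. */
int hw_source_stuck(const uint8_t *samples, size_t n)
{
    size_t run = 1;
    if (n == 0)
        return 1;
    for (size_t i = 1; i < n; i++) {
        if (samples[i] == samples[i - 1]) {
            if (++run >= RCT_CUTOFF)
                return 1;
        } else {
            run = 1;
        }
    }
    return 0;
}

/* Combine: hardware bytes are XORed into output already derived from the
 * software pool. If either input is unpredictable the result is; neither
 * input is trusted on its own. */
void mix_hw_into_output(uint8_t *out, const uint8_t *pool_out,
                        const uint8_t *hw, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = pool_out[i] ^ hw[i];
}

/* Fill `out` from `pool_out`, mixing in the hardware source only if it
 * passes the health test. Returns 1 when hardware bytes were mixed in,
 * 0 when the source was rejected and pool output was used unchanged.
 * Requests are capped at 256 bytes to keep the stack buffer bounded. */
int get_random_bytes_mixed(uint8_t *out, const uint8_t *pool_out, size_t n,
                           void (*hw_fill)(uint8_t *, size_t))
{
    uint8_t hw[256];
    if (n > sizeof hw)
        n = sizeof hw;
    hw_fill(hw, n);
    if (hw_source_stuck(hw, n)) {
        memcpy(out, pool_out, n);
        return 0;
    }
    mix_hw_into_output(out, pool_out, hw, n);
    return 1;
}

/* Constructed stand-ins for a hardware RNG (not real generators). */
void broken_hw(uint8_t *buf, size_t n)   /* stuck: always the same byte */
{
    memset(buf, 0x42, n);
}
void varying_hw(uint8_t *buf, size_t n)  /* consecutive bytes always differ */
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)(i * 37 + 11);
}

/* Build a run of `k` identical bytes followed by 8 varying bytes and run
 * the health test on it, so the cutoff behaviour can be checked exactly. */
int stuck_after_run(size_t k)
{
    uint8_t buf[RCT_CUTOFF + 16];
    if (k > RCT_CUTOFF + 8)
        k = RCT_CUTOFF + 8;
    memset(buf, 0x42, k);
    for (size_t i = 0; i < 8; i++)
        buf[k + i] = (uint8_t)(i + 1);
    return hw_source_stuck(buf, k + 8);
}

/* Scenario: a stuck source is rejected and output equals the pool output,
 * i.e. the bad source could not weaken anything. Returns 1 on success. */
int scenario_stuck_source_rejected(void)
{
    uint8_t pool[64], out[64];
    for (size_t i = 0; i < 64; i++)
        pool[i] = (uint8_t)(i * 31 + 7);
    int used = get_random_bytes_mixed(out, pool, 64, broken_hw);
    return used == 0 && memcmp(out, pool, 64) == 0;
}

/* Scenario: a healthy source is accepted and every output byte equals
 * pool byte XOR hardware byte. Returns 1 on success. */
int scenario_healthy_source_mixed(void)
{
    uint8_t pool[64], out[64], hw[64];
    for (size_t i = 0; i < 64; i++)
        pool[i] = (uint8_t)(i * 31 + 7);
    varying_hw(hw, 64);
    int used = get_random_bytes_mixed(out, pool, 64, varying_hw);
    for (size_t i = 0; i < 64; i++)
        if (out[i] != (uint8_t)(pool[i] ^ hw[i]))
            return 0;
    return used == 1;
}

int main(void)
{
    printf("stuck source rejected: %d\n", scenario_stuck_source_rejected());
    printf("healthy source mixed:  %d\n", scenario_healthy_source_mixed());
    printf("run of 31 flagged: %d, run of 32 flagged: %d\n",
           stuck_after_run(31), stuck_after_run(32));
    return 0;
}
```

The XOR step is the whole point of the "additional, not sole" design: an attacker who controls the hardware source learns nothing about the pool output and cannot cancel it, while a weak software pool is still rescued by a good hardware source. The health test is defence in depth on top of that, catching the degenerate case of a source that has silently stopped producing anything at all.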
Re: (Score:2)
Being approached and asked about putting a back door in and actually complying and putting a back door in are two different things. All we know is that he probably has been asked to do it; we do not know if he complied. Considering that the source is completely open, it's very likely that he explained to the NSA et al. that it couldn't be done.
Regarding Canonical there is AFAIK no equivalent of the US National Security Letters in the UK, courts there can order gag orders but only to protect the privacy of people and
Re: (Score:2)
At the last RSA Conference, a friendly salesman for a hardware company (not Intel or AMD) eagerly told me about his company's main product: They have a chip embedded in over a billion currently-deployed devices, including laptops and phones, that offers complete remote tracking and ownership functionality at the hardware level. Or so claims the salesman. He was selling it as a theft-recovery service for bigcorps, but more nefarious possible uses are pretty obvious.
As an Ubuntu user for nearly 10 years... (Score:2)
... I don't believe a word he says. Yes, Ubuntu is far and away the best OS choice today. And yes, Ubuntu is almost certainly already backdoored. Canonical does lawful business in anti-freedom countries like the United States and China. Therefore Canonical's software must be compromised.
What's the value of such pledges? (Score:2)
Isn't it like saying 'I will never be a serial killer'? It's not like lying is worse than doing the act, so what would make a malicious actor even hesitate to make the same claim?
This is nothing about Canonical, just an observation on the pointlessness of such statements in general.
There's over 7,000 packages in Ubuntu's main repo (Score:1)