Ubuntu Disputes 'Ads In MOTD' Claims

Thursday Lproven (Slashdot reader #6030) wrote: It appears that Ubuntu is using a feature it has added -- intended to insert headlines of breaking tech news (security alerts and so on) into the Message of the Day displayed at login to the console -- to display advertising and promotional messages.
The message in question linked to a Hacker Noon article titled "How HBO's Silicon Valley built 'Not Hotdog' with mobile TensorFlow, Keras & React Native." Later that day Dustin Kirkland, a Ubuntu Product Manager for the feature's design (and the Core Developer for its implementation) suggested the message had been mistaken for an ad, describing it on Hacker News as a "fun fact... an interesting tidbit of potpourri from the world of Ubuntu," and later saying it was intended like Google's doodles. "Last week's message actually announced an Ubuntu conference in Latin America. The week before, we linked to an article asking for feedback on Kubuntu. Before that, we announced the availability of Extended Security Maintenance updates for 12.04. And so on." He later confirmed Canonical received no money for the message, and also pointed out that the messages all come from an open source repository, and "You're welcome to propose your own messages for merging, if you have a well formatted, informative message for Ubuntu users."

Click through for a condensed version of the complete response by Dustin Kirkland, Ubuntu Product and Strategy at Canonical.

Kirkland describes the design of the feature as follows:

• Asynchronously, about 60 seconds after boot, a systemd timer fires which runs "/etc/update-motd.d/50-motd-news --force"
• It sources 3 admin-editable config variables in /etc/default/motd-news. The defaults are: ENABLED=1, URLS="https://motd.ubuntu.com", WAIT="5"
• The admin can disable it entirely (ENABLED=0), change or add other MOTD news sources (your corporate IT team could run its own), and change the wait time in seconds
• If it's enabled, that systemd timer job will loop over each of the URLS (note, that it's important that these should be https with valid SSL certificates), trim them to 80 characters per line, and a maximum of 10 lines, and concatenate them to a cache file in /var/cache/motd-news
• Every ~12 hours thereafter (with a little bit of random timer fuzzing), this systemd timer job will re-run and update the /var/cache/motd-news
• Upon login, the contents of /var/cache/motd-news is just printed to screen.

Kirkland notes the message can be customized by local IT administrators, or used to deliver warnings about serious vulnerabilities like Shellshock or Heartbleed. And he also describes the dynamic motd as a Ubuntu feature since adopted by other distros (including Debian) as "a flexible framework that enables distro packages or administrators to add executable scripts in /etc/update-motd.d/* to generate informative, interesting messages displayed at login... for almost 40 years of Linux/UNIX, the 'Message of the Day' was anything but that... It was a message that was created at one point in time, when the distro released, and that's about it. And we managed to change that."

Tech Industry Robber Barons

[Anonymous Coward]

Tech industry robber barons have finally destroyed the last vestige of Unix freedom.

The message of the day is for local news to local users.

MOTD is off limits to vendors, you money grubbing assholes!

You damn kids, get off my box!

Re:

[Anonymous Coward]

Sounds like neither open nor proprietary software is the way to go. So what should we do? Become luddites?

Re:

[Slashdot Junky]

A big problem with software today and for years is that we don't concern ourselves with hardware specs to anywhere near the degree we should. Instead, resources are wasted left and right, because we're not limited by an 8Mhz processor and 64K RAM.

Re:

[Tenebrousedge]

I nominate this for the most thoroughly retarded comment that has ever been posted to Slashdot. Fuck off permanently.

Re:

[Anonymous Coward]

Stopped reading at "communist".

Re: Tech Industry Robber Barons

[Zontar The Mindless]

You have the freedom to live in a home that's any colour you like, as long as you're willing to paint it or hire someone to do so.

According to the parent, this isn't freedom.

Discuss.

Re: Tech Industry Robber Barons

[KGIII]

Do you mean axis?

Re: Tech Industry Robber Barons

[KGIII]

I've gotta stop posting while stoned. Sadly, I knew that.

Re:

[antdude]

Move out, duh.

Re:

[Anonymous Coward]

With OSS you don't need time to fix things yourself, you can hire someone to help.

Reality is unless you're a corporation with some cash to throw around it's cost-prohibitive to hire software developers to make changes to your system.

Re:

[serviscope_minor]

Who modded this junk up?

It basically says that the only freedom is when someone does all the work for you and hands it to you on a plate. Freedom doesn't mean people give you exactly what you want all the time. Freedom means no one will stop you doing what you want.

Re: Tech Industry Robber Barons

[Zero__Kelvin]

I know! It seems no matter what software I use it isn't free! Whoever writes the dann software can just use a typedef when I think they should use a #define! It is an atrocity I tell You! Where is my software written by me using the libraries I want, but with someone else doing all the work damn it?!!!

Re:

[Waccoon]

Nobody said freedom is practical.

Re:

[Lumpy]

Except it's not happening in Slackware, Debian, or Gentoo..

ubuntu is NOT all linux distros, but simply the only one that is heavily marketed. It doesnt even have the lions share across all linux installs.

Double Standard

[Anonymous Coward]

When Microsoft places ads in the form of recommended apps in Windows 10, it's denounced as evil. When Ubuntu places ads in the MOTD, it's somehow okay and completely acceptable. It's not unlike Ubuntu sending searches to the internet by default to retrieve recommendations for the user. Of course, this was also tolerated and considered acceptable. There's a double standard in which Microsoft is criticized for the very things open source also does. Now, I'll surely get censored by aggressive moderators who would prefer rather to mod me down to -1 rather than discuss the hypocrisy in what is otherwise an open source echo chamber.

Re:

[lucm]

Ubuntu is the Microsoft of the Linux world. Everyone knows that. Why would anyone be surprised by this kind of invasive "feature" is beyond me.

Also I personally don't get the whole Debian thing, but if someone wants that on their machine, why would they take a retarded relative instead of going for the real thing? That's like choosing Oracle Linux over Red Hat.

Re:

[Anonymous Coward]

It gets a pass because it actually isn't an ad and because Ubuntu is open source meaning if you don't like something, you can change it.

Let me know when Microsoft releases the source code for Windows 10 so I can strip all of that spyware, adware and auto update crap from it.

Re:

[chipschap]

It gets a pass because it actually isn't an ad and because Ubuntu is open source meaning if you don't like something, you can change it.

Let me know when Microsoft releases the source code for Windows 10 so I can strip all of that spyware, adware and auto update crap from it.

Yes, you're spot on. The Ubuntu MOTD thing is ridiculous but easily fixed by any user with enough knowledge to have installed Ubuntu in the first place. The poster above who claimed there is no freedom in free software was completely wrong. You do have to be willing to put in a little effort (in the MOTD case, very little).

Re: Double Standard

[Zero__Kelvin]

Plenty of people use Ubuntu who could not simply fix this, and others will spend time fixing it when they could be making money so this is a costly decision on multiple levels. Bottom line: Linux is still awesome, but Ubuntu sucks donkey sucks even bigger than yesterday's.

Re:

[chmod a+x mojo]

Plenty of people use Ubuntu who could not simply fix this.....

Yep, plenty of noobs are going to be logging in on the CLI console instead of into a greeter, all day, every day. Not like the default install a newbie would do includes full desktop and greeter on whatever flavor they have downloaded.... You are aware that MOTD is only displayed in a console TTY yes?

That's right, the only people who wouldn't know how to fix this are the one who will never even see it. Kind of a really shitty way to deliver ads if you ask me. Almost makes you think that it isn't really an a

Re: Double Standard

[Zero__Kelvin]

Despite your SlashID you are clearly a noon yourself. This is a background process running regardless of if anyone uses the terminal. The attack vector is there and people who don't use the terminal are just as vulnerable as those who do. Please don't post anymore until you learn how computers work. Thanks.

Re:

[chmod a+x mojo]

Yeah, I'm a "noon" whatever that is, because I don't see something as being a great attack vector. Or ad vector for that matter. The only thing slightly worrying is the useragent it sends to get the tailored MOTD data, no compelling need for exact CPU type and uptime.

Do tell me, how exactly is this so called attack that you worry about supposed to work? Magic text stored in the MOTD file that executes when cat'ed? Maybe you should learn how computers ( and logic for that matter, your post history indicates

Re: Double Standard

[Zero__Kelvin]

I haven't looked at the code, but one possibility is to use DNS poisoning to get the computer to pull from a hostile host that sends an endless stream which fills /etc and therefore makes root dir "/" unwriteable. Another is that there may indeed be a buffer overflow that can be exploited allowing code to be executed with systemd privs. My phone changed noob to noon, because like you it thinks it is smarter than me, but is really quite stupid. HAND and FOAD!

Re:Double Standard

[cas2000]

No, neither of those actions by Ubuntu are or were considered acceptable or tolerable. The phone-home search bullshit caused a huge outcry and many complaints until Ubuntu stopped fucking doing it. The MOTD phone-home has just happened and is at the very early stage of that same process.

Microsoft gets complained about more often when it does this shit because it does it far more often and far more comprehensively. Also, Microsoft either ignores complaints, or pretends to "accommodate consumer feedback" and then just does it again, more sneakily at a lower level in the system so it's even harder to get rid of.

It doesn't matter at all who does it.

This

[s.petry]

If I recall correctly, Ubuntu removed the searches going to Amazon by default. I'm guessing they will also remove this motd crap too. That said, the search crap resulted in me refusing to use their products and attempting to steer people away from Ubuntu. Just like I attempt to steer people away from MS.

Canonical forgot the golden rules about trust. People will give you an initial level of trust, but that same trust can be instantly lost. Once it's gone, it's extremely difficult to regain.

Re:

[najajomo]

"When Microsoft places ads in the form of recommended apps in Windows 10, it's denounced as evil. When Ubuntu places ads in the MOTD, it's somehow okay and completely acceptable."

No it isn't, as this response [twitter.com] so clearly demonstrated. Go and take your strawman elsewhere and it is understandable why you would want to post anonymously.

Placing ads in the MOTD now? Really? [twitter.com]

Re:

[Zontar The Mindless]

There was a time when free software meant people didn't try to sell you shit. Those days are fucking gone.
Now every motherfucker is on the fucking grift. Even Linux motherfuckers.

Linux is also shit because EVERYTHING IS SHIT.

And, of course, there aren't, like, 50 other Linux distros that don't pull this kind of stunt for you to choose from.

You need to learn the difference between "is a subset of" and "equals".

Re:

[tepples]

Some people have work to do with a deadline that precedes when one would finish evaluating said 50 GNU/Linux distributions.

We get it

[s.petry]

Reading is not your strong suit. In fact a 3rd grader could whip you!

Aha!

[sunderland56]

>> Asynchronously, about 60 seconds after boot, a systemd timer fires which runs "/etc/update-motd.d/50-motd-news --force"

So: proof positive that systemd is an evil tool of the devil.

Re:Aha!

[93 Escort Wagon]

Asynchronously, about 60 seconds after boot, a systemd timer fires which runs "/etc/update-motd.d/50-motd-news --force"

It seems like it would be a trivial matter to update that script so its output is mailed to pr@canonical.com .

Totally missing the point

[Anonymous Coward]

Whether the MOTD updates are advertisements or not is almost entirely irrelevant (although it's good for creating extra outrage).

The problem is that such a monumentally retarded mechanism exists *at all*. In fact, it's even a potential security issue. Sending arbitrary byte sequences to someone's terminal can do some very nasty things, unless they were smart enough to at least restrict it to printable ASCII. It's also an obvious vector for information leakage of various kinds.

The thing about the motd messages...

[rnturn]

...is that most users ignore them.

We used to have the motd file updated hourly with stats about availability, scheduled maintenance, disks that users should do some personal cleanup on, and other stuff that users were calling admins about and nobody paid much attention to the information. The more astute users quickly learned that that annoying information could be eliminated from their session by putting 'clear' in their profile.

Just like what happens with motd text, users will quickly learn where the ad

How about NO

[Anonymous Coward]

I can't believe this shit was ever accepted. As someone who maintains hundreds of systems with actual users logging in, get the fuck off my lawn.

In my case the motd and issue files present legal disclaimers. Yet once again we have a case of companies with either extremely arrogant or ignorant people pushing out changes because they can. Yes, motd has been around for decades and everyone who knows what motd is, knows this. Just because we haven't posted a repo on github doesn't mean it's not used, and n

I wonder how many use the terminal

[yuhong]

I wonder how many use the terminal in the first place for such an ad to be actually profitable anyway.

more than just advertsing

[Blymie]

platform="$(uname -o)/$(uname -r)/$(uname -m)"
arch="$(uname -m)"
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"

# Piece together the user agent
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime"

Nothing really damning. However, there is an advantage to gathering this info, even if it is (mostly) anonymous.

EG, how long people leave their machines up, how long between a kernel security announcement, and an reboot after that fact, what types of machines the userbase has, an

Re:

[cas2000]

The problem is that it does this by default, without even asking for permission.

If people want to voluntarily participate in a cpu/kernel/uptime survey, that's great.

Forcing them to unless they happen to be aware of it and have the time to find out how to disable it is not great. it is the exact opposite of great. it is evil shit.

This is why, for example, popcon (the package "popularity contest", http://popcon.debian.org/ [debian.org]) is an optional package in Debian, not even installed unless you deliberately choose

Re:

[Blymie]

One must define levels of 'wrong'.

"Evil shit" might be a bit much. In the world of 'evil', this is like jaywalking. Or, not picking up your dog's shit.

Re:

[yuhong]

Yea, the problem with the Ubuntu search term debacle is that they were sending things like local filenames and making money off it. This is not the case here.

two points

[cas2000]

1. phone-home shit like this is evil and companies like ubuntu should just STOP. FUCKING. DOING. IT.

2. it's a bit fucking rich for hackernoon to complain about this when you can't even view their web site without enabling javascript from at least 6 different sites. They should just stop fucking doing that shit too.

Re:

[packrat0x]

Blocking sites with firewall hardware is the only reliable method to stop programs phoning home. I have a Mint machine, and Mint (and related sites) are on my block list. When I add or update program, I manually unblock them.

Re:

[drinkypoo]

1) You can turn it off. And by off, I mean off, not Microsoft's definition of off.

DEFAULT OFF, ASSHOLE.

Why is this so hard? Phone home features MUST default off. If you do not ask the user for permission during install, then TURN THAT SHIT OFF. This is not complicated!

2) Your browser or an extension is broken.

If you don't permit scripts and you run ublock origin with fairly boring settings you get the text but you don't get images, which are central to the article.

Re:

[tepples]

It's hard because downloading security updates phones home that a device needing updates for a particular set of packages is connected to the Internet. Would you go without security updates to hide your existence from the operating system's publisher? If so, you're potentially exposing other Internet users to computer intrusions perpetrated through your machine as a proxy.

Re:

[cas2000]

here's a thought:

maybe there's some way to do updates that don't require phoning home for completely unrelated purposes?

sounds really hard, but i bet they could manage it if they really tried.

perhaps by just not fucking doing it. like they used to.

in case that's too subtle for you: phoning home and software updates (security updates or not) are two completly different things.

Re:

[tepples]

maybe there's some way to do updates that don't require phoning home for completely unrelated purposes?

It doesn't have to be "for completely unrelated purposes". An operating system publisher can discern a lot about a user's habits solely from what packages' updates the user's devices download.

perhaps by just not fucking doing it. like they used to.

Not intercoursing doing what? Do you mean not downloading updates? We have seen in the case of WannaCry that this leads to wormable ransomware.

phoning home and software updates (security updates or not) are two completly different things.

I fail to see how. If your PC downloads updates, you disclose to the update provider that your PC exists and requires updates. You also disclose what packages you have installed

Re:

[cas2000]

An operating system publisher can discern a lot about a user's habits solely from what packages' updates the user's devices download.

That's unavoidable. Downloading a file inherently tells the remote site what file you want.

It's also irrelevant because any OS worth running has multiple mirror sites for upgrades run by completely unrelated entities that don't share that information with each other, and even allow you to run your own mirror...download all packages to your local repo reveals nothing about w

Re:

[cas2000]

1. should be off by default. acquiring ANY information from or about users should **always** be opt in. opt-out is for spammers and other filthy vermin.

2. my browser is not broken, nor are any of my browser extensions. I use umatrix to block javascript by default (and enable ONLY the js I want) and ublock to block ads and spy beacons etc.

in fact, umatrix is how I knew that hackernoon required js from at least 6 different sites - umatrix shows me and allows me to selectively enable js from some or all of

Time to consider other Linux?

[AHuxley]

Or BSD?
Or Haiku Project https://www.haiku-os.org/ [haiku-os.org]

Like windows

[allo]

People don't like their OS to make network connections without a good reason. When I install a system, i expect it to make NO traffic at all, when I am not doing anything with it.
We can talk about stuff like NTP and update checks, IF I explicitely enabled it possibly automatic updates. But no fetching of random messages. What's next? Fetching new wallpapers? Sending telemetry data?

Re:

[allo]

try apt-get install popcon ;-)

Ehh?

[AlanObject]

Went through this thread several times. I fail to see the crisis that has people pounding on their keyboards red faced and bulging bloodshot eyes.

I guess this never would have happened if we hadn't allowed systemd into the ecosystem.

I would have never even noticed

[unhooked]

My .hushlogin is 25 years old.

Fortune cookie

[ebvwfbw]

Just set fortune cookie to overwrite /etc/motd every day.

Can lead to really funny stuff and some fun with admins.