[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-08-27 Thread Guy Baconniere
Ubuntu decided to remove uptime from motd-news' data leak (exfiltration)
via User-Agent: and move /etc/default/motd-news conffile to the
motd-news-config package and switch from curl to wget.

Remove uptime from the motd-news user agent 
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1886572

motd-news: use wget instead of curl
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888572
-- I hope they will stop launching it as root as well
see https://github.com/curl/curl/issues/5557

Split motd-news config into a new package
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888575

To Be
Continued --->

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or
  knowledge in background

Status in base-files package in Ubuntu:
  Won't Fix

Bug description:
  In package base-files there is a script
  /etc/update-motd.d/50-motd-news that harvests private hardware data
  from the machine and transmits it in the background every day.  There
  is no notice, no consent, no nothing.  This should be by default
  disabled until there is informed consent.

  This solution is simple:

  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news and
  2. Place a comment in the file disclosing the fact that the 50-motd-news
     script will harvest private hardware data and upload it to
     motd.ubuntu.com daily if the end-user enables it.

  Creating databases that map IP addresses to specific hardware is a
  threat to both privacy and security.  If an adversary knows the
  specific hardware and the IP address for that hardware their ability
  to successfully attack it is greatly increased.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-14 Thread Guy Baconniere
From my point of view, it's NOT enough to implement a legal notice
https://ubuntu.com/legal/motd with technical errors and it is not
possible to verify that Canonical does not store the IP address of
Ubuntu users in Apache log (the default) and/or database without an
external auditor (PwC, EY, KPMG, etc.).

Nothing has been done regarding the consent of the user.

I expect one of the following two options to be implemented by
Canonical.

(A)

Ask for consent during the installation of the operating system Ubuntu
and before sharing my personal information via the motd-news software
used for Telemetry, Tracking, Advertising purpose instead of providing
meaningful "security messages or other news" on a daily basis.

(B)

Or disable it by default via ENABLED=0 in the file
/etc/default/motd-news and move motd-news software outside "base-files"
package and make it user removable.

If Canonical doesn't take data protection seriously by implementing
technical measures such as stop calling motd-news during installation
and after automatically without consent and implement an easy way to opt
out for people without technical knowledge in linux shell then ICO will
need to evaluate the choice of Canonical of enforcing Telemetry hidden
in motd-news's User-Agent without asking user consent and not respecting
"No, don't send system info" choice of the user during the installation
wizard, sending beacons with IP address, system info twice a day, every
day from all Ubuntu Desktop and Ubuntu Server installations worldwide.


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-13 Thread Guy Baconniere
I added https://ubuntu.com/legal/motd to Archive.org's Internet Wayback
Machine

https://web.archive.org/web/20200713070037/https://ubuntu.com/legal/motd

** Attachment added: "canonical-legal-motd.pdf"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5392271/+files/canonical-legal-motd.pdf


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-13 Thread Guy Baconniere
https://ico.org.uk/make-a-complaint/your-personal-information-concerns/

To: ICO

Dear Information Commissioner’s Office,

I confirm that I want to proceed with the creation of the case about
Canonical's motd-news as Canonical don't want to remediate the privacy 
issue of sending by default hardware details and public IP of all 
Ubuntu Desktop and Ubuntu Server twice a day, every day of the year.

Next to this message, you will find the final answer from Canonical.

https://ubuntu.com/legal/motd

The following are my comments on their legal information.

"The purpose of sending the system information is so that Canonical can
tailor the message returned by https://motd.canonical.com."

This is wrong: motd.canonical.com does not exist and is part of motd-news.
The server used by Ubuntu is https://motd.ubuntu.com

lynx -mime_header https://motd.canonical.com

Looking up motd.canonical.com
Unable to locate remote host motd.canonical.com.
Alert!: Unable to connect to remote host.

The evidence is part of the Ticket
https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png

"None of this data can be used to identify a machine or user."

"Along with this data, the IP address and other network information is
transmitted to facilitate communication on the internet from the Ubuntu
machine to Canonical. This information is not stored by Canonical."

This is wrong as Canonical is using Apache and the default is to store
IP address in the access log

https://httpd.apache.org/docs/current/logs.html

Common Log Format

(%h)
This is the IP address of the client (remote host) which made the
request to the server. If HostnameLookups is set to On, then the server
will try to determine the hostname and log it in place of the IP
address. However, this configuration is not recommended since it can
significantly slow the server. Instead, it is best to use a log
post-processor such as logresolve to determine the hostnames. The IP
address reported here is not necessarily the address of the machine at
which the user is sitting. If a proxy server exists between the user
and the server, this address will be the address of the proxy, rather
than the originating machine.

lynx -mime_header https://motd.ubuntu.com

HTTP/1.1 200 OK
Date: Mon, 13 Jul 2020 06:05:38 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Mon, 13 Jul 2020 06:00:50 GMT
Accept-Ranges: bytes
Content-Length: 215
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain

 * "If you've been waiting for the perfect Kubernetes dev solution for
   macOS, the wait is over. Learn how to install Microk8s on macOS."

   https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/

"You can disable this service as follows:"
"/etc/default/motd-news has an ENABLED=1 setting that if set to 0 will turn
off this functionality."

I assume 80% of Ubuntu Desktop users will not know how to disable motd-news
because they need a Terminal and sudo access. A regular editor running
as a default user will not allow editing this file as superuser. So this doc
is useless.

On top of that, Canonical sends motd-news information before
the user can even opt out during the installation of Ubuntu Desktop
and during the first boot of the Ubuntu Desktop operating system,
so setting it is only useful to stop it but the harm is already done
and data already sent to Canonical.

Evidence https://launchpadlibrarian.net/487031151/ubuntu-desktop-2004.png

For more information read
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424

Please also note that https://ubuntu.com/legal/motd title is not searchable
in their search engine and is not part of the legal notice during the 
installation of Ubuntu

Evidence (picture in attachment) and
https://launchpadlibrarian.net/487031391/ubuntu-desktop-2004-legal.png

"No, don't send system info" is not respected
https://launchpadlibrarian.net/487031210/ubuntu-desktop-2004-optout.png
https://launchpadlibrarian.net/487032881/ubuntu-desktop-2004-motd-news.png

Privacy does not have an option to opt out from motd-news
https://launchpadlibrarian.net/487031529/ubuntu-desktop-2004-privacy.png

-------- Forwarded Message --------
Subject: Re: Unremovable motd-news used as Telemetry and Advertising tool without explicit consent
Date: Fri, 10 Jul 2020 12:00:29 +0100

Dear Guy

Thank you for your patience.

Please now see the legal notice for MOTD on Canonical's website:
https://ubuntu.com/legal/motd

I can assure you that no access to or storage of IP address data is
made.

Canonical takes data protection compliance very seriously and we
continue to review how we can improve this and other services.

Many thanks

Director of Legal & Company Secretary
Canonical
Blue Fin Building, 5th Floor
110 Southwark Street, SE1 0SU
Ubuntu - Linux for Human Beings
www.canonical.com


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
https://news.softpedia.com/news/canonical-under-fire-for-putting-ads-in-the-ubuntu-motd-530372.shtml

Articles like "Canonical Under Fire for Putting Ads in the Ubuntu MOTD"
miss the point that motd-news is not only displaying Advertising in the login
prompt but it is a Privacy Nightmare because it has a hidden Telemetry feature
which is enabled by default Without Consent and leaks IP Address, System
critical information (Kernel Version, Uptime, CPU Vendor, CPU Model, Idle
Time, Uptime) every 12 hours via User-Agent from curl on all Ubuntu Desktop and
Ubuntu Server including the current version of Ubuntu.

On top of that, motd-news is also a security nightmare as it runs curl
as root which can be exploited to gain root on any servers, laptops etc.

I recommend that all Ubuntu users open a Terminal and execute the
following

sudo sed -i -r 's/(ENABLED)=.+/\1=0/' /etc/default/motd-news
sudo apt-get -qq -y purge curl

N.B. curl is not installed if you explicitly select Ubuntu Minimal
during the installation of Ubuntu Desktop so motd-news cannot contact
motd.ubuntu.com without curl even if ENABLED=1 by default

GDPR: EU's General Data Protection Regulation, since daily reporting of
the computer's info proceeds without the user's consent. Cf. GDPR
application comments [https://gdpr.eu/eu-gdpr-personal-data/], in
particular with respect to Recital 30
[https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/]

Internet protocol (IP) addresses; information that is related to an
individual’s tools, applications, or devices, like their computer.

Canonical Ltd. has handled my personal information without consent,
by collecting twice a day the following information:

- The public IP address where Ubuntu system is used (part of the log of the
  HTTPS server)
- Date / Time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU Vendor and Model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud Hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id,
  part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via
  /proc/uptime)
- Version of curl software (launched as root which is a bad IT practice and a
  security risk)

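An added example, not part of the original message or of Ubuntu's packaging: a variant of the ENABLED=0 change from the message above that rewrites only active assignments, appends the setting when it is missing, and then verifies the effective value. The function names are hypothetical, and it assumes the setting takes effect the way a sourced shell defaults file would (the last active ENABLED= assignment wins).

```shell
#!/bin/sh
# Added example: turn motd-news off in its defaults file and confirm the result.
# The file path comes from the thread; pass another path as $1 to try it on a
# copy. Function names are hypothetical.
# Usage on a real host: sudo sh -c '. ./motd-news-off.sh; motd_news_disable'

# Print the ENABLED value a shell sourcing the file would end up with.
# Commented-out lines are ignored; the last active assignment wins.
# Prints "unset" when the file is unreadable or has no active assignment.
motd_news_effective() {
    conf=${1:-/etc/default/motd-news}
    if [ ! -r "$conf" ] || ! grep -q '^[[:space:]]*ENABLED=' "$conf"; then
        echo unset
        return 0
    fi
    # Take the last assignment, then drop trailing comments, trailing
    # whitespace and one layer of surrounding quotes.
    sed -n 's/^[[:space:]]*ENABLED=//p' "$conf" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Set ENABLED=0 and return success only if the effective value is 0 afterwards.
motd_news_disable() {
    conf=${1:-/etc/default/motd-news}
    tmp=$(mktemp) || return 1

    if [ -f "$conf" ]; then
        # Anchor on the start of the line so that comments such as
        # "# ENABLED=1 ..." and keys such as FOO_ENABLED= are left alone.
        sed 's/^\([[:space:]]*\)ENABLED=.*$/\1ENABLED=0/' "$conf" > "$tmp"
    fi

    # A file without an active assignment would silently keep the packaged
    # default, so append the setting explicitly.
    grep -q '^[[:space:]]*ENABLED=' "$tmp" || echo 'ENABLED=0' >> "$tmp"

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"

    # Verify instead of assuming the edit worked.
    [ "$(motd_news_effective "$conf")" = 0 ]
}
```
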


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd.ubuntu.com current Advertising for Canonical 
Products"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389475/+files/ubuntu-desktop-2004-translate.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Sample motd.ubuntu.com Ads from 2017"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389478/+files/ubuntu-desktop-2004-waybackmachine3.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd-news force to run via motd-news.service and 
motd-news.timer"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389472/+files/ubuntu-desktop-2004-terminal3.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Sample motd.ubuntu.com Ads from 2020"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389477/+files/ubuntu-desktop-2004-waybackmachine2.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd-news ENABLED by default with telemetry every 12h 
Without Consent"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389471/+files/ubuntu-desktop-2004-terminal2.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd-news is unremovable"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389480/+files/ubuntu-desktop-2004-system-failure1.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Privacy has not opt-out for motd-news hidden telemetry in 
User-Agent"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389470/+files/ubuntu-desktop-2004-privacy.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "No, don't send system info NOT RESPECTED BY MOTD-NEWS"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389468/+files/ubuntu-desktop-2004-optout.png


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd.ubuntu.com is up since 2017"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389476/+files/ubuntu-desktop-2004-waybackmachine.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd-news exfiltrate system information via User-Agent and IP Address every 12 hours Without Consent"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389482/+files/ubuntu-desktop-2004-motd-news.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "motd.ubuntu.com hosted in the Amazon EC2 cloud in Dublin, Leinster, Ireland"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389474/+files/ubuntu-desktop-2004-terminal4.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Legal Notice DOES NOT COVER "motd-news" sending IP address, Uptime, Idle time every 12h motd-news.service started during installation Ubuntu Desktop 20.04 Without Consent"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389469/+files/ubuntu-desktop-2004-legal.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Sample motd.ubuntu.com Ads from 2019"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389479/+files/ubuntu-desktop-2004-waybackmachine4.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
** Attachment added: "Trying to remove motd-news via base-files will kill Ubuntu"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389481/+files/ubuntu-desktop-2004-system-failure2.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-07-03 Thread Guy Baconniere
No updates from Canonical's legal department

"A picture is worth a thousand words"




** Attachment added: "motd-news.service started during installation Ubuntu Desktop 20.04 Without Consent"
   
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389467/+files/ubuntu-desktop-2004.png



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-29 Thread Zachary Fouts
I too, would like to see this fixed. I initially reported something very
similar in https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068
back in 2017.

This is unacceptable, especially for EU users. It needs to be an option
to opt-in at install time. By default I believe this should be opted
out.



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-20 Thread Guy Baconniere
FYI Canonical's legal department is reviewing motd-news "feature" (such as
telemetry) and will provide updated information next week.

All motd-news related tickets

https://bugs.launchpad.net/ubuntu/+source/base-files/+bugs?field.searchtext=motd-news=-datecreated=Search%3Alist=NEW%3Alist=OPINION%3Alist=INVALID%3Alist=WONTFIX%3Alist=EXPIRED%3Alist=CONFIRMED%3Alist=TRIAGED%3Alist=INPROGRESS%3Alist=FIXCOMMITTED%3Alist=FIXRELEASED%3Alist=INCOMPLETE_WITH_RESPONSE%3Alist=INCOMPLETE_WITHOUT_RESPONSE

"Canonical has launched the Ubuntu Appliance initiative which aims to
transform Raspberry Pi devices or personal computers into secure,
self-updating solutions" (source 9to5linux). I checked
nextcloud-core18-pi.img (and core18_1753.snap), motd-news is still present
but turned off by default -- Good! ENABLED=0 in the file
/etc/default/motd-news. I hope Canonical will apply "Secure by design" motto
to the rest of Ubuntu products https://ubuntu.com/appliance



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-14 Thread Guy Baconniere
I will first contact the Data Protection Officer (DPO) of Canonical Group Limited
dataprotect...@canonical.com

https://ubuntu.com/legal/data-privacy



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-14 Thread Guy Baconniere
I have decided to contact ICO (Information Commissioner's Office).

Because Canonical Ltd. has handled my personal information
(IP address, Hardware CPU, Choice of Cloud Hosting, and various meta-data)
and the one of the company I work for without consent.

The same applies to all users of Ubuntu (persons, companies, governments)
worldwide on a daily basis.

By collecting twice a day the following information:

- The public IP address where Ubuntu system is used (part of the log of the HTTPS server)
- Date / Time when collected (part of the log of the HTTPS server)
- Hardware info such as CPU Vendor and Model (via /proc/cpuinfo)
- The distribution version (via /etc/lsb-release)
- The operating system (via uname -o)
- The Linux kernel release (via uname -r)
- The computer architecture aka machine hardware name (via uname -m)
- Cloud Hosting: cloud identifier such as aws, gce, azure, lxd (via cloud-id part of cloud-init)
- Total number of seconds the system has been up (via /proc/uptime)
- The sum of how much time each core has spent idle in seconds (via /proc/uptime)
- Version of curl software (launched as root which is a bad IT practice and a security risk)

On top of that by making motd-news unremovable in the core of Ubuntu's base-files
(like it was the case for Internet Explorer in Windows or the Telemetry in Windows 10),
they enforce the telemetry before you can disable it or opt-out from it.

Feel free to file your own complaint or contact your local information commissioner
as this ticket is marked as Won't Fix by the manager of the Ubuntu Server team.

https://ico.org.uk/make-a-complaint/your-personal-information-concerns/personal-information-complaint/

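
The data sources listed in the message above can be inspected locally to see what a given host would expose. The following audit is an added example, not code from the bug report or from base-files; the function names and the `--live` switch are hypothetical, and it assumes only the literal value `ENABLED=1` means enabled.

```shell
#!/bin/sh
# Added example: local audit of motd-news exposure. Nothing is transmitted.
# ROOT is "" for the live host, or the path of a mounted image / test fixture.

# Print "enabled", "disabled" or "absent" for ROOT/etc/default/motd-news.
# The file is parsed rather than sourced, so auditing it never executes it.
# Assumption: only the literal value 1 counts as enabled.
motd_news_state() {
    conf="$1/etc/default/motd-news"
    [ -r "$conf" ] || { echo absent; return 0; }
    # Last uncommented ENABLED= line wins; drop trailing comment, quotes, blanks.
    val=$(sed -n 's/^[[:space:]]*ENABLED=\([^#]*\).*/\1/p' "$conf" |
          tail -n 1 | tr -d "\"' \t\r")
    if [ "$val" = "1" ]; then echo enabled; else echo disabled; fi
}

# Print "name=value" only when the value is non-empty.
emit() { if [ -n "$2" ]; then echo "$1=$2"; fi; }

# Print one line per data source named in the message, read from ROOT.
motd_news_exposed_fields() {
    root="$1"; up=""; idle=""
    cpu=$(sed -n 's/^model name[[:space:]]*:[[:space:]]*//p' \
          "$root/proc/cpuinfo" 2>/dev/null | head -n 1)
    distro=$(sed -n 's/^DISTRIB_DESCRIPTION=//p' \
             "$root/etc/lsb-release" 2>/dev/null | tr -d '"')
    if [ -r "$root/proc/uptime" ]; then
        # /proc/uptime holds "<seconds up> <summed idle seconds>".
        read -r up idle _rest < "$root/proc/uptime" || true
    fi
    emit cpu "$cpu"
    emit distro "$distro"
    emit uptime_seconds "$up"
    emit idle_seconds "$idle"
    # uname and cloud-id describe the running system, so live host only.
    if [ -z "$root" ]; then
        emit os "$(uname -o 2>/dev/null)"
        emit kernel "$(uname -r)"
        emit arch "$(uname -m)"
        if command -v cloud-id >/dev/null 2>&1; then
            emit cloud_id "$(cloud-id 2>/dev/null)"
        fi
    fi
}

# Report the state and, when enabled, the values the listed sources hold.
motd_news_audit() {
    state=$(motd_news_state "$1")
    echo "motd-news: $state"
    if [ "$state" = "enabled" ]; then motd_news_exposed_fields "$1"; fi
}

# Run against the live host only when asked to.
if [ "${1:-}" = "--live" ]; then motd_news_audit ""; fi
```

Pass a mount point to `motd_news_audit` to check an installer or appliance image before first boot.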


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Guy Baconniere
Best practices by Dustin Kirkland
https://manpages.ubuntu.com/manpages/focal/en/man5/update-motd.5.html

- No mention of curl running as root
- No mention of the exfiltration of private data done via User-Agent
- No mention of the novel concept of advertising via motd
- No mention of using motd-news as telemetry
- No mention that motd-news is part of core Ubuntu "base-files" and cannot be removed

Feel free to guide me to the correct info on your website or update your
documentation.

Additional discussions on Twitter
https://twitter.com/lusis/status/880446088083329024
https://twitter.com/astarrb/status/880170781841514496
https://twitter.com/lelff/status/1210619413885575168
https://twitter.com/hessu/status/1269994718018056199
https://twitter.com/nikitonsky/status/1073714951104184320
https://twitter.com/wamdamdam/status/1044197012353298433
https://twitter.com/marcodavids/status/1245054456955314178
...



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Guy Baconniere
And don't tell me that the fact that Canonical uses motd as Telemetry was done
transparently, with clear documentation... most users complain only about the
advertising but don't realize that the motd-news is used as telemetry tool but
seems to act as an advertising / news purpose and the risk of the bad design
decision of running curl as root.



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Guy Baconniere
By the current design, you don't give choice to the Ubuntu users as they cannot
opt-out BEFORE the laptop or server contacts motd.ubuntu.com sending the
telemetry. By implementing it as essential package, you don't let the user
remove it but only disable it when it is too late.

The same applies to landscape, you don't give choice to disable some dangerous
features like executing very powerful scripts, list all processes, etc. This is
why, we decided to stop using landscape (both in the cloud and on premises).

It will be your responsibility as Ubuntu Server manager, if motd.ubuntu.com
gets compromised and motd-news is exploited because it runs curl as root and
all Ubuntu servers could get compromised at the same time within 12 hours.



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Joao Matos
Well, it is disappointing that you choose to close this as “won’t fix”.

As pointed out in the initial bug report, this “feature” is implemented without
notice or consent.
In other words, and to rephrase, this was done transparently in a hidden way.
Which is, to say the least, not corresponding to standard usage and best
practices, let alone the security aspect by running it as root.

This is definitely not very reassuring for users who are left with the
suspicion, confirmed by the manager of the Ubuntu Server team, that
Ubuntu is comfortable implementing (and might implement in the future)
this kind of “features” and data collection without further notice or
consent from the users.

As professional users we have already our share of burden to protect our
assets from all kinds of threats, being obliged to add to that list the
base OS leaves us with no other choice but to reconsider Ubuntu as a
(un)trusted provider. Sad.



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Guy Baconniere
Maybe as manager of the Ubuntu Server team, you should ask to improve
motd-news software to not curl as root.

You should also improve landscape and landscape on premises level of access
so any users cannot list all processes and reboot any servers or execute
shell script as root.

Good luck, I think we are done with Ubuntu.



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-12 Thread Guy Baconniere
https://github.com/curl/curl/issues/5557


** Bug watch added: github.com/curl/curl/issues #5557
   https://github.com/curl/curl/issues/5557



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-11 Thread Richard Harding
Thank you for taking the time to report this issue. As you note, this is
a long-standing feature of Ubuntu that Canonical leverages to help
understand our user base and improve and prioritize work that makes
Ubuntu better for all. I can assure you that all information is GDPR
compliant and that we implement all policies as far as accessing any
such data. For example, as the manager of the Ubuntu Server team, I’ve
never seen the IP address of any Ubuntu user and am unable to map the
installs out there.

As you note, this feature was done transparently, with clear
documentation, and is trivial to disable if anyone is uncomfortable. I
am marking this bug as “Won’t Fix” as it’s a design decision, and while
there are some that do not agree with it and I respect those feelings,
it’s also not something we’re currently planning on changing. This
allows us to make Ubuntu better for everyone and make sure that we’re
doing the best that we can. Thanks.


** Changed in: base-files (Ubuntu)
   Status: Confirmed => Won't Fix



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-10 Thread Guy Baconniere
Privacy:

Ubuntu users don't have the opportunity to opt-out from motd-news before all
the private infos and telemetry are sent via User-Agent. So even if people
change ENABLED=1 to ENABLED=0 in /etc/default/motd-news they only stop future
leaks but the initial leak has already been done in background after the boot
via systemd/motd-news service.

I repeat, this doesn't look GDPR-compliant at all. There is no prior consent
ever asked for.
The GDPR was adopted on 14 April 2016, and became enforceable beginning
25 May 2018.

motd-news has been designed in 2017 and is enabled by default on all Ubuntu
Server, Ubuntu Desktop, Ubuntu Flavors (such as Mate, Raspberry), Ubuntu
derived such as Nvidia Jetson Nano without prior consent.

Security:

Run curl as root every 12h are you serious?



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-08 Thread Guy Baconniere
All messages received over a year (Ubuntu 18.04):

* Congrats to the Kubernetes community on 1.16 beta 1! Now available
* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
* Keen to learn Istio? It's included in the single-package MicroK8s.
* Kubernetes 1.18 GA is now available! See https://microk8s.io for docs or
* Latest Kubernetes 1.18 beta is now available for your laptop, NUC, cloud
* MicroK8s 1.15 is out! It has already been installed on more
* MicroK8s 1.15 is out! Thanks to all 40 contributors, you get the latest
* MicroK8s passes 9 million downloads. Thank you to all our contributors!
* Multipass 1.0 is out! Get Ubuntu VMs on demand on your Linux, Windows or
* Multipass 1.1 adds proxy support for developers behind enterprise
* Overheard at KubeCon: "microk8s.status just blew my mind".
* 'snap info' now shows the freshness of each channel.
* Ubuntu 20.04 LTS is out, raising the bar on performance, security,
* Ubuntu's Kubernetes 1.14 distributions can bypass Docker and use containerd

None of them are about security and none of them are customized
using uptime, ubuntu version, kernel version, curl version, ip, ...

Why pack all this into User-Agent which can be linked to public IP
every 12 hours?


** Attachment added: "motd-news.txt"
   https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5381565/+files/motd-news.txt



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-08 Thread Guy Baconniere
The usage of motd-news as Advertising media for Canonical products is well
documented.
Now we need to know if Canonical shares the crafted User-Agent with sensitive
info in it with third parties and uses it for telemetry like Microsoft
Windows 10.

Sample output of motd-news mirrored in both login prompt via motd and
syslog

- MicroK8s gets a native Windows installer and command-line integration.
  https://ubuntu.com/blog/microk8s-installers-windows-and-macos

- How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow,
Keras & React Native on Ubuntu

- Overheard at KubeCon: "microk8s.status just blew my mind".
  https://microk8s.io/docs/commands#microk8s.status

https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Guy Baconniere
I don't think it was a safe decision to link the security of Ubuntu
base OS to curl running as root every 12 hours via motd-news just
to display Ads for products and not important security messages
like suggested in the original ticket (1637800).

Just imagine the consequence if https://motd.ubuntu.com, being compromised,
starts to redirect to a TFTP URL and send private memory contents
from root account every 12 hours, or if curl has a new vulnerability
such as buffer overflow discovered automatically by Google's OSS-Fuzz
and not yet patched within 30 days by curl maintainers or by
Ubuntu Security Team.

https://curl.haxx.se/docs/CVE-2017-1000100.html

A malicious HTTP(S) server could redirect a vulnerable libcurl-using client 
to a crafted TFTP URL (if the client hasn't restricted which protocols it 
allows redirects to) and trick it to send private memory contents to a 
remote server over UDP.

https://bugs.chromium.org/p/oss-fuzz/issues/list?q=curl=1=-reported


** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000100



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Guy Baconniere
I recommend the following action points to restore a bit of trust in Ubuntu
Product after the introduction of motd-news by Dustin Kirkland (Ex- VP
Product at Canonical)

- Run all motd scripts including motd-news AND curl as non privileged
account -- not as root

- Move motd-news functionality from base-files to a removable package
called motd-news

- Set ENABLED to 0 by default on all Ubuntu Distros or at least ask the user
consent (during install and later with cloud-init)

- Remove private information from User-Agent (uptime, kernel version,
curl version, type of cloud) and stop using HTTPS Header such as User-Agent
as proxy to exfiltrate sensitive info from Ubuntu

- Make the code behind https://motd.ubuntu.com auditable, signed and
open source

- Check the logs of https://motd.ubuntu.com if it has been compromised
the last 3 years; if it is the case, report it so people can reinstall
their Ubuntu Server, Desktop, Laptop to restore trust

Currently Ubuntu users are trapped as they can only disable motd-news but
not uninstall it, and any software update of base-files could bring back the
security issue.

Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in
theory execute code on any Ubuntu if a serious vulnerability in curl has
been found or if the user did not update curl.

Running curl as root, reporting the curl version and the kernel version
give all the information needed to implement a persistent backdoor in
any Ubuntu worldwide.

sudo apt-get purge base-files

WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  base-files bash
0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
After this operation, 4,525 kB disk space will be freed.
You are about to do something potentially harmful.
To continue type in the phrase 'Yes, do as I say!'
 ?]



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Sebastien Bacher
** Tags added: rls-ff-incoming



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Guy Baconniere
The original request for motd-news came from Dustin Kirkland on
2016-10-30

https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1637800



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Guy Baconniere
motd-news is present in Nvidia Jetson Nano (derived from Ubuntu)
and Ubuntu for Raspberry Pi. It is enabled by default and also calling Home
Ubuntu via Amazon Cloud.

motd-news is also present in Ubuntu Core 18 for embedded systems (like Tesla
Car) but unlike Ubuntu Server and Desktop Distro it is not enabled by default.
I don't have a Tesla car to verify if it is enabled or not.

unxz ubuntu-core-18-amd64.img.xz
sudo mount -o loop,offset=$((106496*512)) ubuntu-core-18-amd64.img /mnt/
sudo unsquashfs -d /tmp/core18 /mnt/system-data/var/lib/snapd/seed/snaps/core18_1668.snap
/tmp/core18/etc/default/motd-news
/tmp/core18/etc/update-motd.d/50-motd-news
/tmp/core18/lib/systemd/system/timers.target.wants/motd-news.timer
/tmp/core18/var/lib/systemd/deb-systemd-helper-enabled/motd-news.timer.dsh-also
/tmp/core18/var/lib/systemd/deb-systemd-helper-enabled/timers.target.wants/motd-news.timer

sudo grep ENABLED /tmp/core18/etc/default/motd-news 
ENABLED=0

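Added example (not part of the original message or of Ubuntu's own tooling): the manual check above as a shell function that audits an unpacked or mounted root for motd-news, using the paths listed in the message. It assumes the script only contacts the server when ENABLED is exactly 1; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mounted or unpacked root filesystem for motd-news.
# Paths are the ones listed in the message above. Assumption: the script
# only phones home when ENABLED is exactly 1.

# Print the effective ENABLED value from a motd-news defaults file.
# The last uncommented assignment wins; quotes and trailing comments
# are stripped. Prints "unset" when the file or the key is missing.
motd_news_enabled_value() {
    [ -r "$1" ] || { echo "unset"; return 0; }
    val=$(sed -n 's/^[[:space:]]*ENABLED=[[:space:]]*//p' "$1" | tail -n 1 |
          sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
              -e "s/^[\"']//" -e "s/[\"']\$//")
    echo "${val:-unset}"
}

# Report on one root directory. Output is key=value lines, the last of
# which is verdict=absent|disabled|enabled.
motd_news_audit() {
    root=${1%/}
    script="$root/etc/update-motd.d/50-motd-news"
    conf="$root/etc/default/motd-news"
    timer="$root/lib/systemd/system/timers.target.wants/motd-news.timer"

    if [ ! -e "$script" ]; then
        echo "verdict=absent"
        return 0
    fi

    enabled=$(motd_news_enabled_value "$conf")
    # In an unpacked image the timer symlink usually dangles (its target is
    # an absolute path), so test for the link itself as well as the target.
    if [ -e "$timer" ] || [ -L "$timer" ]; then
        timer_state=wanted
    else
        timer_state=none
    fi

    echo "enabled_value=$enabled"
    echo "timer=$timer_state"
    if [ "$enabled" = "1" ]; then
        echo "verdict=enabled"
    else
        echo "verdict=disabled"
    fi
}

# Demo on a constructed tree that stands in for /tmp/core18.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/default" "$demo_root/etc/update-motd.d" \
         "$demo_root/lib/systemd/system/timers.target.wants"
printf '#!/bin/sh\n' > "$demo_root/etc/update-motd.d/50-motd-news"
printf '# constructed sample\nENABLED=0\n' > "$demo_root/etc/default/motd-news"
ln -s /lib/systemd/system/motd-news.timer \
      "$demo_root/lib/systemd/system/timers.target.wants/motd-news.timer"
motd_news_audit "$demo_root"
rm -rf "$demo_root"
```

Run it against `/` on an installed system or against each unpacked image root; a timer that is wanted while the verdict is disabled means the script still starts on schedule and exits early.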


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-05 Thread Guy Baconniere
This is more than just a Telemetry, it is a Trojan in Ubuntu Distro.

A remote code-execution (RCE) vulnerability
in all Ubuntu of the world!  Why?

Simple

curl is launched as root (not the best practice!),
and Ubuntu Distro fetches https://motd.ubuntu.com multiple times per day.
If someone (like 3-letters or 4 letters) controls this Amazon Web server,
knowing the version of curl (provided by the script), and exploits any local
known vulnerability present in curl or uses a curl zero day, it will have
"root" access to any Ubuntu Server or Desktop, Laptop of the world!

Proof of Concept

Add the following before the for calling curl in
/etc/update-motd.d/50-motd-news

date +'%Y-%m-%d %H:%M:%S' >> /tmp/test
whoami >> /tmp/test
echo $USER_AGENT >> /tmp/test

wait 12 hours... or 12:00 / 00:00 or reboot

cat /tmp/test

2020-06-05 12:00:00
root
curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/**-generic/x86_64 Intel(R)/Core(TM)/i7-**/CPU/@/*GHz uptime/70.55/921.20 cloud_id/unknown

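Added example (not from the original post or from base-files): a shell helper that splits a motd-news User-Agent, as quoted in the message above, into the host facts it discloses, for reviewing proxy or egress logs. The field layout is inferred from the samples in this thread, the second uptime number is assumed to be the idle counter from /proc/uptime, and the function names and sample string are constructed.

```shell
#!/bin/sh
# Added example: list what a motd-news User-Agent tells the server.
# Layout inferred from the samples quoted in this thread:
#   curl/<ver> Ubuntu/<release> GNU/Linux/<kernel>/<arch> <cpu> uptime/<a>/<b> cloud_id/<id>

# Print one key=value line per disclosed fact. Tokens that match no known
# prefix are treated as the CPU model (spaces were sent as slashes).
motd_ua_fields() {
    printf '%s\n' "$1" | awk '
    {
        cpu = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^curl\//) {
                print "curl_version=" substr($i, 6)
            } else if ($i ~ /^Ubuntu\//) {
                print "release=" substr($i, 8)
            } else if ($i ~ /^GNU\/Linux\//) {
                n = split(substr($i, 11), k, "/")
                print "kernel=" k[1]
                if (n > 1) print "arch=" k[2]
            } else if ($i ~ /^uptime\//) {
                n = split(substr($i, 8), u, "/")
                print "uptime_seconds=" u[1]
                # Assumption: second value is the /proc/uptime idle counter.
                if (n > 1) print "idle_seconds=" u[2]
            } else if ($i ~ /^cloud_id\//) {
                print "cloud_id=" substr($i, 10)
            } else {
                cpu = cpu (cpu == "" ? "" : " ") $i
            }
        }
        if (cpu != "") {
            gsub("/", " ", cpu)
            print "cpu=" cpu
        }
    }'
}

# Succeed when a User-Agent carries the host facts motd-news appends,
# which an ordinary curl User-Agent does not.
motd_ua_is_beacon() {
    case "$1" in
        *" uptime/"*" cloud_id/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the same layout as the one in the message.
sample_ua='curl/7.68.0-1ubuntu2 Ubuntu/20.04/LTS GNU/Linux/5.4.0-00-generic/x86_64 Example(R)/CPU/@/2.00GHz uptime/70.55/921.20 cloud_id/unknown'

if motd_ua_is_beacon "$sample_ua"; then
    motd_ua_fields "$sample_ua"
fi
```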


[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Thanks Canonical for this great Telemetry masterpiece
hidden in a Daily "News" (Message of the Day) deep inside
the core of Ubuntu.

I found it active on all the Ubuntu laptops of my friends
and coworkers, all Ubuntu servers from local ISP and my
work. As well as on all Ubuntu flavours and Ubuntu derived
Linux distros.

It is also present in cloud-init images of major cloud providers,
and all Docker images from Docker Registry based on Ubuntu.

What a (s)hell for transparency!



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Please give the Message of the Day (MOTD) every time I get online on the
Internet or I reboot my Ubuntu computer ...

Hold on, connecting to Amazon Cloud (Amazon Data Services)
motd.ubuntu.com ...

Your message of the day is

Building Trust is Hard, Breaking Trust is Easy

In exchange, please give me your User-Agent with all your private information
so I know who you are (IP, Ubuntu Cloud ID, Linux Kernel Version, Curl version,
etc.)

GET /bionic/x86_64 HTTP/1.1
Host: motd.ubuntu.com
User-Agent: curl/7.58.0-2ubuntu3.8 Ubuntu/18.04.3/LTS GNU/Linux/4.15.0-72-generic/x86_64 Intel(R)/Core(TM)/i5-8500B/CPU/@/3.00GHz uptime/108266.13/212047.71 cloud_id/unknown
Accept: */*

https://ma.ttias.be/what-exactly-being-sent-ubuntu-motd/

[Unit]
Description=Message of the Day
After=network-online.target
Documentation=man:update-motd(8)

[Service]
Type=oneshot
ExecStart=/etc/update-motd.d/50-motd-news --force

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Part of the base OS ... resistance is futile

dpkg -L base-files | grep motd-news
/etc/default/motd-news
/etc/update-motd.d/50-motd-news
/lib/systemd/system/motd-news.service
/lib/systemd/system/motd-news.timer

sudo grep news /var/log/syslog
Jun  4 04:44:22 mbx 50-motd-news[94986]:  * MicroK8s gets a native Windows installer and command-line integration.
Jun  4 04:44:22 mbx 50-motd-news[94986]:  https://ubuntu.com/blog/microk8s-installers-windows-and-macos
Jun  4 04:44:22 mbx systemd[1]: motd-news.service: Succeeded.
Jun  4 08:57:00 mbx systemd[1]: motd-news.timer: Succeeded.

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Well known... 
https://twitter.com/search?q=ubuntu%20motd-news=typed_query=live

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Thanks security-conscious Dustin Kirkland for this great bash script
("I've insisted on shell here for transparency! - Dustin ")
and other contributions like NSA's SELinux or security-sensitive
software like Pollinate (Entropy-as-a-Service in the cloud) via
https://entropy.ubuntu.com

Packing so much sensitive info inside User-Agent sent daily by default
from all Ubuntu to https://motd.ubuntu.com is brilliant!

less /etc/update-motd.d/50-motd-news
```
#50-motd-news - print the live news from the Ubuntu wire
#Copyright (C) 2016-2017 Canonical Ltd.
#Copyright (C) 2016-2017 Dustin Kirkland

##
# This program could be rewritten in C or Golang for faster performance.
# Or it could be rewritten in Python or another higher level language
# for more modularity.
# However, I've insisted on shell here for transparency!
# - Dustin
##

# Curl browser version, for debug purposes
curl_ver="$(dpkg -l curl | awk '$1 == "ii" { print($3); exit(0); }')"

# Distribution version, for messages related to this Ubuntu release
. /etc/lsb-release
lsb=$(echo "$DISTRIB_DESCRIPTION" | sed -e "s/ /\//g")
codename="$DISTRIB_CODENAME"

# Kernel version and CPU type, for messages related to a particular revision or hardware
platform="$(uname -o)/$(uname -r)/$(uname -m)"
arch="$(uname -m)"
cpu="$(grep -m1 "^model name" /proc/cpuinfo | sed -e "s/.*: //" -e "s:\s\+:/:g")"
cloud_id="unknown"
if [ -x /usr/bin/cloud-id ]; then
    /usr/bin/cloud-id > "$CLOUD" 2>/dev/null
    if [ $? -eq 0 ]; then
        # sanitize it a bit, just in case
        cloud_id=$(cut -c -40 "${CLOUD}" | tr -c -d '[:alnum:]')
        if [ -z "${cloud_id}" ]; then
            cloud_id="unknown"
        fi
    fi
fi

# Some messages may only be pertinent before or after some amount of uptime
read up idle < /proc/uptime
uptime="uptime/$up/$idle"

# Piece together the user agent
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id"

...

# Fetch and print the news motd
if curl --connect-timeout "$WAIT" --max-time "$WAIT" -A "$USER_AGENT" -o- "$u" >"$NEWS" 2>"$ERR"; then

```

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
Anyone privacy-conscious using any version of Ubuntu should do this in a shell ASAP

sudo sed -i -r 's/(ENABLED)=.+/\1=0/' /etc/default/motd-news

-- 
Status in base-files package in Ubuntu:
  Confirmed


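Added example, not part of the original message or of Ubuntu's packaging: a stricter variant of the one-liner above that rewrites only live `ENABLED=` assignments, appends one when none exists, and reports the resulting state. The function names and the sample file are constructed for illustration; it assumes plain KEY=VALUE lines.

```shell
#!/bin/sh
# Added example: audit and switch off ENABLED in a motd-news defaults file.
# Assumes plain KEY=VALUE lines; function names are illustrative.

# motd_news_state FILE -> enabled | disabled | other:<value> | unset | missing
motd_news_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    # Commented-out examples do not count as assignments.
    if ! grep -q '^[[:space:]]*ENABLED=' "$1"; then
        echo unset; return 0
    fi
    # If the file is sourced as shell (assumption), the last live
    # assignment is the effective one.
    _v=$(sed -n 's/^[[:space:]]*ENABLED=//p' "$1" | tail -n 1 | tr -d "\"' ")
    case $_v in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo "other:$_v" ;;
    esac
}

# motd_news_disable FILE: set ENABLED=0 and verify the result.
motd_news_disable() {
    [ -w "$1" ] || { echo "cannot write $1" >&2; return 1; }
    _tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*ENABLED=' "$1"; then
        # Rewrite live assignments only; comment lines stay byte-identical.
        sed 's/^[[:space:]]*ENABLED=.*/ENABLED=0/' "$1" > "$_tmp"
    else
        # Nothing to rewrite: append an explicit assignment instead.
        { cat "$1"; echo 'ENABLED=0'; } > "$_tmp"
    fi
    cat "$_tmp" > "$1"              # write back in place, keeping owner and mode
    rm -f "$_tmp"
    [ "$(motd_news_state "$1")" = disabled ]
}

# Demo on a constructed copy, so nothing under /etc is touched.
motd_news_demo() {
    _f=$(mktemp) || return 1
    printf '%s\n' '# Enable/disable the dynamic MOTD news service' \
        '# ENABLED=0 turns it off' 'ENABLED=1' > "$_f"
    echo "before: $(motd_news_state "$_f")"
    motd_news_disable "$_f" && echo "after:  $(motd_news_state "$_f")"
    rm -f "$_f"
}
motd_news_demo
```

On a real host the argument would be /etc/default/motd-news, run with root privileges.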

[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
This ticket should be updated to Security issue +250 points

I highly doubt that this Motd News "feature" is compliant with EU's
General Data Protection Regulation since daily reporting of the computer's
info proceeds without the user's consent. Cf. GDPR application
comments [https://gdpr.eu/eu-gdpr-personal-data/], in particular with
respect to Recital 30 [https://gdpr.eu/recital-30-online-identifiers-for-profiling-and-identification/]

Internet protocol (IP) addresses; information that is related to an
individual’s tools, applications, or devices, like their computer.

Daily report of the computer's private info without the user's consent


It affects Ubuntu Servers and Desktop (including roaming computers like laptops)
since at least 18.04 LTS and also the current 20.04 LTS

Sensitive data sent
- IP address of the computer running Ubuntu
- Date of the HTTPS query
- Kernel Version
- CPU Vendor and Model
- Uptime
- Cloud identifier
- Version of Curl so version of Ubuntu running ...

$curl_ver $lsb $platform $cpu $uptime $cloud_id

Sample from our PC Engines running Ubuntu 18.04 LTS:
```
curl/7.58.0-2ubuntu3.8 GNU/Linux/4.15.0-101-generic/x86_64 AMD/GX-412TC/SOC uptime/692518.54/2755023.47 cloud_id/unknown
```

https://motd.ubuntu.com/ 
```
 * MicroK8s gets a native Windows installer and command-line integration.

 https://ubuntu.com/blog/microk8s-installers-windows-and-macos
```

The perfect opportunity to map all Ubuntu Linux users worldwide on a
daily basis?

https://gdpr.eu/eu-gdpr-personal-data/
https://gdpr.eu/checklist/

See also
https://askubuntu.com/questions/1105825/why-lubuntu-18-04-calls-amazon-servers-motd-ubuntu-com

-- 
Status in base-files package in Ubuntu:
  Confirmed


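Added example, not part of the original messages or of Ubuntu's code: the User-Agent layout quoted in this thread (`curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id`) split into named fields and used to find which clients in a proxy log still send it. The function names, the `ip|user-agent` log format and the 192.0.2.x addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Ubuntu's code: split a motd-news User-Agent into named
# fields by token shape and flag matching clients in a proxy log.

# The two User-Agent strings quoted in this thread, line wraps rejoined.
UA_BIONIC='curl/7.58.0-2ubuntu3.8 Ubuntu/18.04.3/LTS GNU/Linux/4.15.0-72-generic/x86_64 Intel(R)/Core(TM)/i5-8500B/CPU/@/3.00GHz uptime/108266.13/212047.71 cloud_id/unknown'
UA_PCENGINES='curl/7.58.0-2ubuntu3.8 GNU/Linux/4.15.0-101-generic/x86_64 AMD/GX-412TC/SOC uptime/692518.54/2755023.47 cloud_id/unknown'

# motd_ua_field UA NAME: print one field's value (empty line if absent).
# Tokens are classified by shape, not position, because the second sample
# carries no distro token and a positional split would shift every field.
motd_ua_field() {
    _ua=$1; _want=$2; _found=
    set -f                          # keep '*' or '?' in a token from globbing
    for _tok in $_ua; do
        case $_tok in
            curl/*)     _name=curl_ver; _val=${_tok#curl/} ;;
            uptime/*)   _name=uptime;   _val=${_tok#uptime/} ;;
            cloud_id/*) _name=cloud_id; _val=${_tok#cloud_id/} ;;
            Ubuntu/*)   _name=distro;   _val=$_tok ;;
            */Linux/*)  _name=platform; _val=$_tok ;;
            *)          _name=cpu;      _val=$_tok ;;
        esac
        if [ "$_name" = "$_want" ]; then _found=$_val; break; fi
    done
    set +f
    printf '%s\n' "$_found"
}

# A plain curl request has no uptime/ or cloud_id/ token, so requiring all
# three avoids flagging ordinary curl traffic. This matches the curl-based
# format quoted in this thread only.
is_motd_news_ua() {
    [ -n "$(motd_ua_field "$1" curl_ver)" ] &&
    [ -n "$(motd_ua_field "$1" uptime)" ] &&
    [ -n "$(motd_ua_field "$1" cloud_id)" ]
}

# Read "client_ip|user-agent" lines on stdin; print what each flagged
# client disclosed about its kernel and CPU.
motd_news_clients() {
    while IFS='|' read -r ip ua; do
        if is_motd_news_ua "$ua"; then
            printf '%s kernel=%s cpu=%s\n' "$ip" \
                "$(motd_ua_field "$ua" platform)" "$(motd_ua_field "$ua" cpu)"
        fi
    done
}

# Constructed proxy log: two motd-news clients, a browser and a plain curl.
SAMPLE_LOG="192.0.2.10|$UA_BIONIC
192.0.2.11|Mozilla/5.0 (X11; Linux x86_64)
192.0.2.12|$UA_PCENGINES
192.0.2.13|curl/7.58.0"

printf '%s\n' "$SAMPLE_LOG" | motd_news_clients
```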

[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Guy Baconniere
** Tags added: bionic cosmic disco

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-06-04 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: base-files (Ubuntu)
   Status: New => Confirmed

-- 
Status in base-files package in Ubuntu:
  Confirmed



[Touch-packages] [Bug 1867424] Re: motd-news transmitting private hardware data without consent or knowledge in background

2020-03-22 Thread Norbert
** Also affects: base-files (Ubuntu)
   Importance: Undecided
   Status: New

** No longer affects: ubuntu-mate

** Tags added: eoan focal

-- 
Status in base-files package in Ubuntu:
  New
