Ubuntu decided to remove uptime from motd-news' data leak (exfiltration)
via User-Agent: and move /etc/default/motd-news conffile to the motd-
news-config package and switch from curl to wget.
Remove uptime from the motd-news user agent
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/18
On my point of view, it's NOT enough to implement a legal notice
https://ubuntu.com/legal/motd with technical errors and it is not
possible to verify that Canonical does not store the IP address of
Ubuntu users in Apache log (the default) and/or database without an
external auditor (PwC, EY, KPMG,
I added https://ubuntu.com/legal/motd to Archive.org's Internet Wayback
Machine
https://web.archive.org/web/20200713070037/https://ubuntu.com/legal/motd
** Attachment added: "canonical-legal-motd.pdf"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5392271/+files
https://ico.org.uk/make-a-complaint/your-personal-information-concerns/
To: ICO
Dear Information Commissioner’s Office,
I confirm that I want to proceed with the creation of the case about
Canonical's motd-news as Canonical don't want to remediate the privacy
issue of sending by default hardwar
https://news.softpedia.com/news/canonical-under-fire-for-putting-ads-in-the-ubuntu-motd-530372.shtml
Article like "Canonical Under Fire for Putting Ads in the Ubuntu MOTD"
miss the point that motd-news is not only displaying Advertising in the login
prompt but it a Privacy Nightmare because it ha
** Attachment added: "motd.ubuntu.com current Advertising for Canonical
Products"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389475/+files/ubuntu-desktop-2004-translate.png
--
You received this bug notification because you are a member of Ubuntu
Touch seed
** Attachment added: "Sample motd.ubuntu.com Ads from 2017"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389478/+files/ubuntu-desktop-2004-waybackmachine3.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, whic
** Attachment added: "motd-news force to run via motd-news.service and
motd-news.timer"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389472/+files/ubuntu-desktop-2004-terminal3.png
--
You received this bug notification because you are a member of Ubuntu
Touc
** Attachment added: "Privacy has not opt-out for motd-news hidden telemetry in
User-Agent"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389470/+files/ubuntu-desktop-2004-privacy.png
--
You received this bug notification because you are a member of Ubuntu
To
** Attachment added: "No, don't send system info NOT RESPECTED BY MOTD-NEWS"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389468/+files/ubuntu-desktop-2004-optout.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packag
** Attachment added: "Sample motd.ubuntu.com Ads from 2020"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389477/+files/ubuntu-desktop-2004-waybackmachine2.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, whic
** Attachment added: "motd-news ENABLED by default with telemetry every 12h
Without Consent"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389471/+files/ubuntu-desktop-2004-terminal2.png
--
You received this bug notification because you are a member of Ubuntu
** Attachment added: "motd-news is unremovable"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389480/+files/ubuntu-desktop-2004-system-failure1.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscri
** Attachment added: "motd.ubuntu.com is up since 2017"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389476/+files/ubuntu-desktop-2004-waybackmachine.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is
** Attachment added: "motd-news exfiltrate system information via User-Agent
and IP Address every 12 hours Without Consent"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389482/+files/ubuntu-desktop-2004-motd-news.png
--
You received this bug notification bec
** Attachment added: "motd.ubuntu.com hosted in the Amazon EC2 cloud in Dublin,
Leinster, Ireland"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389474/+files/ubuntu-desktop-2004-terminal4.png
--
You received this bug notification because you are a member of
** Attachment added: "Legal Notice DOES NOT COVER "motd-news" sending IP
address, Uptime, Idle time every 12h motd-news.service started during
installation Ubuntu Desktop 20.04 Without Consent"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389469/+files/ubuntu
** Attachment added: "Sample motd.ubuntu.com Ads from 2019"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389479/+files/ubuntu-desktop-2004-waybackmachine4.png
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, whic
** Attachment added: "Trying to remove motd-news via base-files will kill
Ubuntu"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389481/+files/ubuntu-desktop-2004-system-failure2.png
--
You received this bug notification because you are a member of Ubuntu
Touc
No updates from Canonical's legal departement
"A picture is worth a thousand words"
** Attachment added: "motd-news.service started during installation Ubuntu
Desktop 20.04 Without Consent"
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1867424/+attachment/5389467/+files/ubuntu
I too, would like to see this fixed. I initially reported something very
similar in https://bugs.launchpad.net/ubuntu/+source/base-
files/+bug/1701068 back in 2017.
This is unacceptable, especially for EU users. It needs to be an option
top opt-in at install time. By default I believe this should
FYI Canonical's legal departement is reviewing motd-news "feature" (such as
telemetry)
and will provide updated information next week.
All motd-news related tickets
https://bugs.launchpad.net/ubuntu/+source/base-
files/+bugs?field.searchtext=motd-
news&orderby=-datecreated&search=Search&field.st
I will first contact the Data Protection Officer (DPO) of Canonical Group
Limited
dataprotect...@canonical.com
https://ubuntu.com/legal/data-privacy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https
I have decided to contact ICO (Information Commissioner's Office).
Because Canonical Ltd. has handled my personal information
(IP address, Hardware CPU, Choice of Cloud Hosting, and various meta-data)
and the one of the company I work for without concent.
The same apply to all users of Ubuntu (
Best practices by Dustin Kirkland
https://manpages.ubuntu.com/manpages/focal/en/man5/update-motd.5.html
- No mention of curl running as root
- No mention of the exfiltration of private data done via User-Agent
- No mention of the novel concept of advertising via motd
- No mention of using motd-ne
And don't tell me that the fact that Canonical use motd as Telemetry was done
transparently,
with clear documentation... most users complain only about the advertising but
don't realize
that the motd-news is used as telemetry tool but seems to act as a advertising
/ news purpose
and the risk of
By the current design, you don't give choice to the Ubuntu users as they cannot
opt-out BEFORE
the laptop or server contacts motd.ubuntu.com sending the telemetry. By
implementing it as
essential package, you don't let user remove it but only disable it when it is
too late.
The same apply to la
Well, it is disappointing that you choose to close this as “won’t fix”.
As pointed out in the initial bug report, this “feature” is implemented without
notice or consent.
In other words, and to rephrase, this was done transparently in an hidden way.
Which is, to say the least, not corresponding
Maybe as manager of the Ubuntu Server team, you should ask to improve motd-news
software
to not curl as root.
You should also improve landscape and landscape on premises level of access so
any users
cannot list all processes and reboot any servers or execute shell script as
root.
Good luck, I
https://github.com/curl/curl/issues/5557
** Bug watch added: github.com/curl/curl/issues #5557
https://github.com/curl/curl/issues/5557
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.la
Thank you for taking the time to report this issue. As you note, this is
a long-standing feature of Ubuntu that Canonical leverages to help
understand our user base and improve and prioritize work that makes
Ubuntu better for all. I can assure you that all information is GDPR
compliant and that we
Privacy:
Ubuntu users don't have the opportunity to opt-out from motd-news before all
the private infos
and telemetry are sent via User-Agent. So even if people change ENABLED=1 to
ENABLED=0
in /etc/default/motd-news they only stop future leaks but the initial leak has
already been
done in back
All messages received over a year (Ubuntu 18.04):
* Congrats to the Kubernetes community on 1.16 beta 1! Now available
* Kata Containers are now fully integrated in Charmed Kubernetes 1.16!
* Keen to learn Istio? It's included in the single-package MicroK8s.
* Kubernetes 1.18 GA is now available!
The usage of motd-news as Advertising media for Canonical products is well
documented.
Now we need to know if Canonical share the crafted User-Agent with sensible
info in it with third party and use it for telemetry like Microsoft Windows 10.
Samples output of motd-news mirrored in both login pr
I don't think it was safe decision to link the security of Ubuntu
base OS to curl running as root every 12 hours via motd-news just
to display Ads for products and not important security messages
like suggested in the original ticket (1637800).
Just imagine the consequence of https://motd.ubuntu.
I recommend the following action points to restore a bit of trust in Ubuntu
Product
after the introduction of motd-news by Dustin Kirkland (Ex- VP Product at
Canonical)
- Run all motd scripts including motd-news AND curl as non privileged
account -- not as root
- Move motd-news functionality f
** Tags added: rls-ff-incoming
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowledge
The original request for motd-news came from Dustin Kirkland on
2016-10-30
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1637800
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.l
motd-news is present in Nvidia Jetson Nano (derived from Ubuntu)
and Ubuntu for Raspberry Pi. It is enabled by default and also calling Home
Ubuntu via Amazon Cloud.
motd-news is also present in Ubuntu Core 18 for embedded systems (like Tesla
Car)
but unlike Ubuntu Server and Desktop Distro it is
This is more than just a Telemetry, It as a Trojan in Ubuntu Distro.
A remote code-execution (RCE) vulnerability
in all Ubuntu of the world! Why?
Simple
curl is launched as root (not the best practice!),
and Ubuntu Distro fetch https://motd.ubuntu.com multiple times per day
if someone (like 3-
Thanks Canonical for this great Telemetry master piece
hidden in a Daily "News" (Message of the Day) deep inside
the core of Ubuntu.
I found it active on all the Ubuntu laptop of my friends
and coworkers, all Ubuntu servers from local ISP and my
work. As well as on all Ubuntu flavours and Ubuntu d
Please give the Message of the Day (MOTD) every time I get online on the
Internet
or I reboot my Ubuntu computer ...
Hold on, connecting to Amazon Cloud (Amazon Data Services)
motd.ubuntu.com ...
Your message of the day is
Building Trust is Hard, Breaking Trust is Easy
In exchange, please giv
Part of the base OS ... resistance is futile
dpkg -L base-files | grep motd-news
/etc/default/motd-news
/etc/update-motd.d/50-motd-news
/lib/systemd/system/motd-news.service
/lib/systemd/system/motd-news.timer
sudo grep news /var/log/syslog
Jun 4 04:44:22 mbx 50-motd-news[94986]: * MicroK8s get
Well known...
https://twitter.com/search?q=ubuntu%20motd-news&src=typed_query&f=live
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitti
Thanks security-conscious Dustin Kirkland for this great bash script
("I've insisted on shell here for transparency! - Dustin ")
and other contributions like NSA's SELinux or security sensible
software like Pollinate (Entropy-as-a-Service in the cloud) via
https://entropy.ubuntu.com
Packing so m
Anyone privacy-conscious using any version of Ubuntu should do this in a shell
ASAP
sudo sed -i -r 's/(ENABLED)=.+/\1=0/' /etc/default/motd-news
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://b
This ticket should be updated to Security issue +250 points
I highly doubt that this Motd News "feature" is compliant with EU's
General Data Protection Regulation since daily reporting of computer's
infos are proceeded without the user's consent. Cf. GDPR application
comments [https://gdpr.eu/eu-g
** Tags added: bionic cosmic disco
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launchpad.net/bugs/1867424
Title:
motd-news transmitting private hardware data without consent or
knowl
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: base-files (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.launc
** Also affects: base-files (Ubuntu)
Importance: Undecided
Status: New
** No longer affects: ubuntu-mate
** Tags added: eoan focal
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to base-files in Ubuntu.
https://bugs.
50 matches
Mail list logo
