Is Ubuntu Linux spying on you?
6 points by anticristi 1 year ago | 4 comments

- LinuxBender 1 year ago
Is Ubuntu Linux spying on you?
It has in the past but I would be somewhat surprised if they did not learn from the blow-back unless they have entirely new leadership.
One small suggestion: instead of creating a systemd unit file on the host you are monitoring, I would suggest doing your captures on your router and also forcing all DNS through that router, using the nat table to capture 53 and 853 and blackholing all the commonly used DoH/DoT servers. Despite theories suggested on here in the past, none of the common DoH servers use shared CDN IPs. After blocking those IPs, reboot the host to clear the application DNS cache.
Boot up all the mainstream distributions to see which ones are being chatty. Another one that may be fun to play around with is the latest Fedora beta. No [Spoilers]. Have fun with it, don't just use tcpdump. Instead give bogon IPs for some of the names you see being requested after rebooting the VM and watch what breaks, then add that to your blog. Some apps may have hard-coded IPs to fall back on, like Windows has done since at least XP. QubesOS is one good way to try each of them out, including their beta versions and release candidates. The testing should be after a clean installation from the ISO and then again after an OS update and reboot, otherwise it could be applications you installed creating red herrings. The reason for testing after ISO and then again after OS update is to see if someone changed their mind about telemetry, or to see if people are playing cat-and-mouse when people document findings.
- anticristi 1 year ago
Indeed, the test you suggest would be a lot more thorough. Cool description, thanks!
I feel like my test somewhat assumes that the OS plays by the rules and doesn't desperately hide its communication.
In contrast, your test assumes that the OS is somewhat adversarial, e.g., the vendor of the OS ships it with malware ... or an AdTech partnership of some kind. :)
- LinuxBender 1 year ago
your test assumes that the OS is somewhat adversarial
This, and it makes the testing easier to reproduce for multiple images. This is useful if one has to perform forensics in dirty sandboxes on a dirty-net on a daily basis but is also useful for comparing the behavior of multiple releases of an OS to see "which one of these is not like the other". Sometimes changes are subtle so it can help to have an external method/device to diff DNS and firewall logs. I find this useful for finding changes that are not clearly documented in git. I should add in fairness to the OS developers it is rarely malevolent but rather they quietly fixed something embarrassing.
DNS logging can also be useful for finding applications that are lazy-coded to not cache results for the TTL specified by the record. I fought many battles ages ago with Java itself, not developer apps on top of Java, on this matter.
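A minimal version of the external log diff described in this comment, as an added example (not code from the thread): it parses dnsmasq-style `query[...]` lines captured on the router for two boots of an image, reports names that only one run requested, and flags names re-queried repeatedly in a short window as candidates for TTL-ignoring applications. The hostnames and log lines are constructed.

```python
"""Diff router DNS query logs between two boots of an OS image (added example)."""
import re
from collections import Counter

# dnsmasq `log-queries` format: "... query[A] name from client"
QUERY_RE = re.compile(r"query\[(\w+)\]\s+(\S+)\s+from\s+(\S+)")

# Constructed sample logs: clean ISO install (RUN_A) vs. after OS update + reboot (RUN_B).
RUN_A = """\
Jan 10 12:00:01 dnsmasq[812]: query[A] ntp.example-distro.test from 192.168.1.50
Jan 10 12:00:02 dnsmasq[812]: query[A] mirror.example-distro.test from 192.168.1.50
Jan 10 12:00:02 dnsmasq[812]: query[AAAA] mirror.example-distro.test from 192.168.1.50
Jan 10 12:00:05 dnsmasq[812]: query[A] ntp.example-distro.test from 192.168.1.50
Jan 10 12:00:09 dnsmasq[812]: query[A] ntp.example-distro.test from 192.168.1.50
"""
RUN_B = """\
Jan 11 09:00:01 dnsmasq[812]: query[A] ntp.example-distro.test from 192.168.1.50
Jan 11 09:00:02 dnsmasq[812]: query[A] mirror.example-distro.test from 192.168.1.50
Jan 11 09:00:03 dnsmasq[812]: query[A] metrics.example-distro.test from 192.168.1.50
"""


def parse_queries(log_text):
    """Return a Counter of (qtype, name) -> number of times it was queried."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2).lower().rstrip("."))] += 1
    return counts


def diff_names(run_a, run_b):
    """Names seen only in run B and only in run A: 'which one is not like the other'."""
    names_a = {name for _, name in parse_queries(run_a)}
    names_b = {name for _, name in parse_queries(run_b)}
    return sorted(names_b - names_a), sorted(names_a - names_b)


def chatty_names(log_text, threshold=3):
    """Names queried at least `threshold` times within one boot window.
    A proxy only: confirm against the TTL in the matching reply lines."""
    return sorted(name for (_, name), n in parse_queries(log_text).items() if n >= threshold)


if __name__ == "__main__":
    added, removed = diff_names(RUN_A, RUN_B)
    print("new after update:", added, "| gone after update:", removed)
    print("repeated queries in run A:", chatty_names(RUN_A))
```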
- elesiuta 1 year ago
I created picosnitch which may be of interest if you also want to see the executable behind each request, this way you wouldn't need to disable NextCloud, Dropbox, Slack, etc (the UI doesn't have negative filtering, yet, but everything is just an entry in a sqlite db).
It also gets the hash of each executable, which can be useful if you're running any containers with different versions of the same executable which would otherwise appear to have the same path.