Ubuntu Founder Pledges No Back Doors In Linux (eweek.com)
Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report: One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.
Is this like the WMDs in Iraq??!
Shuttleworth is like any other citizen: a visit from the polite but scary government people will make him see the light.
Since Mark Shuttleworth is not in charge of Linux, I don't see how he can make this pledge.
Nothing drives me further from Microsoft and Blackberry than their CEOs being wishy-washy about if your device is secure, even against "lawful interception" or whatever the gentle euphemism for backdoor is these days. But my only qualm here is that Mark Shuttleworth isn't currently the CEO of Canonical, perhaps the company itself should make a strong statement to this effect?
Did you even read the summary?
His quote was:
"We will never backdoor Ubuntu; we will never weaken encryption,"
He never made any promises about Linux as a whole. Equating Ubuntu to Linux as a whole was a mistake of the editors here - not Shuttleworth.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
"We don't do encryption to hide things; we do encryption so we can choose what to share"
As a greybeard, fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not be encrypted. When you recontext my privacy in terms of what I'm willing to "share" with people it debases the very real need for encryption to circumvent things like warrantless wiretaps, blanket government surveillance, and invasive advertising. Stop treating me like a toddler for using cryptography.
"We will never backdoor Ubuntu; we will never weaken encryption"
Maybe you will, maybe you won't, but again, the point of Linux is that I don't need a 60 million dollar corporation to reassure me about privacy. If you do it --like you screwed developers with contributor agreements and the UI-- I'll just switch to a different distro or I'll fork yours.
Good people go to bed earlier.
Whoopee doo. He just said that Ubuntu won't mess with any of the Debian packages that they rebrand.
So what, it's the same thing.
Now, a real pledge would be that Ubuntu would actively audit security-critical packages from upstream providers to prevent disasters like the real-life backdoor that Debian added to OpenSSL when they screwed up the PRNG: https://freedom-to-tinker.com/...
Was it evil NSA conspiracy? No, but it was a real backdoor added to an open source project!
AntiFA: An abbreviation for Anti First Amendment.
Shuttlecock already frontdoored Ubuntu when they decided to send the user's LOCAL queries to Amazon without permission or notification. I never recommend anyone use Ubuntu for any reason after that incident.
Did you even read the summary?
Did you even read the headline?
Did you even read the comment? GP acknowledged the error and blamed Slashdot already.
systemd is Roko's Basilisk.
What are you going to do about the secret courts that you didn't know about making all those legal decisions you cannot tell us about?
You cannot even believe your parking tickets when that system exists.
Full transparency of the legal process is what must be enforced. How is the founder of some distro going to ensure that?
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
Exactly...he didn't try to hide it, and it's easy enough to disable. Yes, I know these kinds of things should be opt-in, but the difference between Ubuntu and, for example, Windows, is you're getting a polished OS at zero financial cost to you - and to add insult to injury, after paying for Windows it's nearly impossible to stop all the spying on you (especially for an average to newer user)... And I say that as someone who actually likes Windows 10, too.
No, the problem with CEOs and Presidents making claims like "no back doors" is that he can't control every employee, and while an employee might suffer the repercussions of an indiscretion like leaving a back-door in a program, so does the CEO and the company.
Stupid sexy Flanders.
Ever bother looking at that code?
Good luck proving there's no back door in that.
sudo apt-get remove backdoor
sudo apt-get remove backdoor-lib
and
sudo apt-get remove --purge NSA-spy-lib.4
After that you want to reboot and then do an update and upgrade.
Do not look at laser with remaining good eye.
S/he likes Windows 10.
I comment occasionally so that I can mod others -1 overrated or -1 offtopic.
Ultimately, I can configure the Linux kernel to block all outgoing traffic except to a proxy server, and only the web browser would use that, so any other programs on the machine will not be able to phone home. Windows, who knows what is phoning home, and where. The only way I can ensure a Windows box isn't yapping to unknown people is to place it on its own subnet/VLAN and use a proxy server for applications like Firefox that have a separate credential/proxy storage.
Still in use on Fedora and RHEL. Ubuntu and SUSE both use AppArmor instead.
Valid complaint. But I think you should give some credit to Canonical because it's no longer the default in 16.04. They learned from their errors.
Newsflash: Linux has "sold out". Even Slackware is being forced to go down that path, recently allowing PulseAudio to infect their system because (get this) Bluetooth won't work without it. (Are you kidding me?)
If you want pure and clean today, what you want is BSD.
If you don't like PulseAudio, uninstall it. If you have some pathological need to avoid it in your default install, use Gentoo.
Ubuntu Founder Pledges No Intentional Back Doors In Linux; Lots of Unintentional Back Doors.
If you're really concerned about security, you are likely running OpenBSD or a heavily-modified Linux kernel by now.
Linus Torvalds was asked during a LinuxWorld keynote two years back if he was told by government agents to put hardware backdoors in Linux. He said no, while nodding yes. His father, Nils Torvalds, a member of EU parliament, put it on the record that his son was approached by government agents requesting backdoors.
There is a known issue with the random number generator being _forced_ to do hardware-based (known to be broken on Intel/AMD chipsets) random number generation. Under Open/Net/FreeBSD, there's an intermediary (software) random number generator that ensures actual randomness. Linus uncharacteristically led this charge to keep the RDRAND weakened, even resorting to calling others stupid for thinking otherwise. A prominent developer resigned due to it.
There is at least one recent Intel Management Engine talk at last year's Chaos Communication Congress. There was a similar talk the year before about AMD chipsets and their secret undocumented internal firmware. If you enjoy strong encryption, you would be wise to apply the proposed RDRAND patches that Linus rejected.
Now that all the major distributions have adopted systemd, there's now a full RPC backdoor to not only the GPL's linking requirements, but a backdoor to run "Approved" (by whom? we'll get to that) code automatically. Many people have publicly posited that systemd will be the cause of "The Big One" vulnerability that eventually comes out of Linux and ruins its reputation.
Now, for the Ubuntu side: Canonical is incorporated in City of London, which means they are under the jurisdiction of GCHQ. Anyone who has watched/read a talk by Moxie Marlinspike will know that SSL/TLS is easily-spoofable by nation states. They will probably also know how exploitable SSL/TLS is today. All the draconian crap the GCHQ has jurisdiction over can easily be extended to a corporation registered under their governance. If Canonical refuses, they will be forced to, the way Google is forced to comply in the United States under similar framework. End result is that you cannot trust anything beyond your initial install CD, if you can even trust that.
You will likely never look through the custom patches compiled into your binaries, let alone think about Ken Thompson's "Trusting Trust" essay. You will just download your updates, and assume everything is A-OK. You are an end-user, and that's okay. Just don't think Shuttleworth's words are anything but a big fat placebo to keep his stock value afloat.
systemd is open source.
It's got systemd to keep the front door open all day long.
Since you're so confident that there's a backdoor in systemd, perhaps you could help us millions of plebs on it and show us for our own safety?
Running Gentoo. Full KDE5 desktop.
Never installed PulseAudio or Network Manager. Doing great with WPA_GUI and Jack2/Cadence. Bluetooth doesn't depend on either, and my wiimotes/speakers work great with the Bluetooth stack.
Jack allows me to take a WebRTC audio stream, pipe it into FL Studio (Under WINE!) for effects, and then pipe that output into Skype/Audacious/Audacity/VLC/ffmpeg/Carla at the same time, to as many different sound outputs as I want (even on different PCs!), in _realtime_. PulseAudio is a toy.
Was it evil NSA conspiracy? No, but it was a real backdoor added to an open source project!
Which was duly found and exposed, which is the point with open source. I certainly won't claim that no one will ever try something shady. What I do claim is that it will inevitably be brought to light. Can you say that about closed proprietary systems?
As should every F/OSS endeavor; from CLI utility to OS.
Oh sure, Windows 10 *looks* pretty, works reasonably well, but if you take into account the spyware aspects of it, it comes out being an "attractive nuisance", or as I like to call it, a CTD, a computer-transmitted disease, not unlike an STD.
THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
... I don't believe a word he says. Yes, Ubuntu is far and away the best OS choice today. And yes, Ubuntu is almost certainly already backdoored. Canonical does lawful business in anti-freedom countries like the United States and China. Therefore Canonical's software must be compromised.
Isn't it like saying 'I will never be a serial killer'? It's not like lying is worse than doing the act, so what would make a malicious actor even hesitate to make the same claim?
This is nothing about Canonical, just an observation on the pointlessness of such statements in general.
XML is like violence. If it doesn't solve the problem, use more.
With likely over 10,000 distinct authors of code, most without any type of mandated review process... Dude, I wouldn't be worried about 007 and Edward Snowden spying on you with Ubuntu. I'd be worried about your neighbor's anti-social looking teen having a trojan somewhere. Use Fedora. The NSA does :P
Go read the EULA then shut your trap.