Slashdot Mirror


Ubuntu Founder Pledges No Back Doors In Linux (eweek.com)

Mark Shuttleworth, founder of Canonical and Ubuntu Foundation, gave an interview to eWeek this week ahead of Ubuntu Online Summit (UOS). In the wide-ranging interview, Shuttleworth teased some features that we could expect in Ubuntu 16.10, and also talked about security and privacy. From the report:

One thing that Ubuntu Linux users will also continue to rely on is the strong principled stance that Shuttleworth has on encryption. With the rapid growth of the Linux Foundation's Let's Encrypt free Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate platform this year, Shuttleworth noted that it's a good idea to consider how that might work in an integrated way with Ubuntu. Overall, he said, the move to encryption as a universal expectation is really important. "We don't do encryption to hide things; we do encryption so we can choose what to share," Shuttleworth said. "That's a profound choice we should all be able to make." Shuttleworth emphasized that on the encryption debate, Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.

15 of 107 comments

  1. Yeah, right by Anonymous Coward · · Score: 2, Insightful

    Shuttleworth is like any other citizen: a visit from the polite but scary government people will make him see the light.

    1. Re:Yeah, right by KGIII · · Score: 2, Informative

      The headline is misleading and contradicts what the summary says. Mark has no such authority nor say. He's got no control over Linux. He uses the Linux kernel in Ubuntu and, rightfully, he spoke specifically about Ubuntu.

      The Ubuntu founder did not say what the headline claims. I was really kind of curious as to why he'd say such a thing and then I realized the summary actually told the truth. That's disappointing, Slashdot. Disappointing indeed. Then again, I haven't checked to see if the submitter was the one to insinuate that - they may also share culpability.

      I was kind of annoyed until I read the summary (then I was annoyed for other reasons). I mean, hell, I'm a pretty happy Lubuntu user and even I know that Mark's authority and control ends with Ubuntu. I also know that Ubuntu hasn't the manpower nor the expertise to review every line of code. It seemed a rather bizarre claim for him to have made. Fortunately, he said no such thing. He's said some odd things before but nothing like that. The latest oddity was the mention of the name for the next version of Ubuntu. Yakity (x8) yak. Of course.

      --
      "So long and thanks for all the fish."
  2. Canonical should make an official statement by LichtSpektren · · Score: 4, Interesting

    Nothing drives me further from Microsoft and Blackberry than their CEOs being wishy-washy about if your device is secure, even against "lawful interception" or whatever the gentle euphemism for backdoor is these days. But my only qualm here is that Mark Shuttleworth isn't currently the CEO of Canonical, perhaps the company itself should make a strong statement to this effect?

    1. Re:Canonical should make an official statement by Anonymous Coward · · Score: 5, Informative

      Agreed. When Linus was directly confronted about whether he has been approached about backdoors in Linux, he said no, but while nodding his head. What a trustworthy guy!

      Are you familiar with the concept of national security letters?
      Saying yes is the kind of action that makes you end up in a secret court where you aren't allowed to disclose any information to your lawyer.
      By saying no while nodding he has given us the information we need without breaking the gag-order.

  3. Re:Not For Him to Promise by Anonymous Coward · · Score: 2, Insightful

    What he's saying is that he will not willingly or knowingly allow or permit anything to be included in the userland, tool chains, and libraries that make Ubuntu what it is. The kernel is still open source and "given enough eyeballs, all bugs are shallow" (ESR). Anyone can take a look at the kernel sources given the skill and time. I agree with Mark. While Canonical does contribute to the kernel, as do Red Hat and others, FLOSS needs to ensure its own playground is clean.

  4. Re:Well Duh Shuttleworth by MBGMorden · · Score: 2

    Did you even read the summary?

    His quote was:

    "We will never backdoor Ubuntu; we will never weaken encryption,"

    He never made any promises about Linux as a whole. Equating Ubuntu to Linux as a whole was a mistake of the editors here - not Shuttleworth.

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  5. but that was the whole point. by nimbius · · Score: 3, Insightful

    The whole point of Linux was that you didn't have to make any fucking pledges. Linux is about choice and freedom, something that after your UI fiat to developers and branding ecosystem pitch I'm sure you know nothing about. Further, the nature of open source code itself discourages the kinds of back-doors and underhanded application programming that most Linux users are familiar with in proprietary closed source operating systems. Operating systems that are beginning to seem a lot like Ubuntu.

    "We don't do encryption to hide things; we do encryption so we can choose what to share"

    As a greybeard, Fuck your cloud and the sharing economy it rolled in on. When I choose what to share, I make it explicitly publicly available in a format that may, or may not be encrypted. When you recontext my privacy in terms of what I'm willing to "share" with people it debases the very real need for encryption to circumvent things like warrantless wiretaps, blanket government surveillance, and invasive advertising. Stop treating me like a toddler for using cryptography.

    "We will never backdoor Ubuntu; we will never weaken encryption"

    Maybe you will, maybe you won't, but again, the point of Linux is that I don't need a 60 million dollar corporation to reassure me about privacy. If you do it --like you screwed developers with contributor agreements and the UI-- I'll just switch to a different distro or I'll fork yours.

    --
    Good people go to bed earlier.
    1. Re:but that was the whole point. by KGIII · · Score: 2

      This is more a reminder than a personal question but I'm going to phrase it as a question - albeit a rhetorical one.

      When was the last time you returned some of those resources to the people you're relying on - such as donating to the various projects who write the source you use or maintain the distro that you use?

      --
      "So long and thanks for all the fish."
  6. Re:Not For Him to Promise by aethelrick · · Score: 2

    Nobody made any promises regarding Linux. As per the quote in the summary...

    Canonical and Ubuntu are crystal clear. "We will never backdoor Ubuntu; we will never weaken encryption," he said.

  7. Re: That must mean... by gfxguy · · Score: 4, Insightful

    Exactly...he didn't try to hide it, and it's easy enough to disable. Yes, I know these kinds of things should be opt-in, but the difference between Ubuntu and, for example, Windows, is your getting a polished OS at zero financial cost to you - and to add insult to injury, after paying for Windows it's nearly impossible to stop all the spying on you (especially for an average to newer user)... And I say that as someone who actually likes Windows 10, too.

    No, the problem with CEOs and Presidents making claims like "no back doors" is that he can't control every employee, and while an employee might suffer the repercussions of an indiscretion like leaving a back-door in a program, so does the CEO and the company.

    --
    Stupid sexy Flanders.
  8. Re: That must mean... by Anonymous Coward · · Score: 4, Insightful

    Ultimately, I can configure the Linux kernel to block all outgoing traffic except to a proxy server, and only the web browser would use that, so any other programs on the machine will not be able to phone home. Windows, who knows what is phoning home, and where. The only way I can ensure a Windows box isn't yapping to unknown people is to place it on its own subnet/VLAN and use a proxy server for applications like Firefox that have a separate credential/proxy storage.

  9. A complete sham by mushroom+blue · · Score: 3, Interesting

    If you're really concerned about security, you are likely running OpenBSD or a heavily-modified linux kernel by now.

    Linus Torvalds was asked during a LinuxWorld keynote two years back if he was told by government agents to put hardware backdoors in Linux. He said no, while nodding yes. His father, Nils Torvalds, a member of EU parliament, put it on the record that his son was approached by government agents requesting backdoors.

    There is a known issue with the random number generator being _forced_ to do hardware-based (known to be broken on Intel/AMD chipsets) random number generation. Under Open/Net/FreeBSD, there's an intermediary (software) random number generator that ensures actual randomness. Linus uncharacteristically led this charge to keep the RDRAND weakened, even resorting to calling others stupid for thinking otherwise. A prominent developer resigned due to it.

    There is at least one recent Intel Management Engine talk at last year's Chaos Communication Congress. There was a similar talk the year before about AMD chipsets and their secret undocumented internal firmware. If you enjoy strong encryption, you would be wise to apply the proposed RDRAND patches that Linus rejected.

    Now that all the major distributions have adopted systemd, there's now a full RPC backdoor to not only the GPL's linking requirements, but a backdoor to run "Approved" (by whom? we'll get to that) code automatically. Many people have publicly posited that systemd will be the cause of "The Big One" vulnerability that eventually comes out of Linux and ruins its reputation.

    Now, for the Ubuntu side: Canonical is incorporated in City of London, which means they are under the jurisdiction of GCHQ. Anyone who has watched/read a talk by Moxie Marlinspike will know that SSL/TLS is easily-spoofable by nation states. They will probably also know how exploitable SSL/TLS is today. All the draconian crap the GCHQ has jurisdiction over can easily be extended to a corporation registered under their governance. If Canonical refuses, they will be forced to, the way Google is forced to comply in the United States under similar framework. End result is that you cannot trust anything beyond your initial install CD, if you can even trust that.

    You will likely never look through the custom patches compiled into your binaries, let alone think about Ken Thompson's "Trusting Trust" essay. You will just download your updates, and assume everything is A-OK. You are an end-user, and that's okay. Just don't think Shuttleworth's words are anything but a big fat placebo to keep his stock value afloat.

    1. Re:A complete sham by Anonymous Coward · · Score: 2, Informative

      Theo Tso fixed it back in 2012 by just using it as an additional (but not sole) source of entropy:

      https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c2557a303ab6712bb6e09447df828c557c710ac9
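
The design the comment above describes, hardware RNG output used as an additional input rather than the sole source of entropy, sketched as an added example (not part of the original thread and not the kernel's code). `Pool`, `predictable_hw_rng` and the sample timing bytes are constructed for illustration.

```python
import hashlib

def predictable_hw_rng(n: int) -> bytes:
    """Constructed stand-in for a hardware RNG whose output an adversary can predict."""
    return hashlib.sha256(b"known-to-adversary").digest()[:n]

def key_from_hw_only(hw_rng) -> bytes:
    """Sole-source design: whatever the hardware returns is the key."""
    return hw_rng(32)

class Pool:
    """Toy entropy pool (hypothetical, not the kernel's): inputs are hashed in."""
    def __init__(self) -> None:
        self._state = bytes(32)

    def mix(self, source: str, data: bytes) -> None:
        # Length-prefix each field so distinct inputs cannot collide by concatenation.
        h = hashlib.sha256(self._state)
        for field in (source.encode(), data):
            h.update(len(field).to_bytes(4, "big") + field)
        self._state = h.digest()

    def extract(self) -> bytes:
        # Output and next state are derived separately, so an output does not reveal the state.
        out = hashlib.sha256(b"extract" + self._state).digest()
        self._state = hashlib.sha256(b"ratchet" + self._state).digest()
        return out

def key_from_mixed(hw_rng, other_inputs: dict) -> bytes:
    """Additional-source design: hardware output is one input among several."""
    pool = Pool()
    for name, data in sorted(other_inputs.items()):
        pool.mix(name, data)
    pool.mix("hw_rng", hw_rng(32))
    return pool.extract()

if __name__ == "__main__":
    guess = predictable_hw_rng(32)  # what the adversary can compute offline
    print("hw-only key predicted:", key_from_hw_only(predictable_hw_rng) == guess)
    boot_a = {"irq_timing": b"\x13\x9a\x02\x77", "disk_seek": b"\x40\x01"}  # constructed
    boot_b = {"irq_timing": b"\x13\x9a\x02\x78", "disk_seek": b"\x40\x01"}  # constructed
    ka, kb = (key_from_mixed(predictable_hw_rng, b) for b in (boot_a, boot_b))
    print("mixed keys differ across boots:", ka != kb, "| predicted:", ka == guess)
```
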

  10. Re:Your getting? by LVSlushdat · · Score: 2

    Oh sure, Windows 10 *looks* pretty, works reasonably well, but if you take into account the spyware aspects of it, it comes out being an "attractive nuisance", or as I like to call it, a CTD, a computer-transmitted disease, not unlike an STD

    --
    THANK YOU, Edward Snowden!! Americans owe you a debt of gratitude (whether they know it or not..)
  11. Re:Ubuntu Is Already Frontdoored by F.Ultra · · Score: 2

    There was notification, for fricking sake it was one of the selling points of the new search lens that you could get results from Amazon back. Also they didn't send it directly to Amazon, they routed all traffic by their own servers so that Amazon could not collect source IP for each query. While the setting to disable it might have been changed you could always just apt-get remove the shopping lens and get rid of it that way. And as of 16.04 the lens is not opt in as it should have been from the start.