Our DRMs will be cracked in seconds.
Since when do you need aliens for that?
Yes, this is Slashdot. But it isn't the Slashdot from 10 years ago when you could assume that everyone in here understood basic IT concepts. Nowadays you more likely than not have to explain them.
Fewer kids participate in tackle sports! What are we going to do now that fewer kids get injured pointlessly? We have to do something, dammit, we can't have that!
What? No, kids still can't climb on trees or play tag outside, they could get hurt needlessly. But wholesome activities like smashing into each other during school activities that protects the revenue of the sports industry is something we have to protect and treasure.
Actually, usually you have the second worst government because people were afraid that the even worse one could become it if they don't vote for him.
"If you create an entry point, even if it was for a benign actor, you create an attack vector for a nefarious one."
Better?
That's pretty much what I said in another post. Trust, but verify. They're upfront and (as far as I can tell for now) honest with what they want to collect and for what reason. We can immediately find out what they collect by taking a look at the data that is being sent, this being OSS it's trivial to do.
I am willing to trust them that the data collected will be used in the way they claim. Of course I will register an email-address exactly for this operation and use an IP-Address that I dedicate to this machine to see what's going to happen. Will I get directed and targeted spam on the mail address used? That's the verify part.
And once I know that the data is pseudonymized, I'll leave it checked.
What we'd need today is a government protecting us from our government.
The problem is that this is not the correct tool. You gain no safety because the criminals will simply move on while you eradicate the safety of your citizens by exposing them to hackers (both organized crime and foreign government sponsored) that get a hold of that backdoor.
"Government only backdoors" do not exist. If you create an entry point for a benign actor, you create an attack vector for a nefarious one.
If you implement backdoors in your software, you can as well close shop. Nobody, at least no company with at least a hint of self preservation, will buy your product. If I cannot trust my company trade secrets to be secret from espionage because your product is insecure (and yes, a backdoor makes a product insecure BY DEFINITION), I will not use your product.
No "government only" backdoor is "government only" for long. First of all, the mere existence of such a backdoor gets known at some point in time, as the past history of deliberate leaks or accidental blunders has shown. And no later than this, the company that actively and deliberately puts backdoors in its security software is done for, for the reasons aforementioned. Yes, even if they "fix" this immediately. Why should I trust you that you have no backdoors now? Fool me once and all that.
Second, a general key into the secrets of every company worldwide is prized. Not by hackers. By governments. And governments have WAY other options at their disposal than any basement dweller or even organized crime. You have seen what North Korea does with people that li'l Kim simply does not like? Now imagine what they do with people that could give them the key to the holy grail. You know the key? Well, you may be in for a decision who you love more, your country or your kids. Almost every person has a weak spot. There are very, very few people who cannot be at least blackmailed if they cannot be bribed. Your life, your freedom, your credit, your family... everyone breaks at some point.
And state actors, especially when acting for repressive regimes, don't mind cutting your unborn son out of your wife if that's what makes you hand over what you want.
Well, with a hint of luck, in 60 years the days of us fossil burners may be numbered...
So ... Soylent Green isn't people?
Not bit by bit but with a big bang
MAGA!
What they want to do (allegedly, and until the audit I'll give them the benefit of doubt) is to determine what modules the users actually install and what hardware they use. If that's all they collect, the explanation that they wish to focus their resources on developing tools and packages that most of their users benefit from seems legit.
Yes, I am willing to actually give a company that much credit. If, and only if, it is upfront with its plans instead of resorting to clandestine patches to sneak in spying into their system, reactivating those spying bits with every single patch they deliver, reactivate and reinstall software that took some deep magic to get rid of because the normal uninstall routines cannot get rid of those packets (and nobody on this planet can tell me that a cloud service or a calendar are "system critical" OS parts that you must not uninstall for ... reasons) and reset a bunch of other settings to whatever they deem the "default value" (like, say, changing the standard browser back to the clusterfuck they came up with for displaying webpages).
Honesty should pay off. Canonical was, at least as far as we can tell so far, honest by simply telling you what they plan to do instead of sneaking it into the product. I am actually willing to trust them. Because I can verify whether they are telling me the truth.
And that is also the difference between them collecting information and MS or Apple doing it. First, they can explain why they want it and the explanation is actually something that benefits the users. And second, I can find out if they're bullshitting me.
And trust is something that can easily be lost and is very, very hard to gain back.
The beauty is that you needn't trust them at all. You can audit them. Or wait 'til someone else does it, because you may rest assured that someone gets paranoid enough to do just that. If I was MS, I'd do it, just to deflect some of the bad press Win10 gets for spying on its users.
Or an attempt to get out and tack the free falling coins onto someone else before it's too late.
Still Windows. I need my computer for work, leisure, communication and lots more. I need my phone to make friggin' phone calls with people I don't like.
Primarily? No. But I enjoy gaming. And my privacy. What now?
So what we have is them threatening me with producing something that I'd actually want and a diffuse threat of "something bad could happen". Did I sum that up correctly?
The main difference between this and the shenanigans MS is pulling with Win10 is that in this case, you can fully audit what Canonical is getting about you. You can even change it if you so please by changing the underlying code. With Win10, you're facing a black box that sends data containing whatever information to its master.
I do hope you understand the difference.
Yup. And that was a reply to this having been yet another "smart" move by MS.
Great, now I'm hungry...
I could actually see some value in this for the customer. Knowing what your user base uses in hardware helps focusing your resources on the problems they may have. Personally, I'd hope that most of their users have nVidia cards so they could FINALLY justify throwing some manpower behind fixing that annoying "blank screen during install" problem (yes, I know the workaround, but how many people who never installed Ubuntu know it?).
I think it's also a pretty good tool to find out what people who don't know a lot about Linux want to do with it. I.e. why they are installing it in the first place. Just curiosity? Or did they hear that you can finally play on Linux and want to switch to it for gaming now, too? Or is it more an office thing?
Of course, anyone who knows a lot about Linux can configure it. But people new to the OS don't necessarily have the skill or the time to acquire it. And Canonical doesn't have limitless manpower to work on all jobs at the same time. Knowing what their users want to do with their system and putting their effort behind making this a priority is sensible.
Nah, who would be that stupid to call it something that sounds like you sign up for something? Would you execute something that deals with "registry"? I would expect this to actually make contact with some place and sign me up for something I don't want.
Call it something sensible, will ya?
It's reasonable to make "on" the default. First, anyone who installs Linux for the first time will not know what to choose and will probably rather go with the default than change something that might break something. And these are the people that, if I was the developer, I want to know the most about. Because first impressions and all that. If I notice that people install my system for the first time and I never hear from them again while there are others that continue using it, I want to know what caused the latter to stay and decide that the system is good. I want to know what modules they use and thus improve my default for those that do not know what modules will likely be interesting or useful to them.
Anyone who knows enough about Linux can easily identify that option and disable it if they so please, or they can even rewrite the installer for an automated installation without this being checked.
As long as it's prominently featured in the installation process and not hidden in some user config without a sensible user interface and given some cryptic name, it isn't that big a difference. Anyone who values his privacy will uncheck that box, and anyone who doesn't doesn't care either way anyway.