Friday, February 22, 2013

Exposed If You Use Ubuntu - Amazon Monopoly Is Watching You!

Privacy in Ubuntu 12.10: Full Disk Encryption

Full Disk Encryption (FDE) is one of the best ways you can ensure all of the private information on your laptop stays private in case it's lost, seized, stolen, or if you choose to sell or give away your computer in the future. This feature has been built into many GNU/Linux distributions, including Ubuntu, for many years. But until the recent release of Ubuntu 12.10, it was hidden away in the "alternate" text-mode installer of Ubuntu that many non-technical users don't even know exists.

At EFF we believe that powerful encryption should be available to everyone, including people who want to use a computer that "just works," and that security should be turned on by default. So in May of 2011, we encouraged Ubuntu developers to build user-friendly FDE options into the graphical Live CD installer that they encourage everyone to download.

It took a year and a half, but the Ubuntu developers finally delivered, and they did an excellent job. When you install Ubuntu, now there's a checkbox to "Encrypt the new Ubuntu installation for security." Users who are new to GNU/Linux and just making the switch can easily have the same level of security against physical-access attacks as seasoned nerds.

It's important to pick a good passphrase that's hard to guess. If you have a weak passphrase, attackers will be able to guess it and access all your data anyway. But on the flip side, if you forget your passphrase yourself, all of your data will be lost. After setting up FDE for the first time, you might consider writing your passphrase down and keeping it somewhere safe, and only destroying it if you're certain you have memorized it. You'll need to type this passphrase each time you boot up your computer.

Ubuntu FDE is Good For Other Distributions Too

This is good news not just for Ubuntu users, but for users of all GNU/Linux distributions that are downstream from Ubuntu. The above screenshots come from ubiquity, the simple graphical live CD installer that Canonical developed. Every distribution that uses ubiquity as an installer will soon also make it easy for users to use FDE. The up-and-coming distribution Linux Mint, for example, is based on Ubuntu, but there is currently no simple way to install it with disk encryption. However, Linux Mint 14, scheduled for release at the end of this month, will be based on Ubuntu 12.10 and should include the new version of ubiquity, therefore making it easy for users of that operating system to use FDE as well.

How This Came to Be

For years, Ubuntu users have been hoping for FDE support in ubiquity, but not enough people were demanding this feature to make it a high priority for Ubuntu. In May of 2011, shortly after the release of Ubuntu 11.04, EFF wrote a blog post that encouraged people to upvote this feature request on the Ubuntu Brainstorm website. Thousands of users who wanted better security quickly upvoted this idea, making it one of the most popular feature requests ever on Ubuntu Brainstorm.

Ubuntu developers quickly responded by creating a blueprint for the feature on their bug tracker, ensuring that it would eventually make it into a release. They didn't start it in time for the Ubuntu 11.10 release, so they pushed it into 12.04 instead. But because 12.04 was a Long Term Support release they decided it was too large a feature, and finally pushed it back to the 12.10 release.

FDE support in ubiquity finally shipped last month when Ubuntu 12.10 came out. We would like to thank Canonical and the ubiquity team for listening to their users and helping to keep their private data private! We hope Canonical will also listen to their users and protect the privacy of their search terms by default.

Encryption for the People

Ubuntu had good timing with including FDE in this release too.

In the last few months there has been a resurgence in crypto-related activism and education, largely through local events called CryptoParties. According to the wiki, "CryptoParties are meetups to share and learn basic cryptographic tools such as PGP/GPG, Tor, OTR, TrueCrypt, etc. - the CryptoParty idea was a response to the Australian government passing new data retention laws - it has now become a global, decentralised movement." EFF activists sent a message of support to CryptoParty Melbourne, and EFF staff have spoken at CryptoParty Oakland and are helping organize CryptoParty San Francisco.

One of EFF's missions has been to encrypt as much of the web as possible, and with the browser extension HTTPS Everywhere for Firefox and Chrome we have been encrypting the connections to thousands of websites for millions of users. We also created a Surveillance Self-Defense site to educate the public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.
We think encrypting your hard drive is a fundamental privacy safeguard. In fact, we think it's so important that we challenged Internet users to make a New Year's resolution for 2012 to encrypt their devices.

Now that Ubuntu has made disk encryption more accessible and user-friendly, we're hoping all Ubuntu users will encrypt their hard drives. Many other GNU/Linux distributions also support FDE in their installers. If you're using Windows, you can encrypt your hard drive with TrueCrypt or the built-in but proprietary BitLocker (only available in Windows 7 Ultimate and Enterprise, and in Windows 8 Pro and Enterprise). If you use Mac OS X Lion or newer you can encrypt your hard drive by turning on FileVault, which is also proprietary.

We also hope that users will install HTTPS Everywhere in their web browser, start using Off-the-Record to encrypt their instant messages, and use Tor if they wish to protect their anonymity online. Open source encryption tools are getting easier to use and more widespread all the time. Strong encryption is one of our main hard-fought tools that we can use to protect our:
  • Data in case our hard drives end up in other people's hands (particularly important when bringing a laptop across the U.S. border)
  • Privacy against warrantless wiretapping, deep packet inspection, session hijacking, and other types of attacks
  • Free speech rights and open access to information
When you use encryption you're not only improving your security, you're also asserting your rights. Let's make encryption ubiquitous.

Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks

Earlier this month the eagerly awaited free software operating system Ubuntu 12.10 was released, and it includes a slew of new features (YouTube link), some of which have infuriated users because of privacy concerns.

Over the last couple of years Canonical Ltd, the company that develops Ubuntu, has been pushing the Ubuntu desktop in new directions with the desktop environment called Unity. A key feature of Unity is Dash, a single place to search for apps, documents, music, and other data on your computer. Starting with the latest release of Ubuntu, Dash is also starting to search the Internet for you. While some people find this convenient, others find it a violation of their privacy. Luckily, Ubuntu makes it easy to turn this off. Scroll down to "How to Disable Amazon Ads and Data Leaks" to learn how.

The first thing you'll notice about the new Dash is that when you search for something, you not only see local files but also Amazon-affiliated advertisements for products. There has been a massive outcry of complaints from the Ubuntu community about this, as well as bug reports, both serious ("Don't include remote searches in the home lens", "Direct data leaking to Amazon") and tongue in cheek ("grep -R doesn't automatically search amazon", "Spyware coverage incomplete - limited to Dash"). Mark Shuttleworth, the founder of Ubuntu, defended the decision to include Amazon ads in Dash:

"We are not telling Amazon what you are searching for. Your anonymity is preserved because we handle the query on your behalf. Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err."

Technically, when you search for something in Dash, your computer makes a secure HTTPS connection to, sending along your search query and your IP address. If it returns Amazon products to display, your computer then insecurely loads the product images from Amazon's server over HTTP. This means that a passive eavesdropper, such as someone sharing a wireless network with you, will be able to get a good idea of what you're searching for on your own computer based on Amazon product images.
Searching Dash for "porn"
It's a major privacy problem if you can't find things on your own computer without broadcasting what you're looking for to the world. You could be searching for the latest version of your résumé at work because you're considering leaving your job; you could be searching for a domestic abuse hotline PDF you downloaded, or legal documents about filing for divorce; maybe you're looking for documents with file names that will give away trade secrets or activism plans; or you could be searching for a file in your own local porn collection. There are many reasons why you wouldn't want any of these search queries to leave your computer.

It's Not Just Amazon

The new version of Dash that comes with Ubuntu 12.10 introduces more than just Amazon ads. It includes a new legal notice that you can see by clicking the "i" in the corner of Dash that states that by using Dash, you automatically agree to send your search term and IP address to a number of third parties.

"Unless you have opted out, we will also send your keystrokes as a search term to and selected third parties so that we may complement your search results with online search results from such third parties including: Facebook, Twitter, BBC and Amazon. Canonical and these selected third parties will collect your search terms and use them to provide you with search results while using Ubuntu."

Ubuntu's Third Party Privacy Policies page lists all of the third parties that they may send your search term and IP address to, and states: "For information on how our selected third parties may use your information, please see their privacy policies." In other words, once they give your data away, it's no longer their problem.
Canonical is not clear about which third parties it sends data to and when, but it appears that many of these third parties only get searched in certain circumstances. Ubuntu's new Online Accounts feature lets you authorize Ubuntu to use your accounts from Facebook, Twitter, Google, Flickr and other services for Ubuntu apps. Dash will likely search these services for photos, documents, and other content only after you've authorized Ubuntu to use them.

Canonical has been listening to feedback from Ubuntu users and they are working on improvements to Dash, such as loading Amazon images over HTTPS to prevent eavesdroppers from learning what users search for, and NSFW filters so that pornography doesn't appear in Dash. These changes are great, but they don't change the fact that users' search queries automatically get sent to third party companies without giving users a chance to opt in.

Even if Amazon product images are loaded over HTTPS instead of HTTP, the fact that they are loaded directly from Amazon's servers instead of from Canonical's means that Amazon has the ability to correlate search queries with IP addresses. One way to fix this would be for Canonical to proxy all third party images and other content for Ubuntu users.

How to Disable Amazon Ads and Data Leaks

You can uninstall Dash's Amazon integration by removing the package called unity-lens-shopping from your computer. If you are currently using Ubuntu 12.10, you can click here to open unity-lens-shopping in Ubuntu Software Center, and then click the "Remove" button on the right. You can also uninstall it by opening the Terminal app and typing:
sudo apt-get remove unity-lens-shopping
If you want Dash to only search your local computer and not search the Internet at all, you can open the Privacy app and switch "Include online search results" from on to off, as pictured below.
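
The two steps above can be verified from a terminal. The script below is an added example, not part of the original article: it reports whether unity-lens-shopping is still installed and whether online search is switched off. It assumes the Privacy app's "Include online search results" switch is stored in the gsettings key com.canonical.Unity.Lenses remote-content-search (values all or none); the function names are this example's own.

```shell
#!/bin/sh
# Added example: audit the two Dash settings described in this section.

# Print "installed" or "absent" for a package; "unknown" if dpkg is missing.
# A package that was removed but left config files behind counts as absent.
pkg_state() {
    command -v dpkg-query >/dev/null 2>&1 || { echo unknown; return 0; }
    status=$(dpkg-query -W -f='${Status}' "$1" 2>/dev/null) || status=""
    case "$status" in
        "install ok installed") echo installed ;;
        *)                      echo absent ;;
    esac
}

# Print the online-search setting ("all" or "none"); "unknown" if unreadable.
# Assumption: the Privacy app toggle maps to this gsettings key.
remote_search_state() {
    command -v gsettings >/dev/null 2>&1 || { echo unknown; return 0; }
    v=$(gsettings get com.canonical.Unity.Lenses remote-content-search 2>/dev/null) || v=""
    v=$(printf '%s' "$v" | tr -d "'")   # gsettings prints the value in quotes
    echo "${v:-unknown}"
}

# Pure decision: combine package state and search setting into one verdict.
dash_verdict() {
    pkg=$1
    search=$2
    case "$pkg/$search" in
        */none)        echo "OK: online search is off, Dash searches this computer only" ;;
        absent/all)    echo "PARTIAL: Amazon lens removed, other online sources still receive queries" ;;
        installed/all) echo "LEAK: queries are sent online and Amazon results are shown" ;;
        *)             echo "UNKNOWN: could not read state ($pkg/$search)" ;;
    esac
}

# Remediation, for reference:
#   sudo apt-get remove unity-lens-shopping                               (from the article)
#   gsettings set com.canonical.Unity.Lenses remote-content-search none   (assumed key)
dash_verdict "$(pkg_state unity-lens-shopping)" "$(remote_search_state)"
```

A PARTIAL verdict is the case the "It's Not Just Amazon" section describes: removing the shopping lens alone does not stop search terms from going to the other third parties.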

Finally, if you don't like the direction that Unity is going but you still like the Ubuntu operating system, you can switch to a different desktop environment altogether such as GNOME 3, KDE, or Cinnamon.

You can get GNOME 3 by installing the package called gnome-shell. You can get KDE by installing the package called kde-full. And you can get Cinnamon by adding the Cinnamon PPA to your repositories and then installing the package called cinnamon. Once you have installed a new desktop environment, you can choose which one you want to use from your login screen. Click the Ubuntu logo next to your username to change your desktop environment.

What EFF Wants From Ubuntu

Ubuntu is the third most popular desktop operating system, and it's the most popular free software one. Many of EFF's employees run Ubuntu on their own computers. Here is what we would like to see from future versions of Ubuntu.
  • Disable "Include online search results" by default. Users should be able to install Ubuntu and immediately start using it without having to worry about leaking search queries or sending potentially private information to third party companies. Since many users might find this feature useful, consider displaying a dialog the first time a user logs in that asks if they would like to opt in.
  • Explain in detail what you do with search queries and IP addresses, how long you store them, and in what circumstances you give them to third parties.
  • Make the Search Results tab of the Privacy settings let users toggle on and off specific online search results. Some users might want Amazon products in their search results, but never anything from Facebook.
  • We love that Ubuntu is bold enough to break new ground and compete directly with the large proprietary operating systems, but please make sure that you respect your users' privacy and security while you're doing it. Windows and Mac users are used to having their data sent to third parties without their express consent by software companies that are trying to maximize profits for their shareholders. Let's make sure Ubuntu, like the GNU/Linux operating system at its heart, remains an exception to this.

Richard Stallman Talks About Ubuntu & Its Privacy-Invading (According to EFF and FSF) Features.

Download And Try Another Free Operating System Here:



