Open source
  • Bandwidth benchmark
  • TouchWidgets UI lib
  • Diviner big number math
  • Documentation
  • x86 instructions ref
  • GIT quick ref
  • GPG quick ref
  • Avoid Ubuntu
  • Android malware risks
  • iOS malware risks
  • OS/X security tips
  • Who blocks Tor
  • Software engineering
  • BASH aliases
  • I.B. pro/con
  • Nutrition
  • Other apps
  • Contact
    1 at zsmith dot co

    Is There Spyware in Ubuntu?

    Revision 23.
    © by
    All rights reserved.

    The Problem with Ubuntu

    In 2009, Jane Silber became the CEO of Canonical. Canonical makes Ubuntu.

    Jane Silber's previous job was within the US Military Industrial Complex, specifically at the C4 Systems division of General Dynamics. It turns out that C4 Systems focuses on using computers for spying.

    From their website: "General Dynamics C4 Systems is a trusted leader in the development of intelligence and information gathering systems for national defense and homeland security. These systems are designed to receive, process, exploit and disseminate information -- in different forms and often from different networks -- and distribute relevant information to operators, both in the field and at higher headquarters."

    Link: The Register story about Jane Silber.
    Link: C4 systems website.

    Why did Canonical hire Silber? When searching for a CEO, Canonical surely had many candidates to choose from. What work experiences had Jane Silber built up that made her appear to Canonical's leadership to be the best candidate? It's reasonable to deduce that her having created spyware was her main selling point and the reason why she was hired. Looking at her CV, nothing else stands out. Another factor might have been any connections she made with potential clients while doing her spyware gig.

    Does open-source mean safe?

    No. There is no reason to assume that the compiled executables and libraries that comprise most of Ubuntu are built from the same source code that Canonical makes publicly available. It may have had patches added that provide spying capability. Any spyware in the object code only needs to behave stealthily.

    A related example: Trojanized open source SSH software PuTTY used to steal information.

    To be perfectly safe, you should compile Ubuntu (or any GNU/Linux) from sources yourself.

    1. Obtain the original source code.
    2. Inspect the source code for clear spyware. (E.g. grep it for networking system calls or manually review it.)
    3. Inspect the source code for vulnerabilities e.g. which take the form of mistakes like the 2014 Apple SSL goto bug.
    4. Compile the source code yourself using a non-corrupted compiler on a non-corrupted system that is itself built from sources (e.g. Gentoo). NOTE: A compiler that is of a simple design is more likely to be secure than one that is complex like GCC or LLVM.
    5. Package the compiled software in the same safe environment.
    6. Install the OS on a safe computer e.g. one whose hard drive firmware has not be replaced with spyware.
    7. Keep all source code patched with the latest security fixes.
    But above all, if you want to be safe, don't beat a path directly to a company or CEO that has a history of creating spyware. It is obviously unwise to do so.

    In addition, don't assume open source means that code is proven to be secure, nor that open source implies the code has received a proper security audit or even a code review.

    A related lecture about the security of binaries: CCC 2014: Reproducible Builds.

    Properly framing the discussion

    There is no grading system that describes the risk of surveillance when using various operating systems. Perhaps there should be.

    Yes, we should be concerned about malware and exploits by obvious criminals, but we really need to be wary of OS providers as well since they may have business connections to nefarious government and corporate entities and can be easily influenced.

    Here is an easy, fun color-coded scheme that I designed to warn users:

    High risk of backdoors and spyware Examples: Microsoft Windows; Ubuntu; Android; iOS & OS/X with iCloud
    Medium risk of backdoors and spyware Examples: Slackware; OS/X & iOS without iCloud.
    Low risk of backdoors and spyware Examples: Debian; Gentoo GNU/Linux
    Safe enough for daily use Examples: ReactOS; Haiku; 32-bit MenuetOS; FreeDOS
    Entirely secure No known examples.

    My revised rating point system (up to 10 points):

    • If a connection to a cloud service is enabled (iCloud, Windows 10) add 1 point.
    • If the OS provider is known to have held back zero day vulnerability information from the public but not the NSA (Microsoft), it is high risk (7) add 1 point.
    • If a computer has an Intel or AMD processor, add 1 point because of Intel Management Engine (ME). This is a second CPU that exists in all modern Intel processors and has been called a rootkitter's dream. The AMD CPUs are suspected to have an equivalent secondary processor.
    • If the OS provider is a part of the NSA PRISM program, the risk is higher (+1).
    • Complexity: The more lines of code, the higher the risk (+1). Complex software generally has more security holes than simple software.
    • If the OS is closed source or it cannot be feasibly compiled by a technically adept user, the risk is higher (+1).
    • If the OS provider has inserted backdoors in the past (Windows 98 etc.), the risk is higher (+1).
    • If the OS provider is an individual and therefore vulnerable to coercion (Slackware), the risk is higher (+1).
    • If the OS provider pedigree includes a history of specifically making spyware, add 1 point.
    • If the OS is not build from source code during installation, add 1 point.

    Obviously these various security problems don't deserve equal weighting, and should not be thought of as anything but unweighted points.


    Name Cloud 0 day ME PRISM complex closed backdoor individual spying !source
    Win 10 on x86 1 1 1 1 1 1 1 0 0? 1
    Slackware on x86 0 0 1 0 1 0 0 1 0 1
    Debian on x86 0 0 1 0 1 0 0 0 0 1
    OS/X no iCloud 0 0 1 1 1 1 0 0 0 1
    OS/X with iCloud 1 0 1 1 1 1 0 0 0 1
    iOS no iCloud 0 0 0 1 1 1 0 0 0 1
    Ubuntu on x86 1 0 1 0 1 0 0 0 1 1
    Gentoo on x86 0 0 1 0 1 0 0 0 0 0
    Gentoo on ARM 0 0 0 0 1 0 0 0 0 0
    MenuetOS on x86 0 0 1 0 0 0 0 0 0 0


    Name Negative points
    Win 10 on x86 8
    Slackware on x86 4
    Debian on x86 3
    OS/X no iCloud 5
    OS/X with iCloud 6
    iOS no iCloud 4
    Ubuntu on x86 5
    Gentoo on x86 2
    Gentoo on ARM 1
    MenuetOS on x86 1


    Nothing to see here, move along...

    What is it called when a person becomes anxious about an idea that conflicts with what he wants to believe?
    Cognitive dissonance.

    What is the typical result of cognitive dissonance?
    Irrational rejection of the offending idea regardless of its merits. The person may also cease inquiry into related topics.

    What is such a prejudiced rejection of different ideas called?
    Confirmation bias.

    Does anyone have a political, financial, or personal interest in suppressing concerns about spyware-laden operating systems?
    Yes, for instance the US government and the military-industrial complex have an interest in making sure there is spyware in Linux. The NSA's mandate is to obtain all data, so there must not be any island of privacy.

    Where would such parties dispel public concern about spyware in Ubuntu or other OSes?
    Online forum postings, comment-area postings, tech news punditry, etc.

    Do online forums or comment-areas ever have fake commenters trying to manipulate public opinion?
    The existence of paid commenters and automated commenter bots (social bots) in some online forums is proven. However they are probably outnumbered by fanboys.

    What terms describe this practice of manipulation?
    ♦ Astroturfing: which means creating a fake grassroots operation.
    ♦ Sock-puppetry: which means creating fake personas online.

    What expressions are used to discourage public speculation, while conveniently avoiding debate and investigation of facts?
    Conspiracy theorist, tinfoil hat.

    How to understand the Ubuntu-China connection?

    It was announced in early 2013 that Ubuntu would become the official provider of GNU/Linux OS in China, with China deeming Ubuntu Kylin their reference OS. Engadget story.

    China is a police state. When political protests happen, they literally crush human beings under tanks and farm equipment (google it). The Chinese leadership has demonstrated by prefer software that permits them to engage in surveillance on their citizens. The fact that Ubuntu Kylin is going to be used in China suggests that Kylin at least contains spyware. If Kylin did not contain something very useful in addition to GNU/Linux then the Chinese would just create their own distro, which in fact they did by developing the previous Kylin, which was based on FreeBSD. China also created Red Flag Linux.

    Ubuntu Kylin is expected to have integration with an array of Chinese services including banks and music providers, and to include popular Chinese apps like WPS, and to provide customized Chinese data entry. However Ubuntu Kylin is described as a continuation of the previous FreeBSD-based Kylin OSes, and it is not clear that previous Kylin OSes did not already have these features. Canonical is not an expert on the Chinese market. China does have programmers already who can perform those customizations. So what did Ubuntu add? I posit they provided spyware, specifically spyware that is better than what China itself can devise.

    Any spyware could come from C4 due to the Silber connection, or perhaps Silber brought a spyware-writing team with her to Canonical. It most likely wouldn't be open-source software, because after all why would the Chinese government respect an open-source license to begin with? So it is a piece of closed-source software that quietly exfiltrates information to cloud servers that are running other closed-source software from Ubuntu. Presumably China will attempt to decompile and reverse engineer the closed-source spyware.

    © Zack Smith