Is There Spyware in Ubuntu?

Revision 24
© 2012-2018 by Zack Smith. All rights reserved.

The Problem with Ubuntu

In 2009, Jane Silber became the CEO of Canonical. Canonical makes Ubuntu.

Jane Silber's previous job was within the US Military Industrial Complex, specifically at the C4 Systems division of General Dynamics. It turns out that C4 Systems focuses on using computers for spying.

From their website: General Dynamics C4 Systems is a trusted leader in the development of intelligence and information gathering systems for national defense and homeland security. These systems are designed to receive, process, exploit and disseminate information -- in different forms and often from different networks -- and distribute relevant information to operators, both in the field and at higher headquarters.

Links: The Register story about Jane Silber; C4 Systems website.

Why did Canonical hire Silber? When searching for a CEO, Canonical surely had many candidates from which to choose. It is fair to ask, what work experiences had Jane Silber built up in her career that made Canonical's leadership think she was the best candidate? It's reasonable to deduce that her having managed the creation of spyware was a major selling point and the reason why she was hired, because looking at her CV, nothing else stands out. Another factor might have been any connections she made with potential clients while doing her spyware gig, which could open up new revenue streams for Canonical.

Does open-source mean safe?

No. Why would it? For one thing, there is no reason to assume that the compiled executables and libraries that comprise most of Ubuntu are built from the same source code that Canonical makes publicly available. Canonical may have a set of secret patches that they add that provide spying capability. Any spyware in the object code only needs to behave stealthily.

A related example: Trojanized open source SSH software PuTTY used to steal information.

To be perfectly safe with Ubuntu, you should compile Ubuntu (or any GNU/Linux) from sources yourself.

  1. Obtain the original source code.
  2. Inspect the source code for clear spyware. (E.g. grep it for networking system calls or manually review it.)
  3. Inspect the source code for vulnerabilities, e.g. mistakes like the 2014 Apple SSL goto bug.
  4. Link
  5. Compile the source code yourself using a non-corrupted compiler on a non-corrupted system that is itself built from sources (e.g. Gentoo). A compiler that is bare-bones and without optimizations is more likely to be safe than one that is complex like GCC or LLVM.
  6. Package the compiled OS in the same safe environment.
  7. Install the compiled OS on a safe computer, e.g. one whose hard drive firmware has not been replaced with spyware and whose Intel ME vulnerabilities have been mitigated.
  8. Keep all source code patched with the latest security fixes.
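A minimal first pass at step 2 above (grep the sources for networking calls), added here as an example and not taken from the original page. The call list, the file extensions and the two sample source files are constructed assumptions; a hit only marks code for manual review, since any network-capable program legitimately uses these calls.

```python
import os
import re
import tempfile

# Constructed list of calls worth a manual look. Presence is not proof of
# spying: a web browser legitimately uses every one of them.
NETWORK_CALLS = ("socket", "connect", "bind", "listen", "accept", "send",
                 "sendto", "sendmsg", "recv", "recvfrom", "recvmsg",
                 "getaddrinfo", "gethostbyname", "curl_easy_perform")
# Identifier immediately followed by '(' so that "socket_count" or "my_connect(" are skipped.
CALL_RE = re.compile(r"(?<![A-Za-z0-9_])(" + "|".join(NETWORK_CALLS) + r")\s*\(")

def scan_file(path):
    """Return [(line_number, call), ...] for every network call in one file."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as f:
        for lineno, line in enumerate(f, 1):
            hits.extend((lineno, m.group(1)) for m in CALL_RE.finditer(line))
    return hits

def scan_tree(root):
    """Map each C/C++ source file (path relative to root) that has hits to its hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith((".c", ".cc", ".cpp", ".h")):
                path = os.path.join(dirpath, name)
                hits = scan_file(path)
                if hits:
                    report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

# Constructed sample tree: one file that opens a socket, one that only
# mentions a similar-looking identifier and must not be reported.
SAMPLE_FILES = {
    "net/upload.c": "int up(void) {\n  int s = socket(AF_INET, SOCK_STREAM, 0);\n"
                    "  connect(s, 0, 0); sendto(s, 0, 0, 0, 0, 0);\n}\n",
    "lib/math.c": "int socket_count = 0;\nint add(int a, int b) { return a + b; }\n",
}

def demo():
    """Write the constructed sample tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(text)
        return scan_tree(root)
```

Point scan_tree at a real unpacked source package to get the list of files and lines to read by hand.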

But above all, if you want to be safe, don't beat a path directly to a company or CEO that has a history of creating spyware. It is obviously unwise to do so.

In addition, don't assume open source means that code is proven to be secure, nor that open source implies the code has received a proper security audit or even a code review.

A related lecture about the security of binaries: CCC 2014: Reproducible Builds.

How to rate insecurity

There is no grading system that describes the risk of surveillance when using various operating systems. Perhaps there should be.

Yes, we should be concerned about malware and exploits by obvious criminals, but we really need to be wary of OS providers as well since they may have business connections to nefarious government and corporate entities and can be easily influenced.

A color-coded system

Here is an easy and super fun color-coded scheme that I designed to warn users:

Red (f00)      High risk of backdoors and spyware     Examples: Microsoft Windows; Ubuntu; Android; Cloud platforms.
Orange (f90)   Medium risk of backdoors and spyware   Examples: Slackware; OS/X & iOS; Raspbian.
Green (0f0)    Low risk of backdoors and spyware      Examples: Debian; Gentoo GNU/Linux.
Blue (00f)     Safe enough for daily use              Examples: ReactOS; Haiku; 32-bit MenuetOS; FreeDOS.
Purple (808)   Entirely secure                        No modern examples.

A point system

A more laborious approach is to assign points for various risks. My revised rating point system (up to 10 points) is as follows:

  • If a connection to a cloud service is enabled (iCloud, Windows 10) add 1 point.
  • If the OS provider is known to have held back zero day vulnerability information from the public but not the NSA (Microsoft), add 1 point.
  • If a computer has an Intel or AMD processor, add 1 point because of Intel Management Engine (ME). This is a second CPU that exists in all modern Intel processors and has been called a rootkitter's dream. The AMD CPUs are suspected to have an equivalent secondary processor.
  • If the OS provider is a part of the NSA PRISM program, the risk is higher (+1).
  • Complexity: The more lines of code, the higher the risk (+1). Complex software generally has more security holes than simple software.
  • If the OS is closed source or it cannot be feasibly compiled by a technically adept user, the risk is higher (+1).
  • If the OS provider has inserted backdoors in the past (Windows 98 etc.), the risk is higher (+1).
  • If the OS provider is an individual and therefore vulnerable to coercion (Slackware), the risk is higher (+1).
  • If the OS provider pedigree includes a history of specifically making spyware, add 1 point.
  • If the OS is not built from source code during installation, add 1 point.

Obviously these various security problems don't deserve equal weighting, so the totals should be thought of as nothing more than unweighted tallies.

Name               Cloud  0 day  ME  PRISM  complex  closed  backdoor  individual  spying  !source
Win 10 on x86        1      1     1    1       1        1        1         0          0?       1
Slackware on x86     0      0     1    0       1        0        0         1          0        1
Debian on x86        0      0     1    0       1        0        0         0          0        1
OS/X no iCloud       0      0     1    1       1        1        0         0          0        1
OS/X with iCloud     1      0     1    1       1        1        0         0          0        1
iOS no iCloud        0      0     0    1       1        1        0         0          0        1
Ubuntu on x86        1      0     1    0       1        0        0         0          1        1
Gentoo on x86        0      0     1    0       1        0        0         0          0        0
Gentoo on ARM        0      0     0    0       1        0        0         0          0        0
MenuetOS on x86      0      0     1    0       0        0        0         0          0        0

Name               Badness points
Win 10 on x86      8
OS/X with iCloud   6
OS/X no iCloud     5
Ubuntu on x86      5
Slackware on x86   4
iOS no iCloud      4
Debian on x86      3
Gentoo on x86      2
Gentoo on ARM      1
MenuetOS on x86    1


Related: Windows Vista found to be sending information to Department of Defense, Homeland Security, Halliburton (Whitedust.net); the original detailed account with screenshots of Vista spying.

The whitedust page was curiously removed from Archive.org.

Questions and answers

What is it called when a person becomes anxious about an idea that conflicts with what he wants to believe?

Cognitive dissonance.

What is the typical result of cognitive dissonance?

Irrational rejection of the offending idea regardless of its merits. The person may also cease inquiry into related topics.

What is such a prejudiced rejection of different ideas called?

Confirmation bias.

Does anyone have a political, financial, or personal interest in suppressing concerns about spyware-laden operating systems?

Yes, for instance the US government and the military-industrial complex have an interest in making sure there is spyware in Linux. The NSA's mandate is to obtain all data, so there must not be any island of privacy.

Where would such parties dispel public concern about spyware in Ubuntu or other OSes?

Online forum postings, comment-area postings, tech news punditry, etc.

Do online forums or comment-areas ever have fake commenters trying to manipulate public opinion?

The existence of paid commenters and automated commenter bots (social bots) in some online forums is proven. However, they are probably outnumbered by fanboys.

What terms describe this practice of manipulation?

  • Astroturfing: which means creating a fake grassroots operation.
  • Sock-puppetry: which means creating fake personas online.

What expressions are used to discourage public speculation, while conveniently avoiding debate and investigation of facts?

Conspiracy theorist, tinfoil hat.

Where does the term conspiracy theory originate from?

According to Sharyl Attkisson in her book Smear, in 1974 the CIA put out a memo directing its operatives to build relationships with the media to promote this term in order to discourage evidence-based theorizing about JFK's assassination.