I recommend the following action points to restore a bit of trust in Ubuntu Product after the introduction of motd-news by Dustin Kirkland (ex-VP Product at Canonical):

- Run all motd scripts, including motd-news AND curl, as a non-privileged account, not as root
- Move motd-news functionality from base-files to a removable package called motd-news
- Set ENABLED to 0 by default on all Ubuntu distros, or at least ask for the user's consent (during install and later with cloud-init)
- Remove private information from the User-Agent (uptime, kernel version, curl version, type of cloud) and stop using HTTPS headers such as User-Agent as a proxy to exfiltrate sensitive info from Ubuntu
- Make the code behind https://motd.ubuntu.com auditable, signed and open source
- Check the logs of https://motd.ubuntu.com for whether it has been compromised in the last 3 years; if it has, report it so people can reinstall their Ubuntu server, desktop or laptop to restore trust

Currently Ubuntu users are trapped, as they can only disable motd-news but not uninstall it, and any software update of base-files could bring back the security issue. Anyone who has access to motd.ubuntu.com (or via DNS + MITM) could in theory execute code on any Ubuntu if a serious vulnerability in curl has been found or if the user did not update curl. Running curl as root and reporting the curl version and the kernel version gives all the information needed to implement a persistent backdoor in any Ubuntu worldwide.

  $ sudo apt-get purge base-files
  WARNING: The following essential packages will be removed.
  This should NOT be done unless you know exactly what you are doing!
    base-files bash
  0 upgraded, 0 newly installed, 5 to remove and 26 not upgraded.
  After this operation, 4,525 kB disk space will be freed.
  You are about to do something potentially harmful.
  To continue type in the phrase 'Yes, do as I say!'
   ?]

--
https://bugs.launchpad.net/bugs/1867424

Title:
  motd-news transmitting private hardware data without consent or knowledge in background

Status in base-files package in Ubuntu:
  Confirmed

Bug description:
  In package base-files there is a script /etc/update-motd.d/50-motd-news that harvests private hardware data from the machine and transmits it in the background every day. There is no notice, no consent, no nothing. This should be disabled by default until there is informed consent.

  The solution is simple:
  1. Change ENABLED=1 to ENABLED=0 in the file /etc/default/motd-news, and
  2. Place a comment in the file disclosing the fact that the 50-motd-news script will harvest private hardware data and upload it to motd.ubuntu.com daily if the end-user enables it.

  Creating databases that map IP addresses to specific hardware is a threat to both privacy and security. If an adversary knows the specific hardware and the IP address for that hardware, their ability to successfully attack it is greatly increased.
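As an added example (not part of the bug thread and not code from Ubuntu's base-files package), the POSIX shell functions below audit the ENABLED switch in /etc/default/motd-news that both comments point to, and apply the ENABLED=0 change plus the disclosure comment the bug report asks for. The functions take the file path as an argument so they can be exercised against a constructed copy of the configuration; the sample configuration text, the wording of the disclosure comment and the helper names (motd_news_enabled, motd_news_disable, audit_system, demo) are this example's own assumptions. The audit treats a file with no uncommented ENABLED line as "not enabled"; confirm that against the 50-motd-news script shipped on your release before relying on it.

```shell
#!/bin/sh
# Added example, not code from base-files or from the bug thread.
# Audits and hardens the ENABLED switch of /etc/default/motd-news.
# Functions take a file path so they can run against a constructed copy.

# motd_news_enabled FILE
# Returns 0 when the last uncommented ENABLED= assignment in FILE is 1
# (quotes and surrounding whitespace tolerated), 1 otherwise. Taking the
# last assignment mirrors what a shell sourcing the file would end up with.
motd_news_enabled() {
    file="$1"
    [ -r "$file" ] || return 1
    val=$(grep -E '^[[:space:]]*ENABLED=' "$file" | tail -n 1 \
          | cut -d= -f2 | tr -d '"'"'"'[:space:]')
    [ "$val" = "1" ]
}

# motd_news_disable FILE
# Rewrites every uncommented ENABLED= line to ENABLED=0 (or appends one when
# the file has none) and adds a disclosure comment once. Writes through a
# temp file so a failed sed never truncates the original.
motd_news_disable() {
    file="$1"
    tmp="$file.tmp.$$"
    # Disclosure wording is constructed for this example.
    note='# NOTE: with ENABLED=1, 50-motd-news uploads system details to motd.ubuntu.com daily'
    [ -f "$file" ] || : > "$file"
    if grep -qE '^[[:space:]]*ENABLED=' "$file"; then
        sed 's/^[[:space:]]*ENABLED=.*/ENABLED=0/' "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf 'ENABLED=0\n' >> "$file"
    fi
    grep -qF "$note" "$file" || printf '%s\n' "$note" >> "$file"
}

# audit_system
# Reports the state of the live paths named in the bug report; prints only,
# changes nothing.
audit_system() {
    conf=/etc/default/motd-news
    hook=/etc/update-motd.d/50-motd-news
    if [ -x "$hook" ]; then
        echo "hook present and executable: $hook"
    else
        echo "hook absent or not executable: $hook"
    fi
    if motd_news_enabled "$conf"; then
        echo "ENABLED=1 in $conf: daily fetch from motd.ubuntu.com is active"
    else
        echo "motd-news not enabled in $conf"
    fi
}

# Constructed sample of a default-shipped configuration; only the ENABLED
# key matters for this audit.
SAMPLE_CONF='# Enable/disable the dynamic MOTD news service
ENABLED=1
'

# demo: run the audit and the fix against a temporary copy of the sample.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CONF" > "$tmp"
    if motd_news_enabled "$tmp"; then
        echo "before: ENABLED=1 (background curl fetch would run)"
    fi
    motd_news_disable "$tmp"
    if motd_news_enabled "$tmp"; then
        echo "after: still enabled"
    else
        echo "after: motd-news disabled, disclosure comment added"
    fi
    rm -f "$tmp"
}

demo
audit_system
```

Running the script as root on a live system would change nothing; only motd_news_disable writes, and only to the path it is given. To apply the fix to the real file, call `motd_news_disable /etc/default/motd-news` explicitly with the needed privileges.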