48

In a blog post in response to the Amazon privacy controversy, Mark Shuttleworth wrote:

Don’t trust us? Erm, we have root. You do trust us with your data already. You trust us not to screw up on your machine with every update. You trust Debian, and you trust a large swathe of the open source community. And most importantly, you trust us to address it when, being human, we err.

What does he mean by "we have root"? Surely Canonical doesn't have root access to every machine running Ubuntu?

HighCommander4
  • 1,182
  • 1
  • 10
  • 11
  • 6
    If they wanted it, they would have it. That's the implication here. If you don't trust them, you shouldn't be using Ubuntu. – Oli Oct 28 '13 at 01:32
  • 1
    @Oli: I believe you meant to say that he should actually write his own operating system from scratch! And while he is at it, he should also design and manufacture his own electronics. Just to be on the safe side ;) – Ivan Kovacevic Oct 28 '13 at 01:57
  • @IvanKovacevic I see what you're saying but in the context of trusting Canonical and Ubuntu, it doesn't really apply. – Oli Oct 28 '13 at 02:12
  • @Oli: yeah but, who should we trust? Is there a Linux distribution or any OS for that matter that can really be recommended for being good/trustworthy or better said more trustworthy, in this context? – Ivan Kovacevic Oct 28 '13 at 02:31
  • 3
    we have root = we have access. – Ebenezar John Paul Oct 28 '13 at 08:29

5 Answers

65

The wording of that sentence may seem a bit worrying because in a way it implies that they have root access as a backdoor that is already installed and in use. The truth is that it was just bad wording from Mark and what he tried to explain is that, yes, they have potential root access to your machine because every package update runs as root and at that point they can do and install anything they want or anything that could potentially sneak in from some open source project.

If you also go through the comments on that blog post you will find Mark giving the answer to your question (his username in the comments is 'mark').

Someone asked him:

Sebastian says: (http://www.markshuttleworth.com/archives/1182#comment-396204)
September 23rd, 2012 at 11:42 am
Ermm. You have root? Details please.

and then Mark replied:

mark says: (http://www.markshuttleworth.com/archives/1182#comment-396225)
September 23rd, 2012 at 1:00 pm
@Sebastian – Every package update installs as root.

Ivan Kovacevic
  • 2,119
  • 5
  • 20
  • 21
  • 29
    Among Unix/Linux sysadmins, this will not be regarded as *bad wording*, but as a common shorthand way of saying what you're saying here. – reinierpost Oct 28 '13 at 06:23
  • 19
    Remember, the Unix folks even abbreviated `move` to `mv`. They're always a bit terse. – MSalters Oct 28 '13 at 07:52
  • 42
    Me `root`, you `/usr/jane`. – LateralFractal Oct 28 '13 at 09:34
  • 1
    He ought to mention that kernel, which includes Ubuntu patches, runs in privileged mode. – vartec Oct 28 '13 at 11:29
  • 3
    @MSalters My favourite thing about that is that all the short unix commands were implemented to avoid having to regularly swap out ink ribbons on the teletypes :) they're quicker to type too of course. – lynks Oct 28 '13 at 12:02
  • 1
    Of course "common shorthand among sysadmins" and "bad wording" are not necessarily mutually exclusive. Especially if the wording sounds ominous to non-sysadmins who are onlookers in a public forum. – LarsH Oct 28 '13 at 21:02
36

You trust them because they distribute the software that runs your computer. Their processes run as root: you have to trust them because the computer is in their hands, more so than it is in yours. While you are the administrator of the machine, you use their tools to do your administrator tasks.

The point he's making is that you can only run an OS distributed by a vendor that you trust perfectly and completely, because the vendor has unlimited power with respect to the computers the OS runs on.

In this case, he's pointing out the apparent absurdity of cries that Canonical is invading the privacy of its users through Amazon integration. If the company wanted to invade your privacy, they could do so in much subtler and more devious ways. But, he argues, you do trust Canonical; you have from the beginning if you run Ubuntu on your computer, as demonstrated by the fact that you run Ubuntu on your computer. So if you already trust them to do everything right, then you should trust them to do this right.

It's not a perfect argument, and I'm not sure it's even a valid argument. But that's his argument.

tylerl
  • 82,665
  • 26
  • 149
  • 230
  • 1
    It might not be perfect, but the idea that people think that Canonical is spying on them with their OPEN SOURCE OPERATING SYSTEM is stupid, and needs to be pointed out as stupid. – Warren P Oct 28 '13 at 00:43
  • 6
    @WarrenP , nope, with the scopes you are sending your search data straight to their servers. This means that you don't know how they're storing/using every single character that you write in the dash, hence the privacy concerns. – Francisco Presencia Oct 28 '13 at 01:01
  • 8
    The idea that Canonical is *spying* is probably a little silly. They have the means, but not the motive. Spying won't earn Canonical a penny. But what *will* earn them money is putting Amazon affiliate ads in your application menu, which is precisely what they've done. Crying foul is arguably appropriate, but "*spying*" is the wrong foul to call. – tylerl Oct 28 '13 at 01:22
  • 5
    @tylerl: You can't possibly be saying that there's no way to profit from espionage, selling data, etc. . . . – ruakh Oct 28 '13 at 01:25
  • 2
    @ruakh - there's money to be made in selling data, no doubt. But you have to have the right data to sell. Nobody is going to buy the list of applications I type in to unity. Nobody cares. The privacy scare is based in this absurd notion that because **some** personal data is valuable then therefore **all** personal data is valuable. Unless the data is directly actionable by a buyer, *nobody cares*. – tylerl Oct 28 '13 at 08:46
  • 3
    You are incredibly naive if you think nobody cares about the list of applications you type into unity. – orlp Oct 28 '13 at 09:10
  • 2
    @nightcracker When malware infects a user's workstation, it typically will intercept browser sessions, export saved passwords, carry out further attacks, and dozens of other activities. But one thing no malware does is export your search history. Even though it can. There's no market for illegally obtained behavioral history. No buyers. Even though the incremental cost of the data for the hacker is zero, there's no money to be made. No analytics or advertising company can buy black-market data, so it's worthless. You call me "incredibly naive", but have you really thought this through? – tylerl Oct 28 '13 at 09:32
  • 2
    @tylerl There might be some confusion here, I was talking about a legitimate source here. If a company can legitimately get their hands on your search history, they will definitely want to. – orlp Oct 28 '13 at 09:48
  • 1
    @nightcracker In order to *legitimately* get their hands on query data, they'd have to do it with permission, which is why the financial incentive for *spying* isn't there. Which brings us back to the original statement that started this discussion: **Spying won't earn Canonical a penny.** – tylerl Oct 28 '13 at 18:30
11

Basically, every distro has its own repository servers, which are the default option for the installed system to fetch packages from. This means that when you install a new package or download updates, these are downloaded from those repositories.

You (we) trust the repo maintainers that the packages they upload are not malicious. Most of the official repositories offer the sources to the available packages, so you could theoretically download the sources, see what they do, and compile them yourself. But nobody does that.

Some time ago most package repositories implemented a package signing feature. Each package uploader has a personal signing key with which he signs his packages before he uploads them to the repo. That stops a malicious attacker (who has broken into the repository server) from serving his altered packages. It does not affect the actions of the uploader though, who could if he wanted serve a modified package.

The way the package management in most distros works is that, for a package to be installed system-wide, it has to be installed with root privileges. Each package has hooks that must be run before and after installation for its correct setup, and these too run with root privileges.

So you could, again theoretically, update your system and download a malicious package without even knowing it.

The point that Shuttleworth was trying to make is that if they, as Canonical, wanted to run something malicious on our systems they already have a way.

trouble
  • 111
  • 3
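Worked model of the signing argument in this answer, added here and not part of the original post or of apt itself: the `SHA256:` table of a Release file is parsed in its real format, but the archive's OpenPGP signature is replaced by an HMAC with a constructed key so the example runs on the standard library alone. It shows which tampering a signed repository catches (an altered index or Release on a compromised mirror) and which it cannot (an uploader who signs the altered index with the real key).

```python
import hashlib
import hmac

# Hypothetical archive-signing key. Real apt repositories sign the Release file
# with an OpenPGP key (checked by gpgv); an HMAC stands in for that here.
ARCHIVE_KEY = b"constructed-archive-signing-key"

def sign_release(release: bytes) -> bytes:
    """Archive side: signature over the Release file (stand-in for OpenPGP)."""
    return hmac.new(ARCHIVE_KEY, release, hashlib.sha256).digest()

def build_release(index: bytes, path: str) -> bytes:
    # Archive side: minimal Release body whose SHA256 table lists one index file.
    digest = hashlib.sha256(index).hexdigest()
    return f"Suite: stable\nSHA256:\n {digest} {len(index)} {path}\n".encode()

def parse_release_hashes(release: bytes) -> dict:
    """Parse the 'SHA256:' table (' <hash> <size> <path>' lines) of a Release."""
    hashes, in_table = {}, False
    for line in release.decode().splitlines():
        if line.startswith("SHA256:"):
            in_table = True
        elif not line.startswith(" "):
            in_table = False           # any other field ends the table
        elif in_table:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes

def verify_index(release: bytes, sig: bytes, path: str, index: bytes) -> bool:
    """Client side: check the Release signature, then the hash it vouches for."""
    if not hmac.compare_digest(sign_release(release), sig):
        return False                   # Release altered by someone without the key
    expected = parse_release_hashes(release).get(path)
    if expected is None:
        return False                   # index not covered by the Release at all
    return len(index) == expected[1] and hashlib.sha256(index).hexdigest() == expected[0]

def scenarios() -> dict:
    # Constructed cases: honest mirror, compromised mirror, malicious uploader.
    path = "main/binary-amd64/Packages"
    honest = b"Package: hello\nVersion: 2.10-1\n"
    altered = b"Package: hello\nVersion: 2.10-1+backdoor\n"
    release = build_release(honest, path)
    sig = sign_release(release)
    forged = build_release(altered, path)   # mirror rewrites Release but has no key
    return {
        "honest": verify_index(release, sig, path, honest),
        "mirror_swaps_index": verify_index(release, sig, path, altered),
        "mirror_forges_release": verify_index(forged, sig, path, altered),
        "uploader_signs_altered": verify_index(forged, sign_release(forged), path, altered),
    }
```

The last case is the answer's point: signing binds the index to whoever holds the key, so a compromised mirror is caught but the key holder's own changes are accepted and then run as root.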
7

Ubuntu's installer and package manager run as root. They have to: that's the only way it can install an operating system. It also installs programs that run as root. Other Linux distributions (and other operating systems, for that matter) are no different, even though the exact particulars may change a little: Ubuntu just happens to be in scope for this discussion. There is basically no way around this, because part of the point of having a root account is so that nobody else can do these things, but somebody has to be able to do them.

Because of this, it would be trivial for the maker of an operating system to slip in a backdoor, and odds are, you would never even notice. For practical purposes, there is no way around this. You could get kind of close if you built your system yourself using Linux From Scratch, but this requires building your system yourself, and everything that entails (and actually, the LFS method requires you to do this twice). This is not something most people have the time, money, or expertise to do, and even if they did, it is still not a foolproof method of addressing this concern. The end result is that you have basically no choice but to trust the maker of your operating system.

The corollary to this is that you need to make sure that the maker of your operating system is someone you can trust. This part is where Shuttleworth's argument doesn't hold up so well. His stance reads far more like a confrontational "you have to trust us anyway so you should just deal with this" instead of an attempt to actually address, or even acknowledge, people's concerns.

The Spooniest
  • 1,647
  • 9
  • 11
7

Whenever you run `sudo apt-get upgrade` you're downloading a .deb package from the Ubuntu repositories and letting the installer run as root (you know, sudo) to install it. If Ubuntu wanted to manipulate one of the packages and include a backdoor, they could, and you would probably never know it.

You, implicitly, trust Ubuntu not to include a backdoor in these packages.

Adi
  • 43,953
  • 16
  • 137
  • 168