This was actually insinuated by a school project. Thanks projects!
This one is also fairly long and gets pretty angry. Although if you think this is angry you did not hear my conversation with a friend about it.
On the front page, I mentioned that words can, shall and will slip (or something to that effect). This is effectively your second warning; that statement applies HEAVILY to this particular page (and I don't feel like editing it all out. :P)
Not safe for children, work, or school. Read at your own risk.
Most people reading this page will have some clue as to what a keystroke logger is, or what the act of logging keystrokes is. For those who don't, keystroke logging is basically what happens when, through software or hardware, a third party keeps a record of any and all keyboard button presses and saves them for later retrieval.
This can be done any number of ways. In hardware, there are overlays which record depressions, there can be a filter placed in line between the keyboard and the computer, and even a strategically placed surveillance camera can be used as a keylogger. In software, a program can run inside a virtual machine or "hypervisor", it can grab data input to web forms, or in extreme cases it can hook itself into the system kernel.
Keystroke logging, believe it or not, does actually have some kind of a positive kick back. It is used all the time in corporate environments to make sure that employees are using their computers to do legitimate work and are not abusing their privileges, and also to make sure that they aren't trying to gain access to restricted portions of networks or other resources. At home, it can be a good tool for parents to make sure their kids are staying clear of online hazards. It also enables the parent to save copies of any work done on the machine. Keystroke loggers can also help investigators obtain evidence and scan for unauthorized computer use.
However, there is an incredibly huge potential for abuse. And, here comes the rant.
So as you may or may not know, any half-way recent version of Ubuntu Linux uses the thing called the "Unity" desktop environment. Personally I think it looks pretentious, but let's not stray from the subject here. In this Unity desktop, there is a thing called the "Dashboard" which has completely replaced the traditional menus.

Since everything is all thrown together in some ridiculous hierarchy (or lack thereof), the dash features a handy search utility. Okay, the search blows since it's case sensitive and can't do partial searches, but you get the idea.

This is a screenshot of the dashboard in Ubuntu 12.10. Can you spot the difference?
If you can't, good, that's my point. Obviously it's some legal notice, right? Let's take a look…

Now why isn't stuff like this illegal?
I guess I should fill you in. This legal notice is droning on and on about this new "online search" thing, which sounds great, right? Except it's a keystroke logger! It doesn't matter if you search or not, the dash works as an auto-searcher anyways so it doesn't matter. I would assume that it works such that it only records complete words; however, if you let it sit there at a single letter for a second or two, it will send that single letter anyways (some VM network traffic checking with Wireshark reveals that, indeed, this is the case).
There is also zero encryption being done. Yes, I'm serious when I say that it's being sent over in plain text (or maybe that has to do with Wireshark, I'm not sure). Oh, and it's sending your IP address too.
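One way to check a capture of your own machine for the behaviour described above, as an added example that is not part of the original post: it scans plaintext HTTP requests (fields exported from a packet capture) for search queries that grow one prefix at a time. The sample lines, host names, path and `q` parameter are constructed placeholders, not the actual service's values.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: plaintext HTTP requests as tab-separated fields
# (epoch time, source IP, Host header, request URI). Host, path and the
# "q" parameter are placeholders, not the real service's values.
SAMPLE = """\
1.0\t192.0.2.10\tsearch.example.invalid\t/v1/search?q=b
2.4\t192.0.2.10\tsearch.example.invalid\t/v1/search?q=ba
2.9\t192.0.2.10\tsearch.example.invalid\t/v1/search?q=bank
3.5\t192.0.2.10\tsearch.example.invalid\t/v1/search?q=bank+st
9.0\t192.0.2.10\tcdn.example.invalid\t/img/logo.png
12.0\t192.0.2.10\tsearch.example.invalid\t/v1/search?q=terminal
"""

def parse(lines, param="q"):
    """Yield (time, src, host, query) for requests carrying the search parameter."""
    for line in lines.splitlines():
        ts, src, host, uri = line.split("\t")
        values = parse_qs(urlsplit(uri).query).get(param)
        if values:
            yield float(ts), src, host, values[0]

def find_incremental_leaks(lines, param="q", min_len=2):
    """Group consecutive queries where each one extends the previous one.

    A chain of growing prefixes means the client sent the text as it was
    being typed, not only a finished search term.
    """
    chains, current = [], {}
    for ts, src, host, query in sorted(parse(lines, param)):
        key = (src, host)
        chain = current.get(key)
        if chain and query.startswith(chain[-1]) and query != chain[-1]:
            chain.append(query)          # same typing session, one step longer
        else:
            chain = [query]              # unrelated query starts a new chain
            current[key] = chain
            chains.append((key, chain))
    return [(key, chain) for key, chain in chains if len(chain) >= min_len]

if __name__ == "__main__":
    for (src, host), chain in find_incremental_leaks(SAMPLE):
        print(f"{src} -> {host}: typed text visible in the clear: {chain}")
```

Any request URI that shows up readable in such an export was, by definition, not protected by TLS on the wire.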
Of all the dumb things I've seen...
Sending IP addresses over an unencrypted connection is just ASKING for trouble. Even though IP cannot be used as valid identity in the US, it can be in other places, AND it can also result in a potential Denial of Service attack on someone's network if a hacker gets ahold of that information.
And speaking of hacking, "Where is all of this crap going?" you may be asking. It's all being sent to a server owned by Canonical. OK, sounds well and good, but what kind of encryption is going on behind it? Since it's all being transferred in plain text I would assume not very much, and even at that I'm pretty sure Adobe had some kind of encryption going on, and look at where they ended up. Bookmark my words, at some point someone will figure out where the server is located and they will break into it. Nothing is 100% secure, ever.
Oh but it doesn't stop there. Canonical is not providing online search results themselves, no, instead they are selling (!!!) your data out to third-parties (and presumably your IP as well), so THEY can send you online results. If you want to get technical about it, that is stealing since I (and everyone else for that matter) never gave them permission to sell my data to anyone else. And besides, it's MY DATA, damn it! Not yours. BUT, since Canonical is a company no one cares.
Yuck.

And this is the straw that broke the camel's back. This is the sole reason that I am writing this rant.
As plainly shown, this whole mess of a feature is enabled by default.
Which should be 100% illegal? I don't even CARE that you have some stupid online search feature that sends my IP address out in plain text, at least I can turn it off. But do you see it mention "logging" or "IP address" anywhere in that preferences option? I don't.
I know what you are thinking. "Oh, but it mentions it in the legal notice."
That isn't fucking good enough, who the bloody hell reads legal notices and EULAs these days? Hell I don't even read EULAs half the time!
And in any case, who is going to read a legal notice whose only link is some tiny ass information symbol in the lower-right corner of a massive window? My answer is next to no one. And I am pretty positive that I would be right.
The biggest problem I have here is the total cover-up of the REAL purpose behind the whole feature. Instead of calling it something meaningful that actually portrays the ENTIRE functionality of the feature, they cover it up by calling it "Show online search results". REALLY? They could have said "Send my search results to Canonical for a more personalized experience" but NO, that's too many words apparently. Actually it would make more sense, another reason why it won't happen ever.
You could have EASILY implemented an option that said "Send anonymously". Even I can do something like that, but again, that would make sense, which is why it's not there.
Does Canonical HONESTLY think people are going to disable this feature if it's called something that seems useful? I know they do. And that is the wrong mentality.
This is a BUG. FIX it.
Get off my god damn computer. I am not doing anything illegal with it, I don't want your stupid online search results, and I MOST CERTAINLY do NOT want you sending my keystrokes OR my IP address out in plain text. Come on, let's actually think about it for a second here.
Canonical, until you fix it and either encrypt the data, OR disable it by default, your dashboard mis-feature can go die in a fire for all I care. And as for the rest of you people? Do yourself a favour and switch to Linux Mint.