If I didn't know better, I'd say it was looking for automatic updates for the installer. This could be very useful for Canonical to deal with new installation issues as they come up in the field.

Of course this is too dull to be a proper conspiracy theory, therefore what's REALLY happening is that Canonical are searching your hard drives for anything interesting they can sell to the NSA.

You've got it right Steve, at one end of the spectrum is the alarmist conspiracy theorist who screams, "The sky is falling!", and at the other end of the spectrum is the totally complacent linux user who believes that linux can do no wrong, and automatically trusts anyone who has anything to do with linux.

There's a wide space for middle ground between the paranoid and the naive.

Suffice it to say though, that its inappropriate for any software to establish unauthorized contact with the outside world without first doing two things: a) disclosing that the contact is about to be made, and b) asking for your approval prior to performing the contact.

Consider this -- I installed a copy of Ubuntu Server 10.04 on a testbed platform last week. I was considering using Ubuntu to set up an SMB server on a small LAN. During the course of the text mode install the software asked me what I wanted to do about updates. The choices were:

a) fully automatic updates
b) automatic security updates only
c) no automatic updates / manual updates only

I don't want my server performing any kind of unattended automatic updates, because I've had automatic updates break my server in the past. Its no fun having a server break for no obvious reason, and its not easy to trace the breakage to an automatic update. For reliability reasons, most IT people who set up a server follow the rule that says, "If its not broken, don't fix it." They won't tamper with them once they're up and running unless a problem crops up that needs to be addressed.

I have a good firewall to protect me from the outside world, so automatic / unattended security updates don't seem necessary to me. I'm happy to review the updates and make my own decisions about them. For me, no automatic traffic corresponds to a much higher level of security than blindly trusting someone I don't even know to perform regular, unsupervised communication with my server.

So I chose option (c), for fully manual, non-automatic updates. Having done that, I still caught the software trying to establish outbound connection with Canonical even though I told it never to update. My firewall logs for the server show the same type of entries that I posted above.

I don't think that undisclosed communication with the outside world is acceptable, especially after you've chosen the option to prohibit that sort of activity, and the software has told you that it's going to honor your decision.

Just to clarify the point that you were making about checking for automatic updates -- that's not what's happening. The Ubuntu CD is establishing contact with Canonical during the boot process -- at a time that this action cannot readily be detected, and prior to the time that it asks you whether you want to do a test drive or an install. Until you make the menu selection that says install, there's absolutely no reason for them to be "looking for updates" to the installer without asking your permission first.

I guess this constitutes a philosophical difference in outlook between the average home user who is used to an insecure, desktop OS and the professional user who is used to working with a bona-fide secure system. The hobbyist / home user won't see a problem, where the professional IT user will see this as a deal-breaker when it comes to auditioning secure software platforms.

I'm not trying to say that I'm a hardcore security nut, but I do have personal, non-public information on my hard disk that I don't want unauthorized people to be able to read. What's the point of encrypting a hard disk if a software vendor has complete access to your data once the OS is up and running? When that happens, your data isn't protected and you don't have security. You only have the illusion of security.

Funny that you should say that. I was just installing the software for my new Epson computer. It told me to turn off my anti-virus software which I did. At the end of the installation process it went on-line to the Epson site so that I could register my scanner. Hello? Is anybody home?

Thanks for the warning about Ubuntu. Have you posted your observation on any of the Ubunto forums? I think that the world needs to know!

Steve Ahola

Its funny that they told you to turn off your antivirus software. That's a dead giveaway that they're going to do something you don't like! I can't understand how in the world they can justify doing something like that.

When I built my own linux distribution and Live CD, I had thought about embedding a process to ping my server during the install process, just so I could get a feel for how many people were out there using the software. But I decided against it, as it was sure to be regarded as an invasion of peoples' privacy. So I never implemented any sort of tracking scheme. If I did it then I'm sure that my name would have become "Mudd" in the software community.

Funny thing is that Ubuntu is doing at least as much as I had decided not to do, and probably more.

I did post my concerns on the Ubuntu boards. I was called an "alarmist":

Ubuntu Server 10.04 LTS:
[ubuntu] Server 10.04: How to Eradicate the MOTD System? - Ubuntu Forums

I just noticed the same problem in the "Desktop" version:
[ubuntu] Lucid Lynx 10.04 Live CD -- No Boot Menus? - Ubuntu Forums

The funny thing Steve, is that I don't imagine this will go anywhere. People are either too trusting to care, too apathetic to care, or too unaware of the risks to care about backdoors being written into an operating system. Here's an interesting statistic: 1 in 3 Linux users is running Ubuntu. Its widely regarded as Linux for Dummies. My personal opinion is that it it an operating system that has been rendered insecure by intentional design.

I usually like when the software I'm installing actually installs. I guess to each his own.

Oftentimes antivirus software will restrict other software from writing to certain directories and/or the registry. It's pretty common place to have to disable antivirus software when installing.

don't MS OS "phone home" when you boot (if you are online)? They have a bunch of info don't they? From hotmail, sign-on IPs, date, time. Not just them but google, yahoo must have mountains.

Ubuntu has a way of shipping/using broken packages. I have a friend that's responsible for a LOT of machines and when Ubuntu started doing that he went to Fedora. No problems since then!

jamie

You're right. I'm certainly too trusting to care and too apathetic to care. Ubuntu is still my favourite distro. (Well, my second favourite after MacOS ) Canonical are commercially sponsored, so there'll be a strong incentive for them to collect usage statistics: that's a second possible explanation.

If you want it to go somewhere, then instead of doing a Chicken Little, I suggest you use Wireshark to capture and analyze what is actually getting sent back to the mothership, and post the results for us, and the rest of the blogosphere, to see. Maybe you'll find something interesting and catch Canonical with their pants down.

Steve, my curiosity got the better of me and I wasted a lot of time trying to determine how to disable canonical's MOTD functionality, just so I wouldn't have to deal with the SPAM messages that get printed onscreen every time that he performs a TTY logon. If you're an X user you'd never see them; they would just add to your boot-up time. If you're a console user you get spammed with an ad for canonical services every time that you log on.

Its annoying. Every time that a user logs onto the system via the console or via SSH there is a SPAM advertisement for canonical. On my boxes it causes an 8-second pause between the time that you enter the password and the time that you get to the command line. On every other distro I've ever used, there has been zero lag between password and command prompt. The lag in logon time is very annoying.

Just about every other distribution uses a user-configurable text file (such as /etc/motd) to display the message of the day. If you don't want an MOTD you just erase the text file. the Ubuntu system is quite different. Its very complex. There are a series of nested scripts that get executed every single time that a user logs onto the system. This happens regardless of whether the user logs onto a console (runlevel 3) or via a GUI (runlevel 5).

the problem is that none of this functionality can be disabled by the system administrator. its hard-coded into the system. these scripts will run and there is nothing that an ubuntu user can to do stop them, short of removing the offending source code and recompiling. instead of just putting the content into /etc/motd, the ubuntu system is so obfuscated that there's no practical way for a user to stop what's happening. essentially, you're given the choice of doing it canonical's way and liking it, or going somewhere else.

from a perspective of fundamental respect for the user, that's just plain wrong. linux is about choice, isn't it? with ubuntu the user isn't offered any choice about what happens on his computer, canonical's phoning home just happens whehter he likes it or not, and it happens in the dark, behind the user's back. the problem isn't so much that this is happening -- the problem is that this activity goes on behind the user's back with no disclosure. to be fair, ubuntu should disclose to the user that his computer is going to be used to disclose information to the outside world, and he should be given the opportunity to opt-in or to opt-out.

i can understand complacency among desktop users. normally this wouldn't be a big deal, but life is very different on a desktop OS than it is on a server OS. i first encountered this problem when i was performing a proof of concept test install for ubuntu server 10.04. i had set up a number of different server distros side by side to see which one we were going to deploy. only in troubleshooting this problem with 10.04 did i come to realize that this has been going on in ubuntu desktop for a long time.

more...

another problem is that the OS is forced to execute a non-essential disk bound process every time that any user logs on. having a unix-type system force itself into a disk-bound process every time that a user logs on is inherently dangerous from the standpoint of system reliability. it takes fault tolerance to an all-time low.

suppose that your server is acting up and the sysadmin has to log on from remote to diagnose the problem. then he can correct a software error remotely or dispatch the hardware team to go to the data center. the sysadmin makes a remote logon via a VPN or SSH... and before he gets taken to the command line, ubuntu proceeds to execute a number of disk-bound script processes. these processes don't have anything to do with server maintenance, they just collect statistical information for canonical. because one of the hard disks is down on this machine, the logon process fails on the disk bound scripting task. the sysadmin can't log on from remote and someone has to make a trip into the datacenter. all of this happens only because the server is performing non-essential tasks in collecting statistical data for canonical. of course, this kind of system failure is a disaster for everyone involved, except for the company that bills for the trip in to fix the system.

this wouldn't be a big problem if this kind of script execution only happened for the superuser. but these scripts get executed every time that ANY USER logs onto the system. this kind of setup is inherently unstable and just isn't tolerable in a linux distro that's attempting to market itself as an enterprise class server.

ubuntu's stand on this is that the MOTD system is there for the convenience of the sysadmin. during every logon, the system checks for updates and provides up-to-date statistics for review. as a sysadmin, I don't want to see update info every time that i log onto a box. and i certainly don't want to have to wait for an update check every time that i log onto a box. that's just a waste of my time that happens over and over and over again. i don't want to wait 8 seconds every time that i perform a logon. over the course of years, that wastes a lot of time. even worse is that in addition to doing this for the superuser, the system does this for every user account. there's just no need to look for updates every time that any user logs onto the system. its a waste of time. And there's no reason to present this kind of system information to every non-privileged user. what's the point of telling users that an update is available if they're not authorized to perform them? its a waste of user time. computers are supposed to work for us and make out lives easier. instead of having machines wait on (serve) people, now we've got people waiting on machines -- to perform tasks that should be done in the background. what a stoopid design.

more

your wireshark idea is a good one. but i'm not going to put in the effort as a crusader for the blogosphere, and our ubuntu installations have already been purged. unfortunately, i let my curiosity get the better of me, and i wasted a lot of time troubleshooting an installation that just wasn't suitable for deployment. rather than wasting more time polishing a turd, i chose the easy way out -- i gave Ubuntu Server a FAIL and went with a real enterprise-class system instead.

this is not to say that i'm down on ubuntu -- they are pushing linux development forward (sort of) and they make a really nice desktop setup and it makes linux very accessible to the n00b. unfortunately their support of the "Long Term Support" versions is a joke. there's a problem in the LTS version of the desktop that causes lockups on shutdown if you've got mounted samba shares. they found the problem and rather than fixing the code in the LTS release, they just fixed it in the STS release and advised everyone to migrate to the short term release. such failure to fix problems in an LTS release just isn't acceptable, and it indicates that even ubuntu's LTS offerings are nothing more than an amateur/hobbyist OS that can't be deemed as reliable for serious use.

i only mention this phoning home problem in relation to the desktop distro because i think its important for people to know what's going on behind their backs so that they can make an informed decision about their software choice.

ubuntu's server distribution just isn't an enterprise class offering. it turns out that this is a pretty well-recognized fact in the IT industry. other people here have suggested fedora. if you're willing to commit to a desktop OS that's so bleeding edge that it forces you into a 6 month lifecycle, its a good option. for deployment servers that are expected to run with 100% reliability for years, there's a reason that everyone prefers RHEL / CentOS.

Yeek! OK Bob, you win. I didn't know any of that

The last time I installed Ubuntu Server was 8.x and they hadn't started the Spam Of The Day console thing.

At my old university research group, they started to embrace Linux about the time I joined. By the time I left, they were installing Red Hat on the Sun workstations to avoid paying the Solaris maintenance contract.

Its just about what works best for your personal preferences. I'm just trying to find a tool that makes the job easy, does what I want it to do, and doesn't do anything that I don't want it to do.

To be fair, I have to admit that I'd been using Ubuntu on the desktop for several years, ever since I stopped using Gentoo. Ubuntu did offer lots of functionality, ease of use, and not that many headaches. It was a welcome change after years with Gentoo.

For me Ubuntu has some deal breakers that made me want to look elsewhere -- like the lack of centralized control over developers and the crappy support for LTS releases. I'm willing to trade off the bells and whistles that come with a bleeding edge distro in order to obtain stability. Right now RHEL/Centos is looking really good from the stability standpoint. For servers its great, For the desktop its good, though its not bleeding edge like Fedora.

Personally, I spend too much time maintaining stuff to be able to tolerate high maintenance installations. I'm just looking for stuff that you can install and let it run for years without any problems. To me, there's a lot to be said for an OS that is stable, doesn't require frequent updates, and will be fully supported for 5-7 years.

In that case I strongly recommend that you try out Vista.

Steve Ahola