7

If you install some kind of Linux distribution on your computer, is there a possibility that its owners may spy on you?

For example, can Ubuntu, Kali or Arch Linux send data to its owners on what you are doing? Speaking about Kali, I guess it would be interesting for the NSA or any other corporation to know why you need it and what you are doing with it... It is just a matter of security for them...

Alex
  • 4
    Of course they could. They created the distro. – Polynomial Aug 20 '15 at 10:54
  • But why is Linux considered such a secure system? And keeping in mind that it is open-source, why can't people discover that problem and try to block it out-loud? – Alex Aug 20 '15 at 10:55
  • 8
    @Alex Linux is considered safe because you can inspect the code. And you can inspect who contributed what. This makes it harder to put nasty things in Linux. Much harder than it is to put nasty things in proprietary software. It's not impossible, it's just your best bet. – S.L. Barth Aug 20 '15 at 11:04
  • 11
    @S.L.Barth: There is code that you run, and there is code that you can inspect. But unless you compiled everything yourself, you cannot know that the code you are running is the code that you are inspecting, even though it may be published in the distro's official repos. – dotancohen Aug 20 '15 at 12:07
  • 10
    @dotancohen - even worse, you can't be sure that the compiler isn't malicious. – Deer Hunter Aug 20 '15 at 12:08
  • 2
    Many Linux distros ship with Firefox (rebranded or not). Let's say it isn't fully privacy-cognizant. – Deer Hunter Aug 20 '15 at 12:10
  • 2
    Do you count Android as Linux? – CodesInChaos Aug 20 '15 at 12:18

3 Answers

26

Any time you execute code acquired from someone that you haven't fully reviewed and it runs on an Internet connected system, there is a risk that the person who wrote or deployed that code could transmit data about your usage to another system. That's true regardless of the OS. So yes it's possible.

The question then becomes "has this happened in the past", and "is it likely to happen in the future". The only case that springs to mind where people may have been sending data from a Linux distro to 3rd parties inadvertently was the Ubuntu Linux Shopping Lens, which could be regarded as spyware and was by some.

Outside of that, I'm not aware of any instances of large-scale spying from the mentioned Linux distros. As you say, pentest distros like Kali are obviously an inviting target, but then their users are more likely to notice an indiscriminate transmission of data from their systems.

Ultimately it comes down to trust. By executing code belonging to someone else you are trusting them (think of trust in this context as "the power to betray") with any data you enter into that system.

How you establish trust in a system is a really good question and one which, as far as I can see, is far from answered.

Rory McCune
  • 3
    I’d also point out that simply discovering data transfers is quite easy using a packet sniffer (e.g. Wireshark). Of course if the data is only transferred rarely, hidden (i.e. during a periodic software update) or upon command/request by the author it gets harder. – Michael Aug 20 '15 at 13:46
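As a complement to the packet capture mentioned in the comment above, the kernel's own socket table can be read to see which remote hosts a Linux machine is talking to. The following is an added example, not part of the original answer or comments: it decodes the `/proc/net/tcp` format and lists peers outside an allow-list. The sample table, the addresses (documentation ranges) and the allow-listed network are constructed for illustration, and the address decoding assumes a little-endian host.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0F02000A:A1B4 077100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 20003
   3: 0100007F:A1B6 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 20004
   4: 0F02000A:A1B8 146433C6:0050 06 00000000:00000000 00:00000000 00000000     0        0 0
"""

STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT'; the address is a native-endian u32 (little-endian assumed)."""
    addr_hex, port_hex = field.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return ipaddress.IPv4Address(packed), int(port_hex, 16)

def remote_peers(table, expected=()):
    """Return (remote_ip, port, state, uid) for sockets whose peer is outside `expected`."""
    allowed = [ipaddress.ip_network(n) for n in expected]
    peers = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 8:
            continue
        ip, port = decode_endpoint(cols[2])      # rem_address column
        state = STATES.get(cols[3], cols[3])
        if state == "LISTEN" or ip.is_loopback or ip.is_unspecified:
            continue                             # no remote peer to report
        if any(ip in net for net in allowed):
            continue                             # peer is on the allow-list
        peers.append((str(ip), port, state, int(cols[7])))
    return peers

if __name__ == "__main__":
    # 192.0.2.0/24 stands in for a hypothetical, expected update mirror.
    for peer in remote_peers(SAMPLE, expected=["192.0.2.0/24"]):
        print(peer)
```

A snapshot like this only shows sockets that exist at the moment it is taken, so rare or short-lived transfers still call for continuous capture or logging.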
2

To answer your question, I need to mention another open source product (OpenSSL) in order to make a parallel with Linux and other open source projects; so let me tell you a short story about it, and hopefully you will understand the logic:

HeartBleed is a vulnerability that was first introduced by Stephen Henson just an hour before 2011 New Year's Eve. To be more accurate, it was Robin Seggelmann, then a Ph.D. student at Duisburg-Essen University, who developed the HeartBeat extension for OpenSSL (HeartBeat was already present in the SSL2.0 specification) and suggested it to the OpenSSL project's lead developer, Stephen Henson, who failed to find the bug and committed it to the repository. Others suggest that this vulnerability was known and exploited a long time before it was announced publicly.

But why do I mention this? To let you know that with open source software at least you can always check by yourself, especially if you are working in this security field, if there is something wrong. The HeartBleed bug has always been publicly visible, so theoretically speaking any interested person could have detected it before that Google Security researcher did on April 7th, 2014. But in practice no one did (or maybe the ones who discovered it did not disclose it and preferred to take advantage of it for their personal goals).

This short story applies to all open source software: theoretically it offers you the possibility to check everything by yourself or with your team, and nothing can prevent you from doing that. That is already a big advantage, and so many security vulnerabilities have been prevented by the benevolent communities. But in practice: how many people (I am talking about the ones who are working in the security field) have the time and required skills to do that? And in case someone discovers a security vulnerability in an open source project: would he/she have the will to disclose it or just take advantage of it? However, there is one important thing to mention about HeartBleed: only Stephen has been a permanent developer, 11 other members of the OpenSSL project have nothing to do with computer science, and only one other developer has been helping him from time to time directly, unlike other big open source projects such as the Ubuntu you mentioned, so theoretically risks of such nature are maybe less in this case.

  • 1
    A better example IMHO would have been the [Debian weak keys](https://www.debian.org/security/2008/dsa-1571) issue (Debian + all derivatives generating predictable keys, including the ones used for SSH authentication, for about two years), which generated a great fuss, a lot of suspicions, and a great analysis approach to get back to the original commit and determine [whether or not the error could be intentional](https://freedom-to-tinker.com/blog/kroll/software-transparency-debian-openssl-bug/). – WhiteWinterWolf Aug 20 '15 at 14:37
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/27196/discussion-on-answer-by-begueradj-is-linux-spying-on-its-users). – Rory Alsop Aug 20 '15 at 16:11
2

There are lots of Linux distributions with different business models. While most of them probably don't actively spy on their users, some deliberately do it:

North Korea's Red Star Linux inserts sneaky serial content tracker

ERNW security analyst Florian Grunow says North Korea's Red Star Linux operating system is tracking users by tagging content with unique hidden tags....

Steffen Ullrich