Steady Info to Google - hardcoded in Linux Mint ?!

[Mohr]

The softwareupdater of the Standard edition of Mint Mate (13.) is informing Google every 15 minutes of your current ping and the fact that your are online. If you consider the amount of fines they had to pay for good reasons during the last years in the US and Europe because of privacy violations, you might be a bit nervous. Also the fact that Google is a PRISM-Partner might be relevant for you.

It was for me. And therefore I tried to change the name of the domain that is constantly "pinged".

I saw: Whenever you change the target domain for the ping in the menue of the Mint - softwareupdater - it's seemingly not changed really. It's seemingly just a fake.

It is seemingly hard coded here:

Code: Select all

### /usr/lib/linuxmint/mintUpdate/mintUpdate.py 
# Lines 1705 - 1724
    if os.getuid() != 0 :        
        #test the network connection to delay mintUpdate in case we're not yet connected
        log.writelines("++ Testing initial connection\n")
        log.flush()
        try:
            from urllib import urlopen
            url=urlopen("http://google.com")
            url.read()
            url.close()
            log.writelines("++ Connection to the Internet successful (tried to read http://www.google.com)\n")
            log.flush()
        except Exception, detail:
            print detail
            if os.system("ping " + prefs["ping_domain"] + " -c1 -q"):
                log.writelines("-- No connection found (tried to read http://www.google.com and to ping " + prefs["ping_domain"] + ") - sleeping for " + str(prefs["delay"]) + " seconds\n")
                log.flush()
                time.sleep(prefs["delay"])
            else:
                log.writelines("++ Connection found - checking for updates\n")
                log.flush()

At the moment I feel like being cheated on.
And this by a system that I trusted much more than one of those of PRISM-Partners.

An ip-Adress is a sensible part of information according to privacy laws. For good reason.
Delivering it constantly to a famous datacollector is simply the worst case in terms of privacy.
And it's like money for Google because their profession is to combine all the other data collectable by your browser at the same time. And Google is often hidden on pages - you don't see it, if you don't use NoScript.

Can anybody confirm my findings regarding to the fake ?

[elverion]

We just found out yesterday that the NSA was behind some sort of MITM attack and was pretending to be Google.
http://news.cnet.com/8301-13578_3-57602701-38/nsa-disguised-itself-as-google-to-spy-say-reports/

Related? I don't know, but this certainly concerns me even though it doesn't look like this is anything malicious in intent.

And yes, I can confirm what you have posted.

[Bolle1961]

At the moment I feel like being cheated on.

No you're not

In LMDE and or SolydX updater you can change the url and the time interval for checking your internet connection. I don't know if that's possible in the ubutnu based Mint.

[Mohr]

Thank you for your info.
So I can strike all "seemingly"s up there.

I still cannot believe it that the Mint people are - at last - in a way "cheating" on their users:

Offering a possibility that many would like to use to get away from that datacraken called Google just for the "optics" and in fact you are still delivering 15-minute data to them?

If they did it here will there be more "fakes" in Mint?

Most people I know come to Linux because of "security" and many because of the Amazon Lens of Unity Ubuntu ....

[Mohr]

At the moment I feel like being cheated on.

No you're not

In LMDE and or SolydX updater you can change the url and the time interval for checking your internet connection. I don't know if that's possible in the ubutnu based Mint.

I tried it out in LMDE.
It's the same as in LM Mate.
You fallen into the trap: It looks "as if you could", but it doesn't work ...
Welcome to the club.

EDIT:
Ok - I don't have LMDE at hand again. I am not sure whether it's the same.
But: I still believe it.
And: I was only talking about the LM Mate Standard Edition (13). Why do you say it's not "cheatin"?

[Bolle1961]

Just checked LMDE MATE, if you change it at preferences the script will be unchanged ....
Changed google.com to ixquick.com -> it only changes in the preferences menu, not the script
That really sucks

[MishaSherpa]

Linux Mint14-KDE
same Google ping code. at /usr/lib/linuxmint/mintUpdate/mintUpdate.py

To the mint team: Can you please change this somehow? This data stream to Google is extremely objectionable.

Or at least put a warning screen during installation that 'your PC will send packets to google constantly and no this menu doesn't work.'

Mohr, did you know firefox sends lots of data to Google as well?

https://bugzilla.mozilla.org/show_bug.cgi?id=474053

https://www.google.com/tools/firefox/sa ... g/faq.html

[MishaSherpa]

Mohr

This privacy problem of giving google all the mint users IPs came up in the summer of 2012

[url]http://forums.linuxmint.com/viewtopic.php?f=157&t=108859[/url]

The project leader for mint (Clem) replies in that thread and basically says people are being paranoid. Well, a lot has changed in a year. Read the news, for example.

Nothing has changed in the updater. It still pings google.

[MishaSherpa]

Here's how someone could fix this manually in KDE

use dolphin to get to the folder
/usr/lib/linuxmint/mintUpdate

right-click on mintUpdate.py and select Root Actions > Open as Text

Once in Kate, do a ctrl-F to find the word Google (there are 3 instances)
change them to whatever you want, such as Yandex.ru (this is Russia's top search engine)
save the file

The files permissions may have changed, so... in that same folder, right click and Actions > Open Terminal Here

In Konsole terminal type

Code: Select all

sudo chmod 0755 mintUpdate.py

Done.

A much BIGGER problem is google knowing every https site you visit in Firefox. In Firefox
Edit>Preferences>Security>"Block reported web forgeries"
That box is actually permission to let google examine every link you visit!

Some of these links are a bit older, but you learn what the terms are:
[url]http://www.leavegooglebehind.com/how-tos/how-to-eradicate-google-from-firefox/[/url]
[url]http://www.darkreading.com/privacy/google-safe-browsing-feature-could-compr/218800199[/url]
[url]http://www.wilderssecurity.com/showthread.php?t=284944[/url]

You've been warned

[WharfRat]

A little easier way to change it.

The file mintUpdate.py.bak will be created just in case.

I used msn so just replace it with whatever you're comfortable with.

Code: Select all

sudo sed -i.bak 's/google/msn/g' /usr/lib/linuxmint/mintUpdate/mintUpdate.py 

Good luck

[tdockery97]

And don't forget that if you check the news CNN will come knocking on your door.

[Mohr]

Thanks all for explanations, checking and answering. And taking privacy concerns as a serious matter.

It is a serious matter, but it's a bit abstract for some people because privacy violations don't hurt immediately. (It's more like radioactivity - doesn't smell, makes no sound and not everybody at every time has a noticeable damage. And those who want a tin-foil-hat against it .... ok, won't help. ) .

Yes, there is time to excuse for someone because it takes a frustrating time to find these things out and even more frustrating is when you see yourself disappointed with the outcome: The mask to allow a change from Google is just a fake! Well, it takes your choise "into regard", but only AFTER Google was informed. The normal intention would be NOT to inform Google - I am quite sure that is clear as water can be.
It is a bigger damage to those who mingled with the system to install it and improve it over months. And those who recommended it as a serious and secure operation system. And all those developers who helped you.

And whatever you think about your privacy - it's about the privacy of others. Not yours.

And you can even say it's not about privacy: It's about false declaration of functionalities to users.

And you went to LM because you trusted them: The spirit of open code is truthfulness. The fascinating feeling of that your Computer does again what YOU want him to do - not what Microsoft or Apple or Google wants.

This all reminds me A LOT of the Safari-Trick that did cost Google roughly a 22,5 Million USD as a fine.

[url]http://news.cnet.com/8301-1023_3-57490035-93/ftc-hits-google-with-$22.5-million-fine-for-safari-tracking/?_escaped_fragment_=#![/url]

In the meantime you shouldn't call it "Linux Mint" but "Linux Google"?

What a shame that it is promoted by http://www.prism-break.org because Google is a Prism-partner who signed - according to the Guardian-Documents (Snowden) in January 2009. One should inform prism-break.org. (Whereas Larry Page, head of Google, says he didn't know about that in June 2013 - http://googleblog.blogspot.de/2013/06/what.html. How should he know what contracts he signed with the US-government!)

I will probably stop using Linux Mint because of this like - obviously John Doe stopped in March 2013. But I will not simply do so if there is no excuse.

As a matter of trust.

[tdockery97]

The bottom line is this: If you go on the internet, at all, even once, you cannot ever expect privacy. There is absolutely no such thing in this technological age. There is no guaranteed protection of privacy, so you may as well get over it. Harsh, but true.

[Mohr]

That sound very fatalistic to me. And it sounds as if technology in its status quo is always - at any given time - the best and cannot evolve to the better. I have enjoyed technology throughout my life getting better and better. You didn't ?

And - most important - you don't adress the main topic here: There is a functionality that - for most people - means more privacy and it turned out to be a fake.

[HoppityBob]

Why on earth should the software updater be pinging Google constantly, I'm failing to see the reason for it? It's actually a package I uninstall immediately anyway but I'm be very unhappy about hearing this kind of behaviour.

[tdockery97]

Why on earth should the software updater be pinging Google constantly, I'm failing to see the reason for it? It's actually a package I uninstall immediately anyway but I'm be very unhappy about hearing this kind of behaviour.

To function properly, the Update Manager must have access to the repositories, via the internet. Therefore, it must check periodically to determine that it has access. Pretty simple, really. You've done the logical thing in disabling or uninstalling the Update Manager if you don't want it to ping. Just do the updates manually from time to time.

[Mohr]

Why, tdockery97, don't you adress the main topic here of false declaration of functionalities / cheating on users?

Once again: The entry field where you find "google.com" can be edited but it doesn't change the fact you obviously want to change - the continious ping to Google.

[MishaSherpa]

Why, tdockery97, don't you adress the main topic here of false declaration of functionalities / cheating on users?

Once again: The entry field where you find "google.com" can be edited but it doesn't change the fact you obviously want to change - the continious ping to Google.

+1

To tdockery97, CLEM and others...

Mohr is 100% right here.
People trust LM because they heard from many people that "Linux is more secure than Windows," etc.
When you look at the code, though, it sends data from your computer without asking.
You say it's harmless. Baloney.

The fact is, there are two types of people: 1)those who feel that Google are basically good guys, and 2) those that find disturbing trends in their behavior. Unfortunately, many smart people, including very talented programmers, are part of group 2. Group 2 is very mistaken.

Google Street View WiFi data if just one CLEAR example that they want to be big brother. They say the vacuumed up wifi data from peoples homes by accident. Boloney. They wrote a PATENT about how to vacuum up the data a year prior. So the engineer and the patent guys and the implementation guys all coincidentally made the same mistake? Wow, amazing! Then to avoid heavy fines, they said, "We'll delete it all." An audit came along a year later, and... the data was still there. They said, "Oops, we FORGOT to delete it."

C'mon guys.
Google has a long track record of creepy behavior (analyzing your personal email for profit, anyone?) To suggest that users on this forum should just give up and expect no privacy is silly. All-or-none, get-over-it, and nothing-to-hide answers are not helping users, like us, who are not experts, but would like to have some balance and control over what is happening by using the powers of choice and software tuning.

Mint dropped the ball here, and I'll explain why.

Programing principle #1 - The USER has control over the USER'S data and communications, this includes IP address. If ANY program is going to go onto the internet, it should have a pop-up box saying, "Would you like to allow MintUpdate to sent a packet to Google to verify connectivity?.... check here to not be asked this in the future."

Programming principle #2 - Messages and Interface with the user should be accurate, not misleading!
The mint update menu EDIT > PREFERENCES > UPDATE METHOD > Internet Check (domain name or IP address) is MISLEADING. It does not change the updater.

Many people chose Linux Mint because of the widespread opinion that... 1)linux, and it's developers, value your privacy, 2)that they try to minimize connections to large for-profit companies, 3)that they don't build back doors into the systems, 4)that they care about transparency and open source code, 5)that they want systems and their data to be under control of the user.

Regarding these points
1) Why should Google know every time your computer was turned on (via mintupdate script) be a default setting on a fresh Mint install? Read in the news the revelations about "real-time event monitoring". Inform yourself, please.
2) Why not choose a non-profit linux server instead of Google, a known data aggregator? Interesting choice of domain...
3) Why is openssh-server installed by default, allowing any fresh mint install with a weak password to be compromised?
4) Why is the updater menu misleading to the user?
5) Why isn't there a pop-up or other notification whenever mint wants to make outgoing connections?

Again to those who dismiss privacy concerns of others, you might want to inform yourself a bit more:

IDG News Service - When it comes to protecting the privacy of its users, Google Inc. ranks worse than any other Internet company, according to an interim report by Privacy International. The international watchdog group also accused Google of engaging in a smear campaign in response to its findings, and demanded an apology.

Privacy International's findings (PDF format), based on six months of research, placed Google at the bottom of 23 Internet companies examined by the group. Google was the only company to earn the bottom ranking, for "comprehensive consumer surveillance and entrenched hostility to privacy."

Other companies, such as Microsoft Corp. and Yahoo Inc., rated slightly better that Google. Microsoft was given a rating of four out of six, for "serious lapses in privacy practices." Yahoo was given a ranking of five of six, one better than Google, for "substantial and comprehensive privacy threats."

"We are aware that the decision to place Google at the bottom of the ranking is likely to be controversial, but throughout our research we have found numerous deficiencies and hostilities in Google's approach to privacy that go well beyond those of other organizations," Privacy International said.

Hopefully, mint will clear up its ambivalence to good code and privacy.

[MishaSherpa]

I signed up at Github to make my opinion known there about mintupdate

https://github.com/linuxmint/mintupdate/issues

[clem]

Thanks for doing that MishaSerpa,

I agree on the fact that we should use the preference "ping_domain" rather than have google.com hardcoded, so this is fixed in https://github.com/linuxmint/mintupdate ... d6df6c1786

Now, about the controversy itself:

- The idea of the ping is to make sure you're connected to the Internet before mintupdate starts working. Typically, when you log in, mintUpdate checks your connection... if it's ON, it continues and checks for updates. If it's OFF it delays itself, and waits for a little while.

- The reason we ping google.com isn't because we're evil. It's not because we get billions of dollars for selling your personal information to them and tell them where everyone of you sleep and what you like to eat for breakfast (which.. unless we make a survey, we don't actually know much about), it's simply because they're always online (you know how many clusters they have right?). Ideally we'd ping linuxmint.com by default, but we've more users than money and you guys would bring our server down... not to mention that we experience way more downtime than google.com.

- The reason we check google.com BEFORE pinging ping_domain.... that I can't actually remember. If it's done like this there's a reason, and with the commit above I hope I didn't break anything. Now, you all know how pragmatic I am... on one side I need mintUpdate to be stable by the time Mint 16 comes out, on the other side I've got people who call us cheaters and liers and need to be reassured before they stop spreading security FUD RIGHT NOW. So what do I do? I remove google.com. Does it make sense to do so for mintUpdate and is it better technically with this commit in place than it was before? I'm not sure... I guess I'll check that between now and the end of November.

- You know, we've been called liars by OMGUbuntu before, when they accused us of hiding away the fact that we got money out of Banshee. They accused of us of hiding the info away in a changelog... you know, that piece of text which describes the change, for everybody to see. As some of you mentioned, mintUpdate is open-source. I don't assume at any moment that people spreading FUD here are litterate when it comes to source code, but at the very least they could have checked the logs. MintUpdate CLEARLY mentions what it does, or more so, what it did... because you see, it no longer tries to check things twice, it's focusing on not being the target of yet another ridiculous controversy right now.

So there you have it. You got all worried and all. I've no interest in educating any of you about ping, icmp and networking. If you don't trust us don't trust us, if you spread FUD about us selling data for commercial concerns and playing a part into nasty things like PRISM you'll get banned, and when it comes to mintUpdate, it no longer "FORCES" you to report to Google, as some of you liked to think it did.

You're very welcome to feel cheated like that, we care about selling your online presence to billion dollar companies we don't even partner with way more than making you happy... get real. Yes, I'm a bit irritated and yes that was insulting. Enjoy the code fix and have fun applying it yourself between now and Mint 16.