
> I don't think anyone uses a Canonical distro and is genuinely upset or surprised about this particular benign case.

I've had to use Ubuntu in an environment with high security needs/regulations. I've had to disable this exact feature because leaking OS versions, network information, etc. externally via that user agent string was unacceptable from a security standpoint.

I was upset that something as simple as a motd had been retooled to leak data.

> and my sense is that virtually nobody cares about this particular case of telemetry.

And in my real-world experience I've been paid to care. When forced to work with Ubuntu (which is everywhere these days) I have to "rein it in" with custom images/scripts/etc.

> I dislike the idea of tying particular political or economic philosophies together with a tech stack like Linux.

This isn't "political or economic philosophies"; this is security 101. Leaking data like my OS version, IP addresses, when admins are doing their work, etc. to the public internet is a hard "no" for anyone who's operating in any semblance of "best practices".



Not doubting your experiences, but just out of interest, if you can tell: what security-relevant sector uses stock Ubuntu and exposes themselves to the internet like this? I've never seen a setup like that before.


PCI environment for a household name ecommerce application with millions of users.

Also we didn't use stock Ubuntu - I/we had to get it to not phone-home... it was just extra layers of "we shouldn't have to do this" in regards to managing the OS.

I left the company when it was apparent that "security culture" were just buzzwords they would repeat in meetings to make themselves feel better vs. an actual core competency. They had more resources assigned to migrating our WordPress blog to K8s than they did for the credit-card handling infrastructure.

Honestly Ubuntu was one of the least of my worries, but after the experience of getting it to "shut up" and stop phoning home I made the decision to never recommend it moving forward as a security best practice.


What high security environment browses the hostile public web?

You're afraid of the public internet seeing your IP address? The address that is required to serve responses to your requests?


I still consider originating IP address to be a leak - what about private intranets, processing-only infrastructure etc? Not everything is a traditional public-hosting model.

In the screenshot posted you can see the following data is being sent out:

```bash
USER_AGENT="curl/$curl_ver $lsb $platform $cpu $uptime cloud_id/$cloud_id"
```

This is 100% not acceptable. That data is NOT to leave my environments.
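An added example, not part of the thread and not Ubuntu's own code: one way to audit egress-proxy logs for requests carrying the User-Agent shape quoted above. Only the `curl/` prefix and `cloud_id/` suffix come from the quoted line; the log format, hostnames, IP addresses and field values are constructed assumptions.

```python
import re

# Shape taken from the quoted USER_AGENT line: a "curl/<ver>" token first,
# a "cloud_id/<id>" token last, free-form fields in between.
MOTD_UA = re.compile(
    r"^curl/(?P<curl_ver>\S+)\s+(?P<middle>.*?)\s*cloud_id/(?P<cloud_id>\S*)$"
)

# Constructed sample proxy log. Assumed format per line, tab-separated:
# timestamp, source IP, destination host, User-Agent. All values are made up.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2024-01-01T09:00:01Z", "10.0.4.17", "motd.example.invalid",
     "curl/7.58.0 Ubuntu/18.04 GNU/Linux/4.15.0/x86_64 CPU/X uptime/1234.5 cloud_id/aws"),
    ("2024-01-01T09:00:05Z", "10.0.4.22", "repo.example.invalid", "curl/7.58.0"),
    ("2024-01-01T09:01:10Z", "10.0.9.3", "www.example.invalid",
     "Mozilla/5.0 (X11; Linux x86_64)"),
    ("2024-01-01T21:00:02Z", "10.0.4.17", "motd.example.invalid",
     "curl/7.58.0 Ubuntu/18.04 GNU/Linux/4.15.0/x86_64 CPU/X uptime/44434.9 cloud_id/aws"),
    ("2024-01-01T21:03:40Z", "10.0.7.40", "motd.example.invalid",
     "curl/7.68.0 Ubuntu/20.04 GNU/Linux/5.4.0/x86_64 CPU/Y uptime/88.1 cloud_id/unknown"),
    ("truncated line without enough fields",),
])


def find_leaking_requests(log_text):
    """Return one record per log line whose User-Agent matches the motd shape."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # malformed or truncated line: skip rather than guess
        ts, src, dest, ua = parts
        m = MOTD_UA.match(ua.strip())
        if m:
            hits.append({"time": ts, "source": src, "dest": dest,
                         "curl_ver": m["curl_ver"],
                         "fields": m["middle"].split(),  # the data being disclosed
                         "cloud_id": m["cloud_id"]})
    return hits


def leaking_hosts(log_text):
    """Internal source addresses that sent at least one matching request."""
    return sorted({h["source"] for h in find_leaking_requests(log_text)})


if __name__ == "__main__":
    for hit in find_leaking_requests(SAMPLE_LOG):
        print(hit["time"], hit["source"], "->", hit["dest"], hit["fields"])
    print("hosts to remediate:", leaking_hosts(SAMPLE_LOG))
```

A plain `curl/<ver>` User-Agent is deliberately not flagged, so ordinary curl traffic does not drown out hosts where the feature is still enabled.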



