Differences between revisions 2 and 22 (spanning 20 versions)
Revision 2 as of 2018-07-31 08:14:32
Size: 404
Editor: UlrikeUhlig
Comment:
Revision 22 as of 2020-01-27 00:06:19
Size: 3450
Editor: PaulWise
Comment: cura
<<TableOfContents>>

= Privacy issues in Debian packages =

== Phone home ==

 * gnome-calculator - [[https://gitlab.gnome.org/GNOME/gnome-calculator/issues/34|fetches currencies]]
 * Firefox - [[Firefox#Automatic_connections|multiple issues]]
 * Chromium - phones home in various ways, e.g. DebianBug:792580, [[https://lwn.net/Articles/648392/|binary blob downloads]], [[https://www.chromium.org/developers/design-documents/site-engagement|site engagement profiles]], [[https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/|Google login tied-in with the browser]]
 * DebianPackage:basex - phones home to find out the latest version
 * syncthing - [[https://blog.harterrt.com/syncthing_data.html|data transfer volume, unique ID submission, version check and lots more]], [[https://data.syncthing.net/|public data report]]
 * cura - [[https://github.com/Ultimaker/Cura/issues/2810|phones home]] in various ways, [[https://salsa.debian.org/3dprinting-team/cura/blob/master/debian/patches/2001-no-default-telemetry.patch|patched out in Debian]].

== Phone elsewhere ==

 * systemd - Uses Google DNS resolvers as internal default, not explicitly documented: See "FallbackDNS" in [[https://manpages.debian.org/stretch/systemd/resolved.conf.5.en.html|systemd-resolved manpage]]

== Data sharing ==

 * remmina - shares the clipboard with remote hosts over RDP by default
 * pidgin - shares typing notifications with remote peers by default
 * hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports

== Data storage ==

 * web and other servers of various kinds default to logging information about requests over the network from external entities

= Detection tools =

 * DebianPackage:wireshark
 * [[https://github.com/evilsocket/opensnitch/|opensnitch]]
 * [[https://github.com/jonasdn/nsntrace/|nsntrace]]
 * [[https://github.com/kushaldas/unoon/|unoon]]

= Reports =

 * [[https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-devel@lists.debian.org;tag=privacy|usertagged under debian-devel]]
 * [[https://debtags.debian.org/reports/facets/privacy|Debtags privacy facet]]
 * lintian privacy-breach tags: [[https://lintian.debian.org/tags/privacy-breach-generic.html|generic]] [[https://lintian.debian.org/tags/privacy-breach-donation.html|donation]] [[https://lintian.debian.org/tags/privacy-breach-facebook.html|facebook]] [[https://lintian.debian.org/tags/privacy-breach-google-adsense.html|google-adsense]] [[https://lintian.debian.org/tags/privacy-breach-google-cse.html|google-cse]] [[https://lintian.debian.org/tags/privacy-breach-google-plus.html|google-plus]] [[https://lintian.debian.org/tags/privacy-breach-logo.html|logo]] [[https://lintian.debian.org/tags/privacy-breach-piwik.html|piwik]] [[https://lintian.debian.org/tags/privacy-breach-statistics-website.html|statistics-website]] [[https://lintian.debian.org/tags/privacy-breach-twitter.html|twitter]] [[https://lintian.debian.org/tags/privacy-breach-uses-embedded-file.html|uses-embedded-file]] [[https://lintian.debian.org/tags/privacy-breach-w3c-valid-html.html|w3c-valid-html]]

= Issue categories =

 * logging & verbose logging
 * homephoning without user consent
   * cleartext
   * TLS
 * featurebug: when a bug is also a feature
 * privacy defaults
   * optin
   * optout
 * traceability
 * no deletion of config files when uninstalling a package