Page revision diff: revision 404 -> revision 3577
Revision comment: move version checks to a separate section, add gmic

Changes in revision 3577:
- Line 1: added a table of contents.
- Phone home section (old line 5 / new line 7): the single entry "gnome-calculator - fetches currencies when started" was replaced by the categorised list (version checks: gmic, basex) and the expanded package list (gnome-calculator, Firefox, Chromium, syncthing, cura); the Phone elsewhere, Data sharing, Data storage, Detection tools and Reports sections were added.
- Issue categories (old line 11 / new line 50): list markers for "cleartext" and "TLS" changed from "- cleartext - TLS" to "* cleartext * TLS".
- Issue categories (old line 14 / new line 53): list markers for "optin" and "optout" changed from "* privacy defaults - optin - optout" to "* privacy defaults * optin * optout".
Privacy issues in Debian packages
Phone home
There are some common categories of phoning home:
- version checks: gmic, basex
These packages either don't fit those categories or do lots of them and more:
- gnome-calculator - fetches currencies (https://gitlab.gnome.org/GNOME/gnome-calculator/issues/34)
- Firefox - multiple issues (see the Firefox wiki page, section "Automatic connections")
- Chromium - phones home in various ways, e.g. Debian bug #792580, binary blob downloads (https://lwn.net/Articles/648392/), site engagement profiles (https://www.chromium.org/developers/design-documents/site-engagement), Google login tied in with the browser (https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/)
- syncthing - data transfer volume, unique ID submission, version check and lots more (https://blog.harterrt.com/syncthing_data.html); public data report (https://data.syncthing.net/)
- cura - phones home in various ways (https://github.com/Ultimaker/Cura/issues/2810); patched out in Debian (https://salsa.debian.org/3dprinting-team/cura/blob/master/debian/patches/2001-no-default-telemetry.patch)
Phone elsewhere
- systemd - uses Google DNS resolvers as its internal default, which is not explicitly documented; see "FallbackDNS" in the systemd-resolved manpage (https://manpages.debian.org/stretch/systemd/resolved.conf.5.en.html)
Data sharing
- remmina - shares the clipboard with remote hosts over RDP by default
- pidgin - shares typing notifications with remote peers by default
- hw-probe - includes truncated salted hashes of MAC addresses and serial numbers in hardware probe reports
Data storage
- web servers and other kinds of servers default to logging information about network requests received from external entities
Detection tools
- wireshark
- opensnitch (https://github.com/evilsocket/opensnitch/)
- nsntrace (https://github.com/jonasdn/nsntrace/)
- unoon (https://github.com/kushaldas/unoon/)
Reports
- bugs usertagged "privacy" under debian-devel (https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-devel@lists.debian.org;tag=privacy)
- Debtags privacy facet (https://debtags.debian.org/reports/facets/privacy)
- lintian privacy-breach tags, each documented at https://lintian.debian.org/tags/privacy-breach-<tag>.html: generic, donation, facebook, google-adsense, google-cse, google-plus, logo, piwik, statistics-website, twitter, uses-embedded-file, w3c-valid-html
Issue categories
- logging & verbose logging
- phoning home without user consent
- cleartext
- TLS
- featurebug: when a bug is also a feature
- privacy defaults
- optin
- optout
- traceability
- no deletion of config files when uninstalling a package