Is there spyware in Ubuntu? Answered.

Updated: June 13, 2015

A few weeks back, this very title was used by some fella out there, and then linked by Softpedia, creating a bit of an emotional and technological senstorm, designed probably to grab a bunch of clicks but also hopefully discuss a genuine concern that some people might have.

After having told you all you need to know about security, talked about NSA, the recent slew of software vulnerabilities promising bubonic plague in digital form, and some other topics that make us nerds sweat, it's time for another dose of Dedoimedo-laced xanaxing for you. In other words, let me help you calm down. Please, follow me.


Mark's photo was taken from Wikipedia; licensed under CC-BY 2.0.

The original piece

In a few quick sentences, the author believes Ubuntu is not a safe operating system because Canonical is headed by Jane Silber, who used to be a General Dynamics employee, which means she was involved in the intelligence and information gathering side of things, and this means Ubuntu has been compromised.

Then, the author goes into whether having open-source software means you're safe, whether you can trust the GCC compiler used by Canonical, and claims that there is no reason to assume that the compiled executables used in Ubuntu have actually been built from the same source code that Canonical makes publicly available. And that's where I'm going to focus my discussion.

Why this is not true

First, there is no reason to assume that the binaries come from a different source than the publicly available set. Scientists put down theories and then, they test them. For all practical purposes, the emotional piece of whether Ubuntu can or cannot be trusted is entirely beside the point, although I'd assume that if you want to blame someone for doing something wrong, you should prove it. In other words, if Zack or whoever feels Canonical is a baddie, bring on some evidence, lad.

In real life, the analogy would be saying that: There's no reason to assume Mark Shuttleworth hasn't murdered people with an axe. No. That's not how it works. And as long as his guilt has not been explicitly proven, he is innocent, and so is Canonical. Which is why this whole thingie is just unnecessary drama. To help you understand things a little better, let's go through the compilation thingie and how it works.

If you want to compromise a system with hidden backdoors, then you have two main options: 1) Easy, you can use sources that have extra code added in them 2) Hard, you can use a compromised compiler that appends its own garbage into the compiled code.

Why is the second so difficult, you may ask? Well, there are a billion reasons. GCC is an extremely complicated piece of code, and it matches the kernel in terms of how delicate things really are. Tiny changes can make all the difference in the world, especially if you are working with kernel modules.

How can you inspect code

Anyhow, let's be practical. Say you have some code, main.c. You want to compile it. You can use GCC explicitly, or you can use a Makefile. Either way, you will have a compiled binary as your output. There are several unique things about a compiled binary that you can inspect. To be fair, we've discussed this at great length and in great depth in my hacking articles number three and four. To wit:


Strings is a very useful command that can pull out all printable characters out of binary files. This can be quite useful if you need to know the would-be meta data, like compiler versions, compilation options, author, etc. Indeed, this is a first step in getting a unique signature for a compiled binary.


Binary symbols

Using a tool like nm, you can inspect different sections inside binaries, and get binary symbols. This tool is specifically designed to work with the executable file format that is typical on Linux.

For instance, -b flag lets you get symbols for uninitialized global variables in the data section, also known as bss. -C lets you query common symbols, or rather uninitialized data. In the example below, there are none available, because this shared library is stripped.

nm example

However, if you query with -D flag, you will get symbols in the initialized data section.

Global table

This gives you even more knowledge and information about what any compiled code contains. And since output comes as plain text, you can always use it to compare between suspicious and pristine files.


This tool is also quite powerful, as it lets you see the entire structure of a compiled binary, including all the symbols, sections, initialized and uninitialized variables, compilation flags, everything. In other words, you can really look into a binary, even if you do not know what it's supposed to be doing. And really, you get all the info you want.

readelf, all

Debuginfo not stripped


Likewise, objdump can be used to dump information from object files. We did this before, when we analyzed kernel crash memory dumps, and we were able to disassemble kernel objects and walk through the code. Again, even if you do not fully understand what the binary is supposed to be doing you can always compare two different objects for any differences, for any signs of tampering.


Now, the comparison piece

All right, let's assume you suspect Ubuntu is tainted. This means you can't really trust any binary running on the system, and the kernel is probably likely to provide false information. No worries. Copy the suspect files to a Fedora or an openSUSE box, and dump all the information you need. You will also get all the compilation flags this way.

Now, grab the sources and compile them the same way Canonical does it, using the same build environment. Presumably, you will need older versions of Ubuntu to be able to do this, which puts us in a bit of a tight spot, because we might want to assume these are compromised, too. However, we can replicate the said build environment in its entirety on a Debian box. It just takes a bit of work, but let's stay with Ubuntu.

But we can solve that. Normally, to compile one version of Canonical's operating system, you do it on an older one (N-1). For instance, Ubuntu Vivid was most likely compiled on Utopic, and in the same manner, Utopic was compiled on Trusty. We can go back all the way to the day when Ubuntu did not exist, and it was pure Debian. In fact, we can also check whether some of the Debian packages have been ported without any changes, since the two distros are largely binary compatible. In fact, this can save us some hard work and makes the chance of any naughty tampering on Canonical's side even lower.

Go back, then start compiling. In the end, you will have compiled Ubuntu or parts of it from sources in a pristine way. Compare the objects. Even a simple md5sum is enough. Are they any different? There you go. Problem solved, riddle answered, mystery demystified. As always, the most golden advice of them all, linked earlier, but I really had to:

Now, the real world

Ubuntu is used by millions of people. It's deployed in hundreds of data centers around the world, with a huge footprint of desktops, workstations, servers, and appliances. Thousands of engineers, scientists and highly experienced system administrators run Ubuntu daily. And yet for some reason, despite rigorous IT practices, network security and whatnot, all of them are dumbasses and not one of them has been able to find any trace of Ubuntu backdoor stuff, and yet a casual blogger has all the mighty data in his hands. That's possible but not likely. The law of large numbers mandates it.

Moreover, why no one has produced any compelling evidence that would incriminate Canonical? Think about it. Even a simple little network trace would be enough to start a discussion, a few misplaced system calls, and whatnot. You can always monitor traffic on the switch and router level, so even if the compromised system masks its activity from its users, it cannot do that with other devices around it.

More reading

Some more solid mythbusting, you'll feel like Rambo:

Using Linux for the wrong reasons

Windows malware claims

Flaming Retort thingie

Botnet exploits & ignorance


I don't mind a bit of controversy. It's a good mental exercise. Especially when people go wild over what Microsoft is doing, my favorite, and then Linux conspiracy theories, my even more favorite topic. However, as much as we want these little stories to be our Jason Bourne kind of thingie, they are really just empty, pointless tales that stem from emotion and lack of knowledge, which seems to be the case for pretty much all and any conspiracy theory out there, alien crap included.

You may say, Dedoimedo, look what NSA is doing, it means the conspiracies are true. Nope. There's no hacking involved, just a bunch of MITM appliances planted inside data centers with compliance from the hosts, which just shows how difficult it really is to obtain digital information on a large scale. Should make you feel relaxed and cozy inside. And the same applies to Canonical and Ubuntu. You may disagree with their business, you may not like the people involved, but at the end of the day, it's just Linux, compiled by people like you and me, who have no ulterior motives or Illuminati NWO agenda. Oh did I fail to mention that Canonical is NOT a US company? We're done. Enjoy your Internetz.


You may also like: