DaemonForums  

#1 comet--berkeley, 13th March 2014
Big Brother OpenBSD

I recently discovered that I am being tracked while installing OpenBSD.

This is not new, but I am very annoyed and dismayed that there is no "opt out" feature in the OpenBSD installer. And that the collection of user data by OpenBSD is not openly discussed in the installation documentation.

http://jan.exss.de/openbsd-bb.html

Here is a script that retrieves some of the information stored at OpenBSD (129.128.5.191):
(Change the architecture, i386, to match your own system)

Code:
#!/bin/sh
# Show the info that OpenBSD collected on you during the last installation
# (URL quoted so the shell does not treat "?" as a glob character)
curl "http://129.128.5.191/cgi-bin/ftplist.cgi?path=/pub/OpenBSD/5.4/i386"

#2 jggimi, 13th March 2014

Huh?

That link is just the list of OS distribution mirrors, showing URL and location for ease of mirror selection by users.

See http://www.openbsd.org/ftp.html for a list of download mirrors sorted by type (FTP, HTTP, RSYNC, and AFS).

#3 jggimi, 13th March 2014

The history of the file you questioned is available from the www CVS repository -- here is its log:

http://www.openbsd.org/cgi-bin/cvsweb/www/ftplist

#4 comet--berkeley, 13th March 2014

Quote:
Originally Posted by jggimi
The history of the file you questioned is available from the www CVS repository -- here is its log:

http://www.openbsd.org/cgi-bin/cvsweb/www/ftplist

The relevant code is in /usr/src/distrib/miniroot/install.sh and install.sub

http://www.openbsd.org/cgi-bin/cvswe...oot/install.sh

http://www.openbsd.org/cgi-bin/cvswe...ot/install.sub

During an install (bsd.rd), one's IP address, timezone setting, last choice of OpenBSD FTP server and architecture are sent to an OpenBSD website in Calgary.

http://article.gmane.org/gmane.os.op...+installations

Last edited by comet--berkeley; 13th March 2014 at 04:52 PM. Reason: add links to install.sh and install.sub

#5 roddierod (Rod Person), 13th March 2014

How exactly is that "Big Brother"? It's not any more information than is gathered by most web servers on the internet?
__________________
"The basic tool for the manipulation of reality is the manipulation of words. If you can control the meaning of words, you can control the people who must use the words." -Philip K. Dick

#6 jggimi, 13th March 2014

Thank you, comet--berkeley. That improves my clarity of understanding, and to aid discussion, your concern is apparently this, from install.sh:
Code:
# If we managed to talk to the ftplist server before, tell it what
# location we used... so it can perform magic next time
if [[ -s $SERVERLISTALL ]]; then
    _i=
    [[ -n $installedfrom ]] && _i="install=$installedfrom"
    [[ -n $TZ ]] && _i="$_i&TZ=$TZ"
    [[ -n $method ]] && _i="$_i&method=$method"

    [[ -n $_i ]] && ftp -Vao - \
        "http://129.128.5.191/cgi-bin/ftpinstall.cgi?$_i" >/dev/null 2>&1 &
fi

and this from install.sub:

Code:
    install_files "$_url_base" "$_file_list"

    # Remember where we installed from
    installedfrom=$_url_type://$_server_ip/$_server_dir

    # Bake a package path if we installed from a mirror
    if [[ -n $_mirror ]]; then
        PACKAGE_PATH=$(print -r -- "$installedfrom" |
            sed -E "/\/(snapshots|[0-9]\.[0-9])\/($ARCH)\/*$/!d
                s!!/\1/packages/$(arch -s)/!;q")
    else
        PACKAGE_PATH=
    fi

This capability was added in May, 2009, for inclusion in OpenBSD 4.6. From http://www.openbsd.org/plus46.html:

Quote:
Various installation script updates and fixes, and a new ftplist backend that tries to provide a good ftp server for you to use.

I couldn't find a public discussion in mailing list archives from that time period. That doesn't mean it did not occur.

Personally, I'm not too concerned that there is a recording of my public facing IP addresses that shows that I've run an OpenBSD installation script; anyone querying my bastion firewalls will discover I'm running the OS; I don't run services in "stealth" mode -- I use PF block rules with the return option -- and don't fear the fingerprints the OS and its services provide.

I expect all of the mirror servers log accesses locally, but that is data stored by each mirror and not consolidated as in this collection.

I find myself thinking that this collection of metadata might have been better publicized, and that an "opt out" capability should be implemented. This data could be interpreted as PII in many jurisdictions, and the Project therefore acting in the dual roles of Data Collector and Data Processor.

We can certainly discuss this, and if there is consensus, perhaps one (or more) of us can develop a patch that provides both notification and "opt out" capability, for consideration by deraadt@ and the other developers who implemented and support the feature.

Last edited by jggimi; 13th March 2014 at 05:42 PM. Reason: typo
Reply With Quote
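
The request built by the install.sh fragment quoted in post #6 can be picked out of a proxy or gateway log. The filter below is an added example, not part of the thread or of the OpenBSD installer; the log layout, the sample lines, the mirror name and the `method=http` value are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the installer). Assumed log layout:
# one request per line, client address in field 1, request URL in a later field.

# Reads log lines on stdin; prints one line per ftpinstall.cgi request:
#   <client> install=<v> TZ=<v> method=<v>    ("-" = parameter not sent)
report_ftpinstall() {
    awk '
    {
        url = ""
        for (f = 1; f <= NF; f++)
            if ($f ~ /\/cgi-bin\/ftpinstall\.cgi\?/) { url = $f; break }
        if (url == "") next

        qs = url
        sub(/^[^?]*\?/, "", qs)      # keep only the query string
        install = tz = method = "-"
        n = split(qs, kv, "&")
        for (i = 1; i <= n; i++) {
            # The quoted install.sh emits a leading "&" when $installedfrom
            # is empty, so the first element can be empty: skip it.
            if (kv[i] == "") continue
            eq = index(kv[i], "=")
            if (eq == 0) continue
            k = substr(kv[i], 1, eq - 1)
            v = substr(kv[i], eq + 1)
            if (k == "install") install = v
            else if (k == "TZ") tz = v
            else if (k == "method") method = v
        }
        printf "%s install=%s TZ=%s method=%s\n", $1, install, tz, method
    }'
}

# Constructed sample log: documentation addresses, hypothetical mirror name.
sample_log() {
    cat <<'EOF'
192.0.2.10 GET http://129.128.5.191/cgi-bin/ftplist.cgi?path=/pub/OpenBSD/5.4/i386 200
192.0.2.10 GET http://129.128.5.191/cgi-bin/ftpinstall.cgi?install=http://mirror.example/pub/OpenBSD/5.4/i386&TZ=America/Los_Angeles&method=http 200
192.0.2.23 GET http://129.128.5.191/cgi-bin/ftpinstall.cgi?&TZ=Europe/Berlin 200
EOF
}

sample_log | report_ftpinstall
```

The ftplist.cgi mirror-list request is ignored; only the ftpinstall.cgi report carries the install source, timezone and method.
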
#7 comet--berkeley, 14th March 2014

Quote:
Originally Posted by comet--berkeley
During an install (bsd.rd), one's IP address, timezone setting, last choice of OpenBSD FTP server and architecture are sent to an OpenBSD website in Calgary.

http://jan.exss.de/openbsd-bb.html

Quote:
Originally Posted by roddierod
How exactly is that "Big Brother"? It's not any more information than is gathered by most web servers on the internet?

I'm doing an install, not browsing the web.

Why should I expect that my information is being gathered in the first place?

Last edited by comet--berkeley; 14th March 2014 at 03:48 PM. Reason: add link to jan.exss.de page

#8 comet--berkeley, 14th March 2014

Quote:
Originally Posted by jggimi
I find myself thinking that this collection of metadata might have been better publicized, and that an "opt out" capability should be implemented. This data could be interpreted as PII in many jurisdictions, and the Project therefore acting in the dual roles of Data Collector and Data Processor.

Thanks jggimi.

There actually is a work-around way of "opting out".
  1. Only install from a full installxx.iso or installxx.fs image
  2. Do not configure a network device during the install. (unplug the ethernet too?)

Last edited by comet--berkeley; 14th March 2014 at 04:10 PM. Reason: suggest unplugging the ethernet

#9 angryfirelord, 14th March 2014

There was one thread about it in @misc: http://marc.info/?t=126645269500001&r=1&w=2

Chances are it's not going anywhere as Theo sees it as a useful feature. I don't think it's a bad thing, but a little bit of disclosure would have been nice. Debian does something similar for packages where the installer asks you if you want to submit statistics for the packages you've installed on your system.

http://popcon.debian.org/README