Date: Tue, 6 Apr 2021 10:27:35 -0400
From: Shawn Webb <shawn.webb@hardenedbsd.org>
To: Stefan Blachmann <sblachmann@gmail.com>
Cc: secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd>
In-Reply-To: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com>

On Tue, Apr 06, 2021 at 03:11:31AM +0200, Stefan Blachmann wrote:
> Hello,
>
> I had a very distressing experience today.
> I installed a package to view its scripts (and *not* to run them!).
>
> I was shocked when pkg told me that my system configuration, including
> which packages and their versions are installed on my system, has been
> sent to an external entity, without asking for my content.
>
> This is a security leak as well as a breach of EU data protection
> rules, but above all, it is a breach of trust of the unsuspecting
> FreeBSD users.
>
> Read this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> And read my experience in this and the following forum posts:
> https://forums.freebsd.org/threads/toplist-freebsd-usage-per-1m-inhabitants.79669/post-504430
>
> If this does not get fixed in short time, I will contact ArsTechnica,
> TheRegister and some other reputed IT news outlets, to create public
> pressure to get the issue resolved.
>
> So please get this fixed and report back.

1. BSDStats isn't run/maintained by the FreeBSD project. File the report
   with the BSDStats project, not FreeBSD.
2. You install a package that is made to submit statistical data.
3. You're upset that it submits statistical data?

lolwut,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc