OSINT : User Privacy in Linux

Linux telemetry is the gathering and sending of data from a Linux-based system to an external server or service, and it raises privacy concerns. The purpose of this process is often to monitor system performance, provide diagnostics, enable analytics, or improve system functionality. The collected data may include system performance indicators, usage patterns, hardware specifications, error logs, and other relevant information. In this article, we discuss why telemetry can be seen as a potential threat to privacy, even when used for legitimate purposes. We will also explore methods to make the system more secure than before.

Table of Contents

  • Secure OS Installation
  • Removing the packages
  • Settings in ubuntu
  • Disable diagnostics reporting
  • Disable lock screen notifications
  • Disable tracking of recent files
  • Turning off the problem reporting
  • Turning off the screen blank
  • Disable automatic screen locking
  • Permanently delete option
  • Show hidden files
  • BleachBit
  • KeePassXC
  • Virus Scanner
  • Metadata removal
  • Firefox profilemaker
  • Flatpak
  • LibreWolf
  • VeraCrypt
  • Tor Browser
  • Proton VPN
  • NextDNS
  • Conclusion

Secure OS Installation

Ideally, we would install Pop!_OS by System76, which is based on Ubuntu but redesigned for privacy and security. However, here we use Ubuntu 22.04.4. We chose this version because releases that begin with an odd number or end with .10 are interim releases with a short support cycle, and we need a release with Long Term Support (LTS). Hence only versions that begin with an even number and end with .04 should be considered. We will discuss the steps to make it secure from the installation onward.

Steps:

1: Download the ubuntu-22.04.4-desktop-amd64.iso image from the following URL: https://old-releases.ubuntu.com/releases/22.04/

2: Create a new virtual machine in VMware Workstation Pro.

3: Select the path of the installer disc.

4: Enter the Full name, User name, Password and Confirm.

5: Select the Normal installation and select both options in the Other options.

6: Select Erase disk and install Ubuntu, click on Advanced features.

7: Inside Advanced features, use the following options: Use LVM with the new Ubuntu installation and Encrypt the new Ubuntu installation for Security.

8: Enter the Security key and click on Install now.

9: Select Continue at the Write the changes to disks? prompt.

10: Enter the details at the Who are you? installation step.

Once the installation is complete, the Ubuntu login screen appears.

Removing the packages

After logging in to the Ubuntu machine, we can remove the packages that transfer user or system information to an outside source, whether for improvement, feedback, or diagnostic purposes.

We start with the whoopsie package, a crash reporting daemon designed to capture application crashes and send anonymized reports to the Ubuntu servers.

The following command purges whoopsie together with apport, apport-symptoms, popularity-contest, and ubuntu-report:

sudo apt purge apport apport-symptoms popularity-contest ubuntu-report whoopsie

We will also remove the motd-news script, which is responsible for delivering dynamic news messages as part of the Message of the Day (MOTD) system.

The command to remove it is:

sudo rm /etc/update-motd.d/50-motd-news

Settings in ubuntu

After removing the packages, we can proceed with the essential settings in Ubuntu that help make the system more secure. Each setting is shown as a terminal command, along with how the same change can be made in the GUI.

Disable diagnostics reporting

Apport is a crash reporting tool found in Ubuntu and other Linux-based operating systems. Its primary function is to identify when programs crash, gather detailed information about the error, and create reports that assist in diagnosing and troubleshooting the problem.

Setting show-apport-crashes to false stops the Apport crash pop-up notifications.

gsettings set com.ubuntu.update-notifier show-apport-crashes false

Disable lock screen notifications

Lock screen notifications can disclose various things which might be private to the user. So, we need to disable the lock screen notifications.

gsettings set org.gnome.desktop.notifications show-in-lock-screen false

Disable tracking of recent files

To disable the tracking of recently opened files in the ubuntu machine, we can set the remember-recent-files to false.

gsettings set org.gnome.desktop.privacy remember-recent-files false

Turning off the problem reporting

Open the Privacy settings in the GUI and, inside Diagnostics, set Send error reports to Canonical to Never. With this setting, no error reports are shared with Canonical and privacy is maintained.

Turning off the screen blank

To disable the automatic screen blanking or locking due to inactivity, first open the Power options. Then, set the Screen Blank option to Never and Automatic Suspend to Off. This way, the display stays on indefinitely because the inactivity action never triggers.

gsettings set org.gnome.desktop.session idle-delay 0

Disable automatic screen locking

To disable the automatic lock when the system remains idle, click the Privacy option, then click Screen and disable all options.

gsettings set org.gnome.desktop.screensaver lock-enabled false
gsettings set org.gnome.desktop.screensaver ubuntu-lock-on-suspend false
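
The package purge and the gsettings commands above can be checked afterwards with a small audit script. This is an added example, not part of the original article; the function name audit_privacy and the GSETTINGS and DPKG_QUERY override variables are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit the state the article's commands should leave behind.
# GSETTINGS and DPKG_QUERY can be overridden so the logic runs offline.
GSETTINGS=${GSETTINGS:-gsettings}
DPKG_QUERY=${DPKG_QUERY:-dpkg-query}

# schema|key|exact text `gsettings get` prints after the article's command
EXPECTED='com.ubuntu.update-notifier|show-apport-crashes|false
org.gnome.desktop.notifications|show-in-lock-screen|false
org.gnome.desktop.privacy|remember-recent-files|false
org.gnome.desktop.session|idle-delay|uint32 0
org.gnome.desktop.screensaver|lock-enabled|false
org.gnome.desktop.screensaver|ubuntu-lock-on-suspend|false'

PURGED='apport apport-symptoms popularity-contest ubuntu-report whoopsie'

# Prints one line per deviation and returns the number of deviations.
audit_privacy() {
    drift=0
    while IFS='|' read -r schema key want; do
        got=$($GSETTINGS get "$schema" "$key" 2>/dev/null) || got='<unreadable>'
        if [ "$got" != "$want" ]; then
            echo "DRIFT $schema $key: want '$want', got '$got'"
            drift=$((drift + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    for pkg in $PURGED; do
        status=$($DPKG_QUERY -W -f='${Status}' "$pkg" 2>/dev/null) || status=''
        case "$status" in
            ''|*not-installed) ;;   # purged, or never installed
            *)  # "config-files" here means removed but not purged
                echo "PRESENT $pkg: $status"
                drift=$((drift + 1)) ;;
        esac
    done
    return "$drift"
}

# Run with: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_privacy && echo "all settings match"
fi
```

Run it as the desktop user rather than through sudo, because gsettings reads the settings of the user who invokes it.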

Permanently delete option

If we want to permanently delete an object without moving it to the trash, we can run the following command to get a permanently delete option for every file.

gsettings set org.gnome.nautilus.preferences show-delete-permanently true

After running the above command, we can now see that we have Delete permanently option available for all the files.

Show hidden files

To permanently enable the view hidden files option, we can run the following command:

gsettings set org.gnome.nautilus.preferences show-hidden-files true

BleachBit

BleachBit is an open-source application that functions as a system cleaner and privacy tool. It optimizes disk space and safeguards user privacy by eliminating unwanted files and data from your computer.

Installation of BleachBit can be performed using the following command:

sudo apt install bleachbit

KeePassXC

KeePassXC is an open-source tool for password management. It helps users securely store and manage their passwords and sensitive information. Therefore, it plays a crucial role in maintaining privacy.

Installation of KeePassXC can be performed using the following command:

sudo apt install keepassxc

Virus Scanner

In this section, we will install ClamAV, an open-source antivirus that scans for malware and malicious files. The GUI of ClamAV is called ClamTK, and to fetch the latest malware detection updates, we must enable freshclam.

sudo apt install clamav clamav-daemon
sudo apt install clamtk
sudo systemctl stop clamav-freshclam
sudo systemctl enable clamav-freshclam --now

Metadata removal

Sometimes, when transferring files, metadata containing private information also transfers along with the file. To prevent this, we will use MAT2 (Metadata Anonymisation Toolkit 2) to remove metadata from files and enhance privacy.

To install the MAT2 tool, we can use the following command:

sudo apt install mat2

Firefox profilemaker

To download a customized browser setup tailored to your needs, use Firefox Profilemaker. It offers a variety of configurations, which you can set and then download as a profile or preference file. Finally, you can import it into the browser, ensuring full customization and enhancing privacy.

The profile setup can be performed using the following URL:

https://ffprofile.com/

Flatpak

Flatpak installs and runs applications within a sandboxed environment. Applications installed via Flatpak run in isolation. This prevents apps from interfering with the system or accessing unauthorized resources, increasing security.

The following commands install Flatpak and add the Flathub repository:

sudo apt install flatpak
sudo apt install gnome-software-plugin-flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo

LibreWolf

LibreWolf is a web browser focused on privacy; it comes with improved security settings by default. It removes the telemetry, data collection, and tracking features found in standard Firefox, offering a more private browsing experience. By using LibreWolf, users can reduce their exposure to telemetry and maintain greater control over their data.

To install and run LibreWolf using Flatpak, we can use the following commands:

flatpak install flathub io.gitlab.librewolf-community
flatpak run io.gitlab.librewolf-community

VeraCrypt

To create a virtual encrypted disk or to encrypt an entire partition or storage device, we can use VeraCrypt. To install it, we add the unit193/encryption PPA (Personal Package Archive), update the package lists, and then install VeraCrypt.

sudo add-apt-repository ppa:unit193/encryption -y
sudo apt update
sudo apt install veracrypt

After installation, we can launch VeraCrypt.

Tor Browser

For anonymous browsing, we can use the Tor Browser. It routes traffic through the Tor network, making it difficult to track.

It can be downloaded from the following website:

https://www.torproject.org/download/

After downloading, extract the file and start the browser. Use the --register-app flag to register the Tor Browser so that it can be launched from the applications menu.

./start-tor-browser.desktop --register-app

After successful installation, the browser can be launched from the applications menu.

Proton VPN

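Proton VPN is a widely used VPN which gives 3 locations as a free service. It helps to remain anonymous while performing tasks. The installation instructions are available at the following link: https://protonvpn.com/support/official-linux-vpn-debian/

The following steps install Proton VPN. The checksum of the downloaded repository package is verified before the package is installed, so a corrupted or tampered file is caught before dpkg runs it:

# Download the repository package
wget https://repo.protonvpn.com/debian/dists/stable/main/binary-all/protonvpn-stable-release_1.0.4_all.deb

# Verify its SHA-256 checksum; continue only if this prints OK
echo "62a9d849835de8a5664cf95329458bf1966780b15cec420bf707b5f7278b9027  protonvpn-stable-release_1.0.4_all.deb" | sha256sum --check -

# Install the repository package and refresh the package lists
sudo dpkg -i ./protonvpn-stable-release_1.0.4_all.deb && sudo apt update

# Upgrade the system and install the Proton VPN client
sudo apt update && sudo apt upgrade
sudo apt install proton-vpn-gnome-desktop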

After the installation is complete, we can launch the Proton VPN.

After connecting with the Netherlands location, we can check the public IP.

NextDNS

NextDNS is a cloud-based DNS solution that provides content filtering and other features. It serves as an alternative to the DNS provided by the ISP. It is useful when we want to block access to certain websites on our system and check which websites the user visited.

The profile can be set up using the DNS addresses given at the following link:

https://my.nextdns.io/2f7664/setup

After copying the systemd-resolved addresses, we can add this in the /etc/systemd/resolved.conf file.

sudo nano /etc/systemd/resolved.conf
cat /etc/systemd/resolved.conf
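
A quick check that the edited file really enforces encrypted DNS for the NextDNS profile, given as an added example that is not part of the original article. The function names, the placeholder profile ID abc123, and the documentation-range addresses in the sample are assumptions; only the single file the article edits is inspected, not drop-ins.

```sh
#!/bin/sh
# Added example. Usage: check_resolved FILE PROFILE_ID
# Prints one line per problem and returns the number of problems.
check_resolved() {
    conf=$1 want="#$2.dns.nextdns.io" problems=0

    # The last uncommented DNSOverTLS= line wins; unset means "no" on Ubuntu.
    dot=$(sed -n 's/^[[:space:]]*DNSOverTLS=//p' "$conf" | tail -n 1)
    case "$dot" in
        yes|true|1|on) ;;
        opportunistic)
            echo "DNSOverTLS=opportunistic: can fall back to plaintext"
            problems=$((problems + 1)) ;;
        *)  echo "DNSOverTLS is '${dot:-unset}': queries are not encrypted"
            problems=$((problems + 1)) ;;
    esac

    # DNS= may repeat and may list several space-separated servers.
    servers=$(sed -n 's/^[[:space:]]*DNS=//p' "$conf")
    [ -n "$servers" ] || { echo "no DNS= servers set"; problems=$((problems + 1)); }
    for s in $servers; do
        case "$s" in
            *"$want") ;;   # address#name: name is used for SNI and cert check
            *) echo "server $s lacks $want"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Constructed sample: documentation addresses, placeholder profile ID abc123.
sample_conf() {
    cat <<'EOF'
[Resolve]
DNS=192.0.2.1#abc123.dns.nextdns.io 2001:db8::1#abc123.dns.nextdns.io
DNS=192.0.2.2
#DNSOverTLS=yes
DNSOverTLS=opportunistic
EOF
}

# Demo on the sample: sh check.sh --demo   (reports 2 problems)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_conf > "$tmp"
    check_resolved "$tmp" abc123; echo "problems: $?"; rm -f "$tmp"
fi
```

Changes to resolved.conf take effect after `sudo systemctl restart systemd-resolved`.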

After adding the addresses to the configuration file, navigate to Settings in the browser and select DNS over HTTPS. It should be set to Max Protection. Inside Max Protection select the custom DNS and enter the NextDNS URL shown in the DNS over HTTPS.

After the configuration is complete, the NextDNS setup page will show an All good! status.

We can also block websites by adding them to the Parental Control list.

The user is no longer able to visit the website.

The Logs option also lets us review the logs, which helps in tracking the websites that were visited earlier.

Conclusion

As we become aware of the effects of Linux telemetry on privacy, we can make choices that lead to a safer and more private computing environment. By using the above methods and tools, we can safeguard users’ privacy and significantly reduce our exposure to unwanted data collection, including telemetry.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant.