This is very disturbing - I think? - where to post?

Captain Brillo
Posts: 106
Joined: Mon Jan 07, 2019 12:29 am

This is very disturbing - I think? - where to post?

#1 Post by Captain Brillo »

Found this thread about what I would call "spyware" on LinuxQuestions.org and wondering what to make of it:
https://www.linuxquestions.org/question ... ost5952234
GAFA-free zone

Mauser
Posts: 1364
Joined: Mon Jun 27, 2016 7:32 pm

Re: This is very disturbing - I think? - where to post?

#2 Post by Mauser »

Post of the truth was edited and removed because it violates forum rules. Peace.
Last edited by Mauser on Wed Jan 23, 2019 1:09 pm, edited 2 times in total.
I am command line illiterate. :confused: I copy & paste to the terminal. Liars, Wiseguys, Trolls, and those without manners will be added to my ignore list. :mad:

j2mcgreg
Global Moderator
Posts: 4222
Joined: Tue Oct 23, 2007 12:04 pm

Re: This is very disturbing - I think? - where to post?

#3 Post by j2mcgreg »

Captain Brillo wrote: Tue Jan 22, 2019 10:49 pm Found this thread about what I would call "spyware" on LinuxQuestions.org and wondering what to make of it:
https://www.linuxquestions.org/question ... ost5952234
That's not spyware. That's a hack.
HP 15; ryzen 3 5300U APU; 500 Gb SSD; 8GB ram
Aspire V5-571; CPU Intel I3; 500 GB SSD; Intel 2nd Gen Graphics; 8 GB Ram
Aspire XC-866; i3-9100; UHD 630; 8 GB ram; 1TB HDD

In Linux, newer isn't always better. The best solution is the one that works.

Auro Kumar Sahoo
Posts: 357
Joined: Sun Jan 21, 2018 8:54 am

Re: This is very disturbing - I think? - where to post?

#4 Post by Auro Kumar Sahoo »

Please be assured if you are using MX Linux. MX is the system you can trust.
If the post is right, it may be due to some additional PPA the user may have installed there in Ubuntu. Here in MX you need not worry about it, as MX does not support Ubuntu PPAs, and we at MX always tell new users not to add any Ubuntu PPA in MX.
In addition to that, I always say to install packages from the MX repository, and while browsing the internet never install any Firefox add-on blindly, and enable the GUFW firewall that comes with MX.
Wallpapers for mx : https://www.flickr.com/photos/aurokumar ... 2672882131 & page2
MX help : https://mxlinux.org/manuals/

दुर्लभम् हि सदा सुखम् ||{Ramayan २-१८-१३}
To be happy always is something which is difficult to achieve.

Mauser
Posts: 1364
Joined: Mon Jun 27, 2016 7:32 pm

Re: This is very disturbing - I think? - where to post?

#5 Post by Mauser »

Auro Kumar Sahoo wrote: Wed Jan 23, 2019 12:06 am Please be assured if you are using MX Linux. MX is the system you can trust.
If the post is right, it may be due to some additional PPA the user may have installed there in Ubuntu. Here in MX you need not worry about it, as MX does not support Ubuntu PPAs, and we at MX always tell new users not to add any Ubuntu PPA in MX.
In addition to that, I always say to install packages from the MX repository, and while browsing the internet never install any Firefox add-on blindly, and enable the GUFW firewall that comes with MX.
I concur, but there are exceptions. I personally wouldn't trust Deepin. 9_9 I added add-ons to Firefox with my eyes wide open. ;)
I am command line illiterate. :confused: I copy & paste to the terminal. Liars, Wiseguys, Trolls, and those without manners will be added to my ignore list. :mad:

Bierhundt
Posts: 186
Joined: Wed Jan 31, 2018 12:12 pm

Re: This is very disturbing - I think? - where to post?

#6 Post by Bierhundt »

I never have been able to get a decent install of *buntus - and I tried a lot of them from back when they first started, they were giving away their CD/DVD's by the dozens (so you would hook others on their distro, I'd guess). They always crashed on me or fouled up something I had on my computer. The response from others was that it was the brand of computer I was using, but that changed several times, so I don't think that was the problem. I haven't tried out *buntus since, and that's been several years. Now, with that post on LQs, I'm glad I don't!

wkr
Posts: 2
Joined: Thu Jan 24, 2019 8:22 am

Re: This is very disturbing - I think? - where to post?

#7 Post by wkr »

Captain Brillo wrote: Tue Jan 22, 2019 10:49 pm Found this thread about what I would call "spyware" on LinuxQuestions.org and wondering what to make of it:
https://www.linuxquestions.org/question ... ost5952234
Here is the explanation : https://www.omgubuntu.co.uk/2017/09/dis ... untu-17-10

skidoo
Posts: 753
Joined: Tue Sep 22, 2015 6:56 pm

Re: This is very disturbing - I think? - where to post?

#8 Post by skidoo »

Without disparaging the LQ reporter, I'm explaining that s/he (and we) must not "blame" Ubuntu nor LinuxMint nor the "network-manager-config-connectivity" mechanism.

correlation should not imply causation

Based on the OP's description, yes, screenshotting malware is apparently piggybacking the root-permissioned "network-manager-config-connectivity" process, using that as an exfiltration vector, but...

You can (and I did) audit the source code of the Ubuntu-supplied package
to confirm that Ubuntu does not "maliciously tamper with"
the network-manager-config-connectivity-ubuntu code provided by the upstream (GNOME, Red Hat) maintainers.

I have inspected the code for each of these versions
(FWIW, in case you're curious to inspect the patchsets firsthand, it only involves a quick, ten-minute reading):

* v1.10.6-2ubuntu1.1
* v1.12.4-1ubuntu1.2
* v1.12.6-0ubuntu3

You can audit the upstream-supplied "network-manager-config-connectivity" source code
to learn, firsthand, that:

* it doesn't depend on gnome-screenshot
* it doesn't check whether gnome-screenshot is installed
* it doesn't know/care about gnome-screenshot, period


Although its code is a bloated 40MB bowl of spaghetti (and you're welcome to dig further), by skimming & grepping the codebase I found that its attention to assessing the runtime display environment is solely limited to checking available row/column dimensions prior to painting its TUI dialog(s). This functionality (calculation of available character columns, given a specified window width + font) would not be useful toward serving as a component within a screencapture mechanism (surreptitious, or otherwise).

re: the advice presented in the linked article, "turn off the captive-portal-detection mechanism when not needed"

Bear in mind that your modern "web browser" likely has its own, inbuilt "ping-a-server becuz captive-portal-detection" mechanism, as well as inbuilt screenshotting (and "sharing"!) functionality, and (v55 firefox onward) the browser can be launched "headless"... what could possibly go wrong, eh?
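
Added example, not part of skidoo's post and not NetworkManager's own code: one way to see whether the captive-portal connectivity check discussed above is in effect on a machine, and which file configures it. It assumes the file read order and the `[connectivity]` keys (`uri`, `interval`, `enabled`) documented in NetworkManager.conf(5); the function names and the `root` parameter are made up for this example.

```python
import configparser
from pathlib import Path

def _snippets(directory):
    """Sorted *.conf entries of a conf.d directory (empty if it does not exist)."""
    return sorted(directory.glob("*.conf")) if directory.is_dir() else []

def config_files(root="/"):
    """Config sources in the read order given by NetworkManager.conf(5)."""
    nm_etc = Path(root) / "etc/NetworkManager"
    etc_d = _snippets(nm_etc / "conf.d")
    masked = {p.name for p in etc_d}  # same name in /etc hides the packaged file
    files = []
    for d in ("usr/lib/NetworkManager/conf.d", "run/NetworkManager/conf.d"):
        files += [p for p in _snippets(Path(root) / d) if p.name not in masked]
    files += [nm_etc / "NetworkManager.conf"] + etc_d
    return [p for p in files if p.is_file()]  # drops /dev/null symlinks

def connectivity_check(root="/"):
    """Effective [connectivity] settings and the file each one came from.

    Assumption: only the documented conf.d / NetworkManager.conf sources are
    read, and the defaults below are the man-page ones (a distro build may differ).
    """
    eff = {"uri": "", "interval": "300", "enabled": "true"}
    origin = {}
    for path in config_files(root):
        cp = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
        cp.read(path)
        if cp.has_section("connectivity"):
            for key, val in cp["connectivity"].items():
                eff[key] = (val or "").strip()
                origin[key] = str(path)  # later files override earlier ones
    off = eff["enabled"].lower() in ("false", "0", "no", "off")
    # The check runs only with a URI set, a non-zero interval and enabled != false.
    active = bool(eff["uri"]) and eff["interval"] != "0" and not off
    return {**eff, "active": active, "origin": origin}

if __name__ == "__main__":
    result = connectivity_check()
    print("connectivity check active:", result["active"])
    for key, src in result["origin"].items():
        print(f"  {key} = {result[key]!r}  (from {src})")
```
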
