
Dev creeped out after he fired up Ubuntu VM on Azure, was immediately approached by Canonical sales rep

I always feel like somebody's watching me


Updated An Azure customer was outraged after finding himself on the receiving end of an unexpected LinkedIn message from Ubuntu maker Canonical last night.

The user, Luca Bongiorni, had spun up an instance of the Linux distro on an Azure corporate subscription in order to evaluate some tooling. Sensibly, the subscription is used as a sandbox for the purpose of testing.

Upon clicking "Add new VM", the first option was Ubuntu 18.04, according to Bongiorni, which he selected in order to get his Linux kicks. Shortly after, however, a message turned up from an Enterprise Development representative at Ubuntu with the ominous phrase: "I saw that you spun up an Ubuntu image in Azure," and offering to be a point of contact.


Was Canonical somehow aware of what an Azure customer was doing on the dashboard?

The Register spoke to Bongiorni, who confirmed the sequence of events and noted that "Azure Portal's UI didn't provide any insight on whether that Template was coming with a specific ToS" as he cheerfully chose Ubuntu.

It's a reminder to always check the small print (and icons) as, indeed, the implications of the orange icon were not clear to him. Particularly not that his data would be shared.

"The creepiest thing," he said, "[was] the direct contact on my private LinkedIn account" – which he noted did not share "the same corporate email. Which means that Canonical sales hunted my name down into social medias to reach me directly."

Microsoft and Canonical are certainly good chums. The companies recently boasted of the one-year anniversary of "a partnership that delivers the best and most secure open source for customers" and a co-sell model, launched back in 2019, that was a step up from mere passive engagement.

Certainly, a cold-call message out of the blue would not come under the description of "passive".

While the thought of Canonical's engineers peering over one's virtual shoulder with the tacit approval of Microsoft might appeal, the explanation is likely a little simpler. A look at the terms for the Azure Marketplace throws up this sentence: "If you purchase or use a Marketplace Offering, we may share with the Publisher of such Offering your contact information and details about the transaction and your usage."

A hunt around Ubuntu's legals (as noted by Twitter user @dezren39) shows a whole section giving the company the green light "To market our products or services to you."

Bongiorni reckoned that the sharing of data was "in some ways" understandable when spinning up a third party's template on Azure, but added: "Make it very clear when you are going to pick a specific VM from the Azure Portal UI.

"I would not have deployed that if I knew someone would stalk me outside corporate channels."

Certainly, something a bit clearer than a little orange icon would be useful to indicate the imminent deployment of the stalkerbots. Or maybe just not doing it at all, hmm?

We asked Microsoft and Canonical for comment but have yet to receive an explanation from either. AWS commentator Corey Quinn reacted in colourful fashion:

And Bongiorni? He told us he was considering a switch to a different provider, likely based in Europe, "just to be sure there will be more transparency and more GDPR openness."

He also highlighted a further wrinkle in the story. If Canonical, as an Azure Marketplace Publisher, is handed information about anyone using its templates, could a hypothetical malicious publisher also receive the same?

"I am very curious to know what else these 'publishers' are getting from Microsoft about me and the machines I spun over the time that relied on their templates."

Updated at 1000 UTC on 12 February to add

Following publication of this article, Canonical responded to our calls for comment with a written statement:

"As per the Azure T&Cs, Microsoft shares with Canonical, the publisher of Ubuntu, the contact details of developers launching Ubuntu instances on Azure. These contact details are held in Canonical’s CRM in accordance with privacy rules.

"On February 10th, a new Canonical Sales Representative contacted one of these developers via LinkedIn, with a poor choice of word. In light of this incident, Canonical will be reviewing its sales training and policies."

Microsoft also sent us a canned remark:

"Customer privacy and trust is our top priority at Microsoft. We do not sell any information to third-party companies and only share customer information with Azure Marketplace publishers when customers deploy their product, as outlined in our Terms and Conditions. Our terms with our publishers allow them to provide customers with implementation and technical support for their products but restricts them from using contact details for marketing purposes." ®


Prisons transcribe private phone calls with inmates using speech-to-text AI

Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.


Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

Another terrible launch, but DICE is already working on improvements

The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.


American diplomats' iPhones reportedly compromised by NSO Group intrusion software

Reuters claims nine State Department employees outside the US had their devices hacked

The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

NSO Group, in an email to The Register, said it has blocked an unnamed customer's access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

"Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."


Utility biz Delta-Montrose Electric Association loses billing capability and two decades of records after cyber attack

All together now - R, A, N, S, O...

A US utility company based in Colorado was hit by a ransomware attack in November that wiped out two decades' worth of records and knocked out billing systems that won't be restored until next week at the earliest.

The attack was detailed by the Delta-Montrose Electric Association (DMEA) in a post on its website explaining that current customers won't be penalised for being unable to pay their bills because of the incident.

"We are a victim of a malicious cyber security attack. In the middle of an investigation, that is as far as I’m willing to go," DMEA chief exec Alyssa Clemsen Roberts told a public board meeting, as reported by a local paper.


Feds charge two men with claiming ownership of others' songs to steal YouTube royalty payments

Alleged scheme said to have netted $20m since 2017

The US Attorney's Office of Arizona on Wednesday announced the indictment of two men on charges that they defrauded musicians and associated companies by claiming more than $20m in royalty payments for songs played on YouTube.

The 30-count indictment against Jose Teran, 36, of Scottsdale, Arizona, and Webster Batista, 38, of Doral, Florida, was returned by a grand jury on November 16, 2021. It accuses the two men of conspiracy, wire fraud, transactional money laundering, and aggravated identity theft in connection with a scheme to steal YouTube payments.

"In short, Batista and Teran, as individuals and through various entities that they operate and control, fraudulently claimed to have the legal rights to monetize a music library of more than 50,000 songs," the indictment [PDF] alleges.


Hot not-Spot-bot spot: The code behind Xiaomi's CyberDog? Ubuntu

Your four-legged open-source friend? CIMON says 'Maybe'

Linux fans rejoice: the smarts running behind Xiaomi's Not-Spot, CyberDog, emanate from none other than Ubuntu 18.04.

The Register asked Canonical why not something a little fresher, such as 20.04, and were told by robotics product manager, Gabriel Aguiar Noury, that "the operating system is running 18.04 rather than 20.04 because they are using Jetson, and 18.04 is more compatible for the approach the team had in mind."

The CyberDog bounded onto the global stage in August and represented the company's first foray into the world of quadruped robotics.


What will life in orbit look like after the ISS? NASA hands out new space station contracts

The end is coming, and nobody wants a homeless 'naut

NASA has splashed the cash on design contracts for space stations and a multibillion-dollar job for more Artemis boosters.

With the days of the International Space Station (ISS) numbered, NASA is looking to maintain an uninterrupted US presence in low-Earth orbit. Although Axiom Space has plans to build from the ISS, the $415.6m award is about developing space station designs and "other commercial destinations in space."

Blue Origin, which has partnered with Sierra Space to develop the Orbital Reef, received $130m. Nanoracks, which is working on a commercial low-Earth orbit destination called "Starlab" (with Voyager Space and Lockheed Martin), received $160m, and Northrop Grumman's Cygnus-based station received $125.6m. The Cygnus currently does duty as a freighter for the ISS.


Why your external monitor looks awful on Arm-based Macs, the open source fix – and the guy who wrote it

Q&A with the developer of BetterDummy: from macOS secrets to his motivations

Interview Folks who use Apple Silicon-powered Macs with some third-party monitors are disappointed with the results: text and icons can appear too tiny or blurry, or the available resolutions are lower than what the displays are capable of.

It took an open source programmer working in his spare time to come up with a workaround that doesn't involve purchasing a hardware dongle to fix what is a macOS limitation.

István Tóth lives in Hungary, and called his fix BetterDummy. It works by creating a virtual display in software and then mirroring that virtual display to the real one, to coax macOS into playing ball. The latest version, 1.0.12, was released just a few days ago, and the code is free and MIT licensed.


Chill out to the sounds of an expert typing on a variety of mechanical keyboards

A truly rare groove

Discerning writers and programmers know that keyboards matter. It's mostly the feel, but the best feel tends to come from mechanical key switches and they make a noise as they activate.

That feeling goes hand in hand with a chorus of soft clicks… and thanks to custom keyboard guru Taeha "Nathan" Kim and weirdo label Trunk Records, you can relax to 43 minutes and 24 seconds of soothing sounds from 13 rare and limited-edition mechanical keyboards.

Your correspondent is a bit of a fan of devices like this (this piece was typed on a 1991 IBM Model M; accept no substitute) – but no such brash, commonplace kit features on the album. Instead you can luxuriate to the Alps switches of a 1987 Apple Standard (why, yes, I do happen to have one of those too, but the linear cursor keys hinder daily use), and an M0110A from a Mac Plus, as well as more exotic kit.


Netgear router flaws exploitable with authentication ... like the default creds on Netgear's website

Don't just install the patch, change your router passwords too

Two arbitrary code execution vulnerabilities affecting a number of Netgear routers aimed at small businesses have been patched following research by Immersive Labs.

The vulns rely on authenticated access to affected devices so aren't an immediate threat. They do, however, allow someone with remote access to the router to pwn the device's underlying OS, threatening the security of data passing through the router.

Helpfully, Netgear itself publishes default login credentials for "most" of its products on its website. If you haven't been into your Netgear router's admin panel and changed these default creds, you're at increased risk.


Not only was the UK Financial Ombudsman Service's Workday system months late, 38 IT workers' jobs are at risk

Questions remain over data warehouse dependencies and redundancies

The UK's Financial Ombudsman Service (FOS) has gone live on Workday finance and HR systems around three months later than planned, drawing questions over an interdependent data warehouse project.

At the same time, the process has seen IT roles marked for redundancy and set to be transferred to a service supplier.

The watchdog was set up by Parliament in 2001 to resolve complaints between financial businesses and their customers. This week, Workday published a statement boasting that the implementation of its software at the FOS had gone live.
