You may have been hearing about a Linux distribution that’s been talked about recently known as “Wubuntu” (shortened from Windows Ubuntu). As I know of some “Download first, ask questions later” people on this forum, I wanted to make this post to warn you against installing it.
Of course, I’m no lawyer or cybersecurity expert. Everything said here is collated off of research. If I’m wrong, let me know peacefully.
The Origins
Let’s start with the origins. Wubuntu is derived from (or is a rebranding of) LinuxFX. For the people who don’t know, LFX was a reskin of KDE that was designed to imitate Windows as closely as possible. Remember my Windows install I themed to look like macOS? Kinda like that. An OS pulling a ditto to look like the other. Unfortunately it doesn’t stop at the visuals. LinuxFX sold licenses for a professional edition of the operating system (yep, literally paywalling Linux). Here is where the LinuxFX “Company” has their horrible security practices begin to slip through the cracks.
The Database
All the “licenses” were stored on a database that was very easy to crack. This resulted in a ton of user information getting leaked, including IP addresses. One “Kernal” reported this discovery here.
Once the news started getting around, LinuxFX decided to “increase” their security…
…by simply relocating the database to a different URL. Of course it got cracked yet again. Here’s Kernal’s post about it.
The Immaturity
The LinuxFX team still had a use for the old URL, however… The database would get replaced by a plaintext file. This text would contain lines such as “Kernalisdumb” and “Kernalislammer” (yes, it is an incorrect spelling).
…These are some bad-ass insults, am I right?
LinuxFX may be compromised.
Later, this text file would again be replaced. The text file would now read “Linux896_hacked”.
What was in the database?
According to Kernal:
There was an “FXKeys” table. This contains information on all the registered professional licenses. The information consists of things like the client’s e-mail addresses, the license expiration date, the quantity of machines that were licensed, etc.
There was a “Machines” table too. It consists of information on LinuxFX installs where E.T (referring to the activator) has phoned home. This table includes IP addresses of the machines, and some other data ripped from an IP geolocation service. If it was activated, it would also contain the license key. According to Kernal, there are over 20,000 entries in this file, which is far away from the 1 million users claimed by the company.
In Wubuntu
All this got carried over into Wubuntu. The activator now checks for the presence of sudo, stap (SystemTap) and anything containing bp. If it finds these, the activation will fail purposely. A workaround was of course quickly found. The new activator also calls to 2 sites using curl. URL 1 contains the database and its type, port, host and the username. The second URL contains the password. This means that there are no credentials stored in the program’s binary, but they reside on non-encrypted HTTP endpoints.
Not only do the “developers” not learn from their mistakes, but they literally are breaking so many laws, including the UK’s Data Protection Act (though it most likely doesn’t count here).
The Data Protection Act 1998 is violated in these three examples.
- Storage
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
Some stuff in the database isn’t needed for activation purposes. After activation, they have no use for it.
- Security
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Little to no attempt has been made to secure the databases, even after the breach. “Security through obscurity” is not a valid security method. Changing a URL does nothing.
- Data minimalisation
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Data collected in the database is excessive.
It may entice you due to how close it looks to Windows. You may think it serves as a “bridge” to the world of Linux. Absolutely not. It claims to be able to “Run any EXE and MSI” file. This is false. It uses Wine, which can run most apps pretty well, but there are still a lot of apps that prove too much of an obstacle for Wine. My advice is going for a more reputable distribution such as Ubuntu, Linux Mint, Manjaro or Arch Linux (though Arch may not be good for a Linux beginner).
Sources
- Kernal Post 1
- Kernal Post 2
- Mutahar’s video about it on SomeOrdinaryGamers. Some suggestive language is used when talking about possible lawsuits from Microsoft.
- Michael MJD’s video on Wubuntu
- Action Retro’s Video on Wubuntu
EDIT: I have made it in Microsoft Word form if you want to share it.
Analysis On The Wubuntu Operating System.zip (24.2 KB)
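For contrast with the activator described under “In Wubuntu”, which downloads the database credentials to every client, here is a sketch of server-side activation in which the client only ever sends a licence key and a machine ID and gets back an opaque token. This is an added example, not part of the original post and not LinuxFX or Wubuntu code; every name in it (`activate`, `verify`, the table layout, the secret) is hypothetical, and an in-memory SQLite database stands in for the real one.

```python
import hashlib, hmac, sqlite3, time

# Server-side only: this secret and the database handle never reach a client.
SERVER_SECRET = b"constructed-demo-secret"  # placeholder; use a secret store

def _mac(value):
    """Keyed hash, so stored identifiers are pseudonymous and tokens are unforgeable."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()

def make_db():
    """Constructed in-memory stand-in for the licence database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licences (key_mac TEXT PRIMARY KEY, expires INT, seats INT)")
    db.execute("CREATE TABLE activations (key_mac TEXT, machine_mac TEXT, "
               "PRIMARY KEY (key_mac, machine_mac))")  # no IP, no geolocation
    return db

def add_licence(db, key, expires, seats):
    db.execute("INSERT INTO licences VALUES (?, ?, ?)", (_mac(key), expires, seats))

def activate(db, licence_key, machine_id, now=None):
    """Handle one activation request; return an opaque token, or None if refused."""
    now = int(time.time()) if now is None else now
    k, m = _mac(licence_key), _mac(machine_id)
    row = db.execute("SELECT expires, seats FROM licences WHERE key_mac = ?", (k,)).fetchone()
    if row is None or row[0] < now:
        return None  # unknown or expired licence
    expires, seats = row
    known = db.execute("SELECT 1 FROM activations WHERE key_mac = ? AND machine_mac = ?",
                       (k, m)).fetchone()
    if not known:
        used = db.execute("SELECT COUNT(*) FROM activations WHERE key_mac = ?", (k,)).fetchone()[0]
        if used >= seats:
            return None  # seat limit reached
        db.execute("INSERT INTO activations VALUES (?, ?)", (k, m))
    payload = f"{k}.{m}.{expires}"
    return f"{payload}.{_mac(payload)}"

def verify(token, now=None):
    """Server-side check of a token presented at a later check-in."""
    now = int(time.time()) if now is None else now
    try:
        payload, tag = token.rsplit(".", 1)
        expires = int(payload.rsplit(".", 1)[1])
    except (AttributeError, ValueError, IndexError):
        return False
    return hmac.compare_digest(tag.encode(), _mac(payload).encode()) and expires >= now
```

In a real deployment these functions would sit behind an HTTPS endpoint; the point is that the only things crossing the network are the key, the machine ID and the token, and the stored rows hold nothing beyond what activation needs.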