A warning against the "Wubuntu" operating system

You may have been hearing about a Linux distrobution that’s been talked about recently known as “Wubuntu” (Shortened from Windows Ubuntu) As I know of some “Download first, ask questions later” people on this forum, I wanted to make this post to warn you against installing it.

Of course, i’m no lawyer or cybersecurity expert. Everything said here is collated off of research. If i’m wrong, let me know peacefully.

The Origins

Let’s start about the origins. Wubuntu is derived (Or is a rebranding of) LinuxFX. For the people who don’t know, LFX was a reskin of KDE that was designed to imitate Windows as closely as possible. Remember my Windows install I themed to look like macOS? Kinda like that. An OS pulling a ditto to look like the other. Unfortunately it doesn’t stop from the visuals. LinuxFX sold licenses for a professional edition of the operating system (Yep, literally paywalling linux). Here is where the LinuxFX “Company” has their horrible security practices begin to slip through the cracks.

The Database

All the “licenses” were stored on a database that was very easy to crack. This resulted in a ton of user information getting leaked, it included IP addresses. One “Kernal” reported this discovery here.

Once the news started getting around, LinuxFX decided to “increase” their security…
…by simply relocating the database to a different URL. Of course it got cracked yet again. Here’s Kernal’s post about it.

The Immaturity

The LinuxFX team still had a use for the old URL, however… The database would get replaced by a plaintext. This text would contain lines such as “Kernalisdumb” and “Kernalislammer” (Yes it is an incorrect spelling)
…These are some bad-ass insults, am I right?

LinuxFX may be compromised.

Later, this text file would again be replaced. The text file would now read “Linux896_hacked”.

What was in the database?

According to Kernal:
There was an “FXKeys” table. This contains information on all the registered professional licenses, The information consists of things like the client’s E-Mail addresses, the license expiration date, and the quantity of the machines that were licensed etc.

There was a “Machines” table too. It consists of information of LinuxFX installs where E.T (referring to the activator) has phoned home. This table includes IP Addresses of the machines, and some other data ripped from an IP Geolocation service. If it was activated, it would also contain the license key. According to Kernal, there are over 20,000 entries in this file. Which is far away from the 1 Million users claimed by the company.

In Wubuntu

All this got carried over into Wubuntu. The activator now checks for the presence of sudo, stap (SystemTrap) and anything containing bp. If it finds these, the activation will fail purposely. A work around was of course quickly found. The new activator also calls to 2 sites using curl. URL 1 contains the database and its type, port, host and the username. The second URL contains the password. This means that there are no credentials stored in the program’s binary, but it resides on non-encrypted HTTP endpoints.

Not only do the “developers” not learn from their mistakes, but they literally are breaking so many laws, including the UK’s Data Protection act (Though it most likely doesn’t count here)
The data protection act 1998 is violated in these three examples.

  1. Storage

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

Some stuff in the database isn’t needed to be required for activation purposes. After activation, they have no use for it.

  1. Security

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

Little to no attempt has been made to secure the databases, even after the breach. “Security through obscurity” is not a valid security method. Changing a URL does nothing.

  1. Data minimalisation

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Data collected in the database is excessive.

It may entice you due to how close it looks to Windows. You may think it serves as a “bridge” to the world of linux. Absolutely not. It claims to be able to “Run any EXE and MSI” file. This is false. It uses wine, which can run most apps pretty well, there is still a lot of apps that prove too much of an obstacle for wine. My advice is going for a more reputable distribution such as Ubuntu, Linux Mint, Manjaro or Arch Linux (Though Arch may not be good for a linux beginner)

Sources

EDIT: I have made it in Microsoft Word form if you want to share it.
Analysis On The Wubuntu Operating System.zip (24.2 KB)

2 Likes

Appreciate the well written researched post :slight_smile:.

It’s a bit baffling to think anyone can put together such software and still think it’s reasonable to access a SQL database directly, never mind retrieving credentials for said server from a HTTP URL. This is a pretty basic failure and it isn’t too much work to do it properly.

More baffling is the possible income made. At least right now, a license costs $35 USD. If the 20,000 licenses are to be believed, that’s $700,000. I guess the previously publicity helped with that.

2 Likes

What’s worse is that it still got fame, despite it literally being LinuxFX, which everyone knew was bad news.

When I’ve heard of Wubuntu I thought; wait, doesn’t a different distro does the same thing?

1 Like

Nice summary and well research!

I feel this project is made with ChatGPT with zero competence just for getting some money.

I feel some weird things as well from this website. First of all, where is the EULA and the Privacy Statement from the website? As far as I know if you collect data and you giving a service you must put these documents to your website. Secondly, where’s the tax number? :stuck_out_tongue:

And I am not sure about the licenses. Do they have even right to use Ubuntu’s name? Because the Ubuntu name is belong to Canonical Ltd, even if they put a w to their name. Moreover, website says they’re in the Microsoft ecosystem, but that’s 100% Microsoft didn’t give them permission.

I’ve just clicked on Desktop documentation button and it redirects to Plasma’s wiki, and ehm… excuse me? :stuck_out_tongue: So basically they charge some dollars for a KDE desktop with a pre installed Windows skin, mixing with some bloatware? I don’t know exactly what is this operation system and why is it getting more popular.

And why they use a Windows laptop images for describing their Linux distribution? :stuck_out_tongue: It’s a scam. Plus a brasil contact number in an international website was very cute.

I’m pretty sure they don’t as it’s a legal trademark. Doubt Canonical even knows about this.

This entire OS gives a big finger to the copyright laws and MS themselves. Don’t even think they can do anything either.

5 month bump
As someone who lives in Brazil (where this “company” is located) and understands our (very few) internet and privacy laws, let me clear some things up.

Yes, it is 100% illegal even here, Brazil has had a slightly worse ripoff of GDPR (LGPD) and all the things you mentioned are absolutely illegal.

Doubt it. I’ve known LinuxFX since 2019 (Thanks to shitty Brazilian tech youtubers) but i absolutely agree it is a shitty cashgrab by skid developers.

Illegal as well. Selling anything in Brazil legally (including to international customers) needs a Nota Fiscal (basically a govt tax receipt), which requires a CNPJ (which as far as i can tell, they don’t have).

Absolutely. Canonical has said a while back that if you want to use the “Ubuntu” name for your distro it requires that it’d be an official flavor, which Wubuntu obviously is not. This also forced a few unofficial flavours i used to use (Ubuntu Unity and some other i don’t remember right now) to become official.

May i remind you this is from one of the worst tech markets in the world. If you’re stuck with Portuguese (as with the grand majority of our population) you’ll only learn dogshit from dogshit creators/companies, and even if you do learn English, good luck making international quality stuff. Doesn’t help that most websites here are so overly localized it’s basically impossible to find anything foreign on there (I downloaded TikTok on my phone for this screenshot. You’re welcome)

Agreed. and Brazil contact number is to be expected from a Brazilian “company”

I may make an video over on my YouTube (and possibly on this forum) about why the Brazilian tech market sucks. Ironically this is one of the very few technologies that originate from here that has gotten any meaningful international coverage, atleast that i have personally seen. Most Brazilians (even those into tech spaces like me) can’t name a single significant tech advancement that originates from here. No hate against Brazil as a country, but as a tech/cybersecurity enthusiast. Brazil is a horrible country. (Each word is a different example why)