Stock Ubuntu Linux was sending your Unity App / Doc search results to Amazon and embedding purchase recommendation affiliate links in the results for things you're trying to find on your system. Fortunately, you could actually turn that behavior off, but it was on by default.
It's only marginally more difficult to put sneaky shit into Open Source software than to get your malicious backdoors into closed source software. Microsoft is actively snooping though, so by default a Linux or BSD distro is going to have less backdoors in it.
Security from state actors or targeted attacks is practically zero for any OS on this planet (aside from
some Alternative / Experimental OSs which are small enough to actually audit but lack all the features you want). Security from malware thugs is better on Linux and BSD not only because you're a smaller target (less desktop users), but also because Linux is so fucking fast at fixing bugs. I submitted a critical vulnerability to Microsoft 5 years ago which is still not patched, and they've released two OSs since then and all OSs from Vista on up are vulnerable. I've submitted a dozen bugs this way to MS and only 3 have been fixed, the other 9 are still valid, but are going ignored because MS only really cares about their latest OS. I've sent over 20 security patches to the Linux Kernel and all but two have been accepted. Two were no longer bugs because something else changed the the codebase.
If I published my exploit code then MS would be forced to fix it when bad guys started using them to infect systems with malware. I won't publish the white paper and proof of concept code publicly in order to keep bad guys from using it. There's a "Responsible Disclosure" code to let vendors like MS have time to fix a bug after notifying them that white hats try to live by (esp. ones who aren't pressed for time to disclose vulns on their blogs for advert traffic; most security researchers are under pressure, but that's not my day job so I don't have such pressure).
On Linux and BSD most people don't use "Responsible Disclosure". All exploits are just bugs. If MS published their source code I would fix the vulnerabilities myself and they'd just have to review the patch and apply it and be done. That's how it works on Linux and BSD. I find a critical vulnerability that enables remote code execution and then I fix it and get another patch into the kernel, Apache server, or some other system. The FLOSS ecosystem is so much more hostile for viruses to live in because if there ever is malware crawling around, we disassemble it, find the bug it exploits, and get the patch out to everyone the same week or even the next day in some cases. Frequently I've seen a bug in the news and that morning my Linux OS updater had already patched it.
Microsoft only releases patches on the 2nd Tuesday of every month. This is GREAT! (for malware authors) because they know not to push their malware out until just before the 2nd Tuesday so that they have the most time to run amok before anyone even has a chance to get an update if it's deemed critical enough for MS to pay attention to.
Now, not everyone notifies the software vendors of the bugs they find. Some greyhat and blackhat hackers sell the vulnerabilities they find on the black market. There are several attack toolkits which allow you to add some boilerplate code to your exploit and package the vulnerability for use with whatever payload code a customer wants. I use them for penetration testing, but bad guys use them to attack systems. A script kiddie buys or make a malware payload in damn near anything, I've even seen malware as Python scripts (compiled into an executable with Cython). Then they simply buy one or more 0-day exploits on the market which have wrappers for the exploit toolkit the skiddie is using. Then they literally drag and drop the malware together, joining the exploit vector with the payload. You don't even have to know how to write code to be a "malware publisher" today.
As it turns out, there are FAR MORE exploits on the market for Windows than for Linux and even fewer for BSD. Mac and iOS and Android are steadily climbing though.
As I said, even though Linux / BSD etc. are somewhat more secure, it's still pretty easy to get shady backdoors into Free (Libre) Open Source software. Let's take the case of Heart Bleed. A bug in the OpenSSL library that many web enabled servers and applications use for their TLS / HTTPS security. The code has a "performance optimization" where they keep a memory pool of objects rather than calling free() and malloc() they get memory from the process's pool if it's available and return it to the pool when not in use. That memory pool is used by all sorts of code in the OpenSSL library, and can contain the private keys for your connections. When this is combined with a buffer overrun error which causes OpenSSL to fill a packet with "junk" data beyond the small response data you can leak some of thah memory pool and sometimes it can include parts of the server's key.
Now, the patch that introduced the buffer overrun bug which copies more data than should be sent was accepted to the OpenSSL codebase on New Years freakin' Eve while everyone in the world was getting shitfaced and not paying attention. This is the sort of thing that state actors do to introduce bugs.
Even a code audit isn't necessarily going to find the bugs because we're humans and our brains make us see things we expect to see even if it's not quite the right thing. This is why proofreading your own writing is near impossible. Well, with code it's even worse because it's following familiar patterns so we know what to expect even if we've never read the source before.
...
if ( command == UPDATE_ACCESS_TIME && user = root ) { return fstat( ... ); }
...
Some people might read past this in a block of code and think everything is on the up and up. In fact, if this was in a patch that was changing instances of the costant UPDATE_FILE_ACCESS to UPDATE_ACCESS_TIME then you especially might not notice that the '==' was changed to a '=' in the patch you just accepted. Now when the UPDATE_ACCESS_TIME function of this code is used it also sets the user's level to root rather than just checking if it's root level.
There are people who make a living selling malware or working for governments that are combing through code just looking for exploitable places like this, and if they find a spot that a small modification might make exploitable them they submit crazy patches, maybe on New Years holiday and have their inside guy accept the patches when everyone is distracted. Of course the maintainers have plausible deniability. "It looked good to me, shit happens". in the case of OpenSSL the maintainers were so fucking inept there were security bug-fixes in their issue tracker for years. They changed to another issue tracker and didn't put out a press release, and then they even stopped looking at the issue tracker they were supposed to be getting patch requests through. This for the most used SSL library on the planet? It reeks of a con job, and that's how "secure" open source software can be.
Just because everyone COULD look at the OpenSSL code and just see how shit it was (and many people had, and have been bitching about it for years) doesn't mean the bugs will get fixed at all, unless some serious shit like Heart Bleed goes down and everyone has to pay IT overtime to generate new SSL keys for their servers and test it all out to make sure no old keys are lingering about... You see, when that happens you're supposed to just be able to publish a revocation certificate and then browsers are supposed to check a certificate they have to make sure it hasn't been revoked.
Well! Chrome doesn't do that! Chrome and the open source Chromium it's based on uses it's own janky system where the browser keeps a list of the certificate revocation lists for the "top sites", but if you're not a "top site" (whatever that means), then Chrome / Chromium do not check to see if the cert is revoked at all and so crackers can use your old exposed invalid certificate and spoof connections even though your site is trying it's hardest to be secure. Why does Google do that? To save a few milliseconds on the first time you make a connection to a website in a day. Oooh, so much "faster" than Firefox... Yeah, because it cuts corners on security. And they get away with it because NO ONE CARES ABOUT SECURITY. "Secure" is just a marketing buzz word.
That's not even the half of it!
We have known bad actors with shit security policy as TRUSTED ROOT CERTIFICATE AUTHORITIES who get hacked by skiddies multiple times with no repercussions. Oh, and if you check your certificate list the fucking Hong Kong Post Office is a trusted root Certificate Authority! That means the Chinese government (and any other government that's in your root store, Saudis, India, Russia, USA, Turkey, anyone really) can insert themselves between any connection and you'll see a big green "this site is secure" bar and everything. Unless you manually check the certs you're using on each page load there's no way to know the connection is secure. And how are you even supposed to find out which CA is SUPPOSED to be granting the certs for the site in the first place? A web search over your possibly hijacked and intercepted connection?!
I say this to point out that there is really no such thing as "computer security". There's just relative levels of exploitability. Every damn OS and large software project is so full of holes that damn near any security researcher can crack it with the most minimal of application of force. I just lean on a library by throwing in some random values until it crashes (input fuzzing) and sure enough I'll find a way to make an exploit to break it. Even the damn libpng reference library had a fucking buffer overrun remote code execution vulnerability sitting in it for DECADES and no one noticed, even though EVERY implementation of PNG decoding involved reading the reference implementation code.
Writing and testing code to be very secure is hard. No one actually gives a fuck about security, and so you get as much security as you paid for: NONE. This is true for Microsoft, Linux, BSD, Mac, iOS, Android, Tails, Plan9, BEOS, and every other OS that will actually run on your damn insecure hardware! Yes, even the motherboard, hard disk drive, NIC and etc. firmware contains crap code full of holes. Everything you depend on for "security" is swiss cheese. That's the real reason Microsoft takes so damn long to patch exploits that aren't being used in the wild: They know the whole damn hardware / software stack is crap, and there will just be more exploits found tomorrow.
That said, at least Linux isn't OPENLY trying to spy on you, unlike Microsoft.
