It's not even January 2014 yet, and already Canonical faces another media flare-up about its Ubuntu Linux operating system. But this time, the negative stories about the open source vendor -- which critics accuse of storing WiFi passwords in an insecure way via NetworkManager -- are not fair.
A few days ago, someone figured out that NetworkManager, the networking interface installed by default in Ubuntu and virtually every other major desktop Linux distribution, saves passwords for wireless networks in an unencrypted part of the file system. Now, the press is calling this "another potentially negative story about Ubuntu and Canonical," and asking whether Ubuntu "goofed."
To be sure, Canonical has made its share of poor PR decisions in recent years. From integrating Amazon.com search features into Ubuntu, to pushing drastically new interfaces into Ubuntu before they are ready for users (and users are ready for them), Canonical has sometimes displayed a tendency toward rash behavior -- although it generally does a decent job of fixing its misteps sooner or later.
Don't Blame Ubuntu
In this case, though, the password issue in NetworkManager is no fault of Canonical's. The company doesn't write that software; on the contrary, it's part of GNOME, a project from which Ubuntu has grown increasingly distant in recent years. And there is no real alternative to NetworkManager, which is by far the most advanced and user-friendly networking interface available for Linux.
More importantly, the security concern with NetworkManager is not unique to Ubuntu. It affects all Linux distributions, as the media started noting after fingers were already pointing squarely at Canonical.
By the way, the fact that NetworkManager has been in widespread use on so many Linux platforms for over a half-decade, yet the password issue came to light only now, makes one wonder how crucially serious the vulnerability really is. Aren't there much more important passwords to protect than those for wireless networks that users probably already know, since they've connected to the networks in the past? Sure, on multi-user systems, this information could be exploited in nasty ways, especially in enterprise settings where a particular user's WPA password might also be used for other resources. But it's hard to envision this being a huge problem for most users.
So on this occasion, Canonical deserves a break. There are plenty of valid criticisms of decisions made by the developers of Ubuntu -- as of any operating system -- but this is not one.