Showing posts with label smartphones. Show all posts

Friday, February 8, 2019

Tuesday, May 22, 2018

Brave New World

[T]he New York Times reported earlier this month that a company called Securus Technologies was offering a service that allowed users to track people’s whereabouts in real time, using data obtained from the wireless companies through a pair of intermediaries. The Times reported that a Missouri sheriff had been using the service to keep tabs on 11 people, including fellow officers and a judge, without their knowledge and without a warrant. He’s now facing state and federal charges.

That’s just the beginning. Motherboard reported last week that Securus had been hacked, with the credentials of 2,800 authorized users stolen, most or all of them presumably working in law enforcement or at prisons. (Securus’ main business involves helping prisons crack down on inmates’ cellphone use.) It’s a safe bet that some of those users had access to the same location-tracking tools that the Missouri sheriff abused.

[...]

The big U.S. wireless carriers—AT&T, Verizon, Sprint, and T-Mobile—were all working with LocationSmart, sending their users’ location data to the firm so that it could triangulate their whereabouts more precisely using multiple providers’ cell towers. It seems no one can opt out of this form of tracking, because the carriers rely on it to provide their service.

It gets worse. A Carnegie Mellon researcher poking around on LocationSmart’s website found that he could use a free trial service to instantly pinpoint the location of, well, just about anyone with a mobile phone and wireless service from one of those major carriers. He did this without any permission or credentials, let alone a warrant.

[...]

LocationSmart subsequently shut down the service and told security blogger Brian Krebs that the vulnerability had not been exploited before Robert Xiao, the Carnegie Mellon researcher, did so.

  Slate

Riiiiiiiight.

[T]he wireless companies are still doing it, and as of Monday, Ars Technica has reported that not one had expressly pledged to stop working with LocationSmart.

Sen. Ron Wyden, the tech-savvy Oregon Democrat, has reacted furiously, sending a May 8 letter to the FCC demanding an investigation of Securus and letters to the wireless carriers calling on them to secure users’ location data.

[...]

The threats to Americans’ security are grave—a hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cell phone to know when they were alone. The dangers from LocationSmart and other companies are limitless. If the FCC refuses to act after this revelation then future crimes against Americans will be [on] the commissioners’ heads.

[...]

The FCC told Ars Technica on Friday afternoon that it’s taking preliminary steps to look into the matter. That’s all the action we’ve seen so far from the government.

The reaction from the mainstream media and the public has been as muted as the reaction to Cambridge Analytica was explosive. Even tech sites have devoted relatively little coverage to the story.

[...]

Privacy abuses and slip-ups by major tech companies have become so numerous, and the prospect of containing them seems so hopeless, that the public and much of the media have become nearly numb to them.

We're becoming numb to every kind of abuse we're experiencing. Half of it we don't even understand.  It's beyond obvious that if not for whistleblowers and the ACLU, we'd already be slaves to a fascist autocracy.  Almost there anyway.

...but hey, do what you want...you will anyway.

Monday, September 9, 2013

Drip, Drip, Drip

According to internal NSA documents from the Edward Snowden archive that SPIEGEL has been granted access to, the US intelligence service doesn't just bug embassies and access data from undersea cables to gain information. The NSA is also extremely interested in that new form of communication which has experienced such breathtaking success in recent years: smartphones.

[...]

For an agency like the NSA, the data storage units are a goldmine, combining in a single device almost all the information that would interest an intelligence agency: social contacts, details about the user's behavior and location, interests (through search terms, for example), photos and sometimes credit card numbers and passwords.

[...]

The material contains no indications of large-scale spying on smartphone users, and yet the documents leave no doubt that if the intelligence service defines a smartphone as a target, it will find a way to gain access to its information.

[...]

The results the intelligence agency documents on the basis of several examples are impressive. They include an image of the son of a former defense secretary with his arm around a young woman, a photo he took with his iPhone.

[...]

All the images were apparently taken with smartphones. A photo taken in January 2012 is especially risqué: It shows a former senior government official of a foreign country who, according to the NSA, is relaxing on his couch in front of a TV set and taking pictures of himself -- with his iPhone. To protect the person's privacy, SPIEGEL has chosen not to reveal his name or any other details.

[...]

Under the heading "iPhone capability," the NSA specialists list the kinds of data they can analyze in these cases. The document notes that there are small NSA programs, known as "scripts," that can perform surveillance on 38 different features of the iPhone 3 and 4 operating systems. They include the mapping feature, voicemail and photos, as well as the Google Earth, Facebook and Yahoo Messenger applications.

[...]

According to several documents, the NSA spent years trying to crack BlackBerry communications, which enjoy a high degree of protection, and maintains a special "BlackBerry Working Group" specifically for this purpose.

[...]

In March 2010, the problem was finally solved, according to the internal account. "Champagne!" the analysts remarked, patting themselves on the back.

[...]

If it now becomes apparent that the NSA is capable of spying on both Apple and BlackBerry devices in a targeted manner, it could have far-reaching consequences.

Those consequences extend to the German government. Not long ago, the government in Berlin awarded a major contract for secure mobile communications within federal agencies. The winner was BlackBerry.

  Der Spiegel

Und ve now haff effidence zat Assad did not gas his own people. You really vant to play ziss game?

...but hey, do what you want...you will anyway.

Sunday, December 4, 2011

SmartPhone Review


I really like my new Samsung Galaxy S2 Epic Touch.  So lightweight.  Nice, large screen.  Easy, fast operations.  LOVE the Swype keyboard.

Until now, I have not wanted to participate in text messaging, nor use a cell for internet access.  Particularly the latter.  I barely wanted to use my cell for a phone.   This is an exceptionally nice device.

Thanks to Jean and Clay.

If you're in the market for a smartphone, you should at least check this one out.

...but hey, do what you want...you will anyway.

Carrier IQ Update

Carrier IQ’s secret mobile phone tracking software is headed to court. Three separate class-action lawsuits have been filed against the company and some of its business partners as of Friday, including mobile giants Samsung and HTC.

  TPM

Totally expected.

Mobile phone intelligence company Carrier IQ’s self-named tracking software doesn’t record the contents of a user’s data and is being unfairly targeted by the media and hysterical users, according to several security researchers who have conducted further analysis on the software.

“It records the fact that a keystroke occurs, not the specific key the user entered,” Becky Bace, a former National Security Agency computer engineer and founder and CEO of security consulting firm Infidel, Inc., told TPM via email. “Any keystrokes monitored are limited to the user interactions with the numeric keypad, not the alphanumeric keyboard, and are filtered on input for specific sequences that trigger specific diagnostic actions.”

  TPM

Sounds kinda fishy to me.

“The Carrier IQ app simply doesn’t meet the requirements in terms of functionality or intent to be classified as a ‘keylogger,’” Jon Oberheide, a co-founder of Ann Arbor, Mich.-based Duo Security, said in an e-mail to CRN News.

“The application does not record and transmit keystroke data back to carriers,” Dan Rosenberg, a security consultant at Virtual Security Research, told CNET on Friday. “They’re not recording keystroke information, they’re using keystroke events as part of the application.”

Am I supposed to understand that?

“After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data,” Rosenberg wrote in a post on Pastebin on Wednesday.

Or that?

That said, Rosenberg also added that “the fact that there are hooks in these events suggests that future versions may abuse this type of functionality, and CIQ should be held accountable and be under close scrutiny so that this type of privacy invasion does not occur.”

Now that, I understand.

...but hey, do what you want...you will anyway.

Thursday, December 1, 2011

Even Faster Than I Expected

The Carrier IQ scandal has drawn the ire of at least one lawmaker. U.S. Senator Al Franken (D-MN) published a letter to Carrier IQ on Thursday saying he’s “very concerned” about reports of the company’s software tracking a staggering amount of user information.

Franken also demands that the company and its CEO, tech veteran Larry Lenhart, provide answers to a list of 11 questions about just how Carrier IQ operates, what information it collects and to whom the information is transmitted. Franken wants answers within two weeks, by December 14.

  TPM

Al must be using an Android system cell.

...but hey, do what you want...you will anyway.

UPDATE

Wednesday, November 30, 2011

In the Land of the Free

I just bought an Android system smartphone.  Ooops.

An alarming new video published to YouTube this week by a 25-year-old security researcher seems to reveal a piece of hidden software included on virtually all new Android smartphones that records every last keystroke users make, sending the data back to its creator in secret later on.

Called “Carrier IQ,” the software is supposedly meant to help mobile carriers monitor and diagnose problems with their devices. The company that makes the software insists it does not log keystrokes, but 25-year-old Trevor Eckhart seems to have proved that claim quite wrong.

Not only did he demonstrate the software capturing his keystrokes from a text message, it was being recorded even before the message he typed was displayed.

“It should be noticed that, if we scroll down a little further [in the logs], here’s where the message is actually being displayed in the end user’s inbox,” he explained. “So, all of the IQ agent processes is happening before the end user even sees the [text].”

Eckhart also demonstrated how the software can read Internet searches over secure connections, meaning that not even encrypted communications are completely private on Android phones.

“We can see that Carrier IQ is querying these strings over my wireless network [using] no 3G connectivity, and it is reading [a secure communication],” Eckhart explained.

He also showed how, even after opting out of using location identification services, Carrier IQ still sends phone location data to its creators. Additionally, Eckhart illustrates how the software keeps itself hidden, is impossible to remove through stock toolsets, and gives the user no choice in whether it may run in the background.

[...]

“Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart,” the company later said. “We sincerely appreciate and respect EFF’s work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.”

All of the above was enough for Wired magazine to call Carrier IQ one of the top reasons to “wear tinfoil hats” this holiday season.

  Raw Story

I guess I won’t be contacting Venezuela on my cell.

Android, however, is not the only smartphone operating system with security concerns. Earlier this year, researchers Alasdair Allan and Pete Warden discovered that Apple’s iPads and iPhones contain a database with thousands of location points that gets downloaded every time the device syncs with a PC or Mac.

[...]

It includes latitude, longitude, a time stamp, and the IP address for the wireless network the phone was currently accessing.

And as we all know, criminals use burn phones, so what’s the point? Uh-huh. Brave New World.

...but hey, do what you want...you will anyway.

UPDATE:  Al Franken to the rescue