Read it and weep:

http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/

nb

-- 
vi ....the heart of evil!

On 2011-11-30, notbob <notbob@nothome.com> wrote:
> Read it and weep:
> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/

Speak for yourself. We don't all carry so-called "smart phones."

-- 
-----------------------------------------------------------------------------
  Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

  "Climate policy has almost nothing to do anymore with environmental
   protection... the next world climate summit in Cancun is actually
   an economy summit during which the distribution of the world's
   resources will be negotiated." -- Ottmar Edenhofer, IPCC
-----------------------------------------------------------------------------

Roger Blake wrote:
> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>> Read it and weep:
>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
> 
> Speak for yourself. We don't all carry so-called "smart phones."
> 
what's a smart phone? mines a scruffy phone.

I made a call on it Monday from a public toilet. Will I be arrested for 
cottaging?

It's been switched off ever since and I left it at home when I walked 
the dogs..can they still track me if its at homes and switched off? I 
only ask because the dog made a mess in someone field and they might 
want me to go an clear it up.

On 2011-11-30, Roger Blake <rogblake@iname.invalid> wrote:
> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>> Read it and weep:
>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>
> Speak for yourself. We don't all carry so-called "smart phones."

No, but some of us do.  This might be a good reason to not use passwords
to log in to remote services (like ssh).  But if it is a true keystroke
logger, we're basically screwed!  If we disallow root logins on our sshd
servers, we can use a key to log in as a user, but then need to input
the root password, which would be sniffed and sent back.

I haven't watched the entire video yet, so I don't know if it really
logs all keystrokes, but if it does that's incredibly bad for any
Android user who hasn't rooted and ripped out Carrier IQ.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

The Natural Philosopher wrote:

> Roger Blake wrote:
>> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>>> Read it and weep:
>>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>> 
>> Speak for yourself. We don't all carry so-called "smart phones."
>> 
> what's a smart phone? mines a scruffy phone.
> 
> I made a call on it Monday from a public toilet. Will I be arrested for
> cottaging?
> 
> It's been switched off ever since and I left it at home when I walked
> the dogs..can they still track me if its at homes and switched off? I
> only ask because the dog made a mess in someone field and they might
> want me to go an clear it up.

You'll want to pull the battery out to remove all possibilities of being 
tracked (note that you left it at home)

-- 
Tim Watts

On 2011-11-30, Keith Keller wrote:
> On 2011-11-30, Roger Blake <rogblake@iname.invalid> wrote:
>> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>>> Read it and weep:
>>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>>
>> Speak for yourself. We don't all carry so-called "smart phones."
>
> No, but some of us do.  This might be a good reason to not use passwords
> to log in to remote services (like ssh).  But if it is a true keystroke
> logger, we're basically screwed!  If we disallow root logins on our sshd
> servers, we can use a key to log in as a user, but then need to input
> the root password, which would be sniffed and sent back.

  There's no need to type the root password: use sudo.

-- 
   Chris F.A. Johnson, <http://cfajohnson.com>
   Author:
   Pro Bash Programming: Scripting the GNU/Linux Shell (2009, Apress)
   Shell Scripting Recipes: A Problem-Solution Approach (2005, Apress)

On 2011-11-30, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:

> I haven't watched the entire video yet, so I don't know if it really
> logs all keystrokes, but if it does that's incredibly bad for any
> Android user who hasn't rooted and ripped out Carrier IQ.

It does.  

nb

On 2011-11-30, Chris F.A. Johnson <cfajohnson@gmail.com> wrote:
> On 2011-11-30, Keith Keller wrote:
>>
>> No, but some of us do.  This might be a good reason to not use passwords
>> to log in to remote services (like ssh).  But if it is a true keystroke
>> logger, we're basically screwed!  If we disallow root logins on our sshd
>> servers, we can use a key to log in as a user, but then need to input
>> the root password, which would be sniffed and sent back.
>
>   There's no need to type the root password: use sudo.

Okay, but then you either need to type in your own password, which
anyone reading the logs should be able to figure out will give them
root-equivalent access, or you need to configure sudo to allow
passwordless access, which could be a local security concern, and tells
the person reading the logs that your account has that privilege and is
therefore a suitable target.

Am I just being unjustifiably paranoid?  Is there a way to do sudo
without giving away the store to a keystroke logger?  Obviously, having
a keystroke logger on your box is bad news anyway, since it's much more
local access than (say) a packet sniffer, so it would make sense that
there would not be an easy way to get around it.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

On 2011-11-30, Tim Watts <tw+usenet@dionic.net> wrote:
> You'll want to pull the battery out to remove all possibilities of being 
> tracked (note that you left it at home)

Mine's old and scruffy, though I still consider it futuristic since
it's from the year 2000. No GPS chip.

-- 
-----------------------------------------------------------------------------
  Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

  "Climate policy has almost nothing to do anymore with environmental
   protection... the next world climate summit in Cancun is actually
   an economy summit during which the distribution of the world's
   resources will be negotiated." -- Ottmar Edenhofer, IPCC
-----------------------------------------------------------------------------

On 2011-11-30, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
> On 2011-11-30, Chris F.A. Johnson <cfajohnson@gmail.com> wrote:
>> On 2011-11-30, Keith Keller wrote:
>>>
>>> No, but some of us do.  This might be a good reason to not use passwords
>>> to log in to remote services (like ssh).  But if it is a true keystroke
>>> logger, we're basically screwed!  If we disallow root logins on our sshd
>>> servers, we can use a key to log in as a user, but then need to input
>>> the root password, which would be sniffed and sent back.
>>
>>   There's no need to type the root password: use sudo.
>
> Okay, but then you either need to type in your own password, which
> anyone reading the logs should be able to figure out will give them
> root-equivalent access, or you need to configure sudo to allow
> passwordless access, which could be a local security concern, and tells
> the person reading the logs that your account has that privilege and is
> therefore a suitable target.
>
> Am I just being unjustifiably paranoid?  Is there a way to do sudo
> without giving away the store to a keystroke logger?  Obviously, having
> a keystroke logger on your box is bad news anyway, since it's much more
> local access than (say) a packet sniffer, so it would make sense that
> there would not be an easy way to get around it.
>
> --keith
>
Probably the best way to guard against a key logger is to use one-time
passwords.  


-- 
We've had 30 years of center-right to extreme-right governance and the
country has gotten steadily worse.  The triumph of politics is that at
least half the country blames the Democrats for this.

On Wednesday, November 30th, 2011 at 22:39:28h +0000, Roger Blake explained:

> Mine's old and scruffy, though I still consider it futuristic since it's
> from the year 2000. No GPS chip.

2000 is last millenium.

2001 is futuristic  ;)

Roger Blake wrote:

> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>> Read it and weep:
>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
> 
> Speak for yourself. We don't all carry so-called "smart phones."

How are you sure your so called dumb phone isn't also logging your every 
action?


Rui Maciel

Roger Blake wrote:

> On 2011-11-30, Tim Watts <tw+usenet@dionic.net> wrote:
>> You'll want to pull the battery out to remove all possibilities of being
>> tracked (note that you left it at home)
> 
> Mine's old and scruffy, though I still consider it futuristic since
> it's from the year 2000. No GPS chip.

A phone doesn't need to have GPS chips to be trackable.

http://en.wikipedia.org/wiki/Mobile_phone_tracking


Rui Maciel

On 2011-12-02, Rui Maciel <rui.maciel@gmail.com> wrote:
>
> How are you sure your so called dumb phone isn't also logging your every 
> action?

You can't, but the posted URL was specifically about Android and an
application actually found to be doing logging (though it's still not
clear if it's sending data out).

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

From: "Rui Maciel" <rui.maciel@gmail.com>

> Roger Blake wrote:
>
>> On 2011-11-30, Tim Watts <tw+usenet@dionic.net> wrote:
>>> You'll want to pull the battery out to remove all possibilities of being
>>> tracked (note that you left it at home)
>>
>> Mine's old and scruffy, though I still consider it futuristic since
>> it's from the year 2000. No GPS chip.
>
> A phone doesn't need to have GPS chips to be trackable.
>
> http://en.wikipedia.org/wiki/Mobile_phone_tracking
>
>
> Rui Maciel

Cell tower triangulation.


-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp 

On 2011-12-02, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:

> application actually found to be doing logging (though it's still not
> clear if it's sending data out).

Not clear to who?  

The video specifically shows his HTC smart phone disconnected from its
primary service provider and being packet sniffed on a wifi
connection.  Whether or not you believe what he's showing you and/or
whether or not anyone is actually paying attention to individual
keystrokes and unencrypted data being transmitted is an entirely
different issue.  The fact remains, it appears keystrokes are being
transmitted, as are clear text messages prior to their being sent
encrypted via SSL.  What's the point of SSL if another application is
sending the same data, unencrypted?

Perhaps CIQ is, in fact, all nice guys and will never do anything bad
with your data.  Howzabout if some criminal types hack this software
and tap into your transmissions while yer logging into your bank acct
or sending a credit card number for an online purchase?  

nb

On 2011-12-02, notbob <notbob@nothome.com> wrote:
> On 2011-12-02, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:
>
>> application actually found to be doing logging (though it's still not
>> clear if it's sending data out).
>
> Not clear to who?  
>
> The video specifically shows his HTC smart phone disconnected from its
> primary service provider and being packet sniffed on a wifi
> connection.

My apologies--I have not yet watched the full video, so was repeating
what I'd read, which was that he'd hooked up the app to a debugger.

Verizon claims not to use CarrierIQ:

http://money.cnn.com/news/newsfeeds/gigaom/articles/2011_12_01_verizon_no_carrieriq_no_way.html

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

On 2011-12-02, Rui Maciel <rui.maciel@gmail.com> wrote:
> How are you sure your so called dumb phone isn't also logging your every 
> action?

Given the level of technology and features available in 1st-generation
digital phones it is pretty unlikely.

-- 
-----------------------------------------------------------------------------
  Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

  "Climate policy has almost nothing to do anymore with environmental
   protection... the next world climate summit in Cancun is actually
   an economy summit during which the distribution of the world's
   resources will be negotiated." -- Ottmar Edenhofer, IPCC
-----------------------------------------------------------------------------

On 2011-12-02, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
> Cell tower triangulation.

Not as precise as GPS, and only works when the phone is actually turned on.
Older phones lack the features that would be necessary for the type of
tracking and logging that is being referred to.

-- 
-----------------------------------------------------------------------------
  Roger Blake (Change "invalid" to "com" for email. Google Groups killfiled.)

  "Climate policy has almost nothing to do anymore with environmental
   protection... the next world climate summit in Cancun is actually
   an economy summit during which the distribution of the world's
   resources will be negotiated." -- Ottmar Edenhofer, IPCC
-----------------------------------------------------------------------------

From: "Roger Blake" <rogblake@iname.invalid>

> On 2011-12-02, David H. Lipman <DLipman~nospam~@Verizon.Net> wrote:
>> Cell tower triangulation.
>
> Not as precise as GPS, and only works when the phone is actually turned on.
> Older phones lack the features that would be necessary for the type of
> tracking and logging that is being referred to.
>
Non-Smart Phones as mentioned in the Wired article, No - not applicable.

All cell phones through Cell Tower Triangulation, yes.  But as you noted there are 
caveats.



-- 
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp 

On 11/30/2011 10:22 AM, notbob wrote:
> Read it and weep:
>
> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>
> nb
>
When I was growing up, back in the Dark Ages, our landline phone (the 
only kind there was back then) was on a party line, because that was all 
we could afford. For those who are unfamiliar with the concept, that's 
when several "parties" share a single phone line, and any of the parties 
could listen in on the other's conversation just by picking up the phone.

One of the first things we learned as kids was to never, never, never do 
anything with the phone that you didn't want the world to know about. It 
was easy in turn to apply the same caution to the Internet, and now to a 
cell phone.

So let them log away. I don't do anything with my cell phone I don't 
want the world to know about.

TJ

On 2011-12-03, TJ <TJ@noneofyour.business> wrote:

> When I was growing up, back in the Dark Ages, our landline phone (the 
> only kind there was back then) was on a party line

BTDT.

> One of the first things we learned as kids was to never, never, never do 
> anything with the phone that you didn't want the world to know about. 

Granted, that's best security practices.  While I agree, to a point,
it's not always practical in this day and age.  I live in a pretty
remote area of the CO Rockies.  Closest metro area is 100 miles away.
I do some ordering and banking, online, both because it's cost
effective and sometimes it's my only option.  Keeping best security in
mind, I do this on a very secure linux desktop box in which I've set
up strict security practices and I'm pretty damn sure no one is
listening in.  No way would I do this on even a Windows box, let alone
a cellphone.  I'm not even real wild about cordless phones on land
lines and will occasionally drag out an old fashioned Bell System
manual phone if I see fit.

> So let them log away. I don't do anything with my cell phone I don't 
> want the world to know about.

Again, good idea.  OTOH, why should these corporations be given a pass
to do something illegal?  If I did it, I'd be thrown in jail for
hacking.  If they are, in fact, doing this, they should be prosecuted,
or at the very least, forced to stop.

Actually, the very real danger is not the carriers or cellphone
companies, it's hackers!  I don't give a crap if Sprint knows I
visited macys.com.  If this data IS being transmitted, hackers can
access it.  If SSL encryption is being passed, unencrypted, or hackers
hack in and get ahold of the CIQ client apps, users are at very real
risk of $$$ loss and identity theft.  Again, not only bad mojo, but
highly illegal.

nb

On 2011-12-02, notbob <notbob@nothome.com> wrote:
>
> The video specifically shows his HTC smart phone disconnected from its
> primary service provider and being packet sniffed on a wifi
> connection.

Okay, so I take back my apology: the video does *not* clearly show what
you think it's showing.  Eckhart is browsing over a wifi connection, but
he is detecting CarrierIQ activity using the USB debugger from the phone
to his desktop.  As far as I could tell he didn't actually do any wifi
packet sniffing.  (This was starting at about 8:40 in his video, which
is the point where he actually turns on USB debugging on his phone.)  So
it is possible that the phone's CarrierIQ app is collecting the
information but not actually doing anything with it.  Of course it's
also possible that CarrierIQ is sending its data only when it has a
cellular data connection, which would be extremely difficult to detect.

--keith


-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

On 2011-12-03, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:

> Okay, so I take back my apology: the video does *not* clearly show what
> you think it's showing.  Eckhart is browsing over a wifi connection, but
> he is detecting CarrierIQ activity using the USB debugger from the phone
> to his desktop.  As far as I could tell he didn't actually do any wifi
> packet sniffing.  (This was starting at about 8:40 in his video, which
> is the point where he actually turns on USB debugging on his phone.)  So
> it is possible that the phone's CarrierIQ app is collecting the
> information but not actually doing anything with it.  Of course it's
> also possible that CarrierIQ is sending its data only when it has a
> cellular data connection, which would be extremely difficult to detect.

Yeah.  This tempest in the toilet bowl is starting to stink.  I
thought he said (someone did) he was linked via wifi.  OTOH, I'm not
seeing any viable disputes to his claims.  Some guy tossed in the ring
by CNET!?  There's a real pillar of integrity.

What really scares me, is, this will blow over and the drone masses
will carry on as usual, like Windows and Facebook and Google are not
already harvesting tons of data on every 2 legged paying consumer on
the planet.

nb

On 2011-12-03, notbob <notbob@nothome.com> wrote:
>
> Yeah.  This tempest in the toilet bowl is starting to stink.  I
> thought he said (someone did) he was linked via wifi.

He said in the video that his browser link was over wifi but that his
debugger connection was over USB.  It was the debugger that found
CarrierIQ.

--keith

-- 
kkeller-usenet@wombat.san-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://www.therockgarden.ca/aolsfaq.txt
see X- headers for PGP signature information

On 2011-12-04, Keith Keller <kkeller-usenet@wombat.san-francisco.ca.us> wrote:

> He said in the video that his browser link was over wifi but that his
> debugger connection was over USB.  It was the debugger that found
> CarrierIQ.

Regardless, it's there.  As Andrew Coward, VP of marketing, Carrier
IQ, states: 

"a developer could go and read that record and figure out
what went wrong. That's very different from the application actually
recording that information and sending it off to the carrier?"

Say what!?  How the Hell does a developer "read that record" if the
application is not actually recording it??  Not only is it shades of
1984, but it comes complete with doublethink and Newspeak.  

This whole thing is rapidly approaching the theater of the absurd.
CIQ is now claiming it's not their fault, but the carriers that
installed the software, as if the carriers somehow modified CIQ's
software to do something illegal and CIQ is the innocent.  

I can't wait for the next installment.  ;)

nb  

bruce.sinclair writes:
> you can carry a phone ? ... but ... why would you want to ? :)

I used to see telephone linemen with phones hanging from their tool
belts...
-- 
John Hasler 
jhasler@newsguy.com
Dancing Horse Hill
Elmwood, WI USA

In article <jb9boa$imq$2@speranza.aioe.org>, rui.maciel@gmail.com wrote:
>Roger Blake wrote:
>> On 2011-11-30, notbob <notbob@nothome.com> wrote:
>>> Read it and weep:
>>> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>> 
>> Speak for yourself. We don't all carry so-called "smart phones."
>
>How are you sure your so called dumb phone isn't also logging your every 
>action?

... you can carry a phone ? ... but ... why would you want to ? :)

In article <87iplvx6n0.fsf@thumper.dhh.gt.org>, John Hasler <jhasler@newsguy.com> wrote:
>bruce.sinclair writes:
>> you can carry a phone ? ... but ... why would you want to ? :)
>
>I used to see telephone linemen with phones hanging from their tool
>belts...

... with a big dial on one end ? Sounds familiar. :)

On Monday, December 5th, 2011, at 00:20:00h +0000, Bruce Sinclair asked:

> .. you can carry a phone ? ... but ... why would you want to ? :)

So that the authorities can keep track of where you are and
your travel patterns.

Leave town without a travel permit and you will be in trouble.

On Nov 30, 9:22=A0am, notbob <not...@nothome.com> wrote:
> Read it and weep:
>
> http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
>
> nb
>
> --
> vi ....the heart of evil!

Read it and weep? I think that's a pretty strange response for most of
the merry gentlemen in comp.os.linux.misc. What do we have to hide,
other than the fact that some of us might be closet Unity fans? That
might be a little more appropriate for alt.2600, but I personally
don't care how much "the Man" knows about me.