f13.net

f13.net General Forums => Serious Business => Topic started by: Sand on November 30, 2011, 09:34:59 AM



Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 09:34:59 AM
Uhm, what the fuck!?!?!  :ye_gods:


Quote
In a 17-minute video posted Monday on YouTube, Trevor Eckhart shows how the software – known as Carrier IQ – logs every text message, Google search and phone number typed on a wide variety of smart phones - including HTC, Blackberry, Nokia and others - and reports them to the mobile phone carrier.

The software always runs when Android operating system is running and users are unable to stop it, Eckhart said in the video.

Any comment Quinton?

And I would love some of our more technically proficient posters telling me how to delete this.
I've never considered myself technically proficient enough to root a phone, but would doing that get rid of this? Or is the program bundled with the Android OS, so running Android means running it?


Youtube video:
http://youtu.be/T17XQI_AYNo


Title: (Some) Android is Watching you! (maybe)
Post by: caladein on November 30, 2011, 09:39:31 AM
It just got changed a week or two ago.  It's terrible.

Might want to try setting it to Cozy/Compact.  I think it's great though.  Also a fan of the new Reader interface though so it's probably just me.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 09:45:03 AM
Uhm, what the fuck!?!?!  :ye_gods:

I skipped around the video so maybe I missed it, but I don't see anywhere where he shows the data is being logged or sent anywhere.  It looks like when devices are in Debug mode it sends debug information out to the standard console, which in this case is through USB with a computer set to receive it.  Not sure what the big deal about that is, it's a standard device debugging system (again, unless I am missing something)


Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 09:56:01 AM
Uhm, what the fuck!?!?!  :ye_gods:

I skipped around the video so maybe I missed it, but I don't see anywhere where he shows the data is being logged or sent anywhere.  It looks like when devices are in Debug mode it sends debug information out to the standard console, which in this case is through USB with a computer set to receive it.  Not sure what the big deal about that is, it's a standard device debugging system (again, unless I am missing something)

Start watching at 8:35.
The video producer is the one who turned on the debugger, purposely, in order to show what the CIQ was doing on the screen to show the audience.
CIQ does not equal debugger.

He demonstrates that CIQ is reading your text msgs, before the phone even tells you that you have a new message.
He even demonstrates that CIQ is logging HTTPS information which is supposed to be encrypted, and sending that out via text msgs to somewhere.



Edit-

I don't seem to have this program on my Samsung. But I am curious why a program I did find on my phone called "Network Location", which one assumes uses nearby wifi networks in order to pinpoint a phone user's location for maps or social networking apps, would need permission to:
Add or modify calendar events and send email to guests
Read calendar events
read contact data
write contact data
directly call phone numbers
read instant messages
write instant messages



Title: (Some) Android is Watching you! (maybe)
Post by: MuffinMan on November 30, 2011, 10:02:29 AM
It just got changed a week or two ago.  It's terrible.
I do remember updating the app but didn't see any visible changes.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 10:31:49 AM
Start watching at 8:35.
The video producer is the one who turned on the debugger, purposely, in order to show what the CIQ was doing on the screen to show the audience.
CIQ does not equal debugger.

He demonstrates that CIQ is reading your text msgs, before the phone even tells you that you have a new message.
He even demonstrates that CIQ is logging HTTPS information which is supposed to be encrypted, and sending that out via text msgs to somewhere.

I saw all that.  I'm not sure what your point is though.  I don't even understand how he is most likely sending debugging output to standard output, to help debug issues with it.  Nothing in that video shows it logging anything nor does it show sending any of that information over the network.  To me it looks like it's just sending debug information to standard output, and putting Android in debug mode is causing the standard output to be sent to a console hooked up via USB.

Unless I am missing something....


Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 10:48:21 AM
I don't even understand

Agreed.

Read this story: http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
Or this: http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/
Or this: http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha-apology/


But the video's producer quite clearly showed that the software was key logging everything you do and sending it off to Carrier IQ's servers.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 11:05:01 AM
Agreed.

Read this story: http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/
Or this: http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/
Or this: http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha-apology/


But the video's producer quite clearly showed that the software was key logging everything you do and sending it off to Carrier IQ's servers.


You really have no idea what you are looking at do you?  Again, none of those articles show any proof that any information is getting permanently logged or sent abroad. 

It helps to research what you are talking about.  What he is using is a program called logcat (http://developer.android.com/guide/developing/tools/logcat.html), which allows you to read debug system messages (http://developer.android.com/guide/developing/debugging/debugging-log.html) for your phone onto your PC.  This is used for debugging purposes, so the developers of CarrierIQ (which admit to counting the number of text messages you read or write, but claim to not look at the contents) know that their code to know when a button is pushed or a text message is received, that CarrierIQ is aware of it. 

So for example, when any event occurs (button press, SMS received or sent, etc.) CarrierIQ outputs the event to a debug message, so developers know that their system can catch these events for statistics gathering.  Just because they received your SMS message does not inherently mean they actually look inside of it (they may, but nothing in that video shows that they do).

The HTTPS aspect could easily just be CarrierIQ receiving browser requests from the system itself (either from the browser or Android, depending on how the requests and HTTPS is handled) and outputting the event as an Android debug message prior to the URL being encoded via SSL when sending or after Android unencrypts the URL when receiving data.   Furthermore, not one bit of evidence in that video or articles shows any traffic going over the network. 

All those videos show it to be doing is CarrierIQ gets notified by events in the Android system and it sends event data to the Android debugging system.  It shows no evidence on how it is using the data it is receiving.  It could be malicious, but no one really knows.



Title: (Some) Android is Watching you! (maybe)
Post by: Trippy on November 30, 2011, 11:16:57 AM
Quote
From there, the data — including the content of  text messages — is sent to Carrier IQ’s servers, in secret.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 11:19:23 AM
Quote
From there, the data — including the content of  text messages — is sent to Carrier IQ’s servers, in secret.

I don't see any evidence of that in the articles or the videos, other than the one line in the Wired article, which could just as easily be an assumption from a journalist. 


Title: (Some) Android is Watching you! (maybe)
Post by: TripleDES on November 30, 2011, 11:20:29 AM
That's what you get for buying subsidized phones.


Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 11:21:44 AM
Again, none of those articles show any proof that any information is getting permanently logged or sent abroad.  

Strange because both I and the writers at Wired seem to be able to see the same thing. Quote from their article:

Quote
The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.

Quote
The video shows the software logging Eckhart’s online search of “hello world.” That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google.

Quote
From there, the data — including the content of  text messages — is sent to Carrier IQ’s servers, in secret.



It shows no evidence on how it is using the data it is receiving.  It could be malicious, but no one really knows.
:facepalm:
You're right. We should just trust that they aren't doing anything with it we don't want them to.


Title: (Some) Android is Watching you! (maybe)
Post by: Engels on November 30, 2011, 11:23:48 AM
Quote
From there, the data — including the content of  text messages — is sent to Carrier IQ’s servers, in secret.

I don't see any evidence of that in the articles or the videos, other than the one line in the Wired article, which could just as easily be an assumption from a journalist. 

Right, but you're sounding like Sand pulled this out of his posterior, when he didn't. Some clarification would be great, and it would be cool if Quinton could speak to the matter.

Also, with the track record of US phone companies handing over data to DHS without so much as a by your leave due to the Patriot Act, etc, I don't think suspicion is unwarranted. It may be usage statistics analysis, or it may be marketing, or it may be big brother, but you have to admit that we live in a world where all bets are off in this department.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 11:30:38 AM
You're right. We should just trust that they aren't doing anything with it we don't want them to.

I don't really care who you trust or don't trust. I'd be suspicious too if I had an Android phone but I wouldn't be going all batshit crazy without actual evidence showing it.  I'm just pointing out that there is a lot of FUD in this article with no actual evidence to back it up, and while they do have some shady practices (not allowing you to uninstall it), there's no evidence showing that they do what the article/video claims they do.  

Logging means different things to different people.  The company is talking that their statistics don't write keystrokes, SMS details, etc. into their statistics logs, which is fundamentally different than what the video is talking about, which is the application passing any information it receives from Android and passing it to the Android debug log buffer, which (as far as I can tell) is not a permanent logging destination by default.

Quote
Right, but you're sounding like Sand pulled this out of his posterior, when he didn't. Some clarification would be great, and it would be cool if Quinton could speak to the matter.

I could get a blog post published somewhere that showed PC anti-virus programs doing the same type of logging and blow it out of proportion too.  Clarification would be great, I just think the attitude of taking a random video/blog post on the internet and start going crazy about it without critiquing the evidence the original claim was made on is dumb.


Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 11:37:41 AM
I just think the attitude of taking a random video/blog post on the internet and start going crazy about it without critiquing the evidence the original claim was made on is dumb.

It's the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.


Title: (Some) Android is Watching you! (maybe)
Post by: MuffinMan on November 30, 2011, 11:43:24 AM
If it's in the news it must be true then. The media would never overreact about something.


Title: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 11:44:05 AM
It's the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.

Cause false news and FUD never spreads to legitimate news sources  :why_so_serious:


Title: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 11:50:41 AM
It's the lead headline story on Huffington Post right now, not a "random blog post". Obviously some people have been able to see in the video what the creator claims to have seen as well, you seem to be the sole exception.

Cause false news and FUD never spreads to legitimate news sources  :why_so_serious:

I have two legit news sources (Huffington and Wired) saying the video's producer has caught Carrier IQ logging and getting your info/data, versus you (random internet guy) saying he doesn't see it.
I will go with them over you.

Edit:
And Extreme Tech http://www.extremetech.com/mobile/107337-carrier-iq-is-the-best-reason-yet-to-switch-to-iphone
And Geek.com http://www.geek.com/articles/mobile/how-much-of-your-phone-is-yours-20111115/


Oh and the security researcher is the guy who found the first vulnerability on the HTC and forced the company to fix its bugs.
Quote
Security researcher Trevor Eckhart has had something of a recent history making people aware of mobile phone vulnerabilities. Eckhart’s recent discovery of the HTC vulnerability that allowed for a potentially malicious app to hop on your mobile data connection and grab network information, possibly even ruin your 4G connection, gave the company cause to stop and fix some of their bugs. Now, Trevor points his talents at a more significant threat to personal information.

From the Geek.com article:

Quote
The available information tells us that CarrierIQ is capable of recording:

    Key in HTCDialer Pressed or Hardware Keys: Intent – com.htc.android.iqagent.action.ui01
    App Opened : Intent – com.htc.android.iqagent.action.ui15
    Sms Received : Intent – com.htc.android.iqagent.action.smsnotify
    Screen Off/On : Intent – com.htc.android.iqagent.action.ui02
    Call Received : Intent – com.htc.android.iqagent.action.ui15
    Media Statistics : Intent – com.htc.android.iqagent.action.mp03
    Location Statistics : Intent – com.htc.android.iqagent.action.lc30
These are the intents that we are currently aware of. In fact, CarrierIQ owns a patent that gives them the ability to query just about anything. The patent specifically notes “any user entering data into a browser” as one of the possible functions. If you have a phone with a physical keyboard, the Hardware Keys intent seems to suggest that everything you type could in fact be logged and sent away for analysis.
Quote
Once the information is connected on your phone, it is shipped away via HTTPS to the CarrierIQ web portal.
Quote
The obvious question that gets asked next is “Who sees this information?” Employees of the companies that pay for Carrier IQ, sure, but how much further does that go? Cooperation with law enforcement? When the information is packaged up and sold to the highest bidder, how much of this information do they see? There is no accountability for this data anywhere. It is recorded, transmitted, and it exists with CarrierIQ. The information shown in these images are for Sprint’s portal, so each of the carriers have their own web portal with their own logins, but we as consumers have no idea who has access to this information.


As to the final question, what are they doing with the info? Ignoring your civil rights. Here is a story of a carrier cooperating with law enforcement, who didn't have warrants as required by law, over 8 million times.
(And another carrier has already admitted to selling the information they get from you as a user to other third party companies.)
http://arstechnica.com/telecom/news/2009/12/sprint-fed-customer-gps-data-to-leos-over-8-million-times.ars
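
Added example, not part of the original thread or of any poster's message: a small Python scanner that reads an `adb logcat` capture in the "brief" format and reports which of the iqagent intent actions from the Geek.com list above appear in it. The log lines, the `ExampleAgent` tag and the message layout are constructed for illustration; only the intent action names come from the page.

```python
import re
from collections import Counter

# Intent actions exactly as listed in the Geek.com quote. The page lists ui15
# twice (App Opened and Call Received), so one action can carry two labels.
IQAGENT_ACTIONS = {
    "com.htc.android.iqagent.action.ui01": ["Key in HTCDialer Pressed or Hardware Keys"],
    "com.htc.android.iqagent.action.ui15": ["App Opened", "Call Received"],
    "com.htc.android.iqagent.action.smsnotify": ["Sms Received"],
    "com.htc.android.iqagent.action.ui02": ["Screen Off/On"],
    "com.htc.android.iqagent.action.mp03": ["Media Statistics"],
    "com.htc.android.iqagent.action.lc30": ["Location Statistics"],
}

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
BRIEF_LINE = re.compile(r"^([VDIWEF])/(.*?)\(\s*(\d+)\): (.*)$")
ACTION = re.compile(r"com\.htc\.android\.iqagent\.action\.\w+")

# Constructed sample capture (hypothetical tag and message layout).
SAMPLE_LOGCAT = """\
--------- beginning of /dev/log/main
D/ExampleAgent( 1234): broadcast action=com.htc.android.iqagent.action.ui01 extra=0x35
I/ActivityManager(  120): Starting activity: Intent { act=android.intent.action.MAIN }
D/ExampleAgent( 1234): broadcast action=com.htc.android.iqagent.action.smsnotify
D/ExampleAgent( 1234): broadcast action=com.htc.android.iqagent.action.ui15
V/ExampleAgent( 1234): broadcast action=com.htc.android.iqagent.action.ui99
this line is truncated garbage
"""


def parse_brief(line):
    """Parse one brief-format logcat line; return None for headers or junk."""
    m = BRIEF_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    priority, tag, pid, message = m.groups()
    return {"priority": priority, "tag": tag.strip(),
            "pid": int(pid), "message": message}


def scan(text):
    """Return one finding per iqagent action seen in the log buffer.

    A finding only shows that the event reached the debug log. It says
    nothing about persistent storage or network upload, which is the
    distinction argued over in the thread.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        rec = parse_brief(line)
        if rec is None:
            continue
        for action in ACTION.findall(rec["message"]):
            labels = IQAGENT_ACTIONS.get(action, [])
            findings.append({
                "line": lineno,
                "tag": rec["tag"],
                "pid": rec["pid"],
                "action": action,
                "labels": labels,          # empty when the action is not on the list
                "listed": action in IQAGENT_ACTIONS,
            })
    return findings


def summarize(findings):
    """Count findings per action name."""
    return Counter(f["action"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGCAT):
        what = " / ".join(f["labels"]) if f["listed"] else "unlisted iqagent action"
        print(f"line {f['line']}: pid {f['pid']} {f['action']} -> {what}")
```
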



Title: (Some) Android is Watching you! (maybe)
Post by: bhodi on November 30, 2011, 12:06:18 PM
Stop asking Quinton for his opinion. This is current affairs lawyer shit and even with a gigantic disclaimer of "My views do not necessarily represent the views of my employer" it's just not PC.



Title: Re: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on November 30, 2011, 01:01:23 PM
One last thing. 

Depending on how obfuscated it is, if you really cared about this you could just unassemble the package and look at the Java source yourself to see if it's doing anything malicious (something no one writing these articles or the original video author has done).  Some comments sprawled around that I have seen from people who have attempted this have not seen anything malicious or outside of the scope of what the company claims to keep metrics of.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 01:27:36 PM
have not seen anything malicious or outside of the scope of what the company claims to keep metrics of.

You haven't actually read ANY of the articles have you?

What CarrierIQ does is sell the basic software package to the end users (carriers and phone manufacturers); what they do with it or how they manipulate the code from there is all up to them. They decide what information to gather and keep and what to do with it, not CarrierIQ.
Decompiling code isn't going to tell you what a corporation is going to do with your private info once they have it.

Also why look at the code when you can see what it's doing in real time? The problem, which you can't seem to grasp, is that it's collecting info on you without your permission (or ability to opt out of) and you have no control over what the end company is doing with that info (including giving it to law enforcement or selling it).





Title: Re: (Some) Android is Watching you! (maybe)
Post by: naum on November 30, 2011, 02:07:48 PM
From a comment thread on Hacker News regarding this story (http://news.ycombinator.com/item?id=3295341), with lots of smart posters (not to say there are not smart posters here also :)):

Quote
There are a handful of comments here giving CarrierIQ the benefit of the doubt, because the video did not show CarrierIQ sending the logged data over the network.

If you're still inclined to give them the benefit of the doubt, just read the CarrierIQ website (http://www.carrieriq.com/overview/mobileservice/index.htm).

Their ENTIRE BUSINESS MODEL is based on collecting data about mobile phone users!! Here's a choice excerpt I found on their website after browsing their site for 30 seconds:
Carrier IQ's Mobile Service Intelligence Platform (MSIP)...receives raw data (known as Metrics) from phones and converts them into reliable, repeatable Measures which feed into analytic applications.

Or you can read this comment from a discussion last week where a CarrierIQ recruiter told an HN member that they collect 10s of gigabytes of data PER DAY. (http://news.ycombinator.com/item?id=3264264)

These guys are indeed collecting RAW DATA from actions on your phone. There are tremendous opportunities for abuse here, should CarrierIQ decide to do so. CarrierIQ is in blatant violation of privacy norms and could do enormous damage to national security of many countries, conduct corporate espionage, or simply violate the citizens' expectation of privacy when using their phone.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: naum on November 30, 2011, 02:16:17 PM
Some more reading… (https://docs.google.com/viewer?url=http://www.carrieriq.com/company/PR.LarryLenhartCEO.pdf&pli=1)

Quote
Carrier IQ, which in the second quarter of 2011 passed the petabyte milestone in processed analytics data, enables mobile operators and device manufacturers to gain valuable insights into the customer experience. The company has grown rapidly over its five-year history securing an industry leadership position with a global footprint of 150 million devices enabled to deliver mobile intelligence.

But, really, the logging/transmitting is not the real issue.

(1) An untrusted third party is able to record and report all keystrokes

(2) It was put there at the insistence of the carriers

(3) No easy way for users to turn off without voiding their warranty


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Engels on November 30, 2011, 02:23:39 PM
oh naum you're just another drama queen ain't ya


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 02:26:17 PM
From a comment thread on Hacker News regarding this story (http://news.ycombinator.com/item?id=3295341), with lots of smart posters (not to say there are not smart posters here also :)):

Thanks for that link. I think this quote nailed the problem:

Quote
Did you read any of the articles or watch the video?

The guy shows `adb logcat` running and showing CarrierIQ logging keystrokes with their ASCII codes.

(edit: I make no claims about the transmission of data. I merely took "collection" and assumed that if the app was recording (even if not persistently) keystrokes on my phone that it counted as collection. Further, the fact that it can is enough to piss me off, especially since it seems like makers of this type of software have piss-poor track records for their app security)

pasbesoin 4 hours ago | link

And, as been pointed out repeatedly in discussions about the "security" domain, when you add an ability, you inherently add a vector for that ability to be abused.

Even if "raw data" are not currently being uploaded, how thin is the line between this being turned off and it being turned on? And who is in control of that decision?

At an absolute minimum, the situation demands transparency.

As for me, I'm a step closer to being firmly in Stallman's camp.


Image of CarrierIQ's client UI. Note column "Upload Reason" to include the particularly disturbing SMS_PullRequest_CS.


(http://www.geek.com/wp-content/uploads/2011/11/ciqdevicelist.png)



Title: Re: (Some) Android is Watching you! (maybe)
Post by: Quinton on November 30, 2011, 02:42:40 PM
Stop asking Quinton for his opinion. This is current affairs lawyer shit and even with a gigantic disclaimer of "My views do not necessarily represent the views of my employer" it's just not PC.

Yeah, pretty much.  At best, when it's not likely to give legal or PR heart attacks, I can talk a bit about what we (Google/Android) do and sometimes a bit about why.  Discussing the actions of third parties, legal matters, etc, etc, is a whole 'nother minefield.  Having been deposed a couple times related to various crazy legal actions, I'm not at all interested in repeating the process. ^^

That said, Google does not include or ship CarrierIQ on any lead Android devices (Nexus series phones, original Droid, original Xoom, G1, etc).

In general:

I do strongly encourage folks to bring concerns to the attention of carriers and OEMs who appear to be playing fast and loose with security and privacy.  Customer feedback trends (and/or outrage) is something that these entities pay attention to. 

Often, there is more incompetence than malice afoot.  There have been a couple cases of OEMs leaving debugging code active which drops data like keystroke information into the logs -- very common while debugging keyboard or touchpanel bringup -- and they usually get resolved pretty quickly.

Security researchers and tech bloggers do important work, but also thrive on attention -- it pays to check the details as sometimes things are misunderstood or sensationalized a bit.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Tale on November 30, 2011, 03:48:41 PM
Quote
logs every text message, Google search and phone number

You've already given all your contacts to Google. You've already given everything in your gmail to Google. They can do whatever the fuck they want with it, as long as no-one finds out.

That's Facebook and Apple's situation too. Everybody likes to think there are privacy safeguards, but you should assume all your shit is in their private backups of backups forever.

Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Lantyssa on November 30, 2011, 05:38:24 PM
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yeah, really.  While it can be a concern, the carriers shouldn't be your primary one.  If you positively do not want your data getting out in the wild, stop using electronics.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Merusk on November 30, 2011, 06:23:22 PM
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yeah, really.  While it can be a concern, the carriers shouldn't be your primary one.  If you positively do not want your data getting out in the wild, stop using electronics.

That's the route I went!  :grin:


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Sand on November 30, 2011, 06:43:17 PM
Quote
logs every text message, Google search and phone number

You've already given all your contacts to Google. You've already given everything in your gmail to Google. They can do whatever the fuck they want with it, as long as no-one finds out.

That's Facebook and Apple's situation too. Everybody likes to think there are privacy safeguards, but you should assume all your shit is in their private backups of backups forever.

Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.

Yes but they tell people what they are taking and you know this up front and have the option of opting out. No one was told about this and you don't have the option of not participating.


Seriously? You are okay with a company uploading a key logger on your phone and you're willing to take their word for it that they aren't going to do anything wrong with that info, nor will it ever get hacked and used against you? Because you know obvious security threats like this never ever get hacked or used by the wrong people (which include both hackers AND police without warrants).





Title: Re: (Some) Android is Watching you! (maybe)
Post by: MahrinSkel on November 30, 2011, 07:48:59 PM
I know how to secure my communications against anyone up to (but not including) the NSA.  I don't do it often, because it's a PITA.  That doesn't mean I want my life to be an open book lying around where anyone might pick it up.

--Dave


Title: Re: (Some) Android is Watching you! (maybe)
Post by: sinij on November 30, 2011, 08:51:44 PM
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
 If you positively do not want your data getting out in the wild, stop using electronics.

Welcome to the dark side.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: sinij on November 30, 2011, 08:56:02 PM
I know how to secure my communications against anyone up to (but not including) the NSA.  I don't do it often, because it's a PITA.  That doesn't mean I want my life to be an open book lying around where anyone might pick it up.

Change your name to John Smith and rotate through generic name change every decade or so, because with current trends even obsessive-paranoid people like me can no longer expect privacy, least everyone else.

I think long term solution (2+ generations away) would be assumed legal identities, until then be prepared for no privacy and get discriminated, targeted and such due to complete lack of privacy.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Trippy on November 30, 2011, 08:56:37 PM
May be in iOS too:

http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Pennilenko on November 30, 2011, 09:24:35 PM
Just one question.....does anyone here, or did anyone ever think anything on a cell phone was ever private?


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Yegolev on December 01, 2011, 06:53:11 AM
Hell, I'm pretty sure landlines are insecure.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Ironwood on December 01, 2011, 07:43:43 AM
Carrier IQ is to smartphones as Paul McMullen is to News Of The World. Saying a bit too loudly that which is supposed to go unsaid.
Yeah, really.  While it can be a concern, the carriers shouldn't be your primary one.  If you positively do not want your data getting out in the wild, stop using electronics.

That's the route I went!  :grin:

But, but, but.

ARG.

 :uhrr:


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Merusk on December 01, 2011, 10:21:02 AM
Silly Ironwood, the internet isn't electronics!  :grin:

Or am I posting via an elaborate proxy web using a carefully cultivated system of false IDs?

At the very least I know I'm not broadcasting my location everywhere via a cell phone, remote car start/ onstar/ lowjack system.

If I were as paranoid as Sinij I'd wonder how he drives anything built after 1994 what with the internal black boxes etc.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Nerf on December 01, 2011, 11:31:45 AM
onstar

That shit gives the Rusty Shacklefords of the world fucking nightmares.  Once installed, they can remotely activate the microphones and listen to what's going on inside your car pretty much whenever they want, even long after you've discontinued the service.  I try to not be too  :tinfoil:, but I would sure as shit rather drive a car that didn't have that particular functionality hard-wired from the factory.

On the CarrierIQ shit, I'm pretty damned happy to hear that the Nexus devices don't come with it installed, now if Verizon ever actually fucking launches the thing, I can get rid of my big-brother compromised Incredible and go back about my illicit activities.  Don't worry though, I'll still leave the illegal arms dealing to Mexican cartels up to the ATF.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Furiously on December 01, 2011, 12:19:46 PM
Oh like there are not orbiting satellites recording everything you are doing.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: bhodi on December 01, 2011, 01:09:07 PM
On the CarrierIQ shit, I'm pretty damned happy to hear that the Nexus devices don't come with it installed, now if Verizon ever actually fucking launches the thing, I can get rid of my big-brother compromised Incredible and go back about my illicit activities.  Don't worry though, I'll still leave the illegal arms dealing to Mexican cartels up to the ATF.
CityID popped up again last night after the update on monday. I installed Cyanogen 7 on my incredible and now the phone is faster and better than it was before.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Engels on December 01, 2011, 01:26:59 PM
Welp, this should prove of additional interest to the topic:

Wikileaks docs reveal that governments use malware for surveillance (http://arstechnica.com/business/news/2011/12/wikileaks-docs-reveal-that-governments-use-malware-for-surveillance.ars)

Sample paragraph from the Ars article:

Quote
The software will capture the content of encrypted communications—including instant messaging conversations, e-mails, and the user's Web activity—and will relay the data to the party conducting surveillance. The software also includes key logging, remote file access, and has the ability to capture screenshots. The company cites "zero day exploits" and "social engineering" in a bulleted list of ways that its remote forensic software can be installed on the computer of a surveillance target.

The actual wikileaks stuff. Interesting interactive map detailing alleged companies per-country (http://wikileaks.org/The-Spyfiles-The-Map.html)



Title: Re: (Some) Android is Watching you! (maybe)
Post by: TheWalrus on December 01, 2011, 03:14:09 PM
Quote
I try to not be too  :tinfoil:, but I would sure as shit rather drive a car that didn't have that particular functionality hard-wired from the factory.


Since my wreck, I'll never have a car that doesn't have onstar or similar service. Pretty goddamn amazing response.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Trippy on December 01, 2011, 03:43:24 PM
May be in iOS too:

http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone
Apple sez: We are using Carrier IQ in most devices and iOS versions but only if the phone is in diagnostic mode we swearz!

http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Trippy on December 01, 2011, 05:56:27 PM
Carrier IQ sez: We're not sending any personal info to ourselves, we swearz!

http://allthingsd.com/20111201/carrier-iq-speaks-our-software-monitors-service-messages-ignores-other-data/


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Yegolev on December 02, 2011, 06:55:13 AM
This would be a lot more believable if there wasn't a ton of money to be made with the ignored data.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: NiX on December 02, 2011, 07:42:14 AM
Quote
May be in iOS too:
http://www.theverge.com/2011/11/30/2601875/carrier-iq-references-discovered-apple-ios-iphone

They updated the article and it sounds like Apple only has it there for debugging and it doesn't pull the same amount of information.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Sand on December 02, 2011, 09:34:32 AM
CarrierIQ and most of the carriers responded today about the concerns.
http://www.huffingtonpost.com/2011/12/01/carrier-iq-verizon-apple-google-microsoft-att_n_1124779.html#s513545&title=Sprint

Problem is we already know, based on their responses, that some of them are blatantly lying.

For example Sprint says:
Quote
Carrier IQ provides information that allows Sprint, and other carriers that use it, to analyze our network performance and identify where we should be improving service. We also use the data to understand device performance so we can figure out when issues are occurring. We collect enough information to understand the customer experience with devices on our network and how to address any connection problems, but we do not and cannot look at the contents of messages, photos, videos, etc., using this tool. The information collected is not sold and we don't provide a direct feed of this data to anyone outside of Sprint. [...] Carrier IQ is an integral part of the Sprint service.

When we already know, for a fact, that Sprint provides a web based browser program that allows members of the law enforcement community to log in at any time and find the location of any active Sprint customer. They can do this without a warrant.
http://www.wired.com/threatlevel/2009/12/gps-data/


Title: Re: (Some) Android is Watching you! (maybe)
Post by: bhodi on December 02, 2011, 10:28:39 AM
The example you cite is faulty.

They said they don't offer a feed of "messages, photos, videos, etc.", basically phone contents, to anyone outside of Sprint.

This may be true, while simultaneously offering the GPS coords of the phone itself. That isn't really lying.


Of course, they really should not be collecting that information in the first place, but I still felt the need to correct. We don't need hyperbole when the truth is plenty horrifying.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on December 02, 2011, 01:12:21 PM
Quote
When we already know, for a fact, that Sprint provides a web based browser program that allows members of the law enforcement community to log in at any time and find the location of any active Sprint customer. They can do this without a warrant.
http://www.wired.com/threatlevel/2009/12/gps-data/

They don't need CarrierIQ to get your GPS data.  They can get your position at any time using their own broadcast towers.  Also I'm pretty sure all carriers are legally supposed to be able to give GPS coords to law enforcement for 911 emergency circumstances.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: KallDrexx on December 02, 2011, 07:28:14 PM
From Engadget (http://www.engadget.com/2011/12/02/some-android-phones-fail-to-enforce-permissions-exposed-to-unau/)

Quote
Eight Android phones, including the Motorola Droid X and Samsung Epic 4G, were found to house major permission flaws according to a research team at North Carolina State University. Their study revealed untrusted applications could send SMS messages, record conversations and execute other potentially malicious actions without user consent. Eleven of the thirteen areas analyzed (includes geo-location and access to address books) showed privileges were exposed by pre-loaded applications. Interestingly, Nexus devices were less vulnerable, suggesting that the other phone manufacturers may have failed to properly implement Android's security permissions model. Google and Motorola confirm the present flaws while HTC and Samsung remain silent. Exerting caution when installing applications should keep users on their toes until fixes arrive.

*edit* Source was this Ars Technica article (http://arstechnica.com/tech-policy/news/2011/11/researchers-find-big-leaks-in-pre-installed-android-apps.ars?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+Featured+Content%29)


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Quinton on December 02, 2011, 09:43:50 PM
From the paper:
Quote
The reference implementations from Google (i.e., the Nexus One and Nexus S) are rather clean and free from capability leaks, with only a single minor explicit leak (marked as 2 in Table 3) due to an app com.svox.pico. This app defines a receiver, which can be tricked to remove another app, com.svox.langpack.installer by any other third-party app.

Looks like the stock system might be able to be fooled into removing apps via this one.  Definitely needs fixing, but not exactly the end of times.

The paper has a nice chart of the specific issues they identified, which devices were impacted, etc.

Interesting research and a nice writeup about their analysis techniques.
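The kind of leak quoted above (a pre-loaded app that holds a privilege and exposes an unguarded entry point) can be shortlisted from a manifest alone. This is an added example, not code from the paper or from any poster; it is a simplified first-pass heuristic, not the researchers' analysis, and the package and component names in the sample are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Providers follow different export defaults and are left out of this check.
COMPONENTS = ("activity", "service", "receiver")

# Constructed manifest for a hypothetical pre-loaded app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.langpack">
  <uses-permission android:name="android.permission.DELETE_PACKAGES"/>
  <application>
    <receiver android:name=".RemoveReceiver">
      <intent-filter><action android:name="com.example.REMOVE"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver"
              android:permission="com.example.permission.ADMIN">
      <intent-filter><action android:name="com.example.ADMIN"/></intent-filter>
    </receiver>
    <activity android:name=".Settings" android:exported="false"/>
  </application>
</manifest>
"""

def exposed_components(manifest_xml):
    """Return (permissions held, components any other app can reach unguarded)."""
    root = ET.fromstring(manifest_xml)
    held = sorted(e.get(ANDROID + "name") for e in root.iter("uses-permission"))
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        if exported is None:
            # Android versions of that era: an intent-filter implies exported.
            exported = "true" if comp.find("intent-filter") is not None else "false"
        guarded = comp.get(ANDROID + "permission") or app_perm
        if exported == "true" and not guarded:
            findings.append((comp.tag, comp.get(ANDROID + "name")))
    return held, findings

if __name__ == "__main__":
    print(exposed_components(SAMPLE_MANIFEST))
```

Each finding still needs a manual check of whether the entry point actually reaches a call that uses one of the held permissions.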


Title: Re: (Some) Android is Watching you! (maybe)
Post by: apocrypha on December 04, 2011, 12:01:53 AM
Carrier IQ's VP of marketing has given an interview (http://www.theregister.co.uk/2011/12/02/carrier_iq_interview/) to The Register including lots of technical information that's been checked out by an Android security researcher, which seems to show that the data being collected is debugging information that's dropped again almost immediately and not sent anywhere except in case of a bug or software failure.

I don't know enough about the technical side of this to draw my own conclusions but I have a lot of respect for The Register with things of this nature.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Quinton on December 04, 2011, 02:05:47 AM
Apart from whether or not they retain or transmit stuff like keystroke data, they *really* should not inject it into the system logs where it can be scraped by other apps with the "read logs" permission.  OEMs have done this from time to time (typically a failure to disable debugging print chatter in the keyboard or touch drivers) as well.  This is the sort of thing that CTS (the Android Compatibility Test Suite) tries to catch, but is difficult to do automatically due to the variety of ways people can format this data.
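The post above says typed input leaking into the system log is hard to catch automatically because it can be formatted in many ways. The sketch below is an added example, not CTS code or anything from the posters: it types a known canary on a test device, then searches captured log lines for it as plain text, hex, base64, and one key code per line. The log tags and sample lines are constructed.

```python
import base64
import re
from collections import defaultdict

LINE = re.compile(r"^[VDIWEF]/([^(]+?)\s*\(\s*\d+\):\s?(.*)$")   # "D/Tag( pid): msg"
KEY = re.compile(r"(?:key|code|char)\w*\s*[=:]\s*(?:0x([0-9a-f]{2})|(\d{2,3})|'(.)')", re.I)

CANARY = "Zq7canary"   # constructed marker typed into the device under test
SAMPLE_LOG = [         # constructed log lines, hypothetical tags
    "I/ActivityManager(  71): Displayed com.example.notes/.Main: +312ms",
    "D/AgentSvc( 412): submit text=Zq7canary",
    "V/KbdHal(  55): buf: 5A 71 37 63 61 6E 61 72 79",
    *[f"D/TouchDrv(  88): keycode=0x{ord(c):02x} down" for c in CANARY],
    "D/TouchDrv(  88): irq 14 handled",
]

def variants(canary):
    """Encodings a driver or agent might use when printing typed input."""
    raw = canary.encode()
    return {
        "plain": canary.lower(),
        "hex": raw.hex(),
        "hex-spaced": " ".join(f"{b:02x}" for b in raw),
        "base64": base64.b64encode(raw).decode().lower(),
    }

def find_leaks(lines, canary):
    """Return sorted (tag, encoding) pairs for log tags that reveal the canary."""
    needles = variants(canary)
    hits = set()
    per_key = defaultdict(str)   # tag -> text rebuilt from one-key-per-line output
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        tag, msg = m.groups()
        low = msg.lower()        # case-insensitive so upper-case hex is caught
        hits.update((tag, kind) for kind, needle in needles.items() if needle in low)
        k = KEY.search(msg)
        if k:
            hx, dec, ch = k.groups()
            per_key[tag] += ch or chr(int(hx, 16) if hx else int(dec))
    hits.update((tag, "per-key") for tag, typed in per_key.items() if canary in typed)
    return sorted(hits)

if __name__ == "__main__":
    for tag, kind in find_leaks(SAMPLE_LOG, CANARY):
        print(f"{tag}: canary visible as {kind}")
```

Any encoding not in `variants` (a vendor-specific scan-code table, for instance) passes unnoticed, which is the limitation the post describes.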



Title: Re: (Some) Android is Watching you! (maybe)
Post by: Engels on December 13, 2011, 09:14:23 AM
New article on ArsTechnica on FBI use of IQ info

http://arstechnica.com/tech-policy/news/2011/12/fbi-using-carrier-iq-info-for-law-enforcement-purposes-refuses-to-release-records.ars

Quote
The FBI claims data gathered by Carrier IQ software is exempt from disclosure laws because it is located in an investigative file that was "compiled for law enforcement purposes" and "could reasonably be expected to interfere with enforcement proceedings."

Quote
A Carrier IQ spokesperson has denied the company provided any information to the FBI, according to a report in VentureBeat. However, Carrier IQ data is provided to wireless carriers, so the FBI could have received the data in question from another source.


Title: Re: (Some) Android is Watching you! (maybe)
Post by: Sand on December 15, 2011, 10:57:44 AM
I'm shocked! Quite shocked! Completely and utterly shocked!

(no I'm not really)