Blog

Friday Summary: Big Changes and Carrier IQ

By Rich

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments.

Our goal with the Summary was to provide a good way to highlight what we have been to up every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format).

We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community.

Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week.

So I think it’s time to shake up the Summary a bit and switch its format.

Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet.

Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated.

The Story of the Week: Carrier IQ

The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level. The story quickly hit the (mostly uninformed) spin machine.

The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off.

From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy:

  • Your phone carriers already log all your calls, text messages, and web URLs you visit.
  • Google and all the ad tracking networks work hard to log everything you do on the Internet.

As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff:

@adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning

@davienthemoose: google logs my keystrokes on my banking site? :o

While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker.

So I stand corrected. Thanks to Twitter.

Webcasts, Podcasts, Outside Writing, and Conferences

Securosis Posts

Favorite Outside Posts

Research Reports and Presentations

This week we will be making a donation to Brad “theNurse” Smith.

No Related Posts
Comments

I will third the comments here.

Although we could all scan the many other tweets and blogs available on the Internet, it’s great to have a source that highlights the significant ones.  I never miss the news stories summary (which don’t seem random at all) - you should reconsider (please).

By AT


Thanks for the info. as always. I can plug my phone into my laptop and see all files, even hidden through command line. Can we just delete these files that make everything logged, or would it disable our phones? Maybe we should all spoof our ip address everytime we go online!?
I personally think it is about to late for anyone to have privacy, all our info. is out there somewhere, and the wrong people with the right knowledge can get it.

Doug

By Doug Welsh


I like the Favorite Outside Posts list. It gives me a chance to see what you guys are looking at, and a taste of other news sources that maybe I don’t already follow but should.

I like the idea of reviewing the top stories, but would rather have the separate Incites if there were a choice.

Strangely, I never really looked at your lists of top news posts. I figure if it’s big news, I’ll have seen it. And I think there’s just something I like more about seeing a news post with a summary or your thoughts on it, rather than just a list of headlines/links.

Like Sripathi, if I read anything in a week, it’ll be the Securosis Incite and Summaries. (No lie!)

I like the donation mention, as it gives some exposure to good ideas to help others. I do also like the highlighted comment and like to see which gets it, but it certainly is not important and any good comments should probably have positive praise attached to them anyway in the form of replies. I think part of the attachment is just the “game” part of it. Gosh, which post won? I think you get the same effect with a “top news story of the week” sort of thing. At least, I bet it scratches that same underlying itch in a blog visitor/reader…

By LonerVamp


Rich,

I have been a lurker on your blog for a long time now. I am a developer by profession, and security is a small but important part of what I do. Consequently, I do not spend much time on twitter or other ‘new media’ to stay up to date on this field.

Friday Summary and the Incite give me a great perspective and insight on this field. ‘Read these two columns, and you will not miss anything significant’ has been my attitude.

I would definitely miss the random list of articles. Please don’t exclude that.

I know you have been complaining that people don’t leave comments. I am guilty of that. Hopefully, this comment of mine can influence you to not change the Friday summary too much.

Thanks for the great work!

By Sripathi Krishnan


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.