Friday Summary: Big Changes and Carrier IQ
By Rich
Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments.
Our goal with the Summary was to provide a good way to highlight what we have been up to every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format).
We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community.
Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week.
So I think it’s time to shake up the Summary a bit and switch its format.
Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet.
Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated.
The Story of the Week: Carrier IQ
The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level. The story quickly hit the (mostly uninformed) spin machine.
The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off.
From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy:
- Your phone carriers already log all your calls, text messages, and web URLs you visit.
- Google and all the ad tracking networks work hard to log everything you do on the Internet.
As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff:
@adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning
@davienthemoose: google logs my keystrokes on my banking site? :o
While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker.
So I stand corrected. Thanks to Twitter.
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian quoted on Oracle database patching.
- Liquidmatrix Cyber Expert Interviewed (on TV). See one of our favorite Canadians, our own contributor Dave Lewis, on TV to discuss the Anonymous threats against the Toronto Government.
- Incite 11/30/2011: An Introverted Thanks.
- Changing Focus through the Holidays.
- Fundamentals of Crowd Management.
- Occupy Work.
- Mobile Payments without Credit Cards.
- Index of Posts: Security Management 2.0.
- Incite 11/16/11: Blockage.
- FireStarter: Looking the other way.
Favorite Outside Posts
- Mike Rothman: Are you positive? Jack Daniel discusses the Achilles’ heel of any detection technique: the false positive. Read it.
- Adrian Lane: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists. Hacks, fraud, money mules, and DDoS – this story has it all.
- Gunnar: Best statistics question ever. See if you can find the right answer.
Research Reports and Presentations
- Security Management 2.0: Time to Replace Your SIEM?
- Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
- Tokenization vs. Encryption: Options for Compliance.
This week we will be making a donation to Brad “theNurse” Smith.