When Rich isn't around to take up most of the time, Zach can actually be pulled out of his shell to talk for a little while. Or maybe it's just that with two hosts on the podcast there's more time to talk. In any case, Martin and Zach went a little long this week, and deep into paranoia land, and there's plenty in the news right now to push us there. It's kind of scary when you start to realize that as much communication as modern technologies allow, they also allow a lot of very deep surveillance, which we as a society seem to be okay with.

Network Security Podcast, Episode 261, December 6, 2011
Time: 42:13

Show Notes:

Posted by martin, filed under Podcast. Date: December 6, 2011, 6:18 pm | 3 Comments

3 Responses

  1. chuck Says:

    http://threatpost.com/en_us/blogs/insecure-applications-we-are-84-percent-120611

  2. smc Says:

    The CarrierIQ question of “can” vs “does” is the entire point.

    It does intercept usernames, passwords, session tokens, https parameters, voicemail pins (Murdoch, anyone?), and a whole bunch of other things that would put you or me in jail for many decades if WE intercepted those things.

    Of particular merit is that they intercept credentials for private enterprise properties; if you tunnel into your enterprise and touch an internal server, CIQ will harvest all keyhits.

    People seem confused by the difference between "intercept" and "keep". If you, a pro consulting IT vendor, secretly throw keyloggers on every workstation at a client site, you do not avoid jail when you claim to only "keep the odd-numbered characters". If you, a standard cashier at a typical large retail store, secretly throw keyloggers onto every workstation in the building, you'll go to jail even faster, regardless of whether you're only "collecting random keyhits for an artwork project".

    If you throw a skimmer onto an ATM, it does not become “legal” if you promise to only “keep” the even-numbered digits. It does not become “legal” if you never collect the skims (“keep none”), either – the act of interception is the crime. If you park outside of a Home Depot and harvest payment data from their wide-open wifi – you go to jail, regardless of what you do with the result. The intent to intercept secrets is a crime, and then there’s other crimes for what you DO with that intercepted data. The Home Depot wifi-bandits are not anecdotal to the CIQ applet – specifically because the wifi was wide-open, and specifically because Home Depot had an expectation of secrecy. Home Depot’s incompetence did not factor into the prosecution, nor did it prove viable for the defense.

    CIQ’s product *does* intercept proprietary information that is expected to be secret – secret to the point that you or I would go to jail if we attempted such interception. We demonstrate this intention of secrecy by using SSL, tunnels, WPA, and other ciphered communication tactics. This is compounded by the FACT that CIQ’s interception is NOT incidental to providing any service; it is spurious interception.

    Then there's the other half of that equation: the enterprise. In no way, shape, or form would the typical enterprise consent to having credentials for its assets intercepted, and the user does not have the authority to allow CIQ to do so.

    CIQ’s statements indicate that intercepted data is sent to a CIQ owned property, not the carrier’s. Per their statements, the data is intercepted, sent to CIQ, and is then made anonymous and aggregations are performed, and THAT is then sent to a subscribing carrier. Note that for the purpose of “interception”, the interception takes place at the device – it does not matter if the result is transmitted elsewhere (e.g. for an ATM, if the skimmer is never collected).

    Note that CIQ is held harmless if any intercepted data is "leaked", "lost", or "exposed" by them, or caused by them (bugs in their code / systems). They are also not required to notify anyone of any such events, nor to mitigate such events.

    Personally, I'm hoping that CIQ's hooks do NOT constitute "interception". I'll be having a field day with credit card readers everywhere. "The card numbers are stored securely on a Windows NT4 server, then aggregated and made anonymous before forwarding on to the Russians." Almost sounds ludicrous in that context, eh?

    -smc

