Re: [Fed-Talk] ABC WNN reports the iPhone has Carrier IQ software installed
- Subject: Re: [Fed-Talk] ABC WNN reports the iPhone has Carrier IQ software installed
- From: Dave Schroeder <email@hidden>
- Date: Thu, 01 Dec 2011 18:07:44 -0600
On Dec 1, 2011, at 5:38 PM, Jeffrey Walton wrote:
> I believe past performance is indicative of future expectations
> (apparently we disagree here). "lack of truthfulness" - I should have
> called a pot and kettle black - it was a lie.
Yes, but I disagree Apple "lied" with its past performance on these topics. In the last location debacle, there was no evidence Apple used the data for anything beyond what it said, which was anonymous improvement of the Wi-Fi location database. Whether or not someone sees this as a big deal or a privacy concern does not make it a lie. Further, Apple's claim that the fact the phone stored data beyond a few days was an error was borne out by the facts, since such improvement would not need more than a brief snapshot of data at any given point.
>> Since location data is still not sent when Location Services is disabled,
> Perhaps I missed something:
> https://www.google.com/#sclient=psy-ab&q=iphone+unauthorized+collection+of+data
I thought we were talking about Carrier IQ:
http://blog.chpwn.com/post/13572216737
> It does access a reasonable amount of information, however:
>
> [...]
> • CoreLocation
> • your location (Only, however, if Location Services are enabled.)
>
> [...]
>
> From my examinations, Apple’s recent statement on the issue appears to be entirely accurate:
http://allthingsd.com/20111201/apple-we-stopped-supporting-carrieriq-with-ios-5/
So how is Apple being less than truthful here?
>> and since this is opt-in (not opt-out), and since nothing nefarious was ever shown to have occurred during any of the other episodes of inordinate attention only iOS received, what is your point?
> I work application security, and I'm paid to be suspicious. And I
> don't suffer from fanboi tunnel vision.
Nor do I. But I predict this issue blows up in the mind of the public with one easy target -- Apple -- in the mix more than it would had the issue been limited to Android. I also predict Apple's above statement -- and the CIQ "discoverer's" confirmation -- will be utterly glossed over.
> Random numbers are hard to come by. If someone were using location
> data as an entropy source (after extracting the entropy), this would
> be a big problem.
>
> I've never met any of my attackers, but it does not mean they don't
> exist. If I followed logic asserted in this thread, there would be no
> attackers, no need for encryption, and no need for premier code
> breaking agencies such as the NSA.
I don't disagree with anything you've said here. So is your issue not that the data is being collected and not sent, but that it could be exploited?
If a device is exploited for such data, couldn't the attacker exploit anything about the device? Yes, I know there's all sorts of arguments about making it "easier" and such, but Apple's CIQ implementation is a far cry from what's been demonstrated on Android.
- Dave