[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMZ4ocv5bkDK0S9PPL9Y6jrdhaEurKC21h53o2RawQJ2Tnmbgw@mail.gmail.com>
Date: Wed, 7 Dec 2011 09:55:53 -0300
From: Pablo Ximenes <pablo@...en.es>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: OMIGOD CIQ HACKING THE WORLD.
Hi All,
Based on what I read from the post, basically Rosenberg recognises he has
no clue about what happens with the rest of affected phone models: *
"One important thing to note is that this represents the metrics that are
submitted to the CarrierIQ application by the code written by Samsung. The
list of available metrics are carrier specific, but will remain constant on
a given handset model. The subset of this data that is actually recorded
and collected is at the discretion of the carrier, and is based on the
profile installed on the device.**"* (Dan Rosenberg)
So the eavesdropped data with respect to the rest of affected phones could
be anything for all he knows, including contents of SMS's and visited pages.
And about collecting every URL (even https ones) that is visited. Forget
about the legality, let's go directly to the privacy implications.
For instance, if you do that for a simple Facebook session, there's a huge
amount of very private information being collected (fixed URLS that reveal
photos, etc; ajax URLs that reveal juicy IDs, among other things). Also,
I don't think anybody would want to have their complete web history in the
hands of anyone without their express consent.
Going back to the legality, even if the URL is just the begining of an HTTP
negotiation process, it doesn't mean that URLs are not payloads legally. In
many countries only layers 4 (transport) and bellow (TCP info, IP data,
etc) would be considered header information and all the rest would be
considered payload, incluing the URL. If what Rosenberg claims is that a
URL is not considered payload to the law, I thing he might have to review
his concepts. In Brazil, for instance, capturing the URL alone in this
scenario would constitute a crime of illegal wiretapping.
Regards,
Pablo Ximenes
2011/12/6 Christian Sciberras <uuf6429@...il.com>
> Or not...
>
> http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/
>
> On the other hand, where that l33t hacker Drew (aka xD 0x41)?
> Thought he'd enlighten us with more of his awesome hacking powers on this
> issue.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists