Wednesday 7 December 2011

CarrierIQ - FOSS Wouldn't Have Stopped It!

There seems to be quite a bit of fuss going on around this whole CarrierIQ business. Specifically there seems to be some sort of misconception that a fully open source operating system would have some how prevented CarrierIQ from being used. What complete and utter nonsense. Lets consider how this software was discovered.

This thing was detected by security researchers. How many smart phone users out there are security researchers? How many smartphone users out there in the real world actually care what diagnostic software is installed on their "phone"? And now that we know about CarrierIQ, how many Android or Apple smartphone owners are going to do anything to remove it? Almost none is the answer to all questions. Just a teeny tiny minority of people using these devices understands the inner workings enough to even think to look for this sort of activity.

In deed one of the security researchers who discovered CarrierIQ, only found it because he was tracking down the source of some data packets moving across his companies networks that shouldn't have been there. The implication being if he hadn't noticed the rouge data packets. He wouldn't have found CarrierIQ.

Now lets consider how a fully open source OS would have helped. Could Google have reasonably stopped HTC, Samsung or Motorola from installing CarrierIQ? It's doubtful. If Google aren't involved in the installation of this rootkit then I see no way they could have stopped it. Even if it had been installed as a standard default app. Most people still wouldn't have noticed it. And even if they did. They likely wouldn't have done anything about it. The description would have read something like, "Reports performance metrics back to manufacturer for support purposes". Most folks would like then have considered it a necessary technical component and left it well alone. I mean I let my Ubuntu desktop report back to Canonical.

So in the end CarrierIQ would still be there. Most people would do nothing about it. As they are doing now.

If Google had created their own performance monitoring software could they have stopped this? Well no. Android is open source or at least mostly open source. And as with most general purpose operating systems today, Android is modular. That means any component can be changed out for an alternative part by those who have the know-how and will to do so. So Samsung and HTC could still be spying on you.

There is also another issue to look at. Data security on a network. How does open source software protect your data against monitoring once it leaves your phone? The phone companies know who their customers are and who's calling who, who's texting what etc. And it's not just the phone companies. Go talk about any subject or product on Facebook and then watch as the adverts you're served up on web pages match exactly what you were discussing ten minutes ago.

So what exactly is the fuss about? Are people still under the illusion they have some sort of privacy left in this world? Privacy died when the art of "data-mining" was discovered.

....

Just one more thing before the lights go out. I noticed a few folks crowing about how Windows Phone 7 devices don't have this rootkit. Well no they don't it seems however who needs a rootkit to ruin your day when Microsoft are involved. Sidkick, Office 365/BPOS, Windows, Xbox malware. Enough said.