Big privacy scandal for Android phones

ExtremeTech: Carrier IQ-gate is best reason to buy an iPhone
[Via Brainstorm Tech: Technology blogs, news and analysis from Fortune Magazine » Apple 2.0]

A cellphone eavesdropping scandal casts a shadow on Apple’s competitors

Caught red-handed: Carrier IQ logging Eckhart’s keystrokes

Have you heard that every text message, every e-mail, every phone number, every keystroke made on a Google (GOOG) Android phone may be secretly recorded, logged and sent to your cellular provider by a tracking service called Carrier IQ?

No? That’s a surprise, because it’s a scandal that’s been brewing for several weeks — ever since security researcher Trevor Eckhart discovered Carrier IQ’s analytics app on HTC phones running Android. The app comes pre-installed on more than 140 million handsets, including phones made by Samsung, Nokia (NOK) and Research in Motion (RIMM) — but not Apple (AAPL).

Carrier IQ’s first response was to have its lawyers send Eckhart a cease-and-desist letter (since withdrawn, with an apology). Its second was to issue a statement that its software does not record keystrokes and that any information it gathers is “encrypted and secured.”

It didn’t take long for Eckhart to put the lie to those claims. On Monday he posted a 17-minute YouTube video that takes viewers step by step through the set-up and then, at the 13:45 mark, shows Carrier IQ recording his keystrokes — in clear text — as he performs a supposedly encrypted HTTPS Google search.

[More]

Looks like almost everyone who bought an Android phone has had a tremendous amount of personal, private data sent, unbeknownst to them, to a private company that seems to be in a position to sell that data.

It records all your keystrokes – like passwords – and transmits them in the clear, with no encryption.

This is about the largest security meltdown one could imagine with mobile devices. Yet we have heard little about it in the press.

But the iPhone has no such app. Here is what one of the few tech writers reporting on this said:

“The CIQ software, as it currently functions,” he writes, “blatantly violates both privacy agreements and security best practices. It’s also the best reason to buy an iPhone that we’ve heard in months. Given the choice between a closed software ecosystem and an open phone that spies on its user, we’ll take closed software every time.”

This could be about as damaging to Google and Android as one could imagine. We shall see how this turns out.

Why you should be very careful of who you friend on Facebook

Researcher shows how to “friend” anyone on Facebook within 24 hours
[Via Ars Technica]

If there’s any doubt about how social networks have presented hackers with a wealth of social engineering tools, a Brazilian security researcher recently demonstrated how he could “friend” even allegedly more wary Facebook users in less than 24 hours. At the Silver Bullet security conference in São Paulo, UOLDiveo chief security officer Nelson Novaes Neto showed how he leveraged LinkedIn, Amazon, and Facebook to convince a target—a Web security expert he called “SecGirl”—using social engineering.

Novaes created a fraudulent Facebook account, “cloning” the identity of the manager of the target. He then sent friend requests to friends of friends of the manager from the cloned account—sending out 432 requests. In just one hour, 24 of those requests were accepted, even though 96 percent of them already had the legitimate account of the manager in their contact list. He moved on to 436 direct friends of the manager, using his connections from LinkedIn—getting acceptances from 14 of them in an hour. Seven hours into the experiment, his cloned account’s friend request was granted by SecGirl.

With the information obtained by friending someone, it’s possible, Neto said, to then take over a legitimate Facebook account using Facebook’s “Three Trusted Friends” password recovery feature. Through the password recovery tool, a hacker can change both the password and the contact e-mail address for an account. The hacker could then use that hacked account for social engineering attacks on other accounts.

In an interview with Brazil’s UOL Noticias, Neto said, “People have simply ignored the threat posed by adding a profile without checking if this profile is true. Social networks can be fantastic, but people make mistakes. Privacy is a matter of social responsibility.”

[More]

Social engineering is the easiest way to break any security. Be careful who you friend in any online social system.

Good article with background on the collapse of the XMRV hypothesis

train by kevin dooley

Feature: How a collapsing scientific hypothesis led to a lawsuit and arrest
[Via Ars Technica]

In 2006, scientists announced a provocative finding: a retrovirus called XMRV, closely related to a known virus from mice, was associated with cases of prostate cancer. But other labs, using different sets of patients, found no evidence of a viral infection. Before the controversy could be sorted out, another research group published a 2009 paper containing an even more intriguing claim. XMRV, it said, was associated with chronic fatigue syndrome (CFS), a disorder that some had claimed was purely psychosomatic.

Reaction came quickly. The CFS community, viewing a viral cause as a validation of their malady, embraced the finding. One author of the XMRV/CFS paper, Judy Mikovits, landed a position as research director of a private foundation dedicated to CFS. A company associated with the foundation started offering tests for infections.

Then the story took a strange turn. A long chain of events led not only to the collapse of the XMRV hypothesis, but it landed Mikovits in jail—and brought death threats upon some of the researchers who debunked her ideas.

[More]

Perhaps XMRV will follow the same trajectory as cold fusion – continuing work by a small group of believers mostly outside the purview of mainstream research. But current research has greatly damaged it as a viable hypothesis for an extremely frustrating disease.

One part of the article stood out:

These features are all necessary parts of scientific self-correction. Frequently, non-scientists view the corrective process as one where people question some results and attempt to perform an exact reproduction of the experiments that generated them. That’s not what usually happens. Instead, the best questions usually focus on the consequences of the result—what should we be seeing if this is right?

Much of scientific research falls into the rhetorical “If true, then what?” It is a valuable logical tool called modus tollens. If we assume something is true, it should lead to known consequences. If those consequences are not found, then the assumption is weakened if not outright disproved.

Do this enough times, then add in alternative assumptions whose consequences CAN be found, and virtually any scientific hypothesis will collapse.

Feynman, as usual, has something to say about this, from his 1974 commencement address:

We’ve learned from experience that the truth will come out. Other experimenters will repeat your experiment and find out whether you were wrong or right. Nature’s phenomena will agree or they’ll disagree with your theory. And, although you may gain some temporary fame and excitement, you will not gain a good reputation as a scientist if you haven’t tried to be very careful in this kind of work. And it’s this type of integrity, this kind of care not to fool yourself, that is missing to a large extent in much of the research in cargo cult science.

It appears that this has happened here. It would be nice to hope that the increased focus this hypothesis has brought to this disease might enhance the chances that a solution would be more rapidly reached.

But harassment and death threats make it likely that fewer people will want to touch such a controversial subject.

The instrument is called a Hang

Very nice to listen to.

In a non-realistic setting, your sperm might be harmed

egg by euthman

Laptop Wi-Fi said to nuke sperm, but caveats abound | Reuters
[Via Reuters]

The digital age has left men’s nether parts in a squeeze, if you believe the latest science on semen, laptops and wireless connections.

In a report in the venerable medical journal Fertility and Sterility, Argentinian scientists describe how they got semen samples from 29 healthy men, placed a few drops under a laptop connected to the Internet via Wi-Fi and then hit download.

Four hours later, the semen was, eh, well-done.

[More]

I’ll bet there are some caveats. They simply placed sperm samples under the laptop.

But in reality, sperm are inside tissue underneath clothes. Do Wi-Fi transmissions get that far in? There is no evidence that they penetrate much deeper than the skin.

If they were powerful enough to penetrate into the testicles, I’d expect your skin would be pretty damaged also. Even under these experimental conditions, 75% of the sperm were motile compared with 86% of the control, and 91% showed no DNA damage compared with 96% of the control. I’d be willing to say that Wi-Fi would have even less effect in a real setting.

This is like hitting the sperm with a hammer and stating that wearing tight pants could cause sperm to be harmed due to the increased pressure.
