On Apple’s Location Tracking

The controversy over Apple’s “Location Tracking” is quite interesting. It’s worth making clear that the nodes stored in the database are approximations of cell phone towers and WiFi hotspots you’re likely to encounter rather than your location(s) at any given point in time. It’s a way to “prime the well” when doing a GPS lookup to improve performance.

Apple notably failed in a few key ways which should serve as a lesson to others:

  1. Always disclose what you’re doing – Never just assume that what you’re doing with someone’s information is cool. Apple could have mitigated a lot of this had they disclosed what the phone was actually doing from day 1. Never transmit anonymous or personal information without letting the user know first.
  2. Never store more than you need – I can’t believe how many companies mess this up. Storing user information is a liability. A good business limits its liabilities to only what’s necessary to conduct business. Storing so much data, and never expunging it, was a very bad move and amplified the situation. On top of not letting users know what was going on, there was no way to purge the information. This just made things much worse. Apple went as far as backing up what should have been an expendable cache.
  3. Always be paranoid with information – In its response to Edward J. Markey, Apple states: “The local cache is protected with iOS security features, but it is not encrypted. Beginning with the next major release of iOS, the operating system will encrypt any local cache of the hotspot and cell tower location information.” This should have been encrypted since day 1. Tools that could read this data have existed in the surveillance community for a few years. Apple undoubtedly knew people were using this data, sometimes for illicit purposes. No company has gotten in trouble for being too secure with customer information with anyone other than the NSA or FBI.

It’s worth noting that their software update in response to this controversy is actually pretty good and pretty thorough. I’m surprised they couldn’t quickly shim some encryption around the cache; iOS is already loaded with plenty of DRM and crypto.

On another note, I fully expect some court cases to be reopened now that “cell phone records” are not quite as accurate as they were falsely billed to be. Also, companies who marketed software as capable of showing a user’s location history may be liable, as this wasn’t accurately vetted. If they had done good testing they would have seen the extent of its “tracking”. It seems inevitable.

Lastly, I wonder how much battery life, and how much bandwidth this was utilizing. Some customers are on metered WiFi (especially some hotspots). To geo-tag one must turn on GPS, meaning battery life was being drained behind the scenes.

Apple’s full response can be found on Congressman Ed Markey’s website (copied here for perpetuity).

Quicken Security Theater

Quicken Password Confirmation

I don’t understand this one. The reason many (most) sites require you to confirm your password is to ensure you typed it correctly when creating your password, otherwise a typo would prevent you from logging back in correctly later. We’ve all “fat fingered” a password before. That simple confirmation step prevents it on creation. How does entering my password twice when logging in provide any additional security? If the password is compromised, the extra field does nothing.

I presume the reason is to make Quicken look/feel more secure than it really is.

I should note that I like Quicken. I like it enough that even though the native Mac version is so disappointing on paper that I never purchased it, I did purchase the Windows version and continue to use it there. I think that demonstrates my not hating Quicken. It does, however, have its quirks that just make me wonder what they were thinking.

When The Laptop Watches You

Virtually everyone in the United States has now heard of the case in the Lower Merion School District, where administrators allegedly took thousands of pictures of students at home. They did this using school-issued laptops that were equipped with a camera and software that could remotely access it. Kids often leave the laptops in their bedrooms, and the rest is pretty self-explanatory.

The software LANrev (now renamed Absolute® Manage) intends for the feature to be used by administrators for the purposes of theft recovery. That obviously leaves an avenue for abuse.

If you or someone you know has a laptop with a camera that is managed by a third party, always assume they could have control of that device. A simple piece of opaque tape (I’d suggest electrical tape) over the camera will prevent any abuse of the camera. You can put a small piece of paper between the camera glass and tape to help avoid damage and clean it when you remove the tape before returning it. Harmless fix. Someone could in theory still listen using the microphone and view what’s on the screen at any given moment, but that’s a much smaller invasion of privacy than someone watching you get undressed in your own home. Use the computer only for school work if possible, and the rest isn’t much of an issue.

Someone did some digging into the software and its implementation at this particular school district, and quite frankly it’s a bit disturbing.

In a September 2009 post that may come to haunt this investigation, Perbix posted a scripting method for remote enable/disable of the iSight camera in the laptops. This post makes a lot more sense when Perbix puts it in context on an admin newsgroup, in a post which makes it clear that his script allows for the camera to appear shut down to user applications such as Photo Booth but still function via remote administration:

“what this does is prevent internal use of the iSight, but some utilities might still work (for instance an external application using it for Theft tracking”

This type of stuff should have set off some alarms. Good security doesn’t rely on obscurity or deceit.

The laptops have a light next to the camera that illuminates when the camera is activated; however, according to the link above, the IT folks are alleged to have claimed that the light coming on was a glitch.

That said, school districts shouldn’t use laptops with cameras and microphones. Manufacturers should give those bulk purchasers the ability to have no camera installed. Alternatively they should be physically removed from the chassis by IT staff before being distributed to students. Disabling via software or policy isn’t going to stop this problem as long as the same people who control the laptops are the ones most likely to abuse it.

This is an interesting mix of hardware, software and policy security implications. The hardware worked correctly (it warned the user) but shouldn’t have existed. The software was abused and the policy was flawed. Lots of things can be learned here.

Fourth Amendment In The Cloud

The Fourth Amendment in the United States Constitution reads:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

James Madison slipped up and failed to account for advancements in technology like computers and the Internet. Are digital files considered “papers and effects”? Is law enforcement copying files considered “searches and seizures”? If your files live on a server is that considered your “house”? Of course back in his day, this wasn’t even comprehensible. The amendment is a bit dated.

The Electronic Communications Privacy Act (ECPA) was an effort in 1986 to clarify how such laws applied to electronic communications. It too is somewhat outdated and heavily focused on the transfer rather than the storage aspect, something the modern SaaS model has completely disrupted. It’s also been weakened and contradicted by court rulings and things like the Patriot Act.

This creates enough of a legal quagmire to lead a seemingly bizarre list of companies and organizations to form the Digital Due Process Coalition to revise and clarify these laws. For companies like Google and Microsoft it makes sense. Their business relies on making companies and individuals feel comfortable trusting them with personal data. They are also increasingly stuck in odd positions thanks to contradictory and untested laws.

The outcome of this will possibly be as long-lasting and as iconic as the Fourth Amendment itself. Given that our culture, information, and way of life are becoming increasingly digital, it will impact a large part of how we function and will function in years to come. For anyone working in IT, this will impact the way you do business.

Plugin Check

Mozilla’s Plugin Check just launched. Considering 30% of Firefox crashes are plugin related, and they are often the source of security issues, it’s worth making sure you’re up to date.

It’s pretty simple to use. Just visit the page, and update the plugins that need to be updated. At the end of the day you want to see a string of green like this:

Plugin Check

An easy step for a faster, more stable, and most importantly more secure web browsing experience.

Google Chrome OS

The big news over the past 24 hours is the announcement of Google Chrome OS. Effectively, Google Chrome OS is a stripped-down Linux kernel with just enough to boot Chrome/WebKit as its main UI. The exact UI paradigm hasn’t been revealed as of yet. Google claims:

Speed, simplicity and security are the key aspects of Google Chrome OS. We’re designing the OS to be fast and lightweight, to start-up and get you onto the web in a few seconds. The user interface is minimal to stay out of your way, and most of the user experience takes place on the web. And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don’t have to deal with viruses, malware and security updates. It should just work.

It’s an interesting and somewhat bold statement.


How To Be More Secure With Your Data & Identity

It’s amazing how on a daily basis there’s a story about someone’s identity or data being stolen, personal info being misused, or just getting screwed via the Internet. Most of the time it’s due to a complete lack of standards regarding how people treat their digital property and identity. It’s the electronic equivalent of leaving your home and not locking the door. Anyone can come in and take what they want.

Elvis Takes Off

The other day I mentioned that it’s possible to clone an RFID passport, a massive security risk that the government seemingly doesn’t care too much about. It’s no longer really a proof of concept. Elvis now has an accepted RFID passport. That’s right. Mr. dead in 1977 Elvis Aaron Presley. The hack was done in Amsterdam, but you can bet it will be done elsewhere as time progresses.

First CVE

I just found out the other day that I found my first bug worthy of being a CVE (Common Vulnerabilities and Exposures) candidate: CVE-2008-3747. Low profile, but I guess still a potential vulnerability.

I must admit I didn’t know that the database is funded by the National Cyber Security Division of the United States Department of Homeland Security. I did know US-CERT was.