Wednesday, March 04, 2015

No, your iPhone/Android thing is not secure.

And it's not secure because = government.

Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker "export-grade" products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook "Like" button.

The problem illuminates the danger of unintended security consequences at a time when top U.S. officials, frustrated by increasingly strong forms of encryption on smartphones, have called for technology companies to provide "doors" into systems to protect the ability of law enforcement and intelligence agencies to conduct surveillance.

Yes, simply recording every packet on the internet is not enough. Big Kahunas in the US government want a backdoor into your smart-phone and desktop PC. Like, a hardware one.

I think what some of these guys would really like is all citizens living in work camp dormitories with cameras in every room, two in the bathroom. Because they need to be SURE you're not a terrorist, see?

The Phantom

4 comments:

Occam said...

Big Brother has been the intended "super user" in consumer software and O/S since windoze 4.

All were built with an undefined administrator port access - my sources tell me it was demanded by those who hold the business licences of the development firms.

Big Gov dot com wants to know the number of skid marks in your grundies and how much you grunt when you kak - it's what they do, they're psycho, and the sooner we all realize it and act accordingly the better.

They put you under life long claim and surveillance from cradle to grave - like cattle - Gummint is NOT your friend.

The Phantom said...

I don't know about the undefined port thing, that sounds a little bit sketchy to me.

BUT, I do know there's about a zillion hacks that can let a determined guy get root on my consumer-grade PC, plus there's probably hardware issues that we just don't know about yet.

I assume that anything that goes on my computer will be known to the Authorities if they really, really, REALLY want to know it. As in, they want to know bad enough to send some guy around to my house. That's always an option, know what I mean?

Just don't be a dick in life, and most likely it'll all be good. If not, it's going to take more than good encryption to save your ass.

Occam said...

“I don't know about the undefined port thing, that sounds a little bit sketchy to me.”

I can only speak for the programmable firmware on subscriber/consumer mobile phones for the last 4 gens. Back in the day when I worked for a major mobile phone mfg. concern, I was responsible for final hardware config. – I was concerned that the ASIC system controller always had 1 or 2 extra com ports. I asked software eng. why the redundance – I was told that the ports are for a “super user” (i.e. someone other than the owner/consumer, who can make changes to the phone remotely with a special key kernel sent over the handshake signal) – so the potential to hijack a phone was proprietary from day 1.

The excuse I got was that this was for “special features” in future revisions – to update the OS, or patch a firmware glitch, or as a safety thing where network admin could find a “lost phone” and/or person – or they could erase the operating system or turn off on a stolen phone. I said it was a non feature that was going to cost us on the cell site end to guard that open admin port access from being toggled by bad guys – the reply was don’t concern yourself, the government requires it if we were going to sell into the US market. I never saw these “special safety features” come about so I let it rest.

Now that phones have been fully integrated with a PC that super user port can be used to gather a shit load of personal data stored on or sent by the phone – it can be used to turn off individual or all phones in select locations – recent revelations show it is not the network owners snooping your data to sell to marketers, it’s big brother – so all cell phone com/info/signal flow is collectable/controllable by a self-appointed 3rd party admin.

OK so that may not set your security/privacy alarm off – so they spy on you, so what. As you say, “Just don't be a dick in life, and most likely it'll all be good.” – Well the people flooded out in High River were not “dicks”, did that buy them a pass from being gooned and robbed by Big Brother’s cowboys? How about those gooned by the IRS for their “politics”? Government is no longer just nosey Phantom – it’s malicious and it’s paranoid of us – that makes it dangerous, and the less a dangerous sociopath this big knows about me the better. Use every device regulated by the FCC as if you were on a party line to spook central.

The Phantom said...

Occam, see the post today on StingRay, I think this may be the name of the thing that uses those ports you mention.

I asked around a little, it seems your report on open phone ports is quite credible. Amazingly unsubtle, too. I found it hard to believe they'd be so obvious, I guess they're just that arrogant eh?

It also seems that local police departments have access to this stuff now, not just super spy federal US agencies.

I also agree with you that anything we say or do online or within range of a phone is potentially recorded. The details of who is doing that and exactly how are slowly emerging. Not a pretty picture.

Good behavior is of course its own reward as they say, so living a moral life is at present a sufficient defense and not particularly burdensome. At present being the operative part I think, given the likes of AlGore who wants to make breathing a Federal offence. CO2, you know.