> an eSurv employee explained in a resume publicly available through his LinkedIn page that as part of his job at the company, he developed “an ‘agent’ application to gather data from Android devices and send it to a C&C server”
Not just "shady" jobs! Any company including the large tier one's doing "big data" are harvesting data by various questionable means for questionable purposes.
After working temporarily in big data at a large unnamed telco who has a monopoly my home internet is locked down, vpn'd, dns going out over vpn + over tls and the ISP provided modem straight in the bin as it's untrusted where ISP's can push updates when they want with what they want. One prototype may be performing a network scan for unknown to the telco mobile phones who are on a different provider so they can up sell mobile+bradband packages!
Likewise your insurance company offering health monitoring devices for free discounts or car tracking devices to reduce premiums is not for your benefit! The only benefit is to a) Figure out a way not to pay out or increase a premium, b) re-sell the data to other 3rd party companies for further $$$.
Big data is the most soul destroying, meaningless job i've worked in, often going own questioning the meaning of life!
“It is legal to manufacture firearms, it’s what people do with them that matters.”
“It is legal to promote the use of firearms, it’s what people do with them that matters.”
“It is legal to use political donations to influence firearm control policy, it’s what people do with firearms that matters.”
And just like that, you're the NRA. All perfectly legal, it’s what you think of yourself that matters. Some people don’t care, others think it’s their patriotic duty, and yet others think it’s a stain on humanity.
Way to go, you just brought in a whole different topic to the discussion at hand.
It would be morally dubious to use such software, but we are hackers. We talk about how we create and modify; like code-craftsmen of yore. We could start another one on ethics; I would probably side with your arguments then.
And just as with NRA, you have to acknowledge the fact that people with the opposite opinion don't hold it because they're just stupid, or immoral, or comically evil – they just have different ideas about what's important for the society, and have a lot of very good arguments on their side.
Do you draw any line in relativism, or is it a holy value everybody should share?
And what if I don't acknowledge it? My reason not to acknowledge it is as valid as your reason to acknowledge it by that standard.
So really, nobody has to acknowledge or respect anything as long as there is some reason for it. And there are plenty of reasons not to share your opinion here.
Let me put it this way: in any modern political debate, on any side you could be on, do you think that your side is OBVIOUSLY right, and the other side doesn't have a SINGLE argument that just moves you to stop, and think, and doubt your position?
Yup, you need to word it the right way! It's not device-generated data, it's "telemetry". And why call it a C&C server when you can sell it as a "centralized device management solution"?
This could be an R&D Proof-Of-Concept, and not necessarily a bad intented software. The fact that the employee publicized it shows that they are transparent about it, so I see no wrong doing here.
Man, I yearn for a return to computers we could trust - or at least, had the tools onboard to establish, easily, whether that trust was warranted or not - i.e. compiler, dev tools, open access, and so on.
The more I think about where we've arrived after the last 20 years the more I realise the OS vendors betrayed us.
We got fat on the sugarcandy of framework-obsession - they got rich on the meat of our data.
If only there were OS vendors out there who wanted to really innovate again and bring the power back to the users...
There is no direct profit in Operating Systems now. I blame it squarely on MS for it's corporate practices; and the rise of linux, which negated any motivation to build other oses for profit like in BeOS and Amiga days.
You just have to do what you always had to do. Check the reputation of whoever made the apps you install.
Blindly downloading things from the appstore isn't quite as bad as downloading blindly from the internet, but it's not great either.
Oh and permissions. Sure they help a bit, but everything asks for everything and their are ways to infer data you didn't ask for so it's not a complete solution.
We could also use the web of trust. An app already downloaded by people you trust is maybe-probably more secure.
Google Play Store could allow third party audit badges on the apps store page, so different agencies could give an official rating or an approbation level for the app. Basically a "verified" badge ala FB and Twitter, but more organizations than just the app-store owner could give their checks.
You would have "Google-approved" badge, "Open-source-approved" badge, "Mozilla-approved" badge, and even "Government-approved" badge.
Then you let the user makes his/her own decision based on what entities or friends he/she trusts.
There definitely are vendors out there who want to really innovate in the OS field. Huawei for example is working on next-gen microkernel leveraging hardware-software co-design [1]. That's not about to bring the power back to the users mainly due the fact it doesn't seems to be particularly profitable.
It's not about about the computers, but about pervasive network connectivity.
IMHO assuming the trustable computing problem is never actually solved, a few decades from now we'll see unfettered network connectivity as a security problem, and firewalls will be based around type systems over PDUs.
It's hyperbolic but Google has moved many basically-required system services into the Play Store, and they randomly push updates to them. A little while ago they pushed a broken Play Services update out to everyone on a friday night and it rendered a bunch of phones basically unusable. The only way to opt out of these consent-free updates is to disable all app updates, and then some things won't work. There's no way to uninstall those services.
Not hard to use that same update pathway to put a back door or snooping stuff into an update. (I find it unlikely they would, of course)
Here the apps were "fake" random ones that users had to download from Google Play.
But... the Official Carrier Apps (those signed with a key stored in the SIM card [0]) are also definitely being used to push government malware.
There's an official price list set by the government for "services towards authority" in the same country this eSurv is based in. [1]
That list includes mandatory things carriers must do when asked (hopefully with a valid court order, but not always...), such as auto-installing backdoored apps via provisioning text messages (handled by the Carrier App); or increasing the data bundle allowance in order to avoid that a data-hungry malware could be detected by the user...
Always try to avoid unnecessary apps; the Carrier App can usually be avoided by using the carriers mobile website in the phone browser, or by using USSD/SMS codes to get line info such as bundle counters, prepaid credit amount, and so on.
Unfortunately sometimes a ROM change is needed; some phones in some conditions (eg. official ROM with carrier branding) will have the Official Carrier App pre-installed as system app...
Sometimes in other official ROMs (even unbranded ones) there's a pre-loaded "Carrier Updater" that will auto-install the Official Carrier App for the inserted SIM card (again, as system app)...
34 comments
[ 1.4 ms ] story [ 80.0 ms ] threadYikes. Not something I’d want on my resume…
After working temporarily in big data at a large unnamed telco who has a monopoly my home internet is locked down, vpn'd, dns going out over vpn + over tls and the ISP provided modem straight in the bin as it's untrusted where ISP's can push updates when they want with what they want. One prototype may be performing a network scan for unknown to the telco mobile phones who are on a different provider so they can up sell mobile+bradband packages!
Likewise your insurance company offering health monitoring devices for free discounts or car tracking devices to reduce premiums is not for your benefit! The only benefit is to a) Figure out a way not to pay out or increase a premium, b) re-sell the data to other 3rd party companies for further $$$.
Big data is the most soul destroying, meaningless job i've worked in, often going own questioning the meaning of life!
“It is legal to promote the use of firearms, it’s what people do with them that matters.”
“It is legal to use political donations to influence firearm control policy, it’s what people do with firearms that matters.”
And just like that, you're the NRA. All perfectly legal, it’s what you think of yourself that matters. Some people don’t care, others think it’s their patriotic duty, and yet others think it’s a stain on humanity.
It would be morally dubious to use such software, but we are hackers. We talk about how we create and modify; like code-craftsmen of yore. We could start another one on ethics; I would probably side with your arguments then.
And what if I don't acknowledge it? My reason not to acknowledge it is as valid as your reason to acknowledge it by that standard.
So really, nobody has to acknowledge or respect anything as long as there is some reason for it. And there are plenty of reasons not to share your opinion here.
https://www.computerworld.com/article/2989037/iphone-malware...
https://motherboard.vice.com/en_us/article/qvakb3/inside-nso...
The more I think about where we've arrived after the last 20 years the more I realise the OS vendors betrayed us.
We got fat on the sugarcandy of framework-obsession - they got rich on the meat of our data.
If only there were OS vendors out there who wanted to really innovate again and bring the power back to the users...
Blindly downloading things from the appstore isn't quite as bad as downloading blindly from the internet, but it's not great either.
Oh and permissions. Sure they help a bit, but everything asks for everything and their are ways to infer data you didn't ask for so it's not a complete solution.
Google Play Store could allow third party audit badges on the apps store page, so different agencies could give an official rating or an approbation level for the app. Basically a "verified" badge ala FB and Twitter, but more organizations than just the app-store owner could give their checks.
You would have "Google-approved" badge, "Open-source-approved" badge, "Mozilla-approved" badge, and even "Government-approved" badge.
Then you let the user makes his/her own decision based on what entities or friends he/she trusts.
[1] https://fosdem.org/2019/schedule/event/hardware_software_co_...
IMHO assuming the trustable computing problem is never actually solved, a few decades from now we'll see unfettered network connectivity as a security problem, and firewalls will be based around type systems over PDUs.
Not hard to use that same update pathway to put a back door or snooping stuff into an update. (I find it unlikely they would, of course)
https://twitter.com/CianMW/status/1111345551969304576
But... the Official Carrier Apps (those signed with a key stored in the SIM card [0]) are also definitely being used to push government malware.
There's an official price list set by the government for "services towards authority" in the same country this eSurv is based in. [1]
That list includes mandatory things carriers must do when asked (hopefully with a valid court order, but not always...), such as auto-installing backdoored apps via provisioning text messages (handled by the Carrier App); or increasing the data bundle allowance in order to avoid that a data-hungry malware could be detected by the user...
Always try to avoid unnecessary apps; the Carrier App can usually be avoided by using the carriers mobile website in the phone browser, or by using USSD/SMS codes to get line info such as bundle counters, prepaid credit amount, and so on.
Unfortunately sometimes a ROM change is needed; some phones in some conditions (eg. official ROM with carrier branding) will have the Official Carrier App pre-installed as system app...
Sometimes in other official ROMs (even unbranded ones) there's a pre-loaded "Carrier Updater" that will auto-install the Official Carrier App for the inserted SIM card (again, as system app)...
[0] https://source.android.com/devices/tech/config/uicc
[1] https://motherboard.vice.com/it/article/9k89j3/ecco-il-listi...