Ars tests Internet surveillance by spying on an NPR reporter - wglb
http://arstechnica.com/security/2014/06/what-the-nsa-or-anyone-can-learn-about-you-from-internet-traffic/?

======
Smerity
I really appreciated this story. It's so hard to make people care about
"small" data leaks when they have no idea what many "small" data leaks can
lead to. The bug the journalists discovered that revealed Skype's contact list
is the perfect example -- the programmer just did something completely
"reasonable" (grabbing avatars) that ended up leaking a vital set of
information. Imagine if surveillance was your full time job and you did more
than just grab the low hanging fruit.

I was also quite surprised by Google's HTTP Maps flaw in HTTPS search. I'd
have previously imagined this would be a standard security pentest that Google
products would need to go through. Given how pervasive and important Google is
to the digital ecosystem, even small flaws can have a profound impact.

I'll again state that this is why I feel so strongly that Google Analytics
should be updated to be HTTPS by default[1]. If you hit a non-HTTP site,
you're leaking all the information you would send to Google Analytics to
anyone that's listening -- it goes across the wire unencrypted. Considering
Google Analytics is on 60+% of the top 100,000 domains, this is a lot of
information leakage. Referrers, time on page, browser details, operating
system details, everything that Google shows a webmaster in Google Analytics
also ends up in the hands of the passive observer.

[1]:
[http://smerity.com/articles/2013/google_analytics_and_nsa.ht...](http://smerity.com/articles/2013/google_analytics_and_nsa.html)

~~~
panarky
This was a wake-up call for me. On my desktop browser, I can use SSL,
NoScript, etc. to control what's exposed.

But on my phone I'm powerless. How do I know what each app is capturing and
transmitting in the clear? If even Google searches don't use SSL, what hope is
there for other apps?

~~~
benologist
In your mobile browser at least Firefox Nightly supports extensions - I have
adblock, ghostery, etc. Aside from the privacy benefits it also makes a
significant performance difference on my kindle.

[https://nightly.mozilla.org/](https://nightly.mozilla.org/)

~~~
yaantc
You can use the stable version too; at least ABP, Ghostery and Self
Destructing Cookies work fine on it.

------
helper
Looks like the "Pwnie Express PwnPlug R2"[1] is just a Mirabox[2] with an
extra wireless card in the Mini PCIe slot and an external antenna. The PwnPlug
R2 sells for $1095; the Mirabox sells for $150.

[1]: [https://www.pwnieexpress.com/penetration-testing-vulnerabili...](https://www.pwnieexpress.com/penetration-testing-vulnerability-assessment-products/sensors/pwn-plug-r2/)

[2]: [https://www.globalscaletechnologies.com/p-58-mirabox-develop...](https://www.globalscaletechnologies.com/p-58-mirabox-development-kit.aspx)

~~~
ufmace
I only skimmed the description of it; presumably the cost is more about being
pre-loaded with a good software package for pen testing as opposed to having
to set it all up yourself. Could be a pretty decent expense, even for a bigger
pentest shop that has the resources to make a standard process for building
and setting up stuff like that.

~~~
helper
Right, you are paying an extra $945 for them to install a wifi card/antenna
and preload a bunch of open source software on it. I'm sure that for some
people it is totally worth it, and others would rather do it themselves.

I mostly pointed it out because I've used the Mirabox for a bunch of projects
and recognized it in the picture. It's a great little ARM box with 2 gigabit
ethernet ports (hard to find on a dev board) and 2 USB 3.0 ports.

~~~
voltagex_
Have you ever used the Dreamplug? I'm still hanging onto mine but it sounds
like the Mirabox might be a suitable upgrade. How's the kernel support? How's
uBoot? (On the Dreamplug, you have to upgrade uBoot via JTAG once you get past
a certain kernel version)

~~~
helper
Yes, I have used the Dreamplug; the Mirabox is a logical upgrade from that. The
Mirabox uses a Marvell Armada 370 SoC. When I first got my Mirabox the kernel
support wasn't great. But Marvell has been contracting with an embedded Linux
contracting firm, Free Electrons, to get everything into the mainline. Free
Electrons has done a great job and now you can run a stock kernel fairly
easily.

The Mirabox comes with the Marvell fork of uBoot which is unfortunately quite
old. It doesn't have support for device-tree, for example. I'm not aware of a
newer working version from either Marvell or Globalscale. There was some
initial work to get Barebox working on the Mirabox, but it is very feature
limited.

On the plus side, you don't need a JTAG console to reflash the bootloader.
Lots of Marvell SoCs support booting over a UART connection using an Xmodem
protocol[1][2]. So you can reflash/unbrick your Mirabox using just the USB
serial port. (I think that the Dreamplug also supports this protocol, but I
have never tried to use it on one.)

[1]:
[http://git.pengutronix.de/?p=barebox.git;a=commit;h=0535713b...](http://git.pengutronix.de/?p=barebox.git;a=commit;h=0535713bbfa059c1bc20da24d33bb183c4f555dc)

[2]:
[http://git.pengutronix.de/?p=barebox.git;a=commit;h=6bb3a08c...](http://git.pengutronix.de/?p=barebox.git;a=commit;h=6bb3a08cd3864f3ee1b9f4becf26b55ac9c0a524)

~~~
voltagex_
>The Mirabox comes with the Marvell fork of uBoot which is unfortunately quite
old. It doesn't have support for device-tree, for example. I'm not aware of a
newer working version from either Marvell or Globalscale. There was some
initial work to get Barebox working on the Mirabox, but it is very feature
limited.

This was the situation with the Dreamplug before it got mainline uBoot
support. Is there any hope for the Mirabox?

------
adamfeldman
Scary that Google Maps wasn't encrypting significant amounts of its traffic
(at least for the reporter in this article, since I know Maps has HTTPS
support). Location data can be the most revealing of all.

~~~
schoen
One of the nicest things about this article is seeing that the Ars reporter
(Sean Gallagher) reported at least _three_ information leakage bugs upstream,
and the responsible parties have addressed them. How many news organizations
can claim to have gotten security flaws fixed so directly?

~~~
adamfeldman
Ah, I was interrupted as I read the article and that info was a couple
paragraphs later.

That is awesome! Hopefully it also nudges Google to audit their properties for
similar leakages to plug... and everyone else for that matter.

------
ojilles
At this point, should we not just drop non-SSL traffic on the web completely?

~~~
lsh123
Even SSL traffic leaks information about websites you are visiting, how much
data you download (e.g. for email), how much time you spend, when you do
it, etc. More importantly, it doesn't protect you from the website (and any
owner of any 3rd party plugin/widget/js/css/img on the website) collecting
data about your online behavior based on your browser signature or simple
cookies.

------
exelius
None of this is shocking except for maybe how unavoidable sharing all this
information online actually is. The default settings on most devices are not
designed with privacy in mind. In order to avoid this type of data collection,
you'd have to walk around with a dumbphone, avoid using any bank-connected
services and basically only log on to the Internet via a VPN. Ironically, this
usage pattern is so far out of the ordinary that it would make you stick out
like a sore thumb.

In the decade between this type of data collection becoming possible and the
mass populace becoming concerned about it, I fear we've passed a threshold we
can't un-cross. This type of technology is so intertwined in our daily lives
that avoiding it isn't a realistic option.

Things like Apple using random MAC addresses to scan for Wi-Fi APs are a
start; but too many devices (Android included) use default settings that are
far from secure. But it's up to the companies that make usable, mass-market
devices to ratchet up the security, and I fear that they have little incentive
to do so when their own ambitions include the same type of data collection.

~~~
sroerick
> In order to avoid this type of data collection, you'd have to walk around
> with a dumbphone, avoid using any bank-connected services and basically only
> log on to the Internet via a VPN. Ironically, this usage pattern is so far
> out of the ordinary that it would make you stick out like a sore thumb.

Have you considered trying this, or some implementation of it?

I, for one, would like to see websites that didn't install any tracking
software. Specifically, I mean no Google metrics. If there was a news website
that didn't install any tracking software, but instead just offered pages with
cryptocurrency addresses, I would switch to that as my default news source in
a second.

~~~
rev_bird
Google metrics aren't always used for spying on people -- news sites in
particular drool over every possible metric to measure popularity, referrals,
etc. to better tailor their online marketing (and sometimes story selection).
It sounds weird, but I'm not sure a website without tracking would be as good.

~~~
sroerick
No, I don't think it would be. For a company to announce that they were
forgoing tracking would be a brave step. I understand that analytics is a
really really useful thing for a company.

But, as a corollary, what if Google Analytics alters the content in a way that
makes it less useful? The obvious example here is clickbait articles (see
Clickhole), but I think there are other, more subtle problems here. Isn't the job
of a reporter to report what _they_ think is news, rather than what people
want to read?

Beyond that, I am troubled by the spying on people. It occurs to me that even
if I remove Google Analytics from my website, anyone coming to or going from
my website will be subject to monitoring by Google. It's not exactly opt out.

Microtransactions are hard, though; that problem still hasn't been solved.

------
TeMPOraL
I wonder how much sensitive data from governments and companies leaks this
way. It doesn't sound unrealistic for an attacker (a spy, a competitor, an
inside trader) to pick a coffee shop frequented by low-level government
officials and set up a fake Wi-Fi access point. I doubt people doing mundane
administrative tasks are security-conscious enough not to leak important data
this way.

------
lsh123
Realistically, it is _really_ hard to protect your privacy online unless you
decide to stop using 3rd party services like email, calendar, file sharing,
social networks, etc. All these services collect enormous amounts of
information about everyone. The internet protocols (TCP/IP, HTTP) have not
been designed with privacy in mind and the only way to ensure real privacy for
internet users is to start from scratch and rethink the whole stack.
Unfortunately, it is not going to happen, thus users pretty much have a
tradeoff: either to accept privacy violations from various parties or to
(significantly) limit the use of internet services.

------
jessaustin
_We contacted both AT&T and Apple for comment; Apple pointed us to AT&T, but
AT&T didn't respond._

I'm shocked.

------
coffeecheque
How far would an always-on VPN go to solving parts of these problems? At least
it'd be encrypted to the VPN data centre.

I suppose from there it'd be in the clear, but at least it'd stop snooping at
an ISP level. Or am I missing something, and would it be useless?

~~~
lsh123
A VPN is a tunnel. Your computer is on one end and there will be another
computer on the other end. The ISP or cloud provider on the other end will be
able to spy on you even if you use a VPN. And of course the website you are
visiting has all the information in any case.

~~~
yen223
Yeah. What happens is that you are giving one more party - the VPN provider -
access to your data.

------
Bassetts
Are there any guides on how to get started on penetration testing yourself?
I'd quite like to run this experiment on myself and see just how much
information I actually leak online.