

Getting a little tired of 'security researcher' bluster - jgrahamc
http://blog.jgc.org/2011/11/getting-little-tired-of-security.html

======
freddealmeida
So from what I gather, John is upset because the 'researcher' doesn't show
specific network information, only that CIQ is capturing and logging
information about EVERYTHING on the phone? The most striking is it is breaking
even the HTTPS handshake and that doesn't bother him?

CIQ is up to something sinister. Period.

To think that the work is flawed because you don't have a network analysis
requires you to ignore that a system you have no control over has access to
everything you do, say, type, search, anything on your phone. without your
explicit permission.

CIQ and every manufacturer that uses the system to root your phone is breaking
countless laws in the EU, the US, and in Asia. It's nefarious and needs to be
addressed.

~~~
sharkbot
To be fair, there is no evidence that CIQ is "breaking the HTTPS handshake".
The article I read implied that the software had access to keystrokes, which
could be used to infer data that would be encrypted on the wire, not that it
was breaking HTTPS.

It's possible that CIQ is getting keystroke information, but only storing
metadata (character counts, number of corrections, etc). But, without more
evidence, it's best to be wary. I think John raises a valid point; crack open
a debugger, disassemble the .dex, start a network sniffer. Find out what is
happening, don't just assume.

Edit: fixed minor typo.

~~~
jgrahamc
And my reward for making a valid point is to be downvoted and have my
submission flagged. It is really tiresome that people on Hacker News would
rather continue in a circle jerk fashion with a narrative that excites them
rather than using their heads to examine what's really happening.

And if it does turn out that my keystrokes are being sent to some third-party
company in the US then I'll be the first to sign up for the class action
lawsuit.

~~~
mukyu
Your blog post is basically content-free and makes more sense as the comment
you already made on a submitted story.

I actually upvoted your other post on the story as it was too grey for my
taste (making an honest attempt at on-topic discussion), but downvoted the
comment I'm reply to as it is strictly noise.

