The findings of a Connecticut-based systems administrator have sparked alarm in millions of smartphone users, after security researcher Trevor Eckhart published a video showing how a cellphone software company has the ability to log users’ Web searches and keystrokes.

The technology, made by Carrier IQ, is currently deployed on more than 150 million devices worldwide.

Research In Motion and HTC — the maker of the phone targeted in the security demo — have issued statements denying that Carrier IQ is preinstalled on their devices. Meanwhile, U.S. Sen. Al Franken (D-Minn.) has sent a letter to Carrier IQ seeking more information on what the software does.

Carrier IQ has told AllThingsD that while its software has the ability to receive a tremendous amount of information, some of which could be relayed to a carrier for diagnostics purposes, the company doesn’t log keystrokes and the software is not being used to gather intelligence about the phone’s user.

But while we wait for more answers, what’s a smartphone user to do?

Google Android Phones: If you’re wondering whether your Google Android phone might have Carrier IQ installed on it, Eckhart, the researcher behind all of this, points people to a Logging Test app that he claims can be used to verify “what logging is being done on your phone and where the data is going to.” If successfully installed — which we hear may take some finagling, including emailing the app link to yourself to access it, and “rooting” your phone first — the $1 app is meant to detect Carrier IQ and remove it.

According to his blog post, Eckhart has tested this app on the HTC Evo 3D phone; he believes it works on the Sprint Evo 4G and HTC Thunderbolt, as well.

But since the Google Android operating system runs on devices from multiple manufacturers, it is not known at this point which models could be running Carrier IQ and which ones are not.

It should be noted that some manufacturers have denied responsibility for the app; HTC, for example, has put the blame on wireless carriers, and basically advises HTC phone owners to contact their carriers. The company did add it was looking into an option for allowing its customers to opt out of the Carrier IQ application, but no further details were given beyond that.

Sprint has not yet responded to my inquiry as to whether the wireless company was actively involved in the installation of Carrier IQ, or how users might disable such applications on Sprint. AT&T said it uses Carrier IQ solely to improve its network performance; Verizon claims not to use it at all, although my colleague John Paczkowski reports that may not be the case.

RIM BlackBerrys: While RIM hasn’t explicitly pointed to wireless carriers as HTC did, the BlackBerry maker also denies any involvement with Carrier IQ, stating “RIM does not pre-install the CarrierIQ app on BlackBerry smartphones or authorize its carrier partners to install the CarrierIQ app before sales or distribution.”

However, the next part of RIM’s statement on the BlackBerry developers forum indicates that it’s possible Carrier IQ could live on a BlackBerry device.

According to BlackBerry Development Advisor Mark Sohm: “If the Carrier IQ application is present on a BlackBerry smartphone, it does not mean that the Carrier IQ application has ‘hacked’ the BlackBerry platform. It means that either the BlackBerry smartphone user or the user’s BlackBerry Enterprise Server admin explicitly installed the application and authorized it to run.”

In other words, if it’s on your phone, you may have granted it access in some way, shape, form or click of your Qwerty keypad.

Apple iPhones: Apple has issued a statement to AllThingsD declaring that the company stopped supporting Carrier IQ with iOS 5, its latest version of mobile software, and plans to remove it from future mobile software updates, too.

But what if you’re running an earlier version of iOS on your iPhone and are worried about where your data is going? Apparently, you can opt out of having your usage data submitted for diagnostics. To do that, go to to Settings → General → About → Diagnostics & Usage. Select “Don’t Send.”

More info to come as I get it.

Related Posts on Carrier IQ:

• Exclusive Interview: Carrier IQ Gets Transparent About Its Mobile Monitoring
• Carrier IQ: How to Hack Back Your Phone
  
• Carrier IQ Speaks: Our Software Monitors Service Messages, Ignores Other Data
• Apple: We Stopped Supporting Carrier IQ With iOS 5
• RIM, HTC, Google on Carrier IQ: Blame the Carriers
• Carrier IQ Improves My Wireless Service by Logging My Keystrokes? Please Explain.

Full Carrier IQ Coverage »

Yahoo spokeswoman Dana Lengkeek just emailed a statement saying that some Yahoo users were required to reset their passwords. “As part of our ongoing security measures we issued a password reset to some users. Yahoo! does this periodically to ensure the security of users.” She didn’t specify whether or not this was in direct response to the Gawker incident, but it’s not hard to conclude that it was, given the timing. I’ll update if Yahoo says anything further.

I have a Yahoo account and was required to change my password today, and yes, I also had a Gawker commenting account, so at this point it’s safe to say they certainly seem connected.

Meanwhile, Blizzard Entertainment (developer of World of Warcraft and provider of the Battle.net gaming service) was abundantly clear about the connection in an email to its customers. “We’ve recently been informed that several Gawker Media websites have been compromised…To help minimize the effects of this compromise and help keep your Battle.net account safe and secure, we’ve reset your account password,” it said.

Other Web incidents–perhaps connected to Gawkergate, perhaps not–have occurred during the past few days as well. For instance, McDonald’s disclosed that a database containing email address and birthdates of people who had signed up to receive promotions was compromised. It notified those customers on Monday. Again, it’s not clear what connection, if any, there may be to the Gawker incident, but the timing certainly makes it seem possible. I’ve asked McDonald’s for a comment and will update if I get one.

In another incident, drugstore chain Walgreens disclosed on Friday that a database of email address belonging to its customers had been breached. Given the timing–the Gawker incident happened over the weekend–it’s probably not connected, though it’s hard to be sure, as the folks at Anonymous Gnosis, the group that attacked the Gawker sites, say they’ve had access to the database for about a month. I’ve asked a Walgreens spokesman for a comment, and as with all the other cases above will update if I hear back.

This comes on top of other related forced password changes at Twitter and LinkedIn, as my colleague Peter Kafka reported earlier today.

Meanwhile, our friends at Digits have a fascinating graphic on the Top 50 passwords used on Gawker. Topping the list: “123456,” “password” and “12345678.” The two lessons in all this? Make your passwords complex, and don’t use the same password for multiple sites.

On Sunday night, hackers posted online a trove of data from Gawker Media’s servers, including the usernames, email addresses and passwords of more than one million registered users. The passwords were originally encrypted, but 188,279 of them were decoded and made public as part of the hack. Using that dataset, we found the 50 most-popular Gawker Media passwords.

How do Gawker Media users express themselves when no one is watching? While many of their passwords are common phrases like “qwerty,” others appear distinctive to the Gawker community. Where else would “f—you,” “blahblah” and “whatever” rank among the most popular passwords? And why, oh why, is “monkey” in the top 10?

Read the rest of this post on the original site

Denton being Denton, he made his mea culpa in a relatively obscure corner of his blog network–an open comments thread with Gawker readers. And if you had a bit too much of the wrong kind of skepticism, you might think that this photo Denton posted to the thread was a bit cavalier:

But nope, says Denton. That’s real contrition: “Okay, here you go. That’s me on the left and Tom Plunkett, our CTO, on the right. We’re looking appropriately glum. It didn’t take any acting.” (Also worth noting that Denton was responding directly to a reader request for “a photo of yourself wearing a dunce cap or something of that nature. With a big ‘I’m sorry’ sign.”)

In more important news: Denton’s sites, which stopped posting yesterday afternoon as a result of the attack, are now back up again. And if you’ve ever left a comment on one of the sites, you should go there and change your password, then do the same at any other site where you’ve used the same login/password combo.

A few other notes:

• Gawker Media says that readers who used Twitter or Facebook logins to leave comments on the blog network haven’t been affected. But people who used the same login on Gawker as they have on Facebook or Twitter may very well be in trouble. Which may be one reason so many Twitter users I know are now promoting a bogus weight-loss berry.
• There’s a Google document that contains some of the hacked email/login info, and something called Hint has been emailing some hacked commenters with a reminder to change their passwords. (Who are they? Why do they want to associate their yet-to-launch site with a security breach? Anyone?) But not finding your info on the document and not getting an email doesn’t mean you don’t have a security problem. Play it safe and change your password now, regardless.

“What we don’t quite understand as seriously as we should is the extent of malicious cyberactivity that grows, that is growing now at unprecedented rates, extraordinary sophistication,” Blair told the House Intelligence Committee in the course of delivering his annual threat assessment. “And the dynamic of cyberspace, when you look at the technological balance, right now it favors those who want to use the Internet for malicious purposes over those who want to use it for legal and lawful purposes.” 

Sadly, the former seem to be far more on top of their game these days than the latter, which makes defending our financial, commercial and physical infrastructure all the more difficult.

“Attacks against networks that control the critical infrastructure in this country…could wreak havoc,” Blair continued. “Cyber defenders right now, it’s simply the facts of the matter, have to spend more and work harder than the attackers do, and our efforts frankly are not strong enough to recognize, deal with that reality.” 

Now Twitter, which has suffered multiple security breaches in the past, has been punctured again. Someone has gotten into the personal Web services accounts of co-founder Evan Williams, his wife and at least one other Twitter employee, and used that access to make off with a pile of confidential company documents. He’s now distributing them on the Web, and TechCrunch promises to publish many of them.

The media ethics colloquy is well underway and will go on for a while (Boomtown’s Kara Swisher is holding her session, appropriately enough, via Twitter). Beyond that, I’m pretty sure Twitter is going to be okay when this dies down.

Based on Williams’s description of the attack (see the bottom of this post), as well as both TechCrunch’s and the hacker’s descriptions of what got pilfered, this looks roughly akin to having your underwear drawer rifled: Embarrassing, but no one’s really going to be surprised about what’s in there.

The hack certainly will be worrisome for people who are using, or thinking about using, any kind of “cloud computing,” whereby work data/documents are stored on servers accessed via the Web. Google (GOOG) in particular is going to get some scrutiny, both because it’s Google and because it appears that a lot of this stuff was stolen after the hacker used Google’s “password recovery” system to root around. UPDATE: Twitter is now going out of its way to say that the attack isn’t Google’s fault, but Twitter’s fault for using passwords that are easy to guess.

Albert Wenger, a partner at Twitter investor Union Square Ventures, says in a post that his shop is currently considering moving its systems to Gmail and Google Docs, but notes the big problem: “The threat of access by a third party increases exponentially with the move to the cloud, because the machines that now contain the documents and the links to those documents (as sent by email) are accessible to the Internet at large.”

But cloud computing isn’t going away, so someone’s going to need to figure out how to make security better, yet still practical. There’s a reason no one follows the standard advice about having a different, impossible-to-remember password for every account you have. Wenger takes a stab at it in post–he suggests something tethered to a mobile phone. But whoever figures it out is going to have a lot of fans.

Williams’s description of the hack, via TechCrunch:

Yes, we did suffer an attack a few weeks ago and are familiar with this list of stuff. This is unrelated to the hack of twitter where someone gained access to user’s accounts. This had nothing to do with the security of twitter.com, and there were no user accounts compromised here.

Some notes:

- He did not actually gain access to my @ev Twitter account (or any Twitter accounts) nor any administrative functions of the site.
- There is also no evidence that he gained access to my email. There was one administrative employee who’s email was compromised, as was my wife’s Gmail account, which is where he got access to some of my credit cards and other information.
- He also successfully targeted a couple other employees personal accounts (Amazon, AT&T, Paypal…)

In general, most of the sensitive information was personal rather than company-related. Obviously, this was highly distressing to myself, my wife, and other Twitter employees who were attacked. It was a good lesson for us that we are being targeted because we work for Twitter. We have taken extra steps to increase our security, but we know we can never be entirely comfortable with what we share via email.

[Image credit: Wikimedia Commons]

Some 52,000 households in Santa Clara County were expected to be without phone and Internet until at least late Thursday night, according to a county spokesman. Other counties experienced outages as well. Cellphones were also impacted since the cables that were cut handled all voice and data traffic in and out of the area.

Read the rest of this post

A man who reportedly believed Republicans were conspiring to steal today’s election entered an Allentown polling site, signed in and proceeded to smash the screen of one of the electronic voting machines with a metal cat paperweight, poll volunteers said.

‘He smashed it with the cat’s ears,’ said volunteer Jim Govostis.”

–Morning Call, Nov. 7, 2006

Fantastic. Here we are, just two weeks before the 2008 presidential election and the integrity and accuracy of some of the electronic voting machines that will determine its outcome are in question.

Again.

According to new research from the Princeton University Center for Information Technology Policy, the Sequoia AVC Advantage machines used throughout New Jersey and Louisiana, and in a few counties in Colorado, Virginia, Wisconsin and Pennsylvania as well, can be hacked in eight minutes to manipulate vote tallies.

From the Princeton report:

The AVC Advantage contains a computer. If someone installs a different computer program for that computer to run, it can deliberately add up the votes wrong. It’s easy to make a computer program that steals votes from one party’s candidates, and gives them to another, while taking care to make the total number of votes come out right. It’s easy to make this program take care to cheat only on election day when hundreds of ballots are cast, and not cheat when the machine is being tested for accuracy. This kind of fraudulent computer program can modify every electronic ‘audit trail’ in the computer. Without voter-verified paper ballots, it’s extremely hard to know whether a voting machine (such as the AVC Advantage) is running the right program.”

Damning allegations and ones which Sequoia categorically denied after unsuccessfully attempting to suppress them. According to Sequoia, its voting machines are vulnerable only in a classroom setting. In real-life election scenarios, they’re just fine. “…Simple, established, and previously used accuracy and security protections–removed from the Advantages studied in the report published by the plaintiffs–make the items in their report next to impossible,” Sequoia said in rebuttal to Princeton researchers’ claims. “In fact, many of the scenarios painted by plaintiffs depend on the existence of crooked, malicious, and corrupt pollworkers, while the success of some scenarios depends on both corrupt pollworkers and inattentive voters.”

How reassuring.

Well, at least they’re not switching votes between candidates like some of those touchscreen systems in West Virginia, right?

PREVIOUSLY:

• Got a “Verifiable Paper Trail” for Those Phantom Voters?
• Premier Continues Proud Tradition of Diebold E-Voting Screw-Ups
• Make the E-voting System’s Password “1,2,3,4,5,6,7,8″? That’s so Obvious It’s Genius!
• Diebold: A New Beginning (to the First Step in E-Voting Terror)
• AccuVote? Bit of an Oxymoron, Don’t You Think?
• What Did You Expect? They All Run Windows…

[Image Credit: Diebold Variations]

A man who reportedly believed Republicans were conspiring to steal today’s election entered an Allentown polling site, signed in and proceeded to smash the screen of one of the electronic voting machines with a metal cat paperweight, poll volunteers said.

‘He smashed it with the cat’s ears,’ said volunteer Jim Govostis.”

–Morning Call, Nov. 7, 2006

Fantastic. Here we are, just two weeks before the 2008 presidential election and the integrity and accuracy of some of the electronic voting machines that will determine its outcome are in question.

Again.

According to new research from the Princeton University Center for Information Technology Policy, the Sequoia AVC Advantage machines used throughout New Jersey and Louisiana, and in a few counties in Colorado, Virginia, Wisconsin and Pennsylvania as well, can be hacked in eight minutes to manipulate vote tallies.

From the Princeton report:

The AVC Advantage contains a computer. If someone installs a different computer program for that computer to run, it can deliberately add up the votes wrong. It’s easy to make a computer program that steals votes from one party’s candidates, and gives them to another, while taking care to make the total number of votes come out right. It’s easy to make this program take care to cheat only on election day when hundreds of ballots are cast, and not cheat when the machine is being tested for accuracy. This kind of fraudulent computer program can modify every electronic ‘audit trail’ in the computer. Without voter-verified paper ballots, it’s extremely hard to know whether a voting machine (such as the AVC Advantage) is running the right program.”

Damning allegations and ones which Sequoia categorically denied after unsuccessfully attempting to suppress them. According to Sequoia, its voting machines are vulnerable only in a classroom setting. In real-life election scenarios, they’re just fine. “…Simple, established, and previously used accuracy and security protections–removed from the Advantages studied in the report published by the plaintiffs–make the items in their report next to impossible,” Sequoia said in rebuttal to Princeton researchers’ claims. “In fact, many of the scenarios painted by plaintiffs depend on the existence of crooked, malicious, and corrupt pollworkers, while the success of some scenarios depends on both corrupt pollworkers and inattentive voters.”

How reassuring.

Well, at least they’re not switching votes between candidates like some of those touchscreen systems in West Virginia, right?

PREVIOUSLY:

• Got a “Verifiable Paper Trail” for Those Phantom Voters?
• Premier Continues Proud Tradition of Diebold E-Voting Screw-Ups
• Make the E-voting System’s Password “1,2,3,4,5,6,7,8″? That’s so Obvious It’s Genius!
• Diebold: A New Beginning (to the First Step in E-Voting Terror)
• AccuVote? Bit of an Oxymoron, Don’t You Think?
• What Did You Expect? They All Run Windows…

[Image Credit: Diebold Variations]

And, yes, he’s a Democrat.

Seems it may have been Kernell’s son who posted these messages under the alias “rubico” to 4chan.org claiming to have hacked to Palin’s email by using Yahoo’s (YHOO) password reset feature.

rubico 09/17/08(Wed)12:57:22 No.85782652
Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

>> rubico 09/17/08(Wed)12:58:04 No.85782727
this is all verifiable if some anal /b/tard wants to think Im a troll, and there isn’t any hard proof to the contrary, but anyone who had followed the thread from the beginning to the 404 will know I probably am not, the picture I posted this topic with is the same one as the original thread.

I read though the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family
I then started a topic on /b/, peeps asked for pics or gtfo and I obliged, then it started to get big

Earlier it was just some prank to me, I really wanted to get something incriminating which I was sure there would be, just like all of you anon out there that you think there was some missed opportunity of glory, well there WAS NOTHING, I read everything, every little blackberry confirmation… all the pictures, and there was nothing, and it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this shit ever got to the FBI I was fucked, I panicked, i still wanted the stuff out there but I didn’t know how to rapidshit all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state

Then the white knight fucker came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch , all to be let down by the douchebaggery, good job /b/, this is why we cant have nice things.”

“THIS internet is serious business.”

Heh. Yes, it certainly is–especially when you’re hiding behind a single proxy. But not nearly as serious as hacking an email account, which is illegal under the Stored Communications Act and carries a maximum penalty of five years in prison.

[Image Credit: goopymart/Flickr]

And, yes, he’s a Democrat.

Seems it may have been Kernell’s son who posted these messages under the alias “rubico” to 4chan.org claiming to have hacked to Palin’s email by using Yahoo’s (YHOO) password reset feature.

rubico 09/17/08(Wed)12:57:22 No.85782652
Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

>> rubico 09/17/08(Wed)12:58:04 No.85782727
this is all verifiable if some anal /b/tard wants to think Im a troll, and there isn’t any hard proof to the contrary, but anyone who had followed the thread from the beginning to the 404 will know I probably am not, the picture I posted this topic with is the same one as the original thread.

I read though the emails… ALL OF THEM… before I posted, and what I concluded was anticlimactic, there was nothing there, nothing incriminating, nothing that would derail her campaign as I had hoped, all I saw was personal stuff, some clerical stuff from when she was governor…. And pictures of her family
I then started a topic on /b/, peeps asked for pics or gtfo and I obliged, then it started to get big

Earlier it was just some prank to me, I really wanted to get something incriminating which I was sure there would be, just like all of you anon out there that you think there was some missed opportunity of glory, well there WAS NOTHING, I read everything, every little blackberry confirmation… all the pictures, and there was nothing, and it finally set in, THIS internet was serious business, yes I was behind a proxy, only one, if this shit ever got to the FBI I was fucked, I panicked, i still wanted the stuff out there but I didn’t know how to rapidshit all that stuff, so I posted the pass on /b/, and then promptly deleted everything, and unplugged my internet and just sat there in a comatose state

Then the white knight fucker came along, and did it in for everyone, I trusted /b/ with that email password, I had gotten done what I could do well, then passed the torch , all to be let down by the douchebaggery, good job /b/, this is why we cant have nice things.”

“THIS internet is serious business.”

Heh. Yes, it certainly is–especially when you’re hiding behind a single proxy. But not nearly as serious as hacking an email account, which is illegal under the Stored Communications Act and carries a maximum penalty of five years in prison.

[Image Credit: goopymart/Flickr]