Ars tests Internet surveillance by spying on an NPR reporter (arstechnica.com)
244 points by wglb on June 11, 2014 | hide | past | favorite | 65 comments



I really appreciated this story. It's so hard to make people care about "small" data leaks when they have no idea what many "small" data leaks can lead to. The bug the journalists discovered that revealed Skype's contact list is the perfect example -- the programmer just did something completely "reasonable" (grabbing avatars) that ended up leaking a vital set of information. Imagine if surveillance were your full-time job and you did more than just grab the low-hanging fruit.

I was also quite surprised by Google's HTTP Maps flaw in HTTPS search. I'd have previously imagined this would be a standard security pentest that Google products would need to go through. Given how pervasive and important Google is to the digital ecosystem, even small flaws can have a profound impact.

I'll again state that this is why I feel so strongly that Google Analytics should be updated to be HTTPS by default[1]. If you hit a non-HTTP site, you're leaking all the information you would send to Google Analytics to anyone that's listening -- it goes across the wire unencrypted. Considering Google Analytics is on 60+% of the top 100,000 domains, this is a lot of information leakage. Referrers, time on page, browser details, operating system details, everything that Google shows a webmaster in Google Analytics also ends up in the hands of the passive observer.

[1]: http://smerity.com/articles/2013/google_analytics_and_nsa.ht...


This was a wake-up call for me. On my desktop browser, I can use SSL, NoScript, etc. to control what's exposed.

But on my phone I'm powerless. How do I know what each app is capturing and transmitting in the clear? If even Google searches don't use SSL, what hope is there for other apps?


In your mobile browser at least Firefox Nightly supports extensions - I have Adblock, Ghostery, etc. Aside from the privacy benefits it also makes a significant performance difference on my Kindle.

https://nightly.mozilla.org/


You can use the stable version too; at least ABP, Ghostery and Self Destructing Cookies work fine on it.


If only it were even just the apps. Check out this blog post by the Tor project and look at what it takes simply to secure the OS:

https://blog.torproject.org/blog/mission-impossible-hardenin...

Of particular interest to me was how the captive portal detection reports back to Google everywhere you connect even if everything else is disabled.


I haven't done this personally but you can minimize the risk of interception without really changing anything by going through a VPN. This way all unencrypted traffic is strictly on wired networks.


The VPN secures my data up to the VPN, but it's unencrypted from the VPN to the host.

That might help with the casual Wi-Fi snoop in the coffeeshop, but it's still hoovered up once it leaves the VPN.


Yes, that's true. That's what the situation in the article was, a hostile WiFi access point. I'd say that, running a modern platform, countermeasures are only useful up to the point that you trust your OS maker and telco. So if you can get your data encrypted until it reaches a major telco's network, then you are almost as safe as if it were all encrypted.


> That's what the situation in the article was, a hostile WiFi access point.

The point of the article was not the hostile AP, but to simulate a pervasive threat:

  we would create a pint-sized version of the Internet
  surveillance infrastructure used by the National
  Security Agency... Porcello would become our one-man
  equivalent of the NSA’s Special Source Operations
  department


Which misses the point of NSA surveillance. Ars knew who they were looking at, and could have multiple people look at that one person's history for whatever they wanted.

The broad surveillance of any practical intelligence apparatus only bothers to do that to target actual subjects of interest, and doesn't have infinite leeway to not produce results while doing it - i.e. if the NSA produces no useful intelligence on Al Qaeda for a few months, they're looking at budget cuts.

Or to put it another way: how many man hours did they expend on this effort, and how many people do they actually think work for the NSA? It's certainly not "millions".


The NSA does this full-time, with a large staff. They have very elaborate systems designed to automatically pull all this information and organise it into databases for easy lookup.

These guys were manually viewing Wireshark dumps. Obviously they're going to spend a lot more time to get the same info when working at such a low level, with no access to any of the automation tools the NSA uses.


You can put on a firewall to block certain apps (requires rooting), but it's true that the measure won't help with "mostly respectable" ones that aren't using HTTPS.


On Android, the iptables packet filter can be used to control what network connections apps are allowed to make. It is, however, an increased maintenance burden. Recent versions of CyanogenMod also have Privacy Guard pre-installed, which can be used to set granular permissions for apps, such as restricting access to geolocation data.


If you have root then install https://play.google.com/store/apps/details?id=com.googlecode... - at least that way only apps you allow can communicate online.


> I'll again state that this is why I feel so strongly that Google Analytics should be updated to be HTTPS by default[1]. If you hit a non-HTTP site, you're leaking all the information you would send to Google Analytics to anyone that's listening

I fully agree with you, but one small little issue here: wouldn't that violate the 'everything over https or nothing over https' rule for what's displayed on a page? In other words, wouldn't your browser balk at this if it were implemented?

Mixed http/https is frowned upon, and rightly so!


Browsers tend to only complain if doing so breaks security, such as using JavaScript from an HTTP source on an HTTPS page: the JS could be swapped out by a man-in-the-middle. If you use or communicate using HTTPS on an HTTP page, there are no real issues.

You can actually force Google Analytics to use HTTPS on a HTTP page[1] with _gaq.push(['_gat._forceSSL']) but it's not the default. If it's not the default, it's not going to be used heavily across the hundreds of thousands of pages using Google Analytics. Privacy death by a thousand cuts.

[1]: https://developers.google.com/analytics/devguides/collection...
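Added example, not code from the thread or from Google: a Python audit script that parses a page's HTML, lists which script includes a browser would fetch over plain HTTP given the page's own scheme, and checks whether the classic ga.js snippet pushes `_gat._forceSSL` ahead of `_trackPageview`. The sample HTML, hostnames and tracking ID are constructed.

```python
"""Audit which analytics/third-party scripts on a page will travel in the clear.

Added example; the sample HTML, hostnames and tracking ID are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a page served over plain HTTP using the classic ga.js
# snippet, which mirrors the page's scheme and does not push _gat._forceSSL.
SAMPLE_HTML = """<html><head>
<script src="//cdn.example.test/lib.js"></script>
<script src="http://stats.example.test/track.js"></script>
<script src="https://secure.example.test/app.js"></script>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-00000-0']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www')
             + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
</head><body>hello</body></html>"""

# Same page with the forceSSL flag queued ahead of the page view.
HARDENED_HTML = SAMPLE_HTML.replace(
    "_gaq.push(['_trackPageview']);",
    "_gaq.push(['_gat._forceSSL']);\n  _gaq.push(['_trackPageview']);",
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the source text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False


def effective_scheme(src, page_scheme):
    """Scheme the browser really uses: absolute URLs keep theirs, protocol-relative
    and relative URLs inherit the scheme of the page that embeds them."""
    scheme = urlsplit(src).scheme.lower()
    return scheme if scheme in ("http", "https") else page_scheme


def force_ssl_before_pageview(js):
    """True if _gat._forceSSL is queued before _trackPageview (the _gaq queue is
    processed in order, so a later push would not cover the first beacon)."""
    force, view = js.find("_gat._forceSSL"), js.find("_trackPageview")
    return force != -1 and (view == -1 or force < view)


def audit(html, page_scheme):
    """Report script includes fetched over HTTP and whether ga.js beacons go in the clear."""
    collector = ScriptCollector()
    collector.feed(html)
    inline_js = "\n".join(collector.inline)
    uses_gaq = "_gaq" in inline_js
    force_ssl = force_ssl_before_pageview(inline_js)
    return {
        "cleartext_scripts": [s for s in collector.external
                              if effective_scheme(s, page_scheme) == "http"],
        "uses_gaq": uses_gaq,
        "force_ssl": force_ssl,
        # The classic snippet loads ga.js with the page's scheme, so on an HTTP
        # page every __utm.gif beacon is plaintext unless forceSSL is pushed.
        "ga_beacons_in_clear": uses_gaq and page_scheme == "http" and not force_ssl,
    }


if __name__ == "__main__":
    for name, page in (("default", SAMPLE_HTML), ("forceSSL", HARDENED_HTML)):
        print(name, audit(page, "http"))
```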


That's something that might be fixable with a user-script or a browser plug-in?

Maybe something for the likes of ghostery or adblock to implement?


Generally, however, the problem is concern over leaking sensitive data to insecure connections (e.g. load an HTTPS URL but your HTTP referer header on all your insecure HTTP requests tells people your URL).

I don't see any issue with loading an HTTP site and then making an HTTPS request to Google Analytics. It's better to secure part of an insecure page than to leak part of a secure one.


Mixed content warnings only appear if HTTP content is included on an HTTPS page.


Ah, OK, neat. I got bitten by that once in the past and did not realize that the other way around is fine. Now that I think about it, that's kind of logical, because you can't really give more away than you are suggesting to the user, only less. Thank you.


> If you hit a non-HTTP site, you're leaking all the information you would send to Google Analytics to anyone that's listening

This is why I'm a fan of RequestPolicy.


> I'll again state that this is why I feel so strongly that Google Analytics should be updated to be HTTPS by default

That's an incredible waste of bandwidth for no improvement in privacy whatsoever. If HTTPS pages were including GA over HTTP, then yes, this would be an issue, but you're already requesting the page over HTTP, if you're getting GA over HTTP. There's simply no advantage whatsoever -- for privacy, security, or anything else -- to using HTTPS for this script. It doesn't make any attack harder in any way, shape, or form -- it just makes pages slower and more expensive to load.


The only significant overhead that TLS imposes is in the initial (public-key) handshake, and even then the overhead is primarily for high-traffic servers. Once a TLS (HTTPS) session has been established, it's essentially free to continue using it. Given that Google Analytics is basically everywhere on the web (and thus you can imagine your session would be fairly persistent as you're surfing around) and that Google can afford the server overhead of establishing TLS connections, I think your objections are unfounded.

Of course, you may still be right in that it adds no privacy, but I wouldn't call it an "incredible waste" (particularly not of bandwidth), since the cost is really quite low.


The cost is quite low for a single connection, but given that Google Analytics is on a huge portion of sites, that adds up really, really quickly. In addition, the additional round trips required for the TLS handshake are a killer on a high-latency connection, seriously slowing things down for mobile devices.

Given that there really is no privacy benefit, I can't imagine why you would take on that overhead; Google clearly agrees, or they would've turned on HTTPS by default.


There is a major improvement to privacy in the larger scale: the Google Analytics servers are a funnel for a substantial percentage of all web traffic. Read the write-up I linked to, specifically "How does that help the NSA?".

Usage of unencrypted Google Analytics + Google cookies[1] means that you don't need to eavesdrop on individual connections, just one small set: the endpoints to the Google Analytics servers.

Hence, the NSA or other large entities have an economical way to tap a large portion of web traffic.

[1]: http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10...


> Usage of unencrypted Google Analytics + Google cookies means that you don't need to eavesdrop on individual connections, just one small set: the endpoints to the Google Analytics servers.

Admittedly, it is a smaller number of endpoints than monitoring every site in the world (that much is obvious), but it's not one or two -- they're all over the place.

But even ignoring that, it really comes down to one thing: Google Analytics can't possibly make an HTTP site any less secure or less private -- you're sending a postcard with your personal details on it a million times a second! It may in some situations make it slightly (very slightly) easier for someone to snoop on a tiny bit of info about your traffic, but the fix for this isn't to make that harder, it's to make it harder to snoop on your traffic entirely. We already have a solution for this: ubiquitous TLS.

IMO, this is slapping a band-aid where your arm used to be; trying to increase the privacy of HTTP sites is a fool's errand and a complete and utter waste of time.


Using HTTPS by default may encourage more people to adopt it.


Looks like the "Pwnie Express PwnPlug R2"[1] is just a Mirabox[2] with an extra wireless card in the Mini PCIe slot and an external antenna. The PwnPlug R2 sells for $1095; the Mirabox sells for $150.

[1]: https://www.pwnieexpress.com/penetration-testing-vulnerabili...

[2]: https://www.globalscaletechnologies.com/p-58-mirabox-develop...


You can get pretty good wifi pentesting functionality out of a Pineapple, currently retailing at $100.

https://wifipineapple.com/

I think for the particular purposes of this investigation, the Pineapple would have made a fine substitute for the PwnPlug R2.

Depending on your wifi card and drivers, it would also be possible to run something like Jasager or Karma on a laptop instead of a specialized wifi base station (although then you have to dedicate your laptop to the surveillance function instead of using it for your own regular laptoppy purposes).


The original Pwn Plug was just a SheevaPlug:

https://www.pwnieexpress.com/penetration-testing-vulnerabili...

https://www.globalscaletechnologies.com/p-46-sheevaplug-dev-...

I don't begrudge them; they assembled it, created a simple-to-use interface for administration, created docs and bundled it for one price. It's worth the money for some people.


I only skimmed the description of it, presumably the cost is more about being pre-loaded with a good software package for pen testing as opposed to having to set it all up yourself. Could be a pretty decent expense, even for a bigger pentest shop that has the resources to make a standard process for building and setting up stuff like that.


Right, you are paying an extra $945 for them to install a wifi card/antenna and preload a bunch of open source software on it. I'm sure that for some people it is totally worth it, and others would rather do it themselves.

I mostly pointed it out because I've used the Mirabox for a bunch of projects and recognized it in the picture. It's a great little ARM box with 2 gigabit Ethernet ports (hard to find on a dev board) and 2 USB 3.0 ports.


Have you ever used the Dreamplug? I'm still hanging onto mine but it sounds like the Mirabox might be a suitable upgrade. How's the kernel support? How's uBoot? (On the Dreamplug, you have to upgrade uBoot via JTAG once you get past a certain kernel version)


Yes, I have used the Dreamplug; the Mirabox is a logical upgrade from that. The Mirabox uses a Marvell Armada 370 SoC. When I first got my Mirabox the kernel support wasn't great. But Marvell has been contracting with an embedded Linux contracting firm, Free Electrons, to get everything into the mainline. Free Electrons has done a great job and now you can run a stock kernel fairly easily.

The Mirabox comes with the Marvell fork of uBoot which is unfortunately quite old. It doesn't have support for device-tree, for example. I'm not aware of a newer working version from either Marvell or Globalscale. There was some initial work to get Barebox working on the Mirabox, but it is very feature limited.

On the plus side, you don't need a JTAG console to reflash the bootloader. Lots of Marvell SoCs support booting over a UART connection using an Xmodem protocol[1][2]. So you can reflash/unbrick your Mirabox using just the USB serial port. (I think that the Dreamplug also supports this protocol, but I have never tried to use it on one.)

[1]: http://git.pengutronix.de/?p=barebox.git;a=commit;h=0535713b...

[2]: http://git.pengutronix.de/?p=barebox.git;a=commit;h=6bb3a08c...


> The Mirabox comes with the Marvell fork of uBoot which is unfortunately quite old. It doesn't have support for device-tree, for example. I'm not aware of a newer working version from either Marvell or Globalscale. There was some initial work to get Barebox working on the Mirabox, but it is very feature limited.

This was the situation with the Dreamplug before it got mainline uBoot support. Is there any hope for the Mirabox?


Where wireless is a cellular component.


Scary that Google Maps wasn't encrypting significant amounts of its traffic (at least for the reporter in this article, since I know Maps has HTTPS support). Location data can be the most revealing of all.


One of the nicest things about this article is seeing that the Ars reporter (Sean Gallagher) reported at least three information leakage bugs upstream, and the responsible parties have addressed them. How many news organizations can claim to have gotten security flaws fixed so directly?


Ah, I was interrupted as I read the article and that info was a couple paragraphs later.

That is awesome! Hopefully it also nudges Google to audit their properties for similar leakages to plug... and everyone else, for that matter.


At this point, should we not just drop non-SSL traffic on the web completely?


Even SSL traffic leaks information about websites you are visiting, how much data you download (e.g. for email), how much time you spend, when you do it, etc. More importantly, it doesn't protect you from the website (and any owner of any 3rd-party plugin/widget/js/css/img on the website) collecting data about your online behavior based on your browser signature or simple cookies.


None of this is shocking except for maybe how unavoidable sharing all this information online actually is. The default settings on most devices are not designed with privacy in mind. In order to avoid this type of data collection, you'd have to walk around with a dumbphone, avoid using any bank-connected services and basically only log on to the Internet via a VPN. Ironically, this usage pattern is so far out of the ordinary that it would make you stick out like a sore thumb.

In the decade between this type of data collection becoming possible and the mass populace becoming concerned about it, I fear we've passed a threshold we can't un-cross. This type of technology is so intertwined in our daily lives that avoiding it isn't a realistic option.

Things like Apple using random MAC addresses to scan for Wi-Fi APs are a start; but too many devices (Android included) use default settings that are far from secure. But it's up to the companies that make usable, mass-market devices to ratchet up the security, and I fear that they have little incentive to do so when their own ambitions include the same type of data collection.


> In order to avoid this type of data collection, you'd have to walk around with a dumbphone, avoid using any bank-connected services and basically only log on to the Internet via a VPN. Ironically, this usage pattern is so far out of the ordinary that it would make you stick out like a sore thumb.

Have you considered trying this, or some implementation of it?

I, for one, would like to see websites that didn't install any tracking software. Specifically, I mean no Google metrics. If there was a news website that didn't install any tracking software, but instead just offered pages with cryptocurrency addresses, I would switch to that as my default news source in a second.


"If there was a news website that didn't install any tracking software, but instead just offered pages with cryptocurrency addresses, I would switch to that as my default news source in a second."

No, you wouldn't. You might be hard-minded enough to try and commit to it, but instead you'd almost certainly just stop reading any news... then go back to aggregators/blogs, whatever.

It's a well studied problem that as soon as something becomes not free, people change their behaviour dramatically.

Of course, if you really don't care about the news (and broadly normals news websites are pretty useless to me), then you can cheaply skip a step...


> No you wouldn't. You might be hard-minded enough to try and commit to it, but instead you'd almost certainly just stop reading any news...then go back to aggregators/blogs whatever.

Yes I would. I do soft boycotts of all music that isn't Creative Commons, and movies by major media companies. I've listened to almost exclusively free music for years. (Libre music for close to 6 mo.) I still go to movies sometimes, but who cares? The point of a boycott isn't necessarily to hurt a company's revenue, it's also to drive change in consumption habits.

I'm not trying to quit the normal web altogether, I'm just saying that if there were ONE news website that didn't have tracking software installed, I would switch to it as my default news source. I can't say for sure if I would donate to articles via a bitcoin link, but I would imagine it would be optional.

HN is nice, but it's just an aggregator. Even though it doesn't have tracking software, everything that it links to does.

EDIT: Oh, and I meant to say, I have indeed switched to a dumbphone, and I use a VPN. I still use bank related services, but I try to use bitcoin when I can. I have no illusions about its anonymity, I just try to vote with my feet and my dollars. Just because there are a lot of consumers who don't change their consumption habits doesn't mean that some won't.


Creative Commons is different - you don't pay.

The point I was making was that the act of knowing that every click through was costing you some small but real amount of money, would change your behavior dramatically.

So that's the challenge: you need no tracking, but no obvious fees either.


Google metrics aren't always used for spying on people -- news sites in particular drool over every possible metric to measure popularity, referrals, etc. to better tailor their online marketing (and sometimes story selection). It sounds weird, but I'm not sure a website without tracking would be as good.


No, I don't think it would be. For a company to announce that they were forgoing tracking would be a brave step. I understand that analytics is a really really useful thing for a company.

But, as a corollary, what if Google Analytics alters the content in a way that makes it less useful? The obvious example here is clickbait articles (see Clickhole), but I think there are other, more subtle problems here. Isn't the job of a reporter to report what _they_ think is news, rather than what people want to read?

Beyond that, I am troubled by the spying on people. It occurs to me that even if I remove Google Analytics from my website, anyone coming to or going from my website will be subject to monitoring by Google. It's not exactly opt out.

Microtransactions are hard, though, that problem still hasn't been solved.


Website owners can still get most of their metrics without Google the same way we did it before Google existed: they can analyze their Apache/Nginx logfiles.

Stats is hard? Find some software that does it for you. Better yet, figure out how to do some of it yourself (it's not particularly hard). Or hire some statisticians. This way, you free your business from being dependent on a 3rd party.
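Added example, not from the thread: a Python script that derives page views, external referrers and a pseudonymous unique-visitor count from Apache/Nginx combined-format access log lines, so no third-party beacon is needed. The log lines, hostnames, addresses and salt are constructed.

```python
"""Self-hosted web metrics from a combined-format access log, no third-party beacon.

Added example; the log lines, hostnames and addresses below are constructed.
"""
import hashlib
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed Apache/Nginx "combined" log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Jun/2014:10:01:02 +0000] "GET /articles/surveillance HTTP/1.1" 200 5120 "https://news.ycombinator.com/item?id=7880000" "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"
192.0.2.10 - - [11/Jun/2014:10:01:03 +0000] "GET /static/site.css HTTP/1.1" 200 800 "http://example.test/articles/surveillance" "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"
198.51.100.7 - - [11/Jun/2014:10:05:00 +0000] "GET /articles/surveillance HTTP/1.1" 200 5120 "http://www.google.com/search?q=ars" "Mozilla/5.0 (iPhone; CPU iPhone OS 7_1 like Mac OS X) Safari"
192.0.2.10 - - [11/Jun/2014:10:07:00 +0000] "GET /about HTTP/1.1" 200 2000 "http://example.test/articles/surveillance" "Mozilla/5.0 (X11; Linux x86_64) Firefox/30.0"
203.0.113.5 - - [11/Jun/2014:10:09:00 +0000] "GET /missing HTTP/1.1" 404 300 "-" "curl/7.30.0"
203.0.113.5 - - [11/Jun/2014:10:10:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.30.0"
this line is not in combined format
"""

COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_page_view(rec):
    """Count only successful GETs of documents, not assets, errors or form posts."""
    path = rec["path"].split("?", 1)[0]
    return (rec["method"] == "GET" and rec["status"] == 200
            and not path.lower().endswith(ASSET_SUFFIXES))


def visitor_id(rec, salt):
    """Pseudonymous visitor key: keyed hash of address + user agent. Rotating the
    salt (e.g. daily) stops the ids from being joined across periods, and the raw
    address never has to be kept in the report."""
    raw = f"{salt}|{rec['host']}|{rec['agent']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def summarize(lines, own_host, salt):
    """Page views, external referrers and unique visitors from raw log lines."""
    pageviews, referrers, visitors = Counter(), Counter(), set()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if not is_page_view(rec):
            continue
        pageviews[rec["path"].split("?", 1)[0]] += 1
        visitors.add(visitor_id(rec, salt))
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host != own_host:  # ignore internal navigation
            referrers[ref_host] += 1
    return {
        "pageviews": dict(pageviews),
        "referrers": dict(referrers),
        "unique_visitors": len(visitors),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines(), own_host="example.test", salt="2014-06-11")
    for key, value in report.items():
        print(f"{key}: {value}")
```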


> This type of technology is so intertwined in our daily lives that avoiding it isn't a realistic option.

That seems like somewhat of an apathetic attitude to have. Try living without internet for a week, or even a day. It isn't so bad.


Sounds great for a vacation. But considering I make a living talking to people who don't wear tinfoil hats, it's really not realistic to live the rest of my life disconnected from the net. I imagine the same goes for 99% of people on this site.


That's a fair point, but I'm still willing to bet you could at the very least drastically reduce the amount of time you spend on the net if you wanted to.


I could dramatically reduce any number of things if I really wanted to. That doesn't make it practical though, since I don't want to, or I want to still partake in a modern civilization.

The better question to ask is "will being off the grid actually solve the problem?"

Because plenty of people aren't on the net in Syria, Iraq, Afghanistan... still doesn't really work out.


Yeah; but it's not about how much time you spend on the net: simply owning a smartphone and using it sparingly exposes a lot of information.


I just read the book Two Cheers for Anarchism, where James Scott describes his experiences of "anarchist calisthenics". He suggests, slightly tongue-in-cheek, that practicing occasionally disobeying laws in minor ways like jaywalking could help develop a disobedience skill that he might need some day for an important moral reason.

I think in the same way that we who live in an exceptionally wealthy society often get little practice in giving things up, but that this practice might be beneficial. It's not a very original observation to notice how having so many resources and opportunities and conveniences available to us makes us feel more and more dependent and averse to every sort of inconvenience.

As a vegan, I always find it remarkable how emphatically people feel that it would be impossibly difficult for them to go without eating animal products, or that they can't imagine how someone could possibly manage without them. Maybe that's literally true in the Aleutian Islands or the Australian Outback or something, but not so much in New York City or Portland, where one could eat in a different restaurant every day for a year without running out of vegan entrées to order directly off the menu.

But there are plenty of resources and technologies that I have that my parents and aunts and uncles grew up and lived and worked without for decades and that even today most of the world's population doesn't use—but that it's hard for me to imagine life without. (When I visit friends in Brazil, they don't have a machine to dry their laundry, but use a clothesline, the way almost everybody in history has done it, and to my amazement the clothesline still works OK. It's not even much more labor, just more latency in the clothes-washing process.)

The habits we form from being well-off and having so much access to everything we want, worry some people because they consider how something could go wrong and there are skills we might need that we haven't developed. (We might also feel more acute suffering from losing what we're used to; psychologists have documented that losing what you had is consistently perceived as a much greater cost than failing to gain what you didn't have.) War or social unrest or natural disasters or ecological disruption could strike middle-class city dwellers pretty hard because we mostly don't know how to grow food, how to fix things, and so on.

But another consequence of our abundance of resources and choices, one that I think is more core to what the parent commenter is getting at, is that when we become dependent on technologies and products and resources, our demand curve for them shifts. The people who supply these things to us have more power over us in terms of extracting money or concessions, because we and then understand that we're unlikely to actually give up our habits. That has consequences in terms of the difficulty in resisting changes that harm us (a classic example is if an Internet service changes its privacy policy in a way that reduces existing users' protections; service operators know that very few people will stop using the service even if most users dislike the change). It also means that the prospect of boycotts over ethical issues that affect others is dimmer. Manufacturers think that there's not that much chance many people would actually stop buying something because of disagreements with how it was made.

I think it would be amazing to have a culture where people commonly had the experience of successfully giving up a habit or a product that they liked quite a bit, without being forced to, just as a result of a conscious choice. My Catholic friends often do this once a year during Lent (the religious tradition in many communities used to be to give up specific foods, but many people today interpret it more broadly and personally pick something to give up temporarily—normally, something that they enjoy and that it will be an effort for them to give up). From what I hear, many people find it satisfying and empowering when they succeed. And following Scott's idea, it might be good practice for when you decide that you do have an important reason to give something up.


I was also just reminded of the documentary The Century of the Self which I think I originally saw at Aaron Swartz's recommendation. The documentary took me by surprise in some ways because it seemed to start off with a familiar narrative about the benefits of individualism and economic growth in giving people more choices. But at a certain point it turned darker and described how marketers had understood that giving people certain kinds of experiences of choice and personal attention could be deployed as a means of manipulation. It's something like the advice I just read the other day that you can get little kids to put on their shoes by asking them which pair of shoes they want to put on. The question puts the focus on their choice while directing their attention away from the question of whether they wanted to put on shoes in the first place.

The darker later parts of the documentary make me think that we have a lot of practice celebrating people's power of choice and freedom from constraint (which I fully agree with). We have a lot of recent experience saying yes when there's no reason not to. What we perhaps haven't been practicing as much is saying no at those times when there is a reason to.


> basically only log on to the Internet via a VPN

Even if you did this it doesn't guarantee that your data doesn't travel through data centers you would rather it not travel through, right?


I wonder how much sensitive data from governments and companies leaks this way. It doesn't sound unrealistic for an attacker (a spy, a competitor, an inside trader) to pick a coffee shop frequented by low-level government officials and set up a fake Wi-Fi access point. I doubt people doing mundane administrative tasks are security-conscious enough not to leak important data this way.


Realistically, it is really hard to protect your privacy online unless you decide to stop using 3rd party services like email, calendar, file sharing, social networks, etc. All these services collect enormous amounts of information about everyone. The internet protocols (TCP/IP, HTTP) have not been designed with privacy in mind and the only way to ensure real privacy for internet users is to start from scratch and rethink the whole stack. Unfortunately, it is not going to happen thus users pretty much have a tradeoff: either to accept privacy violations from various parties or to (significantly) limit the use of internet services.


> We contacted both AT&T and Apple for comment; Apple pointed us to AT&T, but AT&T didn't respond.

I'm shocked.


How far would an always on VPN go to solving parts of these problems? At least it'd be encrypted to the VPN data centre.

I suppose from there it'd be in the clear, but at least it'd stop snooping at an ISP level. Or am I missing something, and would it be useless?


A VPN is a tunnel. Your computer is on one end and there will be another computer on the other end. The ISP or cloud provider on the other end will be able to spy on you even if you use a VPN. And of course the website you are visiting has all the information in any case.


Yeah. What happens is that you are giving one more party - the VPN provider - access to your data.


I use OpenVPN on my home desktop, but the main benefit is just that it protects my laptop/phone from people sniffing wifi in public locations.

So the other folks in Starbucks won't know what Reddit comments I'm leaving :p


Are there any guides on how to get started on penetration testing yourself? I'd quite like to run this experiment on myself and see just how much information I actually leak online.



