(Disclaimer: Putting this out there, but my time at work this afternoon is forcing me to do less re-reading than I’d like. Hopefully I’m not sounding like an unreasonable ass!)
Carrier IQ is a hot topic right now, which itself sort of pisses me off. In the same spirit of what pisses me off, I read the ComputerWorld article, “Carrier IQ is BYOD kiss of death — urgent action required” (via Dan Morrill). Yes, read the article because it at least doesn’t whine about data gathered by carriers, rather that this data is logged and stored on vulnerable devices.
1. If the confirmed presence of Carrier IQ on your phone prompts new (ensconced) action, you’re doing it wrong. Whether this is a business-purchased device or a personal one, it’s not entirely YOUR device. The carrier is going to and is already doing whatever it wants. While it’s nice that people are getting mad now, you shouldn’t be surprised by this state of affairs. Maybe this will spur usage of unlocked phones not supplied by carriers, or custom ROMs, but still…
2. If you’re pissed about carrier-implemented apps, are you pissed about all the crappy apps your users can install on their phones? Again, if not, you’re doing it wrong. And there will be apps with even worse transgressions (if not outright malware apps). In users’ defense, at least they don’t have a chance to know about carrier apps.
3. Are you worried about corporate espionage targeting your phones but not your carriers? You’re somewhat doing it wrong. I like that the article mentions the risk of phone-based attacks harvesting extremely juicy data that is brilliantly stored on the end device, but one should also keep in mind that these carriers and anyone else logging anything at all (the carriers absolutely will be, it’s their network) are also risks (that includes Google or Apple, the makers of your OS). Those entities are making your risk decisions for you.
4. Why are you kneejerk reacting to get rid of Carrier IQ software in the “urgent action required” section? This is the same backwards approach to security that says you only react to bad things actually happening right now, instead of doing any prevention. It’s fine to react, but please don’t be surprised or crazed with action after the revelation of something that was predictable and probably expected at some point. And just because you get rid of Carrier IQ, does that mean you also fully understand every other part of your phone’s OS, included software, carrier presence, and installed apps? Shit no.
Is there a difference between malware keyloggers vs carrier-embedded software logging vs OS-enabled logging? In my books, not really, until users are fully made aware of what is going on. Which itself is an entirely new topic because if you’re doing something that will piss people off if it were made known, why the crap are you doing it?
I think Dan is on the money when he says this really doesn’t change anything on the BYOD front and poses the question of whether these phones really are yours or not.
Another discussion topic would be what makes these phones so different in this regard from our Microsoft-clad personal computers running on our ISP of choice? It’s interesting that I do actually trust Microsoft as my OS more than Google or Apple, I trust my interaction with my ISP a bit better than with my phone carrier, and I also trust the software process a bit more (i.e. I have the ability, at a deep technical level, to watch an install and monitor/alert on behavior). Making everything convenient hides the details, which, to me, fosters less trust…