Monday, June 28, 2010

google's godlike power

I like Google. I use Gmail, Docs, Apps, Reader, Calendar, Chrome...I'm a GooGrrl through and through. I even have an Android phone. I generally think it's funny when people complain about Google doing this or that "evil" thing, such as the flap a few months back about the Aurora hack and Google's role in it. Corporations exist to make money, and Google is no different. The fact that they are as un-evil as they are is pretty impressive. Also, I love my phone.

A few days ago, Google removed two apps from its Android Market and also, more intrusively, removed the installed apps from the phones of any users who had installed them. This is a move somewhat similar to when Amazon removed copies of two Orwell works from Kindle e-readers, which caused a HUGE flap among Kindle owners. Never mind that the works had been pirated; it was a privacy violation! Interestingly enough, I haven't heard the same outcry over Google's actions with the two apps, both of which were proof-of-concept apps from a security researcher. This may simply be due to the fact that Google's Terms of Service are easier to understand than Amazon's; I don't know because I don't own a Kindle (and my CLIQ can't run the new Kindle Android app yet).

Or rather, I haven't heard much of an outcry. The Register ran an article in which writer Cade Metz compared the Google pull to the one from Amazon. As the article points out, Apple has the same ability -- to pull installed apps -- from its iPhone, but if that ability has ever been used, nobody has said so. Of course, Apple also has more of an application vetting process than Google does.

So was Google evil for pulling the apps or not? On the one hand, I'd like to think that my phone and all its apps and data are sacrosanct. After all, I would be mightily pissed if Microsoft or my ISP started removing apps that they didn't approve of from my desktop or notebook...uh...not that I have any such apps installed! Right. On the other hand, mobile phones, no matter how cool, are not exactly analogous to computers in form, function, or, apparently, terms of service.

Much more potentially sinister, says the security researcher whose apps were pulled, one Jon Oberheide, is the fact that Google can install apps at will. Not because Google might do so -- after all, anything Google might install on your phone in their infinite wisdom could only be for the greater good -- but because the INSTALL_ASSET message contains no source authentication. But don't take my word for it; read his article yourself.
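To show what "no source authentication" means in practice, here is an added example (not code from this post, from Google, or from Oberheide's research) using a hypothetical push-install message format: the weak handler acts on any message that looks like an install command, while the hardened handler checks an HMAC keyed with a secret shared only by the legitimate server and the device, so a message from anyone else is refused. The message fields, the shared key and the handler names are all assumptions for the demo.

```python
import hmac
import hashlib
import json

# Constructed demo key: in the hypothetical design only the real market
# service and the device hold it, so a valid MAC proves who sent the message.
SERVER_KEY = b"demo-shared-secret-not-a-real-key"


def canonical_bytes(body):
    """Serialize the message body deterministically so sender and receiver
    compute the MAC over exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_install_message(package, url, key=SERVER_KEY):
    """Server side: build a push-install message and attach an HMAC-SHA256 tag."""
    body = {"type": "INSTALL_ASSET", "package": package, "url": url}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def accept_unauthenticated(message):
    """Weak device handler: installs whatever any INSTALL_ASSET message names,
    with no check on who sent it."""
    return message.get("body", {}).get("type") == "INSTALL_ASSET"


def accept_authenticated(message, key=SERVER_KEY):
    """Hardened device handler: only acts when the MAC verifies under the
    shared key, using a constant-time comparison."""
    body = message.get("body", {})
    if body.get("type") != "INSTALL_ASSET":
        return False
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("mac", ""))


if __name__ == "__main__":
    genuine = sign_install_message("com.example.app", "https://market.example/app.apk")
    # Constructed forgery: right shape, but no knowledge of the key.
    forged = {"body": {"type": "INSTALL_ASSET", "package": "com.example.other",
                       "url": "https://attacker.example/other.apk"}, "mac": "0" * 64}
    # Constructed tampering: a genuine message with the download URL swapped.
    tampered = {"body": dict(genuine["body"], url="https://attacker.example/x.apk"),
                "mac": genuine["mac"]}
    print("weak handler accepts forgery:", accept_unauthenticated(forged))
    print("hardened handler accepts forgery:", accept_authenticated(forged))
    print("hardened handler accepts tampered:", accept_authenticated(tampered))
```

Run it and the weak handler says True for the forgery while the hardened handler says False for both the forgery and the tampered copy; only the message that was actually signed by the key holder is accepted.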

So, in other words, the most evil thing about this latest Google issue is not the power that Google wields nor the fear that they might use it for evil: it's the fact that they are wielding it ineptly. Clean up your act, Google, so I can once more feel confident about the virgins I sacrifice to you. (If anyone has any virgins they're not using, please send them my way: my supply is running low.)

Sunday, June 27, 2010

gee it's been a while

I know, right? Basically, right after my last post, I started a new job. I was working on a DoD contract, and even though I didn't really have access to anything all that exciting, I just felt constrained not to talk about anything Infosec related. However, about six weeks ago I was hired by the coolest company on earth, and while I must provide the disclaimer that in this blog I in no way speak for my employer, I do feel that I can talk about my profession once more.

So what the hell, I'll say something controversial. As probably everyone knows by this point, a hacker named Andrew Auernheimer, also known as Weev, was arrested when he and his security group, Goatse security, revealed some flaws in AT&T's website.

Now Goatse is not exactly the most...dignified group of people, which you can tell just from the name, which refers to a widely distributed pornographic image, a stylized version of which is the group's logo. On the other hand, they contend that they informed AT&T of the security flaw back in March, were ignored, and only then did they publish the exploit and the data.

Now Weev has been charged not only with the exploit, but with possession of pretty much all the drugs in the world. And I have to echo BoingBoing in wondering if this is just spite on AT&T's part. It's also possible that the police and AT&T know they can't really make the hacking charge stick -- especially if there's proof that Goatse contacted AT&T about the issue well before publishing -- so they are finding anything they can to nail Weev with. This isn't necessarily spite, but it's definitely dirty pool.

Honestly, AT&T has no excuse for all the negative press, especially security-related negativity, that they are generating lately. Anybody who's been in the Infosec business for any length of time once viewed AT&T as one of the authorities on the subject. Because AT&T is the only service provider for Apple products -- in itself not the best idea in my opinion -- they need to be much more serious about patching exploits in a timely fashion. Given how popular the iPad is and that all the cool kids rushed out to buy one (I'm not a cool kid), it is in fact reprehensible on their part not to patch it.

AT&T has an easy target in Weev: he's a self-proclaimed drug user, and the picture of the old-time "scruffy hacker". He's not an attractive champion in any sense. But at the same time, AT&T has totally lost its own white knight status with their attitude. Weev's in trouble now no matter what with this new drug charge, but here's hoping that AT&T is found more to blame in the case of the exploit than Goatse.