One of the podcasts I listen to regularly is Security Now, a TWiT show. Every episode (as well as many of the other shows on the TWiT network) teaches me a great deal that I use personally, for my company, or for my own “Security Tip of the Week” on the Minnov8 Gang Podcast. To say I find Steve Gibson and Leo Laporte knowledgeable, trustworthy and reliable is an understatement, and I’ve taken to extending that trust to their advertisers, since Leo continually touts the fact that he only supports advertisers he vets and actually uses.
But I think these guys either had a lapse when it comes to the VPN provider proXPN, or they have never signed up for a trial with this vendor and then tried to cancel the account during the trial period (which I now suggest they have a TWiT staffer do for EVERY potential advertiser).
Making it hard to cancel is the oldest trick in the book: charge the customer’s credit card immediately, then make them jump through a bunch of hoops to cancel and get a refund, and some percentage of them will give up and pay. Here is what happened and why I strongly caution you to consider another vendor for your VPN services:
Would it be OK for the government to collect all of your private data in one place, share it between agencies, enable companies to send anything “suspicious” to our intelligence agencies, all in the name of keeping us “safe?” What if your Facebook friends and photos you post were collected and sent to the government by Facebook? What if your internet provider (e.g., Comcast, Time Warner) or mobile provider (e.g., AT&T, Verizon) intercepted and sent your check-ins, photos posted, emails sent, websites visited and all your digital traffic to a government intelligence agency?
It’s happening now, and a bill, CISPA, would only make it easier.
CISPA, the Cyber Intelligence Sharing and Protection Act, has been reintroduced in the House of Representatives. It’s the contentious bill that would carve a poorly defined “cybersecurity” exception out of existing privacy law. CISPA offers broad immunity to companies that choose to share data with government agencies, including the private communications of their users, in the name of cybersecurity. It also creates avenues for companies to share that data with any federal agency, including military intelligence agencies like the National Security Agency.
Andrew Couts at Digital Trends, a refreshingly pragmatic voice in technology, pointed out in his article “All You Need to Know about Washington’s Big Cybersecurity Push” that this CISPA bill isn’t horrible, just far too incomplete.
The problem with CISPA, and with many of Washington’s knee-jerk “homeland security” legislative reactions, is threefold: the legislation itself has far too many holes in it; the obvious potential for abuse comes with the usual lack of strong oversight; and companies have been granted immunity (just as AT&T was in the ongoing NSA warrantless wiretapping fiasco), so there are no checks and balances on them either.
As an aside, if you don’t know about the NSA’s $2 billion-plus data center nearing completion, you should. Read this Wired article from last April and it will make you stop and think about what the government might do with all the data it will increasingly have access to if CISPA passes as-is: The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say). It always amazes me that the gun nuts out there are SO concerned about their 2nd Amendment rights being taken away but are either clueless, too stupid, or not bothered to become aware of the fundamental Constitutional rights U.S. citizens have already lost…and continue to lose bit by bit.
Couts said this in his article:
Like Obama’s cybersecurity order, CISPA’s primary aim is to increase the sharing of cyber threat information (or CTI, as the cool kids call it). Unlike Obama’s order, however, CISPA allows the sharing of information in both directions – from government to business, and vice versa. Sharing is not required by the law, but it is allowed.
CISPA also provides broad legal immunity to companies that collect and share CTI with the federal government, as long as they do so “in good faith” – which might mean businesses can’t be sued or charged with crimes for collecting and sharing CTI under CISPA. Furthermore, CISPA shields the shared CTI from transparency mechanisms, like the Freedom of Information Act (FOIA).
Read the full text of CISPA here: PDF.
That’s why I oppose this legislation. HOW TO OPPOSE CISPA (it’s really easy and fast to do so): Since I’m a member of the Electronic Frontier Foundation (EFF), I was particularly pleased that they made it extremely simple and fast to send a letter to your congressional representatives. You can do so here and it will take 2-5 minutes.
Do you ever do anything on your Android smartphone that you would like to be secure and private? You know, like banking, sending a text message to a friend or loved one, accessing secure web pages, or calling someone? If you do any of that, be aware that U.S. mobile carriers have had software embedded on Android devices that can record every keystroke, see every app you launch, and log the URLs (search terms included) of the encrypted HTTPS pages you visit, even when you are on Wi-Fi with mobile 3G/4G turned off!
Though I’d been peripherally aware of an Android developer named Trevor Eckhart who’d come across what he calls a “rootkit” on Android phones, I was stunned to see this Wired article explaining it, and even more appalled when I watched Trevor’s 17-minute video (embedded below).
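What an agent like this looks like from the outside is a process that writes keystrokes, HTTPS URLs and SMS text into the shared system log no matter which network the phone is on. The Python below is an added example, not code from this post, from Wired, from Trevor Eckhart or from Carrier IQ: it scans a constructed logcat capture (the tag names, process ids and the UI01/AP01/NT01/SM01 codes are hypothetical placeholders, not Carrier IQ’s real identifiers) and reports, for each logging process, which kinds of sensitive data it wrote and whether any of it was written while the active network was Wi-Fi.

```python
import re
from collections import defaultdict

# Constructed sample of Android logcat output in "threadtime" format.
# The tag names, pids, the connectivity message and the UI01/AP01/NT01/SM01
# codes are hypothetical placeholders for this example, not Carrier IQ's
# real identifiers.
SAMPLE_LOGCAT = """\
12-01 09:14:02.113  1432  1450 D ConnectivityService: Active network: WIFI, mobile data off
12-01 09:14:05.201  2210  2210 I MetricsAgent: UI01 key=72 'H'
12-01 09:14:05.402  2210  2210 I MetricsAgent: UI01 key=69 'E'
12-01 09:14:07.010  2210  2210 I MetricsAgent: AP01 launched com.android.browser
12-01 09:14:12.777  2210  2210 I MetricsAgent: NT01 https://www.google.com/search?q=my+bank+login
12-01 09:14:15.330  2210  2210 I MetricsAgent: SM01 to=+15555550123 body="meet at 7"
12-01 09:14:20.001  1999  1999 D Browser: page loaded
"""

# One logcat "threadtime" line: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s*(?P<msg>.*)$"
)

# Kinds of data no diagnostics agent should be writing into a shared log.
# The message shapes match the constructed sample above; a real capture
# needs patterns written for the agent actually present on the device.
SENSITIVE_PATTERNS = {
    "keystroke":  re.compile(r"\bkey=\d+\b"),
    "https_url":  re.compile(r"https://\S+"),
    "sms_body":   re.compile(r'\bbody="[^"]*"'),
    "app_launch": re.compile(r"\blaunched\s+[\w.]+"),
}

# Hypothetical connectivity message used to track which network is active.
NETWORK_RE = re.compile(r"Active network:\s*(?P<net>WIFI|MOBILE)")


def parse_logcat(text):
    """Parse threadtime-format logcat text into field dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOGCAT_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_telemetry(text):
    """Map each log tag that emitted sensitive data to the categories seen (with
    counts) and whether any of it was logged while the active network was Wi-Fi."""
    network = "UNKNOWN"
    findings = defaultdict(lambda: {"categories": defaultdict(int), "on_wifi": False})
    for entry in parse_logcat(text):
        net = NETWORK_RE.search(entry["msg"])
        if net:
            network = net.group("net")  # network state change, not a finding
            continue
        for category, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(entry["msg"]):
                hit = findings[entry["tag"]]
                hit["categories"][category] += 1
                if network == "WIFI":
                    hit["on_wifi"] = True
    # Convert to plain dicts so results compare and print cleanly.
    return {tag: {"categories": dict(v["categories"]), "on_wifi": v["on_wifi"]}
            for tag, v in findings.items()}


def report(text):
    """Human-readable summary of find_telemetry(), one line per offending tag."""
    lines = []
    for tag, hit in find_telemetry(text).items():
        where = "including while on Wi-Fi" if hit["on_wifi"] else "on cellular only"
        cats = ", ".join(f"{c}={n}" for c, n in sorted(hit["categories"].items()))
        lines.append(f"{tag}: {cats} ({where})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOGCAT))
```

To try it on a real phone, capture the log with `adb logcat -v threadtime` into a file and pass the file’s contents to `report()`; the sensitive-data patterns will have to be rewritten for whatever the agent on that device actually logs, since the shapes above belong only to the constructed sample. The Wi-Fi flag is the point of the check: a diagnostics agent that only reports cellular network quality has no reason to keep logging keystrokes and HTTPS URLs once the radio is off.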
I’ve been observing the continuing acceleration in governmental intelligence gathering since 2006 (see “Massive, sweeping surveillance on *all* you do”) and the U.S. National Security Agency’s warrantless wiretapping, but watching this video gave me one of those “Oh. My. God.” moments this morning.
Wired said this at the start of their article:
The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.
Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience – ostensibly so carriers and phone manufacturers can do quality control.
But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.
Carrier IQ, now busted, has backed off from its cease-and-desist letter (PDF) and points out that it isn’t really doing anything with the data; it’s all to help the carriers manage their networks. Aha…that’s what the guy said when the cops popped his trunk and found lockpicking and glass-cutting apparatus along with a black ski mask and latex gloves: “Really officers, I don’t use that stuff for breaking and entering.”
The Register also wrote about this and it’s a great read…but read that and make sure you also watch the video below. Yes, it’s a bit geeky and long, but the first few minutes explain the issue, and at about the 15-minute mark he shows what’s happening.
Action? Raise a stink by contacting your Congressperson. Join what continues to prove to be our only tech-savvy defense against the assault on our Constitution and Bill of Rights when it comes to technology: the Electronic Frontier Foundation. Tweet about it using the hashtag #CIQ.
Glad I have an iPhone 4S since it doesn’t have this embedded software on it…until we find out otherwise.