Feeds

Software maker sorry for trying to silence security researcher

Withdraws legal threats over mobile 'rootkit' claims

SANS - Survey on application security programs

A Silicon Valley software maker has withdrawn legal threats against an Android developer who claimed the company's diagnostic application amounted to a rootkit that posed a privacy threat to millions of handset owners.

In a statement issued on Wednesday, Mountain View, California-based Carrier IQ apologized to Trevor Eckhart for threatening to sue him for publishing training manuals he said supported his rootkit characterization. The about face came a few days after the Connecticut-based Android developer received legal support from the Electronic Frontier Foundation, which asserted his postings were protected by the US Constitution's First Amendment.

"Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart," the statement read. "We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world."

Eckhart's posting claimed that Carrier IQ software was able to log detailed information on millions of phones powered by Google's Android, Research in Motion's Blackberry, and Nokia operating systems. A user's GPS coordinates, key taps, and websites visited were just some of the details phone makers and carriers used the software to track, he claimed.

Eckhart also objected to the lack of disclosure given to handset owners that their devices contained the software. In some cases, he said, Carrier IQ versions were modified so phones showed no signs the software was installed and running. That led to claims Carrier IQ was no different than rootkits installed to secretly track and control devices.

Carrier IQ officials responded that the software didn't log keystrokes, track users' whereabouts or report on the content of emails or text messages at all. Rather, they said, the software helped network providers to diagnose a range of problems, including identifying causes of premature battery drainage, dropped calls, and other system problems.

In an email sent to The Register shortly after Carrier IQ dropped its claims, Eckhart held his ground.

"I stand by my statements still and hope that Carrier IQ will engage anyone who has questions with direct answers to facts posted," he wrote. "The community needs to know exactly what is recorded, who has access to it, and why we cant remove – especially from devices not under carriers contract."

He made no apologies.

"I saw something wrong, clearly logging data without user consent," he wrote. "Anything logging sensitive data should not be hidden and have clear opt-in guides. I was lucky to have the support of the EFF though who I cannot thank enough for this." ®

Follow @dangoodin001.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
Canadian taxman says hundreds pierced by Heartbleed SSL skewer
900 social insurance numbers nicked, says revenue watchman
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.