Re: [id-android] Motorola Is Listening
Dah lama sih, jaman evo 3d www.xda-developers.com/android/the-rootkit-of-all-evil-ciq/ On Jul 4, 2013 12:44 PM, Yudhistira Dwi Putra yudhistira.d.pu...@gmail.com wrote: Wah yang mana tu om masih ada artikel nya gak? ketinggalan berita gw :D. Tapi apa CiQ ngirim data2 personal semacem ini juga kah? On Thursday, July 4, 2013 9:25:44 AM UTC+7, ray wrote: Ini bukannya serupa kayak kasus treve vs ciq dulu ya? On Jul 3, 2013 4:49 PM, Yudhistira Dwi Putra yudhistir...@gmail.com wrote: ada yang udah pernah liat/baca artikel ini? http://www.beneaththewaves.**net/Projects/Motorola_Is_**Listening.htmlhttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html *Content preview :* In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel. If you're in a hurry, you can skip straight to the Analysis - email, ActiveSync, and social networkinghttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#Analysis1 section - that's where the most sensitive information (e.g. email/social network account passwords) is discussed. Update 2 (2013-07-02 @ 08:03) - potential device security concern I realized this morning that there may be a more significant problem. See Potential (untested) device security concernhttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#PotentialDeviceSecurityConcern, below. Update 1 (2013-07-02 @ 05:30) - Android, the Droid X2, and Blur This article has gotten a lot more attention than I expected. A clarification I'd like to make (because there seems to be a lot of confusion about this) is that *the Droid X2 does not use Motorola's Blur/MotoBlur user interface*. That's one of the reasons I picked that model specifically back in 2011 - it seemed to be running something very close to the stock version of Android. The email client, web browser, text-messaging app, and so on look like the ones that were included on the G1 I had previously, which is about as close to stock Android as you can get with a carrier-installed OS. Based on my research, it seems that they've all been modified to silently send data to and/or through the Blur web-service back-end, but there's no indication to the user that this is the case unless they do the sort of network capture that I did. There is no prompt to create or use a Blur user ID - the phone uses a randomly-generated Blur account for all of the behind-the-scenes activity described below. I would be *very* interested in trying this same test with more recent Motorola phones, because there's definitely the perception out there that Blur has been phased out, and I think it's much more likely that it's just the UI on their phones that's been changed, as opposed to removing the underlying Blur functionality. If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?...**.. Serius bikin penasaran klo bener iya apa ada hubungannya sama program us yang ngemoniting semua traffic internet ato emang datanya cuma buat motorola pribadi? yang bikin tambah penasaran jadi pengen ngecek apakah touchwiz or sense ada beginiannya juga ato gak ;p. -- == INDOSAT SUPER 3G plus http://www.indosat.com/**Personal/Internet/INDOSAT_**SUPER_3G_plushttp://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?**v=0u81L8Qpy5Ahttps://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google. Untuk berhenti berlangganan dan berhenti menerima email dari grup ini, kirim email ke id-android+berhenti berlan...@googlegroups.com . -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry
[id-android] Motorola Is Listening
ada yang udah pernah liat/baca artikel ini? http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html *Content preview :* In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel. If you're in a hurry, you can skip straight to the Analysis - email, ActiveSync, and social networkinghttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#Analysis1 section - that's where the most sensitive information (e.g. email/social network account passwords) is discussed. Update 2 (2013-07-02 @ 08:03) - potential device security concern I realized this morning that there may be a more significant problem. See Potential (untested) device security concernhttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#PotentialDeviceSecurityConcern, below. Update 1 (2013-07-02 @ 05:30) - Android, the Droid X2, and Blur This article has gotten a lot more attention than I expected. A clarification I'd like to make (because there seems to be a lot of confusion about this) is that *the Droid X2 does not use Motorola's Blur/MotoBlur user interface*. That's one of the reasons I picked that model specifically back in 2011 - it seemed to be running something very close to the stock version of Android. The email client, web browser, text-messaging app, and so on look like the ones that were included on the G1 I had previously, which is about as close to stock Android as you can get with a carrier-installed OS. Based on my research, it seems that they've all been modified to silently send data to and/or through the Blur web-service back-end, but there's no indication to the user that this is the case unless they do the sort of network capture that I did. There is no prompt to create or use a Blur user ID - the phone uses a randomly-generated Blur account for all of the behind-the-scenes activity described below. I would be *very* interested in trying this same test with more recent Motorola phones, because there's definitely the perception out there that Blur has been phased out, and I think it's much more likely that it's just the UI on their phones that's been changed, as opposed to removing the underlying Blur functionality. If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?. Serius bikin penasaran klo bener iya apa ada hubungannya sama program us yang ngemoniting semua traffic internet ato emang datanya cuma buat motorola pribadi? yang bikin tambah penasaran jadi pengen ngecek apakah touchwiz or sense ada beginiannya juga ato gak ;p. -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google. Untuk berhenti berlangganan dan berhenti menerima email dari grup ini, kirim email ke id-android+berhenti berlangga...@googlegroups.com .
Re: [id-android] Motorola Is Listening
Ini bukannya serupa kayak kasus treve vs ciq dulu ya? On Jul 3, 2013 4:49 PM, Yudhistira Dwi Putra yudhistira.d.pu...@gmail.com wrote: ada yang udah pernah liat/baca artikel ini? http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html *Content preview :* In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel. If you're in a hurry, you can skip straight to the Analysis - email, ActiveSync, and social networkinghttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#Analysis1 section - that's where the most sensitive information (e.g. email/social network account passwords) is discussed. Update 2 (2013-07-02 @ 08:03) - potential device security concern I realized this morning that there may be a more significant problem. See Potential (untested) device security concernhttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#PotentialDeviceSecurityConcern, below. Update 1 (2013-07-02 @ 05:30) - Android, the Droid X2, and Blur This article has gotten a lot more attention than I expected. A clarification I'd like to make (because there seems to be a lot of confusion about this) is that *the Droid X2 does not use Motorola's Blur/MotoBlur user interface*. That's one of the reasons I picked that model specifically back in 2011 - it seemed to be running something very close to the stock version of Android. The email client, web browser, text-messaging app, and so on look like the ones that were included on the G1 I had previously, which is about as close to stock Android as you can get with a carrier-installed OS. Based on my research, it seems that they've all been modified to silently send data to and/or through the Blur web-service back-end, but there's no indication to the user that this is the case unless they do the sort of network capture that I did. There is no prompt to create or use a Blur user ID - the phone uses a randomly-generated Blur account for all of the behind-the-scenes activity described below. I would be *very* interested in trying this same test with more recent Motorola phones, because there's definitely the perception out there that Blur has been phased out, and I think it's much more likely that it's just the UI on their phones that's been changed, as opposed to removing the underlying Blur functionality. If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?. Serius bikin penasaran klo bener iya apa ada hubungannya sama program us yang ngemoniting semua traffic internet ato emang datanya cuma buat motorola pribadi? yang bikin tambah penasaran jadi pengen ngecek apakah touchwiz or sense ada beginiannya juga ato gak ;p. -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google. Untuk berhenti berlangganan dan berhenti menerima email dari grup ini, kirim email ke id-android+berhenti berlangga...@googlegroups.com . -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google. Untuk berhenti berlangganan dan berhenti menerima email dari grup ini, kirim email ke id-android+berhenti berlangga...@googlegroups.com .
Re: [id-android] Motorola Is Listening
Wah yang mana tu om masih ada artikel nya gak? ketinggalan berita gw :D. Tapi apa CiQ ngirim data2 personal semacem ini juga kah? On Thursday, July 4, 2013 9:25:44 AM UTC+7, ray wrote: Ini bukannya serupa kayak kasus treve vs ciq dulu ya? On Jul 3, 2013 4:49 PM, Yudhistira Dwi Putra yudhistir...@gmail.comjavascript: wrote: ada yang udah pernah liat/baca artikel ini? http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html *Content preview :* In June of 2013, I made an interesting discovery about the Android phone (a Motorola Droid X2) which I was using at the time: it was silently sending a considerable amount of sensitive information to Motorola, and to compound the problem, a great deal of it was over an unencrypted HTTP channel. If you're in a hurry, you can skip straight to the Analysis - email, ActiveSync, and social networkinghttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#Analysis1 section - that's where the most sensitive information (e.g. email/social network account passwords) is discussed. Update 2 (2013-07-02 @ 08:03) - potential device security concern I realized this morning that there may be a more significant problem. See Potential (untested) device security concernhttp://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html#PotentialDeviceSecurityConcern, below. Update 1 (2013-07-02 @ 05:30) - Android, the Droid X2, and Blur This article has gotten a lot more attention than I expected. A clarification I'd like to make (because there seems to be a lot of confusion about this) is that *the Droid X2 does not use Motorola's Blur/MotoBlur user interface*. That's one of the reasons I picked that model specifically back in 2011 - it seemed to be running something very close to the stock version of Android. The email client, web browser, text-messaging app, and so on look like the ones that were included on the G1 I had previously, which is about as close to stock Android as you can get with a carrier-installed OS. Based on my research, it seems that they've all been modified to silently send data to and/or through the Blur web-service back-end, but there's no indication to the user that this is the case unless they do the sort of network capture that I did. There is no prompt to create or use a Blur user ID - the phone uses a randomly-generated Blur account for all of the behind-the-scenes activity described below. I would be *very* interested in trying this same test with more recent Motorola phones, because there's definitely the perception out there that Blur has been phased out, and I think it's much more likely that it's just the UI on their phones that's been changed, as opposed to removing the underlying Blur functionality. If you're still unsure why I think this is a problem, ask yourself this: if you bought a desktop PC running Windows, then discovered two years later that the hardware manufacturer had installed modified versions of standard Windows software like Outlook Express and Internet Explorer which - without any indication to the user - sent your passwords to, and routed other traffic through servers owned by the PC manufacturer instead of connecting directly to the actual websites and mail servers, would you be OK with it? If not, then why are you when it's a phone instead of a desktop PC?. Serius bikin penasaran klo bener iya apa ada hubungannya sama program us yang ngemoniting semua traffic internet ato emang datanya cuma buat motorola pribadi? yang bikin tambah penasaran jadi pengen ngecek apakah touchwiz or sense ada beginiannya juga ato gak ;p. -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google. Untuk berhenti berlangganan dan berhenti menerima email dari grup ini, kirim email ke id-android+berhenti berlan...@googlegroups.comjavascript:. -- == INDOSAT SUPER 3G plus http://www.indosat.com/Personal/Internet/INDOSAT_SUPER_3G_plus - ID-Android on YouTube https://www.youtube.com/watch?v=0u81L8Qpy5A Web Hosting, Zimbra Mail Server, VPS gratis Raspberry Pi : http://www.hostune.com Aturan Umum ID-Android: http://goo.gl/MpVq8 Join Forum ID-ANDROID: http://forum.android.or.id == --- Anda menerima pesan ini karena Anda berlangganan grup [id-android] Indonesian Android Community dari Grup Google.
