顯示廣告
隱藏 ✕
※ 本文為 Knuckles 轉寄自 ptt.cc 更新時間: 2013-02-24 16:46:09
看板 Gossiping
作者 HYL (@EVERYWHERE)
標題 [新聞] htc仆街再一次:軟體捅漏洞.客戶個資如
時間 Sun Feb 24 11:57:15 2013



天遠律師事務所: http://0rz.tw/UVyDi
htc仆街再一次:軟體捅漏洞.客戶個資如糞土!
[圖]
「明亮之星,早晨之子啊,你何竟從天墜落?你這攻敗列國的,何竟被砍倒在地上」?【聖經.以賽亞書第14章第12節】 [...]... ...
 
NY Times      : http://0rz.tw/PhSz3

htc 仆街再一次:軟體捅漏洞.客戶個資如糞土!

「明亮之星,早晨之子啊,你何竟從天墜落?你這攻敗列國的,何竟被砍倒
在地上」?

舊約聖經以賽亞書第14章第12節的這段話,恰似htc的寫照。

曾經享有過短暫的成功,htc從上到下就已閃爍著驕矜與自滿。也就因此,近
年來屢次踐踏 股東權益 不說,最近一份Federal Trade Commission(美國聯
邦貿易委員會)的調查結果公布,我們才知道這家公司竟然連客戶的個資保護
,都膽敢不當一回事!


由於htc擅自移除了Android及Windows Mobile裡的個資保護機制,以致於手機
使用者的電話號碼、簡訊內容、瀏覽紀錄、所在位置、信用卡及銀行交易等等
極度敏感的資料,都處於能輕易被駭客取得的狀態;更不可思議的,是連自己
與他人的通話內容,都因為htc故意將安全機制移除之緣故,而可以被竊錄!
FTC消費者保護局的資深律師Lesley Fair表示「這家公司在設計產品時,根本
不把資安放在眼裡;它不測試自己手機軟體上潛在的安全弱點、不遵循在撰寫
程式時為業界通用的安全規範、而當對其漏洞提出警告時還根本不予理會…」
(“The company didn’t design its  products with security in mind,”
 Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer
 Protection, wrote in a blog post. “HTC didn’t test the software on
 its mobile devices for potential security vulnerabilities, didn’t
 follow commonly accepted secure coding practices and didn’t even
 respond when warned about the flaws in its devices.”)

 htc逼不得已,只好同意FTC的要求,在往後20年間,其手機都必須接受獨立專
業機構的資安檢查。

我們不知道嚴凱泰和王雪紅究竟交情深到什麼程度,得公開痛罵Apple的使用者
王八蛋。現在htc蔑視手機個資保護的醜聞曝了光,恐怕用宏達電的人,才會赫
然發現自己在莫名其妙之下所有敏感個資都被惡意軟體公開,而變成了王八蛋。

個人資料保護法第22條第1-4項規定「中央目的事業主管機關或直轄市、縣(市
)政府為執行資料檔案安全維護、業務終止資料處理方法、國際傳輸限制或其
他例行性業務檢查而認有必要或有違反本法規定之虞時,得派員攜帶執行職務
證明文件,進入檢查,並得命相關人員為必要之說明、配合措施或提供相關證
明資料」、「中央目的事業主管機關或直轄市、縣(市)政府為前項檢查時,
對於得沒入或可為證據之個人資料或其檔案,得扣留或複製之。對於應扣留或
複製之物,得要求其所有人、持有人或保管人提出或交付;無正當理由拒絕提
出、交付或抗拒扣留或複製者,得採取對該非公務機關權益損害最少之方法強
制為之」、「中央目的事業主管機關或直轄市、縣(市)政府為第一項檢查時
,得率同資訊、電信或法律等專業人員共同為之」、及「對於第一項及第二項
之進入、檢查或處分,非公務機關及其相關人員不得規避、妨礙或拒絕」。


htc從台灣之光,變成台灣之恥。政府倘若再不對宏達電依法進行上述檢查,確
認其已經為所有賣出的手機填補軟體漏洞、而杜絕個資被盜的風險的話,我們
非但不建議買htc的手機,恐怕還應該暫時別打電話給htc的手機使用者。您總
不希望原本以為只有天知地知你知我知的商業會談或私密傳情,都變成了茶餘
飯後的談話頭吧?


HTC Settles Privacy Case Over Flaws in Phones

[New York Times, By EDWARD WYATT, February 22, 2013]

【另可參考FTC官方文件 /PCMagazine 之報導】

WASHINGTON — More than 18 million smartphones and other mobile devices
made by HTC, a Taiwanese company that is one of the largest sellers of
smartphones in the United States, had security flaws that could allow
location tracking of users against their will and the theft of personal
information stored on their phones, federal officials said Friday.

The flaws affected HTC’s Windows-based phones. The Federal Trade
Commission charged HTC with customizing the software on its Android-
and Windows-based phones in ways that let third-party applications
install software that could steal personal information, surreptitiously
send text messages or enable the device’s microphone to record
the user’s phone calls.

The action is the first attempt by the commission to police a
manufacturer of mobile devices. As smartphones and tablets become a
common way for consumers to shop, bank and chat online, personal
information and privacy will need to be guarded.

HTC America, based in Bellevue, Wash., agreed to settle the civil
suit with the commission by issuing software patches that close the
security holes, and by creating a security program that will be
monitored by an independent party for the next 20 years. The F.T.C.
does not have the authority to assess fines in consumer protection cases.

“The company didn’t design its products with security in mind,”
Lesley Fair, a senior lawyer in the commission’s Bureau of Consumer
Protection, wrote in a blog post. “HTC didn’t test the software on
its mobile devices for potential security vulnerabilities, didn’t
follow commonly accepted secure coding practices and didn’t even
respond when warned about the flaws in its devices.”

An HTC official said Friday that the company had already started to
update its software and distribute it to users of some, but not all,
of the affected phones.

“Working with our carrier partners, we have addressed the identified
security vulnerabilities on the majority of devices in the U.S.
released after December 2010,” Sally Julien, an HTC spokeswoman, said
in a statement. “We’re working to roll out the remaining software
updates now and recommend customers download them once available.”

“Privacy and security are important,” the statement added, “and we
are committed to improving practices that help safeguard our customers’
devices and data.”

The trade commission charged that the security flaws resulted from
HTC’s modifying the operating system software used on most of the
affected phones. In the case of Android, created by Google, the system
is designed to protect sensitive information and phone functions through
what is known as a permission-based security model.

That requires a user, when installing an application that is not a
standard part of the operating system, to be notified and to agree
that the application could gain access to certain information or
functions.

HTC, however, preinstalled certain apps on its phones in a way that,
in addition to preventing consumers from removing them, disabled the
permission-based model and allowed newly installed apps to have
immediate access to personal data.

“The analogy isn’t exact,” wrote Ms. Fair of the F.T.C., “but it’
s like giving a friend the combination to a safe only to find out he’
s handing it over to anyone who asks.”

That security hole could, for example, let the rogue software secretly
record users’ phone conversations or track their location.

Flaws in the security system could also give third-party apps access to
phone numbers, contents of text messages, browsing history and information
like credit card numbers and banking transactions. Those flaws also
affected HTC phones that used Windows-based operating systems.

While HTC’s actions introduced numerous security vulnerabilities to
its phones, a commission official said it was not clear how many
users experienced illegal incursions into their phones and personal
information.

The flaw in the company’s phones has been known since at least 2011.
HTC acknowledged the problems at that time and developed software
patches for at least some of the deficiencies that year.

But the problems were far from minor. The F.T.C. said that text-message
toll fraud, in which a hacker causes a phone to send text messages to
a number that charges the user for delivery of the message, “is one
of the most common types of Android malware,” or malicious software.

HTC’s user manuals either said or implied that a user was protected
against malware because of the permission-based security, the commission
said.

The commission will collect public comments on the proposed remedies for
30 days, after which it will decide whether to formally carry out the
order. If HTC subsequently violates the order’s restrictions and
requirements, it faces civil penalties of up to $16,000 a violation.


--
鹽總裁表示:王八蛋

--
--
※ 發信站: 批踢踢實業坊(ptt.cc)
◆ From: 36.231.40.60
corlos:中國手機不重視資安,有什麼好意外的1F 02/24 11:58
Jason0813:先幫你補血 等一下就來了2F 02/24 11:58
coon182:這是新聞?3F 02/24 11:58
kahgf:抓到了!!!4F 02/24 11:58
meredith001:支那手機不意外 ㄈ粉護航倒數計時 5.4.3.25F 02/24 11:59

簡易版的內容如下:原文是 FB 看來的

「再提醒大家一下,htc的微博app,除了出廠就幫你裝好,自動啟用,不可
  移除外,還把微博程式的權限設成:

    可以存取你的個人資料
    可以讀取修改你的聯絡人
    可以讀取寫入你的通話記錄
    可以存取你的簡訊
            你的位置
            你的完整網路存取權
            你的sd卡
            你的照片
            你的錄音
            你的手機狀態

  這一切都沒有經過你的同意,而且權限不能修改!
  只要你買了用了手機,背景程式就可將你的所有資料送進解放軍的資料庫!
 」
※ 編輯: HYL             來自: 36.231.40.60         (02/24 12:04)
del680202:勸你不要小看哥的HTC6F 02/24 12:02
motan:這是哪家新聞?7F 02/24 12:02
query:監聽正夯8F 02/24 12:03
ANOTHERK:中國品牌 不意外9F 02/24 12:03
thisisnobody:有NY TIMES新聞10F 02/24 12:04
hachime:h迷快來護航!!!!11F 02/24 12:07
f1234518456:內建92共識 你不爽ㄇ12F 02/24 12:09
chenyeart:哪有app不給移除的?  (查了一下) 告非還真的不給移除!!13F 02/24 12:10
ian90911:我馬上打開來查 結果真的只有強制停止 停用 不能移除...14F 02/24 12:12

   System App 都是不可以移除的阿,所以內建程式的資料安全性很重要,
  直接把客戶的資料安全,全送給了外部的商家的公司,只能說心臟很強,
  要是第三方 App出了包,責任是要一起擔的阿
※ 編輯: HYL             來自: 36.231.40.60         (02/24 12:16)
Iser1ohn:……@@a" 內建軟體除了root以外不給移除不是正常的嗎?15F 02/24 12:15
balberith:http://ppt.cc/wXPo 這應該是相關新聞16F 02/24 12:17
HTC尋求就安全漏洞指控與美國FTC達成和解_新聞_鉅亨網
[圖]
北京時間2月23日下午消息,HTC美國周五宣佈,將與美國聯邦貿易委員會(以下簡稱“FTC”)就有關其設備存在安全漏洞的指控進行和解。, ...
 
mailismine:反正會買的人,腦子都...17F 02/24 12:17
SuperUp:真的內建92共識!還以為嘴砲而以!18F 02/24 12:17
winiS:企業文化如此 習慣就好=w=~19F 02/24 12:18
runa2:我用sony的內建微薄可以刪除阿?20F 02/24 12:21
koko0:ㄧ則讓迷迷溫馨的新聞21F 02/24 12:22
donotrefuse:每支HTC手機都是中國網路長城的一塊磚22F 02/24 12:25
vincent0911x:迷迷快來護航阿~~23F 02/24 12:27
zukidelko:先幫你補血 H迷等下會說你是月月鳥24F 02/24 12:28
keineAhnung:迷迷還沒來崩潰喔25F 02/24 12:28
mathrew:就中國手機啊, 不是很正常嗎?  鄉民酸屁啊26F 02/24 12:29
wak:可不可以刪是他們決定的 所以sony可以 不保證htc可以27F 02/24 12:29
worf:內建微博 果然是中國人的品牌28F 02/24 12:30
styleppt:之前批三星安全漏洞的h迷.....29F 02/24 12:31
aven01:太扯30F 02/24 12:48
lichopin:真假~蝴蝶機還挺吸引人的~看來只好放棄了31F 02/24 12:49
dashonyu:Sony三星也都內建微博,原來也通通是中國品牌32F 02/24 13:00
mdfh:其實apple也內建微薄 所以jb後第一件事就是移除他33F 02/24 13:00
mira5:真的假的 好可怕…34F 02/24 13:01
westfour:設定→應用程式→管理應用程式→fb→可以存取你任何東西35F 02/24 13:04
westfour:哇 amazing  大家快把facebook移除
westfour:根本ㄏㄏ
mdkn35:你一定是月月鳥泰派來der38F 02/24 13:09
kene:看內文是講HTCLogger的事情, 這洞2011年就補起來了吧39F 02/24 13:10
mdfh:facebook看光沒差阿 但是就不想給微薄看40F 02/24 13:12
winff:41F 02/24 13:14
MarsZ5:fb用不用取決在我,微博強迫要用。這是何居心?42F 02/24 13:25
moonlightz:月月鳥泰的味道~~~43F 02/24 13:30
carbine:鳥泰文筆太好,可以說中文嗎??44F 02/24 13:31
austin8210:轉錄至看板 MobileComm                                02/24 13:33
whizz:    這就是內建92共識啊!!! 幫助中國拿資料  錯了嗎???45F 02/24 13:39
kene:存取權限很大是一回事, 但我沒看到強迫要用啊 哪隻會這樣啊46F 02/24 13:43
Iser1ohn:……「背景程式會直接送給解放軍」這是怎麼連結的?47F 02/24 13:47
chienk:絲毫不覺得意外...中國品牌48F 02/24 13:53
goshfju:就說是中國手機了49F 02/24 13:53
ReDmango:一點程式常識都沒有50F 02/24 13:55
Asucks:超痛恨htc一堆內建無法移除的程式51F 02/24 13:55
ReDmango:三星 SONY ASUS哪家沒有內建不能移除的程式? 有點常識52F 02/24 13:57
ReDmango:並且只要root沒有刪不掉的東西
siroman:內建92共識不意外54F 02/24 14:01
triop:2011年已經解決的事情為什麼NYT會在2013年報導呢?55F 02/24 14:12
iMANIA:HTC意外嗎56F 02/24 14:19
mkiWang:穿越時空的文章?2011的事還在講57F 02/24 15:07
widec:真‧內建92共識58F 02/24 16:41

--
※ 看板: Gossiping 文章推薦值: 1 目前人氣: 0 累積人氣: 1567 
分享網址: 複製 已複製
( ̄︶ ̄)b herbertking 說讚!
1樓 時間: 2013-02-24 13:20:49 (台灣)
  02-24 13:20 TW
之前砲打三爽安全漏洞的HTㄈ粉,這下子哭哭了...
2樓 時間: 2013-02-24 20:40:49 (台灣)
  02-24 20:40 TW
HTC迷果然跑出來護航了!!!不意外!!
e)編輯 d)刪除 ^x)轉錄 同主題: =)首篇 [)上篇 ])下篇