Building a ‘DIY NSA’ with the PwnPlug

What happens when an NPR reporter volunteers to get the NSA treatment at the hands of an ArsTechnica flack and Pwnie Express’ CTO?

They find that not only can they collect the to-be-expected unencrypted-but-sensitive data with a PwnPlug passively sniffing said NPR man’s home network, they can also snoop on a number of ostensibly secure services. No codebreaking necessary!

Thanks to Google’s panopti-cookies, for example, they can identify more or less what the ‘target’ is searching for even if Google itself uses HTTPS. Skype, too, had a bug which leaked good parts of his address book when it went to look up people’s avatar photos.

What’s more, his smartphone apps relentlessly ‘phoned home’ even when he didn’t think it should be doing anything. Both in terms of background apps, and background tabs which he’d forgotten to close.

While much of the rest is probably ‘ho hum’ to most of us, it’s a good reminder of just how fuzzy and messy security can be. You think, hey, this thing’s encrypted or whatever… and then it turns out, nope, it’s actually splashing kompromat all over the place like a bucket without a lid in the Baja 1000.

%d bloggers like this: