Sprint Faces Backlash For Adding MDM Software To Devices (csoonline.com)
itwbennett writes: On Wednesday, Sprint customer Johnny Kim discovered an in-store technician adding MDM software to his personal iPhone 6 without prior notice or permission. Kim took to Twitter with his complaint, sparking a heated conversation about privacy and protection. One expert who commented on the issue told CSO's Steve Ragan that 'it's possible Sprint sees the installation of MDM software as an additional security offering, or perhaps as a means to enable phone location services to the consumer.' But, as Ragan points out, 'even if that were true, it's against [Sprint's] written policy and such offerings are offered at the cost of privacy and control over the user's own devices.' (MDM here means "Mobile Device Management.")
Nice summary! (Score:5, Insightful)
Re: (Score:3)
Extremely helpful. I kept reading it as a misspelled Man (in) The Middle...and kept wondering what the D could actually stand for.
Sounds like I got the meaning correct, though.
Re:Nice summary! (Score:5, Funny)
Man in Da Middle
Re: (Score:2)
And I thought it was some sort of MoDeM software which would enable you to use your phone as a modem. :)
Re: (Score:1)
Concur.
Re:Nice summary! (Score:5, Informative)
I think you've forgotten how multidisciplinary Slashdot is. Hell if I've ever seen that acronym before.
Re: (Score:2)
Yeah....as I was reading the summary, I actually opened the link to the article (in a new tab) so that I could get a definition.......being as this is Slashdot, I was very surprised to see the definition of the term at the end of the summary (which is why I had opened the link).
Re: Nice summary! (Score:1)
That's something they teach in Editing 101, which you have to fail before becoming a Slashdot editor.
Re:Nice summary! (Score:5, Insightful)
Credit where it's due: adding the definition of "MDM" at the end was a nice touch for those not already in the know.
Perhaps, but going the extra step to define it for this audience is like having to spell out STD in a porn workers forum.
Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story? Doing it at the end does make it seem as if I am splitting hairs, which I am not; as long as the acronym was defined, I understand it.
Re:Nice summary! (Score:5, Funny)
Re:Nice summary! (Score:5, Insightful)
To be fair, it's not far from what is considered journalism today.
I mean, the difference between copy/pasting from other places to aggregate stories isn't that far from copy/pasting press agency reports and cutting it so the ad fits on the page.
Re: (Score:2)
It's only common within a subset of the community.
I've been a Slashdot reader forever; I own a smartphone; I have been a professional programmer since before they even had smartphones. But until I joined a group that actually had to interact with MDM software (I do email sync; we need to interact with policy managers to support Exchange ActiveSync policies), I had never heard of MDM as an acronym.
Re: (Score:2)
I have been a professional programmer since before they even had smartphones.
Too funny! Now get off my lawn...
Re: (Score:2)
Proper writing period, not just journalism. When you introduce acronyms in technical manuals, letters, newspaper articles, or even webpages then the correct usage is to write out the term on the first usage followed by the acronym in parentheses immediately after. From then on one can use the acronym.
While it was nice to have the acronym defined it was weird to do so at the end because it would have made the summary easier to read instead of having the uncertainty while reading the summary and then findin
Slashdot != Journalism (Score:5, Informative)
Isn't it proper journalism practice to define acronyms on their first use, then continue on using the acronym through the remainder of the story?
Slashdot isn't journalism. Slashdot is a debate forum that is kinda sorta vaguely topical. Nobody comes to slashdot for breaking news. They come to debate things and occasionally be informed with a viewpoint they might not have considered previously.
Re: (Score:2)
Re: (Score:2)
According to my university's "Women in IT" Group, it stands for "internet technologies" XD
Re: (Score:2)
Huh? I still don't know what MDM is without following that link. We're a bunch of engineers and high tech people, here, unused to the low tech social media smart phone culture.
Re: (Score:2)
Re: (Score:2)
Would that be std in, std out, or std err?
I mean I view a lot of porn so I should be qualified to understand but damned if I do.
I don't care how Sprint "sees it" (Score:3, Insightful)
It's not their devices and they should not be installing software without the express permission of their owners.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
It's not really the act of rooting that is the problem. It is the DMCA anti-circumvention law that makes circumvention as well as most collaboration and dissemination the problem.
Re: (Score:2)
Indeed, why can't you?
Re: (Score:2)
Who says you can't? Whether you have the technical means to do it or not is a different matter, but legality? No problems there.
Re:I don't care how Sprint "sees it" (Score:4, Interesting)
Re:I don't care how Sprint "sees it" (Score:4, Funny)
Re: (Score:3)
Are you installing a program on another person's computer, without his knowledge and consent, that will allow you to at any time take control of that computer again without his knowledge and consent?
That is not legal. That is how botnets work.
Re: (Score:2)
Sorry, but if you install software on my computer that allows you access to it without my explicit prior consent to this, rest assured that whether I just discontinue business with you or send my legal department after you depends only on whether or not you have a bigger legal department than me.
One thing is certain: You will not have me as a customer anymore.
It's Sprint's Now (Score:1)
Sprint recently changed to an "iPhone forever" lease plan where you lease the phone for $5 per month, plus additional undisclosed add-ons that make it actually $10 per month. But, you're leasing the phone. You don't ever own it.
They still offer you the option of buying the phone outright for ~$700 and no subsidy, if you want to "avoid paying them" the monthly lease rate.
Re:I don't care how Sprint "sees it" (Score:4, Insightful)
If it's Sprint's phone, then Sprint should be the one paying for it.
Re: (Score:3)
The times of "I pay for it so I own it" are gone. Today you gotta be happy if only your device is owned by some corporation and you still may decide what you do with your body.
Just wait 'til implanted technology becomes available, then this is gone too.
Re:I don't care how Sprint "sees it" (Score:5, Insightful)
If the phone is part of a contract you are paying for the phone over a number of installments. Paying for a car by using a loan doesn't make it the bank's.
The provider's terms don't make the phone theirs either. Just like signing up to an ISP doesn't make your computer belong to that ISP or by getting a license for your car doesn't make it belong to the government.
Re: (Score:1)
Everyone is blaming Sprint (Score:5, Insightful)
Re: (Score:3)
Except, it is a Sprint owned MDM and domain.
Any sufficient level of incompetence is indistinguishable from Malice. Which is the more likely scenario, Incompetence or Malice? Knowing Sprint Techs, Incompetence is my initial guess.
Now, if it was something out of Corporate, I would assume Malice. Just because it usually takes evil to get to the top of such organizations.
Re: (Score:2)
Re: (Score:2)
Here's the alternative: the technicians are so incompetent they don't know the meaning of individual steps and just do them by wrote, have no idea what the policy says, and don't give a fuck about your phone.
Essentially a malicious level of incompetence.
Re: (Score:1)
Sorry if I'm being a Nazi, I never know if someone just typo'd something or acutely used the wrong word, and if so if they would appreciate knowing the correct one or not.
Re: (Score:2)
Sir, I would love to commend you on reaching level 7 in your quest to be a full-fledged pedant.
And while your goal of offering enlightenment to others is commendable, I must caution you that pedantic behavior is, ultimately, a reward only to the one opting to exhibit the pedantry.
But, with great haste and alacrity I will endeavor to send my endorsement letter to the Counsel of Tedious Grammatical Endeavors. ;-)
Re: (Score:2)
You seem like you just need to learn to spot humor.
Not according to TFA (Score:5, Informative)
Isn't it more likely you have an unethical tech who is looking for future access to phones?
Reading the article (yea, I know) it seems Sprint gave him several different reasons why it was installed. None of which included rogue technician.
Re: (Score:2)
Dumbphone FTW (Score:1, Interesting)
Every time I want to upgrade to a smart phone I think back to the 1990s when I didn't have a cell phone. Then about issues like this.
Having a tiny portable phone in my pocket: $20.
Not having to treat it like a crotchety piece of IT equipment: priceless.
Great sentence structure, SprintCare! (Score:2)
Also - clearly he didn't fucking want it installed... Is it a new rule now that Customer Service just not read messages at all?
Re: (Score:3)
*after bashing tech's head in*
Didn't want to get beaten up? Let me know!
Re: (Score:2)
When did they start reading messages?
How to tell if you may have MDM (Score:5, Informative)
On your iPhone, go into Settings / General, select Profile, then look at the profiles that have been added. A stock iPhone has none. If you have an ISP who adds a cert that allows you to connect to their hotspots, you may see that here. If you have installed your company's MDM, perhaps a product like AirWatch, that will show up here. If you see something you don't recognize, that's when you need to do some research.
Inside the profile you can view the certs it installed. A WiFi cert will list what it can do: be wary if it includes a proxy.
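The same check can be run off-device when you have the profile as a .mobileconfig file. The following is an added example, not part of the original comment: it lists the payloads in a profile and flags MDM enrollment, added root certificates, and proxy settings. The sample profile, its display names and the example.invalid hosts are constructed for illustration.

```python
import plistlib

# Apple PayloadType identifiers that change who manages the device or sees its traffic.
RISKY = {
    "com.apple.mdm": "MDM enrollment, a remote server can send management commands",
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.proxy.http.global": "sends HTTP traffic through a proxy",
}

def extract_plist(data: bytes) -> bytes:
    """Signed profiles wrap the XML plist in a CMS envelope; cut the XML out.
    Heuristic: assumes the XML is stored contiguously, and does NOT verify the signature."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found")
    return data[start:end + len(b"</plist>")]

def audit_profile(data: bytes) -> list[str]:
    """Return one finding per payload that grants management, trust or traffic access."""
    profile = plistlib.loads(extract_plist(data))
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", ptype)
        if ptype in RISKY:
            detail = RISKY[ptype]
            if ptype == "com.apple.mdm":
                detail += f" (server: {payload.get('ServerURL', 'unknown')})"
            findings.append(f"{name}: {detail}")
        elif ptype == "com.apple.wifi.managed":
            # A Wi-Fi payload is routine unless it also configures a proxy.
            proxy = payload.get("ProxyType", "None")
            if proxy != "None":
                ssid = payload.get("SSID_STR", "unknown")
                findings.append(f"{name}: Wi-Fi network {ssid!r} configures a {proxy} proxy")
    return findings

# Constructed sample profile (hypothetical names and hosts), not taken from the incident.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Carrier Setup",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Hotspot",
         "SSID_STR": "ExampleHotspot", "ProxyType": "None"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadDisplayName": "Hotspot (proxied)",
         "SSID_STR": "ExampleHotspot2", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.mdm", "PayloadDisplayName": "Device Management",
         "ServerURL": "https://mdm.example.invalid/server"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print("FLAG:", line)
```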
Re: (Score:3)
Nor do I. The iPhone settings has a search feature. Doing this finds it, which is under settings/general -- but it is still not there. I'm not sure if it is hidden due to a snafu or malicious intent...
Re: How to tell if you may have MDM (Score:5, Informative)
Sprint clarifies the confusion (Score:3)
The technician misheard the customer; the customer said "I do NOT want to be ass fucked". The tech didn't hear the NOT.
Re: (Score:1)
The customer said "I DO NOT want that." The technician heard "I DONUT want that." Donuts are fucking tasty and hell yes everyone wants a donut, so of course he installed it.
I don't understand ... (Score:2)
At what point was the technician handling his phone, and what was he doing with it?
Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going to become unreasonable quite fast.
I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.
Surely he didn't walk into a Sprint store and hand the technician his phone, did he?
Re: (Score:2)
Don't you have to enter an iTunes password every time you go to install an app on an iPhone?
If so, then why would the user allow this app to be installed in the first place?
Re: (Score:2)
This shows how much I know about iPhones.
Thanks for the explanation.
Re: (Score:1)
Re: (Score:2)
At what point was the technician handling his phone, and what was he doing with it?
Because if I go in for you to add me to your network, and you start installing shit on my phone ... I'm going to become unreasonable quite fast.
I just can't quite figure out from the article how the technician came to be installing this in the first place; it was obviously in the middle of something else.
Surely he didn't walk into a Sprint store and hand the technician his phone, did he?
Every time I've bought a device from the network provider, I make them hand me the box, still shrink wrapped. I can insert the SIM, if it doesn't come with one, tyvm. They never hesitate to just give me the box. Sometimes they need to scan barcodes off the back, but that's about the extent of it. Of course, certain devices come with vendor spyware already installed at the factory.
Re: (Score:1)
I make them hand me the box, still shrink wrapped.
Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.
Re: (Score:2)
I make them hand me the box, still shrink wrapped.
Plenty of commercial places have the simple equipment and supplies needed to re-shrink wrap inventory. I'd never trust a 'wrapped box as factory-fresh.
Yes but you can tell if it has been factory reset when you turn the iPhone on.
I'm pretty sure that's not the case (Score:2)
without prior notice or permission
I'm pretty sure it says they can do that in your contract. You remember your contract right? The one you signed to get service? What do you mean nobody reads those? You didn't read the contract you signed???
While I agree that pulling shenanigans like this is not something I want from the people who I hired to give me phone service, I'm willing to bet they are not acting outside the law.
Re: (Score:3)
That's OK, I have an EULA on my phone which says you will not install any software without directly getting written permission, or I will give you an epic smackdown right there in the store.
I'm not acting outside the law either now.
Sorry, but this is installing software which gives them remote control of your phone without consulting you.
How's "computer fraud and abuse act" sound?
Re: (Score:3)
Re: (Score:2)
I had a friend who, when he bought software, paid with a check that had a note on the back saying that endorsing the check means a warranty of (IIRC) 100 hours mean time to failure. He always made it clear that the check said that, and never had a problem. Not that he had the money to sue anyone....
Re: I'm pretty sure that's not the case (Score:1)
Actually, that's wrong. I work for a company that develops MDM software, and what you can do to a smartphone is incredibly limited, especially non-Samsung devices and iPhones.
Firstly, the iPhone can never be touched or targeted directly by an MDM server, it can only relay information through Apple's Push Notification Services servers.
Secondly, Apple explicitly blocks any tool sets of access to contents of the device, including personal information. It is literally impossible to read that data on an iOS devi
Re: (Score:1)
Sixth, there is no means in any current MDM to enable or perform any type of screen sharing or access anything like cameras or other electronics.
Bottom line, MDMs are quite limited in their ability to do any snooping of any user data. The worst that can happen is someone issuing a remote erase command or device lock command. Nothing more invasive can be done.
How does TeamViewer's mobile app fit in with that? I'm guessing different because the user has to agree to some sort of pop-up?
Just curious. I know they advertise some of that functionality, but I never got around to demoing it.
Re: (Score:2)
This is why I love my country's consumer protection laws. Bits in consumer contracts that are "unusual" are not going to stick unless you explicitly point them out AND have the consumer sign that you did point out exactly this passage that is unusual.
And our judges tend to consider anything "unusual" that they're not used to. In other words ... well, you know how tech savvy the average judge is.
How to Check? (Score:1)
So, how can I check my Sprint iPhone 6s for such software?
Re: (Score:2)
How to tell if an iPhone, iPad, or iPod touch is supervised
https://support.apple.com/en-u... [apple.com]
Who Says It's A Sprint-Owned Domain? (Score:5, Interesting)
I'm going to go ahead and throw up a red flag. I don't think this is a Sprint owned domain. I think it's meant to LOOK like one, but I don't think it IS one.
$ dig +short sprint.net ns
ns1-auth.sprintlink.net.
ns2-auth.sprintlink.net.
ns3-auth.sprintlink.net.
$ dig +short sprint.com ns
reston-ns1.telemail.net.
ns2-auth.sprintlink.net.
reston-ns3.telemail.net.
reston-ns2.telemail.net.
ns1-auth.sprintlink.net.
ns3-auth.sprintlink.net.
The places Sprint hosts their "well-known" domains look remarkably like legitimate places. "wabaw.net", however?
$ dig +short wabaw.net ns
ns6.domainmonger.com.
ns5.domainmonger.com.
ns7.domainmonger.com.
ns8.domainmonger.com.
I'm going to propose a theory that the WHOIS data shows Sprint so that - if someone gets caught and folks go looking for someone to vilify, Sprint is the unwitting victim. But - in reality - it's sitting in some domain-registration that nobody official at Sprint has ever heard of, and someone's been building a network of phones that they control via MDM.
The MDM server is in Austria! (Score:2)
You have a good point:
$ host leon.webaw.net
leon.webaw.net has address 62.99.250.53
$ whois 62.99.250.53 ... snip...
netname: Schneid-GmbH
descr:
descr: Schneid GmbH
descr: Herbert Schneid
descr: PIRKA
descr: IPs statically assigned
country: AT
maxmind corroborates the information.
So... Sprint are putting control of your phone into the hands of someone in Austria. Nice going, guys!
Re: (Score:2)
Oh dammit. Ignore. I typo'd the host name :(
Re: (Score:2)
even worse. It's just a bunch of AWS servers....
$ host leon.wabaw.net
leon.wabaw.net is an alias for awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com.
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.213.59.154
awseb-e-a-awsebloa-saeaoerx3v7z-1299207820.us-west-2.elb.amazonaws.com has address 54.191.121.98
Bets on if the account info for that AWS account is fake?
Re: (Score:2)
Then why have several Sprint tech support personnel been 'aware' of the software that is installed?
Do you freak out when you see the domain names that Google uses for lots of stuff that in no way look like 'google' domains, but are for a fact Google domains? Trace route to www.google.com ... I think you'll lose your shit based on this post.
Just because you don't understand the shitty logic they used to pick a domain name doesn't mean it wasn't them, or an outsourced service they use.
Re: (Score:2)
That's not what I said. But you've constructed a wonderful strawman for yourself to knock down.
I said, let's recap:
- The domain servers they're using are not their normal domain servers and look nothing like them
- The domain registrar used for the MDM is not their normal registrar (and corporations don't generally have a bunch of parallel accounts for such things, they centralize)
- The service isn't hosted in their copious capacity but in a pair of anonymous AWS instances
As has been noted elsewhere in this
Buying direct? (Score:2)
So? You can't do jack sh*t about it. (Arbitration) (Score:2)
You can't sue. You certainly can't start a class action suit based on all the customers this was done to. You can elect to go to arbitration over it, however if the arbitrator rules against you you're likely going to have to pay for all of Sprint's costs related to the arbitration - including whatever price tag they pu
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Practically any company you've given your number to in the past 14 years might have decided to sell it to some scummy company, but it's extremely unlikely that it was Apple.
The various Apple license agreements are at http://www.apple.com/legal/ , I'd be interested to see what clause you think Apple has that would allow them to se
Re: (Score:2)
I was finally talked into getting an iphone when it was time to upgrade. So far I don't have any problems with the phone itself... but one BIG noticeable difference is every few weeks after using my new phone I get random calls from phone scammers/telemarketers.
Did you install the LinkedIn app on that phone?
Re: (Score:2)
Wow. To make up such nonsense. No wonder you had to post as AC.