How Long Was the iPhone Location Vulnerability Known?

I’m very intrigued by the Guardian’s piece iPhone keeps record of everywhere you go | Technology | guardian.co.uk but I’m wondering how new this information is, and whether other less transparent folk have already been using this gaping hole. Charles Arthur writes:

Security researchers have discovered that Apple‘s iPhone keeps track of where you go – and saves every detail of it to a secret file on the device which is then copied to the owner’s computer when the two are synchronised.

The file contains the latitude and longitude of the phone’s recorded coordinates along with a timestamp, meaning that anyone who stole the phone or the computer could discover details about the owner’s movements using a simple program.

For some phones, there could be almost a year’s worth of data stored, as the recording of data seems to have started with Apple’s iOS 4 update to the phone’s operating system, released in June 2010.

But it seems that folk on a forum have already been talking about it since January: Convert Iphone 4 Consolidated.db file to Google earth:

Someone called Gangstageek asked on Jan 6:

Is there a way to, or a program (for the PC) that can read the Consolidated.db file from the Iphone 4 backup folder and accurately translate the cell locations and timestamps into Google earth?

Other forum members helped him out. Indeed, an earlier forum, from November 2010, looked at the same file. kexan wrote on Nov 26:

We are currently investigating an iphone used during a crime, and we have extracted the geopositions located within consilidated.db for analysis. During this we noticed that multiple points have the same unix datestamp. We are unsure what to make of this. Its kind of impossible to be on several locations at once, and the points are sometimes all over town.

Going back even further, Paul Courbis wrote on his site (translated from the French), including a demo:

Makes it relatively easy to draw the data on a card to get an idea of ​​places visited by the owner of the iPhone..

I don’t have an iPhone so I’ve not been able to test this. But I’m guessing that this issue may have already been known for some time by some kind of folk. Indeed, there are tools in use by police and others that may have already exploited this kind of vulnerability.

23 Ways to Make a Better Pitch

There’s been quite a bit of to-ing and fro-ing in the light of a recent post by Charles Arthur of The Guardian (original post here; more discussion here) about journalists and PR pitches. So I thought I’d throw in a few ideas of my own, which rapidly expanded to 22 23. (Note to self: never write these in the morning before I’ve eaten.)

  1. Put a link to the product/company’s website in the press release or pitch. Really.
  2. Don’t duplicate the pitch (your contact list should be pruned of any duplicates, whether they’re different email addresses or not). It looks poor to get lots of emails from the same person. One email, one pitch.
  3. Make sure your contact list and press releases are geographically sound: Not everyone, amazingly, lives in the U.S. and cares about Texas.
  4. Drop the lame intros and get to the point.
  5. Leave out industry jargon.
  6. Don’t bury the significance or drown it in longwinded subordinate clauses.
  7. If you’re going to offer “an expert” to comment on a news event, be upfront about any possible conflicts of interest. We’ll find them eventually and we won’t be impressed.
  8. Don’t offer to write our story for us. It’s frankly insulting.
  9. If we try out your client’s product and have negative feedback, don’t take offense or try to persuade us otherwise. Instead ask permission to pass it onto the client. We like to think we’re experts, and while we’re probably not, getting into a debate about it with anyone less than someone big from the company is unlikely to sway us.
  10. Don’t try to win us over with the line “your rival has written about us! Maybe it’s time for you to!” It reveals only your ignorance about how journalism works.
  11. Put contact details on the press release that are helpful, including time zones. IM and Skype are legitimate communication tools: offer them. (But don’t pitch via them unless you know the reporter well enough.)
  12. Don’t leave out important information, such as the imminent launch of a new product in the range that will make the review of the soon-to-be-obsolete model we’re working on look silly.
  13. Don’t follow up with phone calls or a reminder email if you don’t get a reply to a pitch. If you don’t get a reply assume we’re not interested. Know how many press releases and pitches we get per day?
  14. If we do reply with interest, please respect our deadlines, time zones and preferred medium of communication. We’re not prima donnas (well a bit) but there’s a reason why we give this information. Whole days can get lost if you don’t understand that the whole world is not on Seattle’s timezone.
  15. If we request a particular expertise or subject, keep your pitch to that subject. It wastes everyone’s time to have to read through pitches that begin “I know you asked for an expert to comment on polar bears, but would be you be interested in talking to one of my clients about athlete’s foot?”
  16. Similarly, please don’t try to force a pitch to fit a request. “Your request for comment on polar bears made me think of my client Bob who doesn’t know anything about polar bears, but once went on holiday to Finland, which has lots of snow. He could comment on how snow is white, like polar bears.”
  17. Don’t think that writing a pitch as if it’s a done deal is going to make it any more likely to result in a sale: “When is a good time to set up a phoner with my client?”
  18. Never, never, call us out of the blue. Especially in the middle of the night. (Second reminder: not everyone in the world is on Seattle time.)
  19. If someone leaves your company make sure their email address patches through to whoever took over their job/accounts. Don’t let the email bounce back.
  20. Make sure you, and your clients, have updated About/Press pages that let us find contacts quickly and easily. And email addresses, too, please. No just offering a phone number, or a lame email form.
  21. If we do contact you out of the blue with a request, do please respond with more than a press release. Chances are our request doesn’t fit exactly what you’re working on, but that shouldn’t stop you from helping us, even if it’s only passing us on to someone else who might be better suited to help us.
  22. If such a request does not fall in your geographic area, don’t just leave the reporter hanging. (That’s you, Sony!)
  23. Not every request is going to follow exactly your launch and publicity schedule. Roll with it. The important thing is getting some coverage.

Journalists’ Responsibility Is To The Truth, Not The Cops

I have a lot of admiration for BuzzMachine who expresses better than most the changes underway in blogging and journalism, but sometimes I get depressed about how the blogosphere views journalists, and, frankly, how little they understand their profession. This would be fine, but the success of blogs (a good thing) sometimes engenders what feels like a moral superiority over journalists. That lack of humility is out of place in such a new, and fast-changing medium.

Take this post, for example, that calls on journalists to behave more like citizens and report criminal activities to the police, like NYT reporter Kurt Eichenwald turned in child porn web sites because it is the law. Jeff’s take:

I think the reporter who does not follow Eichenwald’s lead is in a riskier position: of allowing and thus even abetting crimes to be committed. And what does that tell the public about our role in our communities? What kind of citizens are we then?

As I understand it, Jeff is suggesting a journalist should report to the police if he or she believes a crime has been committed. He says that the only counterargument to this is that “sources – especially if those sources are the ones performing the criminal act – will not trust reporters and reveal information that should be revealed if they believe those reporters will not protect them and will hand them over to the authorities.”

This call gets the usual smattering of anti-MSM comments in agreement. But at least one commenter, Charles Arthur, editor of the technology supplement of The Guardian, sees the obvious hole in this one: “Sometimes journalists have to do things that involve talking to people who break the law in order to show society what it’s like. That doesn’t mean standing idly by while someone breaks into a store. But if the only way you can get to talk to someone about something is by promising that you won’t betray their trust, that can be the price of freeing up the information that person holds.”

But that’s not all. Journalists are not designed to operate as citizens, and it’s unreasonable to suggest that being a reporter means being a bad citizen. The problem with the suggestion is that it concerns itself with clearcut cases: It may seem irresponsible not to report a paedophile ring, but should I then report every case of apparent corruption I come across? Every spammer I interview? Every indication of corporate fraud I come across on my stock reporting beat?

The bigger point is that journalists are in a place to report, and occupy a place somewhere alongside the Red Cross in terms of neutrality. This may sound pompous if you’re not in a war zone, but if you are, that’s exactly where you’d like others to consider you. This is why press and their vehicles are clearly marked. You want both sides to consider you as an impartial observer; your life may depend on it. This is a core tenet of journalism, and is something bloggers should be embracing, not trying to dismantle. (In many countries if a journalist was seen to be cooperating so closely with law enforcement, their lives would be in danger.)

Furthermore, what law? If a journalist is considered by government and law enforcement agencies as a model citizen who shops every law breaker she/he comes across in his/her line of work, does that mean even controversial laws that the journalist is writing about? So interview a bunch of human rights illegally blocking a military runway, and you’ll have to turn them after the interview is over?

The bottom line is that we expect our journalists to go out there and talk to all the people we can’t talk to, because we’re here, we don’t have the access, we don’t have the background, we don’t have the time, and then distill their knowledge and, where applicable moral judgements, in a way that makes sense to us. Their eyes and ears are ours not because we want to hear what laws have been broken, but because we want to understand the essential truth of the situation. A family living on benefits in a tenement: We don’t want the journalist to report potential abuses of the benefit system to the police, we want to know why the family is having problems, and, hopefully what may be done to solve the problem.

Journalism is rarely to do with the law. It’s about much more than that. If we suddenly expect our journalists to be model citizens, whatever they are, we can only blame ourselves if they come back with a much smaller part of the story.