
There is this damn breathing noise I hear on the line every time I make a phone call from my cell.
What’s that? It was Paget and Nohl?
…oh!
From The Register:
At a hacker conference in Berlin that runs through Wednesday, the cryptographers said they’ve cracked the algorithm that determines the random channel hopping and have devised a practical means to capture entire calls using equipment that costs about $4,000. At the heart of the crack is open-source software for computer-controlled radios that makes the frequency changes at precisely the same time, and in the same order, that the cellphone and base station do.
“We now know this is possible,” said Karsten Nohl, a 28-year-old cryptographer and one of the members of an open-source project out to prove that GSM, the technical standard used by about 80 percent of the mobile market, can’t be counted on to keep calls private. The attack “is practical, and there are real vulnerabilities that people are exploiting.”
Ouch!
Yet another reason on the long list of “Why the hell am I not in Berlin?”.
For the full article read on.
Also, here’s where you can find a copy of the presentation at 26c3. And yes, the video of the preso is available on torrent sites.

OK, so this isn’t so much a security piece as a good laugh. Well, I guess if you factor in availability as a security angle then, yes, it counts.
From USA Today:
Internet speed and connectivity in Africa’s largest economy are poor because of a bandwidth shortage. It is also expensive.
Local news agency SAPA reported the 11-month-old pigeon, Winston, took one hour and eight minutes to fly the 50 miles from Unlimited IT’s offices near Pietermaritzburg to the coastal city of Durban with a data card strapped to his leg.
Including downloading, the transfer took two hours, six minutes and 57 seconds — the time it took for only 4% of the data to be transferred using a Telkom line.
Wow. How is that for a kick in the balls?

For the full article of bandwidth woe, read on.
(Original pigeon image used under CC from lordferguson’s Flickr feed)

In a weird moment on my train ride home this evening I saw something from the future.
Perhaps.
It was odd. As I got up to get ready to get off at my stop I noticed a gent sitting just to my right with his feet propped on the stairs. What caused me to take notice was the black MacBook he was using.
Hmm, just like mine.
Then I noticed what was on his screen. He was writing copy for a Bell Canada advertising campaign. Nothing overly exciting. That is, until he hit F9 on his keyboard and brought a graphic into focus. It was an iPhone ad for Bell Canada that is apparently scheduled for Q4.
WTF?
Sure enough, there it was. As I knew that I’d not be believed I snapped a pic. Sadly, the screen is washed out. But, from conversations with our own James Arlen it appears that Bell and Telus have been ramping up for 4G in a hurry and the new device might make an appearance on Verizon as well.
Not sure if this is in fact the case, but I do know that I saw it on his screen. Should really make things interesting in the Canadian mobile market. Might actually have *gasp* competition. Damn three year lock in.
And for those of you travelling on trains, planes and automobiles buses, please use caution when you open your laptops. Be aware of your surroundings. Get a bloody privacy screen for your laptops and FOR $DEITY SAKE DON’T PUT YOUR PASSWORD ON A POST-IT NOTE ON THE LID!
/rant off
Tags: Bell iPhone, iPhone 4G, iPhone 4G Canada

Well, a practice that got Canadian ISPs into hot water recently seems to have jumped the pond.
From Boing Boing:
Bell Canada, the national Canadian telecom, has been caught filtering P2P connections initiated by customers of its reseller ISPs — that means that if you start a funky little ISP in Toronto and buy a giant fat industrial pipe from Bell to serve it, Bell will secretly throw away your customers’ packets.
That was back last year. Now, fast forward to 2009. Dateline, London.
From BBC:
Britain’s biggest broadband supplier has been accused of limiting download speeds on its cheapest package without giving users a clear warning.
BT Broadband cuts the speed users can watch video services like the BBC iPlayer and YouTube at peak times.
A customer who has signed up for an up to 8 megabit per second package can have their speed cut to below 1Mbps.
A BT spokesman said the firm managed bandwidth “in order to optimise the experience for all customers”.
In Canada this type of behaviour prompted a significant backlash. I wouldn’t be surprised to see a similar result in the UK.

Earlier this week it was reported that a list of Comcast customers’ usernames and passwords, 8,000 entries long, was exposed on a public website for at least two months. A man by the name of Kevin Andreyo, who works as a professor at Wilkes University, came across the list while performing a search for his own personal e-mail address. The search dug up a website called Scribd, a document sharing site, that housed the list of 8,000 user names and passwords including Mr. Andreyo’s.
Reportedly the list had been viewed “over 345 times and downloaded 27 times.” This in and of itself is a relatively small number, but it means that the list is still out there and can be shared again or even added to.
A spokesperson for Comcast commented stating that the list contained only 700 active accounts and that the rest were either dead or not Comcast customers. She also stated she does not believe the breach came from within the company because the manner in which the list was created was sloppy.
Comcast can downplay this as much as they’d like, but it sounds to me like at least 345 people got their hands on a seriously dangerous resource. At the safest end of the spectrum of what could happen with this, people can add to their lists of known usernames and, more importantly, their lists of known passwords. I’ve seen what a wordlist compiled of actual passwords can do, and 8,000 attempts would fly by in less than 3 or 4 seconds.
Also if only a fraction of items on the list were Comcast customers, what were the other items customers of? Chase? Bank of America? AIG executives?
I guess it’s just a good thing that it was only up for two months, as far as we know, even though that is two months too long.
Tags: comcast, password leak, inadequate response, corporate bullshit

“Sometimes it feels like, somebody’s watching meeee”
Under the guise of protecting intellectual property, RIM has admitted that they record every phone call on company lines.
From CNET:
“Everything I have that’s on RIM is recorded and retained as RIM. So if they want to have a chat with somebody and it’s not a chat that’s within RIM’s domain, then they may want their own personal device,” she said.
When asked exactly whether it was conversations, rather than just written information she kept tabs on, Bienfait answered: “Everything. I record everything.”
It wasn’t a violation of privacy, according to Bienfait, who maintained the workers were aware of the surveillance: “They’re doing business inside of RIM. Everything they can say or do can be patented…We’re not violating anybody’s privacy. They’re aware that their information is transparent and in visibility.”
Most firms these days monitor their employees’ email and occasionally phone calls. RIM has gone for the full package. I understand, as do most, that communications may be monitored. But I wonder how this plays out from a legal aspect in Canada, not to mention in other countries where RIM has operations that have laws regarding taping conversations.

First off, -10 points for use of the word “cyber”. But, more importantly, it appears that the NSA is getting more work. The NSA, under the Bush junta administration, was leveraged to conduct monitoring of US nationals on somewhat questionable legal grounds. That being said, our American cousins have a new administration.
Well, it turns out that the NSA may apparently be taking on a greater role in the “war on packets”.
From Information Week:
“There are some wizards out there … who can do stuff. I think that capability should be harnessed and built on,” Blair said in testimony to the House intelligence committee.
Blair acknowledged that many Americans distrust the agency, which operated former President George W. Bush’s secret program of warrantless electronic spying on some Americans’ overseas phone calls.
“The NSA is both intelligence and military, two strikes out in terms of the way some Americans think about a body that ought to be protecting their privacy and civil liberties,” Blair said.
Fair enough. There needs to be a stronger presence for this in the US. But it can’t be left to run roughshod over everything either.
Worst quote from the piece, the NSA is the “greatest repository of cyber talent.”
Article Link (via The Intern)

Have you ever had to call 911 from a cell phone? Regrettably, I have. The most frustrating aspect of it was trying to explain to the operator where I was while simultaneously trying to figure out if my wife and I were still in one piece.
Location detection, fail.
Now some good news. Canada’s telecom regulator has dropped the hammer on cellphone companies and now they have a year to upgrade their 911 equipment.
From Globe & Mail:
Such technology is used widely in the United States, while dispatchers in Canada have struggled without it.
On Saturday, police in Manitoba searched for nearly three hours for two children stranded in a storm on Lake Winnipeg. The children dialed 911 after their father collapsed snowmobiling. Other callers have not been as fortunate.
In January, the body of 18-year-old Matt Armstrong was found in woods near Williams Lake, B.C., 10 hours after he called 911 for help.
I hope that we won’t hear any whining from the carriers on this, but I think that we may very well. Rogers has said they will start using the location technology this summer, but,
Bell Canada refused to comment on whether the deadline set by the CRTC is reasonable, but said it would work with the CRTC and emergency officials.
Indeed.

Bell Canada in its infinite wisdom saw fit to reduce the bills of some of its customers who had been hacked. The hack was a breach of the phone mail systems that would allow an attacker to access and use the voice mail as a relay to call, well, anywhere on the victim’s dime.
Or in the case of one law firm $207,000.
From CBC:
The law firm isn’t alone with the billing problem, but Bell Canada spokeswoman Julie Smithers calls the situation “really rare” and a “very old scam” that affects primarily business customers, although she said some residential consumers have been caught.
Here’s how Bell thinks it works: an automated dialer will target a specific phone number, and wait for the voicemail to respond. Then, the computer will go through standard voicemail passwords.
Once it finds the correct password — often a predictable number combination — the automated dialer will choose an option on the voicemail that allows it to make long-distance phone calls.
The part of this story that seems unclear is whether these customers were managed by Bell. If so, does that not point to an abject failure in Bell’s own password management as opposed to the customers’?
But she added “it is extremely important and it is the customer’s responsibility to put passwords in place that are difficult to guess.”
Hmm. But,
Bell Canada spokeswoman Julie Smithers calls the situation “really rare” and a “very old scam” that affects primarily business customers.
Business customers. Like the ones Bell manages? It’s not like Bell ever makes mistakes. How I loathe the spin.
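As an added example (not from the CBC article, Bell, or any voicemail vendor), here is the kind of policy check a mailbox administrator could apply so that the “predictable number combinations” the article describes are rejected before they are ever set; the default-PIN list and the extension format are constructed assumptions.

```python
"""Voicemail PIN policy check: flags the guessable PINs an automated dialer tries first."""
import re

# Constructed, illustrative list of "standard" voicemail PINs. Real vendor
# defaults vary; an operator would substitute the defaults for their own platform.
COMMON_DEFAULTS = {"0000", "1111", "1234", "4321", "2580", "1212", "0852", "123456"}


def _is_sequence(digits: str) -> bool:
    """True for straight runs such as 1234 or 6543 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def _is_repeated_pattern(digits: str) -> bool:
    """True when the PIN is one short group repeated, e.g. 1111, 1212 or 123123."""
    n = len(digits)
    return any(digits == digits[:k] * (n // k) for k in range(1, n // 2 + 1) if n % k == 0)


def pin_weaknesses(pin: str, extension: str = "", min_len: int = 6) -> list[str]:
    """Return the reasons a voicemail PIN is guessable; an empty list means it passes policy.

    `extension` is the mailbox's own number in any format (digits are extracted), since a
    PIN copied from the mailbox number is among the first guesses a dialer makes.
    """
    if not re.fullmatch(r"\d+", pin):
        return ["not all digits"]
    reasons = []
    if len(pin) < min_len:
        reasons.append(f"shorter than {min_len} digits")
    if pin in COMMON_DEFAULTS:
        reasons.append("known default PIN")
    if _is_repeated_pattern(pin):
        reasons.append("repeated digit pattern")
    if _is_sequence(pin):
        reasons.append("ascending/descending sequence")
    ext_digits = re.sub(r"\D", "", extension)
    if ext_digits and (pin in ext_digits or ext_digits in pin):
        reasons.append("derived from the mailbox's own number")
    return reasons


if __name__ == "__main__":
    for candidate, ext in [("1234", ""), ("4125", "416-555-4125"), ("739514", "416-555-4125")]:
        print(candidate, pin_weaknesses(candidate, ext) or "ok")
```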
So, whatever happened to the dinosaurs again?
(thx to Andrew Hay for pointing me to this article)

The EFF issued a challenge on Thursday to the blanket retroactive immunity that has been granted to telecom providers in the wake of the warrantless wiretapping.
From EFF:
In a brief filed in the U.S. District Court in San Francisco, EFF argues that the flawed FISA Amendments Act (FAA) violates the federal government’s separation of powers as established in the Constitution and robs innocent telecom customers of their rights without due process of law. Signed into law earlier this year, the FAA allows for the dismissal of the lawsuits over the telecoms’ participation in the warrantless surveillance program if the government secretly certifies to the court that either the surveillance did not occur, was legal, or was authorized by the president. Attorney General Michael Mukasey filed that classified certification with the court last month.
“The immunity law puts the fox in charge of the hen house, letting the Attorney General decide whether or not telecoms like AT&T can be sued for participating in the government’s illegal warrantless surveillance,” said EFF Senior Staff Attorney Kevin Bankston. “In our constitutional system, it is the judiciary’s role as a co-equal branch of government to determine the scope of the surveillance and rule on whether it is legal, not the executive’s. The Attorney General should not be allowed to unconstitutionally play judge and jury in these cases, which affect the privacy of millions of Americans.”
Interesting.
I wonder how this will play out in the waning moments of the current administration.
For the full piece read on.