Author: Martin

When I got my VDSL line installed at home about 3 years ago with a 25 Mbit/s downlink and a 5 Mbit/s uplink I wasn't actually quite sure for what I would use such high speeds. At the time, most servers could not deliver data at such high speeds anyway. This has changed in the meantime, however.

While for web surfing such speeds are still far beyond what is necessary today, there are a number of services that make good use of the available bandwidth by now. My online video recorder, save.tv, has been capable to send me the recorded videos at my full line speed for a while now. A full movie recorded from television at my home in just a few minutes. Also, downloading Linux distributions to experiment with are now usually also downloaded at full line speed.

The 5 Mbit/s in the uplink are also taken into good use in the meantime, for example for my private VPN at home to tunnel my mobile Internet connectivity from my PC for privacy and security reasons through my network at home. As all data goes through the uplink, the highest speed I can get over the VPN is not 25 Mbit/s but 5 Mbit/s. Still enough for most purposes but if it was any slower the solution would be far less usable for many purposes. Also, I sometimes have to share large files with other people and don't like cloud based solutions such as Dropbox for the purpose. Instead I store the files on my NAS at home and let the recipient access the files via https. Works perfectly and the 5 Mbit/s are put to good use for this service as well.

OS and program updates are now usually also delivered via content delivery networks and a 50 MB update is downloaded in a matter of seconds instead of saturating the line for many minutes. And finally, Skype video telephony also makes good use of a fast uplink, perhaps not the full 5 Mbit/s but at least 1-2 Mbit/s for very good video quality. With a 5 Mbit/s uplink, other services using the network simultaneously do not get in the way of the transmission.

And I've only talked about single use so far. When you have kids at home, each with a computer and other gadgets accessing the Internet, even such a link could become congested sometimes. Time to think about the next step and perhaps put some traffic shaping in place 🙂

Ever since Free has started as a forth mobile network operator in France, the three others are less than happy about it and are complaining about too much competition and too lower prices by their fourth competitor. But, I would argue, they are still far from the prices consumers enjoy in other countries. Here's a pretty interesting example:

When I'm in France I use a prepaid Internet access offer of Orange at the moment. 25 euros buys me 495 megabytes of data to be used within 2 months. In Austria, on the other hand, I get 1500 megabytes on a prepaid SIM valid for 12 months for only 20 euros. 495 megabytes in two months, vs. 1500 megabytes over 365 days for even less money. Quite a a difference I would say.

Every now and then I want to share large files with someone else and I am always a bit reluctant to use cloud based services such as Dropbox for privacy reasons. With a recent software update of my Fritz.Box VDSL router, I finally have all that is necessary to share files and directories right from that box with other people without the need for a dedicated device in my home network.

While my Fritz Box 7390 already contains half a gigabyte of Flash for user files I've decided to connect a USB flash drive via the USB port for extra storage. That doesn't take much extra power and provides a couple of gigabytes of extra storage. Sharing files is then as easy as copying the file from my PC to the the network drive via a Windows network share or via the web interface and then getting a unique download by simply clicking on a button in the web interface.

Links to files and directories individual, so I can share different files with different people. And for the other side, getting the file is as simple as clicking on the link. Just what I wanted for years without using a dedicated box for the purpose in my home network. And with the 5 Mbit/s uplink speed of my VDSL connection, even big files can be transferred over the Internet in a very reasonable amount of time.

Great, another cloud service replaced with my own infrastructure!

Already back in 2007 when I got my first HSDPA data card I was quite surprised how big the difference in terms of data transfer speed was when a mobile device's antenna was just moved by a few centimeters. In the meantime, better receivers and noise cancellation must surely have done away with this!? Turns out that this is not the case at all.

Recently, when being in the countryside with very weak network coverage, I managed to only get around 50 kbyte/s throughput with my 3G dongle and very unstable connections. But with some measurement equipment I finally found a spot in my room where I could get a sustainable and rock solid data rate of around 750 kbyte/s, i.e. around  6 Mbit/s (Dual Carrier 3G dongle…) in the downlink direction and around 3.5 Mbit/s in the uplink direction.

The screenshot on the left shows the remarkable difference (click on the picture to enlarge). The low throughput on the left half is in various spots in the room while the right throughput shows what is possible from one corner in the room. Just 15cm away and we are back at 50 kbyte/s. Remarkable!

Even with an old HSDPA category 8 dongle I could still get around 400 kbyte/s in the downlink direction. I did not quite expect that because that is more than half of what is possible with the dual carrier dongle, even though that category 8 stick does not have the same kind of interference cancellation techniques of the dual carrier stick. Again, something I did not expect.

Light Reading has recently posted an interesting article on how much power Voice over LTE calls draw compared to circuit switched calls today from a smartphone battery. In the report, Metrica Wireless is quoted with a power consumption measurement of a VoLTE call of 1358 mW compared to 680 mW of a circuit switched call over a CDMA network.

No further details are available so it's difficult to tell why the difference is quite significant in the device tested. It could be many factors such as a still non-optimized air interface use for voice over IP on both the network and the smartphone side. Also, there's an additional overhead in the smartphone itself for using the baseband processor for the radio transmission and the IP stack and voice compression on the application processor versus the standard circuit switched voice approach in which all processing is done in the baseband processor.

For people that mostly use their smartphones for non-voice related activities will probably not care very much. For those who make a lot of phone calls during the day, however, the difference will be quite notable.

The interesting thing to look out for now is by how much these initial values can be improved over time. And there is still some time left as there are only few VoLTE deployments and users so far and LTE network ubiquity in most countries is still far from GSM and UMTS.

While there is little incentive for European operators to think about LTE carrier aggregation at the moment, things might be different for US operators that have a couple of megahertz in one band and a couple of megahertz in another (relatively speaking to the large 20 MHz bands used in Europe). So I was a bit surprised when reading this whitepaper by Nomor research that points out that inter-band carrier aggregation is only introduced in 3GPP Release 11, which is not even yet out the door. In other words, we are at least 2 or 3 years away from mobile devices (and networks) that might actually be able to combine carriers in different bands. Very strange, I would have thought US carriers would have been more insisting to get this functionality sooner…

P.S.: The paper also contains interesting details on how a correct timing advance is ensured in inter-band carrier aggregations HetNet situations where antennas are distributed and connected via fiber links and timing advance to different component carriers can be different.

Femto cells have been a buzzword for many years in the industry. They might now have been renamed into small cells but in most countries they are not (yet) used. One way to use a femto cell is to patch coverage holes in private homes. Here, it may makes sense to restrict the use of the femto to family members. Other mobiles that see the femto and try to use it are then rejected and have to return to the macro network. There are several ways how that can be done and I always wondered which one is used in practice. Recently, I stumbled over this blog entry that describes an encounter with a femto in practice. This one used a Location Update Reject with Cause Code #13 (Roaming Not Allowed In This Location Area). This then triggers the return to the macro network. For further details, have a look at that post, it also contains other interesting thoughts about femtos in practice based on the authors observation.

When I watched a video on Youtube today I noticed that the page's URL was https://www.youtube.com…. Interesting, I thought, it's encrypted now! If the streams are encrytped too, that would have interesting implications for video caching and compression servers in some mobile networks as they would no longer be able to compress and scale videos.

So I ran a quick Wireshark trace to see if the streams themselves were encrypted, too. However, they were not. An interesting implication of this is that the user might get the impression that the session is secure. But as the videos are sent in the clear, it's actually not secure at all. From the outside, it is no longer possible to see what the user is searching for, but which videos are streamed are still visible and can be cached or modified or simply blocked.

As the unecrypted URL requests are requeted by the Flash player there's also no warning that there are "secure and non-secure elements on the web page", as browsers often display when web pages start mixing secure and non-secure content.

From this point of view, I am not sure that it is a good idea to use https for Youtube. It simply gives a wrong impression of security to the user…

A non-mobile book review today about a book that has taught me a lot about things that are quite relevant in mobile, too. After reading Zero Day about which I blogged here and after I had to come to the rescue to get rid of a malicious program on a friend's PC I decided it was time to learn more about the subject. After doing some research I got an ebook copy of 'Practical Malware Analysis – The Hands-on Guide To Dissecting Malicious Software' by Michael Sikorski and Andrew Honig.

After reading the first paragraphs I became instantly hooked and the material is well laid out from the simple to the complex. The authors first discuss static malware analysis which means having a look at a binary file from the outside with various tools without actually running it. All tools such as the virustotal website, strings, MD5 check, PEid, Dependency Walker, Resource Hacker and the IDAPro disassembler are available for free on the web.

Apart from the main goal about learning about how to detect and what to do about malicious programs, I was especially interested in the chapter on disassembly. It's been a long time since I last worked directly with assembly code and while I still knew the basics I looked forward to using the book also as a refresher course for this. Just looking at assembly programing from a theoretical point of view without having somthing practicable in mind for doing with it would not have been much fun. Malicious program analysis was the perfect use for an assembly language, processor internals and operating system details refresher.

The second part of the book then deals with dynamic analysis, i.e. actually running the malicious program to see what it does. My recent ventures into the virtual machine space paid out handily here as it's absolutely necessary to run malicious programs in a virtual machine with proper separation of host and guest operating system and separate Internet connectivity to ensure other hosts on the network can't be touched by the malware in case it decides to go viral. Also, a virtual machine comes in handy as snapshots of intermediate results can be saved and a clean environment can be restored after performing the analysis by simply deleting the snapshots. Again, all tools for dynamic analysis discussed in the book are freely available on the web.

The book also discusses how C and C++ code look like in assembly code. For me that was a highly interesting topic even outside of malware analysis as I always felt that this was kind of the missing link between my knowledge of higher level programming languages and the assembly world. Especially the inheritance part of C++ always had me puzzled of how that might look like in assembly code. All chapters, including this one has a learning section with sample code provided and it was often quite humbling to do the exercises after reading the chapter. It seemed so clear when reading about it but the real understanding came when actually doing the exercises and working with the code.

At some point I also started working on real malicious code, the stream to my email inbox supplies fresh samples that get past the network based malware scanner almost daily. With the tools and methods learned one can quickly see what the malware does, which files it creates, how it ensures that it is started automatically, how it calls home to the command and control server and how it downloads further malicious code. Once the virtual machine was infected it was also a good test bed to see how my arsenal of virus removal tools dealt with the issue and if all malicious files were found. Sometimes it was, sometimes it wasn't and only a try a week later with updated virus signatures removed the infection.

The hard part with real malicious programs is disassembling the code or running it in a debugger. All samples I got via email contained a multi-stage packer which helps the malware to better hide from antivirus software and also makes analysis of the code a lot harder. Some of the malware contained anti-debugging code which detects that it is looked at and then does something entirely different. Also, lots of packed code I was looking at also only used indirect function calls to the Windows API making it difficult to impossible to statically analyze it with a disassembler. All of these things are discussed in the book and in practice it takes a newcomer a lot of time to overcome.

Further topics discussed in the book, again including examples to dissect, are user space root-kits, kernel debugging, kernel root-kits, shellcode and 64 bit malware code. The book also goes into the details of how stack overflows are used to infect machines in the first place and also discussed countermeasures such as address space randomization and stack execution prevention. These make it harder to exploit a vulnerability but the book also discusses how black hats have found their way around these counter measures.

The one thing I was really surprised about, because I've never heard or seen this is how malicious programs run inside other running processes to hide themselves. This is called Process Injection and removes the Trojan horse completely from view. One real malware I examined copied itself into explorer.exe and the other one spawned a svchost.exe instance and lived in there. There are various methods how this can be done, again all described in the book and backed-up with sample code that can be analyzed and run for better understanding.

It's been a long review and I still haven't touched on all the points that I found interesting in the book. With some background into programming, Windows and how computers work in general, the book is easy to read and the example code sections always start with something easy and increase their difficulty towards the end. In other words a fully recommended read from a malicious code analysis point of view. If you want to learn more about how operating systems and computers work, looking at malicious code is just the practical thing for which you want to go through the general theory.

Before I close, some thoughts on technical books in ebook format vs. print: If I intended to read it only at home I would have ordered the print version. However, since I was traveling at the time and wanted to start with this topic right away I went for the Kindle version. While this was definitely beneficial for where and when I wanted to use it in terms of instant availability and not needing to carry a full book, I have to say that there's still a lot of room for improvement for reading a technical book on an ebook reader. Quickly jumping from one place in the book to another, going to the table of contents and back, taking notes and generally have a visual idea where some information might be found is very hard to come by in electronic version. I don't know if there is a perfect middle ground in the future but the ideal book for me doesn't weigh anything, is instantly available, i.e. downloadable, I own the binary file for lifetime, nobody can take it away anymore, it should be possible to jump through the book like in a print version combined with text search to find specific content, that would be it. We are still far away from this.

After my recent discovery that three mobile network operators in Germany now use Release 8 Fast Dormancy to reduce signaling overhead and power consumption of UMTS devices and  also to improve responsiveness to user input from a more power efficient state I wanted to dig a bit deeper to see how each one makes use of the feature. This post is about the network that uses URA-PCH instead of Cell-PCH like most networks do today as the more energy efficient state.

The difference between Cell-PCH and URA-PCH is that the mobile does not have to send a Cell-Update message whenever it moves from one cell to another. Instead, an update is only necessary when the mobile reselects to a cell that is in a different URA (UTRAN Registration Area, 3GPP TS 25.401). This saves signaling overhead and power when a mobile is located just between two cells and thus frequently switches between them. It is equally beneficial for fast moving users in cars or trains where mobiles select a new cell quite frequently, often several times a minute.

The big question for me was how large a URA actually is. Just one cell, several cells or even much bigger? As I am a frequent public transportation commuter, the answer was not too difficult to come by and actually quite surprising. On a 30 km trip on a train, all cells, and I estimate there are around 25-35 cells on that route (based on Cell Logger traces) are in the same UTRAN Registration area as I didn't observe a single update message being sent to the network. So an URA is quite large in that network, perhaps as large as a whole Location Area which usually includes a major city such as Cologne or Bonn and it's surroundings.

The downside, of course, is that for incoming data packets the mobile has to be paged not only in a single cell but in all cells of the URA. For devices not using the fast dormancy trigger mechanism on their side such as UMTS/LTE sticks, for example, this is not a big problem as the network timer to go to URA-PCH state (from Cell-FACH) is set to 30 seconds. For mobiles that are using the Release 8 Fast Dormancy Functionality (Signaling Connection Release Indication) things could be different. Triggering it too early could result in a state ping pong and frequent paging in all cells of the URA until all data has been exchanged. From my practical experience with the feature, however, that seldom happens.

To summarize: Using URA-PCH instead of Cell-PCH can be quite advantageous for network operators as no signaling required when the user moves. For the user URA-PCH has the advantage over Cell-PCH that less power is used for non user-data related signaling while they are in trains and cars. Let's see, perhaps it will be a growing trend.