Author: Martin

When Products Fail With Long Passwords

I have two Wi-Fi enabled printers in my network and both have a web server for configuration. So far, I didn't set a password on neither of them but I thought it might be a good idea to do so lately, with interesting results:

As I like long passwords for security reasons I chose a 20 digit password, which at first seemed to work. No error messages when setting the password. But when accessing the printers again, neither would allow me to log on with my 20 digit password!? After some trial and error I established that I could access my HP Photosmart C7280 when only using 16 digits of the initial 20. The same with my brand new Samsung ML-2525W which only let me back into the menu when I only used 18 digits of the original password. Now there are four things that are very wrong with this:

  1. The password length is too short.
  2. It seems the passwords themselves are stored and not a hash value, thus creating the problem. Very unsave to store the password and not a hash value by the way…
  3. Why was there no error message that the password was too long?
  4. There is no delay between two login events, so a brute force attack is possible.

If I were daring, I'd try special characters in the passwords now… But I spare myself the trouble.

Rise and Resurrection of the 2D Barcode?

2d-barcode 2D barcodes for mobile use have been on the horizon for at least half a decade. My first blog entry on the topic I could find with a quick search seems to be from 2006 and I have pretty much given up on the idea seeing a breakthrough anytime soon just this year. And just when I've put the idea out of my mind, they seem to be resurfacing quite massively. A case in point is the picutre on the left which I have recently taken in Cologne. They can't get any bigger than this, can they!? When looking a bit around in that neighborhood I noticed a few more 2D barcodes on a billboards and also restaurants (with links to their Facebook account or website). Looks like the advertisement industry keeps pushing.

A Paper on Fast Dormancy From the GSMA

Fd-paper One of the things the original UMTS did not take into account were mechanisms to allow mobile devices to reduce their power consumption when they come to the conclusion that for the moment, physical connectivity to the network is no longer required. This has led to a significant reduction of battery autonomy with the rise of bursty applications such as push email. As a result, device manufacturers started to become creative with the 3GPP specs and used a mechanism referred to "Signaling Connection Release Indication" not quite as it was originally intended to cut the physical connection to the network. 3GPP then caught up and specified an enhancement of this procedure in 3GPP Release 8, which brings improvements for both mobile devices and networks over the initial non standardized solution.

So what are those enhancements and what are the benefits? I've discussed this topic at length over quite some time on this blog such as here, and I think that in combination with the Continuous Packet Connectivity features as described here, battery performance, network signaling and network capacity can be improved significantly today and in the future. As the topic is quite hotly discussed in the industry from various points of view, the GSM Association has set out to assemble a freely available technical white paper that contains a consolidated view of both network operators and manufacturers on the topic. In the 23 pages of the white paper that can be found on the GSMA website in the technical documents section, the technical background is explained in depth including the impact of other features and settings on mobile power consumption. An interesting read no matter whether you work on the mobile device side or the network side of things.

And a small disclaimer at the end: I was part of the team working on the paper and I am happy to recommend it as I in my opinion it contains a fair and balanced view in addition to all the technical details that can be found in it. Enjoy!

The USB Cable Ensures Connectivity – Again

The-cable-again
It's amazing at how many places I go where 3G coverage is barely available at the window of a room but not inside. The situation hasn't really changed all that much in many years. And every time I am glad I have that USB extension cable with me to put the 3G USB stick at the window while working somewhere else. Or, in case I have several devices with me requiring Internet access, the same trick helps with a 3G/Wi-Fi bridge such as this one when the power plug and the window are not in the same place…

Resurrection of the Camera – Big Time?

One of the things I noted on a recent vacation was not only how many people these days use their camera phones to take pictures but also how many people are now carrying dedicated cameras again. No, not the small point and shoot ones, the big SLR type cameras, heavy as they are. Interesting that now that camera optics and software have become so good on mobile phones to replace an extra camera people are willing to carry heavy and big cameras for the extra quality (or just for the zoom and night shot capabilities?). Agreed, SLR cameras are now cheaper than ever but it doesn't make them any lighter to carry.

Thoughts on RRC Settings in Italian 3G Networks

I've been in Rome recently for a week and I noticed that on Vodafone and TIM's 3G networks the experience on my mobile phone was quite bad. Quite often when clicking on a link the page would not load in any reasonable amount of time. When switching to their GPRS networks page load times with Opera Mini where good so my problem likely resulted from some air interface issues. On Tre's 3G network, my device performed flawlessly so they must do something different to Vodafone and TIM. To see where my problems came from I therefore decided to take a closer look at how the radio network state changes where configured. Here's the result:

TIM:

DCH timer: < 5 s
FACH timer: 75 s
Final state: idle

Vodafone:

DCH timer: < 10 s
FACH timer: 45 s
Final state: cell-pch

Wind:

DCH timer: < 3 s
FACH timer: 75 s
Final state: idle

Tre (3IT):

DCH timer: < 5 s
FACH timer: 60 s
Final state: idle

When compared to network settings in other countries such as Germany, for example, I was quite surprised about the very long FACH timers. In Germany, those timers are much shorter, and in the range of 15-20 seconds to conserve battery power in mobile devices. Beyond 30 seconds, they are a huge energy drain and really, Fast Dormancy is a mandatory self defense mechanism against such settings…

Concerning Fast Dormany, I am at a loss when it comes to Vodafone Italy's settings. Why is there a 45 seconds Cell-FACH phase when the network then transitions to Cell-PCH instead of Idle. Cell-PCH combines the advantages of low battery consumption with fast data transfer resumption with less signaling in the network to reestablish the connection so such a long Cell-FACH phase seems very unnecessary (for details see the Fast Dormancy link above).

On Wind's network I found the Cell-DCH timer of 3 seconds or perhaps even a bit less quite surprising. In practice this means that the connection frequently changes between DCH and FACH, resulting in an inferior web browsing experience, as each time the state is changed, the transmission is interrupted and packets have to be queued. I noticed this when surfing on my pad as pages loaded much slower than they usually do, especially if they contained content that took a bit of time to be downloaded. Wind as furthermore set the thresholds in a way that the DCH is not kept if only little data flows. So a default "ping" will not keep the connection in DCH state. Only a ping packet size of around 500 bytes had the desired effect. Again, I am wondering why they are doing this!? Are they having problems with the number of concurrent connections in DCH state? It surely can't be to conserve power on the UE side. Time to buy some more DCH licenses guys instead of crippling the performance of your network!

While all of this is very interesting it does not explain why web pages are often not correctly loading after pressing a link on Vodafone and TIM. I therefore suspect that it has something to do with the UE and networks having an interoperability issue when changing between the different states and/or perhaps carrier frequencies, since both have two 5 MHz carriers deployed. Difficult to tell without a deep drill down. So during my stay, Tre.it became my favorite roaming network in Italy and I am glad about manual network selection.

Project Gutenberg on the Tablet

Quick tip of the day: If you are into classic books and want to read them on a tablet/pad/mobile you can of course always download them via one of the dedicated ebook stores and use their proprietary reader apps. But there's also an open alternative, as many of those classics are available for free in PDF or ePub format due to the expired copyright via the Project Gutenberg website. And with reader apps such as "Cool Reader" for example, I find the reading experience quite enjoyable.

Google Maps – Offline in a 10 Mile Radius Only

A couple of weeks ago, first reports emerged that Google is in the process of offering an offline component for their great maps application. This was at first great news to me as one of the things that keeps me with Symbian is the availability of Nokia Maps and navigation that can be used in full offline mode with maps of full countries and continents downloaded to the device in advance. Anything else is simply not affordable with steep data roaming tariffs. After Google's latest maps release with offline capabilities, however, I am quite disappointed. Only strips of 10 by 10 miles can be downloaded for offline use and no car navigation is possible even within this limited area as reported by the NY times here. No good for me.

IPv6, 6to4, Ubuntu and Windows 7

Last week I got a software update for my VDSL Router at home which included IPv6 functionality. Very nice, so finally I could finally get some hands-on IPv6 experience. Here are some of my findings of this exercise:

6to4 Tunnel Setup on the VDSL Router

As my network provider does not yet offer IPv6 natively, I decided to activate the IPv6 6to4 tunnel option on the VDSL router which then gets an IPv6 address space and redistributes that into the local network. Each device in my home network that is IPv6 capable can then assign itself a public IPv6 address out of that pool. Very easy to set up with nothing but to configure the router and then let my Windows 7 and Ubuntu machines grab IPv6 addresses automatically.

IPv6 Firewalling

As the local machines now have public IPv6 addresses they can be reached by any outside node. As this might be a security risk, the VDSL router also has a built in IPv6 firewall and any unsolicited incoming IPv6 packets are discarded unless allowed via a configuration table. In effect, this is a similar scheme as the individual incoming port forwarding of traditional IPv4 NAT (Network Address Translation) but with fewer potential application issues, as IP addresses and TCP/UDP ports don’t have to be mapped.

Allow IPv6 use in Firefox again

You might remember that some time ago, I wrote a post of how to disable IPv6 DNS support in Firefox to speed up web loading times. For details see here. Obviously, that this needs to be disabled again when you have real IPv6 connectivity and want to make use of it.

Ubuntu – Activate IPv6 Privacy Extensions

Strangely enough unlike Windows 7, Ubuntu doesn’t have the IPv6 privacy extensions enabled by default. With the feature, the host part of the IPv6 address is changed regularly to ensure that a particular device can’t be identified over days based on the IP address. To enable the feature, the following to lines need to be added to /etc/sysctl.conf to activate it for the Wi-Fi (wlan0) interface:

  net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.wlan0.use_tempaddr=2

To see the privacy extensions in action, i.e. to verify that the interface has now several global IPv6 addresses the “ip -6 addr” command is quite helpful.

Ubuntu – Prefer an IPv6 address of a 6to4 tunnel over IPv4

Another thing that stands in the way of is that IPv6 addresses generated out of 6to4 tunnels are recognizable by hosts. This means that in case a website offers both IPv4 and IPv6 connectivity, IPv4 will be preferred by the operating system. This makes sense as the IPv6 packet is tunneled and hence performance with IPv4, which is not tunneled, is likely to be better. However, there is a way to change this preference and make IPv6 addresses of 6to4 tunnels preferable to IPv4 addresses. This is done by uncommeting following lines in /etc/gai.conf:

label ::1/128         0
label ::/0               1
#label 2002::/16    2
label ::/96             3
label ::ffff:0:0/96  4
label fec0::/10       5
label fc00::/7         6
label 2001:0::/32    7

Ensure that the label for 2002:: remains commented! Afterwards, a reboot is required. For details see RFC 3484 chapter 2.1 (Policy Table).

Windows – Prefer an IPv6 address of a 6to4 tunnel over IPv4

The same preference of IPv4 over 4to6 IPv6 applies to Windows 7 as well. Here’s how to change it via an admin comannd line here:

1. Start -> Run -> “cmd” -> “netsh” -> “interface” -> “ipv6”
2. To set IPv6 (6to4) as the default protocol on Microsoft Windows…

set prefix 2002::/16 30 1
–> Only the 2002::/16 line (6to4 prefix policy) is changed.

3. To make things goes back to original mode (IPv4 preference)…
set prefix 2002::/16 30 2

Firefox Add-On to Show IPv6 in Action

The best way to monitor IPv6 in action is of course to use Wireshark. But in case it is not running all the time while you experiment and you just want to know when IPv6 is used while web browsing, the “ShowIP” add-on for Firefox is most helpful as it shows the IPv4 or IPv6 address from which the current web page was delivered.

There you go, hope you’ll find this helpful. And for a general introduction on IPv6, I’ve written a 4 piece intro some time ago. For deatils see here, here, here and here.

Mapping UK and Global Network Coverage

Unwired Insight recently reported about interesting projects going on at the moment for the crowd to report on cellular network coverage:

The first one is a project by the BBC to get an independent view on the network coverage of the networks in the UK. It's based on an Android App that takes coverage readings in the background and reports them back to a central server in the network.

The second project is more global in nature and is called Open Signals Maps and aims at mapping wireless coverage globally. Like the BBC approach it also uses an Android app that runs in the background. The results can be seen immediately on their website. I had a go for a number of places all over Europe I am about to go to in the next weeks and found that for each, data already exists. A great tool for travelers, especially when visiting small towns in the countryside to see if there is good 3G coverage available or only 2G and from which network operator.  Also it spares one the trouble of looking for coverage maps on individual network operator web sites, if they are available there at all.

What both approaches are not saying, however, is who the collected data belongs to? To the community reporting in or to the companies running the project?

If the data behind the maps frontend is available it might also be an interesting pool of information for national telecum regulation bodies and IT/consumer publications to compare different national networks with each other, to compare network deployments of different countries with each other, etc. etc.