Sandboxie

Not a truly mobile story today by itself, but one that started as such some time ago on this blog. A while back I reported on a first weakness found in the Wi-Fi WPA encryption. I didn't get all the facts right the first time and was promptly corrected by a reader who was kind enough to supply a link to Security Now, a great podcast that each week explains security issues at length but in an easy-to-understand way. I listened to the podcast, corrected my mistakes and subscribed to the podcasts on my N95 to have interesting listening while traveling. Recently I listened to episode 172 about a program called Sandboxie for Windows machines that I think is so useful that I would like to mention it here.

With Sandboxie, you can put programs like web browsers, e-mail clients, instant messengers, etc. in a sandbox that redirects write access to files and the registry to a copy instead of to the original. This way, should you catch a virus via a web page or via that attached PowerPoint file in an e-mail from a trusted friend, all the malicious code can do is harm a copy of the file and the registry. It can still steal data as it has standard read access to all other files, but it can't harm the machine anymore. As soon as the last program in the sandbox ends, the files in the sandbox are deleted and gone is the threat.

It's even possible to install programs in the sandbox. They run just fine afterwards, but only in the sandbox, of course. Once you are done with testing, delete the sandbox and you can start from scratch. No orphan files remaining, no extra clutter in the already fat registry. So the concept of Sandboxie is quite similar to that of a virtual machine, except that the applications have read access to the outside. The big advantage is that it requires no extra memory and processor resources; it just adds a shell of protection around those programs so they can't do any harm.

Completely blocking write access has its drawbacks, too, of course. With complete isolation, it's not possible to permanently store bookmarks, for example, and you will also lose your e-mail that is stored in local files once the sandbox is deleted. But the author has thought about that as well, and it's possible to activate exceptions for the best-known programs so that their configuration and data files are not sandboxed. For less well-known programs, it's possible to manually configure files or directories that are excluded from the sandbox. And with the registered version, it's even possible to define programs which are automatically run in the sandbox when they are started. Great for an installation for less computer-savvy users, to make the sandbox almost transparent for them.
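To make the redirect-on-write idea and the exclusions concrete, here is a small Python model added for this post; it is a constructed illustration, not Sandboxie's own code, and the paths, registry key and file contents in it are made up.

```python
# Constructed model of the write redirection described above, not Sandboxie's
# own code. A store is a dict mapping a file path or registry key to content:
# `real` stands in for disk and registry, `overlay` for the sandbox copy.

class SandboxedStore:
    _DELETED = object()  # marker for an item deleted inside the sandbox only

    def __init__(self, real, excluded=()):
        self.real = real                  # written only for excluded paths
        self.overlay = {}                 # sandbox copies, dropped on discard()
        self.excluded = tuple(excluded)   # path prefixes that write through

    def _passes_through(self, path):
        return any(path.startswith(prefix) for prefix in self.excluded)

    def read(self, path):
        """Sandboxed programs keep read access to everything."""
        if path in self.overlay:
            if self.overlay[path] is self._DELETED:
                raise FileNotFoundError(path)
            return self.overlay[path]
        if path not in self.real:
            raise FileNotFoundError(path)
        return self.real[path]

    def write(self, path, data):
        if self._passes_through(path):
            self.real[path] = data        # configured exception: persists
        else:
            self.overlay[path] = data     # copy-on-write: real item untouched

    def delete(self, path):
        if self._passes_through(path):
            self.real.pop(path, None)
        else:
            self.overlay[path] = self._DELETED   # real item still there

    def changed_paths(self):
        """Everything the session modified; worth a look before discarding."""
        return sorted(self.overlay)

    def discard(self):
        """'Delete sandbox': redirected changes are gone, the real store is as before."""
        self.overlay.clear()


def simulate_session():
    """Constructed scenario: a booby-trapped attachment runs in the sandbox
    while the browser, whose bookmark folder is excluded, saves a bookmark."""
    real = {
        "C:/Windows/System32/drivers/etc/hosts": "127.0.0.1 localhost",
        "HKLM/Software/Microsoft/Windows/CurrentVersion/Run": "",
        "C:/Users/me/Documents/report.doc": "quarterly numbers",
        "C:/Users/me/Bookmarks/bookmarks.html": "<dl></dl>",
    }
    before = dict(real)
    bookmarks = "C:/Users/me/Bookmarks/bookmarks.html"
    box = SandboxedStore(real, excluded=("C:/Users/me/Bookmarks/",))

    stolen = box.read("C:/Users/me/Documents/report.doc")  # reads still work
    box.write("HKLM/Software/Microsoft/Windows/CurrentVersion/Run", "dropped.exe")
    box.write("C:/Windows/System32/drivers/etc/hosts", "tampered")
    box.delete("C:/Users/me/Documents/report.doc")
    box.write(bookmarks, "<dl><a>saved</a></dl>")  # excluded: passes through

    touched = box.changed_paths()
    box.discard()  # last sandboxed program ends: the sandbox is deleted
    unchanged = all(real[p] == before[p] for p in before if p != bookmarks)
    return {"stolen": stolen, "touched": touched,
            "real_unchanged": unchanged, "bookmark": real[bookmarks]}
```

The returned dict shows both sides of the trade-off described above: the document could still be read, but after the sandbox is discarded only the excluded bookmark write survived.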

So while it's not the purpose of Sandboxie to replace an anti-virus scanner, it's a great tool to add another layer of protection. It takes some knowledge to configure it for individual purposes, but once that is done, even less computer-savvy users should not have a problem with it. The proof for that is still outstanding, so I'll install it on a normob notebook soon 🙂

I love how one gets from A to B on the web: I would never have heard of it had I not blogged about the Wi-Fi WPA attack, had someone not commented and left a link, and had someone else not bothered to do a great podcast every week that I listened to on my mobile phone during a long car trip. In this way, it is actually a mobile story after all.

Carnival of the Mobilists 158 over at the VoIP Survivor

This week, the Carnival of the Mobilists has stopped over at Tsahi Levent-Levi's blog, aka the VoIP Survivor, for an, as usual, impressive roundup of what's been happening in the mobile blogging sphere over the past week. To my great pleasure and surprise, my entry on the use of Wi-Fi in mobile devices has been voted best post of the week. Thanks for that, I really appreciate it! So for all the best from the mobile blogging sphere, don't hesitate, head over and enjoy!

Wireless Repeaters in the Spa?

[Picture: Spa-1]
Yes, yes, one should go to a spa to relax, but I couldn't help noticing that even in a spa there are interesting wireless things going on. Recently we went to the Linsberg spa near Vienna, newly opened a couple of months ago, a place that even the old Romans would have approved of. It's a bit outside the small village of Bad Erlach, and one wouldn't expect great mobile coverage there. To my surprise, however, the ground level was well covered by all but one of the mobile networks, via the antennas in sight over in the village. On the lower level, things looked a bit different; the concrete walls are probably too thick for signals to make it through.

Nevertheless, Mobilkom's GSM and UMTS networks were available with full signal strength while all other networks didn't quite make it through. Quite interesting, so I had a closer look around. There is an antenna on the roof of the adjacent spa hotel, so the good signal could come from there. Or is it those little boxes installed throughout the building with a "Mobilkom" sticker on them (see the pictures below)?

I can't be fully certain that those are 2G/3G repeater antennas, but it pretty much looks like it. So it seems Mobilkom has seen a business opportunity in specifically covering this location. I wonder if they are 'only' providing mobile coverage or if they are also providing the infrastructure for local communication, both fixed and mobile!?

I think it would make a lot of sense to be an end-to-end telecom/Internet provider for both employees and customers at such a place. You install your infrastructure once and get paid by several user groups. But that's all speculation on my part, of course. I think there's lots one could do with that. For example: instead of installing a separate data infrastructure and Wi-Fi access points in the hotel for those that don't yet have a 3G USB modem, one could rent out dongle docks such as the D100 to guests. Also, covering meeting rooms with Wi-Fi and backhauling it over 3G saves a lot of money as well.

So, if anyone from Mobilkom (or anyone else for this matter) is reading this and would like to comment, please do.

[Pictures: Repeater-1, Repeater-2]

How To Secure The BarackBerry

Some sources have started speculating whether the Secret Service will let President Barack Obama continue to use some sort of BlackBerry. The latest speculation is that he might get a Sectra Edge, a ruggedized and secured Palm Treo 750. You can find the specs here, but while they are interesting, they don't (of course?) go into the details of how things are secured in practice. Tomi Ahonen over at Communities Dominate Brands has a good post on possible angles of attack. I think these are quite possible for someone with time, monetary resources and a couple of infiltrators. Tomi suggests a couple of countermeasures which I think are quite interesting, and I've come up with some of my own while commuting today that I thought I'd share here:

Phone identification and targeting

The first thing that needs to be done is to ensure anonymity. Today, there are two IDs in GSM/UMTS systems that can be exploited if somebody knows them and has access to the core of the mobile network, to find out the current location of the phone down to the level of the radio tower. These IDs are the International Mobile Subscriber Identity (IMSI) on the SIM card and the International Mobile Equipment Identity (IMEI) of the mobile phone itself. Knowledge of one of the two values can also be used by someone who has access to the core of the mobile network to intercept voice calls and Internet traffic that are not end-to-end encrypted.

To ensure anonymity, these IDs should be changed at regular intervals. If I were the Secret Service, I would get a large number of IMSIs from several network operators, get the SIM card vendor on board and devise a scheme to change the IMSI on the SIM card on a regular basis. Concerning the IMEI, a changing random number would do.

Another thing I would do is to use the pool of IMSIs not only for the president but also to give similar phones to his aides and other people in the government that need to communicate with him and others securely. This ensures encrypted communication. At the same time, more than one IMSI of the pool is active, so it's fruitless to get hold of the IMSIs of the pool, as the attacker still wouldn't know which one is currently used for the president's phone.

Changing IMSIs on a regular basis has one big disadvantage: whenever an IMSI is used for the first time, it is transmitted in the clear over the network. In all subsequent connection establishment requests, a changing temporary ID (the TMSI and the P-TMSI) is used. So an attacker could try to find the president's phone by scanning the air interface for those rare IMSI-based connection establishments. However, the scanner used would have to be near the location of the phone (i.e. in the same cell), and the attacker would need the list of IMSIs used for the purpose. A very remote possibility, and the attacker could not do a lot with the info anyway. A countermeasure would be to have many such phones around the president (e.g. those of his aides) doing the same thing.

Outgoing Voice calls

Both network-encrypted and end-to-end encrypted calls could be connected directly to the destination. However, I would put a gateway in the middle to which all calls are sent and which then forwards them over a secured link to a second gateway that brings them back into the public network again. This way the president's current phone number, which is linked to the IMSI, could not be seen at the other end and could also not be traced by someone having access to the public network.

Incoming Voice calls

A bit more tricky, as other persons don't know the president's current phone number. Again, a gateway would help which knows the current number of the president. It could be informed of the current phone number via an encrypted data connection by the phone itself (see below).

Getting to the Microphone and Camera

Every now and then one can find reports that hackers can get access to the microphone of a phone by giving it a secret hidden call. It might or might not work with some public phones, but not with one that was inspected by the NSA. Also, frequently changing IMSIs should prevent anyone from knowing which number to call.

GPS Positioning

By controlling the operating system itself and the applications that run on the smartphone, it can be ensured that even if the phone has a GPS, the coordinates are not smuggled out. Not a big issue here.

Internet connection

I'd only allow a "full tunnel" solution, i.e. everything goes through an encrypted tunnel to a gateway and only from there to the Internet. The tunnel termination on the network side must be well protected, of course, but I think the people working at Fort Meade know how to do that.

Smartphone viruses

With a customized OS version, I would ensure that applications can't be installed and that all applications running on the phone have no hidden weaknesses and backdoors. Not trivial, but I am sure it could be done with a tiny fraction of the NSA's budget.

E-Mail

The e-mail client must of course be able to use strong end-to-end authentication and encryption, as well as authentication and encryption for the transmission to the server itself. Needless to say, the server should be well secured.

Web surfing

To prevent bad things in web pages from harming the smartphone, I would run all communication via a secured and monitored web proxy. No direct contact with the Internet for the web browser. Another benefit of the proxy is that it anonymizes the traffic.

And the rest

I'd block all other Internet traffic from or to the phone to ensure that the e-mail client and the web browser are the only applications that can communicate with the outside world. Also, I'd give the TCP/IP stack a very hard look to ensure no buffer overflows from malformed packets can cause any harm.

Lots of stuff to be done to secure such a phone, no question about that. But I guess the president of the United States is not the only person requiring airtight security, so the cost can be split. Also, I would be very surprised if a lot of this infrastructure is not already in place. Like all security measures, securing the BarackBerry is a cat-and-mouse game and not a one-shot operation. I am sure the list above is far from complete. Further ideas?

Business Rationale Behind 12 Month Prepaid Data Offers

Previously, I reported that Vodafone UK is the third operator I know of that has now started to offer a prepaid package for wireless broadband access that includes a gigabyte of traffic and is valid for up to 12 months. Looking only at the 12 months, it would seem that this is rather a bad deal for the network operator, or in other words, not a lot of revenue opportunity. However, I think quite the contrary is the case.

Let's take Austria for example: if you take a postpaid contract for wireless Internet access from mobile network operator Three, 3 gigabytes per month are now available for 9 euros. Compared to the 15 to 20 euros that others like A1 and Yesss charge for one gigabyte valid for 12 months, that is only a fraction. So the 12 month offers are attractive for infrequent users and travelers who would otherwise not spend anything at all, as even the 9 euros is too much for them. So it is better to get that 15 to 20 euros of revenue than not getting it at all. And by doing so, your margin is much higher compared to the contract offers.

I guess a lot of people taking the 12 month prepaid offer will not fully use the gigabyte, so the bottom line is even better. And those that do are likely to buy a top-up, thus increasing the revenue once again. A win-win situation in any case.

How Can LTE Reduce the Cost Per Bit?

Recently, a question was asked in the LTE forum on LinkedIn how LTE can reduce the cost per bit compared to today's broadband wireless systems such as HSPA. I found it quite interesting that a lot of people immediately pointed to the greater spectral efficiency as the means to reduce the overall cost. But I think there are also other innovations which will drive down cost:

  • There are no Radio Network Controllers (RNC) anymore, i.e. fewer network components.
  • The backhaul network is radically different. While E-1/T-1 connections (cable, microwave) are still heavily used today, LTE will be rolled out with Ethernet over fiber / VDSL and microwave. Huge cost advantage here. It's not spectral efficiency operators worry about today, it's the rising E1/T1 backhaul costs.
  • In all fairness, it has to be said that current HSPA networks are changing towards this as well, in terms of backhaul and network elements (e.g. the one-tunnel architecture), but it is not built in and the RNC is still required.
  • Another reason why LTE has a cost advantage over today's deployed networks is that technology has advanced and allows smaller base stations to be built which require less power and less space. These will be deployed from day 1 and in many cases will be put inside existing base station cabinets or mounted beside them.
  • Also count in remote radio head technology that will probably be used heavily with LTE to drive the cost down.
  • In the mid- to long term, I think LTE access will be the catalyst for multi-radio base stations with a common Ethernet-based backhaul, thus also driving down the cost of the 2G and 3G systems that will remain in place for some time to come.

Anything else you can think of?

Lots of Wi-Fi in Smartphones These Days

When Nokia started to put Wi-Fi into smartphones about three years ago, they were pretty much the only company doing that and were looked at suspiciously by both the competition and network carriers. At the time a lot of people said they were not sure if Nokia would prevail with their strategy and that carriers would strongly oppose such phones.

If you look at the market these days, I think it has prevailed quite well. All Nokia N-series phones have Wi-Fi built in, and virtually all competing mobile device vendors have followed their lead. Apple has it, HTC has it, RIM now has BlackBerrys with Wi-Fi, and even Sony Ericsson has now started to put Wi-Fi into their camera feature phones (e.g. the new C905).

The way I see it, Nokia has made good use of their first-mover advantage and currently offers the widest range of services over Wi-Fi. Here's how I use the built-in Wi-Fi in my N95:

  • Mobile web browsing (the number one application for every Wi-Fi enabled phone, I guess): the built-in browser does a great job for surfing the web in general, using Google Reader for my RSS feeds, mobile banking, etc.
  • My second killer application: VoIP telephony with the built-in SIP client. I guess Nokia is the only company that has so far integrated a full VoIP client into their software. It's fully automatic. When I get home, the N95 senses my home Wi-Fi and automatically connects. It has fully replaced my landline cordless phone by now.
  • Automated podcast download: the podcasting application runs in the background and automatically downloads the latest podcasts when they appear. A very nice application, and I've configured it to only do so over Wi-Fi but not over cellular.
  • Mobile Web Server: a very cool application to access my phone's address book, calendar, camera etc. via my notebook's web browser. Here are some more details in case you have never heard about it before.
  • Picture upload to Flickr: when I travel to countries in which I only have an expensive mobile data subscription, I rather wait to upload pictures to Flickr until I reach the coverage of a Wi-Fi network. Shozu does a good job here, queuing pictures marked for upload and automatically sending them when a configured network becomes available.
  • E-mail: when at home, my e-mail client (Profimail) uses the Wi-Fi instead of the cellular connection. Very convenient and cost saving.
  • When I am traveling, I have my dongle dock with me, and instead of communicating with the 3G network directly, most applications use Wi-Fi to the dongle dock, which then sends out the data via 3G. This helps to save cost, because in many countries data over data-only SIMs is much cheaper than a data add-on to a SIM card with a decent voice tariff.
  • Some people use the 3G connectivity and the Wi-Fi as a Wi-Fi bridge for other devices. I prefer my dongle dock, but I am sure such a solution appeals as well.

To see how the competition has reacted in the meantime, here's a question to those with a non-Nokia smartphone: which applications does your device offer today, and which of those do you use?

The Real Time Web And Connected Home Services

Here's a link to a very interesting presentation by fellow book author Paul Golding about the real-time web and its impact on mobile. A powerful train of thought, and I would summarize what he calls the real-time web as follows:

  • Today, the web (or the Internet in general) on mobile devices is still dominated by polling, i.e. the user requesting web pages.
  • Paul foresees that news and events happening around the world in real time will be pushed automatically to mobile devices and, of course, also to desktop PCs and notebooks. Desktop and idle-screen widgets based on web technologies are one possibility for this.
  • Information is mashed up on the Internet before it is pushed to the user on his mobile or stationary device. An example of this is TweetNews, which sorts Yahoo search results with input from Twitter to increase the relevancy of breaking news that is spreading much faster via social media than via the traditional channels.
  • Content is not only created by others and put on the web for public use; everyone is creating content that, while private, should be pushed into the web as well, so it is accessible by its creator and owner from different devices and can be mashed up with other content. Examples of content that should be accessible from everywhere are the calendar or the address book.

I think that his ideas are great, and many of them are already being worked on by Google, Nokia and others. However, for the last bullet point I would like to add a different idea. While I like the idea of mashing up, let's say, my address book with information about the online instant messaging availability of other persons, I don't really like my address book information being in the hands of anyone else but me. In other words, I don't want my private information stored on a server on the web; I want it stored on a device under my control.

And I think that this is where mobile network operators with fixed-line assets can come into play. Instead of having my private information stored on the web, it could also be stored in the user's home network. Fixed/mobile network operators have all the pieces of the puzzle to make this work and not much competition to fear. They are in the unique position to sell the following bits and pieces together to their customers:

  • A DSL modem / Wi-Fi / femto box (also known as a home gateway)
  • Services running on that box or accessible via that box from within the home network and via a secure connection from the outside
  • Wireless access
  • Preconfigured devices with connected home services that use cellular / Wi-Fi / femto, depending on where they are, to access that information

Of course, network operators can't do it on their own; they need device manufacturers to deliver home gateways and software for mobile devices capable of doing that. It's a great opportunity to compete with similar services that are web based, a territory where network operators have difficulty competing. And best of all, the customers will love them for it, since they can offer such connected home services with more security and privacy than what is possible on the web.

And for the mash-up part of the scenario, it doesn't really matter if a central server mashes up the content or if a service in the home network does that.

Decommissioned SIM Cards

[Picture: Retired-sims]
I heard somewhere, but forgot exactly where, that the German C-Netz mobile network back in the 1980s was the first network that separated the subscription from the device via a SIM card. Since then we've come a long way, and all major mobile network standards these days have implemented the concept. From my point of view, this is the most important thing to foster competition between network operators.

As a frequent traveler I use lots of different SIM cards for both voice and data and I love the concept of just inserting a new SIM card into my devices when I arrive in another country or when better and cheaper offers become available.

Evidence of this is the heap of SIM cards I've decommissioned over the last couple of months, as shown in the picture on the left:

  • Two years ago, SimplyTel in Germany, an MVNO of T-Mobile, started a pretty good voice minute offer for the time. Unfortunately, they haven't kept pace with others, and a good data option is still missing. Also, they've started to introduce a 1 or 2 euro fee per month if the SIM is not used, which bugged me since I used one in the block heater of the car for incoming calls only and the other one in a mobile I give to visiting friends from abroad. Now that their accounts have reached 0, I've retired them and replaced them with SIM cards from other MVNOs.
  • The AT&T SIM: this one's a forced retirement, as I haven't been in the US for 6 months and the SIM has probably been deactivated already by AT&T.
  • The YESSS SIM: about 18 months ago, YESSS started a prepaid mobile broadband offer in Austria with a validity of 12 months. In the meantime the year has expired, and I have made good use of the offer. Now, however, I've replaced the SIM with one from A1, as they have started a similar offer in the meantime and their network has a wider reach.
  • The A1 SIM: this is the SIM I replaced the YESSS SIM with. Adding a further GB worth of data traffic is 5 euros more expensive than buying another SIM card for 15 euros that already includes a GB worth of traffic. A bit strange, but then I don't really care if I buy a top-up voucher or a new SIM.
  • The WIND SIM: this Italian SIM card was deactivated, and I haven't quite been able to figure out why. I went to a WIND store, but there they could not really help me and told me to call the hotline. I decided it was faster to dump the SIM and buy a new one instead. Much less trouble than discussing the matter over the phone with a helpdesk lady.

So in short: SIM cards = Power to the consumer!