Thursday, September 24, 2009

Silent Hallelujah

Must be a youtube day!

Glee

Love the show...and then they add sports, and I love it more :)

Wednesday, September 23, 2009

GSM Mobile Phone Security

I know I babble a lot about computer and internet security, and I tend to be more paranoid about it than most people...but I thought this topic was important to mention, because it covers a much wider range of people than just wireless network computer users.

GSM (Global System for Mobile) is the technology standard used to encrypt and transmit voice and data on most of the cell/mobile phone networks in the world. Everyone in the US who has AT&T or T-Mobile for service uses the GSM standard, as do most major carriers in over 200 other countries.

The GSM specification was created back in 1980, as a way to try to standardize mobile phone encryption and transmission. Now, for those of us who were alive in 1980, take a second to remember what kind of computers and computing power existed back then (Apple II+, Commodore 64, IBM/MS-DOS computers where processors were measured in HERTZ and memory was measured in KILObytes). For those who don't remember this, just imagine the computers back then had less power than even the lowest-end TI calculators have today, and certainly way less than any current mobile phone. OK....got that idea in mind?

The encryption strength and algorithm used in GSM were VERY strong for 1980. Even super computers in 1980 would have taken a long time to brute-force attack the 64-bit encryption that was being used. The encryption algorithm was also proprietary (secret), which wasn't a problem to keep secret in 1980 because we didn't have the internet and the unlimited collaboration potential we have now. In addition, given the processing power of mobile phones in 1980, it would not have been possible to use any stronger encryption or any more complex encryption algorithms. It was the right solution for then.

Fast Forward to 2009, 29 years later. We're still using the same GSM technology from 1980. The same encryption strength, the same encryption algorithms. Personal computers have the processing power that super computers had in 1980. Even the lowest-end mobile phones have more processing power than computers in 1980. 128-bit encryption is the MINIMUM now for computer applications (keeping in mind that 128-bit encryption isn't just twice as good as 64-bit, it's 2 to the 64th POWER better than 64-bit encryption - it increases exponentially). We have the internet and can share ideas and collaborate with the entire world. We've also had 29 years to figure out the "secret" proprietary encryption algorithms. Can you see where this is going?

GSM has been completely cracked. Any hobbyist with a little spare cash and a willingness to do some googling can hook up a circuit board and antenna to their laptop (via standard USB or ethernet) and monitor and decrypt GSM-based transmissions right out of the air. There's enough open source software out there to make it easy to listen to voice streams, look at data streams, or whatever the streams of packets happen to be transmitting/receiving from a GSM phone.

The problem with this technology no longer being secure, as opposed to other wireless technologies like WEP and WPA, is that even if there's a newer more secure technology available, it will take years for everyone currently on GSM networks to be upgraded to use it. Not only would the network itself have to be upgraded, but all existing phones would have to be as well - not something that happens overnight.

Again, none of this is meant to scare people, it's just meant to make people aware. People should never make the assumption that everything they do on their phone is private and secure and should understand the risks.

A couple of other points to make:

Internet use on GSM phones - while the encryption used to transmit packets from your phone to the tower is broken and crackable, if you're using a secure web connection (https/SSL) in the web browser itself, that encryption is in addition to the GSM encryption, and is much better/stronger (it is the same as what your PC web browser uses) so there is less to worry about. So, for example, if you access your online banking site from your phone, you're still protected by the SSL encryption the banking website is using.

People that don't use the GSM network (the other major one being CDMA, used by Sprint and Verizon) - if you think you're safer, you're probably not. While there is no specific widespread CDMA cracking technology out there yet, the level of technology CDMA uses isn't really much stronger than GSM, it's just that GSM is a bigger target since it's used so widely across the world. Its day is coming :(

Monday, September 21, 2009

Online Privacy

The title of this article is misleading, because it's really commenting on the whole "how private is your information" issue in terms of Facebook and social networking:

http://www.boston.com/bostonglobe/ideas/articles/2009/09/20/project_gaydar_an_mit_experiment_raises_new_questions_about_online_privacy/?page=full


I guess I've always understood these basic concepts of online privacy:
1) If you post any information about yourself (data, pictures, etc.) online (social networking, etc.), it's out there and you should assume that you no longer have complete control over it.
2) The more information you put out there, the easier it is to correlate and determine other things about you.
3) No matter what a company's privacy policy is, SOMEONE at that company has full access to whatever you've given them, and you can't guarantee that they will not abuse that access.

I'm not trying to scare people, I just want to point out that this is an ongoing tradeoff between convenience and cost vs. privacy and security. Things like Facebook are free, and they are useful services. The tradeoff is that you trust them with information about you. It is certainly in their best interest to try their best to keep your information private, but both they and everyone you allow to see your information (e.g. your friends list) can see everything you put up there, and thus can show it to anyone else they want.

I use Gmail (Google Mail) and many people use other online mail services, and we're trusting these services with the contents of all our emails. We do this because the service is free, convenient, and useful, and so we assume the risk of a third party storing our email data.

The main point is, it's ultimately your choice - if you want to use something like Facebook, which may provide a great benefit to you, you also assume the risks. Be as careful as you can, limit your risk, but remember that nothing is perfect.

Friday, September 18, 2009

Palm to drop Windows

I'm not at all surprised, and I'll also say it's about time :)

http://www.informationweek.com/news/personal_tech/smartphones/showArticle.jhtml?articleID=220001048

I hope this means more and better stuff for the WebOS and my Pre!

Friday, September 11, 2009

Turing

Most of us in the computer science field know the name "Turing", referring to famous mathematician Alan Turing. He was the man mainly responsible for famously cracking the enemy encryption codes during WW II, something many believe was a key to the outcome of the war.

Sadly, despite the huge contributions he made to the world (he also created many math and computer science theories still in use today, including the famous "Turing Machine"), a few years later in 1952 he was convicted of "gross indecency" - basically homosexuality, illegal at that time - and had the choice of going to prison or going through a procedure called chemical castration, which was injecting female hormones into your blood stream. To avoid jail he chose the second option, and 2 years later committed suicide at the age of 41.

This morning I read that the Prime Minister of Great Britain, Gordon Brown, at the urging of several in the computer science and gay communities, gave an apology and special recognition to Turing's accomplishments. I thought this was a really great gesture for him to make.

http://www.pamshouseblend.com/diary/12920/the-man-the-apple-logo-salutes-to-alan-turing-gets-apology-from-british-prime-minister

Thursday, September 10, 2009

Thou shalt not...

From the "why don't I ever learn" file...

#1 - "Thou shalt not upgrade programs that are functioning correctly, just for the sake of upgrading.*"

#2 - "Thou shalt suppress the need to try out every beta or upgrade."

I spent about 2 hours this morning recovering from trying to install an early adopter version of a Lotus Notes upgrade, which, if I'd read the forum posts about it, I never would have considered. And the version I have is working the best of any Lotus Notes I've had in 12 years. So WHY do I do this? I think I have some gene that makes me want to upgrade stuff.

*NOTE: Security patches to Windows or other OS's don't count - anyone NOT doing automatic Windows updates of security patches is just asking for it.

Wednesday, September 9, 2009

My day has been made!

I am a religious listener to the podcast "Security Now" - a weekly podcast about computer and internet security now in its 5th year. I would recommend this show to anyone who uses a computer on the internet - Steve Gibson is great at explaining things in plain terms and I also believe he does this because he's truly interested in sharing information with everyone, and not to make money.

Anyway, every other week they do listener Q&A shows, answering 12 questions from listeners. I have sent in comments and questions over the years, and have never had any on. Apparently, one of mine is read in the most recent episode of the podcast. I haven't actually listened to it yet (I'm about 2 behind) but I'm VERY excited!!!

50 miles

I have to give a shout out to my friend Wayne who is doing his first 50-mile race this weekend...

http://waynelsona.blogspot.com/2009/09/superior-trail-50-mile-preparations.html

Besides just being an all-around great guy and friend for so many years, Wayne was the first office mate I ever had as a co-op, and was my longtime IBM lunch buddy for over 10 years before taking a job in St. Paul (which makes meeting up for lunch a bit more difficult :)

Wayne is also the one that got me into running 12 years ago - sneakily - so sneakily he probably didn't even know he was doing it - I started tagging along on his short (3-mile) marathon training runs, and just kept tagging along, finally "tagging along" on his 20-mile runs, and then finally doing my own marathon the next year. We've been "runner support" for training, and many times alternated doing marathons different years because it was fun to have someone cheering you on the sidelines, dropping you off, picking you up at the end, etc.

He's now at another level of racing, one I may never get to, but then I never thought I'd run 26.2 miles either before I met him (I never thought I could run 10 miles before I met him and learned that running does not mean sprinting :)

So, all the best this weekend Wayne!

Tuesday, September 8, 2009

The Cloud

Some interesting articles on slashdot about the growth of "cloud computing":

http://blogs.zdnet.com/Hinchcliffe/?p=771
http://edgeperspectives.typepad.com/edge_perspectives/2009/08/defining-the-big-shift.html
http://i.zdnet.com/blogs/web_os_2009_large.png

My mode of managing my personal information has been slowly shifting to the "cloud" over time - when I switched to gmail a few years ago I eliminated all email clients on my PC. With my last new phone I switched my calendars and contacts over to Google applications from a PC-based Outlook, and this weekend I moved the rest of my "personal information management" stuff (tasks, notes) to Google applications as well.

As always, having everything online is a mixed blessing. It's accessible anywhere there's an internet connection, which is becoming basically anywhere. However, you're also ceding trust of your personal information over to a third party - in my (and many people's) case something free like Google. It's also NOT accessible if for some reason you can't connect to them.

When I was converting over my notes and documents, I did stop short of moving everything to Google docs - I separated all my documents into two categories, one being information I don't care if anyone sees and the other information I want to know for sure only I have access to. While I don't really think that anything in category one will be seen by the wrong people, if it's in the "cloud" there's always a chance it will be. So I am trading convenience for security on those documents (passwords, financial data, etc.) that I consider most important.

It will be interesting to see how this trend continues and we become more and more dependent on the internet and the "cloud". My latest phone isn't really worth much without an internet connection now (yes I can still call people without it). A PC is very much less useful without an internet connection now than it was 10 years ago. It seems that laws are going to have to catch up to this trend soon - right now, we trust companies like Google not to abuse our information (and it's in their best financial interest not to do so) but legally there is probably lots of leeway as to what they can do with it.

Monday, September 7, 2009

Happy Labor Day!


I read about the origins of Labor Day on Wikipedia this morning, and the first US Labor day was in 1882. Oddly, half of the workers in the country don't get the day off now because the other half do get it off and want to go shopping, eat out, etc....go figure.

A fun weekend, kicking off Saturday with meeting HS friends Pat & Laura and kids in Bloomington for lunch, and then off to second-cousin Brittany's wedding. Lots of fun seeing the "Minnesota Byes" as I like to refer to them. We headed home relatively early (9pm) since it was an hour and a half drive from the reception in Medina to Rochester.

Sunday morning coffee with friend Bill, and a day of working on some projects I had been putting off. I finally got everything else that hadn't nicely converted from my old phone to my new one into either Google tasks, Google docs, or just stored in documents on my computer, and put the final closure on Outlook and Windows Mobile. Also worked on the never-ending video conversion and editing project - eventually it will all get done! Sunday evening Chinese takeout and a later evening wine tasting with a couple of friends.

Monday morning - Erin is at orientation for his new job, so I had coffee with Bill again this morning, and am now in the process of doing some more video editing and, unfortunately, figuring out why iTunes isn't working again. I may have narrowed it down to the "Apple Mobile Device Support" process which I don't use, I continue to disable, and iTunes keeps re-enabling, I'm sure trying to be helpful. I'm nearly ready to give up on iTunes altogether after the recent number of times it's quit working - I don't honestly know how "regular" people (meaning people who wouldn't spend the hours I spend figuring out how to fix this stuff or don't have the computer background I do) actually get any of this stuff to work.

I do plan on enjoying the weather today, the whole weekend has been fantastic Minnesota summer/fall weather and I'm loving every minute of it!