Category Archives: Privacy

This is big business, this is the American way

43 years old “UFO eccentric” hacker Gary McKinnon just loses appeal against his extradition to the States for computer crimes he committed 7 years ago.

If you’ve lived under a rock during the last few years what this dude did was basically break into .gov computers looking for UFO related material.

Probably the last case of recreational hacking I’ve heard about.

So his case is obviously going to be a classical “Strike one to educate one hundred” kind of message to every hacker attacking american computer systems: we can reach you everywhere you live and have you extradited to our country where we will sentence you to life in prison.

Unless you are a multi millionaire cyber criminal living in Russia or a chinese spy, of course.

Iphone jailbreaking crashing towers? FUD!

It’s interesting to read a news about an anti-jailbreaking statement by apple that say that with jailbreaked phones it may be possible to crash mobile operator’s towers:

By tinkering with this code, “a local or international hacker could potentially initiate commands (such as a denial of service attack) that could crash the tower software, rendering the tower entirely inoperable to process calls or transmit data,”

So fun, as the Baseband Processor interface of iPhone is precisely the same of Google android and all Windows Mobile powered devices:

Basically the operating system use AT commands (do you remember old hayes modem commands?) with additional parameters documented and standardized by 3GPP that let more deep (but not that much deep) interaction with the mobile networks.

Please note that those AT commands are standard and widely available on all phones and are the interface to the Baseband Processor.

On iPhone that’s the list of commands that an from apple point of view could let “a international hacker to crash the tower software” :

Undocumented commands on iPhone

Damn, those European anarchist of Nokia are providing publicly also their AT command sets, and are AVAILABLE TO ANYONE:

Nokia AT Commands

Oh jesus! Also the terrorist oriented Microsoft corporation let third party to use AT commands:

Windows Mobile AT Commands

It’s absolutely unacceptable that also RIM, canadian funky against USA, provide access to AT commands:

Blackberry AT commands

And it’s unbelivable to see that Google Android also document how the system speak to the Baseband Processor and find on forums that it’s ease to access it:

Google Android Basedband Processor

Not to speak to ALL other mobile manufactuer that use the very same approach and let any party to speak via AT commands to the baseband processor of the phone.

Is the baseband processor of iphone buggy and the AT&T tower software buggy so that it’s dangerous to let the user make experiment with it?

Probably yes, and so those are only excuse because the software involved are not robust enough.

Apple, be careful, you have the trust of your users because you are apple you always have done things for the user advantages.

Users does like telephone companies that are huge lobbies that try to restrict and control users as much as possible.

If you, Apple, start behaving like a phone company users will not trust you anymore.

Be careful with FUD statements.

1st august 2009: Switzerland start realtime internet interception

The intelligence strength is increasing everywhere… also in Switzerland that had a well known privacy protection approach!

Read the WikiLeaks Article

UAE government placing backdoors into Blackberry devices

Nice attempt to place backdoors inside Blackberry devices.

It seems that UAE government wanted to do something nasty placing backdoors trough software upgrades in Etilsat (local mobile operator) blackberry devices, obviously with the cooperation of the mobile operator itself.

Fortunately, the power of the security community discovered and unveiled the facts. Check it out.

Etisat patch designed for surveillance

Wired magazine: Blackberry spies

Security exists only with transparency.

Nokia World in Stuttgard 2-3 September

Everyone who’s business is directly connected to mobile, aggregators, operators and generally speaking mobility application should really attend Nokia World where most of the world key people in the mobile business .

It’s extremely interesting to see the evolution of the business models related to the Application Portals, how the mobile operators are changing their approach to the market, the increasing of value added services related to mobile industry.

And the most important things is, the mobile operators will be able to became financial operators to really provide mobile payment systems integrated into any day digital life?

And if this will happen, how the manufacturer and operating system provider will play this game?

Saas: is the end of the myth?

Saas business models growth a lot during the past few years and i personally appreciate it.

No software to be installed, configured, maintained, service available when you needed with a early adoption time and most important reduction (or apparent reduction) of the total costs of ownership.

I had few experience with SaaS business (as a customer) and i have to say that the following Gartner Group analysis on SaaS businesses imho tell you the truth only for half of statements:

  • There is always a partial integration issue (not all systems are so flexible to really integrate into your business like you would like)
  • There is often a lacks of the technical requirements needed by the specific business case
  • I DO NOT agree that there is a barrier in the costs, as SaaS usually let you start spending only a few. However it’s true that while doing the deployment you should be more conservative in the usage of features and items (es: I am using for my company a hosted VoIP PBX system, we pay for each extension we add. We don’t have test extension or extensions that are not strictly needed because it costs. When we had an internal VoIP PBX system, we was plenty of test extension. This slightly increase some complexity in maintenance and deployment, even if the total cost of maintenance is a lot lower than an internal system to be managed.

So we can assume that Saas it’s for most but not for all, especially if the need of customizations for the very specific business needs are relevant.

An in depth analysis and testing has to be carried on, in order to discover all the limits of the solution, on functionalities and pricing, to really discover if the specific solution fit the business need.

Mobile platform hacking: worms and botnet from phones?

The hacking community is finally starting seriously auditing and hacking Symbian OS, even if it’s difficult, hard to work on, unpleasant to debug it .

There are so many mobile operating systems (Symbian OS, Nokia S40, Windows Mobile, RIM OS, Mac OS X, Android/Linux, Brew) that a worm/virus being able to leverage a cross-platform vulnerability it’s just a theory.

Trusted computing platforms, security model of J2ME Java only phones (like RIM and S40), digital signature everywhere are all tools that make massive hacking on mobile platform really difficult.

It’s difficult and costly to develop on mobile platforms, it’s difficult and costly too doing hacking on that platforms.

Still look at a very nice achievement of paper from SEC Consult called Pwning Nokia phones (and other Symbian based smartphones) .

Can we expect future worms or botnet on mobile? I don’t expect so, too many different OS with hard-to-beat security model.

And even if a worm would be able to penetrate a single mobile paltform bugs, mobile operators would be able to block it very quickly (compare how many GSM/UMTS operator exists compared to Internet Service Provider?).

The real goal of online marketing: lead generation

Often i discuss about online marketing, however it include the mysterious “marketing” magic word that’s tipically subject to misunderstanding and misconception .

The end goal of online marketing is to generate qualified leads coming from international markets.

Some interesting links about it, and how things should be properly done are below:

I would really like to see an effective leverage of online techniques and tools as the main interface and providers of information, the main pre-sales agent of the company explaining almost everything required to get back a qualified lead.

Voice encryption in government sectors

I will make some in depth articles about how voice encryption really works in government environments.

The open standards and open source still have to reach the military and government environments for what’s related to secure speech.

To give you an idea of the complexity and kind of particular issues that exists, look at the USA 3G Wireless Security: A Government Perspective and the A Waveform Architecture to Support Security and Interoperability in Multi-National Wireless Networks for Tactical Communication .

They are using so-custom protocols like Secure Communications Interoperability Protocol that require the use of patented MELPe ultra-narrowband codec that there’s not a real market of application and equipment using this. Only a small elite of government controlled companies from few countries manage this de-facto lobby.

Should we change this bringing open standards also to government sectors?

How the various audio compression codec sounds?

You know, we would not be able to use VoIP and have cheap international phone calls without audio compression codecs.

It’s plenty of them, some royalty free, some patented by telco’s lobby (think that some patented and royalty-based codec it’s also a standard, where all market player have to pay the most aggressive one that acquired the patent while defining the standards).

However, there is a nice collection from vocal, to understand how they sounds.

Voice Security and Privacy slides

Below my slides on voice security and privacy from Security Summit 2009.

mmm, yes i am working in this area from 2005, will write again about it.

sux