Archive for the ‘GSM’ Category

Well, this is interesting, both on the Bo Xilai story and also on the general theme of the state of the art in contemporary authoritarianism. It looks like a major part of the case is about BXL’s electronic surveillance of Chongqing and specifically of top national-level Chinese officials:

One political analyst with senior-level ties, citing information obtained from a colonel he recently dined with, said Mr. Bo had tried to tap the phones of virtually all high-ranking leaders who visited Chongqing in recent years, including Zhou Yongkang, the law-and-order czar who was said to have backed Mr. Bo as his potential successor. “Bo wanted to be extremely clear about what leaders’ attitudes toward him were,” the analyst said.

That’s Zhou Yongkang as in the head of the whole Chinese internal security structure, cops, spooks, and all. Bo’s police chief (and future sort-of defector) Wang Lijun is described as being “a tapping freak”, addicted to the productivity and hence apparent power of electronic intelligence. Not only that, Wang eventually began tapping Bo, who was also tapping the CDIC feds who came down to keep an eye on him.

The practicalities are, as always, interesting.

The architect was Mr. Wang, a nationally decorated crime fighter who had worked under Mr. Bo in the northeast province of Liaoning. Together they installed “a comprehensive package bugging system covering telecommunications to the Internet,” according to the government media official.

One of several noted cybersecurity experts they enlisted was Fang Binxing, president of Beijing University of Posts and Telecommunications, who is often called the father of China’s “Great Firewall,” the nation’s vast Internet censorship system.

It’s worth pointing out that the provincial networks belonging to China Mobile, China Telecom etc. are usually organised as companies in their own right. They often have their own AS numbers, and indeed they often contract on their own account for substantial network development projects with Western vendors (Nokia Siemens recently had a big mobile network contract in Sichuan, notably).

Anyway, Fang’s involvement is very interesting indeed. He is responsible for the state-of-the-art authoritarian solution to the Internet. This is not just, or even primarily, a question of blacklisting websites or turning off the Internet. The Great Firewall’s detailed design, as the Cambridge Computer Lab found out a while ago, is specifically intended to be a semi-permeable membrane. Rather like Hadrian’s Wall, it is more about the gates through it than the wall itself, and the defences point in both directions.

When a computer within it tries to initiate a TCP connection to one outside that is classified as dodgy, the Firewall sends an RST message back to kill the connection. This permits much higher performance than the DNS-based blacklisting typical of, say, the UAE.

It also means that it’s possible to ignore the RST and look through the firewall by using your own firewall utility (specifically, set something like iptables to drop any RSTs for connections in states other than ESTABLISHED before a suitable time has elapsed). However, it would be a fair guess that any traffic doing this is logged and analysed more deeply.
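Seen from a packet capture, the reset mechanism described above leaves traces. The following is an added example, not code from the original post or from the Cambridge work: it flags RSTs that look injected, assuming (heuristics not stated in the post) that a forged RST tends to arrive with a different IP TTL from the real peer's packets, and that a real peer does not keep sending data after resetting. All addresses and packets are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float     # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: S, A, P, F, R
    ttl: int     # IP TTL as seen at the capture point


def suspicious_resets(packets, ttl_slack=2):
    """Return [(rst_packet, [reasons])] for RSTs that look injected.

    Two heuristics, applied per direction of a flow:
      ttl_mismatch        - the RST's TTL is unlike every TTL that sender
                            used earlier on this connection
      sender_kept_talking - the same sender goes on sending non-RST
                            segments after its own "reset"
    """
    by_direction = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.t):
        by_direction[(p.src, p.sport, p.dst, p.dport)].append(p)

    findings = []
    for pkts in by_direction.values():
        for i, p in enumerate(pkts):
            if "R" not in p.flags:
                continue
            reasons = []
            # TTLs this sender used before the reset; empty if the RST is
            # the first thing it said (e.g. a closed port), in which case
            # the TTL test cannot be applied.
            baseline = [q.ttl for q in pkts[:i] if "R" not in q.flags]
            if baseline and min(abs(p.ttl - b) for b in baseline) > ttl_slack:
                reasons.append("ttl_mismatch")
            if any("R" not in q.flags for q in pkts[i + 1:]):
                reasons.append("sender_kept_talking")
            if reasons:
                findings.append((p, reasons))
    return sorted(findings, key=lambda f: f[0].t)


# Constructed capture taken at the client (documentation address ranges).
CLIENT = "192.0.2.10"
SAMPLE = [
    # Flow 1: a reset with an odd TTL lands mid-request, then the real
    # server's reply still arrives.
    Pkt(0.000, CLIENT, 40001, "203.0.113.5", 80, "S", 64),
    Pkt(0.180, "203.0.113.5", 80, CLIENT, 40001, "SA", 39),
    Pkt(0.181, CLIENT, 40001, "203.0.113.5", 80, "A", 64),
    Pkt(0.182, CLIENT, 40001, "203.0.113.5", 80, "PA", 64),
    Pkt(0.230, "203.0.113.5", 80, CLIENT, 40001, "R", 47),
    Pkt(0.365, "203.0.113.5", 80, CLIENT, 40001, "PA", 39),
    # Flow 2: the server really aborts; same TTL, silence afterwards.
    Pkt(1.000, CLIENT, 40002, "198.51.100.7", 443, "S", 64),
    Pkt(1.090, "198.51.100.7", 443, CLIENT, 40002, "SA", 52),
    Pkt(1.091, CLIENT, 40002, "198.51.100.7", 443, "A", 64),
    Pkt(1.300, "198.51.100.7", 443, CLIENT, 40002, "RA", 52),
    # Flow 3: closed port; the RST is the peer's first and only packet.
    Pkt(2.000, CLIENT, 40003, "198.51.100.9", 8080, "S", 64),
    Pkt(2.070, "198.51.100.9", 8080, CLIENT, 40003, "RA", 55),
]

if __name__ == "__main__":
    for pkt, reasons in suspicious_resets(SAMPLE):
        print(f"{pkt.t:.3f}s RST from {pkt.src}:{pkt.sport} "
              f"ttl={pkt.ttl} -> {', '.join(reasons)}")
```

Only the reset in flow 1 is reported; the ordinary aborts in flows 2 and 3 pass both checks.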

Further, there is a substantial human infrastructure linking the media/PR/propaganda system, the police system, and the Ministry of the Information Industry. This uses tools such as moderation on big Web forums, direct recruitment, harassment, or persuasion of important influencers, the development of alternative opposition voices, and the use of regime loyalist trolls (the famous wumaodang).

The firewall, like Hadrian’s Wall or the original Great Wall, also has an economic function. This acts as a protectionist subsidy to Chinese Internet start-ups and a tariff barrier to companies outside it. Hence the appearance of some really big companies that basically provide clones of Twitter et al. Because the clones are inside the firewall, they are amenable to management and moderation.

And none of this detracts from the genuine intention of the people at 31 Jin-rong Street, the China Telecom HQ, to wire up the whole place. Iran’s surprisingly important role providing broadband to Afghanistan and diversionary links to the Gulf reminds us that providing connectivity can be a powerful policy tool and one that you can use at the same time as informational repression.

So, Fang’s achievement is basically a package of technical and human security measures that let whoever is in charge of them command the context Web users experience.

Last autumn, several of the Chinese web startups were subjected to the combined honour and menace of a visit from top securocrats. Tencent, the owner of QQ and the biggest of the lot, got Zhou Yongkang in person. In hindsight, this will have been around the time the CDIC landed in Chongqing.

So, where am I going with this? Clearly, there was serious disquiet that somebody was usurping the right to control the wires. Even more disquieting, the surveillance establishment in Fang’s person seemed to be cooperating with him. And the systems he set up worked just as well for someone increasingly seen as a dangerous rebel as they did for the central government. (In fact, the people who like to complain about Huawei equipment in the West have it the wrong way round. It’s not some sort of secret backdoor they should be worrying about: it’s the official stuff.)

I do wonder, depending on what happens to Fang (he’s still vanished, but his Weibo feed has started updating again), if we might not see a relaxation of the firewall, which the pundits will consider “reform”. In fact it will be no such thing, rather a cranking up of internal chaos to facilitate a crackdown on opposition.

It looks like Daniel Davies’ plan to classify the world into people who file their accounts with Companies House on time, and people who don’t, may be less eccentric than it seems. News International missed, and asked for an extension. Obviously a dodgy lot of bastards. Anyway, check this quote out.

Coincidentally, News International’s company secretary of many years standing, Mrs Carla Stone, has resigned. A filing to Companies House, dated yesterday, stated that her appointment had been terminated. However, I understand that she left the company in February and her formal employment contract ends later this month.

Stone, a fellow of the Chartered Institute of Secretaries, held 212 company directorships in all, almost all of which are subsidiaries of News International and related companies.

You’ve got to like the “coincidentally”, which I take to mean “it is no such thing but we’ve not finished the story yet”. Anyway. The dump of directorships is here, providing an interesting insight into the structure of News International. Am I right in thinking that “Deptford Cargo Handling Services Ltd.” will be the company that owned the Wapping site?

Meanwhile, a colleague of mine asked me an Android question, which I misunderstood as being a question about USSD (you know – like *#06# to get your mobile phone IMEI number, but also including things like *21*some-phone-number# to divert all your calls). As a result, I ended up over here and learned that the network password “tends to be 1919”, which is very interesting in context and might explain a lot. Bonus: this ETSI PDF actually contains something which is otherwise quite annoying to find, a complete and categorised list of the code numbers.

Well, speak of the devil. Peter Foster makes his appearance in the Murdoch scandal and fingers the Sun directly.

He said he then received an email from a Dublin-based private investigator calling himself “Autarch”, who told Mr Foster he tapped into his mother’s phone in December 2002.

That month, The Sun published the “Foster tapes”, which featured transcripts of Mr Foster talking about selling the story of his links with Tony Blair’s wife, Cherie. Yesterday, Mr Foster said he had since had a Skype conversation with the investigator in Dublin, in which Autarch described how he tapped into Mr Foster’s mother’s phone.

“He said she was using an analogue telephone which they were able to intercept,” Mr Foster said. Autarch said he discussed the hacking with Sun journalists.

However, this story – at least this version of it – probably isn’t true. It is true that the first-generation analogue mobile phone systems like TACS in the UK and AMPS in the States were unencrypted over the air, and therefore could be trivially intercepted using a scanner. (They were also frequency-division duplex, so you needed to monitor two frequencies at once in order to capture both parties to the call.) It is also true that they were displaced by GSM very quickly indeed, compared to the length of time it is expected to take for the GSM networks to be replaced. In the UK, the last TACS network (O2’s) shut down in December 2000. It took a while longer in the Republic of Ireland, but it was all over by the end of 2001.

So Foster is bullshitting…which wouldn’t be a surprise. Or is he? TACS wasn’t the only analogue system out there. There were also a lot of cordless phones about using a different radio standard. Even the more modern DECT phones are notorious for generating masses of radio noise in the 2.4GHz band where your WiFi lives. It may well be the case that “Autarch” was referring to an analogue cordless phone. Because a lot of these were installed by individual people who bought them off the shelf, there was no guarantee that they would be replaced with newer devices. (Readers of Richard Aldrich’s history of GCHQ will note that his take on the “Squidgygate” tape is that it was probably a cordless intercept.)

This would have required a measure of physical surveillance, but then again so would an attempt to intercept mobile traffic over-the-air as opposed to interfering with voicemail or the lawful intercept system.

The Daily Beast has a further story, which points out that the then editor David Yelland apologised after being censured by the Press Complaints Commission (no wonder he didn’t go further in the Murdoch empire) and makes the point that such an interception was a crime in both the UK and Ireland at the time. They also quote Foster as follows:

According to Foster, the investigator told him that, for four days at the height of Cheriegate, he had been sitting with another detective outside Foster’s mother’s flat in the Dublin suburbs, intercepting and recording the calls to her cordless landline

The Sun hardly made any effort to conceal this – they published what purports to be a transcript, as such.

Does this help?

In a perfectly normal Jamie Kenny comments thread, weird machines are seen, circling the skies of West Yorkshire. What’s up is that someone has been reading Richard Aldrich’s book on GCHQ (my five-part unread series of posts starts here and refers here).

Basically, the intelligence services maintain various capabilities to acquire electronic intelligence. As well as ground-based and maritime systems, these include the (temporarily reprieved) Nimrod R1s, the Shadow R1 based on the Beechcraft King Air, and a group of three Islander planes which seem to be based in the UK permanently. Aldrich describes these as being used to hoover up mobile phone traffic, and claims that voiceprint data collected in Afghanistan from Taliban radio intercepts is compared to the take in an effort to identify returnees.

However, he also suggests that the interception is of backhaul, rather than access, traffic. This is unlikely to yield much in the UK, as typical cell sites here were originally set up with between a pair and a dozen of E-1 (2Mbps) leased lines depending on planned capacity. For many years, Vodafone was BT’s single biggest customer. More recently, a lot of these have been replaced with fibre-optic cable, usually Gigabit Ethernet, quite often owned by the mobile operator. O2 got some microwave assets in the demerger from BT, so they may have used more. But in general, 3G operators have been pulling fibre since 2005 or thereabouts.

I would therefore tend to guess that it’s the access side. There are good reasons to do it this way – notably, requesting surveillance of someone’s phone via the Regulation of Investigatory Powers Act, or alternatively via the Dodgy Ex-Copper Down the Pub route, usually requires that you know who you’re looking for quite specifically. That is to say, you need to know an identity that is likely to be in a given phone company’s database. Also, in some use-cases you might want imperfect but live coverage rather than a giant pile of data weeks later.

Listening in to radio doesn’t work like that, and could be done more secretly as well. I’m not particularly convinced by the idea of trying to match “voiceprints” – it sounds a bit Nemesysco, and in this case, the sampled voice would have first gone through whatever radio system the Taliban were using (which will have filtered out or just lost some information, and also added some noise and artefacts) and the target would have been filtered by the voice codec used on their phone, which throws away quite a bit, as well as by the network’s acoustic echo cancellation if the call is inbound. Also, they might be speaking a different language, which may or may not make a difference but won’t help.

Perhaps they have some magic, or perhaps this is a cover story. This happens to be the most difficult case of a speaker identification system – it’s identification rather than verification (so the number of possible alternatives scales with the size of the population), it’s an open set process (no bounds on who could be in either group), and it’s wholly text independent in both samples (no way of knowing what they are going to say, and no reason to think they will say it twice). There are methodologies based on high-level statistical analysis, but these require long-term sampling of a speaker to train the algorithm, which gives you a chicken-and-egg problem – you need to know that you’re listening to the same speaker before you can train the identification system. Of course, other sources of information could be used to achieve that, but this makes it progressively harder to operationalise.

Anyway, doing some background reading, it turns out that a) speech perception is a really interesting topic and b) the problem isn’t so much the quality of the intercept (because speech information is very robust to even deliberate interference) as just the concept of voiceprint identification in general. Out of Google-inspired serendipity, it turns out Language Log has covered this.

In lab conditions with realistic set-ups (i.e. different microphones etc. but not tactical conditions and not primarily with multiple languages), it looks like you could expect an equal-error rate, that is to say the point where the false-negative and false-positive rates are equal, of between 3% and 10%. However, the confidence intervals are sizeable (10 percentage points on an axis of 0-40 for the best performing cross-channel case). Obviously, a 3% false positive rate in an environment where there are very few terrorists is not that useful.

Here’s something interesting. You may remember this story from back in November about the CIA spy network in Lebanon that met at a Pizza Hut they codenamed PIZZA, and which was rolled up by a joint Hezbollah-Lebanese military intelligence investigation. The key detail is as follows:

U.S. officials also denied the source’s allegation that the former CIA station chief dismissed an email warning that some of his Lebanese agents could be identified because they used cellphones to call only their CIA handlers and no one else.

Lebanon’s security service was able to isolate the CIA informants by analyzing cellphone company records that showed the numbers called, duration of each call and location of the phone at the time of the call, the source said.

Using billing and cell tower records for hundreds of thousands of phone numbers, software can isolate cellphones used near an embassy, or used only once, or only on quick calls. The process quickly narrows down a small group of phones that a security service can monitor.

If the top paragraph is true, it would have been catastrophically ill-advised. Even somebody special, like a CIA agent under diplomatic cover, has a relatively large number of weak ties to normal people. This is the reverse of the small-world principle, and is a consequence of the fact that the great majority of people are real human beings rather than important persons. As a result, things like STELLAR WIND, the illegal Bush-era effort to analyse the whole pile of call-detail records at AT&T and Verizon in the hope that this would find terrorists, face a sort of Bayesian doom. We’ve gone over this over and over again.

However, phone numbers that only talk to special people are obviously suspicious. Most numbers with a neighbourhood length of 1 will be things like machine-to-machine SIMs in vending machines and cash points, but once you’d filtered those out, the remaining pool of possibles would be quite small. It is intuitive to think of avoiding surveillance, or keeping a low profile, but what is required is actually camouflage rather than concealment.
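To make the neighbourhood argument concrete, here is an added example (not from the original post or the reporting it quotes) that builds the contact graph from a handful of constructed call-detail records and shows which numbers stand out. The phone numbers, the `M2M_NUMBERS` exclusion list and the function names are assumptions made for illustration; how an operator would actually identify machine-to-machine SIMs is not described on this page.

```python
from collections import defaultdict

# Constructed call-detail records: (caller, callee, duration in seconds).
CDRS = [
    # Three phones that only ever talk to one number.
    ("555-0101", "555-0900", 40),
    ("555-0101", "555-0900", 25),
    ("555-0102", "555-0900", 35),
    ("555-0900", "555-0103", 20),
    # A phone that talks to the same number but also has an ordinary life.
    ("555-0104", "555-0900", 30),
    ("555-0104", "555-0200", 200),
    ("555-0203", "555-0104", 150),
    # The busy number's own everyday calls, and ordinary subscribers.
    ("555-0900", "555-0200", 600),
    ("555-0900", "555-0201", 300),
    ("555-0200", "555-0201", 900),
    ("555-0200", "555-0202", 120),
    ("555-0201", "555-0202", 60),
    ("555-0202", "555-0203", 45),
    # Vending-machine SIMs reporting to a telemetry number.
    ("555-0700", "555-0799", 5),
    ("555-0701", "555-0799", 5),
]

# Assumption: a list of known machine-to-machine numbers is available.
M2M_NUMBERS = frozenset({"555-0700", "555-0701", "555-0799"})


def neighbourhoods(cdrs):
    """Map each number to the set of distinct numbers it exchanged calls with."""
    contacts = defaultdict(set)
    for caller, callee, _duration in cdrs:
        contacts[caller].add(callee)
        contacts[callee].add(caller)
    return contacts


def exclusive_numbers(cdrs, exclude=frozenset()):
    """Numbers with a neighbourhood of exactly one, mapped to that one peer."""
    result = {}
    for number, peers in neighbourhoods(cdrs).items():
        if number in exclude or len(peers) != 1:
            continue
        (peer,) = peers
        if peer not in exclude:
            result[number] = peer
    return result


def hubs(cdrs, exclude=frozenset(), min_exclusive=2):
    """Numbers that several exclusive phones all point at."""
    grouped = defaultdict(list)
    for number, peer in exclusive_numbers(cdrs, exclude).items():
        grouped[peer].append(number)
    return {hub: sorted(nums) for hub, nums in grouped.items()
            if len(nums) >= min_exclusive}


if __name__ == "__main__":
    print("neighbourhood of 1, unfiltered:", sorted(exclusive_numbers(CDRS)))
    print("after dropping M2M SIMs:      ",
          sorted(exclusive_numbers(CDRS, M2M_NUMBERS)))
    print("hubs:", hubs(CDRS, M2M_NUMBERS))
    print("555-0104 contacts:", sorted(neighbourhoods(CDRS)["555-0104"]))
```

The phone at 555-0104 calls the same hub as the other three, yet never appears in the output, because its other calls give it an ordinary-looking neighbourhood: camouflage rather than concealment.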

There are more direct methods – which is where electronic warfare and shopping mall management intersect.

Path Intelligence, a Portsmouth-based startup, will install a network of IMSI-catchers, devices which act as a mobile base station in order to identify mobile phones nearby, in your shopping centre so as to collect really detailed footfall information.

Similarly, you could plant such a device near that Pizza Hut to capture which phones passed by and when, and which ones usually coincided. Alternatively, you could use it in a targeted mode to confirm the presence or absence of a known device. Which makes me wonder about the famous Hezbollah telecoms network, and whether it was intended at least in part to be an electronic-intelligence network – as after all, nothing would be a better cover for a huge network of fake mobile base stations than a network of real ones.

Meanwhile, this year’s CCC (like last year’s) was just stuffed with GSM exploits. It really is beginning to look a lot like “time we retired that network”.

Well, here’s a contribution to the debate over the riots. The Thin Blue Trots’…sorry…Police Federation report has been leaked.

Among the failings highlighted by the federation, which represents 136,000 officers, were chronic problems, particularly in London with the hi-tech digital Airwave radio network. Its failings were one reason why officers were “always approximately half an hour behind the rioters”. This partly explained, it said, why officers kept arriving at areas from where the disorder had moved on.

The Airwave network was supposed to improve the way emergency services in London responded to a crisis after damning criticism for communication failures following the 7 July bombings in 2005.

It is being relied upon to ensure that police officers will be able to communicate with each other from anywhere in Britain when the Olympics come to London next summer. The federation wants a review into why the multibillion-pound system collapsed, leaving officers to rely on their own phones.

“Officers on the ground and in command resorted, in the majority, to the use of personal mobile phones to co-ordinate a response,” says the report.

It sounds like BB Messenger over UMTS beats shouting into a TETRA voice radio, as it should being about 10 years more recent. Not *this* crap again!

There’s surely an interesting story about how the UK managed to fail to procure a decent tactical radio for either its army or its civilian emergency services in the 1990s and 2000s. Both the big projects – the civilian (mostly) one that ended up as Airwave and the military one that became BOWMAN – were hideously troubled, enormously overbudget, and very, very late. Neither product has been a great success in service. And it was a bad time for slow procurement as the rapid technological progress (from 9.6Kbps circuit-switched data on GSM in 1998 to 7.2Mbps HSPA in 2008, from Ericsson T61s in 2000 to iPhones in 2008) meant that a few years would leave you far behind the curve.

And it’s the UK, for fuck’s sake. We do radio. At the same time, Vodafone and a host of M4-corridor spin-offs were radio-planning the world. Logica’s telecoms division, now Acision, did its messaging centres. ARM and CSR and Cambridge Wireless were designing the chips. Vodafone itself, of course, was a spinoff from Racal, the company that sold army radios for export because the official ones were ones nobody would import in a fit. BBC Research’s experience in making sure odd places in Yorkshire got Match of the Day all right went into it more than you might think.

Presumably that says something about our social priorities in the Major/Blair era? That at least industrially, for once we were concentrating on peaceful purposes (but also having wars all over the place)? Or that we weren’t concentrating on anything much industrially, and instead exporting services and software? Or that something went catastrophically wrong with the civil service’s procurement capability in the 1990s?

It’s the kind of story Erik Lund would spin into something convincing.

By the mid-2000s the minimal cost-to-serve a mobile phone user had got down to the point where it was worth Roshan’s while to put base stations in places where British soldiers broke down 105mm light guns to carry them piece by piece up a cliff, in order to fire from the hilltop next to the base station and get additional range.

It’s fairly well known that the Taliban weren’t entirely pleased about this, especially when ISAF started publicising their tip-off hotline and people did just that with their new second-hand Nokias. And they started destroying base stations until the operators agreed to shut down for part of the day. An uneasy settlement was arrived at – after all, Talibs use the phone too, and so do their families and friends. Like the old pattern of the insurgent owning the roads during the night and the government during the day, the insurgent owned the 900MHz band during the night and left it to the government during the day.

(However, their control of radio spectrum is purely negative, as if they were to use it themselves, the government could spy on them doing so, direction-find the transmitters, traffic-analyse the network to find out who is important, and sic drones, attack helicopters, or commandos on them. They can intimidate other people out of using it, but they can’t use it themselves without very careful security precautions.)

So I’d like to recommend this really excellent article.

It seems that this shaky modus vivendi has broken down. Not only are the Taliban destroying more sites, they are doing so more thoroughly.

A typical problem for an emerging-market GSM operations engineer is the security of diesel fuel. Some operators in Africa are their countries’ biggest electricity generators. This is fiendishly expensive – not only do you have to buy the diesel, you have to pay people to fill up the tanks on thousands of remote cell sites. And other people will steal it, or even steal the whole generator, which is why some of them are half-way up the tower although that means the structure must be much heavier and stronger and more expensive. Highway robbery is a better payoff than burglary as you get the whole truckload and the truck to move it, so you also have to pay for protection. That might mean protection as in guards, or protection as in racket, and quite often the distinction is far from clear.

This also becomes a typical first world GSM operations engineer’s problem as soon as a big storm knocks over a few hundred towers and outs the electricity, as some bright spark inevitably notices the backup generator running.

Although you can buy solar and wind-powered base stations, there are still a lot of diesel ones out there. Now, if your objection is not merely financial, this means it’s easy to destroy the infrastructure – you force open the valves and set it on fire. Interestingly, though, the Taliban have moved on from just starting a fire to breaking into the equipment cabinet and soaking it with the fuel, then setting that on fire. Thus multiplying the cost of repair and the downtime by an order of magnitude at least.

Alternatively, they sometimes dig a hole and blow the whole thing up with high explosive, wrecking the civil works (budget for quite a bit more including the labour) and demonstrating their aggression to everyone in earshot.

It also looks like they’ve realised that the backhaul links from the base stations to the switching centre are point-to-point microwave ones, and that the network has a hierarchical structure, with multiple base stations linked by microwave radio to a base station controller (or radio network controller in 3G) site which has a microwave link to the switch, and where there may be a variety of other equipment depending on exactly how the network is designed. As all that suggests, this is a crucial node and therefore a target. It is suspected that they have expert advice.

So the operators shut down service, and then the Afghan government and NATO yell at them to turn it back on.

And this is where it gets interesting. NATO has been installing macro-cells – big high power base stations – on its outposts as well as the private, ruggedised femtocells I wrote about with regard to Mr. Werritty. The idea was that if the commercial network was down, the phones would roam onto the backup network. Take that, forces of Islamofascism! But there’s a problem. The commercial operators won’t let the new network be in the list of permitted roaming networks on their SIMs, because they fear that if they shut down and service is still available, the Taliban will blow up even more of their stuff and perhaps start murdering engineers.

The government network could run like an IMSI catcher, masquerading as all four networks to capture their subscribers but forwarding everything – but I get the impression the operators don’t want to interconnect with it, so calls would have to be routed out of the country and back in via the international gateway and it probably won’t work very well.

And as a result, NATO has created the exact opposite of a successful emerging market GSM operator. Rather than cut-down low-power small cells cunningly distributed in the landscape, it’s got big expensive pigeon fryers placed wherever seems safe or rather less unsafe. You’d think the same sort of place would do for a radio station as would do for a fort, but radioplanning is far more complicated than just picking hilltops and often deeply counter-intuitive. Rather than rock-bottom cost-to-serve, it’s thought to be the most expensive phone network in the world per-user.

It’s possible, thinking back to Rory Stewart, that a network designed along the lines of the kind of wireless-mesh broadband system his mates are building for the Penrith area might be more robust against such an attack. The Mexican Zetas seem to think so. Even staying in GSM, the BSC functions can be forward-deployed to the cell sites, and more of the backhaul could be point-to-multipoint rather than point-to-point, and more of the sites could be interlinked, thus getting more redundancy at the expense of worse efficiency. But that would only reduce the number of critical nodes. GSM remains a fundamentally hierarchical network architecture, and some would inevitably be much more important at the system level than others.

And finally, they could still just destroy towers, only with rather less efficiency. Putting more equipment at the cell site might just make it more vulnerable. Also, a problem with mesh networks is that they are more effective the more nodes there are – but the places where we usually want them because other networks are impossible tend to be sparsely populated. It would also make the whole issue personal. Owning the device would make you a target.

In the final analysis, fire remains an effective technology of rebellion.

Eh, Charlie Stross’s blog is a machine for destroying time. Anyway. This post is going to be so wonkish it’s to not come back from.

An occasional theme on this blog has been the intersection between the Bush wars and the mobile phone industry. In fact, looking back, that’s not been so much an occasional theme as more of an obsession, and I’d have written more if I hadn’t been subject to non-compete clauses.

Everyone who reads this blog probably knows that Afghanistan got GSM coverage very quickly after 2001, with Roshan and the Afghan Wireless Communications Company or AWCC in the lead. Things went so fast that for a while there were four operators with licenses and a good half-dozen pirate networks. The explanation of this is pretty simple – in the early 2000s the mobile industry had developed a whole package of technology, business models, methods, and personnel that made it possible to unfurl a GSM network pretty much anywhere and make an absolute killing.

Thaksin Shinawatra’s career is a case in point – who knows how a Royal Thai Police colonel raised the money to come up as the holder of a GSM licence, but he did, and there were consulting engineers and contractors who would build the network and equipment vendors who would supply the parts with 100% vendor finance. Once it was up, it rained money and he was off to the races.

Of course Thailand is nothing like Afghanistan – a solid middle-income, industrialising economy with the kind of institutions that function by corruption rather than failing because of it. By 2001 there weren’t so many plums like that one to pluck and the buccaneers who were first in were beginning to think about cashing out.

On the other hand, the gear kept getting cheaper and the success-stories made it easier and easier to borrow from the World Bank or other friendly local multilateral financial institution, as at this point it looked like about the only development success in 40 years or so. Thanks to people like Mo Ibrahim and the rest at Mobile Systems International, the level of average revenue per user that made it viable to build a GSM network was driven down until now we’re operating below $5/month and there is no country that doesn’t have at least a little bubble of coverage around the capital city.

So that’s why it happened. There was a reliably deployable package of technology and economics and legalities, with a global workforce of Sven-units with frequent flyer points on every-damn-thing, and a set of reliable sources of capital. As well as the Aircom or Ericsson Professional Services guys who would design the network, and the contractors who would recruit the people who dug the foundations on the knolls and warps in the landscape that the radio planners made obscurely significant, there were others who would write the formal licence proposal to fit through the newly established bureaucracy of “regulators” and public procurement systems redesigned to please the IMF and other princes of the Washington consensus. No doubt there were people who specialised in operating the other, informal procurement systems. If you know what I mean. There was a product that sold and that, once sold, became one of the markers of modernity and status. The wheel of capital intensification kept turning, recapitulating the development of the Grand Banks fishery in the 1500s. Or something like what Erik Lund would say.

Of course, there were some problems with the package. Most of all, it structurally favours creating a new operator over extending an existing one’s network, which is why Uganda has six mobile phone networks (and two WiMAX DSL-substitute not-officially-mobile networks) when a lot of people who ought to know think the UK only needs three. The turn-key vendor contract is meant to give you all the bits you need to call yourself an operator; the MFI funding is released when the licence application is accepted; the money starts flowing when the 15% or so of the cells that carry 50% of the traffic are on line. Increasing population coverage is mostly cost, which is why a coverage requirement is typically laid down in the licence.

And that’s why supposedly (and that should be a big “supposedly”) Kabul has better mobile service than Rory Stewart’s constituency. Rory may need to consider what kind of mobile service places that stand in the same relation to Kabul as Penrith does to London get, and we’re going to discuss this (and some other stuff) in the next post.

OK, so “Not All That” Foxy Liam Fox is in trouble.

“He is an odd bloke,” said one fellow minister. “He has fingers in so many pies that you kind of think one of them will land him in trouble somewhere along the line.”

Another Tory MP said Fox’s tendency to name-drop and brag about his close friendships with Republicans in the US, media magnates such as David and Frederick Barclay (owners of the Daily Telegraph), and his endless globe-trotting, even before he entered the cabinet, has made many bristle and help explain why he has plenty of enemies in the Tory party and in Whitehall. “I think you either roll with the bluster or find it repellent,” said a Tory MP.

Ah, one of them. Anyway. Part of the problem is this famous meeting where his bestie Adam Werritty just happened to turn up. What was on offer? Well, a product called Cellcrypt, whose makers were trying to sell it to the MoD to stop evilly-disposed persons from eavesdropping on British soldiers’ phone calls back to the UK. (Note: this is going to be long. Technical summary: voice encryption apps for GSM-style mobile networks can guarantee that your call will not be overheard, but not that your presence cannot be monitored, and not necessarily that the parties to your calls cannot be identified.)

Back in the early days of Iraq, the CPA permitted one mobile phone operator in each of its three zones to set up. The British zone, CPA-South/Multinational Division South-East, let the Kuwaiti national telco, MTC (now Zain and busy running Mo Ibrahim’s old Celtel business into the ground) set up there with a partner some of us may have heard of. It’s from Newbury and it’s not a pub or an estate agency and its logo is a big red comma…funny how Vodafone never talked that particular investment up, innit? Anyway. Later the Iraqi government did a major tender for permanent licences and Orascom got most of it, but that’s another story.

One thing that did happen was that soldiers took their mobiles with them to Iraq, and some of them pretty soon realised that buying a local SIM card in the bazaar was much cheaper than making roaming calls back to the UK. Either way, lots of +44 numbers started showing up in their VLR, the big database that keeps track of where phones are in a GSM network so it can route incoming calls.

Pretty soon someone who – presumably – worked for the MTC-Voda affiliate and whose purposes were not entirely aligned with Iraq The Model realised that you could use the VLR to follow the Brits (and the Yanks and the Danes and the Dutchmen and Kiwis and all sorts of contractors) around. Not only that, you could ring up their families in the UK and make threats with the benefit of apparently supernatural knowledge.

This obviously wasn’t ideal. Efforts were made to mitigate the problem; soldiers were discouraged from using local GSM networks, more computers and public phones were made available. The eventual solution, though, was to get some nice new ruggedised small-cell systems from companies like Private Mobile Networks Ltd., which basically pack a small base station and a base station controller and a satellite backhaul terminal into a tough plastic box of a suitably military colour. You open it up, unfold the antenna, turn on the power, and complete some configuration options. It logs into the mobile operator who’s providing service to you via the satellite link.

Now, because radio signals, like all radiation, lose intensity with the inverse square of the distance, you’ll be vastly louder than everyone else. So any mobile phone nearby will roam onto your private mobile network and will be in the UK for mobile phone purposes, a bit like the shipping container that’s technically in Egypt at the end of Four Lions. And none of this will touch any other mobile network that might be operating in your area. Obviously you can also use these powers for evil, by snarfing up everyone else’s traffic, and don’t for a moment think this isn’t also done by so-called IMSI catchers.

You’re not meant to do this, normally, because you probably don’t have a licence to use the GSM, GSM/PCS, or UMTS frequencies. But, as the founder of PMN Ltd. told a colleague of mine, the answer to that is “we’ve got bigger tanks”.

So, where were we? Well, the problem with trying to do…something…with Cellcrypt is that it doesn’t actually solve this problem, because the problem wasn’t originally that the other side could listen to the content of voice calls. Like all telecoms interception stories, it was about the traffic analysis, not the content. Actually, they probably could listen in as well because some of the Iraqi and Afghan operators may not have been using up-to-date or even *any* air interface encryption.

But if you’re going to fix this with an encryption app like Cellcrypt, you’ve got to make sure that every soldier (and sailor and diplomat and journo and MoD civilian) installs it, it works on all the phones, and you absolutely can’t make calls without it. Also, you’ve got to make sure all the people they talk to install it.

And the enemy can still follow you because the phones are still registering in the VLRs!

So, there’s not much point relying on OTA voice encryption to solve a problem that’s got nothing to do with the voice bearer channel. However, bringing your own small cell network certainly does solve the problem, elegantly, and without needing to worry about what kind of phones people bring along or buy locally.
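The argument above, as an added example that is not part of the original post: a constructed toy model in Python of which records the local operator ends up holding about one roaming phone, with and without an encryption app and a private small cell. The loudest-cell rule, the record layout, the IMSI and every name are assumptions, and the model takes the favourable case in which the app hides the callee as well as the speech.

```python
# Constructed toy model, not real network software: what a visited GSM
# operator's records hold about a roaming phone in the post's scenarios.
from dataclasses import dataclass, field

@dataclass
class Operator:
    vlr: dict = field(default_factory=dict)        # IMSI -> location area
    call_log: list = field(default_factory=list)   # (IMSI, callee, speech)

    def attach(self, imsi, location_area):
        # Location update: made on registration, before any call exists.
        self.vlr[imsi] = location_area

    def carry_call(self, imsi, callee, speech, app_encrypted):
        # Assumption: the app sends ciphertext over the data bearer, so the
        # operator logs neither the callee number nor readable speech.
        seen = (None, None) if app_encrypted else (callee, speech)
        self.call_log.append((imsi, *seen))

@dataclass
class Cell:
    operator: Operator
    location_area: str
    tx_power_w: float
    distance_m: float

    def rx_power(self):
        # Inverse-square falloff; constant factors cancel between cells.
        return self.tx_power_w / self.distance_m ** 2

def exposure(app_encrypted, private_cell, imsi="234-CONSTRUCTED-01"):
    """Return what the local operator's records show for one phone."""
    local, home = Operator(), Operator()
    cells = [Cell(local, "LA-CITY", 20.0, 2000.0)]      # distant macro cell
    if private_cell:
        cells.append(Cell(home, "LA-BASE", 1.0, 50.0))  # small cell on base
    serving = max(cells, key=Cell.rx_power)             # phone camps on loudest
    serving.operator.attach(imsi, serving.location_area)
    serving.operator.carry_call(imsi, "+44-CONSTRUCTED", "hello", app_encrypted)
    calls = [c for c in local.call_log if c[0] == imsi]
    return {"location": local.vlr.get(imsi),
            "callee": calls[0][1] if calls else None,
            "speech": calls[0][2] if calls else None}

if __name__ == "__main__":
    for app in (False, True):
        for cell in (False, True):
            print(f"app={app} private_cell={cell} ->", exposure(app, cell))
```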

And the military surely understand this, as by the time of the famous meeting, they’d already started deploying them. Also, back when this was a big problem, 19-year-old riflemen usually didn’t have the sort of phones that would run a big hefty application like Cellcrypt, which also uses the mobile data link and therefore would give them four-figure phone bills.

To sum up, Werritty was helping someone market gear that the MoD didn’t need, that was hopelessly unfit for purpose, wouldn’t actually do what the MoD wanted, and would cost individual soldiers a fortune, by providing privileged access to the Secretary of State for Defence.

my love affair with GSM hardware

Even more trivial than the last one! Some mobiles I loved.

Samsung ???

This was the first of them all in 2000-2001. A weird reverse-clamshell design that very rapidly developed dodgy contacts in the joint. But eh, I had a real, lasting relationship and I could send her texts from the union!

Siemens c55i

Neat and sort of German. With a big square INTERNET key to remind you that you could look at a small subset of the Web on it, if you wanted to spend an absurd amount of money. I took this one away to Vienna and ran up horrible roaming bills (see above) and went without for six months.

Nokia 3210

First Nokia. Smaller, thinner, more future-y. Lit up like a squid from within.

Nokia 6210

Ah, an enduring design classic. Really great, clicky but soft, good sized keys with lighted markers. Less Star Trek than 2001: A Space Odyssey. Real European design. Series 40 OS. Sound hardware. And when we moved into the new flat, I remembered that Royal Holloway computer centre still had a dialup pool, so we aligned the IR port and dialled in over the circuit voice channel, and we could load the blog. 2003 was a bit late for dialup though.

Nokia 6210i

Same as the 6210 but with a 1.3 megapixel cam. Operators had finally repented of trying to make everyone use MMS and therefore squeeze photos into the size mandated by the 3GPP standards group. Sadly, they also made the keys silvery and destroyed its austerity of design. This was the only one I ever lost, from a boozy working lunch at MCI.

Qtek 8100/HTC Amadeus

Working at MCI made that a nonproblem. Very soon we got one of these as a gimme. Technically this was the first smartphone I had, with MS Windows CE and an SD card slot. The back was designed fairly obviously to look a bit like some Apple products, and the whole thing was meant to be a “music phone”. That didn’t mean it came with any real storage capacity, and I added a 2GB SD card – at the time those cost real money. Having worked out how to configure the data access point, it meant I could read NANOG on the train of a morning until I got banned for three months for swearing. I also managed to permanently reduce the default camera resolution, so a whole holiday’s worth of snaps were thumbnails. It was this phone that I took to Singapore and Cape Town in one month and set my personal record mobile bill of £132.

BlackBerry ?

Vodafone sent us one of the BlackBerrys before they were designed to not be hideous, as a review of their hosted BlackBerry service. This was quite impressive, even if it was hard to stop it getting my colleague Sean Jackson’s e-mail. My partner was horrified by the blinking, commanding red light, I was delighted by the clickwheel. I took it to 3GSM in Barcelona. VF asked us for it back soon afterwards. I wonder why?


I had this one in early 2006. I can find similar ones, but only from at least a year later – or perhaps we got an early prototype? Anyway, it was similar to this one but with even fewer hardware controls, so only the horribly crap touchscreen. The first one I had with a touchscreen, or WiFi. Didn’t really work. It also destroyed the SD card full of songs. Bastards.

HP iPaq 6915w

This one was actually quite impressive in a slightly grim enterprisey way. It provided a touchscreen, a QWERTY keypad, WiFi, and GPS, and it worked when it wasn’t crashing. It also had a hard plastic cover that flipped over the screen. I remember deliberately taking a photo on board a plane from London to Dubai to get a GPS fix, and finding that the camera app would look up photos on Multimap (Multimap!) if it could. Also, looking up questions on the Buddha Bar’s WiFi from IMDB to settle an argument.

HP wanted it back.

BlackBerry Pearl

Around then, RIM discovered product design and suddenly BlackBerry devices didn’t need a tea cosy over them. The first of the new breed was this one, and RIM sent me one, which I took to Cape Town. It worked well and looked good, although it was made of glue and phone calls sounded really odd.

Nokia N73

3 UK announced a new product – the X-Series tariff, which offered Skype! on a mobile. They sent us one. I was impressed and paid for one myself. It was a damn good photo phone and a good all rounder, even if it wasn’t pretty. The Skype implementation was disappointing. But the camera was great.


I went to an Orange UK product launch. They said there were Nokia E61s going, but I got there late and they were all gone. I got one of these instead – a preview of the future, really. Windows again, with a large but not good touchscreen, and a slide-out QWERTY, and basically top specifications in everything, and a handy click-wheel. The first 3G device I had. My sister then needed a phone and the N73 turned up, so I offered her the gadget. She renamed it the Beast of Telecom but used it for ages.

Nokia E65

I changed operator to 3UK for the X series and stayed for the cheap Internet service. The E65 was part of Nokia’s attempt to outcompete RIM on looks – a shiny slide-out device. But the bit that got me was the fact it could read RSS feeds. I could check key blogs on the train!

Nokia E71

Ah, a genuine design classic this one. So much so I’ve still got it. Mine came in a mix of chrome, white plastic and white leather keys on the QWERTY. The late version of Symbian S60 it ran worked very well unless you wanted to write code for it, in which case you were basically in for a world of tiresome. It felt and looked great and everything built in worked great. And you could just USB it to any computer and wvdial it to get online.

Bizarrely, Nokia shipped it with a 200MB(!) SD card with some apps on it, rather like they sent out crappy tinny headphones with “music phones”. Also, the phones socket was at 90 degrees to the phone, so it wouldn’t drop into a pocket and never worked well.

Eventually I dropped it and the screen crazed, and I thought it was time for Android.

Samsung GT-i7500

A hacky mess. No QWERTY, which annoys me. Seriously buggy in every way. Made of tickytacky, ugly. Atrocious battery life and radio performance. Crashy, although that’s the Google’s fault. At least the headphone cockup was avoided. Perhaps some of the ‘droid issues are fixed in updates, but the updates never come. (On the other hand, Nokia announced in about 2008 that you could update your phone’s software to the latest version…but it would overwrite all the data on it. Thanks!)

And if it runs out of internal storage, it silently drops SMS messages. Fail.

