Archive for the ‘GSM’ Category

The Obscurer has possibly the first intelligent article on the whole “turn off their Facebook! that’ll learn em!” furore. Notably, they interviewed one-man UK mobile industry institution Mike Short. Go, read, and up your clue. I especially liked that the piece provided some facts about the 7th July 2005 terrorist incident and the mobile networks.

There is only one reported case of a UK network being closed by police. During the 7/7 London suicide bombings, O2 phone masts in a 1km square area around Aldgate tube station were disconnected for a number of hours.

Police have an emergency power to order masts to be put out of action known as MTPAS – Mobile Telecommunication Privileged Access Scheme. The move has to be approved by Gold Command, by the officers in highest authority during a major incident, and is designed to restrict all but emergency service phones with registered sim cards from making calls. But a shutdown can have dangerous knock-on effects. Short says that phones within the Aldgate zone automatically sought a signal from live masts outside it, overloading them and causing a network failure that rippled out “like a whirlpool”.

On the day, other networks were simply overloaded as Londoners sought reassurance and information. Vodafone alone experienced a 250% increase in call volumes.

MTPAS is the GSM-land equivalent of the old fixed phone Telephone Preference Scheme (not to be confused with the new one that blocks cold-callers), which permitted The Authorities to turn off between 1% and 90% of phone lines in order to let official traffic through. As far as I know, the Met never asked for it and it was City of London Police who initiated it without asking the Met or anyone else, and in fact O2 UK’s network had been keeping up with demand up to that point, before the closure caused the cascade failure Short describes.

The significance of O2 is that it used to be “Surf the Net, Surf the BT Cellnet” and some residual gaullist/spook reflex in the government tried to keep official phones on what was then one of two British-owned networks.

Anyway, this weekend seems to have the theme “The Intersection of Charlie Stross and the August 2011 Riots”. Charlie’s talk at USENIX is sensibly sceptical about some tech dreams as they apply to networking.

This leaves aside a third model, that of peer to peer mesh networks with no actual cellcos as such – just lots of folks with cheap routers. I’m going to provisionally assume that this one is hopelessly utopian, a GNU vision of telecommunications that can’t actually work on a large scale because the routing topology of such a network is going to be nightmarish unless there are some fat fibre optic cables somewhere in the picture. It’s kind of a shame – I’d love to see a future where no corporate behemoths have a choke hold on the internet – but humans aren’t evenly distributed geographically.

Especially as the theoretical maximum bandwidth of one fibre is about the same as the entire radio spectrum. And the point about routing table size and complexity is a very good one, especially as it’s assumed that the routers aren’t CRS-1s but rather Linksys fifty quidders or mobile phones.

However, one thing the liberation technologists should take away from the riots is that you shouldn’t get hung up on bandwidth. It’s great to be able to post the photos on Flickr, but it’s more useful to have your own secure voice and messaging. When the Egyptian government relented on its GSM cut-off, the Egyptian Twitter feeds lit up with calls for more people to this or that exit of Tahrir Square or medical supplies to the clinic or (and I remember this) that a lost child was waiting at the press tent.

It was what NANOG users would call operational content. There was of course no need whatsoever for it to go via a Bay Area website – all Twitter provided was the one-to-many element, very important, and the publicity on the Web. The latter is a nice-to-have feature, the former, critical. Text, or even voice, is not a high bandwidth application and doesn’t necessarily need access to the global Internet.

So yes – perhaps there is in fact quite a bit of angular momentum to be had in a mobile mesh-WLAN client as an instrument of democracy, as long as you’re willing to accept that it’s not the sort of thing that can be exclusive to people who agree with you. But then, that’s the test of whether or not you actually believe in democracy.

Something else, between Charlie’s USENIX talk and the riots. Isn’t one of the biggest disappointments, from a police point of view, the performance of CCTV? No doubt it will help put some of the rioters in jail. But it didn’t prevent the riots and neither did it seem to help quell them much. It’s possible that the whole idea that potential surveillance (like the original panopticon) is a policing influence isn’t as strong as it’s made out to be.

Another point; not all crimes are punished or even taken notice of. This is obvious. Less obvious is that the degree to which the police ignore crime is an important political fact. Is it possible that CCTV, by forcing them to make at least a token response to everything that passes in camera range, actually contributed to using up the police strength? In a riot, the police aim is to demonstrate public, mass control. They are usually willing to ignore quite a lot of individual criminality in the process. It’s possible that surveillance culture and technology are opposed to strategy.

Over at Stable & Principled, I’ve been blogging about running out of policemen and how the Prime Minister doesn’t seem to have any thoughts at all that weren’t adequate-ish newspaper columns from about 2004. But how did we get to the stage of using up the Met and most of the wider police forces’ reserves of manpower just like that? This isn’t a “What does it all mean?” post, although inevitably we’ll have one of them for you as well. It’s more like a “How does it all work?” post.

In all, 2,347 people have been arrested nationally. This is only a rough lower bound on the numbers of people involved, as obviously not everyone got caught and some of the people arrested are innocent. At an arrest rate of one in 10, that would give a total of 23,000. 51% of the arrests were in London, or to be precise the Met’s area of operations, which gives us the answer to one question at least – the police eventually quelled the riot by outnumbering the rioters, 16,000 cops versus an estimated 11,500 rioters. Obviously if you pick a different arrest rate fudge factor you’ll get a different answer, but then at least we’re using a model of sorts.

It’s certainly interesting, though, that a fairly small crowd was able to exhaust the policing resources of most of the UK. If the 23,000 rioters had shown up in central London to march on Whitehall, even assuming they were willing to be as troublesome and violent as they were elsewhere, I think the Met would have handled it without breaking sweat and certainly without needing to summon the South Wales force as mutual aid. Even the most hayseed British police forces deal with crowds of 23,000 young men reputed to be ready for violence, every weekend, quite commonly several at the same time, without very much happening. They are lower division football matches. And to be frank, a 23,000 strong national demo is disappointing.

So what’s up? One point is dispersion vs. concentration. Demonstrators want to occupy symbolic space and show their organisation by the very fact they could concentrate all these people. Casuals want to duff up the other mob. Therefore, the police problem is to either prevent them from getting to Parliament Square or the match, or else keep them segregated from other people while they are there. The police are on the tactical defensive, but the strategic offensive – if they stick it out they win.

Obviously, the demonstrators (or thugs) can’t counter this by dispersing because that would defeat the point. They have to come to the Bill, and the Bill can then canalise them. Kettling is the ultimate expression of this thinking.

If the police have to look for the crowd, though, this is obviously going to be a much more labour-intensive exercise. You can’t kettle several dozen groups of ten or so people spread over a dozen streets – the idea is absurd. You have to go looking for them. That in turn conditions what the crowd can do – it can’t stage a classic mass demonstration – and favours people who are willing to just randomly destroy stuff that happens to be undefended, while the traditional mass demo favours a show of what you might call subversive respectability. The slow march of the Zulus, if you like.

Another important point was that there was no key identity-group here – it wasn’t aligned with any one ethnic or religious group or geography and wasn’t even totally young, and it didn’t explicitly identify with a class either. Therefore, anyone who felt like it could join in, and did. This obviously helped it go national and also made a traditional (since the 80s) police tactic more difficult. How do you call community leaders to ask everyone to go home if you can’t identify the community? From the other direction, how do you negotiate with authority if you can’t identify a community?

(This is of course the final problem with the Big Society – its only organising principle is that it’s a society and apparently it’s big.)

I wonder if a lot of the violence was driven by the fact anyone could turn up, and therefore the only way to demonstrate that you really were one of the gang rather than a do-gooder or a fink or just some random spectator was to do something obviously illegal.

Also, did this kind of riot drop in between the classic modes of British policing? If someone commits a crime, there’s investigative policing, if it’s the right kind of crime and the right kind of victim. If the Chartists are marching on Westminster, line up on Westminster Bridge with shields and big sticks. And of course there’s community policing if there’s time between the other two for some cups of tea and old ladies, etc.

Investigation was rather irrelevant while it was going on, although of course it’s not any more. And the heavy mob couldn’t draw a shield wall around every shop in London. Neither could they find enough bodies to kettle every group of rioters, or find enough rioters in one place to kettle. It does look like the December 2010 student riots were a tactical learning-experience for a lot of people.

Finally, those BlackBerries. Not much to say here, except that the most important feature involved seems to have been the fact that BBM is multicast. You can message groups rather than only individuals. There are apps that let you emulate this with SMS, although the reply will only go to you.

As a general rule, BlackBerry Enterprise Server traffic should be hard to do anything to as the server, typically hosted by an organisation for its own purposes, generates its encryption keys when it’s set up. It’s not anything RIM or your operator has to know about. But this is of limited relevance – plenty of people run their own mail servers, but I’ve never heard of anyone who self hosts BlackBerry. The BlackBerry Internet Service, which is hosted by operators, certainly can be monitored by the operator as they own the server. UK operators would be covered by the Regulation of Investigatory Powers Act and might have to hand over logs from the BIS servers.

I don’t know, however, if the BIS machine archives the content of what passes through it (which isn’t required by RIPA anyway). Obviously, the traffic-analysis data of who messages who and when is potentially revealing.

From a network point of view, though, I doubt if snooping on the traffic in transit would be very useful. You’d know that someone was using a BlackBerry, as it would be opening Packet Data Profile connections through the network and querying the BlackBerry network DNS. But as they monitor messaging all the time, that isn’t very useful information. Certainly nothing as useful as the BIS server log.

Ah! Found it: although Yates told the House he had the mobile operators inform the hacked, and named Vodafone and Orange, he didn’t. Specifically, Orange identified about 45 victims but didn’t tell anyone. Vodafone identified 40 and only told a few who were considered VIPs. T-Mobile UK claims not to have found any. 3UK isn’t mentioned. Only O2 is known to have informed all of theirs without waiting to be asked. I therefore presume that the operator that has logged all the lawful intercept requests back to 2009 is O2, although I don’t have any further evidence for this deduction.

Did you know ISAF has been carrying out air missions to destroy Taliban radio towers? You do now, thanks to Thomas Wiegold’s blog. Specifically, Task Force Palehorse includes UAE Apache Longbow attack helicopters and American Kiowa Warrior reconnaissance helicopters, plus (according to comments) German ELINT specialists. And they go out and identify Taliban radio networks, and kill them.

There’s much interesting stuff for German-speakers in comments, notably that the technologies include old fashioned VHF, pirate GSM, and possibly other systems as well, that the relays are often solar-powered, and that the Taliban are significant users of IMSI-catchers – fake GSM/UMTS base stations used to monitor mobile phone activity.

So are the Germans, in order to prevent leakage from their own camps. The British have been using ruggedised, highly portable small cells for some time to stop soldiers using the Afghan GSM networks, for fear both of security leaks and also that (as in Iraq) their relatives in the UK might get nasty phone calls.

I have just been reading the catalogue for the Design Museum’s exhibition on Kenneth Grange. An interesting thought – he makes the very good point that the problem with both the matt-black Apple laptops and the iDevices is that they soak up oil and fingerprints and human grease in general. This is of course the case of all touchscreens – they’re reflective surfaces, so the filth shows, and people touch them. When I lived in Coop Himmelb(l)au’s Gasometer B development the management had placed some tablet PCs (it was just being a thing then) around the public spaces for people to fiddle with. Of course, the screens were practically black with gunk all the time.

As far as the matt black element goes, apparently he copied an idea from Braun and had the mouldings spun in a drum with walnut shells, slightly roughing up the texture and letting the walnut oil soak in, excluding anything else from going the same way. Not something to try with the touch screen, obviously.

So, I wonder, what would a post-iPhone user interface pattern be like? Also, oddly enough, in all his myriad projects over the years, Grange has never done a mobile phone. He did some really amazing designs for Reuters trader terminals, so much so that a casemod almost seems justified. But Psion in the 1980s, Ericsson or Motorola in the 1990s, or Nokia in the 2000s never apparently asked. It would probably have had at least one oversized orange GO button – a constant in his work.

Although perhaps not an extra large number 5.

Am I right in thinking that Andy Hayman’s testimony yesterday fingered Met press chief Dick Fedorcio? Hayman admitted he’d regularly had dinner with News International executives while he was meant to be investigating them. He mentioned that he had done this in the company of the head of communications of the Met, presumably with his approval, although Hayman was also acting in his capacity as ACPO media lead.

Fedorcio has had the same job since 1997. He was named by Nick Davies as having been present in the meeting where the Met demanded to know why Dave Cook was being followed by News International private detectives, and apparently intervened with senior police officers to get them to go easy on NI. Surely the guy in charge of police-press-political relations is a key figure in a scandal that’s all about relations between the press, the police, and politics?

Like the key News International men, Alex Marunchak and Greg Miskiw, there’s no sign of him. The Home Affairs committee, and indeed anyone else who wants the truth about this, must call Fedorcio without delay. Oh, and is Greg Miskiw in the UK?

Second point. Yesterday’s New York Times claims that Miskiw and others on the NOTW were able to locate mobile phones by paying £500 a shot to a corrupt police officer. That is to say, this policeman had access to the lawful intercept systems that are part of all GSM and UMTS cellular networks, or at least he could task people who did. ETSI Specification 01.33 defines this as a standard element of all GSM networks and the corresponding 3GPP TS 33.106 does so for UMTS ones.

If this is so, they could certainly also get pen-register information – lists of calls to and from given phone numbers – and even tap the calls themselves.

This is a massive violation of the UK’s critical national infrastructure security, of the Regulation of Investigatory Powers Act, and of the Data Protection Act. News International, their police contact, and the police force responsible (not necessarily the Met) should all be prosecuted.

There is an urgent need to audit the lawful interception systems’ logs, among other things to find out if there are other unauthorised users out there. International standards foresee a detailed audit trail as part of these systems in order to preserve the legal chain-of-evidence. If the Interception Request message was submitted in proper form from the police to the telcos, the operators are legally in the clear, but if I was in charge of their network security I’d suspend processing the requests until such an audit was carried out as we now know that an unknown but significant percentage of them are illegal.

Thank fuck we didn’t build that giant national ID card database.
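As an added illustration of the audit called for above (not code from this blog or from any operator), here is one way to reconcile an interception-request audit trail against a register of authorisations and flag requests nothing covers. The CSV layouts, field names, user and force labels and reference numbers are all constructed assumptions; the phone numbers come from the range reserved for fiction.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed register of authorisations (hypothetical layout, not a real warrant format).
AUTHORISATIONS_CSV = """\
ref,force,target,kind,valid_from,valid_to
AUTH-001,FORCE-A,447700900001,location,2011-07-01T00:00,2011-07-31T23:59
AUTH-002,FORCE-B,447700900002,call_records,2011-07-05T00:00,2011-07-12T23:59
"""

# Constructed audit trail of requests as logged on the operator side.
REQUESTS_CSV = """\
ts,user,force,ref,target,kind
2011-07-03T10:15,u.alpha,FORCE-A,AUTH-001,447700900001,location
2011-07-03T10:20,u.alpha,FORCE-A,AUTH-001,447700900003,location
2011-07-06T12:00,u.bravo,FORCE-B,AUTH-002,447700900002,call_records
2011-07-08T02:11,u.bravo,FORCE-B,AUTH-002,447700900002,intercept
2011-07-20T09:00,u.bravo,FORCE-B,AUTH-002,447700900002,call_records
2011-07-09T23:40,u.charlie,FORCE-A,,447700900004,location
2011-07-10T12:00,u.charlie,FORCE-A,AUTH-009,447700900005,location
2011-07-11T08:30,u.charlie,FORCE-B,AUTH-001,447700900001,location
"""


def parse_ts(value):
    """Parse the timestamp format used in the constructed samples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def load_authorisations(text):
    """Index the authorisation register by reference."""
    auths = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["valid_from"] = parse_ts(row["valid_from"])
        row["valid_to"] = parse_ts(row["valid_to"])
        auths[row["ref"]] = row
    return auths


def check_request(req, auths):
    """Return the reasons a request is not covered (empty list = covered)."""
    ref = req["ref"].strip()
    if not ref:
        return ["no authorisation reference"]
    auth = auths.get(ref)
    if auth is None:
        return ["unknown authorisation reference"]
    reasons = []
    if req["force"] != auth["force"]:
        reasons.append("reference issued to a different force")
    if req["target"] != auth["target"]:
        reasons.append("target not covered")
    if req["kind"] != auth["kind"]:
        reasons.append("request type not covered")
    if not auth["valid_from"] <= parse_ts(req["ts"]) <= auth["valid_to"]:
        reasons.append("outside validity window")
    return reasons


def audit(requests_text, auths):
    """Check every logged request; line numbers count the CSV header as line 1."""
    findings = []
    rows = csv.DictReader(io.StringIO(requests_text))
    for line_no, req in enumerate(rows, start=2):
        reasons = check_request(req, auths)
        if reasons:
            findings.append({"line": line_no, "user": req["user"],
                             "target": req["target"], "reasons": reasons})
    return findings


def findings_per_user(findings):
    """Count uncovered requests per requesting account, to show who needs review first."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = audit(REQUESTS_CSV, load_authorisations(AUTHORISATIONS_CSV))
    for f in results:
        print(f"line {f['line']}: {f['user']} -> {f['target']}: {', '.join(f['reasons'])}")
    print(findings_per_user(results).most_common())
```

A request that arrives in proper form still fails this check if the reference it quotes covers a different number, a different kind of data, a different force or a different date, which is the case a form-only check on the operator side would miss.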

Third point. Not that anyone will answer this, but were any of the Prime Minister’s designated deputies for nuclear retaliation subject to illegal telecoms surveillance?

Fourth point. Circling back to the Defence Vetting Agency and Andy Coulson, the vetting procedure as described on the DVA Web site states that in some cases, the decision may be taken to issue a security clearance subject to risk management measures taken by the department involved. In these cases, the DVA will disclose information to the sponsoring department that it would usually keep confidential. Did they make such a recommendation to the Prime Minister’s office, and if so, what was the information?

The Libyan rebels are making progress, as well as robots. Some of them are reported to be within 40 miles of Tripoli, those being the ones who the French have been secretly arming, including with a number of light tanks. Now that’s what I call protecting civilians.

They are also about to take over the GSM network in western Libya like they did in the east. How do I know? I’m subscribed to the Telecom Tigers group on LinkedIn and so I get job adverts like these two.

ZTE BSC Job: URGENT send cv at [e-mail] for the job position or fw to your friends: Expert Telecom Engineer ZTE BSC. Location: Libya, Western Area, 1300 USD/day, start immediate

URGENT send cv at [e-mail] for the job position or fw to your friends: ERICSSON MGW/BSS/BSC 2G/RAN Implementation Senior Expert Engineer. Location: Libya, Gherian, Western Mountains, 1300-1500 USD/day

In fact, one of the ads explicitly says that the job is in the rebel zone and the other is clear enough. What the rebels are planning to do is clear from the job descriptions:

must be able to install a ZTE latest generation BSC – platform to be integrated with 3rd party switching platform, solid knowledge of ZTE BSC build out and commissioning to connect up to 200 existing 2G/3G sites

To put it another way, they want to unhook the existing BTSs – the base stations – from Libyana and link them to a core system of their own, and in order to do this they need to install some Chinese-made Base Station Controllers (BSCs – the intermediary between the radio base stations and the central SS7 switch in GSM).

Here’s the blurb for the Ericsson post:

Responsible for commissioning and integrating an Ericsson 2G BSS network (2048-TRX Ericsson BSC plus Ericsson BTSs) in a multi-vendor environment. Will be responsible for taking the lead and ownership of all BSS commissioning and integration, leading the local team of BSS engineers, and managing the team through to completion of integration.

Experience of Ericsson MGW implementation, and integration of MGW with BSS, is highly desirable. Experience of optical transmission over A-interface.

Compilation, creation and coordination of BSC Datafill. This will include creating, generating, seeking and gathering of all Datafill components (Transport, RF Frequencies, neighbor relations, handovers, Switch parameters, ABIS mapping, etc.) based on experience and from examination of existing network configuration and data. Loading of Datafill into the BSC to facilitate BTS integration.

Working with the MSC specialists to integrate the BSC with the MSC. Providing integration support to BTS field teams; providing configuration and commissioning support to the BSC field team.

So they’ve got some Ericsson BSCs, the base stations are Ericsson too, and an MSC (Mobile Switching Centre, the core voice switch) has been found from somewhere – interesting that they don’t say who made it. That’ll be the “3rd party switching platform” referred to in the first job. They’re doing VoIP at some point, though, because they need a media gateway (MGW) to translate between traditional SS7 and SIP. They need engineers to integrate it all and to work out what the various configurations should be by studying what Gadhafi’s guys left. (It’s actually fairly typical that a mobile network consists of four or so different manufacturers’ kit, which keeps a lot of people in pies dealing with the inevitable implementation quirks.)

The successful candidate will also have some soft skills, too:

Willing to work flexible hours, excellent interpersonal skills and the ability to work under pressure in a challenging, diverse and dynamic environment with a variety of people and cultures.

You can say that again. Apparently, security is provided for anyone who’s up for the rate, which doesn’t include full board and expenses, also promised.

They already have at least one candidate.

ring ring! who’s there?

On the same day that NATO sort-of apologised for a fratricide incident in which a group of tanks the Libyan rebels had put into service were mistaken for Libyan government tanks, it turned out that the MOD was going to send the rebels 500 satellite phones. Well, you can see the point, but the first thing that came to mind was – what? now? why didn’t this happen weeks ago? Is this whole campaign being managed by clowns? And then, of course, I remembered Dave from PR and Sarko and Liam He’s a doctor, you know and Pocket Bismarck. Right.

But then, there’s the Big Society. This is a deeply cool story – Libyan GSM engineers work out how to take over the network in rebel territory and get it going again. The WSJ overstates some elements – it’s not so much that Gadhafi’s government designed the network to be centralised in Tripoli, GSM networks are very centralised by design – but overall it’s a pretty good account. They set up their own switch, home and visitor location registers, and international gateway with satellite connectivity, piped all the base station controllers in their territory into their own set-up, and obtained a copy of the original Libyana HLR with all the phone numbers. Fortunately they decided to let everyone make free calls (viva la revolucion!), or they’d have still been waiting for the billing system to be integrated six months later, whether in the minister’s office or the Libyan Lubyanka.

Ironically, they got quite a bit of help from, of all telcos, Etisalat, the UAE’s national operator. They lent them a lot of equipment and provided the satellite hookup and international access. This is amusing as Etisalat is famous for censoring more Web sites than the Chinese Great Firewall. For their part, the monster Chinese manufacturer Huawei refused to have anything to do with the rebels (or should that be “splittists”?)

This is good as far as it goes, but nobody in NATO CAOC-9 in Naples or the former AIRSOUTH now in Izmir or anywhere else with a NATO TLA is going to let random cell phones talk to the airpower infrastructure. Why didn’t anyone send those satellite phones earlier? Ah, yes, clowns.

Of course, there’s a possibility that they may have been worrying about releasing them into the wild. Here’s Secret Défense confirming assorted loose MANPADs wandering about. But they’re more trackable than arms, less directly dangerous, and far easier to buy anyway.

In other news, there’s a really excellent piece on the Toyota Land Cruiser as an engine of war in the FAZ, for German-speakers only.

a patron, Sir?

Sensible piece about US State Department funding for mobile anonymity projects, and some interesting stuff. The crack about looking with disfavour on the drowning man and then encumbering him with help once he reaches ground is relevant.

The real prize (as alluded to here) would be a mesh network application that works either instead of the PLMN or alongside it. The only way to avoid leaving traces in the enormous billing/rating/charging infrastructure of your average cellular network is not to use it. According to Comptel, the Finnish OSS/BSS software house, operators spend about €32bn a year on software, of which €11.5bn is in the revenue management segment, another €5.5bn in business analytics, and another €4bn in CRM – €21bn worth of data-mangling kit that could theoretically be repurposed. It’s probably better to just leave a GPRS datacall than a phone call to the person you want to speak to in there, though.

On the other hand, there’s an API for the US Army.

from the MWC gossip column

You can consider MWC as being a giant augmented-reality computer game. You run frantically in and out of different constructed environments, very varied but actually deeply conventionalised, trying to score points. You get points for collecting gossip, useful information, sales leads, and shiny gadgets; you lose them for queuing, being publicly humiliated, or getting stuck in a vacuous keynote session you have to listen to because the guy burbling away is too important to walk out on. If you collect too many shinies in a day you may be robbed. You have various resources to manage – you can’t go too long without checking into a WLAN hotspot, and at some point you must eat and sleep or at least drink more coffee. Progress is measured by winning a higher-status badge for next time.

The ruling emotion is, as always, that horrible sensation that it’s all happening somewhere else. Something really fascinating is being said, in the next conference session or the other party. If you were somewhere else, you’d meet the bloke who can sign that interconnect agreement or uncork this or that barrel of money. So-and-so was at the Dilbertco stand and they were giving away Dilbertphones! Of course, this emotion is a lie. Lester Bangs nailed it in a piece about living in New York and being tormented by the feeling that everyone else must at that moment be doing something more interesting and cooler than he was. Shouldn’t he be out there, getting on with it? But really, he came to understand, everyone else he knew was feeling exactly the same thing.

I grew up in the Yorkshire Dales, so for years it was literally true for me that everything was indeed happening somewhere else, and I’ve never been able to resist it. Which was probably why I went to the awards after-party – I was sort-of invited, which can be the same thing as not being invited at all or even better than being invited, and it’s technique that makes the difference. Having changed out of my suit and donned something with horizontal stripes – literally every time you saw a horizontal stripe at MWC it was wrapped around a software developer, it was quite uncanny – I appeared comfortably after kick-off and climbed up the hill to the Palau Nacional by a back route, smiled politely at the outer layer of goons, asked one of them directions I didn’t need, passed through the doors and made for the rope.

I wasn’t on the list, which I knew, but I was able to muddy the waters sufficiently that they went off to talk to some authority-figure within. I considered a dart up the unguarded stairs but felt confident enough to leave it. And I was in – the usual scene, x hundred immobile suits, a depressed-looking DJ, and about three people dancing, a group of American short film-makers IIRC. Eventually we managed to get the gig going to the extent that others broke off the herd, including an expert dancer wearing (of all things, it’s not usually correlated) a GSMA gold speaker pass* who was eventually hauled to the ground by a drunken, boorish Colombian (I think – the identification is hearsay). The official photographer broke out of his Douglas Adams alert crouch to document the mess – God knows why, but it reminded me of the exhibition in The Kindness of Women (“How do you feel?”)

After he finally took the hint, I found a pair of sunglasses on the floor and handed them to his victim – for want of anyone else to hand them to, but she immediately put them on, before asking if they were mine. She apparently thought this had been some sort of dramatic gesture, but actually I just didn’t want anything smashed underfoot. I think they belonged to the Colombian. Not long after that, as they say, I made an excuse and left.

*not quite as exclusive as all that, I’ve had one in the past