Archiv für November 2006

Vodafone HSDPA with the Huawei E220 USB modem

November 22, 2006 von Harald Puhl

Went to my local Vodafone store to pick up the new Huawei E220 HSDPA USB modem, which with a 49 Euro monthly contract gives you 1GB of transfer at 1Mbps maximum, and free mobile to fixed landline calls – pretty good deal if you ask me. For 59 Euro you get 5GB of transfer, at the full 3.8Mbps that HSDPA offers. These are theoretical rates, as they will depend on a number of factors, such as how many people are also using the same cell, your coverage and the quality of the link.
We can argue all we want about how convenient WiFi is, being omnipresent et al, but in reality, it’s rather hard to get connected while on the road. Let’s examine the following scenarios, and you tell me the chances of getting connected over WiFi:

Riding the train or bus home.
Getting a lift from a friend in his/her car.
Opening your laptop at a random location (cafeteria, bar, etc. that you haven’t before scouted for open WiFi).
On a plane, waiting for the next free takeoff slot that you hope the pilot won’t miss because he was checking the fatness of his wallet.

Let’s be honest – free open WiFi is great once you have identified the locations where you can get connected, such as a friend’s house or the local coffee shop. Other solid commercial alternatives make it easier to find WiFi, as they tend to be present at well-known locations. Walk into any Starbucks or hotel, and you’re bound to find at least for-pay wireless.
For me, on the 30 minutes to 1 hour it takes to get home on the train or bus, being able to get connected is great. The convenience of simply opening the Mac and getting online beats the guesswork of WiFi. I tried getting the Mac working with my Nokia N93 over Bluetooth, but it was just too unstable – one day it worked, the next simply refused to even connect. A more in-depth review of the device is coming, once I get a chance to roam about with it for a while.

So far, installation on the Mac was pretty straightforward, download the setup package from Vodafone’s site (they don’t tell you this in the manual), which then enables the modem as a networking device. If you don’t follow this step, it can get recognized as a storage device, which is not particularly useful for a modem. The one thing I don’t understand is why it comes with a miniUSB cable that ends in two USB connectors, my guess is it’s power-related (some USB ports don’t provide the full 500mA they are supposed to provide).

FON fixes maps vulnerability, and why Martin should apologize

November 15, 2006 von Franz Hieber

You probably remember the post I made regarding FON’s figures, and how much I thought they differed from reality. It got quite a lot of attention, particularly from detractors, and from Martin Varsavsky himself. Many comments were posted on my blog and some others, which pointed towards the fact that I am involved in a startup which supposedly is a clone of FON, and thus I was biased and in no position to comment on FON. To cut a long story short, Martin posted a rather vicious personal attack on his blog, which I answered, he counter-commented, to which I again answered, but he never conceded a bit.

During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.

All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.

I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:

Document the vulnerability, and inform the company about the fact that you have found it.
Wait for an initial response, establish contact points, and work a schedule for fixing the issue.
Work with the company to help them solve the issue.
Once the issue has been fixed, make a public disclosure on both sides about the vulnerability, giving credit to the person or company that discovered it.

You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example on how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.

In this case, I contacted FON’s support email first September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.

I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result on my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.

The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.

Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them, when I smell bullshit, I will point to it, when I see a hole, I will help them fix it – again, IMHO, blogging is not about being or not biased, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either, what is most important is my work; this is my blog, where I spend part of my spare time, which is not actually that much.

Conference WiFi IS important

November 9, 2006 von Harald Puhl

Robert Scoble writes about whether having a decent WiFi connection at a conference is something that important, and concludes that if you can afford the $3500 price tag to get in, you can also afford a $80 a month Verizon mobile data plan. Ethan Kaplan thinks it is important, and I agree, but for different motives.
What Robert fails to appreciate is, that while Web 2.0 may be more US-centered in terms of visitor origin, there are many conferences where the bulk of atendees come from abroad. In this case, it makes little sense to get into a Verizon plan just for the few days when you are visiting. Roaming data charges (when roaming data connections such as GPRS even work, which I found impossible around California) are astronomical.

I am in favor of event organizers providing a good quality, solid and stable WiFi connection, even though it can be very expensive. An example was the WOMMA conference at the San Francisco Hilton, which didn’t provide WiFi, as the hotel wanted $20.000 to put a router in the hall. However, a compromise between the two postulates would be for Verizon to offer a rent-a-card service. Just like I pick up my car at Hertz for a week at SFO, I could also pick up a Verizon card, use it while moving about, and return it at the airport before leaving the country. I can already hear critics saying “but people would just keep the cards” – maybe, but what good would they be to them? Additionally, just like you have a retainer placed on your credit card when you rent a car, the same could apply to the card, if you don’t return it, Verizon actually could make more money!

Our new firehouse is happening

November 7, 2006 von Harald Puhl

This Christmas, we should be receiving a gift we have been waiting for over 20 years. Our volunteer Fire Department started with a 4-wheel-drive and a cart-mounted 100 gallon water tank, and has since progressed to become the proud owners of two large all-terrain pumpers and one 4-wheel-drive with a small tank & pump for fast response. For the last seven years, we have been housed in a small portion of the basement of the town’s sports hall, sharing the space with many other organizations and groups, including the Police depot. It was simple, very dusty, no showers, toilets, changing or sleeping facilities, and barely space to sit around and be comfortable during a tour.