Technik News

Das Blog zu IT, Mobilfunk & Internet

Fon

How not to install a WiFi antenna

von

Leaving aside regulatory issues that may turn this particular setup into an illegal operation, I will better not describe the quality of the installation to be polite. Check out this picture:

wifi antenna

Spotted the problem yet? Radio antennas are affected by any element that is present around them, even non-metallic elements, such as the ground. In this particular case, kanijo, a Fonero, has attempted to provide more “range” to his FON hotspot, which is in itself commendable, however, the means may not result in the desired end.

You can see that the vertical omni antenna, a carefully tuned radiating element, has been strapped to a metallic pole, which also runs a coaxial cable into a TV antenna right on top. The router is inside a sealed plastic box, with power and Ethernet going into it from below. There is no way that this antenna is radiating correctly, as the pole that supports it is probably grounded (if it has been installed according to regulations), and even if it is not, it is inducing an imbalance into the tuned element, causing a large amount of RF to be attenuated. The user reports good results with it, which are most likely due to good luck.

The second problem with this type of setup is that vertical antennas don’t emit downwards, and thus will provide very limited coverage to users below the antenna. There is some downwards bleed of course, but it will only reach lower users that are some distance away from the antenna.

Recommendations for these sort of setups: install the antenna right at the top of its own pole, and ground the pole. If you have no choice but to use an existing pole, get a T arm fitting and mount the antenna at least 1 meter (3 feet) away from the pole. A perfect example of such as setup, in this case with two supports as the antenna is rather large and care for wind load is needed, is this (credit to Roger Halstead):

Check out Roger’s page, it is a very good read if you are interested in radio installations.

FON fixes maps vulnerability, and why Martin should apologize

von

You probably remember the post I made regarding FON’s figures, and how much I thought they differed from reality. It got quite a lot of attention, particularly from detractors, and from Martin Varsavsky himself. Many comments were posted on my blog and some others, which pointed towards the fact that I am involved in a startup which supposedly is a clone of FON, and thus I was biased and in no position to comment on FON. To cut a long story short, Martin posted a rather vicious personal attack on his blog, which I answered, he counter-commented, to which I again answered, but he never conceded a bit.Fon Maps

During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.

All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.

I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:

  • Document the vulnerability, and inform the company about the fact that you have found it.
  • Wait for an initial response, establish contact points, and work a schedule for fixing the issue.
  • Work with the company to help them solve the issue.
  • Once the issue has been fixed, make a public disclosure on both sides about the vulnerability, giving credit to the person or company that discovered it.

You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example on how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.

In this case, I contacted FON’s support email first September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.

I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result on my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.

The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.

Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them, when I smell bullshit, I will point to it, when I see a hole, I will help them fix it – again, IMHO, blogging is not about being or not biased, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either, what is most important is my work; this is my blog, where I spend part of my spare time, which is not actually that much.

My first death threat, by Mosbach, the chief FON forum troll

von

Today, I saw my very first death threat – jeez, some people really need the attention of a specialist. The post in question is this one:

Blogwar: Sumpfblueten oder “mother contra FON” – Babelfish translation

Basically I am pictured with a gun pointing at my head, as can be seen here:

Threat by Gerhard Mosbach, a Fonero

This is a serious threat, and can carry heavy legal consequences in most countries. I have posted a comment on this blog, and sent a message to Google, in order for the material to be removed, and an apology posted. Failing this, I may take legal action against this individual.

However, being a curious person, I decided to investigate a bit further. Many interesting things have turned up – first and foremost, the owner of this blog is none other than a Dr. Gerhard Mosbach, with ties to at least three members of FON staff and/or advisory board (Florian Forster, Robert Lang, and Nina Wiegand).

First, I looked up the URL foneros.blogspot.com in Google, which turned up this post in Martin Varsavsky’s blog, where “german fonerofan” claims to have the first german blog about FON. The del.icio.us link in the same comment leads us to a bookmarks page by foneros.de, which is also in the title of the foneros.blogspot.com blog.

A quick WHOIS check on foneros.de revealed this:

    Domain: foneros.de
    Domain-Ace: foneros.de
    Descr: Gerhard Mosbach
    Descr: Frankenwald 27
    Descr: 95138 Bad Steben
    Descr: DE
    Nserver: ns1.kundencontroller.de
    Nserver: ns2.kundencontroller.de
    Status: connect
    Changed: 2006-01-27T17:54:33+01:00

    [Admin-C]
    Type: PERSON
    Name: Gerhard Mosbach
    Address: Frankenwald 27
    Pcode: 95138
    City: Bad Steben
    Country: DE
    Remarks: [11178/4505]
    Changed: 2005-01-30T19:36:05+01:00

Who is this Gerhard Mosbach? The picture he posts of me is only found online at OpenBC, and then, only if you have an account and thus can browse people’s profiles, including mine. A search on OpenBC reveals the profile of none other than a Dr. Gerhard Mosbach (registration required), of Bad Steben in Germany. In his confirmed contacts, we find the three members of FON mentioned above. For those of you who don’t have or don’t want to have an account at OpenBC, here is a screenshot of Gerhard’s profile, with Robert Lang, who leads the European Business Development for FON, in the contacts list.

Mosbach’s OpenBC profile

This individual has been a constant pain in the FON public forums, if you don’t believe me, check this out and judge by yourself – there are a number of people who even called for his banning. I am in no way saying this is representative of FON or the FON community, but honestly, Gerhard Mosbach is not helping the ‘movement’ too much.

The internet is so much fun sometimes – but less so when one’s life is threatened.

[Update: about ten minutes after posting my comment on his blog, he has removed the pictures. This is why I took the screenshots!]

The naked Fonera

von

After a few days of silence, digesting the hubbub created by my analysis of Fon’s status, I’ve put my head back into more useful things than answering hate mail and out-of-line comments (thanks to those who provided balanced views, either for or against!). So, I decided to open a Fonera and see what lives inside.

A full review is coming, but first impressions:

  • The plastic casing looks and feels very nice, the molds must have been expensive, as the different parts mate very well.
  • Inside lives a single PCB, with components on both sides. The top holds the bulkier components, such as power regulator, RAM and WiFi section, inside an aluminium RF shield.
  • The PCB looks professional and well laid out on first inspection.
  • Components used (I haven’t opened the aluminium chassis yet) are older SOIC and TSSOP, thus cheaper to handle and solder. Balled components require from special handling, such as baking in hydrogen for 24 hours to dry them before soldering, etc.

Here are some pics (click each photo for bigger views on Flickr) I have taken with a Nokia N93 (really nice phone btw, mini-review coming):

Fonera - underside of casing

The underside of the case, with screws off.

Fonera - perspective view

Perspective view of the top PCB.

Fonera - Bottom PCB

Bottom side of the PCB.

Fonera - firmware version

Sticker on the flash IC showing the firmware version.

The real FON statistics – lies, manipulation or fantasy

von

On September 14th, FON launched the new version of their online mapping service, after several months of complaints from users that the service wasn’t up to scratch, and announcements stating the development team was working on the problem.

On a first look, the maps look really nice – they use Google Maps, by default in the mixed view, where you see a satellite image and an overlay of roads and placemarks. I will not bore you with the details, as it is better that you check them out yourself and make up your mind.

This post is not intended as a review of the service itself, but rather, a revelation of the real figures behind FON’s network – peeking under the layer of PR and flamboyance. Martin Varsavsky is always boasting about FON being the largest WiFi community of the world – in my view, this is not accurate.
During months, FON has been claiming to be a “movement”, with a marked communist image behind (the marching workers, the spray-painted logos, etc.). This movement was supposed to kill mobile operators, who currently oppress people with their sky-high tariffs. We could go into a long debate just on this topic, but lets move on. During all this time, FON has suffered untold problems with staffing, PR mini-scandals, shipping broken routers or taking weeks and months to even send them out, not replying to repeated requests to support@fon.com, and blatantly ignoring the public forums, where the community behind the movement was expressing its increasing anger and frustration.

The blinding truth – less than 3.700 routers online worldwide

Digging a bit deeper into the workings behind the maps, I have found that there is a method to run a query to retrieve all the hotspots in FON’s database, not just two hundred, or those in a particular region. If you want to see an example, click here. This is a query that will return all hotspots on the planet that have been FONing home during the last hour. It can take a little while to load, so be patient. Until a couple of days ago, results were returned in XML format, which has been dropped in favor of the new plain, comma-delimited format.

I predict that FON will not like the above link, and thus will try to either change the format of the php call, or add artificial records to confuse the application I have written to process the data. First, I wrote a simple application using RealBasic (having been a long-time Visual Basic acolyte, it is a welcome change, allowing me to code under Mac and Windows transparently) – source code here. A screenshot of a full run is shown below.

Application screenshot

Just from the details shown after the run, a few enlightening facts surface:

  • The highest user ID found is 92.192, but the total amount of processed records is only 55.384. I have to investigate a bit further, but it appears that in some cases, a record is stored twice, once holding the user type (Linus, Alien or Bill), and again holding the router mode (online or unknown). This is the reason why some people see both the orange dot and the green halo on their locations at maps.fon.com, and also the reason why at this time I cannot confirm that the real number of Foneros is 43.896.
  • There are only 3.674 routers online on the entire planet. So much for the largest WiFi community in the world. The other 7.814 are registered routers, from which nothing has been heard during the last hour. These figures have been checked a few times during the last few days, and they stay more or less constant.
  • Out of the entire user base, only 1.317 have become Bills. So much for milking one’s WiFi.
  • The highest router ID found in the results was 19.889, so if we add offline and online routers (best case scenario), then around 8.401 routers have never been registered, representing 42.2% of sold routers. Extrapolating this to the 1 million routers Martin wants to sell would results in a loss of $10.55 million!.

Looking at the per-country statistics (per-city could be made, given some extra time and coding), some curious details also stand out:

  • There are two registered routers in Afghanistan – but neither is online. Not surprising, considering the amount of explosives that have been dropped on the place.
  • China and Taiwan have 9 routers registered, but none online. Martin was blogging about his expansion into Asia, which looks rather bleak right now. 165 Foneros are registered however.
  • Germany and Spain have around the same number of registered routers, although Germany almost doubles Spain in the number of online routers.
  • The United States ranks third in number of registered and online routers, however, it holds the highest number of Bills (408). The next is Germany, with 237.

Finally, we can derive a few figures from these numbers. These are highly interpreted, and must be taken as theoretical extremes.

  • If FON sold one $3 one-day pass every day of the year on each of the online routers, it would make a gross income of $4 million. This is before tax and the Bill’s share where applicable. You at the back, stop giggling!
  • Making a wild assumption that each router’s signal reaches 100 people, FON would only cover 0.11% of Germany’s population of 82 million.
  • Boingo gives you access to 45.000 hotspots. FON has about 8% of that figure, and with location quality debatable – it is a fact most FON hotspots will not be optimized for even street-level coverage.

I believe it is time for FON to stop boasting about having the largest WiFi community in the world, and start concentrating on its real problems. And if they still don’t know what these are, they have a nice summary at the online forums. Besides, for spending 500.000 Euros per month, this is a pretty poor show, in my humble opinion.