The Canadian Government announced this morning that Globalive (operating as Windmobile in Canada) is free to enter the Canadian market and compete with our Tier 1 providers in the wireless space. Their ability to compete in Canada has been under fire by Rogers, Telus, and Bell for a while now. What amazes me most is the responses I have been seeing on Twitter, instant messaging, comments on news articles and even a poll. If it wasn’t obvious before now, Canadian consumers seem to be:
- very happy that the CRTC decision was overturned and Globalive is allowed to compete in Canada.
- very obviously angry, frustrated, and resentful toward Rogers, Bell, and Telus.
These feelings don’t just pop up. They have obviously been building in consumers over time. I hope this is a wake-up call for the providers. The anger and frustration being expressed is serious and I am disappointed they either were too naive to see it building in their customers, or just didn’t care. Either way, it will now probably directly affect them. My hope is that they learn to value their customers’ thoughts and opinions in the future. As a side note, I think this is the happiest I’ve seen Canadians with the current Conservative government to date.
I came across this article. It is a great synopsis of how easy it is to track the location of someone using their own mobile phone. Third-party companies are popping up to offer services like this. How do they do it? It is easy, since some service providers are selling location data to anyone who wants it. What interested me about the article is that it highlights how security analysis is changing. If you look at many of the current research papers and projects, they involve using statistical data to determine patterns and what a particular user or group of users is up to. This removes the need for signatures, and can also yield useful information even if encryption is present.
Some key statements in the article that caught my attention:
- Anyone can, for instance, sign up – at £29.99 a year – to mapAmobile.com (‘you’ll always know where your loved ones are’), which allows you to follow the movements of your ‘family and friends’ on a computer screen
- That this sort of enterprising solution is possible is the result of the major networks – in the UK, Vodafone, Orange, O2 and T-Mobile – having decided, in around 2002, to sell their location data to any company willing to pay for it.
- the information your phone provides is out there anyway. It doesn’t belong to you, and anyone with the required resources can do with it what they will.
- Everyone on a network, he said, is part of a group; most groups talk to other groups, creating a spider’s web of interactions.
- The remaining groups ranged in size from two to 142 subscribers. Members of these groups only ever called each other – clear evidence of antisocial behaviour – and, in one extreme case, a group was identified in which all the subscribers only ever called a single number at the centre of the web. This section of the ThorpeGlen presentation ended with one word: ‘WHY??’
- It also sells ‘profiling’ systems, which measure the behaviour pattern of an individual subscriber and, using statistical analysis, determine whether that same pattern is now appearing from another source.
A recent example of this type of research is the Switzerland project which is currently in alpha at the time of this post. This is an open source project designed to detect when service providers modify or change subscriber packets before letting them continue on in the network.
Another research project was able to detect what movie you were watching via a Slingbox even though it was encrypted.
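The group analysis quoted above needs nothing but who-called-whom records. The following sketch is an added example, not code from the article or from ThorpeGlen; the call records are constructed, and treating the largest connected component as the "spider's web" is an assumption made for illustration. It shows how much structure call metadata exposes with no access to call content.

```python
from collections import defaultdict

# Constructed (caller, callee) records; not real subscriber data.
CALLS = [
    ("100", "101"), ("101", "102"), ("102", "103"),
    ("103", "100"), ("104", "102"), ("105", "104"),   # the general "web"
    ("201", "202"), ("202", "203"), ("203", "201"),   # only call each other
    ("301", "300"), ("302", "300"), ("303", "300"), ("304", "300"),  # one centre
]

def components(calls):
    """Connected components of the undirected who-called-whom graph."""
    adj = defaultdict(set)
    for a, b in calls:
        adj[a].add(b)
        adj[b].add(a)
    seen, out = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        seen |= comp
        out.append(comp)
    return out

def hub_of(comp, calls):
    """Number that every call inside the group goes to, or None."""
    callees = {b for a, b in calls if a in comp}
    if len(comp) >= 3 and len(callees) == 1:
        return next(iter(callees))
    return None

def isolated_groups(calls):
    """Groups with no calls to or from the largest component (assumed web)."""
    comps = sorted(components(calls), key=len, reverse=True)
    return [{"members": sorted(c), "hub": hub_of(c, calls)} for c in comps[1:]]

if __name__ == "__main__":
    for group in isolated_groups(CALLS):
        print(group)
```
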
Michael Geist gave a great talk on the state of wireless in Canada. I listened to it while eating lunch. I think it is a great talk and he is an excellent speaker as well. Issues discussed include open devices, networks, and services, unlocked devices and more. For those interested, the talk with slides can be seen here.
Permanent link is here.
Great article by Jennifer Granick on mobile phone tracking. We all know that service providers keep the location information in a database for each mobile phone as it moves from tower to tower. I am unaware of the retention time for this data, but it is probably safe to assume forever.
The article focuses on the requirements to legally obtain access to mobile location information. Unfortunately, it appears that it is getting easier, not harder. A simple showing of ‘relevance’ is now enough for law enforcement to request mobile location information. This is just one example of many that show the privacy laws in the United States being eroded away slowly, undetectable to the average person. Eventually one day the world will wake up and say “Wait a minute! What happened? We need to do something.” But by then I fear it will be too late.
This of course doesn’t apply to Canada yet, but that is only a matter of time.
I attended a law enforcement presentation this evening on new forensics software for mobile phones. I’ve attended at least a dozen of these over the last 4 years and I’ve got to say I’m really disappointed. All mobile phone forensic software I have seen to date does not image the mobile or do an actual memory dump of the mobile independent of the mobile software. The software uses the API to extract a copy of the data. The data is then stored in a file or database, which then permits you to search and view the information.
By extracting data in this way, you are trusting the API to properly transmit all the information you requested. Maybe the code doesn’t transmit certain fields or data. What if this data is important to the investigation? How will the investigator know? In all the presentations I’ve seen, when asked how the software handles records that are marked for deletion but not yet erased from memory, the answer is that the API will ignore them, so they will not be transferred over for investigation.
Since the API on the target mobile is the actual interface used to extract the data from the mobile, it is not possible to ‘prove’ that what is on the phone is exactly what is on the copy. Suppose a judge asks an investigator “please prove to me that the extraction you used for analysis, exactly matches what you find on the mobile and show me that there is no way an error or bug in the software could have caused the data to be changed.” I wonder how many people would be comfortable swearing to that under oath? I would not be.
You would have to be sure the API doesn’t change or misinterpret data, or have any bugs. Most mobiles and personal data assistants (PDAs) require a password to access any of the data. By going through the API, you are required to know this password in order to gain access. This makes it much more difficult, especially if the target is not aware they are under investigation and their mobile data is being extracted without their knowledge. You can’t ask the person under investigation for the password. If the mobile is seized with a warrant, the owner may choose to not give up the password.
I’ve been waiting for mobile forensics companies to actually spend time and money to come up with ways to extract data from the different mobiles and PDAs directly and independently of the mobile API, and to work out how to analyze memory data and memory dumps from the mobiles. Instead, I keep seeing new GUI interfaces, new ways to connect to the mobile, new ways to store and transmit the data. No work seems to be done on the individual mobiles themselves and the problem of actual extraction with chain of custody preserved for evidence handling. Very disappointing.
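The gap between API extraction and a raw image can be shown on a toy record store. This is an added example, not code from any forensic product; the record layout (one status byte, one length byte, then the payload) and the `api_extract` stand-in are assumptions invented for illustration. A raw image can be hashed at acquisition and re-verified later, and it still holds the records the API skips.

```python
import hashlib

LIVE, DELETED = 0x01, 0x00   # hypothetical status flags

def make_record(status, text):
    data = text.encode()
    return bytes([status, len(data)]) + data

# Constructed handset storage: two live records, one marked for deletion.
FLASH = b"".join([
    make_record(LIVE, "SMS: meet at 9"),
    make_record(DELETED, "SMS: delete this"),
    make_record(LIVE, "Contact: Bob"),
])

def parse(image):
    """Walk every record in a raw image, whatever its status flag."""
    pos, out = 0, []
    while pos + 2 <= len(image):
        status, length = image[pos], image[pos + 1]
        payload = image[pos + 2:pos + 2 + length]
        if len(payload) < length:
            break                      # truncated trailing record
        out.append((status, payload.decode()))
        pos += 2 + length
    return out

def api_extract(flash):
    """Stand-in for a handset API: reports live records only."""
    return [text for status, text in parse(flash) if status == LIVE]

def physical_image(flash):
    """Bit-for-bit copy plus the digest recorded at acquisition time."""
    image = bytes(flash)
    return image, hashlib.sha256(image).hexdigest()

def verify(image, recorded_digest):
    """True only if the working copy still matches the acquisition digest."""
    return hashlib.sha256(image).hexdigest() == recorded_digest

def missed_by_api(flash):
    """Records present in the raw image that the API never returned."""
    image, _ = physical_image(flash)
    return [text for status, text in parse(image) if status == DELETED]

if __name__ == "__main__":
    print("API view:", api_extract(FLASH))
    print("Missed  :", missed_by_api(FLASH))
```
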
Watch them make calls from your phone as you pass them.
http://www.youtube.com/watch?v=dltjEnrePxc