
Comment: Re:Stupid question for the EEs here (Score 1) 81

by jquirke (#41080181) Attached to: Mobile Operator Grabs 4G Lead In UK — But Will Anything Work On It?

Sure the digital baseband is all the same, as the signal coming in is usually at a specific IF regardless of the band.

It is the old fashioned hard wired analog circuitry that is the issue, and that is not just the antenna.

Think filters, duplexers, etc which are designed and optimised for a certain band. Not to mention amplifiers and mixers. As someone who has designed active RF & microwave circuits, it is not easy achieving broadband filtering and impedance matching at multiple bands. So you need to have multiple filters, components, etc, which adds $$ to cost. So you pick a handful of bands that you want to support, and swap the components depending on the regional variation of your model.

Comment: Re:So in other words... (Score 1) 68

by jquirke (#40696711) Attached to: iOS 6 Beta 3 Jailbroken Already

[1]: Along with SHAtter. Screw you, Geohot, for blowing a low level exploit because of your ego.

To be fair, it's possible SHAtter and limera1n would have been plugged at the same time by the same fix.

They both depend on bugs in the firmware read-back mode code in DFU mode. Limera1n exploits a bug in which the direction bit of the USB transfer is automatically trusted to match the command type, and SHAtter exploits a bug in which the read index offset (a global variable) is not reset after each call to re-initialize the USB code in the outer loop. Both bugs were "fixed" by the removal of the firmware read-back code in A5 devices.

Comment: Re:Stop tethered jb news (Score 2) 68

by jquirke (#40696659) Attached to: iOS 6 Beta 3 Jailbroken Already

It's substantially more complicated than that. If it were as simple as every buffer overflow being exploitable in this way, then jailbreaks would come thick and fast after every release.

With iOS you have:

(a) stack is never executable, so all payload must be ret-to-libC style
(b) consequently, because user space address layout is randomized with about 8 bits of entropy, you have to find a way to leak address of a symbol, or else find some more sophisticated exploit
(c) even if you defeat above, you still only have typically gained executable control over a restricted user account
(d) now you have to trigger a kernel exploit from restricted process space sandbox OR

(d)+(e) break out of the sandbox or gain root with another userland exploit in order to be able to trigger the kernel exploit, which may depend on functionality accessible from root only

Anyway you get the idea. My hat goes off to pod2g and co for their dedication.

Comment: Re:Innovate or become obsolete. That's where it's (Score 2) 515

by jquirke (#40085931) Attached to: FCC Boss Backs Metering the Internet

The fundamental flaw here is that cable capacity is shared between *all* users from the local node, i.e. everyone in your street, unlike ADSL.

Therefore, there's not really much improvement to be made. The only possible optimisation with this hypothetical IP system would be to "detect" that everyone is watching Australian Idol (or whatever people watch these days) and then allocate more capacity to that program perhaps to improve video quality. Otherwise, if everyone is watching something different it's no different to the current "broadcast" situation. DVB is compressed, usually with an MPEG-4 class of video codec, so it's already highly efficient.

Oh, and particularly with digital transmissions, there already is a substantial channel changing delay anyway, even with "broadcast" style DVB. This is especially the case with MPEG-4, I've noticed: up to a couple of seconds even on modern receivers, even if the channel is on the same transport stream (i.e. same carrier), while it waits for enough key frame data to accumulate. The delay is even worse if it's on a different carrier, because the lower level receiver has to synchronise to that.

Comment: Re:Sony's war on their customers (Score 1) 290

by jquirke (#39653521) Attached to: Sony Projects Record Losses of $6.4 Billion

Warranty deadlines seem to be a very typical US-consumer-shafting.

If the product has failed due to manufacturing defect despite reasonable use, then the retailer (and then ultimately manufacturer) is required to replace it. If this is a few days out of the manufacturer's warranty it is usually irrelevant.

See Warranties and Refunds - ACCC

Statutory rights are not limited to a set time period. Instead, they apply for the amount of time that is reasonable to expect, given the cost and quality of the item.

This means a consumer may be entitled to a remedy under their statutory rights after any manufacturer’s voluntary or extended warranty has

For example, it is reasonable to expect that an expensive television should not develop a serious fault after 13 months of normal use. In this case, the consumer could argue the item was not of merchantable quality and ask for it to be repaired, even if the manufacturer’s voluntary warranty had

Comment: Re: Not a problem (Score 3, Interesting) 67

by jquirke (#39097769) Attached to: Leaky Cellphone Nets Can Give Attackers Your Location

Further to this, here is an example of some paging traffic I captured over a live UMTS network (Telstra NextG, in Australia), using nothing more than a USRP with 900MHz daughterboard, and some custom Matlab code. The message has been unpacked from ASN.1 format to XML, but it clearly shows IMSI and TMSI in plaintext.

File is here.

This shows the flaw is definitely not GSM only.

Comment: Re: Not a problem (Score 4, Informative) 67

by jquirke (#39097755) Attached to: Leaky Cellphone Nets Can Give Attackers Your Location

The concepts here are not necessarily specific to the GSM Um link. The same concepts used by the authors equally apply for UMTS and LTE, and most other cellular systems.

ALL of those systems page out phones based on some temporary (but plaintext) identifier when an incoming call needs to be routed and there is no active RRC (radio) connection. All of those systems try to mitigate this exact problem by using a temporary ID (the TMSI), rather than the permanent ID (the IMSI). The TMSI is re-allocated over a ciphered connection.

The TMSI rotation policy is up to the operator. It can in theory be rotated each connection, but few operators do this - too much signalling load on the core network. Most operators will hold the TMSI until the next periodic (i.e. after a certain number of hours - operator defined), or aperiodic (when the phone moves into a different paging domain [location area]), or when the phone is power cycled (which implicitly does a type of location update anyway).

One solution for future versions of the standard might be to encrypt the paging message (along with a random nonce to give uniqueness to each paging message) with the last known ciphering key, but this may not be known by the network entities in the new location areas.
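The two comments above describe how TMSI rotation policy and plaintext paging interact: a TMSI held for hours lets a passive listener tie every paging message for one subscriber together, per-connection reallocation limits that to a single message, and encrypting the paging record under the last ciphering key with a fresh nonce would make every record look different. The following Python model is an added example, not code from the commenter or from any cellular stack; the record layout (nonce || TMSI XOR HMAC-derived keystream || tag), the 16-byte key, the policy names and the sample run are all constructed here to compare the three policies by how many over-the-air records a listener can link.

```python
import hashlib
import hmac
import random
from collections import Counter

TMSI_LEN = 4  # a TMSI is a 32-bit temporary identifier (from the comment above)


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # Toy keystream: HMAC-SHA256 keyed with the last ciphering key, over the nonce.
    # A real system would use its own ciphering algorithm; this is an assumption.
    return hmac.new(key, nonce, hashlib.sha256).digest()[:TMSI_LEN]


def encrypt_paging(key: bytes, tmsi: bytes, nonce: bytes) -> bytes:
    """Over-the-air paging record: nonce || (tmsi XOR keystream) || tag.

    The nonce makes each record unique; the tag lets the phone reject a forged or
    garbled record before acting on it.
    """
    ct = bytes(a ^ b for a, b in zip(tmsi, _keystream(key, nonce)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    return nonce + ct + tag


def paging_is_for_me(key: bytes, my_tmsi: bytes, record: bytes) -> bool:
    """Phone side: verify the tag, decrypt, and compare against its own TMSI."""
    nonce, ct, tag = record[:8], record[8:8 + TMSI_LEN], record[8 + TMSI_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return False
    tmsi = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce)))
    return hmac.compare_digest(tmsi, my_tmsi)


def simulate(policy: str, n_pages: int, seed: int = 0) -> list:
    """Return what a passive listener sees for n_pages pagings of one subscriber.

    policy: "plaintext_hold"   - plaintext TMSI kept for the whole window
            "plaintext_rotate" - plaintext TMSI reallocated after every connection
            "encrypted"        - record built by encrypt_paging with a fresh nonce
    The subscriber key and TMSI values are constructed from a seeded RNG.
    """
    rng = random.Random(seed)
    key = rng.randbytes(16)
    tmsi = rng.randbytes(TMSI_LEN)
    air = []
    for _ in range(n_pages):
        if policy == "encrypted":
            # Caveat from the comment: this needs the network entities in the
            # current location area to hold the key; a plaintext fallback when
            # they do not would reintroduce the linkability shown below.
            air.append(encrypt_paging(key, tmsi, rng.randbytes(8)))
        else:
            air.append(tmsi)
        if policy == "plaintext_rotate":
            tmsi = rng.randbytes(TMSI_LEN)  # reallocated over the ciphered connection
    return air


def linkable_pages(air: list) -> int:
    """Largest set of records a listener can tie together purely by identical identifier bytes."""
    return max(Counter(air).values())


if __name__ == "__main__":
    for policy in ("plaintext_hold", "plaintext_rotate", "encrypted"):
        seen = simulate(policy, 20)
        print(f"{policy:17s}: {linkable_pages(seen):2d} of 20 pagings linkable by a listener")
```

The count is only identifier-level linkability; timing and cell correlation are not modelled, which is why per-connection rotation also costs the core network the signalling load the comment mentions rather than being a free fix.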

Comment: Re:It's all the customers' fault... (Score 2) 406

by jquirke (#39054393) Attached to: AT&T On Data Throttling: Blame Yourselves

I don't know how this myth keeps getting propagated. It is absolutely not true, for both the GSM and UMTS systems.

You don't need to have a background in cellular engineering to understand that if you want to use a service in near real-time (i.e. SMS), it is going to have to consume resources then and now.

Your phone is not using control channels constantly. This is for good reason - the control channels are extremely limited in capacity, and using them frequently would consume your battery as well.

Your phone is only using control channels typically when moving between cells or location areas. You can easily see this on GSM phones if you have an old radio nearby; you will know when the phone is transmitting and it most certainly isn't often.

So if you want to write an SMS and send it now, a radio connection must be established. In GSM, this requires an SDCCH (Standalone dedicated control channel). This is a finite network resource (even if you are using it for 5 seconds or so, it is still a finite resource). In most cells, a static reservation of 8 SDCCHes exists only. Also, setting up this SDCCH involves other temporary channels - it occupies capacity on the AGCH (access grant channel) and RACH (random access channel - to establish the request in the first place). If it is an incoming SMS, it additionally requires capacity on the PCH (paging channel). All of these latter channels have particularly finite resources.

In UMTS ("3G"), the scenario is similar. SMS is typically delivered over the FACH (forward access channel) mapped to the S-CCPCH. The S-CCPCH has very limited capacity in most networks, and is being shared between other requests to establish channels, mobility updates from phones moving about, etc etc etc.

The point is SMS does consume finite network resources, and they are more finite than you think. Your assumption/myth might be valid if you can piggy back SMS onto the back of the (typical) hourly location updates that occur, but who wants their SMSes to all be buffered once an hour?

Comment: Re:rename "Airplane mode" "Shopping mode" (Score 1) 236

by jquirke (#37711626) Attached to: Australian Malls To Track Shoppers By Their Phones

The IMEI is usually sent over an encrypted channel, after the CIPHERING MODE COMMAND has been sent in GSM (although the specifications do not mandate this).

It is not possible to track your long term movements. GSM and UMTS use what is known as the TMSI - the Temporary Mobile Subscriber Identity, which is a 32-bit temporary identifier which may not persist more than a few hours at a time.

Your IMSI (international mobile subscriber identity) is only ever sent over the air in clear text in 'recovery' situations, where your mobility context cannot be retrieved from the previous VLR. Otherwise, new TMSIs are allocated over an encrypted channel, so it is extremely difficult to establish a chain of TMSIs.

So in short, it is not possible to establish your long term visiting trends, but it is possible to establish the length of time you spend in a shopping centre (as phones periodically re-register themselves with the network, even in the same location area), if your phone is otherwise idle.

Comment: Re:Spending 20 to save 10, my experience (Score 1) 111

by jquirke (#37550816) Attached to: IBM Launches Parking Meter Analytics System

Our meters already do a spot empty check to clear existing funds out of the meter when someone leaves.

This is a serious dick move. Seriously. Just a dick move.

Agreed. The meter is paid, who cares who paid for it? Stop double dipping.

Though on the topic of dick moves, the US has it pretty easy. Look at what these vermin (the Melbourne City Council) are up to:

  In ground sensors - a device that records when a vehicle moves in and out of a parking bay. A five minute grace period will be built in and once a vehicle has overstayed the limit a signal will be sent to the nearest parking officer’s hand-held device. The in ground sensors will be progressively rolled out to 4,619 single marked bays across the CBD from 1 July to 30 October.

  Licence plate recognition systems – image processing technology used to identify a vehicle via its number plate in some residential areas. The system consists of a high speed digital camera, integrated GPS system and optical character recognition software. Two systems will be in operation in Flemington, Kensington, North Melbourne and Carlton. The license plate recognition technology will be on the road from 1 July.

Comment: Re:I'm getting old (Score 2, Interesting) 262

by jquirke (#35414334) Attached to: Facebook May Bust Up the SMS Profit Cartel

This is simply a myth. The sending of text messages consumes network resources that cost money. How much they cost is a different question - and I am not disagreeing with you that the markup may be exorbitant, but I do have to correct your claim.

In GSM, sending a text message still predominantly operates over an SDCCH (standalone dedicated control channel), which requires a full paging (for network originated) or random access cycle, encryption setup messages, and authentication messages. The whole process can take around 5 seconds. (Don't believe me? Put your phone on top of an old radio so you can hear the radio transmission activity.)

Where your claim is correct is during a call - the SMS uses the SACCH (slow associated CCH) which places minimal additional load on the network, but the majority of SMSes occur when the phone is not in a call.

Some GSM networks allow the text message to be sent as a packet of data over GPRS/EDGE, which greatly reduces the radio-link (Um link) signalling burden.
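Both SMS comments on this page (the one under "AT&T On Data Throttling" and the one above) make the same point: an SMS seizes one of a small, statically reserved pool of SDCCHs for several seconds, so the pool can block. The Erlang B formula is the standard way to turn "8 SDCCHs, about 5 seconds each" into a blocking probability against an hourly SMS rate. The code below is an added example, not the commenter's; it assumes Poisson arrivals and a fixed 5 s hold time (the figures quoted in the comments), uses no real network data, and ignores the RACH/AGCH/PCH capacity that the first comment notes is also consumed.

```python
def erlang_b(offered_load: float, channels: int) -> float:
    """Erlang B blocking probability for `channels` servers at `offered_load` Erlangs.

    Uses the standard recursion B(E,0) = 1, B(E,m) = E*B(E,m-1) / (m + E*B(E,m-1)),
    which avoids the factorials of the closed form and is stable for large loads.
    """
    if offered_load < 0 or channels < 0:
        raise ValueError("offered load and channel count must be non-negative")
    b = 1.0
    for m in range(1, channels + 1):
        b = offered_load * b / (m + offered_load * b)
    return b


def sdcch_blocking(sms_per_hour: float, hold_seconds: float = 5.0, channels: int = 8) -> float:
    """Probability that a new SMS (or any other SDCCH request) finds every SDCCH busy.

    Defaults are the figures from the comments: 8 reserved SDCCHs, ~5 s per SMS.
    Offered load in Erlangs = arrival rate (per second) x mean holding time (seconds).
    """
    arrivals_per_second = sms_per_hour / 3600.0
    offered_load = arrivals_per_second * hold_seconds
    return erlang_b(offered_load, channels)


def max_sms_per_hour(target_blocking: float, hold_seconds: float = 5.0, channels: int = 8) -> float:
    """Largest hourly SMS rate keeping blocking at or below the target grade of service.

    Blocking is monotone in offered load, so a bisection on the rate suffices.
    """
    lo, hi = 0.0, 1e6
    for _ in range(100):
        mid = (lo + hi) / 2
        if sdcch_blocking(mid, hold_seconds, channels) <= target_blocking:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for rate in (500, 1000, 2000, 4000):
        print(f"{rate:5d} SMS/h -> SDCCH blocking {sdcch_blocking(rate):.3%}")
    print(f"2% grade of service: about {max_sms_per_hour(0.02):.0f} SMS/h per cell")
```

With the comments' figures the 2% grade of service is reached at roughly 2600 SDCCH seizures per hour per cell, and every call setup, location update and authentication run competes for the same eight channels, which is the resource contention the comments describe.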
