This is my section on networking. Remember I'm a programmer not a sysadmin so I actually try not to remember all this stuff so that's why I'm writing it down here.
Perhaps the Next iPhone won't be called iPhone 5 but the Zombie iPhone, in honor of the new spate of rumors that the late Steve Jobs is still with us in a sense, as the chief designer of the upcoming handset.
Three winners of an academic competition at the University of Rochester to create the most innovative and useful applications for IBM's Watson cognitive computing systems were announced yesterday by Big Blue.
The 2012 IDG Enterprise Unified Communications and Collaboration (UC&C) survey was completed with the goal of gaining a better understanding of current and future UC&C investments. The survey highlights the uptick in UC&C adoption and investments in the coming three years — specifically in enterprise organizations — demonstrating the value organizations place on technologies that enable consistent and connected communications between employees, customers and partners.
Cisco's Wireless Networking Business Unit doesn't actually talk so much about wireless networking these days. Increasingly, its message aimed at IT groups is about the broader concept of "mobility."
If you're a Verizon customer upset that your next smartphone contract won't include unlimited data, Sprint would like to remind you that you have an alternative.
Social media -- Facebook, Twitter, LinkedIn, Google+ and so forth -- has become a way of life for companies and their employees to interact with the public, but beating back the fraudsters that try to prey on customers, not to mention keeping employees from spilling sensitive data, is becoming a full-time job for many.
Apple historically has fought iPhone jailbreaking by warning customers that their device warranties will be voided if they muck around with the innards of their Apple products. Now Apple appears to be taking its disapproval of jailbreaking one step further by censoring at least some references to "jailbreak" in its U.S. iTunes store.
Doctors are being cautioned by hospitals they work with to avoid interacting with patients on social media, and that they reject any overtures by patients to interact on the likes of Facebook and Twitter.
The next iPhone, which may or not be called iPhone 5, will have a 4-inch screen according to several unidentified sources cited in news stories this week.
Growth in the Ethernet switch market is now being driven by specialized devices for specific applications, rather than evenly across all customer deployments.
Actress Geena Davis, President of Argentina Cristina Fernández de Kirchner and Huawei Chairman Sun Yafang have been named winners of the 2012 ITU World Telecommunication and Information Society Award for their efforts promoting information and communications technology (ICT) to empower women and girls.
In this article the author debates about the concept of domain vs local user account and suggests that all local user accounts be deleted and only those that are truly required be allowed.
Privacy advocates are riled up after the recent passing of the controversial Cyber Intelligence Sharing and Protection Act by the House, which occurred despite opposition from privacy advocates, lawmakers and the White House.
This new series of articles deals with various advanced deployment topics. This first article deals with using Microsoft Deployment Toolkit vs. System Center Configuration Manager.
Although SolarWinds is best known for paid products such as Server & Application Monitor, they do offer some free tools as well. As such, I have written a mini review of three such utilities.
This article continues the discussion of server hardware by explaining how SATA drives can be used on an SAS backplane. The article then goes on to discuss SAS expanders.
The Android platform is currently the top selling mobile platform in the U.S., and in quarter four of 2010 smartphones began to outsell PC platforms worldwide. Android was even recently picked up as the choice platform for the U.S. Department of Defense. With the ubiquitousness of Android growing, naturally it and other smartphone platforms will become prime targets for malware authors. Be it for fun or for profit, stealing your information, sending you spam, and other malicious activity, has been a widespread problem in the computing world for years. It is only natural that as smartphones know even more about their users than traditional PC platforms, and have access to additional features such as text messaging and GPS data, that they will be become juicy targets for high tech criminals.
This past year has seen new developments in Android malware both in the wild and by researchers intent on raising awareness and improving the state of security. The Droid Dream attack against Android in early 2011 made headlines for being the first known malware infection inside of the official Android market. The malware was packaged with seemingly legitimate applications, but once installed, the apps turned Android phones into drones in a mobile botnet. This attack had been foreshadowed by security researchers when Jon Oberheide uploaded a proof of concept app to the Android market disguised as an inside look at the upcoming Twilight movie. Though malware analysists and network security experts have been combating botnets for years, smartphones open new avenues of both attack and control, that experts simply don’t have as much experience analyzing. For example security researchers have created proof of concept smartphone botnet scenarios that use text messaging (SMS) for command and control mechanisms.
Putting aside the continually growing sophistication of smartphone based attacks, how easy is it actually to attack Android phones? How much work would be involved to learn how to write an Android app, develop an app that performs malicious activity, and get that app up on the Android market? Is this something that a beginner could feasibly accomplish, or is Android malware solely the realm of hard core criminals with the skills, time, and money to develop cutting edge attack techniques?
I started off by learning a little bit about coding in Android. I have some coding background including in Java, the language from which the Android software development kit was derived. My only previous experience developing for smartphones was writing base operating system level proof of concept malware in C. I had never written a mobile app before. Android Developer offers beginning tutorials, which I worked through to get started. Android prides itself on being easy for developers to pick up and dive into, and that was my experience as well.
My next goal was to write an app that performs malicious activity. Specifically I wanted to steal the smartphones personal identifier (IMEI) and send a text message without giving any indication to the user. As it turns out the Android API has built in capabilities to perform both of those tasks. The only caveat is the user has to be informed at install time that I want access to these clearly potentially dangerous capabilities. Whenever a user installs an Android app, they are presented with a list of potentially dangerous capabilities the app requests. An example install screen is shown below:
I then wondered if malware writers need to somehow bypass this permission model in some way so the dangerous permissions don’t show up at install. Would having a list of dangerous permissions that would allow an app to steal data and run up fraudulent charges raise a red flag to average Android users and deter them from installing an app? I did a search for popular Android apps to take a look at the permissions they request. The general consensus seems to be that the top downloaded Android app of all time is from an obscure company called Facebook. The complete list of permissions the Facebook for Android app requests upon install includes: sending SMS, reading the IMEI, the smartphone’s GPS information, accessing accounts stored on the phone including their credentials, among a long list of others that can be found here. As a sometimes proud member of Facebook since it was for college kids only, I often access Facebook from my computer. Facebook seems to work just fine without sending SMS, knowing my location, or having access to my Gmail password. It appears that being warned about potentially dangerous permissions does nothing to deter users from installing apps to their Androids. To be fair, the Facebook app comes from a legitimate and well known company. Users have less reason to be wary of Facebook than they would the sort of apps seen in the DroidDream attack. That being said, as we saw in the recent detection of spyware in the CarrierIQ service installed by default on many smartphone platforms, any service or app can be a potential malware source, even if the developer doesn’t intend for it to be malicious.
Now that I knew I could just use the Android API’s permission model to make my malicious app, I went about writing it. I thought I would have to search through the Android Development manager to find out the correct code for what I wanted to do. As it turned out, a quick Google search for “Send SMS Android App” or “Access IMEI Android App” revealed several other curious developers asking for and providing the code snippets I needed. For example the code to send an SMS transparently to the user is only a two lines long:
SmsManager sm = SmsManager.getDefault();
sm.sendTextMessage(number, null, message, null, null);
where number is the phone number to send the SMS to, and message is the message to send. By requesting the right permissions I was able to quickly and easily build an app that accessed private data and sent it to another phone through SMS. The SMS does not appear in the user’s sent folder, so users receive no indication that the message has been sent.
My demo app in action video:
My last task was to see about getting my proof of concept app to the Android market. Using a Gmail account that didn’t link back to my real name I was able to sign up, and I used someone else’s credit card (with permission) to sign up. This leads me to believe it is possible for a malware author to leave no trace of her true identity on an app. I didn’t actually publish my app to the market, but other researchers have already proven that a malicious app is automatically published to the Android market upon upload.
My conclusions are that for anyone with any development experience it is easy to pick up the Android programming language. Thus any malware authors with experience on PC platforms will be able to make the switch to Android without any trouble. Also, the Android permission system is not working to keep users safe. The average, security unaware user will often simply install an app regardless of permissions. Using the API to call malicious functionality was straightforward given the correct permissions. Finally, uploading a malicious app to the Android market is trivial.
Read more about Georgia Weidman
This is my first guest blogging opportunity on Netstumbler.com and I wanted to discuss what I believe is missing in most of the student/consultants I encounter. I would recommend these things for anyone preparing to be a consultant in IT security.
So, the first and most important thing to learn in my opinion is TCP/IP. You need to know it as well as you do the alphabet. The majority of people I meet in the University world and out in industry do not have a detailed and thorough knowledge of TCP/IP. For a security consultant it is best that you can look at the packets and know exactly what is taking place at the lowest level the wire. Elite hackers know TCP/IP as well as they can write their name. To be able to secure the environment and the enterprise it is imperative you know it like they do.
Take wireless for example, many people will start playing with Wireshark to observe the traffic over the wireless card, as most of you can attest to when you first use Wireshark with a wireless card you start a capture, and you see NOTHING, because you are at the application layer, and do not have a good understanding of the lower layers, and also do not understand that you need to be in monitor mode to capture traffic for the most part, and you are connected to the network, and cannot sniff the wireless traffic, so as you read the alert message that tells you to check the selection for promiscuous mode, and then you deselect it, and what do you see? You see the 802.3 Ethernet traffic and not the 802.11 traffic you were expecting. Taking it one step further you need an understanding of the PHY layer before you start looking at a tools that analyze it for you.
The second most important thing is to learn Linux and Unix. Also, do not stop at Linux, download one of the Unix virtual machines and play with it until you get proficient at it.
A note on certifications, they are good for getting you an interview, but once you get that interview you have to convince the people there that you know what you are doing. There is no certification that can replace hands-on experience and knowledge, you can get that on your own by using virtual machines and building and running your own test labs. The concern over certifications is most are based on rote memorization, it is the same problem we have in academic circles (more on that in a moment).
The problem with this is when you study and cram for a certification exam you memorize something take a test, and then you get certified, but what does this really mean? In my view it means you studied and took a test, and be honest, some of these classes cram all of the information into your brain in 4-5 days, and if the class does not provide a study guide, or something similar to practice the types of questions you may encounter you would not see 90% and above exam success rates touted by so many sites. Now, we shall discuss academic thinking, most of the “academics” without industry experience do not understand what I have been talking about either. I was on a team that developed a Master of Science in Information Security, and I was the only non-academic on the team, the entire group was made up of all PhDs but me, and as we discussed the curriculum I focused on teaching the students protocol analysis … that is packets! Well this shocked pretty much all of the team, but I argued my point in many of the meetings, and finally swayed enough support where we had packet and protocol analysis as part of the curriculum
The most important thing I look for when hiring someone when I was running the Network Operations Center (NOC) is desire and initiative to learn. I would interview people with a list of certification as long as their arm, and when I asked them practical questions, they could not answer them, so they did not get the job. This is because I had junior personnel who could answer the questions, so how could I give someone a position over one of them at about 5 times the amount of pay they were getting. I could not justify it, and never did waiver on that. If a person has desire that is the most important thing. I had a guy come in fresh out of bootcamp that did not even know what UNIX was, and in 6 months he became my UNIX expert.
Another thing that helps is understanding programming, you do not have to be proficient at it, but being able to look at code and at least understand the fundamental concepts of it is very important in this field.
Finally, it is all about research, I learned to do research in Graduate school, I had a Professor Frank Coyle that specializes in using JAVA for real time systems, and he was instrumental in teaching me how to do research, and that is the intent of these short research topics, the more practice you get the better you get to be at it. Today with the amount of online information you can research in a few hours with the Internet. When I was in graduate school, I spent weeks doing research at libraries, take advantage of this opportunity we have today. Recommend you dedicate one hour a night to reading something, a whitepaper etc. There is a saying in the consultant field that as long as you can read the manual and understand it faster than the client you will always get the contract. That is why research is so important.
As I like to tell my clients, up until 2006 my certification count was 0, and now it is at 20, so it is not about getting a certification, it is what you do before and after you get that cert.
- Kevin
Kevin Cardwell currently works as a free-lance consultant and provides consulting services for companies throughout the world, and as an adviser to numerous government entities within the US and UK.
He is an Instructor, Technical Editor and Author for Computer Forensics, and Hacking courses. He is the author of the Center for Advanced Security and Training (CAST) Advanced Network Defense course. He is technical editor of the Learning Tree Course Ethical Hacking and Countermeasures and Computer Forensics. He is author of the Controlling Network Access course. He has presented at the Blackhat USA Conferences. He is a contributing author to the Computer Hacking Forensics Investigator V3 Study Guide and The Best Damn Cybercrime and Digital Forensics Book Period. He is a Certified Ethical Hacker (CEH), Certified Security analyst (E|CSA), Qualified Penetration Tester (QPT), Certified in Handheld Forensics, Computer Hacking Forensic Investigator (CHFI) and Live Computer Forensics Expert (LCFE), and holds a BS in Computer Science from National University in California and a MS in Software Engineering from the Southern Methodist University (SMU) in Texas.
Christmas is around the corner. Some of the top gifts are going to be shiny new mobile devices – smartphones, tablets, hacked Kindle Fires, Playbooks, and others. Is Exchange ActiveSync turned on in your environment? What is your plan for handling mobility in the Enterprise? But the biggest question of all is – What does a lost or stolen mobile device mean to your organization in terms of risk? What about when the CEO loses her device? Can you quantify your risk today?
The data leakage disclosed in this post has been gathered from a technique the author refers to as Offensive Mobile Forensics. The term forensics is usually associated with incident response and management. In other words, an activity performed after something bad has happened. In contrast, offensive forensics is the act of preemptively performing a forensic analysis of systems or applications as a function of security testing, or for the purpose of quantifying risk. An interesting side-effect of applying this technique to mobile device analysis is that it enables one to truly understand the risk of an attacker stealing or finding a lost device. For example, if your analysis turns up native or third-party applications storing user credentials in cleartext – the author has seen everything from Facebook and Twitter to enterprise users’ Exchange ActiveSync credentials stored in the clear – depending on the accounts and data available, that could be a serious issue.
This technique depends on the ability to jailbreak (iOS) or root (Android) the target device, which provides root access to the underlying file system. If the reader is unfamiliar with these terms, some great resources to learn about jailbreaking and rooting are Redmond Pie (iOS) and XDA-Developers (Android). The author typically utilizes Redsn0w for iOS and SuperOneClick for Android, performing virtually all Android analysis on Samsung devices.
iOS
After jailbreaking is complete, only one other tool is necessary, OpenSSH, used to pull data from the device to a host computer for analysis over WiFi. However, as is always the case with information technology, there’s more than one way to accomplish your objective. So, experiment with other tools, and tweak and tune your own methodology.
Although outside the scope of this blog post, readers interested in learning about some of the other tools used for this analysis technique can check out the iOS Insecurities article in November’s issue of Hackin9 Magazine. The article is a greatly expanded version of what’s here, and also includes a table listing physical locations on iOS devices that contain interesting information for analysis.
There are many different locations containing interesting data on iOS devices. Data often resides in SQLite databases, the chosen format for local storage on mobile devices. The next best place to find sensitive information is in plist, or property list files – these are the primary storage medium for configuration settings in iOS, and they are also a fantastic source of sensitive information. User credentials are often stored here, instead of inside the KeyChain where they should be. Rounding out the top three data sources are binary or binary-encoded files, such as the device’s keyboard cache and pasteboard. Although storage locations commonly change with the release of new iOS firmware, it is fairly simple to poke around the general area and find what you’re looking for.
The most severe threat to mobile devices and applications is loss or theft of the device. As the old saying goes, “if an attacker has physical access, it is game over.” It only takes a few days of analyzing applications on a device to discover that the vast majority of mobile application developers fail to consider the threat of physical access to their data. Simply put, they are stuck in the mindset of web application or client/server developers, where virtually all threats affect applications remotely. Add some terrible design and implementation decisions related to native apps and services from Apple themselves, and you have a device that can pose a significant risk to enterprises and consumers in the event of loss or theft. The following examples are provided in no particular order.
Keyboard Cache (dynamic-text.dat)
In an effort to learn how users type, iOS devices utilize a feature called AutoCorrection to populate a local keyboard cache on the device. The problem is this feature records everything a user types that is not entered into a SECURE text field, which masks displayed data. The author fondly refers to this feature as “Apple’s native keylogging facility”. Data typed into text fields for virtually any application can remain in the cache for more than a year if it is not reset periodically by the user:
Settings > General > Reset > Reset Keyboard Dictionary
Developers can also disable this feature programmatically by using the AutoCorrection = FALSE directive in desired UITextFields, although studies conducted with applications disabling this feature have shown users unanimously disapprove of it.
The file itself is a binary file, so passing it to the utility ‘strings’ is all that is required to generate newline-terminated output suitable for analysis. Figure 1 displays the result of running ‘strings’ against the file, and Table 1 provides examples of near-complete conversations recorded by AutoCorrection.
Figure 1: Keyboard cache output to stdout in terminal
The keyboard cache is a well-known weakness in the iOS system, and there are many more interesting system-related locations to explore as an exercise for the reader.
Third-party applications represent the greatest threat of data leakage on iOS devices. This is usually the result of lazy or poorly-informed, or trained, developers storing user credentials or other sensitive information in clear text. This threat can be mitigated by developers in several ways including storing user credentials in the KeyChain, encrypting sensitive information in plist files with the Common Crypto library, or encrypting sensitive information in SQLcipher SQLite databases. Figure 2 shows one example of a mobile application improperly storing credentials in a plist file. Unfortunately, this particular application utilizes various Internet APIs for authentication including Evernote, Google Docs, Dropbox, and others, which in the event of loss or theft, could result in the compromise of each account.
Figure 2: Credentials disclosed in an application's configuration PLIST
Android
Although there are many similarities between iOS and Android, there are a few notable differences that should be discussed. First, Android does not use property list files (“plist”) for storing configuration data, which is common on iOS devices. Android uses XML files instead of plists. Also, analysts will find many more SQLite databases on an Android device. In fact, configuration information is sometimes stored in SQLite database in lieu of utilizing XML files. Similarly to the configuration files for iOS, the XML files storing preferences for Android applications commonly include user credentials and other sensitive information. Finally, there is a very rich diagnostic and debugging environment in the Android platform, and unfortunately this output is also a common source of data leakage.
A huge difference between iOS devices and Android devices is the presence of the Android Debug Bridge (“ADB”) for the latter. Using the ADB, one can push or pull files to the device, review diagnostic information, and even gain access to a remote shell. The ADB Shell is the primary method of accessing the device’s file system for the purposes of pulling data to a host computer for analysis, or performing analysis on the device itself. More information on this, and other, differences can be found in the Android Insecurities article in January’s issue of Hakin9 Magazine.
Annotated WiFi Credentials
Email
The Android system, like iOS, stores email in a SQLite database. Unlike iOS however, which stores email credentials in the KeyChain, user credentials on an Android system are stored in cleartext in the email database. This may seem like a trivial occurrence of data leakage, but in addition to personal email accounts such as Gmail, Exchange ActiveSync (“EAS”) credentials are also stored there. As if credentials weren’t bad enough, the database also stores messages in the clear, along with email addresses of contacts that have sent the user mail. This could be particularly devastating for corporate enterprises utilizing EAS, in the absence of a proper mobile device management (“MDM”) solution.
EAS and personal email account credentials can be discovered in a couple of different ways. Figure 3 shows analysis of the EmailProvider.db SQLite file in Base, a GUI SQLite client. An even easier way to find user information is by simply running the ‘strings’ utility against the database file, as seen in Figure 4.
Figure 3: Email credentials disclosure
WiFi
The email situation is bad, but equally shocking is the method in which the Android system stores WiFi configuration information. Navigating to the /data/misc/wifi directory yields a configuration file called wpa_supplicant.conf on a Samsung Captivate that stores configuration information for every WiFi network the device has connected to – in cleartext. Assuming the data is disclosed to an attacker, an organization’s only defense is the use of multifactor authentication for their wireless networks, i.e., if corporate enterprise is using a combination of username and password exclusively, this could be a serious issue. The configuration file stores SSID, key management type, and the pre-shared key for the network.
Figure 4: Email credentials disclosure
Conclusion
Now, obviously various mitigating controls exist for protecting a user’s data on a mobile device, most notably the hardware-based encryption and Data Protection on the iPhone 4 and above, and encryption Android devices with Gingerbread. Passcodes lock devices, and in the case of Data Protection, enable a secondary layer of software-based encryption. That said, a recent study indicated over 50% of users don’t use a passcode at all on their devices, and another 20% utilize a 4-character combination that can be easily guessed in the usual 10 tries allotted – 1234, 4321, 9876, and so on. Add to this the ability to deploy OpenSSH as part of the jailbreaking process for iOS devices, the most prevalent choice for the Enterprise, or simply crack the passcode, and loss or theft is illuminated as a serious threat to data security. In the current ecosystem, with physical access to the device, it’s game over.
Joey Peloquin
Joey Peloquin is the director of mobile security at FishNet Security, where he’s responsible for MDM technology review, mobile security research, testing methodologies, and business development. He’s spent the last twelve of twenty years in IT specializing in Information Security. His experience ranges from risk assessment to intrusion analysis and incident response, network and application penetration testing, and mobile forensics.
Solid-state storage technology is becoming a viable storage alternative for high-performance applications. Learn the important acronyms surrounding the technology.
Hybrid cloud services and products offer a "best of both worlds" approach by bridging locally installed storage and cloud storage. Learn how to evaluate hybrid cloud solutions.
The Ohio Department of Developmental Disabilities found deploying VDI to be cheaper than replacing 80% of its aging desktops. See what approach Ohio DoDD took to implement VDI and how it avoids VDI boot storms.
Virtual machine storage requires greater performance, capacity and resiliency than with physical servers and requires a careful choice between block and file access.
Use this Essential Guide to learn what choices you'll face in a data deduping project and to determine how to best implement data deduplication technology in your data centre.
It's important to discuss the reality of VDI storage costs when VARs are planning a VDI project with customers. Find out how to manage VDI expectations and solve performance issues in this tip.
Find out how storage vendors are addressing bottlenecks in disk array controllers, as well as the benefits and downsides of these approaches for your customers.
A new dawn for DAS? New forms of direct-attached storage have emerged that aim to meet the needs of virtual servers and their extremely random I/O characteristics.
This blog has run its course: Thank you, loyal readers, many of whom still read this site regularly and have been following the blog for most of the decade it's operated. Even less-regular readers may have noticed that posts to Wi-Fi Networking News have become fewer and farther between.
There are a few reasons, discussed here before. First, Wi-Fi has become embedded in everything, and it generally works. When it does not, the reasons tend to be specific and technical enough that broad advice doesn't help. Second, Wi-Fi is now like oxygen, found everywhere, and often free in the United States. Third, cellular or mobile broadband has become much more important, and while I've covered that issue here, it's never been a perfect fit. (I once had a Cell Net News site, but it didn't generate enough traffic to keep operational, and had too narrow a focus.)
Fourth, the many, many gadget and tech sites that fill the zone with coverage of every last little issue deal well enough with much of what I blogged about—short items and links, rather than full-blown articles—that it seemed futile to write 100 words here when 1,000 articles were all over Google News and the rest of the Internet.
And, finally, many of the issues I formerly wrote about here, I'm now paid to write about elsewhere, where I receive a bigger readership as well. For instance, I wrote an item about closing up this blog for BoingBoing, which makes sense as it's one of the places I contribute on a routine basis. I also have a regular gig for the Economist, writing technology items each week for the Babbage blog. Ars Technica, Macworld, and TidBITS have also been more targeted and appropriate places for me to write at length about issues that involve wireless and mobile networking.
I've loved writing this blog, but as traffic plummeted after 802.11n was finalized and municipal networks started falling apart, it's been difficult to make the time to keep this site useful. I'm bowing to reality: I have too much on my plate, not enough readers (and thus, not enough ad revenue) here, and better fora in which to write more broadly about the topics that interest me.
There are so many people to thank over the years for their help with this blog. First and foremost is my good pal Nancy Gohring, who now writes for IDG News Service, who spent a couple of years working as a freelancer for me during our heyday, and has been a supporter of the blog from beginning to end. Also, the many, many community wireless folks with whom I spent inordinate amounts of time speaking and visiting, primarily from 2001 to 2005, when that movement was at its peak. Esme Vos of Muniwireless.com was a key and helpful friend and colleague during the municipal wireless phase, and we exchanged tons of information. Klaus Ernst has been a long-time correspondent and a great friend of the site, filing reports about his first-hand experiences with so many ostensibly launched and working Wi-Fi networks in Manhattan—that never seem to measure up to snuff.
I so appreciate the support everyone has given me over the decade in running this site. The blog will stay up forever. I have no plans to pull down archives. But I doubt there will be a new post here unless the market shifts again and there's a need for it.
Taco Bell will add free Wi-Fi and entertainment systems to its 5,600 US stores: I've been wondering for years, as loyal readers know, why McDonald's was the only of the large quick-service restaurants to do a full-chain adoption of Wi-Fi. The system will be part of adding damned television sets to the "dining rooms." Because if there's one thing better than eating a taco comprised of the cheapest possible ingredients, it's having programming and advertising blaring at you at all possible moments.
I also know there's a cost involved in all this, but the rollout will take four years. Which means that when complete in 2015, McDonald's will have had a full-chain US deployment for something like 7 or 8 years longer.
There's no discount, but you can use your Boingo account to pay for in-flight Internet: This is a nice move, long expected, which links up two popular offerings for business travelers. Boingo has a variety of service offerings which may include either unlimited or high-usage access to various parts of the globe. In North American, their $10-per-month plan provides unlimited use of terrestrial hotspots in the network.
The Gogo connection lets you use the same Boingo software, account, and linked credit card to pay for in-flight Internet access at the same retail rate as other passengers. One would hope Boingo could negotiate a better rate by reducing Gogo's marketing burden to bring customers in the future.
The company tells me it has 10,000s of access points in place across its New York, New Jersey, and Connecticut markets, along with 7,000 hotspots in business locations that are Cablevision customers. Over 500,000 Cablevision customers have used the network so far.
Wi-Fi networks, even at 802.11g speeds, can easily handle 15 Mbps over short distances. With 802.11n, 15 Mbps should be achievable over longer ranges.
This comes years after varying plans and bidding proposals that didn't work: AT&T is paying for the cost of installing and operating Wi-Fi in 20 parts in the five boroughs of New York City, including the High Line, the park converted from old elevated rail lines, long abandoned. It's a several-year deal, apparently. Right not, three parks (Battery Bosque in Battery Park, part of Joyce Kilmer Park, and the rec center at Thomas Jefferson Park) have service. The rest are coming this summer.
Update: Please read the comments. Parks didn't bid this out or have an open process.
Bryant Park has long had free Wi-Fi, delivered through a series of hands, and it's been an apparent success as part of the terrific revitalization of a public space that was once abandoned to drug deals.
Karl Bode at DSLReports reminds us that last September, Time Warner Cable and Cablevision were planning to install Wi-Fi in 32 parks as part of their cable franchise extension, offering just 10-minute sessions up to three times a month before charging 99¢ a day. It's unclear where these two plans intersect.
An area between the Brooklyn and Manhattan Bridges, nicknamed DUMBO (Down Under the Manhattan Bridge Overpass), gets free Wi-Fi: New York has precious little free Wi-Fi, even though non-profit groups like NYCWireless and private firms have worked at times with business districts and parks to get some action going. A number of different parties worked together to make the Dumbo Wi-Fi zone happen: the neighborhood improvement district, the Two Trees Management Company (for site placement and funding), and NYCwireless.
Alaska Airlines says its Gogo Inflight Internet installation on most planes: A handful of aircraft won't feature service, mostly those carrying freight. Facebook access will be free through June, and the airline has a game promotion as well. Alaska charges the same access fees for service as the rest of Aircell's partner airlines, with most users paying $10 or $13 for laptop service for short and long flights, and a few dollars less for handheld (not tablet) service.
Ah, this brings back memories: Cast your mind way way back to 2006, when Tempe, Ariz., was on the cutting edge of municipal wireless systems. The city, which already had its own wireless ring for city backhaul, put out a tender for a firm to provide a combination of public and private services. Neoreach won the bid, and built some of the network out as it shifted through names and subsidiaries, winding up with Gobility as the ultimate owner when the network failed. (Gobility had oceans of issues unrelated to this network.)
While the network hasn't been operational even in part since 2007, the gear was left all over town. Two-thirds of the access points were owned by a leasing firm, Commonwealth Capital Corporation (CCC). If the nodes were abandoned, Tempe alleged, then Tempe would be granted ownership. CCC disagreed, because it hoped to sell the system with the nodes still in place.
CCC sued to have the nodes returned to it after ridiculous attempts were made by it to sell the network. The case ran from Feb. 2009 to March 2011, when the company dismissed its own lawsuit. Tempe, meanwhile, had sued CCC for the rent due on pole usage for the period when CCC was trying to sell the gear. Tempe prevailed in court for $1.8m and ownership of the hardware.
The money assuages the fact that the 4–5-year-old hardware is likely nearly unusable. It should be mostly Strix Systems gear, which appears to still be a going concern, even though its "news spotlight" page refers only to events in 2007. There's likely some backhaul equipment from other makers.
This is the last gear hanging that I'm aware of from the olden days of 2006–2008 that isn't in active use, such as the network in Minneapolis.
The wireless backbone provider Towerstream will flip on a dense Manhattan Wi-Fi network: Towerstream built a wireless network in the skyline, paying for prime locations on the top of buildings to point high-speed service at line-of-sight locations where conventional wired or even fiber broadband wasn't available, would take too long, or wasn't competitive or reliable enough. Now it's taking aim at Wi-Fi.
But it's not trying to be a metro-scale Wi-Fi operator. That would be foolish. Rather, Towerstream is building out a dense Wi-Fi zone, described by BusinessWeek as seven square miles of Manhattan. The firm is deploying 1,000 routers, and the backhaul is clearly its own building-top network. Being able to leverage its own backhaul is a distinct financial advantage, as it already has a business model that works for the point-to-multi-point service it offers today. This is icing on the cake.
Towerstream will sell access to the network to carriers looking to offload mobile 3G and 4G traffic from congested, expensive cellular networks to Wi-Fi. AT&T has built similar zones itself, although I doubt quite as dense or extensive. Towerstream could become a vendor-neutral cost-effective alternative to carriers building these "heat sinks" for high bandwidth usage themselves.
Phone users benefit from this offloading as well as carriers. You get a much faster rate of service from a dense, high-speed Wi-Fi network than the comparable 3G or even 4G service, and no carrier in the US bills by the byte for Wi-Fi: if it's included, it's free. Thus, you can use much more data without hitting limits or paying overages.
The BusinessWeek article has a serious flaw, however. It misstates the nature and reason for failure of municipally backed Wi-Fi networks. The writer, Peter Burrows, makes a variety of historical errors, including stating, "While most of the failed experiments of yore were based on taxpayer-funded municipal projects, this time there's a clear business need for wireless carriers." In fact, there wound up being built no taxpayer-funded municipal networks. All of the deals involved cities or counties bidding out the right to build a network, with access to public facilities (conduits, towers, building tops, etc.) as part of the carrot. Very little municipal money was spent, while private firms went through tens of millions in never-completed network buildouts. Minneapolis stands as a shining example of the only network that was completed and thrived. (The city purchases services from the network operator, but the network was funded and is run by US Internet.)
Burrows also describes the router that Towerstream will use somewhat incompletely. He talks about it being an antenna, for starters, and claiming the units run $800 each. That might be the unit cost, but installation and providing an electrical feed will run the installed price much higher. He notes, though, that Towerstream will pay $50 to $1,000 per month to the owner of the property at which a router is installed. Nice fees if you can get them.
There's a great capper to this story: Towerstream's quiet 3-month test of 200 routers in Manhattan: "Last year, Towerstream conducted a three-month test of a 200-device Wi-Fi network in Manhattan. Without any promotion, the network handled 20 million Web sessions by consumers who happened to spot Towerstream when trolling for a Wi-Fi connection." That's the kind of data that might get carriers to sign up.
GigaOm confirms T-Mobile will add free Wi-Fi calls to its UMA-capable phones: T-Mobile tried an alternative to femtocell and unlimited calling plans several years ago, allowing unlimited domestic calls over Wi-Fi for handsets with unlicensed mobile access (UMA) technology built in. UMA allows seamless roaming between Wi-Fi networks and the cell network, handling the billing and call details on the back end.
After a few years, however, even after making the add-on price as low as $10/mo for a family plan for unlimited calls that started on Wi-Fi (either placed or received on a Wi-Fi network at home or a hotspot), T-Mobile stopped offering the service to new customers. Apparently, it continued to be available as a calling option, with Wi-Fi calls being deducted from general minute pools.
Now, T-Mobile is making Wi-Fi calling free to postpaid Even More and Even More Plus customers (those that have had a credit check and pay at the end of a billing cycle). These customers need a UMA handset, which includes many BlackBerry models, and have to opt in to the free service.
Finally: I've been asking the question for several years: when will media servers on planes be used to provide in-flight entertainment over Wi-Fi? The answer is now. Aircell told me years ago that they had provisioned the ability to put media servers on planes, and were waiting for pieces to fall into place. Its public trial with American Airlines on a couple of 767-200s will start this summer.
It's a logical connection that when you have people on a local, high-speed wireless network that you could deliver content to them for free and for a fee. Given that the majority (sometimes entirety) of people on a flight have some kind of device with a screen, why build in miles of wire and clunky seatback entertainment systems?
One of the best, Virgin American's Red, is still slow, hard to navigate, and of poor quality relative to even the worst tablet or netbook. Alaska Airlines never installed such systems for reasons of cost, and rents its digEplayer instead—a portable tablet preloaded and precharged.
An airline that moves away from seatback systems and into passenger-provided hardware could also stock tablets for rental, now that there will be ready availability of a variety of sizes and capabilities that handle video playback well, and which cost relatively little compared to custom systems like the digEplayer.
This could also eliminate live satellite feeds by providing time-delayed playback on demand. Imagine that when a plane comes to a halt and the doors are opened that a system at each gate starts a high-speed 802.11n transfer of several hours of news and other recent sports, talk shows, and network programs. There's something nice about "live," but there's also the reality of operational cost and antenna drag.
Aircell and American haven't announced which programs and movies will be available nor the cost or other particulars.
A Buffalo, NY, man gets an early morning visit (and alleged contusions) from the ICE: His left his Wi-Fi network open, and extremely poor FBI work (according to this AP report) led to a raid on his home because that's where the IP address led. While it's no crime in the US—it is in some other countries—to leave your network open for anyone to access, this isn't the first time this has happened. I've written up a few previous similar incidents that led to police or federal agents breaking down the doors for criminal acts conducted over the network at the physical address. In most cases, a neighbor is the guilty party.
You'd think the FBI would be briefing agents on this issue, so that they don't face multi-million-dollar lawsuits for faulty work that pinpoints the wrong person. The Buffalo man isn't suing, even though his attorney alleges he was thrown down the stairs by Immigration and Customs Enforcement (ICE). He says they didn't properly identify who they were after breaking down the door and brandishing weapons. (Who knows from ICE?)
Even on an open network, it's possible to track identifiers that would allow relatively easy confirmation of which machine was the case, or to stake out the area for a few nights, tracking signals and locations. Then agents could enlist the homeowner with the open network to ensure the Wi-Fi signal remained available and could be used to track at which exact moment that a perpetrator was engaged in an illegal act and then raided at the same time. (We're talking child pornography here, not file swapping.)
The AP article says that US-CERT recommends "closing" a Wi-Fi network among other security measures. This option, labeled differently on each maker's router software, disables default beaconing, and thus the network name and availability isn't broadcast. However, whenever the network is use by a party that knows the name and has associated with it (encryption or otherwise), traffic can be snooped and connection information extracted. I don't recommend closing a network as it provides no effective security, and neither does limiting an network to specific MAC addresses (the Wi-Fi adapter's unique hardware number).
US-CERT has six recommendations for best home practices on its Securing Wireless Networks page, which include these two. Closing a network is noted as "Protect Your SSID."
Really, using a nine-letter/digit WPA password is the simplest way to protect a network in a reliable and secure way no matter what other restrictions are in place.
I choose to password protect my network in part because I don't want to be indirectly responsible for anyone's actions on my network (whether in a raid or just because someone commits a nefarious act using my router), and because Comcast caps my use at 250 GB per month.
A new mode in Eye-Fi X2 cards let you rely images through a smartphone using a neat trick: I'm a long-time fan of the Eye-Fi digital camera cards that pack a CPU, a Wi-Fi radio, and now up to 8 GB of storage into an SD or SDHC form factor. The Eye-Fi line is regularly updated to add features like transfer of RAW images or video files, or endless storage, in which images already wirelessly transferred to another location can be deleted when storage is needed. (I haven't erased my Eye-Fi camera card since that feature came out. I simply don't need to know what's on the card any more.)
Direct Mode is another in that array of improvements, and it requires a little explanation. Eye-Fi may be a bit breezy in describing the feature, which requires you to think a bit differently about how the card works.
In regular operation, an Eye-Fi card looks to a camera precisely like any memory card. Whenever the Eye-Fi recognizes a Wi-Fi network it knows about, it connects, and starts to carry out whatever operations were waiting for access, such as uploading files to a computer or sharing service. This works whether the network in question is a home network for which you've stored a password, a public network to which you have access through an Eye-Fi subscription, or a free network tied in via Eye-Fi's relationship with Devicescape's Easy WiFi service.
But in Direct Mode, the card will transform from a Wi-Fi client into a Wi-Fi hotspot, but not for just any device to connect. Rather, if you have a smartphone or tablet with the Eye-Fi software running (available for iOS and Android initially), the app connects to the card over Wi-Fi, and images are transferred over. You can use a 3G-equipped device to relay and upload images and movies, or transfer media and then connect via Wi-Fi to a network to upload that data from the app. The mobile app can copy media over the Internet to whatever computer with which you paired the Eye-Fi—the one to which over a local network the card sends files—as well as an online sharing or social-networking site you've picked from Eye-Fi's partners.
Direct Mode was announced with more details alongside the release of the Mobile X2, part of a reshuffling of the Eye-Fi line up, which now comprises Connect X2, Mobile X2, and Pro X2. The Connect has 4 GB and costs $50, while the Mobile has 8 GB and costs $80. That's their only difference. The Pro at $150 and with 8 GB of storage adds RAW file handling, and including a geotagging and a 1-year hotspot subscription. While RAW is restricted to the Pro model, you can add geotagging to Connect or Mobile for $30 (one-time fee), and hotspot access for $30/yr.
Direct Mode will be a firmware upgrade for all current and past X2 models in a few weeks, according to Eye-Fi.
The train line from New York to Connecticut is testing service: The Internet service would be used to drive passenger access, as well as live information on screens in cars coupled with advertising. For now, the MTA isn't revealing which train is equipped during this trial so as not to disappoint riders.
Some palpable numbers: Air Transport World quotes US Airways president saying that usage averages below 5 percent of passengers on flights, and breakeven is above 20 percent. They only have the service on about 50 planes (their Airbus A321s), which lack power outlets. By only covering part of their fleet, as opposed to Delta which has full coverage on mainline planes, they may undermine patterns of usage that build up over time.
SlashGear has gotten their hands on the new Novatel MiFi 2352. What makes this different from the previous version offered by Verizon and Sprint? Well, this one is GSM based and could see 3G download speeds of up to 7.2 Mbits and upload speeds of nearly 5.76 Mbits.
For a detailed review, including unboxing pictures of this personal WiFi hotspot check out the review below.
Verizon has joined the bandwagon and announced a new open access plan for its network. This plan will go into effect next year and means any application can run on any device from any manufacturer and will have full access to the Verizon spectrum.
Verizon representatives say this move was prompted by two different motives, the first being more sophisticated customer needs and the second is an explosion in innovation. They are hoping to see an wave of wireless devices flood the market in more arenas than the traditional handset market.
Some speculate that this decision is tied to the upcoming 700MHz spectrum auction, Verizon denies this was their motivation but the timing couldn’t be more coincidental.
Via [arstechnica.com]
The much anticipated 700MHz spectrum auction in January officially has another bidder. Google has announced that it will toss its hat in the ring.
A Google representative says that the company’s goal is to offer American consumers more choices in an open and competitive wireless world. Officially, Google doesn’t have to announce its plans until December 3rd so until then speculations abound.
Some say Google has no interest in becoming a network provider, others look to the previously proposed four open access provisions, or possibly they will lease space to others. Nothing is certain at this point except that when Google does make its plans known it will create a nationwide buzz.
Via [arstechnica.com]
CBS has just made an announcement that is sure to delight New Yorkers. From Times Square to Central Park and from 6th to 8th Avenue will become the new CBS Mobile Zone. This zone will carry free Wi-Fi for cell phones, laptops and other devices that want to access the internet or even make voice over internet phone calls.
In return, CBS gets ad impressions, tons of them. Visitors to the region will be greeted with a sponsored homepage with hyperlocal news and information for people within the specified area.
CBS Outdoor Chairman and CEO, Wally Kelly, explains that this is just one example of how CBS is dedicated to turning Outdoor assets into next-generation interactive platforms.
Via [centernetworks.com]
The deal struck between Sprint Nextel and Clearwire back in July has been scrubbed and the national WiMAX network took a hit. Both companies say they will continue to work on the technology independently.
Although both companies appear committed to developing WiMAX, their shareholders may actually hold the reins as huge sums of money are necessary to go forward.
Manufacturers of WiMAX equipment feel the technology is still sound and they plan to go ahead with device creation, it just may take longer for the technology to take hold. AAA So, the future of WiMAX is uncertain, it may be better suited for emerging markets than the U.S., only time will tell.
Via [news.com]
The recent departure of Sprint CEO, Gary Forsee, is having some far reaching impact. The WiMAX build out between Sprint Nextel and Clearwire is the latest victim as the proposed joint, nationwide WiMAX effort has been dropped.
Sprint’s corporate shake up was not the only reason the proposed venture was nixed,the complexities of the transaction were also cited as a stumbling block. So that leaves the American WiMAX project in a bit of a conundrum, do Sprint and Clearwire go out and forge independent networks or will new bonds form?
In the meantime, WiMAX is progressing nicely overseas, proving that they technology is valid and workable.
Via [gigaom.com]
IBM has joined forces with MediaTek to develop microprocessor chipsets that will wirelessly transmit videos almost instantly.
These chipsets will let you connect HDTVs with set top boxes without the need for wires. They will also transfer data at rates of at least 100 times that of current WiFi standards.
This new technology, mmWave wireless, is expected to be used widely in homes and offices.
Via [networkworld.com]
WiMAX has a reason to celebrate. The International Telecommunications Union has just approved the non-cellular technology as part of a 3G standard. This means that operators with 3G spectrum in their 2.5 GHz bands globally can use WiMAX to build out a spectrum.
The last interface added was back in 1999 when ITU added IMT-2000 as it established the original technologies. IMT-2000 and five other cellular standards had to be used in the 3G standard, now the door is open to WiMAX.
But all is not rosey for WiMAX, the debate between technologies is far from over.
Via [wirelessweek.com]
The BBC has announced that the Health Protection Agency is going to begin a systematic research program on how WiFi is used. The goal of this study is to determine how WiFi is being used and the possible radiation exposure that results from such use.
Spokesmen from the HPA believe that the study will confirm the safety of using WiFi, but feel that since England’s Chief Medical Officer suggested children limit their non-essential cell phone use due to potential exposure to radiation that a study into the radition emmissions of WiFi was the next logical step.
Results of the study will be publicly available, but officials reinforce their belief that WiFi is safe.
Via [bbc.co.uk]
Chicago’s WiMAX World show displayed a large rift between Mobile WiMAX supporters and municipal WiFi.
With continued problems halting all progress in the municipal WiFi world, WiMAX supports say they have the solutions. They contend that their licensed spectrum will guarantee continuous coverage and that indoor reception will not be as problematic as it is for WiFi.
But all is not rosy in the world of WiMAX, hardware is a huge problem. Every laptop has built-in support for 802.11b/g and will soon have 802.11n, this won’t be the case for WiMAX for quite some time, several years at least.
Right now all eyes are on Sprint and their pricing of Xohm. A reasonable price point may make or break a WiMAX solution for the masses.
Via [arstechnica.com]
Another massive wireless network has fallen behind schedule, this time the location is California’s Silicon Valley. About 40 municipalities over a 1500 square mile area are still in negotiations but representatives have said that the model should be completed by the end of the year.
So far the delay has been blamed on technological improvements and changes and the deeply complex process of covering multiple technologies and different services. This may be so, but the template agreement is still not finalized and even when finally done, it still needs to go to individual municipalities for some tweaking.
Like the struggling citywide Wi-Fi in other cities across the country, their plan is very ambitious and progress is slow.
Via [infoworld.com]
