11 posts • joined 29 Oct 2010
Mobile operator. Normal users are not meant to send this kind of messages.
It's not the phone, it is the SIM
I had to read both the NYT and Forbes articles to understand what it is all about.
Even though plain DES should not be used, I think it is a protocol failure: the articles did not mention brute force attacks, but malformed OTA messages. Besides SIM manufacturers (Gemalto, G&D and friends) I'd blame mobile operators' cheapness: saving a few pennies on each SIM card goes a long way when you are rolling out millions of them, so they choose old models with very limited memory and obsolete operating systems and crypto processors.
There are two big security fails here:
- first, sending the encrypted keys to the SIM as a response to a malformed message (probably the so-called "Issuer Security Domain keys"). Maybe some debugging mode that should have been deactivated?
- second, breaking the 'sandbox' mode, which I am not sure whether it is a failure of the JavaCard virtual machine implementation or of the underlying SIM operating system, which must implement a security architecture based on "Security Domains" that prevent applications accessing each others' data. Without this second failure, getting access to the SIM would have enabled attackers to delete all existing applications in the SIM and install new ones, but not access their data or keys.
Finally, there is no "security through obscurity" here. All specifications are publicly available, see ETSI, 3GPP or GlobalPlatform.
Fierce competitors? Don't make me laugh, they are mostly the kings of price fixing.
BTW, Mr. Alierta was proven guilty of insider trading a few years ago but was lucky that the statute of limitations for such crimes kicks in really early in Spain.
Re: You can cast aluminum direct from a 3D print
That's a pretty good step-by-step guide for those of us who still don't know much about practical applications. Has made worthwhile reading the comments, thanks!
Re: As predicted last year....
I'm also gladly surprised that NSN did well, that's some hope for the European telecom engineering business.
But I would not make any conclusions from old wars: pick almost any country, and you'll be able to find past victories if you go back in History far enough...
Re: No bloody bullfight with ultragore so that politicians can complain? SOMETHING IS WRONG!
Yes, it is indeed anti-competitive to sign an AGREEMENT not to compete, by entering your competitor's home market. I don't think anyone will fine Telefónica or PT for offering telecom services in New Zealand, for example.
Is it so hard to understand?
Re: Die Grande Die
I can't fathom why they decided to call that size "grande"... no self-respecting Italian, Spaniard or Portuguese would ever ask for a pint of coffee.
Your comparison with the Assyrian Empire is just great
If the European Commission is serious about pulling down borders, barriers to commerce and such, they can do with mobile pricing something similar as they did with money transfer costs in the Euro zone (at least; I don't know if they apply when one of the accounts is in the UK): same price regardless of country of origin and destination.
50,000-watt radio station?
Do they publish radio stations' transmitting power in the US?
That's really cool, much more than the silly iPhone.
No remote management?
The feature missing from this card, and the winning argument for putting NFC in the mobile phone, is remote management: OTA downloading of applications ('cards') to the secure element (most likely the SIM), remote updates (ticket purchases, account lock/unlock, etc).
Anyway, it is much more difficult to play card skimming attacks against this kind of devices than against magnetic stripes: the secure element will not exchange any information until the NFC reader has authenticated itself.
- Fee fie Firefox: Mozilla's lawyers probe Dell over browser install charge
- 20 Freescale staff on vanished Malaysia Airlines flight MH370
- Neil Young touts MP3 player that's no Piece of Crap
- Review Distro diaspora: Four flavours of Ubuntu unpacked
- Sysadmins and devs: Do these job descriptions make any sense?