T-Mobile quietly hardens part of its U.S. cellular network against snooping

190 points | Libertatea | 11 years ago | washingtonpost.com | reply

94 comments

[+] cooperq|11 years ago|reply
Um guys, A5/3 is completely broken. According to Wikipedia: "In 2010, Dunkelman, Keller and Shamir published a new attack that allows an adversary to recover a full A5/3 key by related-key attack.[5] The time and space complexities of the attack are low enough that the authors carried out the attack in two hours on an Intel Core 2 Duo desktop computer even using the unoptimized reference KASUMI implementation. The authors note that this attack may not be applicable to the way A5/3 is used in 3G systems; their main purpose was to discredit 3GPP's assurances that their changes to MISTY wouldn't significantly impact the security of the algorithm."

Even if A5/3 weren't broken, there are still tower dumps and IMSI catchers, which are a whole lot easier to use than breaking encryption. Yes A5/3 is better than A5/1, but I call bullshit on this whole article.

[+] rtpg|11 years ago|reply
>Yes A5/3 is better than A5/1, but I call bullshit on this whole article.

Super pedantic, but the title is 'hardens' not 'makes hard'. If it's better, then it's been hardened. Might not be the best thing available, but that's the meaning of a comparative.

[+] dmix|11 years ago|reply
> The authors note that this attack may not be applicable to the way A5/3 is used in 3G systems.

This is a pretty big conditional. But I still imagine intel agencies have broken KASUMI.

[+] AlyssaRowan|11 years ago|reply
Indeed, I would not personally consider using KASUMI to be a positive change worthy of the title of "hardening".
[+] x1798DE|11 years ago|reply
I have T-Mobile, and I have to say, I've been quite happy with it and I've been just waiting for the other shoe to drop. The only negative thing I hear about them is people don't like the coverage area - which doesn't bother me because when I switched to them they were the only company that offered wifi calling (meaning I can comfortably use my phone at work and at home, where I spend 99% of my time, for the first time in 6-8 years).

Do I just have a rosy outlook, or is T-mobile's limited marketshare such a problem that they're somehow disciplined into being an actually good mobile carrier?

[+] qeorge|11 years ago|reply
Same story here. Have had T-Mo for ~3 years, wouldn't ever switch to one of the other big carriers (I would move to Republic Wireless if I was going to change). My wife moved from Verizon -> T-Mobile last year after finally getting tired of the ridiculous prices from Verizon, and is also very happy.

Coverage is fine. Sometimes on road trips to the beach here in North Carolina we will lose service for say 5-10 miles when we are really in the middle of nowhere (the sprawling metropolis of Elizabeth City, NC in particular gives me trouble). This is acceptable in return for nearly 50% savings and not having to do business with AT&T/Verizon.

[+] anonu|11 years ago|reply
I've been a VoiceStream, then T-Mobile customer for over 16 years. There's been ups and downs in the relationship over the years. The most notable "down" was the $800 international roaming charge they refused to remove from my bill a few years back. Even though I really wanted to leave them then, a thorough cost analysis of the competition showed they really were still cheaper...

More recently, the Simple Choice plan they introduced last year which includes "free" international data roaming has ensured I stick with them for even longer. I travel quite a bit, so that + the wifi calling which works pretty much anywhere in the world has been a great thing.

[+] ryanSrich|11 years ago|reply
T-mobile is the only carrier in the U.S. with good coverage and unlimited data + iPhone support, so for me it's really my only option. They've been really great so far; only charge what they say they are going to charge, no contract, and no overages. It's incredibly disheartening to know that these basic requirements are unheard of for other large carriers.
[+] reustle|11 years ago|reply
Regarding coverage, I'm feeling the pain. I've been a TMobile customer for over 2 years now and their service in NYC is great, but out in Pennsylvania (where I am almost weekly) is terrible to nonexistent.

On top of coverage being bad, their plans are limited to around 10MB of data roaming per month. Yes, MB. That is only domestic though, if you're international you get unlimited data roaming. I guess that is what happens when you bad-talk other carriers then ask them about letting your customers roam on their networks.

[+] jordanpg|11 years ago|reply
They really did refund my early termination fee with Verizon, and it only took about a month. I was expecting the worst (as is the norm in the world of rebates) and was pleasantly surprised.

The slam dunk for me is the JUMP (Just Upgrade My Phone) program which allows you to upgrade phones much more frequently and easily. Doesn't save much money, but I am tickled knowing that I will get new phones much more frequently now.

[+] dopamean|11 years ago|reply
I've been a T-Mobile customer since 2004 and I've been really happy with them the whole time. The customer service has always been what kept me there even when I (briefly) lived in poor coverage areas. My feeling is that if you live in a good coverage area and you don't do a ton of travel then there's no good reason not to use T-Mobile.
[+] uptown|11 years ago|reply
I checked them out, but their coverage just doesn't exist where I need it. Ended up going with the Verizon Allset plan. Requires that I buy my device up-front, but I get 4G LTE with a gig of base data, the ability to add-on data as-needed, and the ability to tether with no contract, and no activation fees.
[+] chimeracoder|11 years ago|reply
Depends on your definition of "actually good". I've been a T-Mobile customer since they first entered the US, and I've generally been happy, but I was incredibly upset when I saw that they started zero-rating "approved" music services[0].

I have unlimited data, but as a strong supporter of net neutrality, I take issue with that.

[0] https://www.eff.org/deeplinks/2014/07/net-neutrality-and-glo...

[+] jschwartzi|11 years ago|reply
Wifi calling is especially amazing if you're in a foreign country and you need to take a conference call in your hotel room.
[+] joshavant|11 years ago|reply
Just a reminder: TMobile is also actively chipping away at net neutrality through their 'free' music streaming feature.

That is, they inspect your traffic and don't charge your bandwidth quota for network traffic with TMobile-selected music streaming services (Spotify, Google Play, etc).

http://www.t-mobile.com/offer/free-music-streaming.html

[+] dylz|11 years ago|reply
They don't DPI your traffic for this feature - if Spotify detects you're on .tmodns.net, they will serve you from internal Telekom network caches instead of hitting the wider internet. This is pretty much equivalent to Australian ISPs' freezones.

They do DPI for other purposes though, such as ensuring that you don't tether without paying (if you use a desktop browser user agent, it'll count your tethering quota separately -- even if you spoof the UA from your phone's browser), and for "caching" HTTP traffic (you'll see a 'X-Via: Harmony proxy' header on any HTTP traffic, on any port).

They also hijack DNS NXDOMAIN for ad-filled pages, with no usable opt out ("opt out" uses a cookie that uses javascript to serve the page anyway, then hide it with a fake nginx 404)
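
A client-side check for the two behaviours described in the comment above (headers injected into plain-HTTP responses, and NXDOMAIN answers being rewritten), as an added example that is not part of the thread. It assumes you control a plain-HTTP test origin and can record the bytes it sent; the sample responses and probe names are constructed, and only the `X-Via: Harmony proxy` value comes from the comment.

```python
import socket
import uuid

def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.x response into {lowercased name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def injected_headers(sent_by_origin: bytes, seen_by_client: bytes) -> dict:
    """Headers the client received that the origin never sent, or whose value changed in transit."""
    sent, seen = parse_headers(sent_by_origin), parse_headers(seen_by_client)
    return {k: v for k, v in seen.items() if sent.get(k) != v}

def nxdomain_answers(resolve=socket.gethostbyname, probes=3) -> list:
    """Resolve random names that should not exist; any address returned means NXDOMAIN is rewritten."""
    answers = []
    for _ in range(probes):
        name = f"{uuid.uuid4().hex}.com"          # constructed probe name, assumed unregistered
        try:
            answers.append(resolve(name))
        except OSError:                           # socket.gaierror: the honest NXDOMAIN path
            pass
    return answers

# Constructed sample: what a test origin sent vs. what arrived on the client side.
ORIGIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n\r\nok"
CLIENT = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 2\r\n"
          b"X-Via: Harmony proxy\r\n\r\nok")

if __name__ == "__main__":
    print("injected:", injected_headers(ORIGIN, CLIENT))
    print("answers for nonexistent names:", nxdomain_answers())
```

A hijacking resolver typically returns the same address for every probe, so repeated values in the second result are a strong signal.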

[+] ariwilson|11 years ago|reply
Google Play Music is specifically not on that list, which makes me terribly sad, Google Play Music All Access is the best deal in streaming right now. Speculation is that it didn't make the list because Google refused to turn off HTTPS on Google Play Music for T-Mobile's packet scanning jobs.
[+] zyx321|11 years ago|reply
This is kind of problematic indeed.

On one hand, it sounds reasonably "fair" for everyone involved. It seems that T-Mo is committed to impartiality (the site repeatedly mentions that all legal music services are eligible). They aren't double-dipping, since it's on top of the metered bandwidth you paid for (as opposed to charging the user for unlimited/unmetered data and then throttling services that don't pay up).

On the other hand, it's terribly opaque. Are they charging the streaming providers? Do the providers need to install dedicated proxies for T-Mo customers? Are they charging everyone the same? Is every service on the same terms? It's quite obvious that they have a cross-promotion deal with Rhapsody, but does Rhapsody get preferential treatment?

It seems that T-Mo are aiming for a compromise in regards to net neutrality. It doesn't seem too bad at this point, but there's always the risk of a slippery slope.

[+] rayiner|11 years ago|reply
I'd say T-Mo is a great example of why net neutrality is a bad idea. From a purely network engineering point of view, it's efficient to bring those streaming services into the carrier's network instead of sending it over the Internet. Net neutrality prevents the carrier from doing something that makes total technical sense and benefits the customer.
[+] diminoten|11 years ago|reply
To be fair, this service only benefits you, and it's most definitely industry standard, and has been for years.

It's in the same vein as, "unlimited in-network calls".

I just feel like folks don't realize the fact that net neutrality has never purely existed, not since peering agreements were first established.

[+] cpeterso|11 years ago|reply
In other T-Mobile security news, their customer website only supports SSL3 and will stop working with Firefox 34 on November 24 (because SSL3 will be disabled due to the POODLE attacks). (Their website login is currently broken in Firefox Beta, Aurora, and Nightly release channels.)

https://bugzilla.mozilla.org/show_bug.cgi?id=1042380

[+] eli|11 years ago|reply
This hardens your messages against passive eavesdropping of the wireless signal, but not a targeted attack with a bogus tower, right?
[+] x1798DE|11 years ago|reply
From the article:

Active attacks, involving a device called an “IMSI catcher,” may still be able to eavesdrop on individual calls by manipulating a phone’s security settings directly, without having to crack the encryption.

So, just hardens against passive eavesdropping (and only by upgrading to the latest standard, not by any specially devised method).

[+] teamhappy|11 years ago|reply
Germany has great cellular network hackers. If any of you would like to know more about this area I'd highly recommend searching for talks by Harald Welte or Karsten Nohl.
[+] joering2|11 years ago|reply
For many years I have had the impression that T-Mobile seems to be the most user-friendly network among all of them.

I also enjoy their Simple Talk Network. $40 unlimited talk, text, mms, 3G. Sometimes my friends have a hard time on their $120 Sprint or $140 ATT plan to get internet fast in places where SimpleTalk (T-mobile rebrand) works like a thunder!

[+] davidholmesnyc|11 years ago|reply
Good on Tmobile. I had them about 5 years ago and they were pretty good to me. I only switched because I wanted an iPhone and at the time the unlock community didn't come out with a patch. Because of that service I just opened a new line with them for my second phone and so far so good.
[+] justignore|11 years ago|reply
T-MOBILE USED HARDEN! IT WASN'T VERY EFFECTIVE.
[+] benguild|11 years ago|reply
Does this only affect 2G/EDGE for the most part? Because I know that T-Mobile falls back on 2G more often than AT&T does.

The only time I’ve been on 2G with AT&T in the last few years was going through the BART tunnel in South Bay… haha.

[+] BuildTheRobots|11 years ago|reply
A5/3 (Kasumi) is near-on identical to the cyphers used in 3G connections, but you're right, this is the 2G only implementation; so yes, this only affects (applies to) 2G/EDGE/GSM.

I'm absolutely bloody agog that commercial first-world operators have taken until the end of 2014 to actually support this - I think it was ratified into the specification around 2001 if not earlier.

Also, for all you tinfoil wearers out there, you might like the fact that the original specification for A5/3 was altered to make it more hardware friendly. In 2010 it was realized that this actually made it extremely easy [1] to recover the session key (if not in real time) [2].

[1] Core 2 Duo in a couple of hours easy, see the abstract [2].

[2] http://eprint.iacr.org/2010/013

[+] largote|11 years ago|reply
BART in the South Bay, huh? Sounds legit.
[+] offmycloud|11 years ago|reply
Unless you are using VoIP, all of your voice calls go over the 2G network.
[+] esturk|11 years ago|reply
There's a tunnel in South Bay? Don't you mean East Bay near Oakland?