Hi all, this is a provocative email.
IMHO we need "practical", really practical ability for hackers to "easily" make gsm hacking and gsm interception. We need something like aircrack-ng for WiFi, we need that anyone with basic knowledge and not that big costs could start playing and hacking gsm. Why? Because if we don't reach that goal the problem will be always there, GSM equipment is not going to be replaced easily. What's already happened with other technologies like 802.11/WEP? Until well known, cheap and easy to use attack tools was diffused the industry did not reacted by making WPA1, WPA2 and working on security awareness. The real sense of full disclosure is this. GSM is sensitive, mobile voice and data interception is a strong matter and companies, governments and various agencies does not want anyone being able to break it. The interception tool exists. But they costs a lot of money (200-600k) and officially can be brought only by governments (even if most private agencies have it...). So only private spies, organized crimes, law enforcement, secret services and military can use it. And the general feeling of the man walking the street is that "calls and data are secure". Because they don't feel the risk, a real risk for the system, for the economy, for the industry, for the democracy itself. If people does not "taste" the risk, they will not react. Is the "public" is not *strongly aware* about the problem, then problem for them DOES NOT EXISTS (like has been done in past 15 years). Mobile networks are building block of the information society, and information society is the building block of the information and services economy where we live. All past GSM hacking attempt got serious attention from authorities and big lobbies, there was always "legal" problem and "pressure" on the project founders. I think we should think about it seriously, Karsten also told in various talk about such kind of "pressure". The project should probably increase it's resilience to possible attacks to the project itself, with the creation of always up-to-date mirror of the informations and development environment, sharing of mailing lists subscribers to always keep the community up&running. Then on top of that framework it would be fine to get some financing for additional development and refinement and eventually even build some business around it to make it economically sustainable and reach the "point-click-sniff" tool. It's a very difficult step but if we want to really change the landscape of the mobile security we should reach a level that will "force" the industry to upgrade or when not possible to explicitly do awareness about the risk. On Windows Vista if i connect to an open wifi network i receive the advice that the network is insecure and someone could sniff the traffic. Well, let's force them to do awareness on the users if the don't want to upgrade, users should always know what they are using and what are their risks. Telecommunication companies account 3 quarter of the european high yield bonds (http://www.cadwalader.com/assets/article/HighYieldBondMk.pdf ), they are plenty of debt to invest in selling dumb sing and logos for mobile, restricting network neutrality of the internet and a lot of very nasty and lobbystic stuff. I would like to see them to invest more in securing the information society, that is the foundation of their business required to sustain their debt. Let's do everything to make the project reach a "point-click-sniff" tool, at least on software side. Let's release everything, with very precise documentation, so privacy activists can demonstrate the risks to the masses. Let's mirror everything across trusted networks. Let's get public donations and private funding to carry on the development. Let's increase documentation and community strength to expand the knowledge. That's my personal point of view, all you guys have made an excellent job, now we should not stop. We should goes on, let anyone insisting on privacy activism in the world, on information society right to "access" the technology that demonstrate how the industry acted. We need more people involved that will start using the "tools" around the policy and activism scene, that will make the process unreversible. Without an easy to use attack tool available for anyone that want to show up which are the risks, all this effort not reach the result. Citizens and politicians will not care about it, and worst things will do all the bests to say that "everything it's ok, it was just a fun stuff by some bunch of young hackers!". Fabio _______________________________________________ A51 mailing list [email protected] http://lists.lists.reflextor.com/cgi-bin/mailman/listinfo/a51
