
> depending on how willing the firmware of your modem is, the signal used to transfer GPS coordinates to the carrier for emergency response situations can also be triggered remotely by carrier hardware

Do you know if (at least some) basebands actually limit network-side ___location requests to emergency call/text situations only?


All I know is that some don't. I don't know brands or if there are even common modems that are filtering for this.

If you don't have a Faraday cage and cell site equipment, you're going to have a hard time verifying any of this. The modem is closed source, the SIM card is closed source, and various firmware blobs to make phones work are all closed source. I believe Qualcomm has debug interfaces on some chipsets, which might catch these messages, but verifying that they catch all use cases is impossible unless you have knowledge of the actual mechanism used (or usable) to activate the modem.

This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones), but it only takes a small group of Linux enthusiasts to actually catch the phone network in the act.

Of course, the trouble is that you'll need to be the target of government surveillance to be even at risk of any of this. If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you, and whatever criminal enterprise hacked its way into the carrier network won't either. If you are being tracked by either of those, I think developing open source modem firmware is probably the least of your concerns.

I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.

It's all rather pointless anyway when 5G and to an extent 4G can geolocate you about as well as GPS can, barring reflections and such.


> If you're not a criminal or a human rights activist, the government is probably not pointing its secret spying equipment at you

If there's one thing we know for certain about the US and domestic spying it's that they're targeting literally everyone. They were caught copying all internet traffic going over the AT&T backbone in the early 2000s and decades later Snowden showed us they never stopped pointing their secret spying equipment at us. The best you can hope for is that if you don't become an activist or commit enough crimes they won't pay much attention to the massive and ever-growing troves of data they have on you personally.


Agreed – it's not really a personal concern I have (I have no illusions about the chances that none of the apps I grant ___location access to are selling it to the highest bidder), but I'm still curious. I can also imagine some legitimate use cases, such as pinging the ___location of somebody that had an accident and is possibly unable to call 911 themselves.

And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.


> And same here – I've read a few of the 3GPP specs, but they make legalese sound like plain English, and of course never tell the full story including actual manufacturer decisions.

They are technical standards designed to ensure interoperability (though not always successfully — cough VoLTE cough) rather than exhaustive guides on how to implement features. They have been developed over a long period of time and have become quite complicated to read, especially if you are not familiar with the specific nomenclature. However, with enough time and willpower you can make sense of them quite quickly.

PS. The software behind these standards is probably the most complex we have in the world. At least I am not aware of anything else that is as complicated.


> This is one of the reasons I'm hoping for the open source phone community to succeed. So far, the modem stack is usually proprietary (with hardware kill switches in the most paranoid phones) [...]

This is very unlikely to happen, primarily because certifying these modems is extremely expensive. I doubt any commercial vendor (e.g., a phone manufacturer) would commit the necessary resources to support them. Modern modems are also highly complex; they not only support various radio technologies but also incorporate numerous offloading mechanisms and a range of proprietary communication methods with telecom operators (e.g., VoLTE). Furthermore, the firmware must be carefully optimized for the hardware, so unless you have access to the complete package, this will likely remain confined to amateur circles.

> I honestly wouldn't be surprised if the standard was written to make this kind of surveillance possible and that any modem refusing to cooperate would be spec incompliant. You can read most of the 3GPP spec for free on sites like https://portal.3gpp.org/ but I don't have the time or interest to dig through the unreadable stream of abbreviations and industry terms to find out.

The standard is written to accommodate the most prevalent use cases. Given the ongoing efforts to improve security and address known vulnerabilities, I highly doubt it was written with bad intentions. However, that does not mean they will catch everything, nor does it guarantee that they will always prioritize stronger security over better usability - whether for network operators or end users.


Also worth noting that if the carrier is cooperating then you can do better than static snapshots. Tracking signal strength of a target moving between towers will give you quite a precise historic path (within a few seconds or minutes depending on velocity).

So they'll just fall back to 4G then, which always sends the IMSI in the clear on initial attach?

5G Standalone networks don’t have 4G to fall back to. 5G Non-standalone networks are essentially 4G networks with a 5G RAN, so SUCI remains optional and most core vendors don’t support it.

That's not what 5G standalone means, as far as I understand.

The network I'm using supports 5G SA in some cells, but my phone definitely still falls back to both 4G and 5G non-SA in some areas where it's not yet available.

And even if 5G SA were available everywhere, there's the concern of roaming.


Correct, your phone needs to actually re-connect between the two networks. It's a whole new session and you can't handover between 5G SA and 5G NSA/LTE networks. There are some configurations that make this not much of an issue, but technically they are totally different networks.

You can definitely hand over sessions between 5G and 4G (and by extension 5G NSA, which essentially is 4G from a signaling point of view).

It's not a handover in the sense that you're actually creating a second connection to a different network. It's more akin to roaming than a handover.

I don't know if you're implying that the iPhone behaviour is bad but I hope not. It's obviously better.

I've always been wondering: Is there a SIM card configuration flag that allows telling the phone to never even attempt an attach using a given technology?

This would allow leaking identifiers (at the cost of greatly reducing roaming coverage, at the moment), attaching to spoofed networks (for 2G, which does not have mutual authentication) etc.


SIM cards don't connect to networks, the phone modem can just disable support for such protocols. That'd probably be illegal, though, in case you're trying to call emergency services and don't have 5G reception.

Some Android phones have a setting to at least disable 2G and you can easily configure them to a "preference" of only 5G. I believe iPhones have a 2G toggle as well if you enable lockdown mode.

It'll be years before you can reliably get rid of 4G without losing coverage, though.

I don't know about any such settings on mobile platforms such as watches, though. I also doubt cars have a setting for this (maybe if you use one of those Chinese Android-tablet-with-a-car-skin systems?).


> SIM cards don't connect to networks

SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.

That said, some knobs are frustratingly missing, though – why is manually entering an APN a thing, but the default SMSC can be stored on the SIM?


That's true, of course, but SIMs can be reprogrammed by the carrier on a whim. Plus, there are handover features that command the modem to downgrade the connection from the network side, and who knows if the modem will listen to the SIM's config if the network commands it to do something.

I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.

I think limiting this at the modem side will be more effective than reprogramming the SIM card, but the specifications are open enough that you could take a look at a SIM's contents by throwing it in a reader.

You could also look at the code and blobs dealing with eSIMs, as they provide the same features but often come packaged in the form of software.

Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.


In terms of existing examples, there's a few equivalent (or at least similar) fields defined as SIM files - for example, the FPLMN (forbidden PLMN) list of networks your phone shouldn't attempt to attach to.

You're right that this needs to be limited at the modem - but the main user accessible method of configuring the modem is the phone UI. As this setting is one which needs network support, and is likely to disconnect a user who misconfigured this, a SIM file for permitted RAT (radio access technology) types would make sense, as SIM files are under the responsibility of the operator.

Where this would get complex is edge cases, like under roaming scenarios, where your home network can't predict what might be available, and your handset may need to permit downgrading to a technology not permitted on the home network.

The toggle in Android to disable 2G seems a start towards a user accessible setting for this, which selects what the modem is willing to join, but it's certainly far from a user friendly way to enable and disable particular technologies.
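As an added example (not code from anyone in this thread), here is a decoder for the EF_FPLMN file mentioned above, which is one of the SIM files you can read with an ordinary smart-card reader. The layout assumed is the one in 3GPP TS 31.102: a run of 3-byte PLMN entries, MCC and MNC digits packed as nibble-swapped BCD, 0xF marking an unused third MNC digit, and FF FF FF marking an empty slot. The sample dump is constructed for the example.

```python
"""Decode the EF_FPLMN (forbidden PLMN list) file of a USIM.

Added example, not code from the thread. The layout follows 3GPP TS 31.102:
the file is a sequence of 3-byte PLMN entries, each holding MCC and MNC digits
as nibble-swapped BCD, with 0xF marking an unused third MNC digit and
FF FF FF marking an empty slot. The sample dump below is constructed.
"""
from typing import List, Tuple

EMPTY_ENTRY = b"\xff\xff\xff"


def _digit(nibble: int) -> str:
    # BCD digits are 0-9; anything else (other than the 0xF filler handled
    # by the caller) means the entry is corrupt.
    if nibble > 9:
        raise ValueError(f"invalid BCD digit 0x{nibble:x}")
    return str(nibble)


def decode_plmn(entry: bytes) -> Tuple[str, str]:
    """Return (MCC, MNC) for one 3-byte PLMN entry."""
    if len(entry) != 3:
        raise ValueError("PLMN entry must be exactly 3 bytes")
    b0, b1, b2 = entry
    # byte 0: MCC digit 2 | MCC digit 1    byte 1: MNC digit 3 | MCC digit 3
    # byte 2: MNC digit 2 | MNC digit 1    (high nibble | low nibble)
    mcc = _digit(b0 & 0xF) + _digit(b0 >> 4) + _digit(b1 & 0xF)
    mnc = _digit(b2 & 0xF) + _digit(b2 >> 4)
    if (b1 >> 4) != 0xF:  # 0xF in the high nibble of byte 1 means a 2-digit MNC
        mnc += _digit(b1 >> 4)
    return mcc, mnc


def encode_plmn(mcc: str, mnc: str) -> bytes:
    """Inverse of decode_plmn; MNC may be 2 or 3 digits."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits and MNC 2 or 3 digits")
    c = [int(ch) for ch in mcc]
    n = [int(ch) for ch in mnc] + ([0xF] if len(mnc) == 2 else [])
    return bytes([(c[1] << 4) | c[0], (n[2] << 4) | c[2], (n[1] << 4) | n[0]])


def decode_fplmn(raw: bytes) -> List[Tuple[str, str]]:
    """Decode a whole EF_FPLMN body, skipping empty (FF FF FF) slots."""
    if len(raw) % 3:
        raise ValueError("EF_FPLMN length must be a multiple of 3")
    entries = [raw[i:i + 3] for i in range(0, len(raw), 3)]
    return [decode_plmn(e) for e in entries if e != EMPTY_ENTRY]


# Constructed sample: two forbidden networks (MCC 262 / MNC 01 and
# MCC 310 / MNC 410) followed by two empty slots; the file is at least
# four entries (12 bytes) long.
SAMPLE_FPLMN = bytes.fromhex("62f210" "130014" "ffffff" "ffffff")

if __name__ == "__main__":
    for mcc, mnc in decode_fplmn(SAMPLE_FPLMN):
        print(f"forbidden PLMN: MCC {mcc} MNC {mnc}")
```

The same nibble-swapped encoding is used by the other PLMN-list files on the card (the user- and operator-controlled PLMN selector lists), so the entry decoder carries over to those, though their records carry extra access-technology bytes after the PLMN that this decoder does not parse.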


> Check your local laws before you start messing with SIM cards, though, altering certain identifiers can be a crime.

Generally the contents of specific important Elementary Files (EF) are protected by requiring you to have an ADM code to read/write.

> I haven't needed to enter APNs in years, there are standards to provision those by SMS if they're missing and most of them are pre-configured in the phone's OS.

You might need to enter an APN if you have a B2B contract with the operator, where they'll route all traffic from your device(s) through a VPN directly to you. Besides that and static addresses, I am not aware of any other prevalent use-case for changing an APN.


> SIM cards have hundreds of various configuration knobs influencing what a (compliant) baseband does, so I wouldn’t be surprised if there was one that does just that.

There is EF-UST (USIM Service Table) but it doesn't explicitly allow/deny radio access technologies.


Your wording here seems to suggest that the phones can be configured to not connect to 2G networks. This is false if you live in the USA. The phone will not connect to 2G networks regardless of any setting. There have not been any to connect to for a while now. The only thing out there that is 2G any longer is malicious actors.

It should come as no small surprise that phones in the US markets ship with a feature that is a de-facto backdoor.


Tangentially related, the latest major Android release supports updates from the modem with details about whenever your IMSI/IMEI/unencrypted SUCI are disclosed to the network (with support for some contextual information, e.g. which protocol message was it disclosed in), as well as insight into the in-use network cryptography configuration for different protocols.

if you pay the google tax for a pixel, you get a convenient 2G toggle.

if you don't have an extra $400-900 and buy a cheaper android, you get to dial ##4636## (hn screws asterisks, look it up) then go into phone info, select each sim radio and change the drop down (and hopefully you know all the standards by all names to make the right choice. hint 5G is NR there)


There's a convenient toggle on my Moto G Stylus 5G 2023, if not a convenient name. In the carrier settings right next to allow 5G. Can't easily disable 3G or LTE though. IIRC, LTE also mutually authenticates, but if we're talking about passive catching and the IMSI is sent in the clear as the article says, then that doesn't eliminate passive catching. I'm not sure about 3G, I thought it wasn't mutual auth either.

Definitely, mutual authentication and (not) using long-term identifiers in the initial attach request are largely orthogonal concerns.

I believe even 3G supports mutual authentication (at least if the SIM supports it, i.e. it’s not a very old GSM only one), but anonymized identifiers only appeared with 5G.


wait. which market? never seen a Motorola with the "disable 2G" toggle!

and yes, that only prevents the lower denominator which uses downgrade, which is the vast majority everywhere.


US market, purchased direct from Motorola.

The 2G toggle can also be found in some other phones, but not every phone manufacturer has support for configuring their modems like that or has bothered to keep the setting in their settings app overhaul.

I know that setting, but I'm not entirely sure if that controls a preference or a mandatory cell config, and if it will prevent downgrades from the network side or not.

Some manufacturers and most custom ROMs also seem to offer that option without a dial code, but I haven't found any documentation about that feature yet to be sure it actually forces the modem configuration. I've found mentions online about this setting being changed without user interaction, so there seems to be a mechanism on some phones (carrier-branded ones maybe?) that alters this config.


every modem has to have that control. and you can access it on every model I've ever seen with the code I shared. i think it might be a requirement for some of the regulations they plaster stickers for.

having the UI or not is a balance between playing nice with over reaching law enforcement and enterprise clients.


> ##4636## (hn screws asterisks, look it up)

You can include asterisks if you escape them, like \*: *#*#4636#*#*.


One can backslash escape the asterisks. **

    \*\*

kind of information that would be very useful displayed when you're entering a comment. it's not like i work here...

That and all the things listed in this repo [1] not my repo.

[1] - https://github.com/minimaxir/hacker-news-undocumented


Is there a name for those ##number## codes? It's been years since I had to use one of them to fix some random issue on a phone.

USSD and MMI, see for example https://en.wikipedia.org/wiki/Unstructured_Supplementary_Ser... . On a quick glance the references did not seem to list what codes are usually available, so just search "ussd code list" or similar.

In my experience (of also roughly 20 years ago), the German Wikipedia is as dysfunctional as it gets.

The primary goal of the admins seemed to be to gatekeep, in particular to keep “unencyclopedic” content out at all cost, e.g. by contesting the very existence of articles on individual episodes of TV shows, software, or video games, which are all completely uncontroversial on the English one.

“Just because it’s relevant on en.wikipedia.org doesn’t mean it’s relevant over here” is a sentence I heard frequently. Keeping the number of articles down was seen as an active ideal.

For me, it was a great motivator to improve my English, and I’ve only ever looked back when the English version didn’t have a lot of information on some Germany-specific topic. Last time I checked, they only just accepted the redesign (the one that greatly improves legibility), after vetoing it for years. What a psychotic way to run an encyclopedia…


> by contesting the very existence of articles on individual episodes of TV shows, software, or video games, which are all completely uncontroversial on the English one.

In the first year or so of the English Wikipedia, I was very engaged in adding content but never really tried to engage with the community. I started adding articles about my topic of interest at the time, which was New York 80s punk and hardcore bands. Soon, I had the lot of my articles deleted for "lacking relevance".

I haven't been contributing much since.


The German Wikipedia is the main reason I keep my country setting on DDG off. That way I get en.wikipedia.org results first.

> Last time I checked, they only just accepted the redesign (the one that greatly improves legibility), after vetoing it for years. What a psychotic way to run an encyclopedia

I once asked on (then) Twitter why they kept that crappy design, and got the most depressing NIMBY answers on even making the new design optional. That really killed any rest of hope I had for the German Wikipedia. Glad to hear that at least that tiny improvement made it.


Is the eV still in that renovated building near the Chinese embassy, playing cards every Wednesday near the river?


Yeah, Palestinians are indeed Semites, however, the word antisemitism (for historic reasons) is used to refer specifically to hatred of Jews. It makes historical sense that Germans are afraid to criticize the Jews.

I probably disagree with your opinions, but the debate would likely be useless.


One of the obstacles to getting that point of view across is that very few of the people in countries with a majority religion (which is most countries) see criticism of their government's history as criticism of their religion. I've never really heard a Christian complain about the treatment of the thirty years war in history books, and that's presented in an extremely negative light. The equation you're making doesn't have a lot of traction in the broader world.

It's not documenting historical facts about Israel that's problematic, it's using that history to justify calls for the destruction of Israel. Does anyone cite the Thirty Years' War to advocate for the destruction of Germany?

One issue that occurs is when person A is criticized for documenting historical facts on the basis that since person B has in other contexts used them as a pretext for something wrong, person C, after finding out about the historical facts, might independently come to the same conclusion as person B. The effect is to treat person A's documentation activity with the same approach as person C's eventual choices.

> open model weights fulfill much of the intent / "soul" of the open source movement

Absolutely not. The intent of the open source movement is sharing methods, not just artifacts, and that would require training code and methodology.

A binary (and that's arguably what weights are) you can semi-freely download and distribute is just shareware – that's several steps away from actual open source.

There's nothing wrong with shareware, but calling it open source, or even just "source available" (i.e. open source with licensing/usage restrictions), when it isn't, is disingenuous.


> The intent of the open source movement is sharing methods, not just artifacts, and that would require training code and methodology.

That's not enough. The key point was trust. When an executable can be verified by independent review and rebuild. If it cannot be rebuilt it can be a virus, trojan, backdoor, etc. For LLMs there is no way to reproduce, thus no way to verify them. So, they cannot be trusted and we have to trust producers. It's not that important when models are just talking, but with tool use it can be a real damage.


Hm, I wouldn't say that that's the key point of open software. There are many open source projects that don't have reproducible builds (some don't even offer any binary builds), and conversely there is "source available" software with deterministic builds that's not freely licensed.

On top of that, I don't think it works quite that way for ML models. Even their creators, with access to all training data and training steps, are having a very hard time reasoning about what these things will do exactly for a given input without trying it out.

"Reproducible training runs" could at least show that there's not been any active adversarial RLHF, but seem prohibitively expensive in terms of resources.


Well, 'open source' is interpreted in different ways. I think the core idea is it can be trusted. You can get Linux distribution and recompile every component except for the proprietary drivers. With that being done by independent groups you can trust it enough to run bank's systems. The other options are like Windows where you have to trust Microsoft and their supply chain.

There are different variations, of course. Mostly related to the rights and permissions.

As for big models even their owners, having all the hardware and training data and code, cannot reproduce them. Model may have some undocumented functionality pretrained or added in post process, and it's almost impossible to detect without knowing the key phrase. It can be a harmless watermark or something else.


But there is also no publicly known way to implant unwanted telemetry, backdoors, or malware into modern model formats either (which hasn't always been true of older LLM model formats), which mitigates at least one functional concern about trust in this case, no?

It's not quite like executing a binary in userland - you're not really granting code execution to anyone with the model, right? Perhaps there is some undisclosed vulnerability in one or more of the runtimes, like llama.cpp, but that's a separate discussion.
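The "older LLM model formats" referred to above are the pickle-based checkpoints, where loading the file means unpickling it, and unpickling will import and call whatever callables the stream names. As an added example (not code from any commenter), the following scans such a file statically with the standard library's pickletools, never calling pickle.loads, and lists every callable the stream would import so it can be compared with an allowlist. The allowlist and the sample pickles are constructed for the example; a real allowlist is specific to the framework that wrote the checkpoint.

```python
"""Static scan of a pickle stream for the callables it would import.

Added example, not code from the thread. Pickle-based checkpoints execute
arbitrary callables on load through GLOBAL / STACK_GLOBAL followed by REDUCE,
so this walks the opcode stream with pickletools without ever unpickling and
reports every (module, name) reference. The allowlist below is an assumption
made for the example, as are the sample pickles.
"""
import collections
import io
import pickle
import pickletools
from typing import Dict, List, Optional, Set, Tuple

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}


def extract_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) the stream would import, in stream order.

    Only strings and the memo are tracked (enough to resolve STACK_GLOBAL,
    whose module and name come from the two preceding string pushes or
    memo lookups); this is not a full pickle VM.
    """
    found: List[Tuple[str, str]] = []
    memo: Dict[int, Optional[str]] = {}
    strings: List[Optional[str]] = []
    last_value: Optional[str] = None      # last string pushed, for MEMOIZE/PUT
    for op, arg, _pos in pickletools.genops(io.BytesIO(data)):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
            last_value = arg
        elif name in ("GET", "BINGET", "LONG_BINGET"):
            last_value = memo.get(arg)
            strings.append(last_value)
        elif name == "MEMOIZE":
            memo[len(memo)] = last_value
        elif name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last_value
        elif name in ("GLOBAL", "INST"):
            # pickletools renders the argument as "module name"
            module, qual = arg.split(" ", 1)
            found.append((module, qual))
            last_value = None
        elif name == "STACK_GLOBAL":
            qual = strings.pop() if strings else None
            module = strings.pop() if strings else None
            found.append((str(module), str(qual)))
            last_value = None
        else:
            last_value = None
    return found


# Assumed allowlist: what a loader for one particular framework might accept.
ALLOWED_GLOBALS: Set[Tuple[str, str]] = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}


def flag_untrusted_globals(data: bytes,
                           allowed: Set[Tuple[str, str]] = ALLOWED_GLOBALS
                           ) -> List[Tuple[str, str]]:
    """Return the referenced callables that are not on the allowlist."""
    return [g for g in extract_globals(data) if g not in allowed]


class _Payload:
    """Constructed malicious object: unpickling it would call eval()."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


# Constructed samples. pickle.dumps only serialises the reduce tuple; the
# payload runs only on pickle.loads, which this module never calls.
MALICIOUS_PROTO4 = pickle.dumps(_Payload(), protocol=4)   # uses STACK_GLOBAL
MALICIOUS_PROTO2 = pickle.dumps(_Payload(), protocol=2)   # uses GLOBAL
BENIGN = pickle.dumps({"layer1.weight": [0.1, 0.2], "epoch": 3}, protocol=4)
ALLOWED_SAMPLE = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in [("malicious p4", MALICIOUS_PROTO4),
                        ("malicious p2", MALICIOUS_PROTO2),
                        ("benign", BENIGN), ("allowed", ALLOWED_SAMPLE)]:
        print(label, "->", flag_untrusted_globals(blob) or "clean")
```

Note that protocol 2 and lower write the Python 2 module names (builtins becomes `__builtin__`), so an allowlist or denylist has to cover both spellings; an attacker picks the protocol. Formats that carry only tensors and a JSON header, such as safetensors, avoid the problem by never invoking a deserialiser that can call code.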


The biggest problem is arguably at a different layer: These models are often used to write code, and if they write code containing vulnerabilities, they don't need any special permissions to do a lot of damage.

It's "reflections on trusting trust" all the way down.


If people who cannot read code well enough to evaluate whether or not it is secure are using LLMs to generate code, no amount of model transparency will solve the resulting problems. At least not while LLMs still suffer from the major problems they have, like hallucinations, or being wrong (just like humans!).

Whether the model is open source, open weight, both, or neither has essentially zero impact on this.


I saw the argument that the source code is the preferred base to make changes and modifications in software, but in the case of those large models, the weights themselves are the preferred way.

It's much easier and cheaper to make a finetune or LoRA than to train from scratch to adapt it to your use case. So it's not quite like source vs binary in software.


Having access but pretending not to seems like the worst of both worlds.

Various entities will still be able to get to the data, while users might incorrectly assume that that's not the case.


Then delete that data and let the user start over. How come Apple gets to hold iTunes purchases (apps, movies etc.) and somebody's email address hostage just because they also happen to store some end-to-end encrypted data on the same cloud account?

Just imagine Google letting people "brick" their accounts because they have a password protected PDF in their Google Drive they don't remember the password for...

And that's to say nothing about the not end-to-end encrypted data, which is still the default for most things in iCloud accounts (without ADP enabled).


> Somehow the thief was able to change the account password and email account

That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication. And the passcode can be shoulder surfed by the thief...

"Stolen device protection" was developed as a response to a wave of such thefts: https://support.apple.com/en-us/120340

It seems like a good step forward but still not perfect, and I believe it's not on by default.

On the other side, with Advanced Data Protection, it seems shockingly easy to permanently lock oneself out of an iCloud account: As far as I understand, there is absolutely no way to recover an account protected that way if the recovery code is lost – not even by deleting all data currently stored on it and starting from scratch (e.g. from a local backup).

Given the fact that an iCloud account doesn't only contain a big pile of data, but access to some purchased products and services (subscriptions, app purchases, iTunes songs, the Apple Card etc.), that seems like a pretty big oversight.


Admittedly we in security do a very poor job on equipping users with useful threat models: i.e. the number of times people either don't turn on any sort of security, or turn on extremely aggressive security but don't write down and store a recovery code is too damn high.


And it's made even worse by companies not wanting to deal with meatspace. Secure account recovery isn't too difficult if you're willing to do ID verification in physical stores, but no tech company wants to do that.


> That would be the fact that Apple lets anybody that knows the passcode reset the iCloud password as well, without any further authentication

Doesn't this require at least one other device to allow access and provide a one-time code?

I can't log in to iCloud in a browser, update payment information, or do anything even remotely sensitive with just one device and my screen lock mechanism(s).

EDIT: I stand corrected. On a device that's designated as "trusted" you can indeed change the password using only the screen unlock using the instructions at https://support.apple.com/en-us/102656


> But that's basically an emulator of a VM, isn't it? It's like rewriting the Flash AVM2 into JS... it's still running in JS whereas the original VM was C++.

I think you're using a different definition of the term VM than most other people here. An "emulated VM" is a VM too.

> one major purpose of a VM is to improve performance over what's available in the browser.

That's definitely a very nonstandard interpretation. Many VMs are, intentionally, much less capable (in a permissions sense; in a computational sense, they're almost always exactly as capable) than the host environment they run in.


That's in fact exactly what I love about espresso in Italy and some other European countries: It's ubiquitous, fast, cheap (even cheaper if you drink it standing up!), and as a result a commodity and not something pretentious.

I also don't remember ever having had a bad cup of espresso in Italy. If it ever happens, I'll just walk a few steps down the street and chase it down with a decent or good one.


But that is, in itself, a normalcy bias. I don't generally like Italian roast coffee. It's too oily and generally upsets my stomach. It's not a flavor or style I like in espresso. I'm not going to claim no one should like it - clearly people do, but if you don't like that, Italy is a really bad place to live because it's so orthodox about its espresso and doesn't support "pretentious" places that may serve something that doesn't taste "normal".

Just because a specific style has been around for years doesn't mean it's the only valid style that's not "pretentious".


The best thing about espresso in Italy, besides it being universally drinkable (assuming you like espresso at all), is that last time I was there it was still only 1 euro. Drop a coin on the bar and get an espresso shot, any time.

I assume it's more like 2 euros now.

