Category Archives: Security

AT&T Announces End of 2G

AT&T just filed a 10-Q with the SEC and publicly confirmed what the company has been warning in private for the past two years:

Also as part of our ongoing efforts to improve our network performance and help address the need for additional spectrum capacity, we intend to redeploy spectrum currently used for basic 2G services to support more advanced mobile Internet services on our 3G and 4G networks.

[…]

We expect to fully discontinue service on our 2G networks by approximately January 1, 2017.

[…]

As of June 30, 2012, approximately 12 percent of our postpaid customers were using 2G handsets.

A 5 year sunset plan seems like a long time for those of us who would argue 2G should be described as a terribly weak and dated protocol.

Any further delay is especially bad news for Apple customers who are unable to choose 3G-only (i.e. iPhone and iPad). (Another reason I recommend the Nokia N9 is the option to disable 2G communication).

2G, or 2nd Generation, was launched in Finland in 1991. How many electronic devices are you using today that are 22 years old? More to the point, 2G is older than the web and pre-dates the “data” revolution in communication. It also used a security-through-obscurity method, which became untenable by the mid 1990s. Although 2G had some functionality limitations fixed through extensions (2.5G) it never really fixed the security problems. Instead a 3G network was started in 1992 and by 2001 was launched in Japan. The path to far better performance and security should be crystal clear.

Yet AT&T doesn’t mention security in their filing as one of the reasons for ending their old network. Perhaps they don’t want to draw attention to the fact that it is trivial to impersonate a GSM base transceiver station (BTS). Or maybe they don’t want to mention that the fixed network is unprotected, encryption is weak (the COMP128 implementation of the A3 and A8 algorithms can be broken in less than a minute), encryption is often disabled and/or completely useless (keys sent in the clear), there is no integrity protection and no network authentication (the handset cannot verify the network it attaches to)…and so forth.

The AT&T filing says they have just over 100 million customers. So the end of service for 2G, which they say is 12%, must be around 12 million customers. That sounds like a lot of vulnerable end-users until you take a closer look at usage profiles. It is tempting to think of the numbers in terms of consumer handhelds. In fact this announcement has more relevance to appliance-like devices such as ATMs, Point-of-Sale and security alarms.

So the problem of 2G is not really about people who refuse to buy a new phone. There might be a few of those but most humans tend to frequently update their phones for a number of simple functionality reasons from dead batteries to better signal while moving around. Users also tend to absorb some of the replacement procedure costs.

The embedded device market however has a harder time discontinuing deployed assets and dealing with the cost of re-provisioning. Embedded devices tend to have an if-it-ain’t-broke-don’t-fix-it mentality for upgrades. Embedded devices also may drop down to 2G to provide service continuity. A message getting through often gets higher priority than a message being kept a secret; instead of demanding better service/coverage from AT&T, operators keep 2G as an availability fallback. Unfortunately, embedded devices tend to be used for applications that are security-related and need confidentiality to be a priority.

In other words, AT&T could probably greatly accelerate the adoption of 3G and newer networks for millions of remaining devices if they admitted or otherwise raised awareness of serious security issues in 2G. In the meantime I suspect some may continue selling 2G as a deceptively “inexpensive” and “reliable” option right up to the end of service in 2017.

Shanghai Roadway Breach and Identity Protection in China

The WSJ reported in March that a company in Beijing had been accused of identity theft at a very large scale.

Commercial information provider Dun & Bradstreet Corp. said it suspended the operations of a China-based business pending an investigation into whether it violated local consumer-privacy laws, and it is also looking into whether employees there violated the U.S. Foreign Corrupt Practices Act.

The business involved, Shanghai Roadway D&B Marketing Services Co., is a direct marketer that helps marketers reach customers through its database.

[…]

Dun & Bradstreet’s disclosure follows a report last week by state-controlled China Central Television that alleged the operation improperly collected private data on 150 million consumers. The report couldn’t be independently confirmed. It was broadcast on Thursday as part of China’s observance of World Consumer-Rights Day.

According to Paul McKenzie, managing partner at law firm Morrison & Foerster’s Beijing office, Chinese law provides its citizen with a broad right to privacy, even though “relative to other countries China has a relatively undeveloped privacy law infrastructure.”

According to Chinese criminal law, it is illegal for employees of government institutions or any private agency in a sector specified by the law with access to personal data, such as health care, education or telecommunications, to sell that data to a third party. Depending on the circumstances, the person buying the data could also be criminally liable.

You might think of this as a great sign. Identity information is being protected in China, which should help the market by reducing fraud.

CNN, however, argues a completely different perspective in a report. They say outsiders are uncomfortable with privacy for the Chinese as it makes investment more risky.

Beijing has clamped down on information once publicly available on listed and state-owned companies, hurting the effort of Western investors and companies to gauge whether to invest in — or short-sell — Chinese firms.

[…]

“This is a handicap to people investing in China right now. It is linked to the political atmosphere of this year’s leadership transition period, which has made China more tense, and the gathering of legitimate business information more sensitive” [said Peter Humphrey, managing director of ChinaWhys, an international business risk advisory firm in Beijing]

The move to limit public information on companies comes after the April arrest of 1,700 suspects in a widespread crackdown on the illegal selling of personal information, the Shanghai Daily reported, including an official in Baoding who sold large amounts of registered company information.

Interesting angle on the topic of transparency. The question that CNN does not bring up or try to answer is when and how people should trust their identity information to foreign investors and, more importantly, whether they should be able to decide how their identity information is collected and shared. They skirt around the central issue: at what point does “gathering of legitimate business information” become “improperly collected private data”.

Death Threat Fraud SMS in Australia

Newspapers in Australia, such as the Sunshine Coast Daily, are reporting a massive fraud scheme using SMS messages.

The Federal Government’s SCAMwatch sent out a national warning.

“These hoax death threats typically involve SMS text arriving out of the blue from what appears to be an international number. In some cases the number appears to be blocked,” SCAMwatch said.

“A typical message reads: ‘Someone paid me to kill you. If you want me to spare you, I’ll give you two days to pay $5000. If you inform the police or anybody, you will die, I am monitoring you’.

“Some of the messages are long and contain all the text, while others are broken up into shorter messages.”

The Daily understands the scam started spreading over the weekend and was sent out again yesterday morning.

Reports indicate the requested amount varied from $1000 to $50,000.

Police urged members of the public not to be alarmed and not to respond in any way to the message.

The police should urge the public to forward the messages to an official abuse desk for free.

Phone providers can assign an SMS abuse reporting number (e.g. 8888) so it functions like reporting email abuse (e.g. abuse@providername.com). The SCAMwatch form for reporting abuse is so big I doubt most people could fill it out in less than five minutes, which means it won’t be used.

Providers also could be a lot smarter about their blocking services. If the official response were to forward fraud messages for free to the providers, then far more pressure would be felt by providers to stop fraud and SMS abuse.