Hacker News Comments on
Defcon 21 - The Secret Life of SIM Cards

HackersOnBoard · Youtube · 20 HN points · 12 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention HackersOnBoard's video "Defcon 21 - The Secret Life of SIM Cards".
Youtube Summary
Karl Koscher & Eric Butler

August 1st--4th, 2013
Rio Hotel & Casino • Las Vegas, Nevada
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
This is all very confusing because you're mixing up your definitions of what precisely is "inactive" here.

It's like the OSI model, there are multiple layers here representing different things. An IMEI is a representation of a piece of equipment. A SIM is a representation of a subscriber (or, to be more precise, it's a cryptographic 2fa token that a subscriber carries), so a piece of equipment may have multiple SIMs and a subscriber may have multiple SIMs, each associated with at most 1 piece of equipment (at a time). A SIM may be associated with a phone number, and may be associated with a plan which may be active or inactive.

The data model is really:

user <-one to many-> SIM token <-many to one-> IMEI

And a phone number is an at-most-one feature of a particular SIM token.

The fact that you didn't pay your bill this month doesn't mean your phone number is inactive - someone who dials that will get a "call cannot be connected" message because the phone network still knows it's you. The carrier just chooses not to connect your call, the phone number is still actually mapped underneath.

And even if your number eventually gets reallocated, the fact that your SIM doesn't have a number associated with it is irrelevant - the network still knows you by your SIM and knows your phone by its IMEI.

The phone number is really like a domain - it's a human-readable abstraction for the physical reality of the routing layer (SIM/IMEI). And the SIM is a representation of what user-token (a user may have many tokens, but a token has at most 1 user) is using a particular IMEI.

At the network level, they don't care about your phone number - that's just used for a "DNS lookup" of what equipment needs to ring. And they can send a message to that equipment even if there's no actual phone number associated with it. You can also have an IoT SIM where there is no actual 9-digit phone number to ring it (although that's a US-specific routing scheme, other countries do it differently) and the network just talks to it via its SIM.

And even if you don't have a SIM (subscriber-token), the phone still talks to the network and can still make e-911 calls and similar; you can initiate outbound traffic too, because your phone is still connected to the network even if there's not only no phone number and no plan, but no SIM at all. It's still an IMEI in a cell talking to some particular tower even if there's no SIM in it, and it can both send/receive metadata traffic or even real traffic (e-911 calls).

I'm probably getting the finer details wrong here too... it's a very complex model with a lot of entities and relationships.

For some fun tangential stuff on the topic, especially surrounding the SIM card, check out this DEFCON video. It goes into the 2fa nature of the SIM - actually the SIM is a full security processor (javacard) that can execute arbitrary javacard applets sent by the network, and push/poke stuff into the SOC or baseband directly, it is like an "Intel management engine for phones" and it has a huge amount of power over what the SOC can do and see on the network.

https://www.youtube.com/watch?v=31D94QOo2gY

There was one really good talk about this from Black Hat or DEF CON [1], but there's also this [2] which seems more thorough, so I'm gonna watch it too later. I happen to have a friend who writes software for SIM cards, so that's what really was my main source.

1. https://www.youtube.com/watch?v=scArc93XXWw

2. https://www.youtube.com/watch?v=31D94QOo2gY

This video from DEF CON gives a good overview of what Java Card applets are, their limitations and what they can do: https://www.youtube.com/watch?v=31D94QOo2gY
Jul 10, 2021 · paulmd on Against SQL
> Postgres allows you to run python in the database, Oracle has support for java, Postgres can do limit 100, you can build subqueries using views, and reuse these in larger queries...

Compiling down to fast bytecode is important and what I am thinking is more of a "pythonesque"/"javaesque" than an actual thing on a python VM / java VM. Limit the allowable syntax, it doesn't need to be full-spectrum python/java where you can recursively declare objects/etc, just what can be mapped into SQL.

Give me Javacard+LINQ that compiles to bytecode with cursors. https://youtu.be/31D94QOo2gY?t=607

(OK not real javacard but... a minimal java equivalent that compiles to C bytecode, with LINQ, and with stack allocated variables/etc.)

Views as subqueries are a good idea though, we hardly ever use them so I mostly don't think about it. It takes more authorization to modify a DB object (view) than program code, so we have a political bias against it...

> Problem with query optimization is that it needs to be done at runtime, you can't optimize it in some procedure language easily. The optimal way to retrieve data depends on the number of records in your tables, the where clauses you use, the actual values you are filtering by, the records already in cache, etc.

> 99% of all programmers would not be able to program better performing queries when doing this with a procedural language or streams expressions or it would take them way too long.

That's probably fair but also leaves you at the mercy of the stats/query planner when it doesn't work the way you want.

Maybe a middle ground would be to make the query command an "expectation" and if the plan doesn't match the expectation then a connection flag is raised and you can check that at the end of your session, so if it's set you know to look for that session's query planner data.

lol I know there's no way that wouldn't get muted and I'm sure programmers would end up tilting at the windmill anyway but

hobs
(SQL Server) Query hints(OPTIMIZE FOR), fixed plans, compiled stored procedures - they all do things like this but they all have tradeoffs that you generally would rather just let the engine take care of and write more clearly expressive queries than take on, mostly "hey wait why did my performance suddenly get worse?" type of reasons.
Seeing the ShadySIM project mentioned on that page reminded me of this DEFCON talk, which talks about some of the capabilities of the SIM OS (some of them run Java!) and what power they grant you over phones if you have control over the underlying cell network (legitimately or otherwise).

https://www.youtube.com/watch?v=31D94QOo2gY

puzzlingcaptcha
I think they run Java Card, which is not quite the same thing https://en.wikipedia.org/wiki/Java_Card
Wonder if it's written itself into recovery. Or the SIM card/baseband - SIM card in particular usually includes functionality for triggering a sideload of apps (eg for carrier apps), sending notifications, etc into the main SOC so it fits. Maybe the second instance of SIM card malware ever.

https://www.youtube.com/watch?v=31D94QOo2gY

There are only so many places it can be hiding if it's surviving a factory reset.

--Guy who is undoubtedly vastly underestimating the problem given that it's resisted AV vendors for a while

buildzr
All they'd have to do in order to survive a factory reset is to write to the /system partition, which contains the main OS. A factory reset only wipes /data and a few caches.

Writing to /system requires it to be mounted read/write and permissions to do so, so they'd need a root exploit in order to pull it off, but there's quite a few to choose from especially as devices age and given that they're doing this outside Play Store where Google won't pick them up.

I'm just crossing my fingers that advanced users don't lose the ability to side-load apps over bad publicity like this; maybe they should make it harder to enable though.

hunter2_
Is side loading the only way that code requiring root can easily get on a phone though? What about USB debugging?
buildzr
True, just disabling it via PackageInstaller by default would do the trick, the root community could re-enable it easily and those who only needed to sideload the occasional app could do so via USB debugging.

It seems like every time I hope for a reasonable solution like this I get let down substantially though.

piracy1
No. The Play Store does not check very well and is pretty easy to bypass. Up until recently you could just download .dex (Android equivalent of .jar) files into your app's resources at run time, then call the classloader. Then for their runtime scan you can either just wait to put the real code online or have a hardcoded switch to execute the main function based on, like, an NTP server saying it's past X day. I think that is why they removed calls to the classloader from Android. There's a few other ways to do basically that that still work, but I'm not sharing those for free.

IMO there is a slight flaw in how this question is worded. It's not that they block you from running code that you need to be root to run (you'll just get insufficient perms errors), it's just that you're not root. You could write the code to write to /system, and it will run, it just will not work. Thus, you need to utilize some sort of local privilege escalation. That is its own, equally semi-sticky wicket.

thenewnewguy
Only semi-related, but I wonder if owning the SIM card could be used as some sort of rooting mechanism?
tgsovlerkhgsel
While there are theoretically many places it could hide in, the system partition or recovery seem the only realistic ones.

And recovery is already a stretch IMO.

imglorp
AV vendors have multiple conflicts of interest and should not be trusted.
haliax
Can you elaborate?
explodingcamera
Stories of bad viruses actually help them
ggm
This only really goes to the "don't entirely trust their statements regarding their product being the only effective barrier" part of the story. Reputable anti-virus companies do have a huge conflict of interest reporting on viruses they find and can tackle, but they also remain an important source of information about viruses. Disreputable anti-virus companies sell product which could be as simple as a "hollywood OS" green stripe animated GIF which says "virus cleaned" for all they really do: they probably install more malware rather than removing any.

Also, an anti virus company saying they can't understand how a virus remains infected after removal is interesting.

diminoten
Yeah and fires "help" firefighters...

How uselessly cynical.

pizza234
If you refer to the theory that AV actually wrote viruses (it's not clear), that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.

I've followed the VX scene for years (it died long ago) and there has never been a shortage of new malware.

Even if we wanted to give some credit to the theory, which type of virus would the AV companies develop? Something trivial, that requires a variation of a signature to detect? Or something extremely complex, that requires months of work, and that slows down the AV engine because it's algorithmically complex to detect?

None of this makes any sense. The truth is very simple - malware has always been an interesting subject, and writing viruses always had a subversive appeal to young rebels.

newnewpdro
> If you refer to the theory that AV actually wrote viruses (it's not clear), that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.

This analogy is not helping your case at all. It's not unheard of for police to plant evidence for such purposes. It's also been proven that law enforcement has been willfully using technology having high rates of false positives for things like drug testing to bring real charges against otherwise innocent people.

snarfy
> that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.

https://www.washingtonpost.com/nation/2019/07/11/florida-cop...

thereare5lights
> that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.

So very realistic then?

Or have you not encountered the numerous incidents where cops plant and manufacture evidence to frame people for various reasons such as increasing their numbers for a promotion or bad culture leading to quotas for arrests/tickets/etc.?

fattire
Now imagine a wholly for-profit police force.
A2017U1
> imagine a wholly for-profit police force.

https://www.newyorker.com/humor/daily-shouts/l-p-d-libertari...

rurban
Or even legal system. That would be unthinkable of ;)
strbean
> [...] that's as realistic as saying that police commits crimes so that they can get extra reward from the new tasks.

More like saying private 'protection companies' commit crimes so they can get you to pay for their 'protection'.

madiathomas
This is how mafia operates. They come to you and offer protection in exchange for a recurring "protection fee". If you refuse, they are the ones who commit crimes against you until you fork out a "protection fee".
jakeogh
Ya, totally nothing to do with APTs and plausible deniability.

Darn kids.

soulofmischief
As a victim of such a falsified crime, testified by half a dozen police officers who couldn't get their stories straight but whom "somehow" were believed, you're only adding credence to the claim with that analogy.
hunter-gatherer
Not really. I'm not doubting that you have been wronged by the judicial system, as I've seen this first hand with a close friend. However, a bold claim like this requires solid evidence that such practices are the norm.
hunter2_
It doesn't have to be the norm, it could be a rare thing done only during extremely slow periods to avoid right-sizing.
imglorp
Yes, AV is in a position where a) it needs regular full priv access to your files and unencrypted web traffic, b) is in a highly competitive, low-margin field where the players are literally attacking each other on your machine [1] to stay even, and c) have enormous motivation to seek other funding sources based on their desktop position [2-5].

I didn't say they created malware, no, but they certainly wave that flag when someone finds some. And it's certainly in their interest to pursue all of these alternatives, or even have a bad third party violate THEM to do so. The money is on the table. Do they take it? They'd be foolish not to.

1. http://www.techradar.com/us/news/software/security-software/...

2. https://news.ycombinator.com/item?id=13079569

3. https://www.wsj.com/articles/russian-hackers-scanned-network...

4. https://wiki.mozilla.org/CA:Symantec_Issues

5. https://www.howtogeek.com/199829/avast-antivirus-was-spying-...

etc...

morbm
I'd wager that the firmware came pre-infected by the manufacturer (or an update to the firmware has the infection).

Based on the reddit thread at least one of the devices is from a no-name manufacturer.

https://www.reddit.com/r/antivirus/comments/bj6isa/xhelper_k...

pmlnr
This happened to me with the Triada virus, on a Nomu S10 - it came with factory ota. That one patched the Zygote process and became invisible and unremovable without reflashing.
walrus01
A not insignificant portion of generic weird MediaTek chipset Android phones come rooted from the manufacturer, because the OS is built with a root/developer configuration. This also helps malware like this spread on the sub-$80 Android phones sold to non technically sophisticated users in the developing world.
cptskippy
I remember reading something about mediatek based phones saving on the BOM by utilizing virtualization on a single SoC to run the baseband RTOS and the Smartphone OS.
arcticbull
That’s actually kind of brilliant.
londons_explore
Until you get bugs like "3D games lag when in fast moving car due to constant cell handovers" and "4G doesn't work at the same time as playing a 1080p60 video, so netflix/youtube are broken unless on wifi".
scarface74
That’s a fair compromise to make a smart phone more affordable.
arcticbull
Sure, but the phone's $80. Getting to that price point requires some compromises. You'd think they'd also set the baseband VM at highest QoS.
himlion
I'm currently using a Xiaomi Redmi Go that was a bit less than that and I think it's remarkable how few compromises it has.
When I recently watched this talk, https://www.youtube.com/watch?v=31D94QOo2gY, I wondered about that, that is, whether a malicious STK app from the network operator could execute AT commands on the phone (and compromise the device using commands from https://www.usenix.org/node/217625).

But from what I gathered from cursory search, RUN AT COMMAND isn't supported by most devices. (ETSI TS 102 223 states "This clause applies if class "b" is supported by the terminal and enabled by the subscriber through the terminal. ")
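The subscriber-enablement rule quoted from ETSI TS 102 223 above, as an added example that is not part of the original comment or the talk: a small terminal-side gate that parses a proactive UICC command and refuses the class "b" RUN AT COMMAND unless the handset both supports the class and the subscriber has enabled it. The tag and command-type values (0xD0, 0x01, 0x34, 0x28) are from the spec as I recall it and should be treated as assumptions; the two sample commands are constructed.

```python
# Added illustration of a terminal-side gate for SIM Toolkit proactive
# commands; not code from the talk or any handset vendor. Tag and command
# type values follow ETSI TS 102 223 as I recall it (assumption).
PROACTIVE_TAG = 0xD0         # BER-TLV tag of a proactive UICC command
TAG_COMMAND_DETAILS = 0x01   # simple TLV tag (bit 8 = comprehension required)
TYPE_RUN_AT_COMMAND = 0x34
CLASS_B_TYPES = {TYPE_RUN_AT_COMMAND}   # class "b" is only RUN AT COMMAND


def _read_len(buf: bytes, i: int) -> tuple:
    """Decode a 1- or 2-byte BER length at buf[i]; return (length, next_i)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    if buf[i] == 0x81:
        return buf[i + 1], i + 2
    raise ValueError("unsupported length encoding")


def parse_proactive(cmd: bytes) -> dict:
    """Split one proactive command into {simple_tlv_tag: value_bytes}."""
    if not cmd or cmd[0] != PROACTIVE_TAG:
        raise ValueError("not a proactive UICC command")
    length, i = _read_len(cmd, 1)
    end = i + length
    if end != len(cmd):
        raise ValueError("length does not match payload")
    tlvs = {}
    while i < end:
        tag = cmd[i] & 0x7F             # drop comprehension-required bit
        length, i = _read_len(cmd, i + 1)
        tlvs[tag] = cmd[i:i + length]
        i += length
    return tlvs


def decide(cmd: bytes, supports_class_b=False, subscriber_enabled=False) -> str:
    """Return 'execute' or a 'reject: ...' reason for one proactive command.

    supports_class_b models what the handset advertises in TERMINAL PROFILE;
    subscriber_enabled models the user setting the quoted clause requires.
    """
    details = parse_proactive(cmd).get(TAG_COMMAND_DETAILS)
    if details is None or len(details) != 3:
        return "reject: missing command details"
    cmd_type = details[1]               # bytes: command number, TYPE, qualifier
    if cmd_type in CLASS_B_TYPES and not (supports_class_b and subscriber_enabled):
        return "reject: class b not enabled by subscriber"
    return "execute"


# Constructed sample commands (not captured card traffic): a DISPLAY TEXT
# showing "Hi!" and a RUN AT COMMAND carrying "ATI\r".
DISPLAY_TEXT_CMD = bytes.fromhex("D00F8103012180820281028D0404486921")
RUN_AT_CMD = bytes.fromhex("D00F810301340082028102A8044154490D")
```

With default flags the DISPLAY TEXT passes and the RUN AT COMMAND is refused; only when both flags are set does the gate let the AT command through, matching the clause's "supported by the terminal and enabled by the subscriber".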

> Java is essentially never used for serious embedded work.

I don't know whether it counts as "serious" to you, but literally billions of SIM cards and credit cards are running JavaCard:

https://software.ac.uk/blog/2018-07-13-javacard-execution-en...

https://www.youtube.com/watch?v=31D94QOo2gY

To add on, here's a quick intro to the headache that goes into writing Java for GSM cards - https://youtu.be/31D94QOo2gY?t=607
The SIM card is a separate OS that gets underneath the SOC's OS. It can run its own applets without the knowledge or permission of the SOC OS.

https://www.youtube.com/watch?v=31D94QOo2gY

The baseband is a completely different RTOS as well. And then there's also TrustZone running in the SOC as well.

Oct 21, 2017 · 3 points, 0 comments · submitted by znpy
Sep 19, 2016 · 2 points, 0 comments · submitted by tim_sw
Oct 21, 2014 · 2 points, 0 comments · submitted by ArtDev
Indeed. And it runs today (on among other things) sim cards.

See eg: "Defcon 21 - The Secret Life of SIM Cards"

https://www.youtube.com/watch?v=31D94QOo2gY

HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.