GSM & A5

[Ross Anderson]

There is an extensive discussion in my book about the design and
consequences of GSM security. It's an interesting case study, as the
mechanisms do quite different things for the different principals.

* It helps the subscriber very little: it doesn't stop premium-rate
scams, and although it blocks casual air-link eavesdropping it
doesn't stop the big government agencies, who do almost all of the
eavesdropping in the known universe.

* Although it doesn't do any real harm to thse agencies, it does raise
the bar a bit for local police forces. But not much - they mostly get
the phone company to do their taps anyway

* It does shift the crooks who want to make free / untraceable calls
from cloning to identify theft / stolen credit card / preissue fraud
- in other words, the cost of fraud is shifted from the phone 
company to the bank. And as the banks tighten up, villains turn to
prepaids, which they throw away regularly. So that's more $$$ for
Vodafone and Cellnet, while the villains get slightly higher-grade 
anonymity than with clones. But not much - as Owen remarked earlier,
the average villain doesn't have the self-discipline to use anonymous
comms effectively.

The executive summary is that its main beneficiaries were the phone
companies. The normal subscriber is the same as before; fingers is
slightly better off and Plod slightly worse off, while GCHQ is
almost unaffected.

The moral is: don't ask `is this equipment secure?' but `for whom is
this equipment secure?'

Ross