Firehou.se
Two things I love: firefighting and technology

The Firehouse

The Tech Category Filed in the Tech Category:

Thoughts after the Menorca TechTalk

Posted by Mike on June 24th, 2009

After Whisher was acquired by wifi.com in mid-January, I was to continue working as CTO for the new venture as part of the deal. Since I had worked on the technology since the very first day, it made sense that I continued to oversee the development of the new phase of the project. In April, news came out that Rob Monster, who headed the venture fund Monster Venture Partners, had shut down the fund and needed to cut costs on all the startups he was funding as a result. This led to an awkward situation which left me in limbo, with no income, and no significant equity. I’m waiting for the issues to be worked out, but things are not particularly promising right now.

Spiritus – the divine breath – inspiration[1]

What I needed most after this transition was inspiration, so after I saw Martin’s post about TechTalk ‘09 in Menorca, I sent an email asking if I could join the event. A reply quickly came that while the full event was…well…full, I was welcome to come on the Friday for the talk itself, scheduled for the afternoon. The TechTalk is a loose-scheme round table, where people can stand and share their views, problems or ask questions, and then interact with others during the rest of the event, in a very relaxed and beautiful setting.

As a kid, I had visited Menorca every summer with my parents. We would rent a small house for a month, in places such as Cala en Porter, Cala Galdana, or the beautiful Cala Morell. Menorca is also rife with archeological features (one of my other interests), with many neolithic constructions such as the Naveta d’es Tudons, and the many taulas and talaiots from around 2000 BC. The archeological museum in Mahón, with its necropolis, is also of great interest. Going back after many years would be very interesting, even if I didn’t have the time to tour around the island.

The arrival

Call it fate, but Jordi Vallejo (Fon’s CTO) and I had been trying to meet so that he could give me one of the new Fonera 2.0 routers to try out. Even though we live very close, plans were always thwarted one way or another. Turns out he was sitting two rows in front of me on the flight from Barcelona to Menorca. We took a taxi to Torrenova, Martin’s villa, which left us at the gate after a difficult ride through narrow dirt tracks.

A lesson in optical physics and muon detection

Behind our taxi was a small rented Mercedes, and in it was Isaac Shpantzer, who offered us a ride to cover the rest of the dirt track up to the villa. And what a ride! It turns out that Isaac was a NextNet founder, invented OFDM, and was currently working at CeLight, a company that develops high-tech for communication and military applications. One example is a high-bandwidth optical communication system that points a blue laser towards the sky (and it is blue for a reason, but I’m not telling – it’s really really clever), and uses coherent detectors to grab scattered photons which have been modulated to convey data. We are talking terabits per second throughput – truly amazing. He was preparing a demo on Friday or Saturday night, but sadly I was leaving earlier, it was sad to miss it!

Another interesting development he explained during the trip was a nuclear device detector – picture a small nuclear bomb inside a steel crate shipped to the US by a terrorist group. Current detection methods are essentially x-ray arches and physical inspections. CeLight’s method relies on cosmic radiation detection. This radiation is composed in part of a negatively-charged particle called the muon. Powerful x-rays work at 120 keV, whereas a muon has an energy just over 105 MeV – thus, it has a huge penetration power, much higher than electrons. Every square meter of the Earth is hit by about 10,000 muons per minute. Since nuclear weapon cores consist of very dense, positively charged material, placing two detector plates above and below a steel container should show a straight path of muons hitting both plates, unless they pass through the nuclear core, in which case the polarity difference deflects their trajectory. It’s a very neat idea, and they have a working prototype already.

Settling in

We moved into Binisegarra for a couple of hours before lunch, and had the chance to talk with a few people. Many were chilling inside the pool, trying not to get stung by the approximately 4,921 wasps that were flying around it (my most accurate count, they were moving so it was hard to keep track). Saw many known faces such as Loic, Anil, Michael Jackson (no, not that one), Rodrigo, and Ola.

Time for lunch

We had a very nice buffet lunch, and talked to Dina Kaplan of Blip.tv, who also runs the NY Founders Club, which is an interesting idea which could be taken to Barcelona. There are some events already happening here to promote interaction between startups, but nothing like Founders Club (if there is, let me know!).

The talk

Since there were so many people this year, instead of having everyone stand up and say their bit, volunteers spoke about their startups, problems or questions for the audience. It was interesting to hear Isaac’s presentation (which was way less technical than in the car but still left some puzzled faces), and Deborah’s project involving the location of firefighters in 3D space through time-reversal techniques – it’s a shame we didn’t get to talk more on the subject. Ola (the other half of Sweden!) related his most embarrassing story ever, involving clothes (or the lack thereof), a hotel in Chueca, and room locks – all in exchange for solutions to his fix-the-world problem.

Catching the last flight home

It was sad to have to leave as many activities went on during the weekend, and those are the real opportunity to talk to people about their projects and learn from them, but it was time to go. Alejandro Santana was kind enough to drive me to the airport, even though he had a later flight to Madrid.

In all, it was a very good experience after many months of stress due to a number of situations, the worst just having come to light as I was typing this post – more on it later. All I can say is that I found the inspiration to get going again, and look for new exciting projects (either join or start them). Thanks Martin for hosting such an event in such a beautiful setting!

[1] Quote taken from the movie Always, when Hop tells Pete that his task will be to inspire a young pilot as he gets started in firefighting attack planes.

You should follow me on Twitter here.

Fifty Tech Startups You Should Know – A Better Scoring System

Posted by Mike on June 21st, 2009

I read with interest the list of the top 50 startups to watch by BusinessWeek after a post by Martin Varsavsky on Facebook. I think there are considerations not taken in the list, such as how much money every point earned cost, which would measure how good the brand image, PR and relationship with its users are, among other things.

I tried to weigh the ratio of funding to points ($M/point), the funding versus how long the company is running ($M/year), and the number of points gained for every year the company is running. After scoring each company on these three factors plus the original score, this is the result:

| Startup | $M/point | Funding/time ($M/year) | Points/year |
|---|---|---|---|
| Etsy | 0.347 | 7.90 | 22.8 |
| OpenDNS | 0.027 | 0.63 | 23.3 |
| Justin.tv | 0.049 | 1.33 | 27.0 |
| Komli Media ** | 0.084 | 2.33 | 27.7 |
| QueBarato | 0.092 | 3.00 | 32.5 |
| Sonico | 0.047 | 2.15 | 45.5 |
| Daylife | 0.124 | 4.15 | 33.5 |
| Kosmix | 0.917 | 13.75 | 15.0 |
| Loopt | 0.277 | 3.33 | 12.0 |
| PBworks | 0.044 | 0.63 | 14.3 |
| Boxee | 0.111 | 4.00 | 36.0 |
| Zynga | 0.402 | 19.50 | 48.5 |
| Cloudera | 0.500 | 11.00 | 22.0 |
| Scribd | 0.141 | 6.40 | 45.5 |
| Spotify | 0.392 | 6.67 | 17.0 |
| Huddle.net | 0.105 | 1.33 | 12.7 |
| Jajah | 0.412 | 7.00 | 17.0 |
| Xobni | 0.304 | 4.87 | 16.0 |
| TheFind | 0.394 | 8.67 | 22.0 |
| TokBox | 0.275 | 7.00 | 25.5 |
| Tudou | 0.880 | 21.13 | 24.0 |
| Slide | 0.637 | 14.50 | 22.8 |
| AdMob | 0.621 | 15.73 | 25.3 |
| RockYou | 0.770 | 22.83 | 29.7 |
| Mochi Media | 0.378 | 3.50 | 9.3 |
| Evernote | 0.225 | 3.38 | 15.0 |
| Ning | 1.083 | 20.80 | 19.2 |
| KupiVIP | 0.229 | 11.00 | 48.0 |
| SynapSense | 0.423 | 3.67 | 8.7 |
| Proclivity Systems | 0.388 | 2.07 | 5.3 |
| Yola | 0.417 | 12.50 | 30.0 |
| Livescribe | 0.620 | 9.30 | 15.0 |
| Adconion Media Group | 1.250 | 20.00 | 16.0 |
| Inrix | 1.072 | 6.22 | 5.8 |
| Positive Energy | 0.705 | 7.75 | 11.0 |
| Cotendo | 0.583 | 7.00 | 12.0 |
| Fon | 1.091 | 12.00 | 11.0 |
| Raydiance | 0.833 | 5.00 | 6.0 |
| Pelago | 0.896 | 7.47 | 8.3 |
| Palantir Technologies | 1.184 | 7.34 | 6.2 |
| Monitise | 0.905 | 3.80 | 4.2 |
| Metaweb Technologies | 1.357 | 14.25 | 10.5 |
| Better Place | 6.061 | 100.00 | 16.5 |
| Nila | 0.027 | 0.12 | 4.4 |
| Sermo | 1.293 | 12.50 | 9.7 |
| Modu | 3.148 | 42.50 | 13.5 |
| Fusion-io | 2.891 | 22.17 | 7.7 |

Some curious results show up, such as Ning and Tudou dropping many places (due to their huge amount of funding).


Software based WiFi sharing versus custom hardware

Posted by Mike on April 6th, 2008

I get asked this question a lot, in regards to Whisher, the startup I’m the CTO at: “why is your software based solution better than a dedicated, purpose-made router like the Fonera?” I believe software based has many advantages that offset the perceived advantages of a dedicated box.

Reality check

Right now, the probability of finding a purposely shared WiFi hotspot is close to zero, as evidenced in the recent poll run by Martin Varsavsky, where the top reason for people to stop sharing was the lack of sufficient roaming. This poll was really surprising as he says (and I quote) “Dime que piensas porque es un tema que realmente no entiendo bien”, or translated, “Tell me what you think because this is a topic that I really don’t understand well”. For the CEO of a company that has received over $53 million in funding, it seems a shocking thing to ask. It may be time for a quick trip to the office in between conferences to find out what is going on.

One comment caught my eye, which asked what the point is of having your Internet connection shared for 99.999% of the time, if you would only get roaming elsewhere 0.00001% of the time. Today, the reality is that if you want reliable WiFi, you go to a hotel or a coffee shop where you know you will have a decent connection. The penetration of free shared WiFi must be an order of magnitude larger than what it is today to really start making an impact.

Before Whisher with WiFi Out, this was completely true. You would share your WiFi, and then either sit patiently waiting for someone to connect, or try in vain to find another shared signal. WiFi Out fixes this problem, not for free of course, but by giving users a cheaper access at locations that are well placed and easily accessible, such as hotels, coffee shops and airports. Since it is a pre-paid credit and charged by the minute, you only pay what you use, and carry on the unused minutes over the next months.

Hardware based WiFi sharing

The most publicized, hardware based WiFi sharing solution today is Fon, which sells a small router with a customized firmware based on open-source OpenWRT, and which creates two SSIDs, one encrypted, for use by the owner of the router, and one open, for use by visitors. The theory goes that the separation of traffic makes the owner safer, by firewalling the visitors from the internal network of the owner. In any case, the visitor is not protected from passive sniffing of the public signal, as it is not encrypted, and available for anyone to see without the need to even connect to it – contrary to what Fon claims.

To share your WiFi using such a custom-made router, you must first buy it for $64.30, install, and configure it. This may sound easy, but network devices such as routers are hardly plug-and-play, and in many cases, require the help of a techie friend or support from the provider. Problems like MAC address cloning, disabled DHCP or DNS forwarding can all get in the way of the sharer, causing him to simply give up and put the router back in its box.

If you get the router up and running, you must then keep it switched on at all times, or you lose roaming privileges. Knowing if your router is actually online is not as easy: even though the router looks OK, Fon’s servers could not be receiving the router’s heartbeat. In this case, you would not have roaming rights and you would not know about it. Fon recently started emailing users who were detected as having offline routers, but relying on an email for this is not what I would consider reliable – nothing beats a big red blinking LED to signal trouble. Mine has been offline for a while now, and I never got an email.

Finally, the factor which in my opinion is the primary cause of people stopping sharing with hardware-based solutions is that the router going offline permanently does not affect their lives one single bit. The roaming possibilities are so small that they are not a decisive factor, and if they just unplug the router, they will still be able to surf the web, check their email, or download content, using their existing ISP-provided or bought broadband WiFi router! In other words, there is zero incentive to share or not share, other than the feeling that you are contributing something to the rest of the world, and in any case, sharing costs you extra money (not a lot, but more than if you unplug the router and it stops using electricity!).

Software based WiFi sharing

The best known software based solution for WiFi sharing is Whisher. So far, we have gone through three iterations of the concept to find both the right feature set that makes it attractive to users, and that offers an incentive for users to share. If your existing WiFi router already works fine, why not share that instead of buying an extra box that may not even work at all?

When we first launched Whisher, we believed many features in a simple, good-looking client would be best, tying WiFi access to social features such as IM, file exchange and geolocation. During the first eight months after the launch, we learned that these features were neither well understood, nor considered a strong enough benefit to drive users to massively adopt WiFi sharing. Even so, we managed to get a sizable amount of registered and tagged access points, around the 80k mark.

As confirmed by Martin’s poll, we then aimed in the right direction: roaming. How could we both give Whisher users a better roaming footprint, while solving the WiFi sharing incentive chicken-and-egg issue? The answer was WiFi Out, a universal WiFi currency that can be earned and exchanged by giving and using WiFi. By sharing WiFi, you will earn WiFi Out credit, which you can then use to get cheaper access at premium locations with which we have negotiated roaming agreements. Very soon you will see a new setting on your shared WiFi hotspots that will enable you to earn WiFi Out credit by sharing and having others connect to them.

The second large problem, usability, has been resolved by turning Whisher into a plugin rather than a standalone client, integrating its features into the existing operating system’s WiFi manager. The result is that if you install Whisher, you will not notice its presence during your normal use of wireless connections, and when you find either shared or premium WiFi signals, all it takes to connect is the same as with normal networks – one click. Many features have been moved to the web, so you can now manage all your shared WiFi from a central location wherever you are located, all you need is a web browser. Sharing or tagging a network is also done on the web, with a single click on the Whisher plugin. Here is what the Windows version looks like:

Finally, what I believe is truly the largest cause of people stopping their sharing, that it does not affect them one bit – is also solved, because sharing with Whisher works with whatever WiFi equipment you already have, be it the broadband router or modem your ISP gave you, or an off-the-shelf access point bought at the store. There is no need to toy with settings or configurations – one click, and you are sharing. And since the signal you use to normally access the Internet is the one also being shared, you are more likely to keep it on 24/7 without having any extra impact or cost.

What about security?

This is a subtopic that usually crops up once I explain why software based WiFi sharing is better in my opinion. How secure is it? While it is true that visitors have access to your internal network, the likelihood that they will be there to access information on it is very low. You are thousands of times more likely to catch a virus or trojan while browsing the Internet or checking email than having someone connect to your WiFi and do something. If you don’t handle particularly sensitive information, you are probably OK with just sharing your WiFi and not worrying, but if you are more security-conscious, there are some things you can do to protect yourself, such as firewalling the range of IPs given by the router’s DHCP server to visitors. I feel vindicated by one of the leading experts in security, Bruce Schneier, who writes in his blog:

Whenever I talk or write about my own security setup, the one thing that surprises people — and attracts the most criticism — is the fact that I run an open wireless network at home. There’s no password. There’s no encryption. Anyone with wireless capability who can see my network can use it to access the internet.

Is there a risk of someone doing something bad while connected to your network? Yes, but as Schneier says, it’s as likely as you being hit by an asteroid. In any case, anyone connecting must have previously registered an account with Whisher, since there is no other way to get access to your encrypted network. Thus, if push came to shove, you could identify potential culprits.

Another feature Whisher has to safeguard you is Private Mode – simply enable this while connected to your network with Whisher, or from the web-based My Account section, and all visitors will be disconnected, leaving the network to yourself. We will implement schedule-based sharing soon, which will enable you to specify at which times during the day your WiFi is shared or not.

From a visitor’s point of view, Whisher is more secure than connecting to the unencrypted signal of a hardware based solution, as every other visitor connected must have a Whisher user account, and so they could eventually be identified in the unlikely event something bad were to happen.

Keep in mind we are reducing the attractiveness of your network to attackers by giving you the power of deciding when you are sharing or not, identifying those that do connect, and making passive sniffing of traffic anonymously not possible, all while keeping your network encrypted. As Schneier observes, “I can count five open wireless networks in coffee shops within a mile of my house, and any potential spammer is far more likely to sit in a warm room with a cup of coffee and a scone than in a cold car outside my house”.

And bandwidth hogs?

The Private Mode functionality solves this issue by enabling you to have the network to yourself with a single click. Bandwidth throttling in hardware is hard to do, and can even cause undesirable side effects, as the small, not-so-powerful router’s CPU has to keep track of all inbound and outbound connections. Besides, it’s fine to say “Give 512kbps from my 3Mbps to visitors”, but how much do you need to give up from your much slower upload (as most broadband connections are asymmetric) to make the visitor’s connection usable? It’s much easier to say “Make the WiFi all mine now”, or “allow only two visitors”.

So what do you think? Is software better than hardware? You are welcome to comment! If I managed to convince you, download Whisher now and start sharing in minutes – if I didn’t, it will take you at least a couple of weeks for the box to arrive once you have paid for it.


Twitxr spam

Posted by Mike on March 3rd, 2008

I am quite surprised about the lack of respect for privacy and anti-spam laws that many startups are showing nowadays, with the excuse that being social and web-two-d0t-ohish gives them carte blanche to jump over all the hoops. Today’s case: Twitxr.

A friend got this in his inbox:

-------- Original Message --------
Subject: Martin Varsavsky wants to keep up with you on Twitxr
Date: Mon, 3 Mar 2008 01:01:07 +0000 (UTC)
From: Twitxr
Reply-To: no-reply@twitxr.com
To: notshown@nospam.com

See Martin Varsavsky’s pictures:

http://twitxr.com/martinvars

Thanks,
The Twitxr team – http://twitxr.com

About Twitxr

With twitxr you can share a moment, a picture, a thought, instantly with your mobile phone. Where are and what are you doing your friends now? Twitxr tells you.

To start with, the email address this was sent to is from an old company he worked at, and which has not been used for over three years. It seems that Martin has just taken his list of email addresses, containing anyone who he has ever been in touch with, and copy/pasted them into the Twitxr database. Secondly, the email comes from a no-reply email address, and provides no way to unsubscribe from these communications. In fact, this email was not even used to subscribe to a Twitxr account!

Now, I believe there are many laws in Europe and the US that prevent this. We currently use a mailing list platform that requires us to comply with many regulations and provisions, so I know for a fact that it’s not as simple as copying a bunch of emails into a database and clicking ’send’.


Fondoo, a Fon-friendly ISP, censored…by Fon

Posted by Mike on May 2nd, 2007

Weirdness happens in the most strange places, and the Fon forums are an endless source of fun. Their moderator, known as moderfon, throws his wrath around like a dragon, censoring posts that are not convenient to Fon’s image. Those who complain or even link to external stories that deal with topics such as replacing the Fonera’s firmware, or problems and bugs such as the overheating routers, are ruthlessly censored, and the posters threatened with being banned.

I have moderated public forums for almost 10 years now, and there is a very delicate balance between keeping things on topic, abusive users, and the community. You simply cannot have a forum about a topic, and then arbitrarily decide when and how its members can or cannot talk about the topic. If the topic of Fon’s forums is Fon, then users should be allowed to say anything related to Fon, be it good, bad or even how to hack the routers. People should be allowed to complain about a company on the company’s own forum, else, it is basically a propaganda tool, or something one must have for public image. “Sure, we like our community, we have a blog and a forum!”. Keeping a company forum on topic does not mean keeping it on the topic the company would like to see, but making sure there is no spam, users don’t become abusive, flame wars are tamed, and people get a feeling that they are contributing to something. Censoring uncomfortable topics is not the way to go.

In this particular case, a UK ISP known as Fondoo.net, who define themselves as “the UK’s first FON Friendly ISP.”, has had its name censored from Fon’s forums. Any mention of the word ‘fondoo’ will be shown on posts as *xxxx*, as can be seen on this thread (scroll down a bit to the first post by euronerd). Seems like a very fast way to lose friends, and shows how to not build a community. As this thread will probably be censored (there was a thread about censorship that itself got censored!), I took a screenshot of the relevant bit:

fondoo.png

Update: I found a link to this Wikipedia entry (I tend not to link to Wikipedia as a general rule, but I’ve reviewed this article and it seems just fine), which is a great introduction and explanation of what it means to moderate a forum (wink wink, moderfon). Thanks to Kyros for posting the link on AustinTX’s blog, it will come in handy more than once methinks!


Fonera overheating – are we cooking yet?

Posted by Mike on March 17th, 2007

You probably have seen the video on YouTube about a molten Fonera, apparently due to overheating, which shows the plastic case completely deformed. Gizmodo (also in Spanish) and other sites are also reporting on this. As usual, Fon has censored the post on their forums that broke the story, but alas, thanks to their partners at Google, here is a cached version. Even Martin Varsavsky seems worried about this. It seems the damage is obviously from heat, but could it have come from the Fonera itself?

I, and others, have our doubts about whether this video is a fake stunt, or a true story. It is true that the Fonera overheats, much more than would be expected from a consumer-electronics product, but to the point of causing physical damage to the plastic case?

The heat problem

Heat in electronics mostly comes from dropping voltage, which converts current into heat. In our case, the voltage regulator in the Fonera drops 5V to 3.3V at 500mA, resulting in the dissipation of 850mW. That’s right, we are dumping 850mW right into the atmosphere in the form of heat. This brings the operating conditions very close to the maximum ratings for this regulator, which has a maximum rated thermal resistance of 90ºC/W; my calculations put the operating conditions at 88ºC/W. Additionally, the wireless section of the Fonera is also converting a lot of energy into heat.

The measurements

After I finished my tests, I got a comment from Pobletewireless, regarding his own measurements of the heat problem, which are shown in very cool thermographs (no pun intended!) – much nicer than my rather rudimentary method.

I measured the temperature of the Fonera using a thermocouple connected to a Fluke 123 Scopemeter via an 80TK thermocouple module. The thermocouple was placed in between the heatsink and RF shield, the case closed, and the Fonera powered, as can be seen in this picture:

Thermal probe in the Fonera

After 10 minutes operating normally, the temperature had risen to an average of 72ºC, with a peak of 80ºC.

The average temperature of the Fonera

The second batch of measurements were performed drilling four small holes to allow the thermocouple into the casing, the locations are shown in the following picture:

Probe holes

Maximum temperature at one corner was 43ºC. Next, an attempt was made to melt the white lid of the Fonera, by exposing it to a high temperature airflow from a paint-stripping gun, and at the same time, applying slight pressure from below. The thermocouple was used to measure at which point the plastic became malleable, and deformation started. At around 100ºC, the plastic was soft enough that a solid object could change its shape – this is in line with ABS plastic thermal properties, which state a deflection temperature around 100ºC, depending on specific material composition.

As the deflection point test resulted as expected, the lid was then exposed to an airflow at 280ºC for two minutes. The result of this exposure is shown in the pictures below:

Fonera lid

Fonera lid 2

It’s obvious that some deformation has taken place, with discoloration and charring on the point where heat was directly applied. However, the front side of the lid had mostly retained its shape.

Conclusions

The Fonera does indeed run very hot, much hotter than it should, if anything, for the good of the internal parts. Electronic components are sensitive to heat, with maximum ratings given by each manufacturer in terms of storage and operating conditions. The higher the temperature, the lower the service life of any given component. Some are affected more than others, most notably, electrolytic capacitors have a high sensitivity to heat, as it can evaporate the electrolyte quicker, causing it to fail. The capacitors in the Fonera are made by Taicon, a Taiwanese manufacturer, and are max-rated for 105ºC. From the datasheet [PDF], at this temperature, the capacitor will fail after some 2000 hours, around 83 days. Following Arrhenius’ Law, and since the area around the capacitors was found to be at around 52ºC, their expected life would be 7800 hours, or about 325 days – what a coincidence, almost a full year, after which your warranty has expired. Comparing the Fonera to a Meraki Mini, one realises that there is a serious design flaw, as apart from the Mini having a switched-mode regulator, the wireless section shares exactly the same design as the Fonera. The temperature measured outside the casing of the wireless section indicates that the junction temperature of the components inside has to be ridiculously high. So, one conclusion is that the Foneras will eventually fail due to overheating, and it will probably happen sooner rather than later.

On the deformation / melting video – in my opinion, it’s not real. At least, it couldn’t have happened without the Fonera reaching temperatures around the whole casing that would have caused some components to blow up (for example, the capacitors). The Fonera could not have undergone such an extreme temperature, and still function as shown on the video. The temperature gradient between the heatsink and one corner of the case is almost 2:1, thus, to reach a deformation temperature of say 200ºC at the corner, the heatsink must have been running at 400ºC! A final bit of evidence – the sticker. If you look closely at the video, the sticker on the bottom of the Fonera looks almost unscathed. Here is a picture of what it looks like after applying a 250ºC airflow for 30 seconds, which causes the plastic to deform:

Fonera bottom

Obviously, a more prolonged exposure would have damaged it even more. In all honesty, I would love to get more details from the guy who made the video; as it stands right now, I’d call it a hoax.


New Fon routers with LAN and USB ports, but not by Fon

Posted by Mike on February 26th, 2007

I got a tip today that Fon is looking at launching a new router with a LAN port, apart from the WAN port found in the current Fonera (they seem to privately admit not having a LAN passthrough was a rather big mistake).

With the current Fonera, you cannot access devices on the wired side of the network (such as a SAN drive or printer) from the wireless side, be it using the public or private SSID, you are effectively NATted from your own network. A LAN port would solve this the same way as it is done in higher quality devices such as the Linksys WRT54 series.

Fon Liberator?

What really surprised me was to see that these routers have already been shown for a few weeks on the website of Accton, the OEM that manufactures the Fonera. Check out these links, datasheets in PDF available, for a white-label Fonera, a Fonera with LAN passthrough, and what looks to be the Fon Liberator, having a USB port and BitTorrent client built-in! Martin Varsavsky recently put the release date of the Liberator back a few months, originally scheduled for Christmas 2006, citing technical difficulties.

Now, either Accton wants to score a goal taking advantage of the publicity offered by Fon, or Fon didn’t pay an exclusivity fee for the design of these routers, or both. One million routers by 2010 is nothing by Asian manufacturer standards, but they do allow buyers to secure exclusive designs. Copies could still be found, but not as prominently and by the same manufacturer making their own.

I wasn’t sure that Accton was the designer behind the Fonera, and gave Fon the benefit of the doubt of actually having developed something themselves in the electronics field, but now it seems clear that Accton is the designer of the hardware platform, so there wasn’t that much development by Fon after all (the firmware was created by the hackers behind DD-WRT and OpenWRT).


FON, ranked the worst company by readers of El Mundo, Spain’s top online newspaper

Posted by Mike on December 29th, 2006

It will not surprise some people, but after the online newspaper El Mundo, the most read online news source in Spain, ran a poll to rank the best and worst companies of 2006, FON came out as the winner in the ‘worst’ category (scroll down a bit, about half way down). With comments such as ‘a project with no future’ and ‘hot air’, readers gave enough bad marks to put FON in the spot. The poll was open, so people could vote for any company they wanted; there was no shortlist or closed options.

fon_ship.jpg

I have been very critical of FON in the past, and I have also been accused of all sorts of things in relation to the criticism, but I know there are a lot of people out there upset with the way things have been running. They have had many chances to fix their problems; it’s not that hard to implement decent customer service, or to fulfill orders in reasonable time, it just takes good management and a competent team. I am sure there are many very competent people at FON, who work really hard every day to make things happen, but their efforts have sadly not transpired.

As for the picture, I hope it doesn’t offend anyone, but since there was no response by Martin to my comments on his blog after his acid post, or after reporting the vulnerability in their maps service, I don’t have any moral issue about making fun of FON (no pun intended…well…sort of).


The Fonera, hacked to run OpenWRT

Posted by Mike on December 27th, 2006

It was only a matter of time until the developers of open-source firmware OpenWRT and DD-WRT managed to port the OS to the Fonera, which is based on an Atheros chipset. As described in this thread of the DD-WRT forums, there is a firmware package available for download, which can be flashed onto the Fonera, thus replacing FON’s original firmware and functionality. I think it will be a matter of time until we see reflashed Foneras on eBay, just like we saw Linksys once upon a time.

The hack is not for the faint-hearted, and so you risk bricking your router if the flashing fails – there is still a way to de-brick using the serial port, but in any case, don’t try this at home unless you know what you are doing. We are on the cutting edge of the development, which eventually trickles down into easier-to-follow HOWTOs and step-by-step guides.


FON fixes maps vulnerability, and why Martin should apologize

Posted by Mike on November 15th, 2006

You probably remember the post I made regarding FON’s figures, and how much I thought they differed from reality. It got quite a lot of attention, particularly from detractors, and from Martin Varsavsky himself. Many comments were posted on my blog and some others, which pointed towards the fact that I am involved in a startup which supposedly is a clone of FON, and thus I was biased and in no position to comment on FON. To cut a long story short, Martin posted a rather vicious personal attack on his blog, which I answered, he counter-commented, to which I again answered, but he never conceded a bit.

During my investigations that led to the statistics post, I also discovered a serious flaw in the maps management system, which would allow anyone to re-position any FON hotspot and change its address without first logging into the user area.

All that was required was the node’s ID and the hotspot owner’s user ID, both easily obtainable from the public queries that maps.fon.com launches against the database where hotspot data is held, and which I used to gather the statistics. For a determined attacker, it would have been very easy to place every single FON hotspot right in the middle of 1600 Pennsylvania Avenue, Washington DC.
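The flaw class described above (an update accepted on the strength of identifiers anyone can read) next to a version that takes identity from a logged-in session, as an added Python example that is not FON's code. The store layout, session table, function names and status codes are all assumptions.

```python
import copy

# Constructed sample data; every name below is hypothetical, not FON's schema.
_SEED = {101: {"owner_id": 7, "lat": 40.4168, "lon": -3.7038}}
SESSIONS = {"tok-owner": 7, "tok-other": 8}  # server-side: session token -> user id


def new_store():
    """Fresh copy of the sample hotspot table."""
    return copy.deepcopy(_SEED)


def update_vulnerable(store, params):
    """Accepts the change if node_id and user_id match. Both values are
    readable from public map queries, so the check proves nothing."""
    spot = store.get(params.get("node_id"))
    if spot is None or spot["owner_id"] != params.get("user_id"):
        return 404
    spot["lat"], spot["lon"] = params["lat"], params["lon"]
    return 200


def update_hardened(store, session_token, params):
    """Takes identity from the login session and ignores any user_id in params."""
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return 401  # not logged in
    spot = store.get(params.get("node_id"))
    # Same answer for "no such node" and "not your node": ownership stays private.
    if spot is None or spot["owner_id"] != user_id:
        return 404
    lat, lon = params.get("lat"), params.get("lon")
    if not all(isinstance(v, (int, float)) for v in (lat, lon)):
        return 400
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return 400
    spot["lat"], spot["lon"] = lat, lon
    return 200
```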

I could have very easily posted about this, but I refrained from doing so for a reason – while I do not work full-time in the IT security industry, I have done quite a bit of consultancy work in the past, related to IT security, particularly in the wireless field. This means that I am fully aware of the industry-approved vulnerability disclosure procedure, which can be explained simply as:

  • Document the vulnerability, and inform the company about the fact that you have found it.
  • Wait for an initial response, establish contact points, and work a schedule for fixing the issue.
  • Work with the company to help them solve the issue.
  • Once the issue has been fixed, make a public disclosure on both sides about the vulnerability, giving credit to the person or company that discovered it.

You can find more references to this policy at Microsoft’s Security Response Center, here and here. A PDF from oisafety.org also describes this process in detail. A perfect example of how not to do things is the recent disclosure of a code injection vulnerability, which allowed manipulation of FON’s routers without even having to open them – even though their points are valid, they should have given FON the chance to fix the problem before going public.

In this case, I contacted FON’s support email first on September 27th, and received a response on the 29th. This was really generic, only wanting to know about the details, and not acknowledging the normal procedure as I have explained above. On October 2nd, I emailed them again, asking to confirm that they understood the procedure, and on the 3rd they replied that they agreed on following the procedure.

I started compiling the information I had into a working document, but after becoming so frustrated at the attacks received as a result of my post about the statistics, the decision was to simply let the issue go, forget about FON, and concentrate on my own project. A couple of days ago, browsing around for stuff to clean up on the laptop, I came across the half-written report, and decided to finish it and send it to FON support, with CC to Martin, just to close the case. I received a reply today that they have in fact fixed the vulnerability, with a short ‘thanks’ (actually, quoting his email in full: “thanks Mike, i understand its been fixed”) from Martin.

The public acknowledgement of the discovery posted by FON is found in this forum post. Only in the English forums, by a user created apparently for this particular purpose, as this is his first post ever, where it is not likely to draw much attention. This would be fine by me, had not there been the precedent of Martin’s fierce replies to my statistics post, followed by countless attacks by FON’s followers, including an unfortunate incident better left forgotten. What I really cannot understand is that, when I criticize FON, I get such a huge public lashing, whereas when I help them out, I get a three-line remark in a forum where it will go mostly unnoticed. The end result may well be that other vulnerabilities, and it is likely they exist, go unreported.

Whatever the case, this should show those who accused me of unfair, biased attacks on FON that I really just call the shots as I see them: when I smell bullshit, I will point to it; when I see a hole, I will help them fix it – again, IMHO, blogging is not about being biased or not, it is about being ethical and maintaining a set of standards. In my view, it should also prompt Martin to write an apology, but I am not holding my breath. Not that I care much either; what is most important is my work. This is my blog, where I spend part of my spare time, which is not actually that much.
