[118921] in Cypherpunks
Re: Unplugged! The biggest hack in history (fwd)
daemon@ATHENA.MIT.EDU (Dave Emery)
Sun Oct 10 16:33:57 1999
Date: Sun, 10 Oct 1999 16:16:40 -0400
From: Dave Emery <die@die.com>
To: Jim Choate <ravage@einstein.ssz.com>
Cc: cypherpunks@einstein.ssz.com
Message-ID: <19991010161639.A1384@die.com>
Mail-Followup-To: Jim Choate <ravage@einstein.ssz.com>,
cypherpunks@einstein.ssz.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199910100056.TAA12373@einstein.ssz.com>; from Jim Choate on Sat, Oct 09, 1999 at 07:56:34PM -0500
Reply-To: Dave Emery <die@die.com>
On Sat, Oct 09, 1999 at 07:56:34PM -0500, Jim Choate wrote:
>
> > Date: Sat, 9 Oct 1999 20:38:57 -0400
> > From: Dave Emery <die@die.com>
> > Subject: Re: Unplugged! The biggest hack in history (fwd)
>
> > For US Robotics modem firmware the ATI6 and ATI11 commands
> > return this information.
>
> And it's worth noting that by the time you get them out of the modem they're
> worthless. They tell you what the modem did, not what it is doing.
>
One does *NOT* have to disconnect the modem from the call to get
this information. It is possible to suspend the data transmission, go
into command mode, read out the current information and go back into
data mode without hanging up the call. Would not be an overwhelmingly
difficult hack to something like Linux pppd to do this every so many
minutes.
But even if you have the information only after the call is
completed, if it shows that you were connected to a local modem with
minimal delay and constant echo characteristics when you thought you
were connected to London the information would certainly help tip
you off that something was fishy. Certainly better late than never.
> > Echo (or perhaps more properly near end transmit signal)
> > cancellation is done for the entire talking path both to the far end and
> > back from the far end. Every component of this path could potentially
> > generate echos of the modems own transmit signal, all of which have to
> > be calculated from the known transmit data and subtracted out to yield
> > the signal from the other side. While it is true that the purely 4
> > wire digital portions (virtually all US telco toll trunking these days)
> > of the connection do not in general generate echoes, it is not true that
> > echoes of the near end signal are only generated on the local loop
> > between the modem and the CO.
>
> Which as I stated "gets aggregated with the switch". Bottom line the
> scenario you describe is strictly only accurate if the two modems are
> connected by a 2-wire dry pair.
Sorry Jim, you are apparently misinformed. Most all long
distance connections are two wire to the switch, then four wire
(separate talking paths in each direction with no interconnection)
through the toll trunking and then two wire at the other end of the
connection. What this means is that most of the echo of the transmit
signal is either local with short delays in the sub millisecond area, or
remote with delays equal to the electrical length of the long distance
connection, which can easily be 20-40 milliseconds or more. Far end
echo is very real and very important to modem operation. There is no
mechanism in place in the telco network to cancel echo from the far end
on a data call, the echo suppressors that are used on some voice calls
are automatically turned off by the modem connect tones (the initial bleep
noise) so they don't interfere with data.
No current switches do anything but sample the data on the
local loop and pass those samples onward - and accept samples from
the far end. Switches do not do "noise cancellation" or anything
else with the audio they pass.
> It's the exact same reason you can't get
> anything over 44k on a 56k in a real world scenario. You also leave out the
> active noise cancellation that the subscriber board at the switch does, which
> despite your claim to the contrary does in fact reduce the effect of the modem
> at the far end.
I am most puzzled as to what "active noise cancellation" you
think the line cards of a typical local CO do... It is true that the
line cards contain a directional interface called a hybrid, that
separates out the audio coming in from the audio going out by virtue of
the relationship of current direction and voltage on the line... This
analog circuit is usually implemented with a special transformer and
some passive components (though there are some ways of doing it just
with analog op amps in a codec chip). But this is not an adaptive,
sophisticated noise canceller but merely a directional coupler to the
line which reduces the pickup of outgoing signal by the circuit
receiving incoming signal. Without this the line would oscillate or
"sing". A typical hybrid cancels the opposite direction by 20 or 25
dB, and it should be noted that all modems contain very similar hybrids
for exactly the same purpose as those at the CO end.
If telephone lines were perfect, and terminated in perfect
matched terminations there would be no echo of transmitted signal back
down the line in the other directions and no transmitted echo
cancellation in the modem would be needed as no residuum of the
transmitted signal would get reflected back to contaminate the signal
from the other end. But all kinds of imperfections due to the physical
realization of the line as a pair of wires (impedance mismatches) cause
reflections and the actual return loss of a typical line is 20-25 dB and
not infinite. So echo cancellation is needed in order to transmit
data in both directions at once in the same frequency bands both
ways, which is what modern (V.32 and V.34 and V.90) DSP based
modem standards depend on.
No CO's that I have ever heard of do any other kind of active
noise cancellation on a normal subscriber line. I suppose that there
may be some exceptions to this for analog cellular and a few other
special cases, but active noise cancellation tends to chew up data
signals unless carefully coordinated with the modems involved, so it is
unlikely to be turned on for data calls even if it is used for voice.
It is also true that until very recently implementing active noise
cancellation was expensive because it required a DSP and significant
memory and other support chips, so having something like this on every
line was cost prohibitive until the era of ASICs with DSP cores in them
(last couple of years). It is true that digital cellular switches
typically do far end echo cancellation similar to what a modem does
because the vocoder processing delay for digital cellular is enough so
echoes from the far end have audible delay and interfere with speech.
But sending data over a vocoded line with a normal modem is essentially
impossible so these cases can be ruled out as irrelevant.
As for the reason why 56 k modems do less than 56 k... there are
two things at work here. Many lines have too poor a signal to noise
ratio or too much loss or too irregular a frequency response for the
high speed signalling algorithm to work reliably at full speed. Basically
the algorithm backs off information bits and substitutes more error
correction bits as line conditions get worse. So only very clean lines
have almost all the bits used for information and few for parity.
Completely separate from this, full amplitude signalling going rail to
rail in the possible u-law amplitudes generates a signal on the analog
side that contains more peak and average power than typical telephone
cables were designed for. If such full amplitude signals were allowed
on typical multipair cables, there could be crosstalk with other lines
on the cable and interference from the data signal to other users of the
same cable bundles. For this reason the FCC has mandated that the full
amplitude signal not be used, which limits speeds to 53K rather than
56K.
>
> I deleted the rest of your comments because they rest on your description of
> the telco connection model which is inaccurate.
>
I believe I have described telephone lines as currently implemented
correctly.
It is true that if the other end of the line is an ISP running a
4 wire digital T1 connection to the network and digital DSP based modems
that process the sample stream from the far end line card entirely in
the digital domain (typical of an ISP equipped for 56 K V.90 service)
there will be no far end echo unless the DSP algorithm in the ISP's
modems deliberately inserts some (or unless there is a 4 wire to 2 wire
conversion in the middle of the connection somewhere). Perhaps this is
what you are trying to point out. Certainly some connections are of this
type and for those connections the modem's estimate of the far end delay
may not be accurate (though I think the actual algorithm used has a way
of figuring this out in the V.90 case - I have not read the V.90 spec
carefully and could be wrong on this).
Thus I still maintain that the modem line measurements are
a meaningful clue as to whether there is a man in the middle or not.
--
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
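Added example (not part of Dave Emery's message or anything else on this page) showing the two things the message argues for: escaping a Hayes-style modem into command mode mid-call to read its link diagnostics and returning to data mode without dropping the call, and then comparing the reported far-end round trip delay against the distance you believe the call covers, so that a "London" call answered by a local modem with sub-millisecond echo stands out. Everything below is assumed rather than taken from the page: the `+++`/`ATO` escape and return sequence is the generic Hayes behaviour, the `SAMPLE_ATI11` text is a constructed sample whose layout is only loosely modelled on USR Courier `ATI11` output (field names and spacing may differ on a real modem), `FakeModem`, `poll_link_diagnostics`, `get_number`, `expected_min_rtt_ms` and `assess_link` are names chosen here, and the speed-of-light floor is a lower bound, not a prediction of what a real toll connection reports. The digital-far-end case the message raises (an ISP V.90 bank that produces no far-end echo at all) is handled by returning "inconclusive" instead of a verdict.

```python
"""Poll modem link diagnostics mid-call and sanity-check far-end delay.

Example code written for this page, not from the original poster.
Assumptions (not from the page): Hayes escape '+++' then 'ATO' to
return online; an ATI11 response with 'Name (unit)  value' lines; the
sample text is constructed and only USR-like in layout.
"""
import re
import time
from typing import Optional

ESCAPE = b"+++"
GUARD_SECONDS = 1.0            # Hayes S12 guard time is about 1 s by default
LIGHT_KM_PER_MS = 300.0        # free-space c; copper/fibre/switching are slower

# Constructed ATI11-style sample (assumed layout, not a real capture).
SAMPLE_ATI11 = (
    b"\r\nLink Diagnostics (constructed sample, USR-like layout)\r\n"
    b"Modulation              V.34\r\n"
    b"Recv/Xmit Level (-dBm)  22/10\r\n"
    b"Near Echo Loss  (dB)    19\r\n"
    b"Far Echo Loss   (dB)    34\r\n"
    b"Round Trip Delay (msec) 2\r\n"
    b"SNR (dB)                39.6\r\n"
    b"Speed Shifts Up/Down    0/0\r\n"
)


class FakeModem:
    """Stand-in for a serial port with a modem in data mode (constructed).

    Exists only so the example runs offline; a real pyserial Serial object
    exposes the same write()/read() surface (with a read timeout).
    """

    def __init__(self, ati11: bytes = SAMPLE_ATI11) -> None:
        self.online = True
        self.ati11 = ati11
        self.buf = b""

    def write(self, data: bytes) -> None:
        if self.online:
            if data == ESCAPE:           # a real modem also checks guard time
                self.online = False
                self.buf += b"\r\nOK\r\n"
            return                        # anything else is just call data
        cmd = data.strip().upper()
        if cmd == b"ATI11":
            self.buf += self.ati11 + b"\r\nOK\r\n"
        elif cmd == b"ATO":
            self.online = True
            self.buf += b"\r\nCONNECT 28800\r\n"
        else:
            self.buf += b"\r\nERROR\r\n"

    def read(self, n: int = 4096) -> bytes:
        out, self.buf = self.buf[:n], self.buf[n:]
        return out


def poll_link_diagnostics(port, guard: float = GUARD_SECONDS) -> bytes:
    """Escape to command mode, issue ATI11, return online; give back raw text.

    Raises if either transition is not acknowledged: leaving the modem in
    command mode would stall the PPP session, which is worse than no data.
    """
    time.sleep(guard)                     # silence before the escape
    port.write(ESCAPE)
    time.sleep(guard)                     # silence after the escape
    if b"OK" not in port.read():
        raise RuntimeError("modem did not enter command mode")
    port.write(b"ATI11\r")
    raw = port.read()
    port.write(b"ATO\r")                  # back to data mode, call still up
    if b"CONNECT" not in port.read():
        raise RuntimeError("modem did not return to data mode")
    return raw


def get_number(text: str, label: str) -> Optional[float]:
    """Value after 'label (unit)'; None if absent or non-numeric (e.g. NONE)."""
    pat = re.escape(label) + r"\s*(?:\([^)]*\))?\s*([-+]?\d+(?:\.\d+)?)"
    m = re.search(pat, text)
    return float(m.group(1)) if m else None


def expected_min_rtt_ms(distance_km: float) -> float:
    """Lower bound on round trip delay: out and back at no better than c."""
    return 2.0 * distance_km / LIGHT_KM_PER_MS


def assess_link(raw: bytes, claimed_distance_km: float,
                tolerance_ms: float = 1.0) -> dict:
    """Flag a far end that answers too fast for where it claims to be."""
    text = raw.decode("ascii", "replace")
    far_echo = get_number(text, "Far Echo Loss")
    rtt = get_number(text, "Round Trip Delay")
    floor = expected_min_rtt_ms(claimed_distance_km)
    if far_echo is None or rtt is None:
        # A fully digital far end (e.g. an ISP V.90 bank) may produce no
        # far-end echo; the delay estimate is then meaningless, so say so.
        return {"verdict": "inconclusive", "rtt_ms": rtt, "floor_ms": floor,
                "reason": "no far-end echo measured"}
    too_fast = rtt + tolerance_ms < floor
    return {"verdict": "suspicious" if too_fast else "consistent",
            "rtt_ms": rtt, "floor_ms": floor, "far_echo_db": far_echo}


if __name__ == "__main__":
    modem = FakeModem()
    diag = poll_link_diagnostics(modem, guard=0.0)
    print(assess_link(diag, claimed_distance_km=5300))   # Boston-London-ish
```

Run against a real port, `poll_link_diagnostics` would be called from a timer (the "every so many minutes" in the message) with the port's read timeout set and the read loop waiting for `OK`; the hypothetical `FakeModem` only exists so the sequence and the parser can be exercised without hardware.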