The purpose of this CXTech Week 9 2023 newsletter is to highlight, with commentary, some of the news stories in CXTech this week. What is CXTech? The C stands for Connectivity, Communications, Collaboration, Conversation, Customer; X for Experience because that’s what matters; and Tech because the focus is enablers.
You can sign up here to receive the CXTech News and Analysis by email. Please forward this on if you think someone should join the list. And please let me know any CXTech news I should include.
Covered this week:
- Howard Watson, BT’s chief tech exec, is growing tired of the Gs
- OneAPI 2.0, GSMA’s Open Gateway initiative
- Fair Share: the definitive guide
- ChatGPT Review
- Meta unveils a new large language, LLaMA-13B reportedly outperforms ChatGPT-like tech despite being 10x smaller
- RTC Security Newsletter: February
- Paris IMSI-Catcher Mistaken for Bomb
- Signal would ‘walk’ from UK if Online Safety Bill undermined encryption
- Why all the Hype? Blame Marketing.
- People, Gossip, and Frivolous Stuff
Once a senior telecoms exec starts talking sense on technology, you know they’ll be retiring soon. I remember when now retired Hugh Bradlow (Telstra CTO) was pointing out some of the inadequacies in IMS.
For Howard, 6G will not be the massive investment of 5G, rather something more incremental, the same air interface with some millimeter wave hotspots. 5G needs to start generating a return before there’s a move to 6G.
And if being sensible on 5G/6G was not enough. On fair share, Howard pointed out operators could work together with games and video-streaming companies on storing content closer to customers (caching). Like they’ve been doing with Netflix and Akamai for almost a decade.
This is going to be a theme through this article, industry politics creating silly distractions from solving the hard problems – finding a role beyond internet access.
Here is another example of politics overriding common sense. To bolster their case for ‘fair-share’ telcos need to show they’re engaged with developers. Hence OneAPI 2.0, aka the GSMA’s Open Gateway Initiative. The GSMA really needs to cede any web stuff to an organization that understands the web, like W3C. TADHack is the largest global hackathon focused on programmable telecoms for over a decade. If they were really wanting to engage developers, you’d think they’d get involved with the largest community of telecom application developers?
Plus there’s a product sale linked to this. CAMARA is being used to justify telcos spending too much money on a NEF project (Network Exposure Function, think Parlay Gateway 2.0), plus all the marketing and travel expenses these projects seem to require. Hence many telcos will not adopt OGI, federation will only ever by partial. And the practical realities can not be solved through an API, see my discussion below on SIM swap.
Given all the many technical, operational and contractual differences between the telcos; the different regulatory regimes and compliance requirements. A business entity is required between the telco industry and developers. That’s why Syniverse, Sinch, Infobip, Telesign, Kaleyra, etc exist for over a decade. Imagine the scandal when a Chinese app developer using the GSMA’s OGI SIM swap API discovers members of the US Congress SIM swapping – you know the ones likely to be doing that 😉
OGI launches with eight universal network APIs: SIM Swap, QoD, Device Status (connected or roaming status), Number Verify, Edge Site Selection and Routing, Number Verification (SMS 2FA), Carrier Billing – Check Out, and Device Location (verify location). Additional APIs are set to be launched this year.
The APIs are defined, developed and published in CAMARA, the open-source project for developers to access network capabilities that is backed by the Linux Foundation in collaboration with the GSMA. “Working in CAMARA, APIs between telcos and developers can be delivered quickly, using developer-friendly tools and software code.”
Dean posted on this, see below, and I added some comments on the real-word issues.
Most of the CAMARA capabilities are not new. Location, phone ID / status, and 2FA are solved problems.
Taking SIM swap as a specific example. A company worried about SIM swap needs to worry about the phone number being ported-out or call-forwarded. Plus the identity / device could be connected via WiFi, not just the mobile network. Fraud detection and identity management is a complex problem, multiple data sources are required, potentially hundreds.
The time for a carrier to respond to a SIM swap request can be beyond what is reasonable API response time. Its a BOSS (Business and Operational Support) issue not an API issue. Hence why a multi network / database approach using WiFi / IP / IMEI (International Mobile Station Equipment Identity) data to red-flag (score) an interaction is critical. WiFi / IP / IMEI data can probably indicate fraud without the delayed SIM swap data.
Check out Telesign, https://www.telesign.com/products/phone-id, and Prove (who presented at TADSummit) https://blog.tadsummit.com/2023/01/11/telcos-and-programmable-communications/ (last presentation in article). There are many more providers, identity management and fraud detection is an old industry.
Telcos are already working with Telsign and Prove, the CAMARA API may be useful to them (I doubt it), but telcos sorting out the internal BOSS to be real-time would benefit the ecosystem more. Unless a telco buys Telesign or Prove, CAMARA is unlikely to offer a SIM swap solution that meets the needs of banks or big web brands. A CAMARA API does not come close to be relevant to a developer, see Sam Machin’s comments below for further endorsement. At the end of the article I have a piece on hype and the problem with technology marketing. The focus on an API, rather than the service, is an example of the problem caused by marketing.
Why not focus on something meaningful and beneficial to everyone like getting SNA (Silent Network Authentication) solved across all carriers? Do not know what SNA is? At TADSummit Special 21-23 March, Eric Nadalin of tru.ID will be talking about SNA, https://blog.tadsummit.com/2023/02/16/tadsummit-special/.
The GSMA’s OGI is yet another politically motivated distraction. There are lots of other opportunities telcos could address without repeating the mistakes of OneAPI.
After my comments in Dean Bubley’s post I received the usual mix of DMs. From the corporate mind-control police: “you were wrong on IMS, it happened, you’re wrong here.” Dunno why they think I said IMS would not happen, I predicted accurately the deployment timeline for IMS, yet I’m considered by some an IMS heretic for pointing out its inadequacies. It’s just a pity open source telecom app servers were not adopted like the rest of programmable communications.
Other DM’s were more perplexed: “but why would the GSMA repeat such an obvious mistake?” The answer is politics. It’s related to the silliness of “fair share.” Telcos need to be seen to be active with developers to lessen the claims of the web companies on Fair Share. So this is positioned as engaging developers. It will not, partners yes, but the value add there is small.
While we’re on industry politics, the energy debate is lip service only. If they meant to do something, 5G standardization was the time for action. Also moving the towers with their energy hungry RAN equipment off the books, along with some of their data centers to the cloud providers ensures on paper Telcos look good for energy consumption. However, it only takes a little bit of digging to work out the total energy consumption for a network, including all its subcontractors.
P.S. Sam Machin, Head of Developer Platform and Experience at Stacuity (thanks to a connection made at TADSummit 2022) added some excellent points to the discussion on the irrelevance of telco’s APIs for most developers.
The fundamental thing that all the various telco API initiatives have overlooked in the past is segmentation.
As an application developer I’m only interested in a solution that I can implement for either all my customers or an existing segment of my customers.
As far as I’m concerned which carrier they use is not a segment on my radar, Common segments are;
1) iOS / Android – Because I’m already likely maintaining 2 codebases and delivering the application via 2 different channels,
2) Country – Because of the nature of my product, billing, marketing & regulatory limits.
I’m not interested in creating further segmentation unless it delivers HUGE business value, unless you have 100% availability to one of those existing segments then stop wasting my time, that means ALL carriers in a given country.
Carriers (& Industry groups) totally overlook this, they have an outside-in view of the user-base where *their* customers are the only customers. And lets not even get started on how irrelevant the various carriers “global” footprints are outside of 18th century colonialism, they’re rarely even the same network, the only commonality is that they all use the same logo.Sam Machin, Head of Developer Platform and Experience at Stacuity
It’s a reasonably accessible summary on some of ‘fair share’ issues for the layperson. There are many more published works that go into much more detail on the telcos’ finances. Industry insiders will see this as biased. The quote from the document sums things up quite nicely.
It is interesting to see how the concept “you must co-finance my business without any legal basis” and “I don’t want my customers to pay a fair price for the product they purchase” has degenerated into and been labeled with the euphemism “fair“.
I look at this very simply. The industry has spent hundreds of billions on 5G, for no significant new revenues, because 4G is good enough. Unlike 4G there are no new revenues on the horizon, e.g. mobile internet access. By 2025 things are going to get a little heated in telcos’ boardrooms as the institutional shareholders express their dissatisfaction with the situation, heads will start to roll and activist shareholders will take advantage of the situation. Hence the desperate search for new revenues one way or another.
We live in a world where there is no shame in politics, politicians make factually incorrect statements to justify their argument, and there’s no mea culpa anymore. Fair Share is industry politics.
This MIT Review article explains the origins of ChatGPT, a timeline of its development, and its use in various applications. ChatGPT was trained on a massive dataset of text to understand and generate human-like language. The model has been used for chatbots, virtual assistants, and creative writing. The article discusses the challenges and ethical concerns associated with the use of language models like ChatGPT. Yes, I used ChatGPT to produce this summary, which I subsequently edited.
In my opinion DALL·E 2 is more impressive than ChatGPT. In CXTech Week 23 2022 I reviewed the Delft Blue Stormtroopers. It’s great for ideation. But the content is rarely ‘finished’. You still need a graphic designer / artist to bring it to fruition.
DALL·E 2 is a fun tool, I asked for “a Dutch man being dutch at the seaside.” The results were funny to a Brit, and of course the Dutch person I sent it too responded with “a British man being British in a speedo at the seaside.” Another friend was having their bathroom renovated, I asked for “a partially destroyed high-end bathroom with leaking faucets and missing tiles, photo realistic.” So when I asked how the renovation was going, I had a picture.
ChatGPT feels like an intern has done a web search on your question, and produced a ‘good enough’ summary with errors, sometimes significant errors as it lacks context to know what content is more accurate. I’ve seen people using it for many practical use cases. All of which a web search would reveal, and the great thing with a web search is you can differentiate between sources. I think part of the popularity is people like being told one definitive answer.
Take the origins of COVID as an example. It really does not matter if it was the live market or the lab leak, we’ll never know for sure. However, based on the collective peer reviewed scientific opinion, the live market is more likely, but that does not rule out a lab leak. This simple fact seems hard for people to accept, they want definitive answers. And that is why ChatGPT can be dangerous.
Meta unveils a new large language, LLaMA-13B reportedly outperforms ChatGPT-like tech despite being 10x smaller
This is one of those articles that initially attracted my interest, then on further reading left me disappointed:
- It’s not open source (at least for commercial use); and
- It can run on a pc but from what I understand it doesn’t provide ‘production’ like perf and I am not clear what you need to get those (inference time, latency, etc…)
As always a great review of the latest in RTC Security from Sandro. Covering security reports involving FreePBX, FreeSWITCH, Chromium, BIG-IP and Oracle’s WebRTC session controller. And his highlights from FOSDEM, including:
Modernizing Authentication and Authorization in XMPP
This presentation by Matthew Wild covers XMPP authentication, starting with a great introduction to the topic in general. Then he describes the new authentication mechanism for XMPP called FAST, which stands for Fast Authentication Streamlining Tokens. This allows the use of things like WebAuthn, FIDO2 and Passkeys for authenticating to your XMPP account, bringing XMPP authentication up to date.
Watch the presentation: https://fosdem.org/2023/schedule/event/modern_xmpp_auth/
Secure payments over VoIP calls in the cloud
This is a talk by Nuno M Reis on how Talkdesk achieved PCI compliance with Open Source VoIP software – Kamailio and RTPEngine. He talked about how the proprietary solutions were difficult to work with, in contrast to using Open Source. This is an excellent presentation about designing and hardening a VoIP solution and limiting its security exposure. What I like about this is that, by choosing the right software and architecture, they seem to have obtained the level of control that was needed to certify their VoIP platform.
The last slide in this presentation was about the certification audit results which said pentests passed flawlessly; this of course made me smile. He did explain that while with the previous proprietary solution had various open issues (vulnerabilities), with the open-source solution this was no longer a problem.
This reflects our own personal experience where we were for some time testing the security of a proprietary VoiceXML solution that was meant to be PCI complaint. This had major security issues such as default passwords on administrative interfaces, and keeping such a system up to date with the latest security patches was described as a nightmare by the engineers!
One thing that I should mention is that PCI Penetration Testing is often extremely limited in scope and most security testers doing PCI pentesting are likely to simply look for vulnerabilities that are either detected by vulnerability scanners or web application security issues. Thus they are likely to miss VoIP-specific vulnerabilities through this approach.
Watch the presentation: https://fosdem.org/2023/schedule/event/secure_voip_payments/
I’m not going to name names on who supplies these IMSI catchers, they’re positioned for security / defense use cases. In the Paris situation is was being used for a health insurance smishing scam.
On December 30 the French police executed a controlled explosion on a device found in the back of a car, believing it to be a bomb, they subsequently identified it was an IMSI-catcher.
In another IMSI-catcher incident, an investigation by the Paris judicial police and COMCyberGEND, the cybercrime division of the Gendarmerie that was founded just two years ago. This investigation led to the identification, arrest and indictment of five men aged between 22 and 31. Five men were indicted on Thursday February 16 in Île-de-France for fraud in an organized gang after sending large-scale fraudulent SMS, franceinfo learned on Saturday from a judicial source.
They are suspected of having sent more than 400,000 bogus SMS messages linking to a health insurance website, according to a source familiar with the matter. To steal the phone numbers, the suspects relied on technology usually used by intelligence services and the fight against organized crime.
Their car carried an “IMSI-catcher”. This surveillance device, contained in a small suitcase, is capable of intercepting mobile communications by taking the place of a neighboring relay antenna. Their “IMSI-catcher” thus stole mobile phone numbers, and potentially data belonging to neighboring motorists.
The encrypted-messaging app Signal has said it would stop providing services in the UK if a new law undermined encryption.
If forced to weaken the privacy of its messaging system under the Online Safety Bill, the organisation “would absolutely, 100% walk” Signal president Meredith Whittaker told the BBC.
Element (Matrix.org), a UK company whose customers include the Ministry of Defence, told the BBC the plan would cost it clients.
Matthew Hodgson chief executive of Element, a British secure communications company, said the threat of mandated scanning alone would cost him clients.
He argued that customers would assume any secure communication product that came out of the UK would “necessarily have to have backdoors in order to allow for illegal content to be scanned”.
It could also result in “a very surreal situation” where a government bill might undermine security guarantees given to customers at the MoD and other sensitive areas of government, he added.
Tobias and I were having a discussion on Hype, is it inevitable? I decided to take an absolutist position of blame marketing and we need to rebuild technology marketing. Here are some great companies that do very little marketing – and I love some of these brands for that. I see many mistakes made by companies because they believed marketing, the mis-focus on APIs for the GSMA’s OGI, that adversely impacts their customers. Something needs to change in my opinion with respect to technology marketing.
People, Gossip, and Frivolous Stuff
Hugh Goldstein is available, previously with Sangoma, Subspace, Ecosmob / didXL, VoIP Innovations, Voxbone. And a great supporter of TADHack and TADSummit.
Edo Segal has left Amdocs.