More smartphones shenanigans: Ireland and the unlocked phones

In my previous rant I have noted that in Ireland it’s next to impossible to buy unlocked phones. Indeed when I went to look for a phone to travel to China at Carphone Warehouse (which at least in the UK is owned by Samsung), while they had plenty of selections for the phones, they all came with contracts.

Contracts are useful for most people, since effectively the carrier is giving you a discount on a phone so that you commit to stay their customer for a certain amount of time. When you do this, they lock you to their network, so that you can’t just switch to another carrier without either giving them their due in subscriptions or paying back the discount they gave you on the phone. In general, I see this approach as reasonable, although it has clearly created a bit of a mess to the market, particularly on the cheaper phone scale.

I have to admit that I have not paid enough attention to this in Ireland up to now simply because I have been using my company-provided phone for most of my day to day travel. Except in China, where it would not be really appropriate. So when I had to go back to Shanghai, I found myself in need of a new phone. I ended up buying one at Argos because they could source one for me by the following day, which is what I needed, and they also had last year’s Sony flagship device (Xperia X) at a decent discount, particularly when compared to the not-much-better Xperia XZ. Alternatively, Amazon would have worked, but that would have taken too long, and the price was actually lower at Argos, for this particular model.

As is usual for most Android phones, the device started running through a number of system software updates as it was turned on. Indeed, after three cycles the device, which started off with Android 6.0, ended up on 7.0. Not only that, but by now I know that Sony appears to care about the device quite a bit. While they have not updated to 7.1, they have pushed a new system software — I noticed because my phone started downloading it while in Changi airport, in Singapore, while connected to a power pack and the Airport’s WiFi! With this update, the phone is running Android security update as of May 1st 2017.

That made me compare it with the Xperia XA, the locked phone I bought from Three, and that I now managed to unlock. The phone came “branded” by Three Ireland, which for the most part appeared to just mean it splashed their custom logo at boot. Unlocking the phone did not make it update to a newer version, or de-brand itself. But despite being the cheaper version of the X, and theoretically the same generation, it was still stuck on Android 6.0.

Indeed, before the last update, probably released at the same time as the latest Xperia X firmware, the security patch level was reported as April 1st 2016, over a year ago! Fortunately the latest update at least brings it to this year, as now the patch level is January 5th, 2017. As it turns out, even the non-branded versions of the phone are only available up to Android 6.0. At least I should say hat tip to Sony for actually caring about users, at least enough to provide these updates. My Samsung Tab A is at security level 1st June 2016, and it had no software updates in nearly as much time.

There is officially no way to de-brand a phone, but there are of course a number of options out there on how to do that otherwise, although a significant amount of them relied on CyanogenMod and nowadays they will rely on… whatever the name of the new project that forked from that is. I did manage to bring the phone to a clean slate with somewhat sketchy instructions, but as I said even the debranded version did not update to Android 7.0 and I’m not sure if now I would have to manually manage software update. But since the phone does not seem to remember that the phone ever was branded, and there is no Three logo, I guess it might be alright. And since I did not have to unlock the bootloader, I’m relatively safe that the firmware was signed by Sony to begin with.

What I found interesting from using the tool to download Sony’s firmware is that most of their phones are indeed sold in Ireland, but there is no unbranded Irish firmware. There are, though, a number of unbranded firmwares for other countries, including UK. My (unbranded, unlocked) Xperia X is indeed marked down as a UK firmware. Effectively it looks like Ireland is once again acting like “UK lite” by not having its own devices, and instead relying on the UK versions. Because who would invest time and energy to cater to the 4.5M people market we have here? Sigh.

My horrible experience with Three Ireland

I have not ranted about the ineptitude of companies for a while, but this time I have to go back to it. Most of the people who follow me on Twitter are probably already fully aware of what’s going on, so if you want to skip on reading this, feel free.

When I moved to Ireland in 2013, I evaluated quickly the mobile providers available and decided to become a customer of Three Ireland. I was already a customer of Three back in Italy, and they had the same offer here as they had there, which involved the ability to be “Three like at home”, roaming on foreign Three networks for free, using the same allowance of calls and data that you have in your own country. Since my expectation was to go home more often than I actually did, roaming to Three Italy sounded like a good deal.

Fast forward four years, and I ended up having to give up and moved to a new provider altogether. This all precipitated since Three Ireland took effectively four months to fix up my account so I could actually use it, but let’s take one step at a time.

Back in January this year, my Tesco credit card got used fraudulently. Given I have been using Revolut for most of my later trips to the States, I can narrow down where my card was skimmed as one of three places, but it looks like the MIT Coop store is the most likely culprit. This is a different story, and luckily Tesco Bank managed to catch the activity right away, cancelled my card and issued me a new one. This is something I talked about previously.

The main problem was migrating whatever was still attached to that card onto a different one. I managed to convert most of my automated debits onto my Ulster Bank MasterCard (except Vodafone Italy, that’s a longer story), but then I hit a snag. My Three Ireland account was set up to auto-top-up from my Tesco Bank card €20 every month. This was enough to enable the “All you can eat data” offer, which gave me virtually unlimited data in Ireland, UK, Italy, and a few other countries. Unfortunately when I went to try editing my card, their management webapp (My3) started throwing errors at me.

Or rather, not even throwing errors. Whenever I would go to list my payment cards to remove the now-cancelled card, it would send me back to the service’s homepage. So I called them, and I’ll remind you this is January, to ask if they could look into it, and advised I won’t be able to take calls because I was about to leave for the USA.

The problem was clearly not solved when I got back to Ireland, and I called them again; they told me I would be contacted back from their tech support and they will give me an update. They called me, of course always at awkward times, and the first thing they asked me was for a screenshot of the error I was shown, except I was shown no error. So they had to go back and forth a couple of times with them, both on the phone and over Twitter (both publicly and over direct messages).

At some point during this exchange they asked me for my password. Now, I use LastPass so the password is not actually sensitive information by itself, but you would expect that they would have built something in place where they can act as one of their customers, for debugging purposes, or at least be able to override the password, and just ask me to change it afterwards. Since the second auto-top-up failed and required me to make a manual payment, I decided to give up, take screenshots of both the loading page and the following landing page, and send them as requested.

Aside note here: the reason why these auto-top-up are important, is that without these, you get charged for every megabyte you use. And you don’t get any notification that your all-you-can-eat expired, you only get a notification after you spent between €5 and €10 in data, as that’s what law requires. So if the auto-top-up failed, you end up just using your credit. Since I used to spend the credit on Google Play instead (particularly to pay for Google Play Music All Access — my, what a mouthful!), this was not cool.

By the end of March, the third auto-top-up failed, and I ended up wasting €15 for not noticing it. I called them again, and I managed to speak to the only person in this whole ordeal who actually treated me decently. She found the ticket closed because they did not receive my screenshot, so she asked me to send them directly to her address and she attached them to the ticket herself. This reopened the ticket, but turned out not to help.

At this point I’ve also topped up the €130 that were required to request an unlock code for my Sony Xperia XA phone, so I decide to request that in parallel while I fight with trying to be able to configure my payment cards. Since the phone is Sony, the unlock code comes directly from them and Three advises it is going to take up to 21 working days. When I send the request, I get an email back telling me the unlock request was not successful, and to contact the customer support. Since I was already bothering them on Twitter, I do so there, and they reassure me that they took care of it and sent the request through.

Also, this time I give up and give them my password, too. Which became even funnier, because as I was dictating it to them I got to “ampersand” and they reply “No that’s impossible, it’s not a valid character for the password!” — as it happens it is indeed not a valid character, now. When I set my password it was valid, but now it is not. I found out after they fixed the problem, because of course by then I wanted to change my password, and LastPass generated another one with the & character.

It took another month for them to finally figure out the problem, and another three or four requests for screenshots, despite them knowing my password. And a couple of times asking me to confirm my email address, despite it already being in the system and all. But at least that part got fixed.

Now remember the unlock code request above? 21 working days in most cases mean around a month. So a month after my unlock code request I call them, and they inform me that the 21 working days would expire the next day, a Friday. The reason is to be found in Easter and bank holidays being present, reducing the number of working days in the month. Fair enough, I still ask them what’s going to happen if the 21 days promise is breached, and the guy on the phone denies it is even possible. Of course the day after I got to chat with them again, and they realize that there was no update whatsoever and there should have been at least one.

They decide to request an urgent unlock, since on the Thursday I would be leaving for China, and they promise me the unlock code would be there by Monday. Goes without saying it didn’t work. When I called on Monday they told me that only Sony can provide the unlock, and since it was a long weekend they were not going to answer until at least the day after (May 1st was bank holiday, too). At this point I was pissed and asked to speak with a manager.

Unfortunately the person at the phone was not actually human, but rather was replaced by one of those call center scripts kind of drone and not only kept telling me that they had nothing personal against me, which I did not care if they did, to be honest, but refused to redirect me to a manager when I pointed out that this was ludicrous after fighting four months to get the other problem solved. They kept saying that since the ticket is closed, there was nothing they could talk to me about. They also insisted that since the unlock code hasn’t arrived they couldn’t even offer me a trade-in with an unlocked phone, as that is only available if the unlock code fails to work.

I ended up having to buy myself a new phone, because I could not risk going to China with a locked phone again. Which turned out to be an interesting experience as it looks like in Ireland, the only places to buy unlocked phones are either corner shops selling Chinese phones, or Argos. I ended up buying an Xperia X from Argos, and I’m very happy of the result, although I did not intend to spend that money. But that’s a story for another day, too. Of course the unlock code arrived the day after I bought my new phone, or should I say the day after I gave up on Three Ireland, and moved to Tesco Mobile.

Because at that point, the drone got me so angry that I decided to just spend all of my credit (minus €20 because I hit the usage limit) buying movies and books on Google Play, and when I picked up the phone on Tuesday, I also picked up a SIM for Tesco Mobile. I found out that MNP in Ireland takes less than an hour and just involves a couple of confirmation codes, rather than having to speak with people and fill in forms. And I’m indeed happy on Tesco Mobile right now.

Why am I so riled up? Because I think Three Ireland lost a big opportunity to keep a customer, the moment when I expressed my dissatisfaction with the service and with the lack of unlock code. They could have offered me a trade-in of the current phone. They could have given me the credit I spent because of their issue back. They could have even offered me a new, any new phone, locked to their network, to make it harder for me to leave them. Instead they went the road of saying that since the problem has been solved at all, there was never any problem.

I found this particularly stupid particularly compared to the way Virgin Media and Sky Ireland seem to have it down to practice: when I called Sky to ask them if they had any better offer than Virgin, back when I used TV service, they told me they couldn’t do better broadband, but they would offer me a lower price on the TV package so that I could unbundle it from Virgin. When I called Virgin to remove the TV package (because at the time they were going to increase the monthly fee), they offered to lower their price for a year to make it still more convenient for me.

Personal Infrastructure Services Security and Reliability

I started drafting this post just before I left Ireland for Enigma 2017. While at ENIGMA I realized how important it is to write about this because it is too damn easy to forget about it altogether.

How secure and reliable are our personal infrastructure services, such as our ISPs? My educated guess is, not much.

The start of this story I already talked about: my card got cloned and I had to get it replaced. Among the various services that I needed it replaced in, there were providers in both Italy and Ireland: Wind and Vodafone in Italy, 3 IE in Ireland. As to why I had to use an Irish credit card in Italy, it is because SEPA Direct Debit does not actually work, so my Italian services cannot debit my Irish account directly, as I would like, but they can charge (nearly) any VISA or MasterCard credit card.

Changing the card on Wind Italy was trivial, except that when (three weeks later) I went to restore to the original Tesco card, Chrome 56 reported the site as Not Secure because the login page is served on a non-secure connection by default (which means it can be hijacked by a MITM attack). I bookmarked the HTTPS copy (which loads non-encrypted resources, which makes it still unsafe) and will keep using that for the near future.

Vodafone Italy proved more interesting in many ways. The main problem is that I could not actually set up the payment with the temporary card I intended to use (Ulster Bank Gold), the website would just error out on me providing a backend error message — after annoying Vodafone Italy over Twitter, I found out that the problem is in the BIN of the credit card, as the Tesco Bank one is whitelisted in their backend, but the Ulster Bank is not. But that is not all; all the pages of the “Do it yourself” have mixed-content requests, making it not completely secure. But this is not completely uncommon.

What was uncommon and scary was that while I was trying to force them into accepting the card I got to the point where Chrome would not auto-fill the form because not secure. Uh? Turned out that, unlike news outlets, Vodafone decided that their website with payment information, invoices, and call details does not need to be hardened against MITM, and instead allows stripping HTTPS just fine: non-secure cookies and all.

In particular what happened was that the left-side navigation link to “Payment methods” used an explicit http:// link, and the further “Edit payment method” link is a relative link… so it would bring up the form in a non-encrypted page. I brought it up on Twitter (together with the problems with changing the credit card on file), and they appear to have fixed that particular problem.

But almost a month later when I went out to replace the card with the new Tesco replacement card, I managed to find something else with a similar problem: when going through the “flow” to change the way I receive my bill (I wanted the PDF attached), the completion stage redirects me to an HTTP page. And from there, even though the iframes are then loaded over HTTPS, the security is lost.

Of course there are two other problems: the login pane is rendered on HTTP, which means that Chrome 56 and the latest Firefox consider it not secure, and since the downgrade from HTTPS to HTTP does not log me out, it means the cookies are not secure, and that makes it possible for an attacker to steal them with not much difficulty. Particularly as the site does not seem to send any HTTP headers to make the connection safe (Archive.is of Mozilla Observatory).
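The problems described above (session cookies without the Secure attribute, no HSTS header, explicit http:// navigation links, relative links inherited by an HTTP page, and mixed content) can all be checked mechanically on a captured response. The following is an added example, not code from the original post or from any of the providers; the host names, paths, cookie names and the `audit_response` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that navigate the user vs. ones that load subresources.
NAV_ATTRS = {("a", "href"), ("form", "action")}
SUB_ATTRS = {("script", "src"), ("img", "src"), ("iframe", "src"), ("link", "href")}


class _UrlCollector(HTMLParser):
    """Collects (kind, absolute_url), resolving relative URLs against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in NAV_ATTRS:
                self.urls.append(("nav", urljoin(self.page_url, value)))
            elif (tag, name) in SUB_ATTRS:
                self.urls.append(("sub", urljoin(self.page_url, value)))


def cookie_missing_secure(set_cookie_value):
    """True if a Set-Cookie header value lacks the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie_value.split(";")[1:]]
    return "secure" not in attrs


def audit_response(page_url, headers, html):
    """Return a sorted list of findings for one captured response."""
    findings = set()
    page = urlsplit(page_url)
    header_names = {key.lower() for key, _ in headers}

    # Without HSTS the browser will happily follow a later downgrade to HTTP.
    if page.scheme == "https" and "strict-transport-security" not in header_names:
        findings.add("no-hsts")
    # A cookie without Secure is also sent on plain-HTTP requests to the host.
    for key, value in headers:
        if key.lower() == "set-cookie" and cookie_missing_secure(value):
            findings.add("cookie-without-secure:" + value.split("=", 1)[0])

    collector = _UrlCollector(page_url)
    collector.feed(html)
    for kind, url in collector.urls:
        target = urlsplit(url)
        if target.scheme != "http":
            continue
        if kind == "sub" and page.scheme == "https":
            findings.add("mixed-content:" + url)
        elif kind == "nav" and target.hostname == page.hostname:
            findings.add("http-navigation:" + url)
    return sorted(findings)


# Constructed sample data: hypothetical host and paths, not captured from a real site.
HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=it; Path=/; Secure"),
]
HTTPS_PAGE = """
<a href="http://selfcare.example/payment-methods">Payment methods</a>
<a href="/invoices">Invoices</a>
<script src="http://static.example/app.js"></script>
"""
# The page reached through the http:// link: its relative link stays on HTTP.
HTTP_PAGE = '<a href="edit-payment-method">Edit payment method</a>'

if __name__ == "__main__":
    for finding in audit_response("https://selfcare.example/home", HEADERS, HTTPS_PAGE):
        print(finding)
    for finding in audit_response("http://selfcare.example/payment-methods", [], HTTP_PAGE):
        print(finding)
```

The second call shows why a single explicit http:// link is enough: every relative link on the page it leads to resolves to HTTP as well.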

Okay so these two Italian providers have horrible security, but at least I have to say that they mostly worked fine when I was changing the credit cards — despite the very cryptic error that Vodafone decided to give me because my card was foreign. Let’s now see two other (related) providers: Three Ireland and UK — ironically enough, in-between me having to replace the card and writing this post, Wind Italy has completed the merge with Three Italy.

Both the Threes websites are actually fairly secure, as they have a SAML flow on a separate host for login, and then a separate host again for the account management. Even though they also get a bad grade on Mozilla Observatory.

What is more interesting with these two websites is their reliability, or lack thereof. For almost a month now, the Three Ireland website does not allow me to check my connected payment cards, or change them. Which means the automatic top-up does not work and I have to top-up manually. Whenever I try to get to the “Payment Cards” page, it starts loading and then decides to redirect me back to the homepage of the self-service area. It also appears to be using a way to do redirection that is not compatible with some Chrome policy as there is a complicated warning message on the console when that happens.

Three UK is slightly better but not by much. All of this frustrating experience happened just before I left for my trip to the USA for ENIGMA 2017. As I wrote previously I generally use 3 UK roaming there. To use the roaming I need to enable an add-on (after topping up the prepaid account of course), but the add-ons page kept throwing errors. And the documentation suggested to call the wrong number to enable the add-ons on the phone. They gave me the right one over Twitter, though.

Without going into more examples of failures from phone providers, the question for me would be, why is it that all we hear about security and reliability comes from either big companies like Google and Facebook, or startups like Uber and AirBnb, but not from ISPs?

While ISPs stopped being the default provider of email for most people years and years ago, they are still the one conduit we need to connect to the rest of the Internet. And when they screw up, they screw up big. Why is it that they are not driving the reliability efforts?

Another obvious question would be whether the open source movement can actually improve the reliability of ISPs by building more tools for management and accounting, just as they used to be more useful to ISPs by building mail and news servers. Unfortunately, that would require admitting that sometimes you need to be able to restrict the “freedom” of your users, and that’s not something the open source movement has ever been able to accept.

My time abroad: Dublin tips

I’m actually writing this while “on vacation” in Italy (vacation being defined as in, I took days off work, but I’ve actually been writing thousands of words, between the blog, updates to Autotools Mythbuster and starting up a new project that will materialize in the future months), but I’ve been in Ireland for a few months already, and there are a few tips that I think might be useful for the next person moving to Dublin.

First of all, get a local SIM card. It’s easy and quick to get a prepay (top up) card. I actually ended up getting one from Three Ireland, for a very simple reason: their “Three like home” promotion allows me to use the card in Italy, the UK and a few more countries like if it was a local one. In particular, I’ve been using HSDPA connection with my Irish account while in Italy, without risking bankruptcy — the Three offer I got in Ireland is actually quite nice by itself: as long as I top up 20 euro per month, whether I spend it or keep it, they give me unlimited data (it shows up in my account as 2TB of data!). The same offer persists in Italy.

I’ve also found it useful to get a pre-paid mobile hotspot device, for when guests happen to stop by: since it does not make sense for them to get an Irish SIM, I just hand them the small device and they connect their phone to that. When my sister came to visit, we were able to keep in touch via WhatsApp: neither of us spent money with expensive international SMS, and she could use the maps even if I was not around. I decided to hedge my bets and I got a Vodafone hotspot; the device cost me €60, and came with a full month prepaid, I can then buy weekly packages when I get guests.

Technology-wise, I found that Dublin is surprisingly behind even compared to Italy: I could find no chainstores like Mediaworld or Mediamarkt, and I would suggest you avoid Maplin like a plague — I needed quickly two mickey-mouse cables with UK plugs, so I bought them there for a whopping €35 per cable… they are sold at €6 usually. I’ve been lucky at Peats (in Parnell Street) but it seems to be very hit and miss depending on which employee is following you. Most of everything I ended up getting through Amazon — interestingly enough I got a mop (Mocio Vileda) through Amazon as well, because the local supermarkets in my area did not carry it, and the one I found it at (Dunnes in St Stephen Green) made it cumbersome to bring it back home; Amazon shipped it and I paid less for it.

Speaking of supermarkets, I got extremely lucky in my house hunting, and I live right in the middle of two EuroSpar — some of their prices are more similar to a convenience store than a supermarket, but they are not altogether too bad. I was able to find buckwheat flakes in their “healthy and gluten free” aisle, which I actually like (since I’m not a coeliac, I don’t usually try to eat gluten free — I just happen to dislike corn and rice flakes).

I also found out that ordering online at Tesco can actually save me money: it allows me to buy bigger boxes for things like detergents, as I don’t have to carry the heavy bags, and at the same time they tend to have enough offers to make up for the delivery charge of €4. Since they have a very neat mobile app (as well as website — they even ask you the level of JavaScript complexity you want to use, to switch to a more accessible website), I found that it’s convenient for me to prepare a basket over there, then drop by the EuroSpar to check for things that are cheaper over there (when I go there for coffee), and finally order it. For those who wonder why I still drop by the EuroSpar, as I said in a previous post they have an Insomnia coffee shop inside, which means I go there to have breakfast, or for a post-lunch coffee, whenever I’m not at work. Plus sometimes you need something right away and you don’t want to wait for delivery, in which case I also go there.

Anyway, more tips might follow at a later time, for the moment you have a few ideas of what I’m spending my time doing in Dublin…

New phone – looking for a new provider

So, today I received my new phone, a shiny (well, not shiny because it’s opaque) Motorola V1075. I love it, good form factor, big but not too big, and I hear well during phone calls.

Now the problem is to choose a provider. I originally thought of using Vodafone, as that’s what most of my friends use, but I got a bad surprise when I looked up a tariff plan: all the old ones, that were created with the name Omnitel, before Vodafone acquired it from Olivetti group, are still in place (and are the ones used by my friends), but cannot be activated; all the new ones have all the calls, to any provider, at the same price (like I have now on the Wind number)… but at one and a half times the price I have now! The only good things are the promotions, but they are temporised, and I should still pay a monthly quota even if I don’t use them… yes, maybe I would pay less on some things, like SMS to Vodafone users, but whenever I actually do a phone call, I would spend all my savings.

I’ve asked my sister to procure me a SIM for my current provider, Wind, that although having limited services, it’s quite good with respect to tariffs it seems. My current plan is €.10/minute to every national provider (with €.10 at the answer), and €.10 for SMSs to any provider, national and international (tried that already, and it’s true). The bad side is that the coverage on this area is pretty bad on its own, and there’s no UMTS signal here.

The other alternative is 3, that covers this area with 3G signal, and has a similar tariff, but I’m not sure about this either. I got reports of bad practises from them in the past, and that causes my doubts.