Fi on a non-Google phone is like mowing your lawn with a weed eater….

I’ve seen the “can you use Project Fi with an XYZ model phone” question over and over. Invariably someone (or several someones) will reply “yeah, it works”. And while this answer is kind of / sort of technically correct (with caveats), it’s misleading! When I see this I imagine quotes around the word works… it “works” – unfortunately, a lot of people take it at face value.


Before we go any further, you need to understand a couple of basic issues.  GSM carriers (like T-Mobile and AT&T) use sims to provision service on their network. The sim’s unique id is what is activated by the carrier and ties the service to whatever phone it’s inserted in. On the other hand, CDMA carriers (Sprint) only use the sim to provision the data portion of their service (LTE) – the cell side is provisioned based on a unique id in the PHONE.

You also need to be aware that not all phones have all of the US cell bands that are used by T-Mobile and Sprint. For instance, the International versions of Nexus phones don’t have any CDMA bands.

Activating your Project Fi Sim

The first thing that happens when you start the Project Fi activation process is that the Project Fi app verifies that you are using a supported phone. If you aren’t on a supported phone, the app stops the activation process. In short, you can NOT activate a Project Fi sim on an unsupported phone (to me this means it does NOT work).

If you are on a supported phone, the app activates service on T-Mobile using the sim’s ID and then activates the PHONE’s unique ID on the Sprint Network.

So, I’ll just activate my sim in my friend’s Google Phone

And now we head down the rabbit hole.  Yes, you MAY be able to do that – BUT, you will be activating your friend’s phone on Sprint. This has a couple of possible side effects:

  • Your friend’s phone may have issues if he tries to activate Sprint service (either Sprint, Project Fi or any Sprint MVNO).
  • When you change out the sim, your phone will not be able to utilize the Sprint network. It will basically be a T-Mobile ONLY sim.

OK, so I’ll use a “Data Only Sim” Instead

Not so quick. The “Data Only Sim” is an ADD ON to a full sim, so if you can’t activate your primary sim, you won’t be able to use the data only one. This sim is intended as a way to get access to a SECOND device (like a tablet), not as your primary service.

Additional Things To Consider

  • Google will NOT support Project Fi on an unsupported phone.
  • Google has stated in the Network Policies section of their TOS that all “supported devices” will be listed on the Project Fi website and that they “reserve the right to suspend any device that we reasonably determine is unsupported”.  So, yes, they have the option of terminating your service for using a non-approved phone.


Basically, it’s like asking a group of guys “can I mow my lawn with a weed eater”?  There will be at least one guy that will say “sure, you can do that”. And while he is technically correct, and may be doing it himself; it is only kind of “working”.

Regardless of what you’ve heard – No, Project Fi sims do not work (note the lack of quotes) on unsupported phones! You probably need to consider a T-Mobile plan (or one of its MVNOs – like Straight Talk).

Have fun and enjoy Project Fi!



Project Fi – What is a “Key” and why should I care?

What does the “KEY” mean?

I’ve seen several new (and some not so new) Project Fi users asking “what’s a key?”  So I thought I would take a crack at explaining what it is and why you should care.

First off, the “key” simply means that Project Fi’s WiFi Assistant is using an open WiFi hotspot to route all of your data through a Google VPN (see diagrams 2 and 4 below).  What this means to you is that your data is encrypted from your phone all the way to Google’s VPN server.

While we don’t know all of the rules for when Google’s WiFi Assistant will automatically connect, we do know that (at present) it only works on open hotspots with no “captive portal”.  What does that mean?  It means that if you have to provide a passphrase (WEP / WPA2 password for the router) or you have to acknowledge a Terms Of Service or click through a “Welcome” page (captive portal), WiFi Assistant won’t automatically connect and the VPN won’t be used.

Beyond that, we’ve been told that hotspot owners can “opt out” of providing this service and that Project Fi uses “a network quality database to help determine which networks are high quality and reliable.”  I’ve also seen the WiFi Assistant connect in a location one day but then not the next day – general consensus is that the location may or may not be “WiFi Assistant” material on a given visit based on connectivity at that time.

Why do you call it a “KEY” and how do I know if I get one?

If you are connected via a VPN, you will see a key on your Project Fi status bar.

I’ve got a “KEY”, why do I care?

Well, the primary reason is that the key means that your data is encrypted from your phone to Google.  In the diagram below, this means that you don’t have to worry about “points of attack” A through E below.

Secure Data Transfer




What are the likely points of attack?

  • A – between your phone and the WiFi hotspot.  This is the easiest point of attack because the attacker doesn’t need physical access to any of the network hardware.  He can simply “listen to” (sniff) your WiFi radio connection.  Also keep in mind that some WiFi encryption protocols have been successfully hacked – for instance WEP is basically useless.  Just because the hotspot you are connected to uses WEP or WPA2 doesn’t mean it can’t be sniffed.
  • B – at the “hotspot”.  Hotspots are basically computers. It’s quite possible to embed malicious code in a hotspot to compromise data. This is reportedly common at some “cyber cafes” and other “public” hotspots.
  • C – between the hotspot and the ISP.  This isn’t very likely because it would require physically tapping the connection (think Police / NSA).
  • D – at the hotspot’s ISP.  Remember that while you trust your ISP, not all hotspot owners are using trustworthy upstream providers. A small provider with a rogue employee has access to 100% of the unencrypted traffic going through their servers.
  • E – between the ISP and the “internet”.  Ok, this is kind of the same thing as G below, but I mention it specifically because it is one of the hack points the NSA has used to log traffic going into / out of the backbone.
  • F – the internet.  When you connect to a web site,  you don’t connect “directly” to that site.  Your data bounces from server to server (sometimes 10-20 “hops”) before getting to the other end. If your data isn’t encrypted, it can be compromised at any of these hops.
  • G – between the internet and the web server.  This would usually be used to see who is using a specific web server.  Police would use this to log users connecting to illicit servers and hackers would target this to get “high value” data going to a specific server.

Possible Connection Scenarios 

I’m going to arbitrarily assign weights to each of the 7 points of attack above (based on my opinion how likely each is).

A=4, B=2, C=0.5, D=1.5, E=0.5, F=1, G=0.5

So, if you are still with me (I’m surprised I haven’t bored you to death), let’s look at the 6 scenarios above and their security ratings (based on the scale above, 0-10 with higher being better):

  1. Using an open WiFi Hotspot with HTTP protocol.  In this case, your data can be captured at any point (A-G).   Rating:  0
  2. Using an open WiFi Hotspot with HTTP protocol and a “KEY” (Google VPN).  In this case, you are protected from your phone to Google.  This will defeat the vast majority of sniffing attempts. Rating:  7
  3. Using open WiFi + HTTPS (SSL).  This is as good as SSL is (which is pretty good).  There has been some talk that SSL may be compromised by the government, but I’ve not seen any definitive documented examples (but I’m going to knock off a point just in case). Rating: 9
  4. Using open WiFi + HTTPS (SSL) and VPN. This is about as good as it gets.  Your data is double encrypted through steps A-E. Rating: 10
  5. Using WEP / WPA2 encrypted hotspot with HTTP.  This is very similar to option 1 except you get 3 out of 4 on the first step (it loses a point for possible compromise).  Rating: 3 (EDIT: I was reminded that it’s not actually fair to group WEP with WPA2 or WPA3 since WEP is seriously flawed, so I’m going to change my rating).  Rating WEP: 0, Rating WPA2/3: 3
  6. Using WEP / WPA2 encrypted hotspot with HTTPS (SSL).  Pretty darned good.  Rating: 9.5

Are there any other ways the VPN could protect me?

Yes, there is (at least) one way.  When you directly connect to a remote host, the host (and every hop in between) sees your public facing IP address (your Comcast / AT&T provided router address).  If you use a VPN, the remote server will see a Google provided IP address.  What this means is that it would be quite a bit harder for the remote server to identify who you are.  Anonymity can be a good thing. 🙂

Ok, so where do I go to find a key?

There is a crowdsourced map of locations where keys have been seen.  Keep in mind that locations where keys have been seen may still not show a key for you if the connectivity at the hotspot isn’t “good enough”.

Project Fi WiFi Spots

I don’t want Google knowing that much about me

I know many people are concerned about how much Google “knows” about them.  While I haven’t been able to locate the specific privacy policy related to the Google VPN, I’m pretty sure you are safer using Google than any of the “free VPN” services.  Google is a big corporation with a reputation to uphold, “Johnny’s Free VPN” service is only as good (and reputable) as Johnny is.


Project Fi’s “Key” or VPN is a cool free feature that you should be happy to see.

I hope you found something in here useful.

Down the SDR Rabbit Hole

I’ve always been intrigued by Amateur Radio.  I’m not specifically talking about HAM radio even though that is certainly part of it.

As a boy I traded a telescope for an OLD “world band” radio and spent a lot of time doing stupid stuff like setting the EXACT time on my watch to the WWVB signal.  Honestly, there wasn’t really much to listen to in North West Arkansas in the 70’s on a 50’s era radio, but I tried.  Keep in mind that we didn’t have the internet, so the only way you could find a station was to slowly tune through the bands listening for something that wasn’t static – which meant you had to tune over the station WHILE it was broadcasting (which can be a bit of a trick when only a few stations broadcast 24×7).  Of course you COULD buy a book or subscribe to a magazine that listed some frequencies to try out if you had the money to spend.

Later, I found a copy of an Amateur Radio Relay League (ARRL) book in a thrift store and spent hundreds of hours looking through it, dreaming about how cool it would be to be able to actually do the stuff they were talking about.  Unfortunately, the cost of getting into amateur radio was a deal breaker for me.

In high school I actually went “all in” and bought a CB radio with “significant” antenna and got my CB license (yes, they actually licensed that back in the day).  My call sign was KAKJ4409.

Since then I’ve always found an excuse NOT to get too involved in radio (yeah, I’ve bought a low end Radio Shack scanner, the not so occasional FRS and digital $35 world band receiver at Walmart, etc.  – but I’ve not gotten “into it”).  I’ve considered getting my ham license, but I’ve always found an excuse not to – I didn’t want to learn Morse code, the radios were too expensive, etc.

By this point I bet you are wondering where this is going, well…  I’ve recently gone down the Software Defined Radio (SDR) rabbit hole and I want to document my descent.  For those of you who don’t know, SDR uses computer software to decode a digital version of the radio spectrum.  To do this, you need a device to receive the radio waves and convert them to digital.  Until fairly recently this piece of equipment was incredibly expensive and really only available to the military and research folks, but not any more.

Several years ago, several companies started producing hobby SDR cards.  Then a security researcher figured out that a USB TV tuner that costs about $15 can function as an SDR radio when paired with the right software.  This is the specific rabbit hole I’m headed down.

I’ll post follow up articles as I work my way through the jungle of open source SDR software and I’ll try to leave enough bread crumbs that you can follow my path if you find yourself so inclined.

Happy DX’ing.

Android WebKit Car Analogy

The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License.

“Google throws nearly a billion Android users under the bus” and “Why Google won’t fix a security bug in almost a billion Android phones” but what I haven’t seen is an article that explains the situation in a way that people who WANT to blame Google seem to be able to understand so I’m going to try to explain this using an automobile analogy.

Imagine that Google makes automobile motors that many auto manufacturers use in the cars they sell. Some manufacturers want higher performance motors, so they replace the standard intake and cam with “improved” versions.  Other manufacturers want more creature comforts in their cars, so they strap on AC units and other accessories.

Now it turns out that there was a problem with the motors that Google provided to manufacturers 18 months ago. To make things more interesting, the manufacturers didn’t actually have to pay ANYTHING to Google for the motors Google provided. Additionally, Google has offered to replace all of  their previous models at no additional charge twice since the faulty motors were shipped.

The manufacturers have chosen to not replace the faulty motors because they thought they were “good enough” and they would have to apply their chosen modifications to the replacement motors before sending them out. Besides, if people really want a new motor, they need to buy a new car. Right?

Keep in mind that this analogy is flawed.  For instance it implies that Google is actually providing hardware. They aren’t.  A more accurate analogy (but one less likely to be understood) is that Google is providing the software for the car’s computer.  All of the mechanical parts (including the electronics for the computer) are produced by the car manufacturer, but there is a bug in the code that Google made available to the manufacturer. Google doesn’t even know what kind of computer the manufacturer has chosen to install in their car.

My question to you is:  when you buy a car and it has problems with the motor (or computer), who do you go to for service?  I expect the vast majority of people would say the manufacturer (or its dealers) but many of these same people seem to want to put 100% (or more) of the blame on Google for the webkit issue. Logic seems to elude some people….

Is Google responsible for the bug? Sure, it was in their code. Is Google responsible for the bug not being fixed in your phone? Nope! They fixed the bug in later releases and your phone manufacturer chose not to release that fix.

Blocking Facebook Game Invites

So, you are tired of getting inundated with invites to Facebook games and want people to stop sending them to you…  Well, you have two options:  post a plea asking people to stop (sorry, it’s not going to work) or you can block the invites.

Unfortunately, Facebook has made it a bit harder than it used to be – but you can still do it.  Here’s how:


Step 1: you need to choose the “Lock” icon on the Facebook status bar.

Step 2: select “See More Settings” at the bottom of the “Lock” menu.

Step 3: Choose the “Blocking” menu option on the left menu.


Step 4:  Block app invites from user

Once you block app invites from someone, you’ll automatically ignore future app requests from that friend. To block invites from a specific friend, click the “Ignore All Invites From This Friend” link under your latest request.

Step 5: Block apps

Once you block an app, it can no longer contact you or get non-public information about you through Facebook.

And that’s it!  I hope this helps someone!  🙂

Twitter spam may NOT be associated with Gawker

I’m sure that by now you’ve heard that the sudden spike in Twitter spam “appears to be due to the Gawker compromise”.  I’m not so sure.  I have a Twitter account that has like 9 followers and it ended up with 2 outgoing spam messages on it.  However, I don’t have a Gawker account (nor any of the other web sites associated with it).  Yeah, I know I might have forgotten that I set one up on one of the many Gawker related sites, but when I enter my e-mail address (OK, addresses) I get a not found on all of them.  Add to this Gawker’s assurance that the passwords were encrypted and the fact that my Twitter user ID is not the same as any of my other user ids, and I find it VERY suspicious.

So, if it wasn’t the Gawker leak that explains the Twitter storm today, what does?  My guess is that someone either hacked Twitter’s account system (or one of the software programs that posts Twitter messages for you) or there is a new way to send a Tweet that is attributable to someone else.  Who knows….

Why is Twitter blaming Gawker?  It could be as simple as “because they can”….

Cry from Laughter after watching this baby – Facebook Trojan

Well, it seems we have a new wave of Facebook Trojans loose on the internet. The one that I researched while writing this post, links to a web site that is actually a phishing scheme that presents a FAKE Facebook login screen.  If you provide your Email and Password, it starts spamming your friends on Facebook with links to it. It appears that it also does the more typical thing and installs a Facebook application for you that will spam your friends with links to it (and sometimes other links).

If you fell for this (or a similar scam), the first thing to do is to change your Facebook password and then go to “Account / Privacy Settings / Applications and Websites / Applications You Use / Edit Settings” and remove everything you don’t recognize (watch the video below for step by step instructions on how to remove unwanted Facebook apps)!

I’ve also seen some posts that suggest that at least some of these links attempt to install the Koobface Virus, however I can’t confirm this.  The article I linked to implies that this virus is virulent across Windows, OS X and Linux.

If you are on Windows, it’s highly recommended that you have a good virus checker installed and current.  I personally recommend AVG Free, which (as the name implies) is free and quite good.

BTW, if you use Firefox, Chrome and / or Open DNS (Family Shield is free and awesome), you will be presented a warning page for this site that tells you it’s a phishing site BEFORE you get the login page.

Sophos has a good video on how to remove applications (like “Stop Txting Lk Ths”, “NFee”, etc.) that you have already set up (if you aren’t already a fan of Sophos, I would recommend doing it as they tend to notify you of Facebook scams pretty quickly and give good general security advice).  Here’s their video:


Oh, and in case you didn’t know, Facebook has stated clearly, that Facebook Profile Trackers DO NOT Exist!  If you installed one, you need to follow the suggestions in this article to remove the scam application that was installed.

Facebook post:  Funniest baby a live you must watch !!!   Cry from Laughter after watching this baby.  See all the funniest videos on the net in one place!!!  My gosh you have to see this baby its the funniest thing every!!!  Baby sitting on the toilet reading a newspaper. This American GUY must be Stoned to Death for doing this to a GIRL. 10 things every GIRL wants in a MAN! This Teen Killed Herself After her Dad Posted This On Her Facebook! OMG this father crashed and died after THIS message from is daughter on his blackberry! See Who Is Viewing Your Profile!

Buzz Cason at Thirst N’ Howl

For those of you who don’t know who Buzz Cason is, he’s a singer / songwriter that has written songs (like “Everlasting Love”) for a bunch of groups you have probably heard of  (The Beatles, U2, Pearl Jam, Mel Tillis, The Oak Ridge Boys, Martina McBride and Dolly Parton, Gloria Estefan and Brenda Lee).

Buzz will be playing Saturday 11/13 at Thirst N’ Howl (14710 Cantrell Road, Little Rock, AR) .  This is an “all ages” show with no cover charge.  I would get there early and eat dinner if you want a seat, this place is pretty small and tends to fill up early.  🙂

Have fun!

Buzz Cason’s Home Page

Buzz Cason’s ReverbNation Page

Thirst N’ Howl’s Home Page

Thirst N’ Howl’s Google Places
