Technology Review - Published By MIT

Simson Garfinkel's blog

A commonsense take on computer security, usability and why IT does matter.

Monday, March 26, 2007

Smart-Phone Insecurity

Smart phones have risks--but so do regular cell phones.

Last week Jon Espenschied wrote an article in Computerworld describing 10 significant security risks with today's smart phones. The article, while more than a bit geeky, makes an important point: today's smart phones are general-purpose computers and, as such, they are vulnerable to all the same security problems as other general-purpose computers. Specifically:

They may not be running the code that you think they're running (and that includes viruses, Trojan horses, and the like);

Many of the communications on and off the phone are not properly encrypted, if they are encrypted at all;

If you delete a file on the phone, it can probably be recovered;

It's easy for a motivated hacker to spy on your phone.

Espenschied's article makes good, alarming reading, but if anything, it underplays the risks of mobiles. That's because his article stresses the security problems unique to smart phones but ignores the risks to phones in general.

Back in 2003 I wrote a brief tidbit, "Understanding Cellular Telephone Security and Privacy," for a human-rights group that I was doing some work with. Instead of stressing the risks specific to smart phones, this document stresses the risks posed to any cell phone.

Thursday, March 15, 2007

Could Al Qaeda Plunge England into an Internet Blackout?

Apparently it almost did, according to an article published a few days ago in the Sunday Times (London).

According to an article by David Leppard, Scotland Yard has uncovered evidence that Al Qaeda operatives were going to blow up Telehouse Europe, a large colocation facility in Britain that is the country's largest Internet hub. Suspects who were recently arrested had conducted reconnaissance against Telehouse and had planned to infiltrate the organization and blow it up from inside.

I've toured colocation and peering facilities in the past; I even had a tour of MAE West in 1996, back when it was still a major Internet exchange point. At the time I wrote that "security at MAE West is good, but not great ... Some luddite terrorist using my name could easily have called MFS, arranged the tour, and then blown up the gigaswitch with a pipe bomb."

In Leppard's article, representatives for Telehouse reassure readers that "strategically important organisations" such as Telehouse are well defended against terrorists. We're also told that the organization went to higher states of alarm when it was alerted.

But let's be honest here: Telehouse may have the greatest security in the world, but it's just insanity for the United Kingdom to have a single Internet hotel where all the bits flow in and out. A big truck bomb could drop the building. A dirty bomb or biological hazard could simply render the building uninhabitable. Sometimes even accidents can turn a building into a wasteland. Late last year, for example, a building in Cambridge, MA, a block from the Technology Review offices, had to be evacuated when a transformer in the basement blew up. It wasn't terrorism, just an electrical accident. The building was closed and all the companies in it had to find new places to go. A lot of computer equipment was left behind--some of it running and still accessible by the network, but other equipment was turned off and irretrievable. I'm told that the building would have had to have been condemned as an environmental hazard if the transformer had contained PCBs. Fortunately, it didn't.

It's certainly nice and economical for England to put most of its external Internet connectivity in a single location. But it's in the country's long-term interests to have multiple peering points--each with a diversity of organizations. This protects against both terrorist threats and insider attacks from one of the companies.

Redundancy is a good idea, but it's expensive. One of the roles of government should be to enforce safety and reliability standards. We've all learned that the free market does a really bad job when it comes to planning for high-outcome, low-probability events.

Tuesday, March 06, 2007

Hackers in the News

It's about the people, not the technology.

A trio of interesting stories about computer hackers crossed my laptop this morning.

Randall Schwartz was a system administrator at Intel back in 1993, when he was arrested for running a password-cracking program called "crack" on one of Intel's computer systems. I knew of Schwartz because he was the author of the best-selling O'Reilly book Learning Perl. How could another O'Reilly author be a criminal?

Although the facts of Schwartz's case are confusing, we know that he had basically tried to crack the password file of Intel's Supercomputer Systems Division (SSD) after he had terminated a consulting job with that part of Intel and moved on to another. In his defense, he said that he had been upset about the poor status of the group's security and was trying to demonstrate the problem. That explanation didn't fly with the court, and Schwartz was convicted of a felony. It was widely believed at the time that Schwartz was attacked by members of his old group because of bad blood: they wanted to run an internal group with little security, and he wanted to demonstrate that their actions were materially jeopardizing the company. Well, after 10 years as a felon, Schwartz has finally been granted a pardon and had his sentence expunged. He's no longer a felon. CNET has a summary of the article.

The big lesson here is to remember that, as a consultant, you have fewer rights at a company than an employee does. And don't ever white-hack without a get-out-of-jail-free card, which is an authorization from the company to do what you want to expose its weaknesses.

Joanna Rutkowska is an impressive hacker in Europe who has made her name by finding low-level exploits based on the architecture of modern computer systems. She created a "red pill/blue pill" set of exploits that used the new virtualization instructions on modern computers as a super "rootkit" that's very hard to detect (because it's running outside of the operating system). I love her work! Now she has given a demonstration of how rootkits can defend themselves against computer forensic tools that use direct memory access to read their memory. You can read about it in Techworld too.

Photo Credit: Dave Bullock

An unnamed hacker in France has broken into a computer system used by Jean-Marie Le Pen and leaked the names of elected officials in France who have promised to endorse him in an upcoming election. According to Dan Goodin's article, "Le Pen needs the endorsement of 500 of France's 42,000 elected officials by March 16 in order to run." What a weird election system they have in France.

Goodin's article, incidentally, was written in San Francisco for the U.K.-based Register. Oh, how I love the Internet.
