Just in case you had any doubts about how much of a security risk your mobile phone presents, have a read of Jacob Appelbaum's interview with N+. Jake's with both the Tor and Wikileaks projects, and has been detained and scrutinized to a fare-thee-well.
Appelbaum: Cell phones are tracking devices that make phone calls. It's sad, but it's true. Which means software solutions don't always matter. You can have a secure set of tools on your phone, but it doesn't change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It's a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody's cell phones will automatically jump onto the tower, and if the phone's unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.
Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?
Appelbaum: Maybe. But iPhones, for instance, don't have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.
Resnick: And how easy is it to create something like to that?
Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.
You may be saying here, "Huh, I'm sure glad that I'm not doing anything that would get me targeted by US spooks!" Think again. First, there's the possibility that you'll be incorrectly identified as a bad guy, like Maher Arar< who got a multi-year dose of Syrian torture when the security apparatus experienced a really bad case of mistaken identity.
But second, remember that whatever governments can do with technology, organized criminals can do too (this is doubly true of back-doors that governments mandate in telecoms equipment and software to make spying easier — they can be used by anyone, not just "good guys").
And finally, remember that whatever the leet haxxors of the mafia are doing today on the cutting edge will be reduced to a short script that can be run by fatfingered noobie script kids tomorrow, in automated attacks that are indiscriminately ranged against tens of millions of devices in the hopes of finding a few that are vulnerable.
Or as Jake says:
The first response people have is, whatever, I'm not important. And the second is, they're not watching me, and even if they were, there's nothing they could find because I'm not doing anything illegal. But the thing is, taking precautions with your communications is like safe sex in that you have a responsibility to other people to be safe—your transgressions can fuck other people over. The reality is that when you find out it will be too late. It's not about doing a perfect job, it's about recognizing you have a responsibility to do that job at all, and doing the best job you can manage, without it breaking down your ability to communicate, without it ruining your day, and understanding that sometimes it's not safe to undertake an action, even if other times you would. That's the education component.
So security culture stuff sounds crazy, but the technological capabilities of the police, especially with these toolkits for sale, is vast. And to thwart that by taking all the phones at a party and putting them in a bag and putting them in the freezer and turning on music in the other room—true, someone in the meeting might be a snitch, but at least there's no audio recording of you.
(via /.)