The security apprentice

This originally appeared in a post at Sophos’ Naked Security blog.

There have been two recent occasions on which my computing life has been influenced by Lord Sugar, the business mogul in charge of Amstrad and star of BBC One’s reality show The Apprentice.

The first was on a visit to the National Museum of Computing at Bletchley Park, where I got to use a computer Amstrad produced back in the 1980s, that went by the catchy name “CPC 6128”. It was running a Tetris clone called Blocks created—as was proudly proclaimed on the game screen—by an upstart programmer called “G Cluley”.

The second was this weekend, when the device you see in the picture showed up in a charity shop. This is the E-mailer Plus, a sort of executive phone/internet thing released by Amstrad in 2002. Being a fan of old computers, especially oddball ones like the E-mailer, I bought it.

The key feature of this phone was that it also had e-mail and web capabilities, albeit delivered via a premium rate number that lined Lord Sugar’s pockets with every mail check. Users could configure the phone to automatically fetch their mail to be read on the attached LCD screen.

And, indeed, someone had used this E-mailer for e-mail. Someone I shall call “Colin” had set up two accounts on the device. How do I know this? Because Colin hadn’t deleted these accounts before taking his phone to the charity shop.

As I said, the E-mailer relies on a dial-up service which was discontinued earlier this year by its ultimate owners, BSkyB. That means that I couldn’t, should I want to, fetch Colin’s new e-mail messages. But there were messages already stored on the phone that I could have read. More surprisingly, the configuration screens let me see passwords assigned to Colin’s accounts: has he used the same passwords on any other services?

Hopefully you’re aware of the need to ensure there’s no sensitive information stored on old computers before you dispose of them, particularly if you’re going to sell them on to other users. My new (or should I say Colin’s old) E-mailer shows that this goes for any device that stores or accesses your data, including phones both smart and retro.

I now imagine a scene in Lord Sugar’s office. “Colin, you made a basic error. By failing to delete your accounts before giving away your phone, you put your e-mail messages and your passwords at risk. You compromised the privacy of your own and your company’s data, and for that reason, you’re fired.”