ARRSE User Security

Discussion in 'ARRSE: Site Issues' started by Good CO, Mar 24, 2008.

  1. Good CO

    Good CO LE Admin

    Following the upset that my job offer post caused I've written an article about ARRSE user security in the wiki and apologise for not having done so earlier.

    http://www.arrse.co.uk/wiki/ARRSESecurity

    I've also removed the job advert, and combined the threads that resulted into this single security thread.

    Comments on the wiki article would be well received and I will amend and act on any errors or omissions.

    Overall though, I stick to my initial guns by saying that I find it highly unlikely that a terrorist is about to behead you after an infiltration plot to gain access to the ARRSE email database. i.e. Don't panic.

    Do please read though, and "don't use crap passwords!".
     
  2. I fear the original job announcement thread is getting taken off track.

    Perhaps further "applicant vetting" commentary could be lodged here.

    Any security measures put in place should perhaps meet the oft cited maxims of being
    "Proportional, Affordable and Reasonable".

    Looking at past performance from some arrsers over the past 6 years, I think there are more pressing security needs in the PERSEC area than there are in how Arrse recruits its full-time staff.

    A threat assessment would indeed cover all aspects of Arrse usage, not just the hiring of one employee.

    The BS 7858:2006 standard (Security screening of individuals employed in a security environment. Code of practice) would not be a bad start.
    There are a number of potentially vulnerable young Cadets and recruits on Arrse. Whilst it has its limitations*, a CRB check may not be a bad idea as well.

    The COs also know that they can turn to a ready-made panel of expertise who have been conducting reliability interviews and checks in NI, Bosnia, Sierra Leone, Iraq and Afghanistan for the past 40 years.

    However, the best form of personnel security is good man-management and pastoral care. The person could have DV with all the bells and whistles up to 49 PARA spec ops.

    However, if they are not managed properly and made to feel part of the team, then no vetting in the world will do the job.

    * Even Mrs Sonic has a current CRB cert with her name incorrectly spelt
     
  3. It hasn't ever been a problem for the mods, who also have access to that information. Some of the mods are civvies through and through and I don't think Arrse has ever had one instance of a 'security breach'.

    I'm sure GCO can use his good judgement recruiting the right person without needing to call in Stella Rimington. :roll:

    And surely a privacy clause in whatever contract is drawn up would cover concerns for untoward use of 'personal details'. For crap's sake, MCM don't 'DV' most of the civvies and they have the world at their fingertips!
     
  4. Good CO

    Good CO LE Admin

    Thanks for the sensible post on this, and the point about management is very true. A disgruntled employee could take an address list and sell it to a spam company.

    I still don't see a valid threat because of email address compromise however. That doesn't mean we don't take the protection of them seriously - we do, and any request for one will be met with a refusal and 'court order only'. Even when we would love to give the requesting authority / legal representative the email address concerned.

    I do not think however that my employing an IT graduate in Plymouth is a remotely serious threat to ARRSE users. Walking out of MOD main building every day, wearing your uniform home, becoming an executive director for a security company after retiring as CGS may do. Using ARRSE doesn't.
     
  5. Fair enough GCO, I share your views about the counter-productivity of all these conspiracy theories and it is sufficient simply to know that you have taken this possibility - however remote - into consideration. Your judgement prevails.
     
  6. I agree very much with what’s been said here so far, while security is a concern for any web site that deals with personal information, there really is a line where a company’s responsibility to its customer needs to be drawn. Personally, I think that a CRB check is a fairly reliable way of confirming that the potential employee is trustworthy. Anything further than this is very much overkill for a website Administrator job, especially when it’s likely to be filled by an ex-serviceman.

    At the end of the day, this site isn’t part of the MoD’s web presence and as such can’t be held to the same standard as sites such as Armynet for security. It’s expensive, labour intensive and it’s not required, restricted information isn’t passed through the website and the emails present in the user database are unlikely to be SASTROOPER@MOD.CO.UK. Anything else is purely the user’s responsibility to his PERSEC, if you’re worried about being discovered to be an Army Cook or some such don’t demonstrate an in-depth up-to-date knowledge of the army cooking course on the website. It’s exactly the same as wandering around the city centre in your no.2s and then moaning about the police not providing a wheeled box to protect your identity.
     
  7. I agree.

    Not much point going for CRB let alone S/C, S/C+ or DV (to use extreme examples) when commercial data centres are struggling to find staff of the right technical calibre in the first place.

    With hindsight, I accept that the probability of any compromise occurring through access to IP addresses is pretty negligible. Most people don't have a static IP address anyway, as GCO points out.

    Hopefully people are becoming more and more aware of the risks arising from posting email addresses, and are either using web based services or at least using them carefully (eg fred-dot-bloggsATaol.com).

    The issue of disgruntled staff is a valid one IMO, and the point about good management is perfectly valid.
     
  8. These factors are everywhere though, in business and the public sector also. As with all things to do with persec and the internet, I work on the simple fact that whatever I post may come back and haunt me... also, if you use your primary email address for a web forum, well... doh.

    QED... if you worry the net is compromising persec then don't use it.

    The latest move by many ISPs to sell your stats is a bigger worry, if you worry about IP tracking and personal information. Personally though I really don't give a monkeys, to be honest, as to target me as an individual amongst the terabytes of data means that it's tinfoil time.

    As I said, if you have persec issues what the heck are you doing online... :roll:
     
  9. meridian

    meridian LE Good Egg (charities)

    Information security is a big concern for everyone, I used to be heavily involved with it in a commercial/professional capacity.

    The bottom line is there is only so much a site owner of a public forum like this can do, and any security measures have to be appropriate for the level of risk anticipated. It is freely open to the net and as long as the site is run professionally, which it is, I am happy to continue to post here.

    So, look at the risks, decide how to treat those risks and check at regular intervals.

    Maybe in the welcome email that is used to confirm the email address, or somewhere prominent on the site, there could be a paragraph on security, tips and advice, what is the user's responsibility and what is the site owner's responsibility, etc.
     
  10. Bad CO

    Bad CO LE Admin Reviews Editor Gallery Guru

    Might be worth pointing out that, as a serving officer, I have as much of a vested interest in this as anyone else! It might be worth mentioning also that I declared my ARRSE activities(!) during my DV interview and it didn't seem to raise any eyebrows.

    However, be under no doubts that whoever we employ will be scrutinised to ensure that all of our personal information is kept as closely guarded as it currently is. It may be worth pointing out that everyone needs to remain vigilant about who online has their personal details although I'd counsel against 'tin foil hat' paranoia. One of the best ways of doing this is to use an anonymous email address rather than give your personal one. Maybe something like 123456@yahoo.co.uk ......
     

  11. Damn, that's me compromised......
     
  12. Good CO

    Good CO LE Admin

    Good points all, particularly that last one. I am quick to forget that internet security is a very tricky area and there is a lot of myth and duff advice out there, maybe from me!

    I will get the facts on this added to the site registration and FAQ in the wiki. The location-through-IP issue etc. (It is my understanding that) we are not tied to this sort of info by the Information Commissioner's regs because the data we hold is not considered 'personal information', but it is an area of interest to a lot and I could do with clearing the mist a bit.
     
  13. As the person who first questioned this I am glad that it is now being taken seriously.

    Yes, I was naive when I registered on ARRSE. I used my ordinary email address. I wouldn't do that now. I don't know who can access my email address. CO? mods? I've no idea.

    Providing information on these issues at the point of registration will be a good thing.

    Introducing, maintaining and publishing a security policy would be an even better thing.

    I hope this can be taken as a constructive comment.
     
  14. You see that is news to me although I suspected this was the case. Perhaps this will prompt a re-assessment of the current joining procedure?

    I have little concern for my PERSEC as far as being targeted by jihadists is concerned! That said, ARRSE is widely understood to be an anonymous forum and members ought to be made well aware of the degree to which such anonymity may be void as regards administrators and moderators.

    It's all new for all of us so this needn't be considered to be a failure, more a time for revision and re-assessment.
     

  15. It’s as anonymous as any other web forum or as anonymous as any member wants to make it. You cannot unfortunately educate those who either don’t care or leave a paper trail a Down Syndrome away-day party could follow. One would like to think that those who are potentially at threat would have the basic common sense to comply with the same basic persec they would observe in the real world. The only 'info' a mod can glean from his or her privileges are IP and email address (from posts in their own forum). And correct me if I'm wrong, Admin only have the same info. A member is only required to submit an email address and that is all. As has been discussed, an IP will not give a position of a person away and an email address is limited unless that address has a trail across other mediums on the net.

    I don’t think it is the responsibility of Admin to make people aware of security other than what is permissible to post. It is the individual's responsibility to ensure that if they don’t want to be compromised, they ensure they are squeaky. It is very easy to ping some people on here, even to the extent of getting a house address and phone number. That's not down to mod powers, that's down to weak persec and the power to use logic with Google.

    You have to ask 'what info could an insider get'? Very little...unless the user wishes to give it.

    Employing someone in the scope Arrse Admin wish doesn't require MI type clearances or deep vetting. I would imagine some sensible wording in whatever contract is drawn up would be sufficient.


    B/GCO. Have you thought about contracting it out to Delhi?