ARRSE User Security

#1
Following the upset that my job offer post caused I've written an article about ARRSE user security in the wiki and apologise for not having done so earlier.

http://www.arrse.co.uk/wiki/ARRSESecurity

I've also removed the job advert, and combined the threads that resulted into this single security thread.

Comments on the wiki article would be well received and I will amend and act on any errors or omissions.

Overall though, I stick to my initial guns by saying that I find it highly unlikely that a terrorist is about to behead you after an infiltration plot to gain access to the ARRSE email database. i.e. Don't panic.

Do please read though, and "don't use crap passwords!".
 
#2
I fear the original job announcement thread is getting taken off track.

Perhaps further "applicant vetting " commentary could be lodged here.

Any security measures put in place should perhaps meet the oft cited maxims of being
"Proportional, Affordable and Reasonable".

Looking at past performance from some arrsers over the past 6 years, I think there are more pressing security needs in the PERSEC area than there are in how Arrse recruits its full-time staff.

A threat assessment would indeed cover all aspects of Arrse usage, not just the hiring of one employee.

The BS 7858:2006 standard (Security screening of individuals employed in a security environment. Code of practice) would not be a bad start.
There are a number of potentially vulnerable young Cadets and recruits on Arrse. Whilst it has its limitations*, a CRB check may not be a bad idea as well.

The COs also know that they can turn to a ready-made panel of expertise who have been conducting reliability interviews and checks in NI, Bosnia, Sierra Leone, Iraq and Afghanistan for the past 40 years.

However, the best form of personnel security is good man-management and pastoral care. The person could have DV with all the bells and whistles up to 49 PARA spec ops.

However, if they are not managed properly and made to feel part of the team, then no vetting in the world will do the job.

* Even Mrs Sonic has a current CRB cert with her name incorrectly spelt
 
#3
EX_STAB said:
As the post would provide access to the real email addresses of lots of servicemen and women whose units, rank and deployment is often clear from their posts, wouldn't some form of vetting be a very good idea, especially for those from a non-service background?
Hasn't ever been a problem for the mods who also have access to that information. Some of the mods are civvies through and through and I don't think Arrse has ever had one instance of a 'security breach'.

I'm sure GCO can use his good judgement recruiting the right person without needing to call in Stella Rimington. :roll:

And surely a privacy clause in whatever contract is drawn up would cover concerns for untoward use of 'personal details'. For crap's sake, MCM don't 'DV' most of the civvies and they have the world at their fingertips!
 
#4
Thanks for the sensible post on this, and the point about management is very true. A disgruntled employee could take an address list and sell it to a spam company.

I still don't see a valid threat because of email address compromise however. That doesn't mean we don't take the protection of them seriously - we do, and any request for one will be met with a refusal and 'court order only'. Even when we would love to give the requesting authority / legal representative the email address concerned.

I do not think however that my employing an IT graduate in Plymouth is a remotely serious threat to ARRSE users. Walking out of MOD main building every day, wearing your uniform home, becoming an executive director for a security company after retiring as CGS may do. Using ARRSE doesn't.
 
#5
Fair enough GCO, I share your views about the counter-productivity of all these conspiracy theories and it is sufficient simply to know that you have taken this possibility - however remote - into consideration. Your judgement prevails.
 
#6
I agree very much with what’s been said here so far, while security is a concern for any web site that deals with personal information, there really is a line where a company’s responsibility to its customer needs to be drawn. Personally, I think that a CRB check is a fairly reliable way of confirming that the potential employee is trustworthy. Anything further than this is very much overkill for a website Administrator job, especially when it’s likely to be filled by an ex-serviceman.

At the end of the day, this site isn't part of the MoD's web presence and as such can't be held to the same standard as sites such as Armynet for security. It's expensive, labour intensive and not required: restricted information isn't passed through the website and the emails present in the user database are unlikely to be SASTROOPER@MOD.CO.UK. Anything else is purely the user's responsibility to his PERSEC; if you're worried about being discovered to be an Army Cook or some such, don't demonstrate an in-depth, up-to-date knowledge of the army cooking course on the website. It's exactly the same as wandering around the city centre in your No.2s and then moaning about the police not providing a wheeled box to protect your identity.
 
#7
I agree.

Not much point going for CRB let alone S/C, S/C+ or DV (to use extreme examples) when commercial data centres are struggling to find staff of the right technical calibre in the first place.

With hindsight, I accept that the probability of any compromise occurring through access to IP addresses is pretty negligible. Most people don't have a static IP address anyway, as GCO points out.

Hopefully people are becoming more and more aware of the risks arising from posting email addresses, and are either using web based services or at least using them carefully (eg fred-dot-bloggsATaol.com).

The issue of disgruntled staff is a valid one IMO, and the point about good management is perfectly valid.
 
#8
These factors are everywhere though, in business and the public sector also. As with all things to do with persec and the internet, I work on the simple fact that whatever I post may come back and haunt me... also, if you use your primary email address for a web forum, well... doh.

QED... if you worry the net is compromising persec then don't use it.

The latest move by many ISPs to sell your stats is a bigger worry, if you worry about IP tracking and personal information. Personally though I really don't give a monkeys, to be honest, as to target me as an individual amongst the terabytes of data means that it's tinfoil time.

As I said, if you have persec issues what the heck are you doing online... :roll:
 
#9
Information security is a big concern for everyone, I used to be heavily involved with it in a commercial/professional capacity.

The bottom line is there is only so much a site owner of a public forum like this can do and any security measures have to be appropriate for the level of risk anticipated. It is freely open to the net and as long as the site is run professionally, which it is, I am happy to continue to post here.

So, look at the risks, decide how to treat those risks and check at regular intervals.

Maybe in the welcome email that is used to confirm the email address, or somewhere prominent on the site, there could be a paragraph on security: tips and advice, what is the user's responsibility and what is the site owner's responsibility, etc.
 
#10
Might be worth pointing out that, as a serving officer, I have as much of a vested interest in this as anyone else! It might be worth mentioning also that I declared my ARRSE activities(!) during my DV interview and it didn't seem to raise any eyebrows.

However, be under no doubts that whoever we employ will be scrutinised to ensure that all of our personal information is kept as closely guarded as it currently is. It may be worth pointing out that everyone needs to remain vigilant about who online has their personal details although I'd counsel against 'tin foil hat' paranoia. One of the best ways of doing this is to use an anonymous email address rather than give your personal one. Maybe something like 123456@yahoo.co.uk ......
 
#11
Bad CO said:
One of the best ways of doing this is to use an anonymous email address rather than give your personal one. Maybe something like 123456@yahoo.co.uk ......

Damn, thats me compromised......
 
#12
Good points all, particularly that last one. I am quick to forget that internet security is a very tricky area and there is a lot of myth and duff advice out there, maybe from me!

I will get the facts on this added to the site registration and FAQ in the wiki. The location-through-IP issue etc. (It is my understanding that) we are not tied to this sort of info by the Information Commissioner's regs because the data we hold is not considered 'personal information', but it is an area of interest to a lot and I could do with clearing the mist a bit.
 
#13
As the person who first questioned this I am glad that it is now being taken seriously.

Yes, I was naive when I registered on ARRSE. I used my ordinary email address. I wouldn't do that now. I don't know who can access my email address. CO? mods? I've no idea.

Providing information on these issues at the point of registration will be a good thing.

Introducing, maintaining and publishing a security policy would be an even better thing.

I hope this can be taken as a constructive comment.
 
#14
The-Lord-Flasheart said:
EX_STAB said:
As the post would provide access to the real email addresses of lots of servicemen and women whose units, rank and deployment is often clear from their posts, wouldn't some form of vetting be a very good idea, especially for those from a non-service background?
Hasn't ever been a problem for the mods who also have access to that information. Some of the mods are civvies through and through and I don't think Arrse has ever had one instance of a 'security breach'.

I'm sure GCO can use his good judgement recruiting the right person without needing to call in Stella Rimington. :roll:

And surely a privacy clause in whatever contract is drawn up would cover concerns for untoward use of 'personal details'. For crap's sake, MCM don't 'DV' most of the civvies and they have the world at their fingertips!
You see that is news to me although I suspected this was the case. Perhaps this will prompt a re-assessment of the current joining procedure?

I have little concern for my PERSEC as far as being targeted by jihadists is concerned! That said, ARRSE is widely understood to be an anonymous forum and members ought to be made well aware of the degree to which such anonymity may be void as regards administrators and moderators.

It's all new for all of us so this needn't be considered to be a failure, more a time for revision and re-assessment.
 
#15
EX_STAB said:
The-Lord-Flasheart said:
EX_STAB said:
As the post would provide access to the real email addresses of lots of servicemen and women whose units, rank and deployment is often clear from their posts, wouldn't some form of vetting be a very good idea, especially for those from a non-service background?
Hasn't ever been a problem for the mods who also have access to that information. Some of the mods are civvies through and through and I don't think Arrse has ever had one instance of a 'security breach'.

I'm sure GCO can use his good judgement recruiting the right person without needing to call in Stella Rimington. :roll:

And surely a privacy clause in whatever contract is drawn up would cover concerns for untoward use of 'personal details'. For crap's sake, MCM don't 'DV' most of the civvies and they have the world at their fingertips!
You see that is news to me although I suspected this was the case. Perhaps this will prompt a re-assessment of the current joining procedure?

I have little concern for my PERSEC as far as being targeted by jihadists is concerned! That said, ARRSE is widely understood to be an anonymous forum and members ought to be made well aware of the degree to which such anonymity may be void as regards administrators and moderators.

It's all new for all of us so this needn't be considered to be a failure, more a time for revision and re-assessment.

It’s as anonymous as any other web forum or as anonymous as any member wants to make it. You cannot unfortunately educate those who either don’t care or leave a paper trail a Down Syndrome away-day party could follow. One would like to think that those who are potentially at threat would have the basic common sense to comply with the same basic persec they would observe in the real world. The only 'info' a mod can glean from his or her privileges are IP and email address (from posts in their own forum). And correct me if I'm wrong, Admin only have the same info. A member is only required to submit an email address and that is all. As has been discussed, an IP will not give a position of a person away and an email address is limited unless that address has a trail across other mediums on the net.

I don’t think it is the responsibility of Admin to make people aware of security other than what is permissible to post. It is the individual's responsibility to ensure that if they don’t want to be compromised, they ensure they are squeaky. It is very easy to ping some people on here, even to the extent of getting a house address and phone number. That's not down to mod powers, that's down to weak persec and the power to use logic with Google.

You have to ask 'what info could an insider get'? Very little...unless the user wishes to give it.

Employing someone in the scope Arrse Admin wish doesn't require MI type clearances or deep vetting. I would imagine some sensible wording in whatever contract is drawn up would be sufficient.


B/GCO. Have you thought about contracting it out to Delhi?
 
#16
Good CO said:
The position starts on 15th April
That is very close & would surely rule out anyone already in employment!
 
#17
To put my 2 pence in... I know of a firm that will take on the responsibility outlined above for about a quarter of the salary mentioned..

Only problem is that the work will have to be done remotely.

PS: why in this day and age does a website developer need to be tied down to a location?

Let me know if you're interested...
 
#18
Most of it has been said already but your personal security when using any internet forum is down to you.

- Use an anonymous email address from Hotmail, Yahoo, etc.
- Use different usernames on different forums
- And most importantly use different passwords on different forums and particularly don't use the same password for an online forum that you would use with your internet banking, PayPal, eBay account, etc.!

If you're really worried about a forum admin or mod seeing your IP then it is easy to set up your browser to use a proxy server; however, it is a pointless exercise really and you should be careful where that proxy server is located.

As GoodCO mentioned on the other thread, the biggest threat to your PERSEC is through social engineering.
 
#19
Priority attribute of the potential candidate/employee has been woefully missed out Good!

'a sound sense of humour and ability to shield oneself against humiliation and general strawberry Mivvie bashing from your ARRSE employers each Friday POETS DAY Happy Hour' oh! and a sound Knowledge base of ARRSEpedia would be highly recommended... 8) I propose they also go through an ARRSE employee initiation ceremony - ideas of the content for this to be added to in this Thread: I propose they must Shotgun a can of Red followed swiftly by a Can of green, play in a game of 'Freckles' and 'Soggy Biscuit' with all other candidates, complete a timed circuit in and out of the Flags and around Smeaton's Tower and back on the Hoe, carrying a jerry can of water in each hand and dressed in Dress Code 14.5 "70's Spotters Gear" build a raft out of 45 Gallon Oil Drums, planks of wood and some lengths of cordage (ARRSE DS taking particularly close attention to detail with good Square Lashings all round) and race out to Drake's Island, twice around and back again at all times shouting or whistling the tune to Hawaii 5 'O'....

Thus endeth Day One of their week long Pre ARRSE Selection Board...

:wink:
 
#20
Just a quick bump so yesterday's contributors know where this thread has gone, otherwise I'll be accused of all sorts of underhanded evil-doing.

I'm sure there are plenty of users with IT security experience and I am very open to comments about my summary (see first post and here http://www.arrse.co.uk/wiki/ARRSESecurity ):