WhatsApp banned by MOD

The solution is a message platform controlled by the MoD with self-destructing messages, like Signal or Wickr.

It'd probably take some geek a day to make & cost F all. So I look forward to the MoD spending a couple of Billion on it & development being cancelled in a decade.
 
I think you'll find the policy makers are 20-30s civilians in MoD.
Indeed, it's the senior Officers (who to be extremely clear, are not A2) who get in an entire tizzwozz about "the interwebz" and go off on random things they've heard from "faceache" third hand, via their neighbours' friends' niece...
 

Sarastro

Doesn't work. If someone wants to find your device they can and will. Most of our people's cyber (I hate that word) footprint is awful.

Some communities may have adopted that principle. They're doing that for speed and rarely repeat in the same place. Not so good for Maj Damage from MoD who works on Head Office and socialises in London.
Your first paragraph is a big and remarkably unbounded claim. It does work, but like everything it works under a specific set of parameters. Yes, having a "static" device being used over a long period is one of those, but in networking terms turning your device into a non-static one is trivially easy these days. You can also, if you set up your networks right, split your traffic so your public exit points are all over the place (and without Tor), all without significantly impacting the user. What's more, turning your device into an infinite series of brand new devices is pretty easy, just not very user friendly. All with free, civilian available tools.

Hiding in the noise is a very good security wrapper if you know how to use it, but it's not a solve-all. There are two broad problems. One, the security community are historically sniffy about security through obscurity because it requires a lot of work from them and doesn't give a mathematically provable answer. That ignores the fact that 99.99% of real world attacks target some form of low-hanging fruit, and the point of obscurity is to get yourself high up on the tree. It may not be theoretically sound, but it works in practice. Second, and probably what you are talking about, most users don't actually want to hide, but want to blurt data all over the internets.

That said, I know of several official organisations who have used or proposed a form of hiding in the noise for their network traffic, and I'd be really surprised if the secure internal networks of the big tech companies didn't do the same. It's not that it is a bad or unworkable idea, or that anyone can find any SPECIFIC device if they want (so very much not true, and damaging misinformation to suggest it is). It's that the professional understanding of mid-level securocrats who inform and make such decisions in places like the MOD is chronically poor, and their priorities are more about quantifying risk / responsibility and ease of technical implementation, than actually getting the best outcome.
 
I pull out two salient points from your post.
1. There is no single solution.
2. It takes a lot of effort to remain secure, and that’s where the issue lies for the MOD.
Which on rereading you have nicely summarised at the end!
 
I once sought advice on a situation similar to this, and the response was constant monitoring and loss of privileges for offenders. Very difficult to achieve on personal devices though.
 
My bad - Mobile Device Manager; it's a way of managing enterprise mobile devices (phones, tablets, laptops etc) and enforcing security policies, restrictions etc upon them. A good way to manage corporate capability.

MDM description
I have never heard that term before. We call it something else, although, in reality, it is not a single 'manager', it is a range of resources. These include people, machines and sensors.

Nonetheless, I get the point and thanks for the clarification.
 

A2_Matelot

You can buy an "MDM", and in that sense they are a 'thing', but I get the point there is a wider business process wrap that needs to be articulated.

BTW your moniker still makes me chuckle
 

A2_Matelot

It's not that it is a bad or unworkable idea, or that anyone can find any SPECIFIC device if they want (so very much not true, and damaging misinformation to suggest it is). It's that the professional understanding of mid-level securocrats who inform and make such decisions in places like the MOD is chronically poor, and their priorities are more about quantifying risk / responsibility and ease of technical implementation, than actually getting the best outcome.
There are parts I agree and disagree with. Exploitation of SS7 weaknesses with commercially available tools allows a huge amount of options for the "commercial entities" in this field of work, and when you layer on top the capabilities of Nation States and State Sponsored actors there is little that is impossible, noting the phone alone won't help; other vectors are almost always needed. And if a tower has been compromised or spoofed (à la Stingray) then you're in a world of pain.

What is unhelpful, and you're entirely right about MoD in many ways, is the downplaying of the risks that really do exist.
 
Let's be honest. If a state organ, not even necessarily domestic, is targeting you as a private person, you are practically defenceless.
 
Having previously been in the business of knowing what other people do not, I hate phones.

What could be managed with a simple device read out and excel was viewed by others in my office as black magic. I am sure much more can be achieved now with the onwards march of data driven science, I merely made do with excel and some basic pivot tables which were good enough to be used in criminal interview.

I am sure now, people would be loose on phones running much better data science.

Stuff like this is free.

https://www.edx.org/course/python-basics-for-data-science-2

Why more people aren't into it is beyond me.
I once worked for a very large and well known European multi-national. They got themselves into a bit of legal bother at one point (not that it was their only experience with that) and in the aftermath they sent a senior team around to all of their locations to give speeches repeating corporate policy statements and the usual other waffle to show that the senior management were suitably chastened by the experience of "a few junior people acting without authority" (or rather being careless enough to get caught at it).

One of the team was a lawyer and when his turn to speak came up his advice was short and to the point. It could be basically summed up as in future we should put fewer things in writing and conduct more business face to face. None of the others disagreed with that recommendation.

To comment more generally, people who think that security in the modern age can work on the principle of "I'm so insignificant that nobody will make the effort of spying on me" don't seem to realise that in the modern age where spying is automated, it can be easier to simply target everyone than to manually home in on specific targets. Yes it can be worth while targeting "whales" (key people) as well, but the automated end of things can be left to do what it does best, which is to grind through huge masses of information to filter out the bits that may be significant by automatically correlating seemingly meaningless information with other seemingly meaningless information to build up a complete picture.

The point I'm trying to make is that relying on being secure by being unnoticed doesn't work in the modern age. The opposition is now a cluster of computers sifting through everything, not some foreign fellow in a uniform sitting in an office trying to connect lines on a blackboard with chalk.

Ah!, but some people will cry. This sort of analysis is "nation state level", as if that in itself removes all responsibility from our own shoulders.

However, even if the "nation state" excuse were in itself somehow relevant, it is an outdated view. The cutting edge research for analysing huge masses of data is being done by the advertising and marketing industries, and the by-products are working their way into many other fields of business. The salaries being paid in this field by industry dwarf those in the public sector and so they attract all the top talent. The underlying software is often open source and free. Huge computing clusters are available to anyone with a credit card on demand courtesy of cloud computing.

Loads of information on you is for sale from data brokers, ready to be correlated with other information from other data brokers. This is an international business, and privacy regulations, quaint as they may be, are routinely ignored with impunity.

And phone and computer hacks themselves are typically developed by independent third party security researchers who sell them to the highest bidder, whether that is a government or a company such as NSO Group, or a criminal or terrorist organisation. NSO Group were reportedly offering hundreds of thousands of dollars for a good zero day exploit on phones. There is an entire industry which has grown up around basement dwelling hackers in places such as eastern Europe developing exploits and selling them to the highest bidder.

I could write a lot more on this, but the important point is that those people who count on being unnoticed are I believe living in the past. The opponent isn't some guy in an office in Moscow. The opponent is a cluster of computers which is tireless and relentless in waiting for you to make that one mistake which will expose you. The only real basis for security is that which can be mathematically proven and whose implementation is kept up to date by a dedicated team of qualified and experienced people.

And as others have pointed out, this isn't a purely theoretical problem. Artillery strikes have been called in and people killed in Ukraine because someone was careless with their phone which tagged them at point 'A' so that when their ID number cropped up at point 'B' in range of artillery they and their associates got malleted.
 
If someone launches an artillery strike on A Tp Lines Tidworth Barracks because the Tp SSgt has used WhatsApp to post parade timings I’d be impressed. The two ends of the spectrum here with plenty of points in between and Availability of information is required throughout.
 
Ah. Sadly.

To be fair, OWASP lists almost every platform as vulnerable to such attacks

Buffer Overflows - OWASP
He thinks being able to access the FT means it's vulnerable though, without any knowledge of the Paywall model in use and why they let you through.
 
Someone harvests the Tp SSgt's WhatsApp contact list (see the current story), uses that to find more targets to harvest more contact lists, and then uses that to build up a diagram of who is connected to whom and in what way. They then combine this with geographic information (see the previous thread on fitness tracking apps) to find their patterns of movement and observe them for changes which may indicate upcoming major events. This is the basic sort of work which every military intelligence organisation tries to gain, and there's no point in simply handing it to them on a platter.

Now that they know in detail who is connected to whom, you only need one person in that group to be careless in the field and you have your artillery strike inbound.
 
So you're saying that we need to remove all modern IS from anyone connected to Defence. Not just those Serving, but our families and friends, our associates and others in the community?

That'll do wonders for recruiting and retention then.
 
Sorry, I had my head up my OS and was a bit pre-occupied playing with technical toys!
 