WhatsApp banned by MOD

How many OR7s are issued work smart phones?
Perhaps that should change. There seems to be a demand for them.

And MOD uses Apple, who aren't too keen on you jailbreaking them to establish third party monitoring.
Then don't use Apple if they're a problem.

And a secure "properly encrypted" phone is a bit of overkill for a Tp SSgt organising a knock off parade.
Adequate ones are off the shelf and have been for many years. It's more a matter of controlling what software can be installed, installing apps from MOD controlled servers rather than public servers, controlling what access points the phone recognises and talks to, having the server side parts of the application running on MOD servers, and then make sure the underlying client software gets updated for the life of the phone.
 
Now here's a thing.

I got a WhatsApp message telling me that I shouldn't be using WhatsApp.
If a Roman tells you that all Romans are liars, do you believe him?
 
[snip] And MOD uses Apple, who aren't too keen on you jailbreaking them to establish third party monitoring. [...snip]
Err, you are wrong on that. If you buy enough of them as a recognised customer, they will not only let you do it, but help you out with the toolset required. I know this because I have one that is managed in just this way.
 
Perhaps that should change. There seems to be a demand for them.


Then don't use Apple if they're a problem.


Adequate ones are off the shelf and have been for many years. It's more a matter of controlling what software can be installed, installing apps from MOD controlled servers rather than public servers, controlling what access points the phone recognises and talks to, having the server side parts of the application running on MOD servers, and then make sure the underlying client software gets updated for the life of the phone.
That sounds like a piece of piss to implement. We can't even use Sharepoint properly on our secured networks. As soon as you move from Apple your security issues increase, and for an application to be effective (accessible, up to date etc) it needs to be internet facing thus the threat remains unchanged. Oh, there's no money, no servicemen, and Brexit is ongoing.
 
Err, you are wrong on that. If you buy enough of them as a recognised customer, they will not only let you do it, but help you out with the toolset required. I know this because I have one that is managed in just this way.
I didn't say they wouldn't allow it. I'd be interested to understand the impact on the user's privacy and how that is handled. Either way, right now all the App Store Apps are available to my work mobile phone, and that would cost money to change.
 
I didn't say they wouldn't allow it. I'd be interested to understand the impact on the user's privacy and how that is handled. Either way, right now all the App Store Apps are available to my work mobile phone, and that would cost money to change.
I can't access the App Store on mine and the organisation has installed its own. There's not much in there though.
 
I can't access the App Store on mine and the organisation has installed its own. There's not much in there though.
That doesn’t get us past the issue of people using their own devices for work purposes, though it would reduce instances of people using work phones incorrectly. WhatsApp will be as secure as the next product that comes along which is going to be more secure than anything MOD pushes out. Whatever the answer is, not JIVE, it needs to be as good as the current crop of commercial apps and available for all.
 
So you're saying that we need to remove all modern IS from anyone connected to Defence. Not just those Serving, but our families and friends, our associates and others in the community?

That'll do wonders for recruiting and retention then.
No, but we need to inform, educate and control. People are told not to use them in sensitive compartments, they do; told not to publish location or taking details, they do. There has to be sufficient awareness of the threats that people alter their behaviours. Despite guidance on use of (provided) VPNs we still see people not using them. Christ, we still struggle to get people to take crypto management at sea and patching seriously.
 
Disagree. Our old chum liked Apple and that's why we moved from the previous devices. There was no significant difference with an MDM and the right policies enacted.
Fair comment but that’s not the route we’ve gone down. The MDM is good but doesn’t cover the entire OS. So whilst what you are saying is in the art of the possible it’s not really practicable.
 
No, but we need to inform, educate and control. People are told not to use them in sensitive compartments, they do; told not to publish location or taking details, they do. There has to be sufficient awareness of the threats that people alter their behaviours. Despite guidance on use of (provided) VPNs we still see people not using them. Christ, we still struggle to get people to take crypto management at sea and patching seriously.
Good luck with that, misuse is often explained as an ND on a range which is probably why it is never taken seriously (I’m referring to low level stuff not walking into an AS briefing with an iPhone). People's lack of understanding is too deep to assume that education will work, and we know that will only ever be a MATT.
 
Hiding in the noise is a very good security wrapper if you know how to use it, but it's not a solve-all. There are two broad problems. One, the security community are historically sniffy about security through obscurity because it requires a lot of work from them and doesn't give a mathematically provable answer. That ignores the fact that 99.99% of real world attacks target some form of low-hanging fruit, and the point of obscurity is to get yourself high up on the tree. It may not be theoretically sound, but it works in practice.
This is fundamentally at odds with everything we know about IT security. Security through obscurity is no security at all.
 
No, but we need to inform, educate and control. People are told not to use them in sensitive compartments, they do; told not to publish location or taking details, they do. There has to be sufficient awareness of the threats that people alter their behaviours. Despite guidance on use of (provided) VPNs we still see people not using them. Christ, we still struggle to get people to take crypto management at sea and patching seriously.
It's not that. The original point was that network and traffic analysis was sufficient for a strike to be called in, and that we should be much more secure in not allowing networks to be established.

The problem is, even without knowing what I'm talking about in my personal messages, you could potentially track movements of units by the appearance (or disappearance) of a whole host of networks. And if you have a big enough dataset, you might be reasonably able to infer - by the network messages being sent by friends and relatives - of the return/leave date of units. If you want to completely break a chain between business and personal use - fine, but that comes with an overhead that the West isn't willing to pay (literally). And even then, unless you direct that no work is to be done at home (including taking home work mobiles/laptops) then you will be able to associate a personal phone with a work phone simply by geo-location (or the sudden presence of a VPN being routed through a personal IP address). And then Bob is your mother's brother, you're back in the network analysis game.

It's not for nothing that the most accurate source of submarine movements are the taxi drivers in Helensburgh. The taxi occupants can say nothing, but a sudden surge in taxis arriving (or being booked) on a specific day is a very good suggestion of when a boat arrives/departs.

There are ways around this, but none of them are palatable to us...
 
It's not that. The original point was that network and traffic analysis was sufficient for a strike to be called in, and that we should be much more secure in not allowing networks to be established.
Which can be true.

alfred_the_great said:
The problem is, even without knowing what I'm talking about in my personal messages, you could potentially track movements of units by the appearance (or disappearance) of a whole host of networks. And if you have a big enough dataset, you might be reasonably able to infer - by the network messages being sent by friends and relatives - of the return/leave date of units.
That's fair, inferences and assumptions can always be made by activity or lack of activity - but do we have to accept people making adversaries' lives easier by openly posting movements or OPDEFs? I think not.

alfred_the_great said:
And even then, unless you direct that no work is to be done at home (including taking home work mobiles/laptops) then you will be able to associate a personal phone with a work phone simply by geo-location (or the sudden presence of a VPN being routed through a personal IP address). And then Bob is your mother's brother, you're back in the network analysis game.
To identify a VPN in use you tend to have to be able to own the router(s) across which it is established.

alfred_the_great said:
It's not for nothing that the most accurate source of submarine movements are the taxi drivers in Helensburgh. The taxi occupants can say nothing, but a sudden surge in taxis arriving (or being booked) on a specific day is a very good suggestion of when a boat arrives/departs.
Overheads/NTM will mean anyone serious would already know. I don't disagree but the taxi drivers aren't broadcasting information where it can be harvested and used for further analysis/correlation. That's my wider point, we just need people and their immediate friends/families to understand the power behind OSINT.
 
If the current crop of MoD grownups and ministers don't understand WhatsApp or other methods of comms using encryption then the recent news that WhatsApp has been compromised will be of no importance at all will it? :roll:
 
No, but we need to inform, educate and control. People are told not to use them in sensitive compartments, they do; told not to publish location or taking details, they do. There has to be sufficient awareness of the threats that people alter their behaviours. Despite guidance on use of (provided) VPNs we still see people not using them. Christ, we still struggle to get people to take crypto management at sea and patching seriously.
Harsh punishment is needed. A few charges and careers going downhill and you'll soon see people doing as they are told.
 
That's my wider point, we just need people and their immediate friends/families to understand the power behind OSINT.
I'd submit that Defence needs to create a coherent policy on this. Do you want me to be active on social media, encouraging people to join up, using my lived experience to provide a source of truth for potential recruits (as recruiting and parts of the media teams want me to)? Or do I completely remove myself from SM (and tell my friends/family to not mention it either) and thus negate a potential data point for OSINT aggregation (as some parts of defence security have advocated)?

Until we do that, and think through the implications, there's little point in telling people to be wary of the OSINT footprint.
 
Which is not going to happen...intelligent people still smoke.
We can widen OS monitoring, we can make sure there are consequences for transgressions. Because it is not sufficient not to do it.

In a recent Ex we played a phish/whaling component - the UK element clicked everything under the sun, almost seemed to take pride in it; the Danes, Norwegians, Germans all mostly spotted or ignored the bait. Their cultural awareness is far higher.
 