back to article Military infosec SNAFUs: What WhatsApp and bears in the woods can teach us

Fans of John le Carré’s Tinker Tailor Soldier Spy know how top military secrets are extracted from the enemy. Senior figures are turned in operations run by the most secret brains in the country, bluff and double-bluff mix with incredible feats of bravery, treachery and psychological manipulation. Not any more. If head KGB spy …

  1. Headley_Grange Silver badge

    "..ubiquitous, frictionless sharing"

    At least Bowman erred on the side of caution and made ubiquitous, frictionless sharing almost as difficult for the British army as it was for any spies trying to eavesdrop.

  2. chivo243 Silver badge

    No Sh1t

    It’s true you can’t spell shit without IT... Especially when your Org's name ends in "Sh" like mine!! In all the years of writing our Office name, nobody has caught it...!

    1. A Nother Handle
      Holmes

      Re: No Sh1t

      Great Ormond Street Hospital IT?

      1. Korev Silver badge
        Coat

        Re: No Sh1t

        Oh GOSH

        1. Anonymous Coward
          Anonymous Coward

          Re: No Sh1t

          I've mentioned this one before, but the rather amusing and accurate SVN username of our IT intern in Shanghai, shit-intern

  3. MarkET

    Encryption

    Plainly highlights that you have something to hide. I prefer the dark energy 7G band personally.

    1. W.S.Gosset Silver badge

      Re: Encryption

      Careful -- that causes COVID-38

  4. Potemkine! Silver badge

    “Three may keep a secret, if two of them are dead.” . So what about 80,000!

    Anyway, thinking that anything going through something belonging to FeckBook is secure is experiencing disillusion.

  5. Anonymous Coward
    Anonymous Coward

    Actually, Bowman worked *perfectly*...

    ...until the Ministry of Dunderheads started dicking around with the list of requirements. That's when it all went horribly wrong.

    See also every MoD progamme since about 1943...

  6. amanfromMars 1 Silver badge

    Special AIR Services with/for Advanced IntelAIgent Resources on Sensitive Operational Missions

    It was open to the MoD — it’s open to all enterprises — to build only the bits needed to do the specific job, and buy in the other components. Or, with open source, get the components for free and pay to learn the expertise to use it — a much better investment.

    That would be an Astute Agile ACTIVe AWEsome development, methinks, and both practically and virtually perfect for Special Operations Executions ..... SMARTR AIdDeployments ........ https://forums.theregister.com/forum/all/2021/04/29/google_safari_workaround_supreme_court/#c_4248463

    Tell me that is not a Master Key Project and we will disagree fundamentally.

    1. amanfromMars 1 Silver badge

      Re: Special AIR Services with/for Advanced IntelAIgent Resources on Sensitive Operational Missions

      And the gazillion dollar questions are ....... Is it to be an Exotic Erotic Eastern Triumph or Wild Wacky Western Delight, First and Foremost?

      cc MOD/CCP/FSB/DARPA.....MICE@darpa.mil [to name but four interesting parties for live engagement and future instruction]

      And sound logical advice to the likes of a DARPA? Up the ante ..... for $1,000,000 is peanuts whenever there are no limits or restraints available for what can now be so easily done with Advanced and Advancing IntelAIgent Technologies in ACTive Current Deployment Nowadays in 0Days Exploiting Endemic Systemic Vulnerabilities ...... aka Novel NEUKlearer HyperRadioProACTivated IT Opportunities.

      And you don't often get that sort of direct message freely shared openly for all to see and hear wherever they may be with the simplest of facilities available to reply to it too.

      But please, don't be like an earlier idiot taxpayer here again exhibiting obvious prime ignorance with a gratuitously offensive comment fully demonstrating no understanding of that which abounds around them. It is both unbecoming and misleading. Although I do accept that some folk one just cannot help because of their default retarding disposition/lack of necessary future intelligence facility and utility, and they just can't help themselves, which is a shame to try blame others for.

      @amanfrom Mars 1

      Just shut up. It's Friday right? Boozing time not bullshit time. ..... https://forums.theregister.com/forum/all/2021/04/29/google_safari_workaround_supreme_court/#c_4249462

  7. HildyJ Silver badge
    IT Angle

    Trust

    It all boils down to trust and I don't trust users.

    At every level you find users who will want to save the decrypted output "just in case." And the higher up the command (or management) chain you go, the more likely it is.

    The reason you can't spell shit without IT is that IT is where the shit flows to.

  8. yetanotheraoc

    Why, yes it does!

    "Does your endpoint have a Share button to the internet? You probably want to write that yourself."

    You probably want to disable that, I think you mean. Features you don't want is basically the problem with something like WhatsApp. Here's an idea. Instead of outsourcing, the MoD should train their signals people to code, and develop their messaging app internally. I bet the MoD would be really good at the large software systems from days of yore. Death march, anyone?

    1. fajensen Silver badge

      Re: Why, yes it does!

      Nah. For the sake of efficiency, we want everything to be posted in PowerPoint to "battlespace.org" with just one click. How else can our superb generals inject the glorious progress of the operations into the 24/7 news cycle??

  9. Stuart Moore
    Pint

    That's real spycraft, not just going through the motions.

    That deserves one of these -->

  10. Tired and grumpy

    It's not about the message, it's about the metadata

    I fear we're missing the point here. Yes, there are ways for content to leak from WhatsApp, but isn't the real issue that the metadata give Zuckerberg & co. the ability to map UK military structures and communications flows in real time? I wouldn't bet on WhatsApp or Facebook being very secure from that perspective, so we have to assume that both our enemies and our allies have exploited this opportunity.

    1. Michael Wojcik Silver badge

      Re: It's not about the message, it's about the metadata

      There's an OPSEC concern there, certainly. But those communications are likely to be voluminous and noisy enough that the practical value of traffic analysis is low. And while traffic flows on public networks can be obfuscated (as with Tor), some information will always leak.

      That said, WhatsApp seems like a poor choice. They could at least have gone with Signal instead. (I realize WhatsApp has many features Signal doesn't, which is itself a security issue, because of the "Availability" aspect of the CIA triad and because users will seek to circumvent systems which they perceive as failing to meet their needs. But disciplined organizations can overcome those problems.)

      There are a number of security analyses of WhatsApp. Here's one summary of some results.

  11. Anonymous Coward
    Anonymous Coward

    Why do people pretend it's secure, just because of Signal protocol?

    The Signal protocol covers only the 1st step. Beyond the end (of end to end encryption) often lies a 2nd wide open end. Typing on a phone is crummy and you don't see much on a small screen. So many people I know use the WA browser frontend that's a lot more comfortable with mouse and real keyboard.

    They could have implemented that by putting a web server on the phone, so only a browser in the same LAN could connect (which excludes BYOD setups). Instead, the browser conveniently (for their eavesdropping) talks to their server. Fun fact: the notification on the PC pops up easily one second before the phone beeps.

    So any chat where at least one party uses the browser is wide open to WA.

    Astoundingly in Germany they are obeying the restraining order against their planned data grab. Despite their threats to lock me out for not accepting their constant nagging about their new conditions, they still haven't.

  12. Michael Wojcik Silver badge

    standard security terms

    I have to quibble with this bit in a generally fine piece: "Like those Soviet decrypts, on paper WhatsApp looks secure — if you think in standard security terms."

    "Standard" security – whether we're talking about security engineering, secure systems analysis, threat modeling, what some people refer to as a "security mindset", etc – would most definitely not stop at WhatsApp's (alleged) communications security.

    No competent security professional would imagine for a moment that COMSEC is the full scope of any communications system. And encryption isn't the whole of COMSEC, either. Other posters have already mentioned traffic analysis and the risks of metadata capture by Facebook or other actors. But more importantly, historically COMSEC has more often been bypassed by OPSEC failures or compromising people involved in the system. HUMINT generally beats SIGINT.1

    Many years ago Bruce Schneier famously remarked: "If you think cryptography will solve your problem, you don't understand cryptography and you don't understand your problem". To a first approximation that remains true.

    WhatsApp is "secure" in a popular or naïve sense, perhaps. Not in any sense that should be called "standard security".

    1ObUNIX: Yes, SIGKILL beats SIGINT too.

  13. EnviableOne Silver badge

    the system they need exists

    have a look at Hospify (hospify.com)

    it was designed for a medical environment, but it stops stuff going into General device storage and encrypts user to user

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021