back to article NSA warns that mobile device location services constantly compromise snoops and soldiers

The United States National Security Agency has issued new advice on securing mobile devices that says location services create a security risk for staff who work in defence or national security. The new guide [PDF], titled “Limiting Location Data Exposure”, notes that smartphones, tablets and fitness trackers “store and share …

  1. Lee D Silver badge

    Or just... don't allow phones in secured areas.

    1. pavel.petrman

      phones in secured areas

      In such a case you'd have a congestion of "going offline" events at the main entrance of your security area.

      1. LDS Silver badge
        Devil

        Re: phones in secured areas

        Just leave the phone on at home...

        1. Smooth Newt Silver badge
          Angel

          Re: phones in secured areas

          Just leave the phone on at home...

          And possibly walk to work too.

          Many cars have mobile telephony baked in - either upmarket vehicles for "connectivity features" (which will become increasingly mainstream), or for systems like eCall - which uses mobile telephony to contact the emergency services (and mandatory in the EU for new cars). And don't get me started on the network connectivity requirements of self-driving vehicles.

      2. Smooth Newt Silver badge
        Facepalm

        Re: phones in secured areas

        It would help if all the organizations that collected this data actually treated it as if it was sensitive rather than, as some are alleged to do, simply selling it to anyone who wants it. And that, in the US, is down to the US government itself to do something about.

        See Congress to FCC: Where’s the damn report on mobile companies selling location data?

      3. JimboSmith Silver badge

        Re: phones in secured areas

        A non techie friend asked about this very subject when he read another message/rant from the Tweeter in Chief of The USA. How if it was possible as I'd always claimed for tracking to be ubiquitous for Mr Trump to have a mobile phone whilst POTUS. I said it was easy to do in his case because you had the resources available to make it so. For example you know where he is most of the time because he's at the White House.

        So you could run your own WH base station (pico cell) that only he and senior staff* can use their work phones to connect to. You'd also restrict his phone so it cannot connect to any other base station. As he never travels alone you have the secret service communications vehicles (Roadrunners) contain other ones for his trips elsewhere. In the case of Trump you'd also need to have base stations at Mar a Lago, Bedminster etc. All of these would connect back to the Whitehouse and calls get routed through to the normal public network there. This would make his location far harder to track.

        * Just having one phone on the base station would be counter productive security wise.

        1. Anonymous Coward
          Anonymous Coward

          Re: phones in secured areas

          The problem is that Tango Man doesn't do 'normal'.

          Obama had, and occasionally used, a hardened Blackberry(?) during his terms but The Orange One had been twatting from an ancient Samsung during the early days of his draining and refilling the swamp with raw sewage. Getting him to do the right thing and use a hardened device is way down the list of priorities behind starting/spreading conspiracies, picking fights, walking down slopes....

    2. iron Silver badge

      Does not help when personell go for their daily run in a non-secure location or even just travel to & from secured areas.

    3. Cuddles Silver badge

      You may note that the article didn't mentioned secured areas at all. This has nothing to do with discovering the location of your super-secret headquarters, it's about being able to gather valuable information just by tracking people going about their daily lives. Things like Strava heatmaps giving away the precise perimeter of military bases are examples that have come up before. But the point of this article is that even if you try to deal with those more glaring examples, it's virtually impossible to prevnt any tracking from happening at all. You can tell people not to upload their runs to Strava, but you can't prevent the local telecoms company from noticing that 1000 new America-registered SIMs are suddenly connecting to their base stations. And you can't prevent spies from setting up their own fake base station to get the same information.

      Secured areas aren't relevant, because people don't spend their whole lives in secured areas. You can gain a lot of useful information just by seeing where people are and what they're doing the rest of the time. Block phones from your operating base or agency building all you like, you can't stop people being able to figure out where the living barracks are, changes in staffing levels, troop movements, and so on. It's similar to being able to figure out activity levels by looking at satellite photos of car parks. No matter what steps you take to try to hide things, at some point people need to get to work and that activity in the public space can be tracked. All you can do, as the NSA effectively say here, is try to at least make your opponents work a bit harder to get that information.

      1. JetSetJim Silver badge
        Black Helicopters

        > it's virtually impossible to prevnt any tracking from happening at all.

        Remove the word "virtually" and you'd be right. The network operator collects measurement reports from every mobile and analyses them to generate locations. These can then be used to help diagnose network quality issues. Equally, black-hats could, with access to the data, do all sorts of other shenanigans as you outline.

        The only way to not be tracked is to take the battery out (rumour has it there is special firmware that can be pushed to individuals that make it look like the phone is off when it is instead doing some tracking, but I've never seen concrete evidence of it)

        1. Anonymous Coward
          Anonymous Coward

          >"The only way to not be tracked is to take the battery out"

          And of course that's not possible with lots of newer devices. Taking the SIM out may help.

          Incidentally, I'm told that on some models the "find your phone" functions can track the phone when switched off, and in some cases turn it on and take a photo etc.

          I know that some phones can be activated remotely by the corporate admins in order to install software updates or perform a security wipe and permanent deactivation. The fact that this is possible shows that even when "switched off" the phones are running, connecting, receiving data and executing commands, at least intermittently.

          1. John Brown (no body) Silver badge

            "And of course that's not possible with lots of newer devices. Taking the SIM out may help."

            To echo the first quoted sentence in relation to the second quoted sentence, "And of course that's not possible with lots of newer devices." because they use software SIMs. Not that it matters, because a SIMless phone can still make emergency calls therefore it's still connected and identifiable by the IMEI.

          2. hayzoos

            "switched off"

            Just the fact that pressing a button to "switch on" a phone should indicate that it is not truly off. Another indication is what happens when a phone is "switched off" then a charger is plugged in, voila, the display comes alive to show charging status.

            Hard toggle switches are going extinct. They are the only way a device can truly be switched off.

        2. Cynic_999 Silver badge

          What you say is true, but does not mean that it is impossible to prevent tracking. As the most obvious way, just prohibit people from bringing phones into the area. Another way would be for the people running the secure area to set up their own base station which is made secure so that nobody can get location data from that base station.

          1. doublelayer Silver badge

            "does not mean that it is impossible to prevent tracking."

            But in effect, it's really hard. To demonstrate this, let's see if your ideas work (not as well as we'd like).

            "As the most obvious way, just prohibit people from bringing phones into the area."

            This assumes we are talking about a specific secure area, but we can go with that assumption. Other comments have already explained the dangers of collection outside secure areas, so I'll limit myself to the secure ones. If you make people leave their phones outside the secure area, then a tracker can do several things. If they don't know where the secure area is, it's that place where lots of phones suddenly go offline when people put them into those isolation lockers. If no lockers, it's that place where a bunch of phones go to not move at all--if you have your phone on you, even if you're just moving around a room, the signal will change slightly. Not as much if it just sits on a table. Assuming they already know where the secure area is, they know now who goes there and when. They may not know what they do once inside, but they can track the phones as people travel to the secure area. This means you know when the area's personnel are away from their homes so you can search them, or when the area has most of its people so you can attack it for maximum destruction, or when the area is sparsely populated for some other type of activity like trying to plant bugs.

            "Another way would be for the people running the secure area to set up their own base station which is made secure so that nobody can get location data from that base station."

            So the area has its base station, and the data can't be intercepted. This doesn't necessarily mean that phones will switch to said station or that they won't also contact others. A lot of tower data comes from towers other than the primary one, which mostly comes from phones verifying that they're still on the best one. What happens if the station is on one side of the area while an attacker drives by the other side with a more powerful malicious station. They could easily convince several phones on that side to trust them instead. Of course, by that point, you may not have such a need for location information, but it could at least tell the attacker who works on that side of the area rather than the other side. If they have floor plans of the area, that data might be useful.

      2. Anonymous Coward
        Anonymous Coward

        >, it's about being able to gather valuable information just by tracking people going about their daily lives.

        In the good old bad old days when we had proper (IRA,RAF) terrorists and proper Russian baddies. Somebody at NATO HQ decided it was a bit obvious if all the top brass had army staff cars parked at home and so everyone was sold subsidised civie cars.

        That somebody obviously had an arrangement with a local dealer because everyone got identical white Merc E-class, the windscreens of which were all so full of brightly coloured NATO parking permits that you could barely see out of.

        That rows of these were neatly parked in the driveway of every house in a single Brussels suburb was about as obvious a target as you could wish for.

        1. Anonymous Coward
          Anonymous Coward

          The other big clue was the 'standard' license plates

    4. Anonymous Coward
      Anonymous Coward

      Thereby making it obvious where the secure areas are located and precisely who works there and where they live, where they dropped their kids at school etc?

      This is why all electronic devices are to be left at home, not in reception or the car park, etc, if your journey involves anything associated with work. Obviously this includes social meetings with colleagues in non-work locations, so you can't be linked to each other by correlating locations.

      On a related note it's becoming harder and harder to buy home appliances like TVs, speakers and so on that don't come with a built in surveillance device of some sort. Obviously having anything with cortana, alexa, siri etc. in the house is out of the question. Before long we'll be in a situation where people who work in this sector will have little choice but to live like some sort of luddite.

      1. Glen 1 Silver badge
        Holmes

        "live like some sort of luddite"

        Thus highlighting you as a person of interest.

        High paying job, but no phone? That's interesting. Routinely encrypt email (PGP etc), but have no overt background in computing? That's interesting. Only communicate via courier to an internet cafe...

        That's the thing about tradecraft, you need to look as "normal" as possible. Including leaked information. Bonus points for compromat consistent with any cover you're trying to cultivate.

        Mind you, If the impression you are trying to cultivate is "Security professional", then *not* raising those flags is suspicious.

        1. Claptrap314 Silver badge
          Boffin

          I'm just getting started!

        2. Charles 9 Silver badge

          "That's the thing about tradecraft, you need to look as "normal" as possible. Including leaked information. Bonus points for compromat consistent with any cover you're trying to cultivate."

          So what happens when "normal" is a Panopticon, like say China?

      2. Paul Hovnanian Silver badge

        "This is why all electronic devices are to be left at home, not in reception or the car park, etc,"

        Cars are electronic devices in their own right. I'm not going to pry the telematics module out of my brand new Tesla. And for all you people who purchased older cars on contracts: odds are that the dealer has installed a GPS tracker so the repo guy can tow it when you miss a payment.

      3. Anonymous Coward
        Anonymous Coward

        This is why all electronic devices are to be left at home, not in reception or the car park, etc

        So what you are saying is that anyone remotely involved in "security" or "defence" is not allowed a personal life as well ? As a rather junior such person (hence posting as AC), I'd be "rather irritated" if I had to be out of touch from family, friends, people who service the car, people I buy stuff from, etc, etc, etc for 10 for 11 hours a day. As it is, there is talk of making my office into what the MoD call an "Amber Zone" - meaning I'd need to leave the office and get my phone from a locker any time I wanted to see if anyone had tried to contact me.

        That means no being contactable should the carers who go to my elderly mother need to get in touch. No being able to contact (e.g.) the garage to arrange for a service and for them to tell me when it's ready to collect - or even more important, to ask what to do if they find a problem (e.g. X has failed, do you want us to replace it at a cost of £Y). No means for the builder's merchants to tell me they have the stuff I asked for, and when can they deliver it. Need I go on ?

        Of course, for me I can use my phone when I get home. What about those who live on such a location ? What if your home is a barracks - are you no longer allowed any device ?

        And a key thing not explicitly stated is that this can apply to "work" devices, not just personal. Note that carefully - it can apply to official devices. Your chances of persuading (e.g.) our MoD or armed forces that no-one can have a mobile regardless of need are on the low side of zero.

        TL;DR version - it really is not practical to simply turn the clock back a few decades.

        1. whitepines Silver badge
          Facepalm

          As it is, there is talk of making my office into what the MoD call an "Amber Zone" - meaning I'd need to leave the office and get my phone from a locker any time I wanted to see if anyone had tried to contact me.

          Even corporations are starting to wake up to the fact that this is a good idea*, especially when said company is handling PII, or developing a new technology they don't want stolen, or dealing with security sensitive things, etc **. You got used to a level of convenience and communication that is at odds with your job -- deal with it or change to a line of work that lets you communicate more often while being around less sensitive material, even if it means less pay. The last customer's burger order probably doesn't qualify as sensitive and you can text all you want!

          * I'm not allowed to carry a phone in many areas of the building I work at, due to security risk, and that's just for routine tech operations. Cameras and microphones are verboten in those spaces as well. Somehow, my desk phone, Email, Slack, IRC, etc. seem to suffice for communication needs during the work day, and that's a major step up from the 1980s when all you had, best case, was that single desk phone!

          ** Not me, sadly, but the rules still apply.

          1. John Brown (no body) Silver badge

            "and that's a major step up from the 1980s when all you had, best case, was that single desk phone!"

            And not all were important enough to warrant a phone on their desk unless that was part of the job, even that recently.

          2. JetSetJim Silver badge

            15 years ago, Huawei was the same. No camera phones allowed, all usb ports locked down on computers, no optical drives, and internal material never left the property. VIPs could grant exceptions, but that wasn't common.

            The meetings I had with engineers showed they had developed very impressive recall of technical docs.

        2. John Brown (no body) Silver badge

          "I'd be "rather irritated" if I had to be out of touch from family, friends, people who service the car, people I buy stuff from, etc, etc, etc for 10 for 11 hours a day.

          So? It's barely a generation since that was the norm. I understand your point, I just don't thinks it's as big a problem as you seem to do.

        3. Anonymous Coward
          Anonymous Coward

          > So what you are saying is that anyone remotely involved in "security" or "defence" is not allowed a personal life as well ?

          Not really - many don't handle anything sensitive enough to warrant such measures. There are degrees of risk of course, with appropriate control measures as you'll know from your local briefs.

          The current increase in WFH arrangements is a concern though, as I'm sure not everyone will remember/bother to unplug/disable all their "smart" devices before their telecons. How many are working in their lounge in front of a Samsung TV...?

          Amber zone should be ok. You can use a ptt to make outgoing calls to check in with the car garage or builder's merchant. You should be able to get a smart number to pass to people so you can be reached. You can also ask to be issued with a receive-only pager if necessary, which can be really useful on some establishments where peds are not permitted, although teaching your child's teenage nursery staff how to send a message to a pager could be fun.

          > And a key thing not explicitly stated is that this can apply to "work" devices

          Of course - ultimately a somewhat accredited work phone is still a phone and so you don't want it in sensitive areas. Certainly not where there might be conversations above the level of its accreditation.

          Mobile phones are a relatively new invention; not having a mobile phone does not mean you are uncontactable or can't have a personal life. My early years on establishments there were no mobile phones anyway and we made do well enough with the payphones on site and the fixed phones in working areas.

          That's not to say that some jobs don't very much come with the difficulties you highlight.

          There are the sites where you can't take *any* electronic device, including a digital watch or remote car key. There are the projects for which all info must remain in a single secure room with no access to natural light or fresh air, and it's a right rigmarole to get in and out so you really can't just pop out for a phone call. There are the business trips where you can't provide any means of contact nor tell your family where you're going or how long you'll be gone.

          Ultimately sometimes there's no getting around the fact that some jobs are just not suitable for people with some kinds of responsibilities.

          But if you're going to stay in the sort of role where your name is in the directory you probably don't have to worry too much.

          1. Anonymous Coward
            Anonymous Coward

            Not really - many don't handle anything sensitive enough to warrant such measures. There are degrees of risk of course, with appropriate control measures as you'll know from your local briefs.

            Indeed. Most of us don't handle anything, or work with people who handle it, so as to justify the restrictions. And even when people are working on more sensitive stuff, it's not hard to temporarily up the status as required. Unfortunately, at my workplace it's being driven by politics with little regard for facts. One thing is for sure, if the people concerned do manage to push this through, I will take great delight in shopping them when they fail to abide by the rules themselves - which I know will not take long.

            You can use a ptt to make outgoing calls to check in with the car garage or builder's merchant

            Err, no. No outbound calling facility on work system, and if there was it would be work business only. And no personal devices.

            You should be able to get a smart number to pass to people so you can be reached

            Err, no. AIUI they've stopped handing those out anyway, plus it doesn't help if you don't have a desk phone to send it to.

            You can also ask to be issued with a receive-only pager if necessary

            And the business justification for that ? So no to a business pager, and they aren't differentiated from other PEDs as far as the rules are concerned - so no personal pager.

            Obviously it's going to be different for different people in different situations. Not having a desk phone means I am reliant on my mobile for personal stuff, either that or it's back to the old "ring this number, ask whoever answers it to send a carrier pigeon with a message for me" type of arrangement. And in "cough" decades, this is the first job where I've not had a desk phone I can be contacted on - though the reasons for that aren't security related.

      4. This post has been deleted by its author

    5. Anonymous Coward
      Anonymous Coward

      Or just... don't allow phones in secured areas.

      Oh, I worked at places where it would take under a minute for someone to wander in to ask to check if you really had phone and/or WiFi disabled. Their manner of enquiring was sufficient to reduce enthusiasm for any recurrences - let's just say they stopped being subtle after the second time :).

      I never really had a problems with it. Rules are rules - if you cannot handle sensible precautions you have no business being there in the first place.

      1. Charles 9 Silver badge

        What happened when the not-so-subtle reply was attempted on someone HIGHER than them?

        1. Anonymous Coward
          Anonymous Coward

          Then presumably their boss, who intentianally is someone with sufficient powers to get most to comply, will have a talk with them.

        2. Anonymous Coward
          Anonymous Coward

          You point out to the General that even Majors have to comply, so if the Captain could please hurry up before you take his Sargent stripes away...

        3. Anonymous Coward
          Anonymous Coward

          Let's just say that their authority came from an, er, "interesting" level, so I don't think that problem ever occurred.

          1. Charles 9 Silver badge

            HOW interesting? "No one can fire him" interesting or "you're under arrest" interesting?

    6. Fluffy Cactus

      Or maybe they could learn from Ghislaine Maxwell and wrap their phone in aluminum foil, after first wrapping it in lead-based foil.

      There's got to be a way to foil anything.

  2. pavel.petrman

    Re "using a VPN"

    It is very difficult to use a VPN properly and to your advantage, most people just end up inadvertently owning up to using one and in case of poorly designed VPN solutions even blowing the VPN for other users.

    Most people altogether, including most people NSA wrote their guidance for, need to interact personally with other people to be able to do their job. You can't realistically rely on everyone you are meeting with or inviting to your office/safe house to follow this guidance reliably. Hence you are happily VPN'd to, say, Norway, until your first informant comes to give you the parcel in a cafe in Beirut with their Android phone in their pocket. Your smart slabs get near each other, registering similar pattern in available wifi APs, and voila, you and possibly others on same VPN profile are no longer in Norway, you are in Beirut and on Santa's naughty list.

  3. Chris G Silver badge

    This, coming from the people who want all of that location and tracking data on the rest of us because, they are apparently the good guys and the rest of us are not.

    1. Siberian Hamster

      This has parallels with government mandated backdoors to encryption but starting from the 'other side'.

    2. Spanners Silver badge
      FAIL

      @Chris G

      ...they are apparently the good guys...

      We are talking about the NSA here. They are not, by any reasonable use of the phrase "good guys".

      They are a criminal organisation. They may be from a nominally friendly government but they are in no way the good guys. They may, on occasion, do us a favour sometimes but so does the Mafia and even whatever the KGB is now called. They still want all our stuff and have no qualms about throwing anyone else under the bus if that is needed to complete their current mission.

    3. Claptrap314 Silver badge

      The NSA has two missions. They were kinda skipping on the second one for a couple of decades, but the congressional wrap on the knuckles has adjusted things a bit.

      Their second mission is to protect "our" communications and data. With the "our" being Americans', not just the government's. This is why, for instance, that the NSA is on record as opposing back door encryption.

  4. "Dead Eye"

    It might have been more honest for the NSA to say these things compromise everyone's security and even spooks and soldiers can't protect themselves...

    1. Charles 9 Silver badge

      So how do you protect yourself when you NEED the always-on availability that's essential in today's fast-paced society? And no, the answer to, "What did we do before cell phones?" will be, "Whatever it was, it didn't happen very quickly, and seconds count today."

      Plus, because of the way wireless communications work, whatever the technique you use, you WILL leave radio traces that alone can be useful tracking information. It's a problem similar to post/mail or any other two-way form of communications: both ends must be known for it to work, yet that alone is compromising information. Efficiency becomes its own drawback.

      We've essentially run into a nigh-intractable problem. How do you maintain two-way communication without the communication itself being tracked by a determined adversary?

      1. K

        Easy... 2 girls and 1 cu... no wait, 2 cups and a piece of string.

        On a serious note, this has been known for years, the ad-tracking is new advice, I also wonder how the tin-foil hat brigade will react now its "official"

        1. John Brown (no body) Silver badge
          Holmes

          I also wonder how the tin-foil hat brigade will react now its "official"

          I'm buying shares in Bacofoil :-)

          1. Anonymous Coward
            Anonymous Coward

            But those shares in Bacofoil are a dead giveway...

      2. "Dead Eye"

        Pagers can help although they're nowhere near a complete solution. It's transmitting that's the problem, including transmitting "ACK"s.

      3. tellytart

        Satellite phones would offer some level of protection. While the satellite cell configuration might be able to narrow down your position to perhaps a city, it wouldn't get any more accurate than that. Certainly not down to street/junction level that GSM triangulation might be able to get you.

      4. Cynic_999 Silver badge

        "

        How do you maintain two-way communication without the communication itself being tracked by a determined adversary?

        "

        Tradecraft 101. Leave coded messages in the classified ads section of a newspaper. The online equivalent being to leave the (PGP encrypted) messages on a public server that is only ever accessed via Tor (e.g. a Usenet group). Better even than classified ads because it's nearly impossible to determine who placed the message.

      5. Adrian 4 Silver badge

        Nobody NEEDs the always-on availability. A lot might find it convenient but that's negotiable as the discussion about secure working above shows.

        The only people who might be considered to NEED both (ie their job requires both communication and protection from the consequences of communication) are authority-sponsored types such as military. In that case, the essential communication is done using appropriate equipment : and a lot of money goes into providing that equipment.

        Seconds don't count any more than they used to. Yes, you might get someone with a heart attack who can be saved by fast action. A few years ago that person would have died regardless. Requiring that everyone who might benefit from such action is able to, is an edge case and a trade off.

        Currently, emergency services aren't protected from the consequences of leaking the location information. Perhaps some day that will be necessary, but at the moment the people who deliberately attack them don't appear to be organised to obtain location information - they're usually one-offs.

        1. Charles 9 Silver badge

          "The only people who might be considered to NEED both (ie their job requires both communication and protection from the consequences of communication) are authority-sponsored types such as military. In that case, the essential communication is done using appropriate equipment : and a lot of money goes into providing that equipment."

          The counter being it's probably going to waste, as the mere existence of radio equipment--ANY radio equipment--is a giveaway, and yes, I WAS actually thinking the military when I was referring to my "second count" post.

    2. pavel.petrman

      "even spooks and soldiers can't protect themselves" - spooks have always had hard time protecting themselves on radio. Britain's famous Peter Wright wrote in his memoir about detection and location pinpointing many decades ago. Only today we beep all around the place like R2D2 on stimulants and it costs virtually nothing to gather these signals and get large amount of useful information from them.

      1. keithpeter
        Coat

        Traffic analysis has been popular...

        ...since olden days, c.f. Gordon Welchman's The Hut Six Story: Breaking the Enigma Codes

        Coat: off out with my personal locator beacon to get some exercise

        1. Yet Another Anonymous coward Silver badge

          Re: Traffic analysis has been popular...

          Pity the Germans weren't beer fans

          Beer rating app reveals homes and identities of spies and military bods

    3. Doctor Syntax Silver badge

      The way it was done doesn't specifically alert politicians.

  5. Mike 137 Silver badge

    Open shared infrastructures are ...

    Open. This is inevitable, so open shared infrastructures should not be used where their openness can lead to hazard. I would have thought this was blindingly obvious. Not for nothing was frequency hopping point to point radio invented and widely used for secure communications before the "smart phone" took over the planet.

  6. Anonymous Coward
    Anonymous Coward

    Trump tells Putin where you are

    Turning off your phones won't help. Trump shares battlefield intel with Putin and Putin is the one paying to get you shot. He knows where you were deployed. When he has enough coffins for a photo-op, Trump will withdraw troops from Afghanistan and hand over those bases to Putin.

    It's a repeat of Syria.

    NSA needs to get all back doors closed now. They should never have left kit vulnerable.

    It's wishful thinking to believe this treason will end in January.

    1. Wellyboot Silver badge

      Re: Trump tells Putin where you are

      Russian troops going back into Afganistan is less likely than Putin mooning congress from the speakers chair.

      1. Anonymous Coward
        Anonymous Coward

        Re: Trump tells Putin where you are

        Business is business:

        https://www.bbc.com/news/world-asia-43500299

        "Russia 'arming the Afghan Taliban', says US"

        "Russia is supporting and even supplying arms to the Taliban, the head of US forces in Afghanistan has told the BBC."

        "In an exclusive interview, Gen John Nicholson said he'd seen "destabilising activity by the Russians."

        "He said Russian weapons were smuggled across the Tajik border to the Taliban, but could not say in what quantity. Russia has denied such US allegations in the past, citing a lack of evidence.

        "But the new claims come at a sensitive time in Russia's ties with Nato powers.

        "Britain and Russia are locked in a dispute over claims that Russia was behind an attack on a former Russian spy and his daughter on UK soil using a deadly nerve agent.

        "Meanwhile a US Congressional Intelligence Committee has just published a report concluding that Russian provocateurs meddled in the 2016 election.

        1. Ken Hagan Gold badge

          Re: Trump tells Putin where you are

          None of which puts a single Russian boot on Afghan soil.

  7. Boris the Cockroach Silver badge
    Big Brother

    We'll file this one

    under "no shit sherlock"

    Then fire the people who forget to turn their phones off at "super secret volcanic lairs"... and that will hopefully solve the "just opened an e.mail attatchment from an unknown source" problem too

    1. Flocke Kroes Silver badge

      Re: Who to punish

      This problem was solved decades ago back when default passwords were a thoroughly understood security disaster. First of all, leave the default passwords as they are. Do not warn people about default passwords. Do not warn people about easy to guess passwords. Do absolutely nothing to people responsible for changing default passwords or using easily guessed passwords. Ignore all the logins originating from hostile powers. Find a couple of foreign scapegoats in countries with one-sided extradition treaties, blame the scapegoats for everything and lock them up as warning to everyone.

    2. Anonymous Coward
      Anonymous Coward

      Re: We'll file this one

      Pah, what sort of super secret volcanic lair doesn't have a large shark tank where peons who have failed to meet standards can be asked to "go and feed the fishies"?

      1. Charles 9 Silver badge
        Joke

        Re: We'll file this one

        Gotta be careful, though. May find one of those where the fishies feed him instead.

  8. Anonymous Coward
    Anonymous Coward

    Talyrand: they forgot nothing and learned nothing!

    Oh dear......the NSA spends gazzillions of dollars tracking the citizens who stump up the gazzillions of dollars......and then start to worry that the tracking THEY ARE DOING might be a problem for their own people!!!!

    *

    So how about a SIMPLE avoidance scheme for the NSA (at no charge!):

    1. Buy a dozen pre-owned phones for cash in the local High Street.

    2. Buy two dozen SIMs for cash, with vouchers for minutes also paid for in cash in the local High Street.

    3. Make sure that there is no CCTV covering items #1 and #2.

    4. Distribute burner phones and burner minutes to spooks.

    5. Train said spooks ONLY EVER TO USE SAID BURNER PHONES IN PUBLIC SPACES WITH NO CCTV.

    5A. Train said spooks to install SIMS when in a location NOT TRACEABLE TO THE INDIVIDUAL SPOOK (e.g. a coffee shop, an internet cafe)

    6. Train said spooks to use said burner phones ONLY EVER TO CALL OTHER SAID BURNER PHONES.

    7. Train said spooks to stay off their personal page(s) e.g. Facebook!

    8. Repeat from #1 as required.

    *

    The real problem (in an age of rampant narcissism) will be items #5, #5A, #6, and #7.

    Can I bill someone for consulting advice? ...but then free advice is worth what you pay for it!

    1. You aint sin me, roit Silver badge
      Black Helicopters

      What they want, and what they don't want you to have

      If the nsa are properly paranoid then they will want to track everything their "operatives" are doing. As well as snooping on everyone else.

      So they have to square the circle of having a way to know everything while preventing opposing operatives from knowing anything.

      Let's face it, they are only highlighting these concerns because it is what they have been doing for ages. You can be sure they would only make public techniques that have been superseded by new snooping capabilities...

    2. 96percentchimp

      Re: Talyrand: they forgot nothing and learned nothing!

      Anonymous burner phones are not available in every country, especially the ones where the NSA is most likely to want to conduct clandestine business.

      1. Cynic_999 Silver badge

        Re: Talyrand: they forgot nothing and learned nothing!

        "

        Anonymous burner phones are not available in every country

        "

        Not *officially* available. But reasonably easy to get in every country I know of. Phones can be bought second-hand without giving your identity, and a local SIM can be obtained by giving a local a modest tip to get one for you. Not that you need to buy the phone itself in the restrictive country.

        You can even buy a SIM for just about any country in the World from Amazon. Just use an account that can't be traced to you.

        In any case, even if you follow all the country's rules, the phone will still be anonymous to everyone except the government of that country.

        1. Claptrap314 Silver badge

          Re: Talyrand: they forgot nothing and learned nothing!

          And have that SIM delivered where?

    3. doublelayer Silver badge

      Re: Talyrand: they forgot nothing and learned nothing!

      Your biggest problem isn't 5-7, it's just 5. Spies can always place calls from public areas without CCTV, well not very easily but we'll come back to that, but where will their recipients be? The person receiving the call won't know they need to receive a call, so they'll be wherever they were before, which is potentially exposing. They will have to keep their burner phone turned on to receive said calls, meaning it will be able to track their location if someone ever identifies that phone as a device of interest. If you were planning that the conversations are always preplanned, so both ends can go to a public place, how does spy A indicate to spy B that spy A has urgent information that spy B needs to know when they don't have a scheduled meeting for several days?

      Now, a public place to make a call without surveillance cameras. I really hope no spies ever go to London or most cities really. There are cameras everywhere. If you find a place without cameras, someone could check feeds for the cameras near the place to find the person who spent the right amount of time in that place before leaving. The other problem is that, if you make a call in public, you have to say all your secret stuff in public. People can hear your conversation which either includes incriminating things or cryptic things, which might cause your listener to report you or listen in.

  9. Pascal Monett Silver badge
    Stop

    How terrifying

    "Commercially available rogue base stations allow anyone in the local area to inexpensively and easily obtain real-time location data and track targets.

    Just a minute there : am I supposed to understand that there are rogue base stations implemented everywhere ? Controlled by who ?

    Because if that is not the case, then they are being implemented to track someone who is already known, and that is state-level spycraft, so doesn't concern me.

    1. You aint sin me, roit Silver badge
      Holmes

      They make it your problem

      "You don't want those Chinese getting hold of your information. Do you, citizen?"

      1. Spanners Silver badge
        Alert

        Re: They make it your problem

        "You don't want those Chinese getting hold of your information. Do you, citizen?"

        I have difficulty in explaining just how little I care. I do, however, not like the idea of the NSA, CIA, FBI or any other TLA getting my personal information.

        "What's the difference?" some may ask. It's what happens to it afterwards that makes me vary between extreme apathy and extreme unhappiness.

        When the NSA or whatever criminal organisation you want has finished with my stuff, there is a good chance it will make its way to the private sector and could be used for anything from advert targeting, predicting my financial activities to simple corporate fraud.

        When the Chinese spooks have finished looking at me the information will be filed - and that's it. The only direct contact with a Chinese seller I have ever had is Wish. Are they what DT considers a dangerous tool of the CCP?

    2. chivo243 Silver badge

      Re: How terrifying

      Just a minute there : am I supposed to understand that there are rogue base stations implemented everywhere ? Controlled by who ?

      I wouldn't say everywhere, but I wouldn't be surprised if most big cities have some such state monitored\sponsored gear in sensitive areas? Near capitol buildings, important gov't locations. Places that used to have large crowds? Lastly, transportation hubs, airports, train stations...

    3. doublelayer Silver badge

      Re: How terrifying

      Well, most states have proven that they have and like that tech. There are also cases where someone was operating it, but the police never found out exactly who it was. Most of those I've seen were presumed to be state actors, but since we can't prove that, it's always possible that it was someone else. Since the hardware can be built by a nonstate person, it's not that surprising that some people have done this. It doesn't have to be a concerted effort for some new concerted effort to pick up the practice.

  10. Anonymous Coward
    Anonymous Coward

    Irony on GPS

    Let us all remember half of the gigantic GPS budget was meant for a completely passive (ie, stealth) system, to allow submarine ICBM launchers to know precisely where they were at the time of launch, in order to calculate trajectories, and precisely hit a target.

    And now, the same GPS info is broadcasted all over the place through apps, cloud or not, revealing everyone's location !

    Ain't life great ?

  11. Mark192 Bronze badge

    The only way to protect oneself is to ensure that we never have a government that we would need to protect ourselves from.

    Careful who you vote for.

    1. Cynic_999 Silver badge

      The problem being that politicians rarely state that they intend to do bad things in their election manifesto. You will have no idea that you are voting for a dictator, genocidal maniac and/or control freak until after it's too late.

      1. Ken Hagan Gold badge

        Citation needed? I'd say that all the elected dictators I can think of were clearly unsuitable personality types long before they were elected. The problem is that not all the electorate agree on what "unsuitable" means.

  12. heyrick Silver badge
    WTF?

    My God, if they're spooks then they ought to be about paranoid enough to only use a crappy little GSM type phone while at work.

    Trying to "do secret shit secretly" with a smartphone in a pocket is going to be about as successful as herding kittens.

    1. doublelayer Silver badge

      "My God, if they're spooks then they ought to be about paranoid enough to only use a crappy little GSM type phone while at work."

      Antiespionage report, section 12: mobile device usage among clearance candidates

      Most candidates for this position are using off-the-shelf smartphones. They will be treated with normal scrutiny. Four candidates are using phones without smartphone capability. Two of these are old and are using old devices. While it will be assumed that these people dislike smartphones, these candidates will still be treated with elevated scrutiny. The remaining two are using newer devices without that functionality and will be treated with severe scrutiny. Two candidates are using atypical smartphones, namely candidate 280 is running a Linux-based mobile OS on a device from Pine64, a known provider of secure devices for technical users and candidate 393 is using Lineage OS, a variant of Android with additional privacy features. Candidate 393 will be subject to severe scrutiny. Candidate 280 will be denied clearance and will be further investigated for potential criminal tendencies.

      Sometimes, if you want to blend in, you have to do things that everyone else is doing even when you don't want to or they're dangerous for your attempt.

      1. Charles 9 Silver badge

        "Sometimes, if you want to blend in, you have to do things that everyone else is doing even when you don't want to or they're dangerous for your attempt."

        So what if you have to infiltrate a Panopticon where "normal" is pretty much guaranteed to give you away?

  13. Mr Dogshit

    Well DUH

  14. Marketing Hack Silver badge
    Trollface

    I'm waiting for the NSA to completely "lose it" on this issue...

    And denounce U.S. corporations as amateurs on this issue while rattling on about "THAT'S not how you get and use location data! THIS is how you get and use location data!!"

    (I'll obviously have to come up with a way to protect all data being transmitted to and from or stored on devices. I have some ideas on the subject, using a mathmatical procedure I have tentatively named "nkripshun". I still have more work to do on that, but I am sure that, once it is ready, all the U.S. three-letter agencies and intelligence and law enforcement throughout the western world will become big advocates of its use by the public!!)

  15. shovelDriver

    Who IS NOT Location Tracked

    Think about this: Prime Ministers, Presidents, Secretarys of . . . Everything, Bank Presidents, Stock Brokers, Wells Fargo Employees; you get the idea, I'm sure. Do they use cellular devices? Do they own and drive vehicles with satellite radios and bluetooth transceivers? Do their spouses and kids? Guards? Drivers? Advisors?

    Does anyone really believe the various security services have not thought this through? And proceeded to design, build, buy only devices that are encrypted and which only use approved - separate - frequencies?

    For example, the schedule of various world leaders and other not-really-so-important politicians are classified, to protect them and their activities from scrutiny. Yet their security apparatus doesn't even try to keep them from using cell phones?

    Yeah, and I've got a bridge for sale . . .

    Rather than reinvent the wheel, we should require that all cellular devices be provided with the same capabilities for privacy protection that government already has.

    Though that would certainly defeat the purpose . . .

    1. Ken Hagan Gold badge

      Re: Who IS NOT Location Tracked

      They may have such devices, but that doesn't mean they can force their bosses to use them. Example: UK cabinet meeting held over Zoom. Earlier example: Trump refusing to use the phone offered by his three-letter-agency because he prefers the one he has. Still earlier example: Clinton's email server.

      1. CrackedNoggin

        Re: Who IS NOT Location Tracked

        Or Jeff Bezos' phone getting hacked.

  16. Martin-73 Silver badge
    Black Helicopters

    Snoopy snoopers don't like being snooped on.

    Colo(u)r me not caring about their safety in the least.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020