Military infosec SNAFUs: What WhatsApp and bears in the woods can teach us

Fans of John le Carré’s Tinker Tailor Soldier Spy know how top military secrets are extracted from the enemy. Senior figures are turned in operations run by the most secret brains in the country, bluff and double-bluff mix with incredible feats of bravery, treachery and psychological manipulation. Not any more. If head KGB spy …

  1. Headley_Grange Silver badge

    "..ubiquitous, frictionless sharing"

    At least Bowman erred on the side of caution and made ubiquitous, frictionless sharing almost as difficult for the British army as it was for any spies trying to eavesdrop.

  2. chivo243 Silver badge

    No Sh1t

    It’s true you can’t spell shit without IT... Especially when your Org's name ends in "Sh" like mine!! In all the years of writing our Office name, nobody has caught it...!

    1. A Nother Handle
      Holmes

      Re: No Sh1t

      Great Ormond Street Hospital IT?

      1. Korev Silver badge
        Coat

        Re: No Sh1t

        Oh GOSH

        1. Anonymous Coward

          Re: No Sh1t

          I've mentioned this one before, but the rather amusing and accurate SVN username of our IT intern in Shanghai, shit-intern

  3. MarkET

    Encryption

    Plainly highlights that you have something to hide. I prefer the dark energy 7G band personally.

    1. W.S.Gosset

      Re: Encryption

      Careful -- that causes COVID-38

  4. Potemkine! Silver badge

    “Three may keep a secret, if two of them are dead.” So what about 80,000!

    Anyway, thinking that anything going through something belonging to FeckBook is secure is experiencing disillusion.

  5. Anonymous Coward

    Actually, Bowman worked *perfectly*...

    ...until the Ministry of Dunderheads started dicking around with the list of requirements. That's when it all went horribly wrong.

    See also every MoD programme since about 1943...

  6. amanfromMars 1 Silver badge

    Special AIR Services with/for Advanced IntelAIgent Resources on Sensitive Operational Missions

    It was open to the MoD — it’s open to all enterprises — to build only the bits needed to do the specific job, and buy in the other components. Or, with open source, get the components for free and pay to learn the expertise to use it — a much better investment.

    That would be an Astute Agile ACTIVe AWEsome development, methinks, and both practically and virtually perfect for Special Operations Executions ..... SMARTR AIdDeployments ........ https://forums.theregister.com/forum/all/2021/04/29/google_safari_workaround_supreme_court/#c_4248463

    Tell me that is not a Master Key Project and we will disagree fundamentally.

    1. amanfromMars 1 Silver badge

      Re: Special AIR Services with/for Advanced IntelAIgent Resources on Sensitive Operational Missions

      And the gazillion dollar questions are ....... Is it to be an Exotic Erotic Eastern Triumph or Wild Wacky Western Delight, First and Foremost?

      cc MOD/CCP/FSB/DARPA.....MICE@darpa.mil [to name but four interesting parties for live engagement and future instruction]

      And sound logical advice to the likes of a DARPA? Up the ante ..... for $1,000,000 is peanuts whenever there are no limits or restraints available for what can now be so easily done with Advanced and Advancing IntelAIgent Technologies in ACTive Current Deployment Nowadays in 0Days Exploiting Endemic Systemic Vulnerabilities ...... aka Novel NEUKlearer HyperRadioProACTivated IT Opportunities.

      And you don't often get that sort of direct message freely shared openly for all to see and hear wherever they may be with the simplest of facilities available to reply to it too.

      But please, don't be like an earlier idiot taxpayer here again exhibiting obvious prime ignorance with a gratuitously offensive comment fully demonstrating no understanding of that which abounds around them. It is both unbecoming and misleading. Although I do accept that some folk one just cannot help because of their default retarding disposition/lack of necessary future intelligence facility and utility, and they just can't help themselves, which is a shame to try blame others for.

      @amanfrom Mars 1

      Just shut up. It's Friday right? Boozing time not bullshit time. ..... https://forums.theregister.com/forum/all/2021/04/29/google_safari_workaround_supreme_court/#c_4249462

  7. Anonymous Coward
    IT Angle

    Trust

    It all boils down to trust and I don't trust users.

    At every level you find users who will want to save the decrypted output "just in case." And the higher up the command (or management) chain you go, the more likely it is.

    The reason you can't spell shit without IT is that IT is where the shit flows to.

  8. yetanotheraoc Silver badge

    Why, yes it does!

    "Does your endpoint have a Share button to the internet? You probably want to write that yourself."

    You probably want to disable that, I think you mean. Features you don't want is basically the problem with something like WhatsApp. Here's an idea. Instead of outsourcing, the MoD should train their signals people to code, and develop their messaging app internally. I bet the MoD would be really good at the large software systems from days of yore. Death march, anyone?

    1. fajensen

      Re: Why, yes it does!

      Nah. For the sake of efficiency, we want everything to be posted in PowerPoint to "battlespace.org" with just one click. How else can our superb generals inject the glorious progress of the operations into the 24/7 news cycle??

  9. Stuart Moore
    Pint

    That's real spycraft, not just going through the motions.

    That deserves one of these -->

  10. Tired and grumpy

    It's not about the message, it's about the metadata

    I fear we're missing the point here. Yes, there are ways for content to leak from WhatsApp, but isn't the real issue that the metadata give Zuckerberg & co. the ability to map UK military structures and communications flows in real time? I wouldn't bet on WhatsApp or Facebook being very secure from that perspective, so we have to assume that both our enemies and our allies have exploited this opportunity.

    1. Michael Wojcik Silver badge

      Re: It's not about the message, it's about the metadata

      There's an OPSEC concern there, certainly. But those communications are likely to be voluminous and noisy enough that the practical value of traffic analysis is low. And while traffic flows on public networks can be obfuscated (as with Tor), some information will always leak.

      That said, WhatsApp seems like a poor choice. They could at least have gone with Signal instead. (I realize WhatsApp has many features Signal doesn't, which is itself a security issue, because of the "Availability" aspect of the CIA triad and because users will seek to circumvent systems which they perceive as failing to meet their needs. But disciplined organizations can overcome those problems.)

      There are a number of security analyses of WhatsApp. Here's one summary of some results.

  11. Anonymous Coward

    Why do people pretend it's secure, just because of Signal protocol?

    The Signal protocol covers only the 1st step. Beyond the end (of end to end encryption) often lies a 2nd wide open end. Typing on a phone is crummy and you don't see much on a small screen. So many people I know use the WA browser frontend that's a lot more comfortable with mouse and real keyboard.

    They could have implemented that by putting a web server on the phone, so only a browser in the same LAN could connect (which excludes BYOD setups). Instead, the browser conveniently (for their eavesdropping) talks to their server. Fun fact: the notification on the PC pops up easily one second before the phone beeps.

    So any chat where at least one party uses the browser is wide open to WA.

    Astoundingly in Germany they are obeying the restraining order against their planned data grab. Despite their threats to lock me out for not accepting their constant nagging about their new conditions, they still haven't.

  12. Michael Wojcik Silver badge

    standard security terms

    I have to quibble with this bit in a generally fine piece: "Like those Soviet decrypts, on paper WhatsApp looks secure — if you think in standard security terms."

    "Standard" security – whether we're talking about security engineering, secure systems analysis, threat modeling, what some people refer to as a "security mindset", etc – would most definitely not stop at WhatsApp's (alleged) communications security.

    No competent security professional would imagine for a moment that COMSEC is the full scope of any communications system. And encryption isn't the whole of COMSEC, either. Other posters have already mentioned traffic analysis and the risks of metadata capture by Facebook or other actors. But more importantly, historically COMSEC has more often been bypassed by OPSEC failures or compromising people involved in the system. HUMINT generally beats SIGINT. [1]

    Many years ago Bruce Schneier famously remarked: "If you think cryptography will solve your problem, you don't understand cryptography and you don't understand your problem". To a first approximation that remains true.

    WhatsApp is "secure" in a popular or naïve sense, perhaps. Not in any sense that should be called "standard security".

    [1] ObUNIX: Yes, SIGKILL beats SIGINT too.

  13. EnviableOne

    the system they need exists

    have a look at Hospify (hospify.com)

    it was designed for a medical environment, but it stops stuff going into General device storage and encrypts user to user
