GCHQ commits schoolboy security blunder

Exciting news from UK spooks at GCHQ - it's the new and improved "Guidance document on use of Smartphones in Government". The only problem with this riveting press release from GCHQ is that someone forgot to use the bcc function - instead, the message reveals the email address of every journalist on the list. The list comes from …

COMMENTS

This topic is closed for new posts.
WTF?

Tony Blackburn

Tony Blackburn did this with his Blackburn Xtra mailing list a few years ago. Well his producer Sammi did, anyway.

Then he did it again, sending out a CC email attempting to 'cancel' the first one!

So it's not just GCHQ - it's even Tony Blackburn!



Alert

Why pick on Android?

"So it looks like Google's Android phones won't be winning many public sector contracts any time soon."

Neither will Microsoft or Apple.


Market Share

Presumably because the Android platform is now the market leader, and is set to increase to half the market according to Gartner. That's a pretty huge deal, and additional public sector contracts would certainly play a role in keeping Android dominant.

Silver badge
Thumb Up

because

you can count on some Android fanboy to whine about it and try to make out that everyone else is worse just because they didn't join his "gang".

Oh, hi.

Boffin

Actually...

It's (assuming it's the same in the UK as in another country I know of) because of the radio.

Android handsets suffer the same problem Microsoft Mobile and Microsoft Phone suffer - neither Google nor Microsoft make the hardware. This means that each hardware vendor must be accredited. Google is actually worse off, because the perception is that it's easier to put malicious code into open-sourced Android than WM or WP.

RIM can identify the supplier for every component in Blackberries, down to the last screw, which makes accreditation easy. Well, easy when compared with Android.

This makes Apple much more likely to get accreditation than Microsoft or Google.

Black Helicopters

Re: Actually...

It's not only that RIM can account for every screw in their Blackberries, but governments can order the devices direct from RIM with a higher level of encryption (than standard Blackberries) and also preloaded with the OS version of choice, pre-configured to the specification of the order. I believe this even goes down to the level of having the WiFi hardware disabled (not just the software option).

Normal companies may not see the benefit of having a BES server because they can set policies for their phones with ActiveSync and OWA. However, when you're on a domain that has WiFi, Mobile VPN, ActiveSync and OWA disabled due to conforming to the design standards set for the domain, BES is the only viable option.

There is also a reason why India threatened to ban the use of Blackberries and BESs: it's simply that any emails, data or instant messages sent between the Blackberries can only be read by the other side and by the controlling BES. The other devices either get their traffic routed through the service providers or don't have the same level of encryption through the data transaction.

I doubt there is enough of a market for the other companies to reinvent the wheel. I'm sure it's a market the others would like to get into, but would there be enough of a return? That's the question.

AC

Anonymous Coward

Not just that

RIM has been using its own radio software for the last 7+ years and intends to do so when it moves to LTE. Some of it is written in the UK too (so much for the UK labour being "expensive").

So, rather unsurprisingly, it can get it certified much more easily than others. It is a natural result of its strategic choices.

Frankly, we are entering a period when G8 (and not just UK) governments have started paying much closer attention to what goes into "national infrastructure". In fact the UK govt has quite openly declared that it will stick its nose into private company business in the course of doing so. As a result, companies which have moved key parts of their development outside their control may come to regret that as penny-wise but pound-foolish.

RIM vs the rest is only one example. There will be more and more of this.

Anonymous Coward

Guidance pertains to data usage only

This government guidance is geared to data usage only. Voice calls, etc. may only be used for unclassified data, so it actually would make no difference whether you used the default password for your voicemail or not, since the only data you should receive through your phone verbally that has any sensitivity would be your own personal data... if you can't be bothered to secure that by setting your voicemail PIN, then that's your problem.

What is going to be interesting is what happens when RIM move from the current Blackberry OS to their new OS based on QNX in the next year or so, since this is architecturally very different and much more similar to iOS or Android.

Anonymous Coward

err not interesting at all

>>What is going to be interesting is what happens when RIM move from the current Blackberry OS to their new OS based on QNX in the next year or so,

nope - not interesting at all. Until RIM get their new system accredited people who want crackberries to access their GSI email will have to use old models/OS/Enterprise Blackberry Servers.

AC cos well, it makes sense!

Unhappy

Android won't be winning any corporate contracts soon

...due to its piss-poor calendaring support. Android's dirty little secret. Any journo fancy prodding Google on this one?

http://code.google.com/p/android/issues/detail?id=2361

Flame

Calendars

"due to its piss poor calendaring support."

Strange. My Android pisses all over my work Blackberry for calendar. And email. And contacts. Actually everything!

The only thing RIM have got is a proper enterprise solution.

Anonymous Coward

rofl

"The only thing RIM have got is a proper enterprise solution."

is that all!? pah!

I would have thought that was actually quite a big thing really...

Silver badge

Integration fail

My phone knows my birthday, and those of some of my friends. Wouldn't it be logical for anniversaries to appear in the calendar? Well, you'da thought...

Anonymous Coward

Let's get the terminology right...

Hardware does not get 'accredited' - IT systems get accredited. Individual bits of hardware can be 'certified' or 'approved' but not accredited...

Anonymous Coward

While we are about it

"won't be winning many public sector contracts any time soon"

Can anyone provide a sentence where "any time soon" can't be replaced by "soon"?

Unnecessarily convoluted and complicated verbiage.

Why use big words when miniscule ones will do?

Thumb Down

Indeed....

"Why use big words when miniscule ones will do?"

Or indeed 'small' ones.

Anonymous Coward

Oh FFS

Can we PLEASE have an icon for those who fail to detect even the most blatantly intentional irony?


Even the toilet paper

is marked Restricted. So this is advice for lower bowel data and not for the truly secret stuff.

Thumb Down

Fail Story

MORE BREAKING NEWS:

EMAIL ON GOVERNMENT SYSTEM SENT TO ADDRESSES IN THE GAL.

---

Remind me why this is a story again?

"someone forgot to use the bcc function"

"The only people allowed to see the actual guidance are those with secure government intranet access."


Re: voicemail

I can't remember where I read this, so I'm not 100% sure if it's right, but I believe a lot of the tabloid voicemail hacking was possible not due to guessing the PIN, but due to stupidity in mobile operators' systems.

AIUI the issue is that they trusted caller ID coming from other networks, hence whoever did it simply got a phone line where they could set the caller ID to whatever they wanted (which is difficult in the UK, and almost certainly against the terms of whoever provided the connection, but not impossible), set it to present the mobile number they were trying to hack, then dialled the operator's voicemail system - as it thought it was a call straight from the phone it let them in without any PIN checking.

I believe the issue has now been fixed on all the major operators, so they no longer trust caller ID from outside their network in this way...

Pint

@Alex Brett

That sounds like a good theory, and in the next few months we may (or may not) find out whether that was the way it was done where non-default PINs were in use. But the theory I heard is much simpler - stooges in the mobileco call centre were motivated to reset PINs or whatever.


They do it all the time.

My emails from them regularly have other CC addresses on them, such as 001@sis.gov.uk, 002@sis.gov.uk, etc.

Paris Hilton

Who is to blame here, user or coder?

I'm in two minds as to whether this is the fault of the software, or the fault of the user. Yes, us geeks know not to use CC for multiple addresses... but is it reasonable to expect the average appliance-user to know WHY that is bad practice?

Is a user of an electric shower supposed to study the differences between a TNC/S or a TT electrical supply before they use the appliance? Or, would they assume that provided they operate the controls correctly, they should be safe?

By the same token, suppose an 'appliance user' updates a CMS webpage and in doing so types an email address. The software they're using then automatically converts the address into a 'click to mail me' URL.

The user draws the conclusion that (a) this is marvellously helpful and brilliant software design, and (b) that there can't possibly be anything wrong with doing this, or the 'smart' software would surely have said so. On the strength of this, they decide to put all of their colleagues' email addresses on the webpage too. After all, why not, it's helping people to contact them is it not?

I shouldn't need to explain what the outcome of this will be. (Cue four vikings sitting in a cafe...)

When you think about the CC/BCC issue in the same context, maybe software should warn the user if they type more than a specified number of addresses into a CC field. Say, five or ten.

-Paris, because she knows what it's like to have your private stuff published all over the place.

Silver badge
Thumb Up

re: four vikings sitting in a cafe

You win.

Stop

Why not make the 'default' option

BCC? Especially with governmental email.

If you need the others to see who else got the email you can use CC or list all or some of the names. And for any 'disciplinary' or 'security' needs it's not exactly impossible to pull up a list of the recipients from the email server.

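The two suggestions above (warn when more than a handful of addresses land in CC, and default mailing lists to BCC) as an added example that is not from the article or any commenter. It uses only Python's standard `email` package; the sample message, its addresses and the threshold of five are constructed for the demo.

```python
import email
from email import policy
from email.utils import getaddresses

# Constructed threshold, following the commenter's "five or ten" suggestion.
MAX_VISIBLE_RECIPIENTS = 5

def visible_recipients(raw_message: str) -> list[str]:
    """Addresses every recipient will see: To and Cc headers, never Bcc."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return [addr for _name, addr in getaddresses(headers) if addr]

def check_recipient_exposure(raw_message: str, limit: int = MAX_VISIBLE_RECIPIENTS) -> dict:
    """Flag a message whose visible recipient list exceeds `limit`.
    A sending client could show `advice` to the user before the mail leaves."""
    count = len(visible_recipients(raw_message))
    exposes = count > limit
    return {
        "visible_count": count,
        "exposes_list": exposes,
        "advice": f"Move the list to Bcc: all {count} addresses are visible to everyone."
                  if exposes else "OK",
    }

def move_cc_to_bcc(raw_message: str) -> str:
    """The 'default to BCC' remedy: relocate every Cc address into Bcc."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    cc = [str(h) for h in msg.get_all("Cc", [])]
    if cc:
        bcc = [str(h) for h in msg.get_all("Bcc", [])]
        del msg["Cc"]
        del msg["Bcc"]
        msg["Bcc"] = ", ".join(bcc + cc)
    return msg.as_string()

# Constructed sample press release with a journalist list left in Cc (made-up addresses).
PRESS_RELEASE = """\
From: press-office@example.gov.uk
To: press-office@example.gov.uk
Cc: a.reporter@example.com, b.hack@example.org,
 c.journo@example.net, "D. Writer" <d.writer@example.co.uk>,
 e.scribe@example.com, f.editor@example.com
Subject: Guidance document on use of Smartphones in Government

Please find attached the new guidance.
"""

if __name__ == "__main__":
    print(check_recipient_exposure(PRESS_RELEASE))
    print(check_recipient_exposure(move_cc_to_bcc(PRESS_RELEASE)))
```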
Bronze badge

'Restricted'

The classification 'Restricted' is hardly even chicken feed, so from that perspective alone the Blackberry can hardly be regarded as a secure enabled device.

At some point a government somewhere will wake up to the need for a device that can transmit at least Confidential, possibly even Secret data. Top Secret and the caveat UK Eyes only? I cannot imagine this happening ever. Then again if 20 years ago I'd been told that under a Labour government several gigabytes of sensitive information would have been variously lost, left on trains, lifted from insecure storage, then I'd have been disbelieving.

Big Brother

Cunning Plan

Clearly the journalists involved have no clue about how to run a spy department.

90% of the work is about dis-information.

Deliberately not using BCC means every journalist knows who every other journalist is on the mailing list. They will then be able to fight with each other for coverage of future news stories.

Meanwhile the real news goes unnoticed.

Or perhaps they just fucked up.

Thumb Up

Or perhaps!

They filled all the names into BCC and then added a bunch of dummy CC names!!! Extra cunning.
