GCHQ commits schoolboy security blunder

Exciting news from UK spooks at GCHQ - it's the new and improved "Guidance document on use of Smartphones in Government". The only problem with this riveting press release from GCHQ is that someone forgot to use the bcc function - instead, the message reveals the email address of every journalist on the list. The list comes …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    WTF?

    Tony Blackburn

    Tony Blackburn did this with his Blackburn Xtra mailing list a few years ago. Well his producer Sammi did, anyway.

    Then he did it again, sending out a CC email attempting to 'cancel' the first one!

    So it's not just GCHQ - It's even Tony Blackburn!

  2. Matt Hawkins
    Alert

    Why pick on Android?

    "So it looks like Google's Android phones won't be winning many public sector contracts any time soon."

    Neither will Microsoft or Apple.

    1. trarch

      Market Share

      Presumably because the Android platform is now the market leader, and is set to increase to half the market according to Gartner. That's a pretty huge deal, and additional public sector contracts would certainly play a role in keeping Android dominant.

    2. dogged
      Thumb Up

      because

      you can count on some Android fanboy to whine about it and try to make out that everyone else is worse just because they didn't join his "gang".

      Oh, hi.

    3. Spearchucker Jones
      Boffin

      Actually...

      It's (assuming it's the same in the UK as in another country I know of) because of the radio.

      Android handsets suffer the same problem Microsoft Mobile and Microsoft Phone suffer - neither Google nor Microsoft make the hardware. This means that each hardware vendor must be accredited. Google is actually worse off, because the perception is that it's easier to put malicious code into open-sourced Android than WM or WP.

      RIM can identify the supplier for every component in Blackberries, down to the last screw, which makes accreditation easy. Well, easy when compared with Android.

      This makes Apple much more likely to get accreditation than Microsoft or Google.

      1. Anonymous Coward
        Black Helicopters

        Re: Actually...

        It's not only that RIM can account for every screw in their Blackberries, but governments can order the devices direct from RIM with a higher level of encryption (than standard Blackberries) and also preloaded with the OS version of choice, pre-configured to the specification of the orderer. I believe this is even down to the level of having the WiFi hardware disabled (not just the software option).

        Normal companies may not see the benefit of having a BES server because they can set policies for their phones with ActiveSync and OWA. However, when you're on a domain that has WiFi, Mobile VPN, ActiveSync and OWA disabled due to conforming to the design standards set for the domain, BES is the only viable option.

        There is also a reason why India threatened to ban the use of Blackberries and BESs: it's simply that any emails, data or instant messages sent between the Blackberries can only be read by the other side and by the controlling BES. The other devices either get their traffic routed through the service providers or don't have the same level of encryption throughout the data transaction.

        I doubt there is enough of a market for the other companies to reinvent the wheel, I'm sure it's a market the others would like to get into but would there be enough of a return, that's the question.

        AC

      2. Anonymous Coward
        Anonymous Coward

        Not just that

        RIM has been using its own radio software for the last 7+ years and intends to do so when it moves to LTE. Some of it is written in the UK too (so much for the UK labour being "expensive").

        So, rather unsurprisingly, it can get it certified much more easily than others. It is a natural result of its strategic choices.

        Frankly, we are entering a period when G8 (and not just UK) governments have started paying much closer attention to what goes into "national infrastructure". In fact the UK govt has quite openly declared that it will stick its nose into private company business in the course of doing so. As a result, companies which have moved key parts of their development outside their control may come to regret that as penny-wise but pound-foolish.

        RIM vs the rest is only one example. There will be more and more of this.

  3. Anonymous Coward
    Anonymous Coward

    Guidance pertains to data usage only

    This government guidance is geared to data usage only. Voice calls, etc. may only be used for unclassified data, so it actually would make no difference whether you used the default password for your voicemail or not, since the only data you should receive through your phone verbally that has any sensitivity would be your own personal data... if you can't be bothered to secure that by setting your voicemail PIN, then that's your problem.

    What is going to be interesting is what happens when RIM move from the current Blackberry OS to their new OS based on QNX in the next year or so, since this is architecturally very different and much more similar to iOS or Android.

  4. Anonymous Coward
    Anonymous Coward

    err not interesting at all

    >>What is going to be interesting is what happens when RIM move from the current Blackberry OS to their new OS based on QNX in the next year or so,

    nope - not interesting at all. Until RIM get their new system accredited people who want crackberries to access their GSI email will have to use old models/OS/Enterprise Blackberry Servers.

    AC cos well, it makes sense!

  5. keith 9
    Unhappy

    Android won't be winning any corporate contracts soon

    ...due to its piss poor calendaring support. Android's dirty little secret. Any journo fancy prodding Google on this one?

    http://code.google.com/p/android/issues/detail?id=2361

    1. Anonymous Coward
      Flame

      Calendars

      "due to its piss poor calendaring support."

      Strange. My Android pisses all over my work Blackberry for calendar. And email. And contacts. Actually everything!

      The only thing RIM have got is a proper enterprise solution.

      1. Anonymous Coward
        Anonymous Coward

        rofl

        "The only thing RIM have got is a proper enterprise solution."

        is that all!? pah!

        I would have thought that was actually quite a big thing really...

    2. heyrick Silver badge

      Integration fail

      My phone knows my birthday, and those of some of my friends. Wouldn't it be logical for anniversaries to appear in the calendar? Well, you'da thought...

  6. Anonymous Coward
    Anonymous Coward

    Let's get the terminology right...

    Hardware does not get 'accredited' - IT systems get accredited. Individual bits of hardware can be 'certified' or 'approved' but not accredited...

    1. Anonymous Coward
      Anonymous Coward

      While we are about it

      "won't be winning many public sector contracts any time soon"

      Can anyone provide a sentence where "any time soon" can't be replaced by "soon"?

      Unnecessary convoluted and complicate verbiage.

      Why use big words when miniscule ones will do?

      1. It wasnt me
        Thumb Down

        Indeed....

        "Why use big words when miniscule ones will do?"

        Or indeed 'small' ones.

        1. Anonymous Coward
          Anonymous Coward

          Oh FFS

          Can we PLEASE have an icon for those who fail to detect even the most blatantly intentional irony?

  7. asiaseen

    Even the toilet paper

    is marked Restricted. So this is advice for lower bowel data and not for the truly secret stuff.

  8. This post has been deleted by its author

  9. Alex Brett

    Re: voicemail

    I can't remember where I read this so not 100% sure if it's right, but I believe a lot of the tabloid voicemail hacking was possible not due to guessing the PIN, but due to stupidity in mobile operators' systems.

    AIUI the issue is that they trusted caller ID coming from other networks, hence whoever did it simply got a phone line where they could set the caller ID to whatever they wanted (which is difficult in the UK, and almost certainly against the terms of whoever provided the connection, but not impossible), set it to present the mobile number they were trying to hack, then dialled the operator's voicemail system - as it thought it was a call straight from the phone it let them in without any PIN checking.

    I believe the issue has now been fixed on all the major operators, so they no longer trust caller ID from outside their network in this way...
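As an added illustration of the weakness Alex Brett describes (this is example code, not anything from the thread or from any operator), here is a toy model of the voicemail access decision. The legacy policy treats a matching caller ID as proof that the subscriber's own handset is calling; the hardened policy only skips the PIN when the operator's own switching layer has flagged the call as originating on-network, and treats caller ID as untrusted display data. It also emits an audit record so that an off-network call presenting a subscriber's own number can be spotted in logs. The call fields, mailbox number and PIN are all constructed for the example.

```python
"""Toy voicemail access policy: caller ID is not an authenticator.

Added example, not code from the comment thread. Field names such as
`on_net_origin` are assumptions standing in for whatever trunk/signalling
attribute a real operator's switch exposes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InboundCall:
    presented_cli: str          # caller ID as presented; controlled by the originating network
    mailbox: str                # mailbox number the caller is trying to open
    on_net_origin: bool         # set by the operator's own switch, never derived from the CLI
    pin_entered: Optional[str]  # PIN typed at the prompt, or None if the caller gave none


# Constructed sample mailbox and PIN (not real numbers).
MAILBOX_PINS = {"07700900123": "4821"}


def _check_pin(call: InboundCall) -> bool:
    """Fallback: access is granted only with the correct PIN for that mailbox."""
    expected = MAILBOX_PINS.get(call.mailbox)
    return expected is not None and call.pin_entered == expected


def legacy_policy(call: InboundCall) -> bool:
    """Insecure: a caller ID matching the mailbox number bypasses the PIN."""
    if call.presented_cli == call.mailbox:
        return True
    return _check_pin(call)


def hardened_policy(call: InboundCall) -> bool:
    """Skip the PIN only when the switch itself attributes the call to the subscriber's handset."""
    if call.on_net_origin and call.presented_cli == call.mailbox:
        return True
    return _check_pin(call)


def audit_event(call: InboundCall, granted: bool) -> dict:
    """Structured log record; `suspicious` flags an off-net call presenting the mailbox's own number."""
    return {
        "mailbox": call.mailbox,
        "presented_cli": call.presented_cli,
        "on_net_origin": call.on_net_origin,
        "pin_supplied": call.pin_entered is not None,
        "granted": granted,
        "suspicious": (not call.on_net_origin) and call.presented_cli == call.mailbox,
    }


# Constructed samples: an external line presenting the victim's number, and a genuine handset call.
SPOOFED_SAMPLE = InboundCall("07700900123", "07700900123", on_net_origin=False, pin_entered=None)
GENUINE_SAMPLE = InboundCall("07700900123", "07700900123", on_net_origin=True, pin_entered=None)
EXTERNAL_WITH_PIN = InboundCall("02079460000", "07700900123", on_net_origin=False, pin_entered="4821")

if __name__ == "__main__":
    for call in (SPOOFED_SAMPLE, GENUINE_SAMPLE, EXTERNAL_WITH_PIN):
        print("legacy:", legacy_policy(call), "hardened:", hardened_policy(call),
              audit_event(call, hardened_policy(call)))
```

The design point is that the only attribute allowed to replace the PIN is one the operator derives itself from where the call entered its network; the presented number remains useful for the audit record, and an off-net call carrying the mailbox's own number is exactly the pattern worth alerting on.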

  10. Anonymous Coward
    Pint

    @Alex Brett

    That sounds like a good theory, and in the next few months we may (or may not) find out whether that was the way it was done where non-default PINs were in use. But the theory I heard is much simpler - stooges in the mobileco call centre were motivated to reset PINs or whatever.

  11. moonface

    They do it all the time.

    My emails from them regularly have other cc addresses on them, such as 001@sis.gov.uk, 002@sis.gov.uk, etc.

  12. Anteaus
    Paris Hilton

    Who is to blame here, user or coder?

    I'm in two minds as to whether this is the fault of the software, or the fault of the user. Yes, us geeks know not to use CC for multiple addresses... but is it reasonable to expect the average appliance-user to know WHY that is bad practice?

    Is a user of an electric shower supposed to study the differences between a TNC/S or a TT electrical supply before they use the appliance? Or, would they assume that provided they operate the controls correctly, they should be safe?

    By the same token, suppose an 'appliance user' updates a CMS webpage and in doing so types an email address. The software they're using then automatically converts the address into a 'click to mail me' URL.

    The user draws the conclusion that (a) this is marvellously helpful and brilliant software design, and (b) that there can't possibly be anything wrong with doing this, or the 'smart' software would surely have said so. On the strength of this, they decide to put all of their colleagues' email addresses on the webpage too. After all, why not, it's helping people to contact them is it not?

    I shouldn't need to explain what the outcome of this will be. (Cue four vikings sitting in a cafe...)

    When you think about the CC/BCC issue in the same context, maybe software should warn the user if they type more than a specified number of addresses into a CC field. Say, five or ten.

    -Paris, because she knows what it's like to have your private stuff published all over the place.

    1. Anonymous Coward
      Thumb Up

      re: four vikings sitting in a cafe

      You win.

    2. Anonymous Coward
      Stop

      Why not make the 'default' option

      BCC? Especially with governmental email.

      If you need the others to see who else got the email you can use CC or list all or some of the names. And for any 'disciplinary' or 'security' needs it's not exactly impossible to pull up a list of the recipients from the email server.
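Both of the suggestions above, Anteaus's warning when more than a handful of addresses land in Cc and the proposal to make Bcc the default, can be tried out in a few lines. The following is an added example and not code from the thread, the article, or any mail client; it uses only the standard library `email` package. The warning threshold of five and the sample press-release message with eight journalist addresses are constructed values.

```python
"""Guarding against the Cc-instead-of-Bcc slip in an outgoing message.

Added example (not from the thread). Shows (1) a warning when too many
addresses would be visible to every recipient and (2) an opt-in rewrite
that moves Cc recipients to Bcc, while the server-side envelope list
still records everyone who was sent the message.
"""
from email.message import EmailMessage
from email.utils import getaddresses

CC_WARN_THRESHOLD = 5  # constructed; the comment suggests "five or ten"


def _addrs(msg: EmailMessage, header: str) -> list:
    """Parsed addresses from every occurrence of one header (empty list if absent)."""
    return [addr for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipients(msg: EmailMessage) -> list:
    """Addresses every recipient will see: To and Cc."""
    return _addrs(msg, "To") + _addrs(msg, "Cc")


def envelope_recipients(msg: EmailMessage) -> list:
    """Everyone the message is delivered to, Bcc included; this is what the mail server logs."""
    return visible_recipients(msg) + _addrs(msg, "Bcc")


def cc_warning(msg: EmailMessage, threshold: int = CC_WARN_THRESHOLD):
    """Return a warning string if more than `threshold` addresses are exposed, else None."""
    exposed = visible_recipients(msg)
    if len(exposed) > threshold:
        return f"{len(exposed)} addresses will be visible to all recipients; consider Bcc"
    return None


def bcc_by_default(msg: EmailMessage) -> EmailMessage:
    """Move every Cc recipient into Bcc so recipients cannot see each other's addresses."""
    moved = _addrs(msg, "Bcc") + _addrs(msg, "Cc")
    del msg["Cc"]    # Message.__delitem__ is a no-op if the header is absent
    del msg["Bcc"]
    if moved:
        msg["Bcc"] = ", ".join(moved)
    return msg


def build_sample() -> EmailMessage:
    """Constructed press-release style message with eight journalists in Cc."""
    msg = EmailMessage()
    msg["From"] = "press-office@example.gov.uk"
    msg["To"] = "press-office@example.gov.uk"
    msg["Cc"] = ", ".join(f"journalist{i}@example-paper.co.uk" for i in range(1, 9))
    msg["Subject"] = "Guidance on use of smartphones"
    msg.set_content("Please find the new guidance attached.")
    return msg


if __name__ == "__main__":
    draft = build_sample()
    print(cc_warning(draft))               # warns: 9 addresses visible
    bcc_by_default(draft)
    print(visible_recipients(draft))       # only the To address remains visible
    print(len(envelope_recipients(draft))) # server still sees all 9 recipients
```

The warning is the cheaper change to deploy, because it leaves the sender in control of the (occasionally legitimate) choice to expose a recipient list; the default-to-Bcc rewrite removes the slip entirely but also removes recipients' ability to see who else was sent the message, which is why the comment above pairs it with pulling the recipient list from the server when that record is needed.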

  13. Scorchio!!

    'Restricted'

    The classification 'Restricted' is hardly even chicken feed, so from that perspective alone the Blackberry can hardly be regarded as a secure enabled device.

    At some point a government somewhere will wake up to the need for a device that can transmit at least Confidential, possibly even Secret data. Top Secret and the caveat UK Eyes only? I cannot imagine this happening ever. Then again if 20 years ago I'd been told that under a Labour government several gigabytes of sensitive information would have been variously lost, left on trains, lifted from insecure storage, then I'd have been disbelieving.

  14. Anonymous Coward
    Big Brother

    Cunning Plan

    Clearly the journalists involved have no clue about how to run a spy department.

    90% of the work is about dis-information.

    Deliberately not using BCC means every journalist knows who every other journalist is on the mailing list. They will then be able to fight with each other for coverage of future news stories.

    Meanwhile the real news goes unnoticed.

    Or perhaps they just fucked up.

    1. Anonymous Coward
      Thumb Up

      Or perhaps!

      They filled all the names into BCC and then added a bunch of dummy CC names!!! Extra cunning.
