White House Chief of Staff John Kelly's Cell Phone was Tapped

Politico reports that White House Chief of Staff John Kelly's cell phone was compromised back in December.

I know this is news because of who he is, but I hope every major government official of any country assumes that their commercial off-the-shelf cell phone is compromised. Even allies spy on allies; remember the reports that the NSA tapped the cell phone of German Chancellor Angela Merkel?

Posted on October 9, 2017 at 6:10 AM • 64 Comments

Comments

Actually • October 9, 2017 6:38 AM

No off-the-shelf iPhone is compromised.

His personal phone must have been an android phone.

Jim K • October 9, 2017 6:42 AM

So, I guess we have to figure whether the people on the other side of the table have the resources to gain access to such things.

Without getting too conspiratorial, do we know how widely such things are distributed within government? Does it filter down to the private sector if you ask nicely?

Mee 2 • October 9, 2017 7:02 AM

I more or less agree with @Actually that the iPhone is much less vulnerable to attack than Androids. At least that's what we are led to believe.

It would be good to know the particulars on Kelly's phone for that reason.

Why aren't our own electronic experts riding herd over politicians in regards to their devices?

Nick • October 9, 2017 8:18 AM

Amazing that a General in the U.S. military wouldn't have been more concerned about a cell phone not updating software properly.

BB • October 9, 2017 8:56 AM

last comment about UnaPhone:

"The Darkbird X a month ago said:
The project is dead. Someone from the Unaphone team contacted me by phone. Reason given: external pressure (a good reader knows what that means...). They told me they would refund the backer's money. This is not a joke, no hoax, it's the truth: Unaphone Zenith project is dead."
https://tutanota.com/blog/posts/una-phone-zenith-crowdfunding

I am sure the Chinese, Iranian and Russian governments are very happy about this decision above.

Sancho_P • October 9, 2017 10:10 AM

The original MSM article was doubtful and without significant information, close to FUD, but honest enough to use “unclear”.

@Bruce pushes it further by (the security expert) writing “was Tapped”,
which hints at a conspiracy against Kelly / White House, without additional info.
This is FUD.

“classified [security] briefings” - not only the Kremlin is impressed, LOL.
There(*)would(*)be(*)a(*)lot(*)to(*)discuss(*)and(*)take(*)away(*)from(*)the(*)incident.
(*) = classified

Wael • October 9, 2017 10:28 AM

It's no secret that the mobile Attack Surface is huge. Government agencies need to shrink the Attack surface by:

  • Not allowing Cloud access or backup
  • Not allowing BYOD
  • Periodic and frequent physical inspection of devices. Perhaps the device needs to connect to a government backend server that scans the device for anomalies: Root / Jail break detection, List of software components, Integrity Metrics with defined parameters, ...
  • Review of phone logs
  • Whitelist of allowed SW components
  • Double signature. Only allow software signed by the agency to be installed, and blacklist everything else, including questionable stock software components
  • ...

Mostly OpSec policy enforcement.

As for spy software that can keylog, exfiltrate everything from text messages, emails, photos, ... there are a few robust spy solutions: For example mSpy is not easy to detect. It uploads all the information on a cloud that the "spy" can review at their leisure: pictures and videos on the phone, passcodes entered, emails, key strokes, locations and nearby SSIDs, phones called and received, ... the list is expanding. There are other tools as well. For full access it requires the iPhone to be jailbroken, otherwise it can have limited access to information via iCloud, if the account password is known. The same goes for Android devices, with the exception that the device needs to be rooted rather than "jailbroken" -- semantics...

[...] remember the reports that the NSA tapped the cell phone of German Chancellor Angela Merkel?

Yes, how could we forget! The incident is immortalized with a high-class piece of literature, right here!

Clive Robinson • October 9, 2017 11:48 AM

The article was as others have noted light on details thus reads speculative.

That said there was one sentence of note that just about everybody should take the implications of on board,

    Kelly’s travel schedule prior to joining the administration in January is under review.

For god's sake don't take a normal work/personal phone across borders, or close enough to a country's border that the phone registers with a network in another country.

If you have to go abroad buy a "burner" phone that only allows calls and SMSs. When you get back take it back to the original retailer saying it was intermittent and kept dropping calls and ask for your money back. Failing that take it down to your local second hand shop.

If however you are one of those thoughtful security minded souls that others think may be paranoid, read the last three paragraphs of the article and what Bill Marczak, of the University of Toronto's "Citizen Lab", says. Thus take the "electro-light" diet and travel device free...

For business and even political people that have offices / Embassies in the country they are going to, then "electro-light" is the way to travel and pick up what you might need from the office / Embassy.

Let's be reasonable shall we? • October 9, 2017 11:58 AM

@Sancho

"The original MSM article was doubtful and without significant information, close to FUD, but honest enough to use “unclear”."

Close to FUD? It's an ongoing investigation into a security breach at the highest levels, and you're wondering why the FIRST MEDIA REPORTS OF IT don't include a full technical breakdown and attribution to the actors?

Trumpies are crazy. There's no fixing that. But at least attempt to be reasonable!

The MSM didn't "fail you" by reporting this information which DOES check out and IS from vetted sources and IS NOT being denied by the WH.

YOU are failing YOURSELF by running distraction and calling out FUD where there is none.

Don't you dare try to blame Bruce for reporting on important things just because he doesn't have 100% of the details. That's unrealistic to the point of being FUD itself.

Tatütata • October 9, 2017 11:58 AM

@Wael:

In a recent "Satiresendung" (Extra3 or Heute-Show, I don't remember) there was a segment where the Frau Bundeskanzlerin was showing off her current personal communication device to kids: a Blackberry! She could have as well exclaimed: "das klotzt mich an".

More seriously, Dubya and Obama tapped European "wires" by going after the fixed infrastructure, not the devices themselves.

I'm echoing other commenters in noticing that I still don't understand what exactly happened to Kelly, or whether anything was actually compromised. And there is too much secrecy anyway, we need to have enough warning to head for shelters before Twitler/Nero/Caligula/Ubu stumbles into WW3.

It's not apolitical, it's comparative. • October 9, 2017 12:03 PM

@Bruce

Did you censor my previous comment just now about OPSEC and the string of failures by this administration in that arena because it was too politically charged?

I kept the vitriol to a minimum I thought. I certainly stand by everything I said.

HRC had valid security OPSEC failures that people moaned about constantly for literally years, but the Trump administration has seen fit to REPEAT THEM EXACTLY and in fact has succeeded them demonstrably. This is AFTER the very public lesson, investigations, etc.

I said it before and I'll say it again, political though it may be, it is accurate:

If anyone chanted "lock her up" for HRC's valid security failings, they ought to be immolating now.

Tatütata • October 9, 2017 12:11 PM

Then there are the other sequences when Merkel sits totally bored in parliament, thumbing messages away... If she was writing "Seehofer is an effing moron" that would be as much of a revelation as Tillerson venting his frustration with SCROTUS.

In the Dutch language domain I read this morning that there is at last a coalition in the Netherlands after 218 days of negotiations. They managed it faster than the Belgians (541 days). I also saw that enough citizen signatures were gathered to organise a binding referendum on the "sleepwet" (surveillance act) which had passed first reading last July. I hadn't heard of this before today.

Gunter Königsmann • October 9, 2017 12:26 PM

There were no rules about spying on friends back then when Angela Merkel's phone was compromised. And the secret services had the task to gather all important pieces of information. So in retrospect that was bound to happen.

In the meantime at least the US, Germany and France (maybe others) have said they have added rules for this case so I expect that no more happens.

Trust, but verify • October 9, 2017 12:36 PM

"I guess we have to figure whether the people on the other side of the table have the resources to gain access to such things."

State sponsor --funds-> private sector security contractors --hack-> everything.
Bycatch is probably approaching 100%. One good hook is all that is needed.

They have the resources to hack android. They have the resources to hack windows.
They have the resources to hack ios (*). They have the resources to hack telcos.

It's not like people are 'inventing' a Russian blackhat capability. At all. People who don't read about APT actors and detest "that woman" can plausibly say they don't believe Russia would hack the US.gov directly, but they do so from a position of no information.
They need to pull their head out. This is a serious threat to our system.

In balance, realize we ARE a very serious threat to Putin's system. 24/7.

The information exists, it is vetted, there is some speculative stuff in it but that's the nature of information.

There is zero question Russia and other actors spend high-millions to billions on their efforts to infiltrate and control US tech assets. Android is low-lying fruit, frankly.

If they weren't doing it, that would be a sign of complete incompetence on their part.
Putin is not incompetent nor is he the boogie man. This stuff happens every day.
Read about it, know about it, trust but verify, both in realtime.

Isobel • October 9, 2017 1:05 PM

Clive Robinson,

For god's sake don't take a normal work/personal phone across borders, or close enough to a country's border that the phone registers with a network in another country.

You don't count Washington DC as "close enough to a country's border that the phone registers with a network in another country"? I would. There's no actual border there, but there's also nothing to keep another country's network away. Nothing but the wrath of the FCC, which isn't a big concern once you've decided to spy on world leaders. It happened in Canada's capital recently.

WhiskersInMenlo • October 9, 2017 1:37 PM

Android or iOS the conversations can be tapped at the logical equivalent of a central office.
The bits can be trapped by a bogus cell tower.
Digital content commonly is flexible in how it is routed but can be forced to travel specific paths.

The international bit is murky. Some devices can be totally compromised with physical access others not so much. Businesses and governments need to address the special circumstances that presents. It is not smart to bring a smart phone on international travel especially if you are a medium to high profile individual.

Has Nokia shipped that retro phone yet?

Gunter Königsmann • October 9, 2017 1:40 PM

@Isobel: as long as there are IMSI catchers every cellphone can be told to be near a border. In - I believe it was the Belgian capital that also holds big institutions of the European Union - they once found thousands of these devices to be active.

Wael • October 9, 2017 2:00 PM

@Tatütata,

She could have as well exclaimed: "das klotzt mich an".

Yep!

More seriously, Dubya and Obama tapped European "wires" by going after the fixed infrastructure, not the devices themselves.

That and Billions of other things.

[...] still don't understand what exactly happened to Kelly,

Nothing happened to Kelly (yet.) "Something" happened to his device, we are made to believe :)

or whether anything was actually compromised.

Hard to tell. What if the "spy" listened to ambient conversations or such? How would one quantify the level of compromise?

And there is too much secrecy anyway...

They can't keep a secret. Best thing now is disinformation and fake news.

Let's be reasonable • October 9, 2017 2:20 PM

"Dubya and Obama" - The executive need not have signed off on it directly, either way.

This is part of an ongoing mandate, it predates our modern politik. It's apolitical.
The intel agencies wax and wane with new laws/directives, but it's largely autonomous.

But they weren't targeting Merkel in any case, they were finding out what people she spoke with were saying. There was a lot going on in the world at that point and a lot riding. They need the straight dope and they will get it when they need it.

Do you think Kelly wouldn't have vociferously denied this report if it weren't true?
BS blanket denial is their go-to tactic when they think they can get away with it.

There's a reason Tillerson didn't sue those saying he called Trump a moron.
There's a reason Kelly isn't up in arms about "fake news" regarding his phone.

They could quash that straight away. *If it weren't provably true.

If one is pretending the media is making all this up, Occam's razor applies there too.
That would be even harder to believe than the incompetence in this administration.

"They™ can't keep a secret. Best thing now is disinformation and fake news."

Somehow I have more faith in the 17 US intel agencies than I do people supporting someone who has lied repeatedly, provably, to the American people over and over and over again about his administration's involvement with foreign adversaries, and who overtly appeals for violence against protesters and reporters alike in the meantime.

Yes, security regimes have HUMINT issues, all of them do. POTUS should never be among them but here we are, holding each other accountable instead of ourselves collectively.

Bardi • October 9, 2017 2:21 PM

How do we know Trump and "his" administration was not behind the hacking of Kelly's phone? There is so much perceived chaos and with Trump demanding "loyalty" (like he has any idea what that means) I might look to him and his gang for such work.

albert • October 9, 2017 2:51 PM

@Bardi,

A Russian hacker and a Chinese hacker are sitting in a bar:

CH: We hacked into Kellys phone and guess what we found?

RH: What?

CH: You guys were already there!

RH: Well, guess what we found?

CH: What?

RH: The NSA was already there!

. .. . .. --- ....

Clive Robinson • October 9, 2017 5:59 PM

@ Albert,

You left off the punch line.

An NSA TAO wanders over to CH and RH and says "Guys you will never guess what we found?"

The CH and RH look on surprised and say "What?"

The NSA TAO looks around slowly and carefully before replying "A sticker under the battery that had the message "Snowden was here" on it."

...

Wael • October 9, 2017 6:27 PM

@Clive Robinson, @albert,

Continuation...

Anonymous gov agent: Hurry! Send the phone for a colonoscopy procedure at NSA.

NSA proctologist: Don't waste time, people. Get the fiber optic enema prepared stat [1], we need to clean this sh*t out! Turn the fan off, you idiots... stuff is hitting the fan.

Everyone, a little later: Holy crap... wtf! How did this phone ingest so much bamboos and bears?

“TAO, in Chinese means: The right way...”

[1] Stat means quickly.

Sancho_P • October 9, 2017 6:32 PM

@Let's be reasonable and so

”Trumpies are crazy.” is slightly too much for your handle, isn’t it?
I’m a technician, neither interested in ‘religious’ hearsay nor in Donald vs HRC or whatever.

Fact is (hopefully):
Kelly, [not being a technician],
”… turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.”
and
”… told the staffers the phone hadn’t been working properly for months, according to the officials.”

It wasn’t said which type of phone, if he wasn’t satisfied since the beginning or when he encountered problems, if it was a technical problem or the device was tampered with in HW or SW.
So the serious story ends here: We simply don’t know now,
and very likely will never know because of “classified”.

Read the rest again and you will realize that any automated text aggregator may have copied hints out of other stories + out of context.

***

Well, you don’t think Kelly has bought that phone in a store, do you?

A serious reporter’s very first question would be:
Who donated the phone to Kelly? The Russian ambassador?

Also of interest would be:
- Why oh why did his security personnel allow him to carry a potential spy device with him (this is a serious question, because John Doe already knows about location services and so on, so we must assume that the enemy has penetrated his security staff).
- Didn’t the NSA probe and log all communication around him, at least his and his staff’s calls, to discover possible moles and (other) fake cell towers?
Are they sleeping at the wheel or was it “overseen” on purpose? Which purpose?
-> Without any answer the story is no story.

***

But there is another issue that has bugged me since I heard of it (yes, it’s hearsay again):
It was reported (please correct me if I’m wrong, I’m too lazy to look it up now) that HRC as Secretary of State wanted the same (secure) phone as Obama had, but she was told from WH staff that a SoS can’t have such a device because of blah blah [1].
- Who is responsible for deliberately keeping the WH security-wise dumb and the reds under the bed always informed?

[1]
To me personally this denial would have made me quit the job the very same day. Why didn’t she?

Wael • October 9, 2017 6:54 PM

Two things:

One: Name one phone that isn’t made in China (中国制造)
Two: "Phone isn’t updating software” probably refers to the phone not alerting the user that a new version of the OS is available. mSpy disables these alerts; it only fully supports iOS up to version 9.1, and if the user is allowed to upgrade the OS, then the spy tool goes down the drain. After 9.1, there is no publicly known way to jailbreak an iPhone (I think.) This fact alone should have raised a red flag a long time ago.
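
A defender-side screening check of the kind Wael's earlier list (backend scan for root/jailbreak, component whitelist, integrity metrics with defined parameters) and this comment point at, written as an added example that is not code from any commenter or from the blog: a device inventory is screened for jailbreak/root artefacts, software components outside an allow-list, and an OS version that has trailed the agency baseline for longer than a defined window, which is the "phone isn't updating" symptom turned into a red flag. The baseline, allow-list, indicator paths and the three inventory records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical agency baseline: minimum OS version per platform (constructed).
BASELINE_OS = {"ios": (11, 0, 0), "android": (8, 0, 0)}
# How many days a device may stay behind the baseline before it is flagged.
MAX_LAG_DAYS = 45
# Allow-list of software components per platform (constructed identifiers).
ALLOWED_COMPONENTS = {
    "ios": {"com.apple.mobilesafari", "gov.example.securemail"},
    "android": {"com.android.chrome", "gov.example.securemail"},
}
# Filesystem artefacts typical of a jailbroken/rooted device (illustrative).
ROOT_INDICATORS = {
    "ios": {"/Applications/Cydia.app", "/bin/bash"},
    "android": {"/system/xbin/su", "/sbin/su"},
}


@dataclass
class DeviceRecord:
    """One inventory entry as reported by the device to the backend."""
    device_id: str
    platform: str
    os_version: str
    baseline_released: date   # date the baseline OS became available
    checked_on: date          # date of this scan
    components: set           # installed software component identifiers
    present_paths: set        # filesystem paths the scan agent found


def parse_version(text):
    """'11.0.1' -> (11, 0, 1); tuples compare correctly as versions."""
    return tuple(int(part) for part in text.split("."))


def check_device(rec):
    """Return a list of findings for one record; an empty list is compliant."""
    findings = []
    # 1. Root / jailbreak detection: any known artefact present is a finding.
    hits = ROOT_INDICATORS[rec.platform] & rec.present_paths
    if hits:
        findings.append(f"root-indicator:{sorted(hits)}")
    # 2. Component whitelist: anything not explicitly allowed is a finding.
    unknown = rec.components - ALLOWED_COMPONENTS[rec.platform]
    if unknown:
        findings.append(f"unapproved-component:{sorted(unknown)}")
    # 3. Update lag: being behind the baseline is tolerated only briefly.
    #    A device stuck on an old OS long after the baseline shipped is the
    #    "isn't updating" symptom, whatever the cause.
    if parse_version(rec.os_version) < BASELINE_OS[rec.platform]:
        lag = (rec.checked_on - rec.baseline_released).days
        if lag > MAX_LAG_DAYS:
            findings.append(f"stale-os:{rec.os_version} ({lag} days behind baseline)")
    return findings


def screen(inventory):
    """Map device_id -> findings for a whole inventory."""
    return {rec.device_id: check_device(rec) for rec in inventory}


# Constructed sample inventory (three devices, not real data).
SAMPLE_INVENTORY = [
    DeviceRecord("dev-ok", "ios", "11.0.1", date(2017, 6, 1), date(2017, 10, 10),
                 {"com.apple.mobilesafari", "gov.example.securemail"},
                 {"/Applications/Safari.app"}),
    # Stuck on an old OS for months, jailbreak artefact present, unknown
    # monitoring component installed: every check fires.
    DeviceRecord("dev-stuck", "ios", "9.1", date(2017, 6, 1), date(2017, 10, 10),
                 {"com.apple.mobilesafari", "com.constructed.monitor"},
                 {"/Applications/Cydia.app"}),
    # Behind baseline but only for 20 days: inside the tolerance window.
    DeviceRecord("dev-android", "android", "7.1.2", date(2017, 9, 20),
                 date(2017, 10, 10), {"com.android.chrome"}, {"/system/bin/sh"}),
]


if __name__ == "__main__":
    for device_id, findings in screen(SAMPLE_INVENTORY).items():
        status = "COMPLIANT" if not findings else "REVIEW"
        print(f"{device_id}: {status} {findings}")
```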

OTG • October 9, 2017 7:16 PM

"turned his fone into white house tech support... and immediately elevated his privileges."

Proving? Low end adversary, likely both sides.

IMO • October 9, 2017 7:22 PM

Seconds,

In any scenario a true user level software /tap/ wouldn't have been detected considering how much user land would be accessible from root island. Embedding and spring boarding back into a newer firmware isn't that hard maybe the newest ones would be "difficult" to coerce but what's a single bit to a signed update?

Stranger things can happen from root.

Drone • October 9, 2017 11:00 PM

@Nick said: "Amazing that a General in the U.S. military wouldn't have been more concerned about a cell phone not updating software properly."

Nowhere does the article say Gen. Kelly wasn't concerned.

Nowhere does the article say the cell phone was not updating software properly.

Wael • October 10, 2017 1:03 AM

@Drone,

Nowhere does the article say the cell phone was not updating software properly.

The first link says:

Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

Peter A. • October 10, 2017 3:27 AM

@Clive Robinson: "For god's sake don't take a normal work/personal phone across borders, or close enough to a country's border that the phone registers with a network in another country."

Very true. I have read an article in a newspaper recently about Russians hacking into NATO soldiers' smartphones via over-the-border fake base stations. No wonder actually, the interesting part was elsewhere.

The article continued with revelations that foot soldiers were forbidden to carry phones. But they did carry still, concealed. So the commanders, to discourage them from carrying non-approved electronics, randomly ordered them to jump into lakes in full gear. Then it transpired that soldiers still carried their phones, wrapped in condoms. I have no idea if this part of the story is true, but it is soooo human...

Marshall Eubanks • October 10, 2017 7:18 AM

The first time I ever went into a SCIF I got a lecture on cell phones and how insecure they are (you have to hand over everything like that to go in one, lest it be listening in). That was almost 2 decades ago. Wasn't Kelly listening to these lectures? Doesn't the WH have some means of hardening or at least testing the phones senior staff use? Have these people been asleep the last 20 years?

Clive Robinson • October 10, 2017 9:09 AM

@ Peter A.,

Then it transpired that soldiers still carried their phones, wrapped in condoms. I have no idea if this part of the story is true, but it is soooo human...

If you've not been in the British Army, you've probably not seen or heard about some of the things soldiers do with condoms to relieve boredom or keep kit clean. It tends to surprise people.

What many do not know is that the British soldier gets given condoms almost large enough for an elephant. And certainly strong enough to carry half a gallon of water in. The history behind this is a little bit lost in the mists of time but is reputed to have been as a replacement for "The Devils in Skirts" of highland regiments supposedly not wearing under clothing, hence being in modern parlance "in combat mode".

But as a party trick it is not unknown for certain squaddies to put a condom over their head and by using their mouth and nose inflate it to about two feet wide and three to four foot long without it bursting. Or to make "balloon animals" etc with them.

I used to use them to keep the tools in my box dry and stop them rattling when in combat and night patrols where I'd have to go repair kit at forward look out posts etc. I also used to put one over the flash arrester on the rifle (SLR) and hold it in place with black insulating tape. I also used to put the tape over the ejection port of the SLR to keep the dirt out.

Then there was fording rivers, if you put your socks in one they would stay dry, and you could also get them over your feet to have a chance of keeping your feet dry as well...

Squaddies are inventive individuals and it's not been unknown to fill a condom with whisky or similar to drink on exercise.

However... On some patrols it's "leave nothing behind" so you have to bring back your number one's and number two's in your back pack... As I said squaddies are inventive, and what they can do with condoms may surprise most people. About the only thing they don't do with them is use them for "what it says on the packet" ;-)

Bruce Schneier • October 10, 2017 11:41 AM

I am about to delete the various Trump vs. Clinton comments. Take them elsewhere.

phred14 • October 10, 2017 12:38 PM

At the end of the personal history / security ramble is a practical question about company security - but it needs context.

So for an ordinary citizen perspective... I carry my phone with me when I travel, and I don't buy a burner. Nor do I have any access on my phone to anything I consider really secure - that stays at home.

I purchased phones supported by Lineage OS, and load their signed firmware myself. That's the only way I can have confidence in keeping it up to date, because it appears that Android phone makers certainly don't. My old phones were several years old, and one of the first things I did when I got it was install Cyanogenmod. I got the new phones because Cyanogenmod imploded at the end of 2016, and I was getting uncomfortable being out of service.

When I got the new phones, they came pre-installed with Lollipop, and upon powerup the first thing they did was upgrade themselves to Marshmallow. However the Google service date on that Marshmallow was May 2016. My old phones, long out of official service, had a Google service date of November 2016, and another month or so of Cyanogenmod service past that. My new phones currently have a Google service date of Sept 6 2017, with a few weeks of Lineage OS service beyond that. After my wife gets home from her travel, I'll bring both up to date.

Now for the practical corporate question...

It would be handy to have my company ID on my phone. They're going to support "Android at Work" dual-personality within the next month. They require that the phone not be rooted, and I've been careful not to do so, so far. I'm not sure what their position is going to be on my loading my own firmware. I'm probably using the "most vanilla, most stock" current firmware available for the phone. I have this ugly feeling that they're not going to like it - that they'd rather I be running 18 month old Marshmallow that's still susceptible to BlueBorne, wifi takeover, and all of that stuff that are patched on my phone.

Any comments on corporate preferences for stock, or how I can convince them that I'm more secure than stock?

Lets touch the actual ground • October 10, 2017 12:55 PM

At risk of re-basting the turkey, I was not and am not trying to be overtly DNC vs RNC.
I agree that is unproductive and belongs elsewhere.

Some people would like to pretend for political purposes that Russian blackhat groups either don't exist or are part of some grand conspiracy by the "MSM" and "Obummer" etc to discredit Trump's election victory. They want to pretend nothing printed can be true.

I think there is a real effort by these people to disingenuously challenge FACTS.
We really can't have a very productive discussion with that kind of FUD injected.

Bruce's use of "tapped" is the EXACT SAME as Trump's use of "tapped" and whether or not we're dealing with spliced POTS lines or unsecured AP's, the concept is the same.
Exactly the same, and everyone knows what these words mean. Yes, even you Sancho.

It's disingenuous to suggest that is confusing or intentionally inaccurate, and then to try to use that to throw doubt-balls at the PUBLISHED AND VETTED FACT THAT IT HAPPENED and citing as evidence "Oh, the MSM of course" without anything behind it? It's absurd.

We don't have to go deep into the left/right political side of things, that's unproductive and nobody is ever moved by that. What we HAVE TO do in my view is hold up to the light those things that are being challenged, scrutinize them, find the value and excise the falsehoods.

To that end : General Kelly's phone was compromised since December. He's the "gatekeeper" to the POTUS, he handles who gets to see him and what he reads.

These are facts. One can have contrarian opinions, but not a contrary reality.
Where this discussion goes from here is hopefully much less mundane and repetitive.

r • October 10, 2017 1:06 PM

I do get the feeling this is considerably more mundane than your average Monday.

Over hyped == "tapped"

?

Sancho_P • October 10, 2017 1:12 PM

@R_Ante, re security in the WH (or: How to keep the nation insecure)

Thanks, exactly what I meant.
But is it evidence that the NSA doesn’t want the WH to be really secure?
Encrypted com devices with secure NOBUS backdoor, a fiction they demand only from COTS industry?

Encrypted and really secure devices aren’t an option because also Putin couldn’t tap them?
GBA!

Hmm • October 10, 2017 1:24 PM

@phred14

All of those are good practices.

What do you do if replacement screens for your phone h/w have h/w backdoors installed?
What do you do if the entire hardware procurement chain isn't as secure as you are?

http://www.telegraph.co.uk/technology/2017/08/21/hackers-can-take-control-smashed-android-phones-using-replacement/

https://arstechnica.com/information-technology/2017/08/a-repair-shop-could-completely-hack-your-phone-and-you-wouldnt-know-it/

Is there even a single phone that is 100% securely sourced? Best practices are best, but they ultimately all fail completely if even one loose link in the entire chain fails.

So maybe instead of trying to secure and privatize that which is by definition made to touch the public world and be accessible and has laws mandating it to be searched, is it at all possible to have some such paradigm shift where we could NOT store this important mission/life critical data on PHONES?

Drone • October 10, 2017 1:50 PM

@Wael, You are right - I stand corrected. Thank You...

The first link says:

Tech support staff discovered the suspected breach after Kelly turned his phone in to White House tech support this summer complaining that it wasn’t working or updating software properly.

Wael • October 10, 2017 1:55 PM

@Drone,

No worries. It happens to me all the time; you’re such a sport! We’re all in the same boat, and we’re all seasick.

Tired of this crap • October 10, 2017 2:29 PM

This is not about Trump, Clinton, Russians or whatever current event or boogieman some of you are tying this to.

This is about the government being stupid with computers by prioritizing convenience over security. How hard is that to get? It's like you can't mention anything about politics these days without the idiots warming up their keyboards with blaming Trump, Clinton, Russia, North Korea, Feminists, Video Gamers, the KKK, a poorly-drawn cartoon frog or $CURRENT_BOOGIEMAN for whatever $CURRENT_EVENT is set to. Ugh, it gives me a headache.

Better infosec policy could have prevented this, no matter what president is in the white house, no matter what party said president belongs to, and no matter how crafty 'dem reds are 'dese days. Just stop treating high-ranking generals like VIPs who are above having their phones regularly searched, scanned, validated, updated, replaced, pentested, etc. In fact, submit them to these hassles and inconveniences more often, for the very reason that they are VIPs, and therefore are high-priority targets who would be more likely to be compromised. Can't someone explain these concepts to the politicians, slowly and with picture books if necessary, so they understand the importance of these pain-in-the-butt procedures? Just make some rules and enforce them. No, you have to use computers this way now, or you're fired. Simple as that. Hey, chalk one up for job creation, right? I'm sure tons of us who post here wouldn't mind following some sane, respectable security procedures for a sweet government paycheck.

This has been a problem long before Donald Trump became president, long before Clinton's email server got exploited, long before Snowden and Manning made their respective leaks. So please, to those of you who keep grinding this dull axe, I beg you once more, stop herping derps about Trump and Russia and blah blah blah, because your lack of age and experience in this world is showing. Badly.

Bottom line is, if anyone compromised Kelly's phone, that's a problem. Doesn't matter who did it, why they did it or what country it was done from/for. Doesn't matter who Kelly salutes as his commander-in-chief. The. Phone. Was. Compromised. Which means, theoretically, anyone could have done it. Oh sure, it could've been a Russian diplomat who installed spyware on his phone... or one of his coworkers within the U.S. government, or a domestic servant (maid/housekeeper/etc.), or whatever "genius" who recently serviced his phone at the Apple store, or his wife, or her private investigator. The point is that the door was open and someone walked in. THIS IS THE PROBLEM. Clear enough?

Someone should have caught this and it's stupid that they didn't. I'd like to think the rest of the world's governments are laughing, but they're probably bricking instead, wondering how many of their own this sort of thing happened to, because I doubt policies are much better anywhere else.

LockdownOctober 10, 2017 2:31 PM

https://motherboard.vice.com/en_us/article/wjx3e4/t-mobile-website-allowed-hackers-to-access-your-account-data-with-just-your-phone-number

"Until last week, a bug on a T-Mobile website let hackers access personal data such as email address, a customer's T-Mobile account number, and the phone's IMSI, a standardized unique number that identifies subscribers. On Friday, a day after Motherboard asked T-Mobile about the issue, the company fixed the bug. The flaw, which was discovered by security researcher Karan Saini, allowed malicious hackers who knew -- or guessed -- your phone number to obtain data that could've been used for social engineering attacks, or perhaps even to hijack victims' numbers. "T-Mobile has 76 million customers, and an attacker could have run a script to scrape the data (email, name, billing account number, IMSI number, other numbers under the same account which are usually family members) from all 76 million of these customers to create a searchable database with accurate and up-to-date information of all users," Saini, who is the founder of startup Secure7, told Motherboard in an online chat. "That would effectively be classified as a very critical data breach, making every T-Mobile cell phone owner a victim," he added." /. summary.

Begs the question, what cell network provider do these people use for their unsecured private phones anyway?

P and NPOctober 10, 2017 2:43 PM

@ Tired of crap

Yes, we're all tired of the crap.

It's actually a standard tactic for those trying to obfuscate from provable things to use other unproven allegations and present them as if they have equal weight and validity.

However, IIRC we had about 2~ years of very public hearings and public shaming of HRC's valid security failures. That was a major talking point that dominated all discussions. Her secret server and cell phones we all collectively agreed was unacceptable, right?

So, you would THINK the people raising that and shaking that tree to death wouldn't directly repeat the EXACT SAME MISTAKE VERBATIM within months of it, right?

I fully agree it's apolitical, but the climate here is leaning toward completely unaccountable while throwing accusatory fingers and chanting for prison time.

Facts :

Russia (and others) hack and did in fact hack to influence the election or attempt to.
HRC and DJT and others have used insecure practices that are technically illegal.
HRC's transgressions were brought to light in a public high-profile way, hearings.
The same cannot be said of "fair and balanced" folks who did the exact same things.

If we're going to present things as equals let's weigh them appropriately.

And let's not lump all conspiracy theories with all valid accusations either.
That serves no purpose except obfuscation.

Why would it not matter?October 10, 2017 11:37 PM

"Doesn't matter who did it, why they did it or what country it was done from/for."

Doesn't it? Think about that for half a second.

To know who was behind hacking the CHIEF OF STAFF OF THE EXECUTIVE BRANCH for weeks to months during the rest of this hacking/disinformation/blackmail(?) campaign, you think it is unnecessary to even inquire into? Do you really?

It's up there with the passive listening device in that wooden carved trojan-seal.
If it was actually Russian intel on the other end of his phone, that's a major coup.
-Or a massive self-inflicted security failure, depending on which side you're on.

Everywhere Kelly goes, everything he says is a national security concern.
Anything he overhears. Anything mic/speakers can transmit in ultrasound.

Phone was first noticed to have been "odd" in December 2016.
Presumably nobody takes this phone from him as he went about.
He decides who does that or not.

Specific to this case, with what we know of the Trump admin's secret extensive contacts with Russian interested parties that they just_keep_forgetting_about_somehow, even including allowing unscreened personnel into the Oval Office and only copping to it when a photo was made public against their wishes at the request of V. Putin... https://www.usatoday.com/story/news/2017/05/11/russians-fail-disclose-its-official-photographer-works-tass-news-agency/101543498/

It does actually matter who had an ear in John Kelly's pocket the whole time.

Clive RobinsonOctober 11, 2017 8:53 AM

@ Why would...,

Doesn't it? Think about that for half a second.

I think you may have a different point of perspective to others here.

Your perspective is about the effects of a single instance event, whilst most here are looking at the cause that would give rise to any number of such events.

Hence the point of,

    Doesn't matter who did it, why they did it or what country it was done from/for

is a perfectly logical security viewpoint, when considering the cause and how to stop it in future, rather than the ramifications of this singular event, which is more political in nature.

amygdala highjackingOctober 11, 2017 9:50 AM

@ Tired of crap
I totally agree with you! I too am tired of the "wedge issues" drum constantly being pounded. All governments play this game including ours. We act shocked when we hear they are successful. The only shock should be they got caught.

Real security professionals will see constant bombardment from all the global players. China doesn't even bother to hide it anymore.

Instead of falling prey to all the social engineering political talking points, we should be working to keep all APT out. Next time you hear a political party telling you about the boogie man look up "amygdala highjacking". Then calm down and get back to work.

Dan HOctober 11, 2017 10:35 AM

Hillaryous Clinton refused to use a State-issued phone and preferred to purchase hers off-the-shelf. It was also assumed by the NSA she was hacked on her first Asian trip as SoS.

She even received a scathing memorandum once from State Diplomatic Security regarding her practices, to which she replied "I get it" and then continued on as usual.

But this is what foreign intelligence services are supposed to do, hence all government officials need to use secure communications at all times.

Foisted @ PetardOctober 11, 2017 11:22 AM

Colin Powell, Jeb Bush, a slew of literally hundreds of folks did the same exact thing.

That's why HRC wasn't prosecuted, because the precedent had been set already that they weren't going to go heavy book throwing at this offense - and because of the equal protection under the law they couldn't justify suddenly starting to do so.

But my point was that even after 2~ years of hearings, public finger wagging and constant media attention (that NOBODY CALLED FAKE NEWS, mind you), HRC had been quite thoroughly investigated - to the point that it was (intentionally) dragged right up to the election itself, and she was damaged by the ongoing focus without question. I think rightly so.

Now that's the past, that political lesson is freshly inked, but the very people who lead the chants of "lock her up" are committing the exact same offenses once again as if none of it ever happened. Isn't that a little odd? And instead of calling for hearings ad nauseam and drilling down through every possible recipient and exploring every possible angle as they did before, trying to calculate the potential damage? It's like some want to pretend it's legal when they do it, like HRC tried to do.

So without going "more" political about a political issue, if there's anyone with a shred of contiguous spinal growth who wants to hold people accountable equally on an ongoing basis for things they've found serious and pressing in the recent past, I'd sure love to hear some chanting or at least some acknowledgement of the similarities.

But I won't hold my breath for "fair and balanced" accountability. I'm old enough to know better than to expect that from the crowd in question.

Foisted @ PetardOctober 11, 2017 11:36 AM

@ amygdala

To be fair, the conclusion of the 17 US intel agencies is distinct in both evident rigor and tone from any "wedge issue" being pushed by "social engineering talking points."

Russia hacked our electoral districts, paid for fake ads to spread disinformation, specifically targeted and invested in swing states where their illegal actions had the most possible effect, hacked into the emails of both campaigns and decided to disseminate information from one of the two, and has long-lasting business ties with one of two campaigns (including the former chairman, now under indictment) which have been completely denied without a shred of credulity by the current administration.

If the shoe were on the other foot, people would be crying bloody murder.

It's funny that you should bring up China as if they have a comparable effort in undermining the free and fair election process, but that has not happened. Not even the red herring factory that is Fox News is pretending that's an equal comparison.

The only reason I think you would bring that up is to run distraction for the Kremlin's successful capture of the sitting American President. That's what we have now.

It's not a "political wedge issue" in a R vs D sense, because Trump has undermined both.
Pretending it's all fake news is for kowtowing morons, pardon my French. You'll note I used nicer language than the Secretary of State did.

phred14October 11, 2017 11:41 AM

@Hmm - I'm aware of the hardware hack possibilities. I haven't had to make that decision yet - to repair or replace.

I'm also aware that there is code in the SIM, probably a completely separate baseband firmware that's completely opaque, and no doubt a bunch of binary blobs. It's a rabbit-hole, and if you dive down it, there's no telling how deep it will go or how much time it will take.

So I go back to the old joke about the two guys and the grizzly. One guy says to the other, "I don't have to run faster than the grizzly, I just have to run faster than you."

From a security point of view, it's an interesting position on a spectrum. Too easy and you're trivially owned. Too hard and you become "interesting", a target just because you're suspiciously hard. I'm sure it's also possible to be hard while appearing easy, and I've done a bit of that myself. (reject packets with tcp-reset)

So I try to be considerably harder than average, but not suspiciously hard. No custom code on my phone, just what I consider to be very good firmware, well updated. I'm trying to keep it un-rooted, because while rooting may be convenient for me, it also increases my attack surface.

None of my banking is on my phone, nothing that can reach into my finances. At the same time, I'd like to (but don't yet) have things like PayPal or maybe Android Pay for convenience, as long as they require me to push from my bank, and can't pull from it.

I believe there are reasonable points along the spectrum, and hope that bad guys will simply go for someone easier than me, and there's no supply shortage.

amygdala highjackingOctober 11, 2017 1:04 PM

@Foisted
I believe you're missing the point. Yes the Russians tried to influence the election just as US does.

The US overthrows governments like Iraq and Libya. The US gets involved in campaigns like in Israel, France and Germany. It is how the world works, so get off your soap box and realize that the US internal noise is just each party looking for power through votes. Political parties hire a lot of social scientists to dive through their databases built from data mining companies to put out talking points. They even brag about their data scientists. They know the process works because of people like you that hear it on whatever news channel you listen to and repeat it. Fox News, CNN, MSNBC etc...

And don't just assume because I'm calling you out for just regurgitating talking points I'm a fan of one party or the other.

ModeratorOctober 11, 2017 2:06 PM

@Foisted, you've made your point re HRC; please take further discussion of the subject elsewhere. Also, please don't keep changing your handle from one comment to the next on a single discussion thread. Other visitors deserve to know whether they are talking to one person or many.

Soapboxes = democracyOctober 11, 2017 2:32 PM

@amygdala

"The US overthrows governments like Iraq and Libya."

France led the charge on Libya but you digress... Iraq definitely, twice, both times based on known lies. Afghanistan. Iran. Vietnam. Grenada. Panama. Mexico. Honduras. Nicaragua. Cambodia. Thailand. Indonesia. Dominica / Haiti both. Cuba attempted too of course, with little success. I'm forgetting a bunch. Hawaii.

Nobody say Puerto Rico, the President's "men" will accuse me of "talking points"...

I think comparing the US to other national empires in the modern era is actually kind of missing the larger point - we're definitely the boogeyman - with China as the runner up in all likelihood. Putin is happy enough to be a fat #3's living King.

That doesn't mean he can't screw us up pretty good meanwhile, from that asymmetric position of defensive strength. He IS the dictator Trump wishes he could be, unconstrained. The problem is Trump is importing that here, attempting to.

Literally it is an international effort towards unaccountable fascism under the guise of nationalism and "the way it used to be." These people are morons. I hope they are the first to die in their wars and no one remembers their names. But they never fight themselves, they blame bone spurs and get 5 deferments. Young Dick Cheney.

"calling you out for just regurgitating talking points"

Are those talking points? Go ahead and show me the link to anyone saying what I said.
No rush, take your time. Flesh that accusation out. I'll wait. I'll be here.


"It is how the world works, so get off your soap box and realize that the US internal noise is just each party looking for power through votes. Political parties hire a lot of social scientists to dive through their databases built from data mining companies to put out talking points. They even brag about their data scientists. They know the process works because of people like you that hear it on whatever news channel you listen to and repeat it. Fox News, CNN, MSNBC etc.."


I'm absolutely for rigor in media. Call out a lie, prove it, excise it.
I don't trust any single source of information and rarely are there only 2.

-- But if you can PROVE these sources are lying, DO SO NOW. --

And if you equate "the media" to the collective assessment of the 17 US intelligence agencies, *(yes, some will say only 4 actually had their own investigations, the point stands as all agree) then you're dismissing both the state and the 4th pillar.
That tells me you're not much a believer in a free democratic republic.

The valid bipartisan effort towards free and fair elections was undermined entirely by the W. Bush appointee to the SCOTUS, Chief Justice Roberts, in his frankly unprecedented Citizens United decision, which verily equated free speech of individuals with the rights of MULTINATIONAL CORPORATIONS to dump money into ANY election operations.

Some heroes have tried to overturn this disaster, John McCain probably one of the most prominent of them on the Republican side, and he has my 100% support on that.

Serve and protect the Constitution. That oath outweighs ANY chain of command du jour.

The ultimate threat to our system is that we lose faith in it and give up on regulating it internally. Not Putin, not China, not NK. We are failing ourselves by allowing liars to take control of our massive enterprise and use it against its charter.

Again and again, Amen. Wave the flag and start over. It's time to call it out.

I know there are people who can and will agree on many common sense low-level points despite their political idealist differences. Well, you need to do your part folks.

You need to be the one ON THE SOAPBOX, who dares his fellows to take it and do better.
Well the soapbox is yours, welcome to free speech - Cheers to Bruce for the forum.

I don't think I'm quoting anyone. You tell me, you show me.

Handle_XOctober 11, 2017 2:36 PM


@Bruce

You're right it's not fair to change the name, I didn't think about that aspect.
I'll try to remember this handle, I apologize for not using my full given name.

I'll try not to harp on the R vs D, I really am trying to avoid "that" itself.
A few years ago I was criticizing the other side when they were in office.

I know, I'm not trying to devolve your forum. I respect the tolerance and limits.

ModeratorOctober 11, 2017 3:21 PM

@Handle_X, you don't need to use your full given name, or any part of it, if you don't want to.

Inside Threat ModelOctober 12, 2017 12:41 AM

It is interesting to see how many breaches are coming to light. Except the Imran Awan breach. No-one on the right side of history wants to talk about Awan, right?

handle_zzzOctober 12, 2017 5:49 AM


"No-one on the right side of history wants to talk about Awan, right?"

Per her explanation/excuse, Schultz kept him on to keep him visible to investigators and not trigger him to cover his tracks. It's another situation where we don't know.

She isn't trustworthy beyond her throwable measure, as my personal standard, but you can be sure that people were looking at Awan very, very closely afterward. Sometimes in their calculus you let a fish get away to catch a whale. The public hears about the whale.

Best case.

Inside Threat ModelOctober 12, 2017 8:03 AM

@Handle_zzz
DWS threatened Capitol Police with consequences in order to protect Awan. There is a recording of the threats being directed at Verderosa by DWS floating around the propaganda site formerly known as YouTube.

It seems like an overt attempt to protect Awan and indirectly the politicals in cahoots with his ops team. Just like the silence from usually verbose breach commentators.

handle_xOctober 12, 2017 2:47 PM

"It seems like an overt attempt to protect Awan and indirectly the politicals in cahoots with his ops team."

DWS did attempt that, I don't think anyone is arguing that point. The motive and rationale behind defending the staffer can be seen as self-serving, but the supplied narrative is that the FBI had told her to keep him on for monitoring in situ. She wasn't thrown in prison for perjury or obstruction (yet) so I imagine that washed for now. I don't know what is true in this case.

I do see she got fired from that position. That's a level of accountability higher than we're seeing from people caught in "unseemly behavior" these days, though you're right there does need to be an investigation with teeth and people should go to prison if warranted by law. No exceptions, no party shielding.

*(How did we go back in time to be talking about DWS again? Is she in the news now?
I think everyone realizes she was in the tank for HRC and abused her position...)

But we're not seeing that accountability you wanted and called for. We see a Republican Congress willing to allow someone to FLAUNT THE LAW, FLAUNT THE CONSTITUTION on major obvious points that haven't been seen in the modern American era.

It's far beyond unsafe email handling or illegal cell phone use, far beyond giving up the questions ahead of a debate to a favored candidate, it's beyond even the leaking of sensitive or classified documents or details. We're way beyond any of that now.
We're talking about literal treason, graft, blackmail, obstruction of justice... and the 25th Amendment being used potentially to remove an insane person's hand from a button.

But sure, DWS should face an investigation. Absolutely. Get in line for that.


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.