
Trump’s cell phone use is security “nightmare” waiting to happen, lawmakers say - EleneShubladze
https://arstechnica.com/tech-policy/2018/04/trumps-cell-phone-use-is-security-nightmare-waiting-to-happen-lawmakers-say/
======
twblalock
I see this, as well as Hillary Clinton's use of a personal email server, as a
manifestation of a problem with the way we do security: when IT security
restrictions are a pain in the butt to comply with, people are going to try to
get around them.

A trivial example: IT requires users to change their passwords every N days.
So users start with "password", and when they are required to change it, they
use "password1", then "password2", and so on.

A non-trivial example: someone in a high government position is told they have
to use a crappy, outdated, locked-down Blackberry device to access their
official email, so they start using a personal email account or a personal
phone for official business.

Security doesn't work if it's hard to use, because people will find a way
around it, and some of those people will have enough power that you can't
force them to comply.
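The rotation pattern described above ("password", "password1", "password2") is cheap to catch at change time. As an added example that is not part of the thread, the Python check below (hypothetical helper names) rejects a candidate that differs from a previous password only by case or a trailing counter/suffix:

```python
import re
from typing import Iterable

# Trailing counters and suffixes users bump on each forced rotation:
# "1", "2", "!", "2024!" and similar.
_SUFFIX = re.compile(r"[\d!@#$%^&*._-]+$")


def stem(password: str) -> str:
    """Lower-case the password and drop its trailing counter/suffix.
    'Password2!' -> 'password'; an all-digit password stems to ''."""
    return _SUFFIX.sub("", password).lower()


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only case or a trailing suffix changed."""
    if old == new:
        return True
    old_stem, new_stem = stem(old), stem(new)
    if not old_stem or not new_stem:
        # Nothing left after stripping (e.g. all digits): only an exact
        # match counts, so '1234' -> '5678' is not flagged by this rule.
        return False
    return old_stem == new_stem


def violates_history(history: Iterable[str], candidate: str) -> bool:
    """Reject `candidate` if it is a trivial rotation of any earlier password.
    Stored passwords are hashed, so in practice `history` is the current
    plaintext the user supplies during the change; run the check then."""
    return any(is_trivial_rotation(prev, candidate) for prev in history)
```

The check only closes the increment-the-counter loophole; it does not make periodic rotation a good policy, which is the commenter's actual point.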

~~~
Lionsion
> as well as Hillary Clinton's use of a personal email server, as a
> manifestation of a problem with the way we do security: when IT security
> restrictions are a pain in the butt to comply with, people are going to try
> to get around them.

Wasn't that more of an effort to get around government records-retention and
transparency laws than an attempt to get around annoying and onerous security
requirements?

~~~
pasbesoin
My reading, at the time, led me to believe it was primarily a matter of access
and facility, for Clinton. She wanted her email "her way", and State technical
resources -- perhaps also dependent on cross-agency resources -- could not
easily nor readily make it happen.

So, she had one of her own staffers take it rogue, with this server
deployment.

Like a lot of senior executives, Hillary Clinton seems to have a pretty big
ego and a commensurate attitude that she knows what she's doing.

In a larger context, something that really bothers me about all this: The
Chelsea Manning problem arrived around the start of her tenure at State.
State, the President and administration, pretty much all the powers that be
were outraged over this event.

Again, from my reading, I gathered that the system these data were in was
fundamentally deficient with respect to the security needs that were outlined.
Basically, two levels of access, with no compartmentalization nor, IIRC,
active auditing -- perhaps not much of any auditing or audit trail at all.

Clinton was head of State for the better part of eight years. They remained
outraged at Manning and never ceased their push for punitive action.

But she very apparently never tackled and fixed the systems deficiencies that
allowed the problem, in the first place.

As her campaign proceeded, I read numerous stories about its fundamental
disorganization and corresponding dysfunction.

To speak politically for a moment, I'd take this in a second compared to the
malicious disaster that is Trump and his crony clown car of an administration.

But neither did she acknowledge, accept responsibility for, and actually work
to fix the very tools her and State's work are now founded upon.

Go back twenty years. The intelligence services had a better scoped
information collection and analysis system that showed real promise, while
also better respecting privacy. Thin Thread.

Dick Cheney gets into the VP seat, and he wants to steer as much business as
possible to his cronies. Thin Thread gets shut down, and in its place we end
up with various proposals and tweaked formulations for what is called -- I
can't remember the program names, right now -- "total situational awareness".
That drowns in its own inefficiency, imprecision, and over-collection.

And in the gap, we also get 9/11 and a misleading if not disingenuous ramp-up
to a multi-front war on the other side of the globe.

These people don't care about good, proper systems. They and their agendas
vary; nonetheless, their agenda always takes primacy. And, invariably, the
shortcuts or biased choices they force through end up costing, down the line.

~~~
manicdee
“These people” such as Hillary, Bush, Cheney, usually started off a mail
service outside the White House to get their campaigns organised. Over time
their entire entourage ends up using that mail server.

Then they get into Government and we expect them to transplant their entire
support network into the new environment. That is not going to happen.

What is needed is for the mail server that someone starts up to support their
campaign to be secure by default, with White House-level security made easier
than not using it at all.

The hard part is getting people to use S/MIME certificates so that messages
are encrypted end to end and you never have to quarantine cleartext on your
cloud service.

Surely there is an entrepreneur in the HN crowd ready to take this on?

------
coding123
Oh my if that's a "nightmare" then what is the rest of what is going on
considered?

~~~
craftyguy
I think that died when people realized that email is inherently insecure
unless you jump through a LOT of hoops (e.g. pgp)

------
akhilcacharya
I remember when email security was a top concern to folks.

~~~
neo4sure
Well, what happened? Aren't we concerned about classified info being hacked?

~~~
akhilcacharya
It can't get hacked by our adversaries if we just tell them when they visit
the oval office!

------
comboy
Oh I don't think it's waiting.

~~~
travmatt
Yea, seriously.

> or the fortuity of foreign agencies not knowing his personal cell number

I find it incredibly difficult to believe that professional intelligence
services don’t have his cell phone number already.

------
osrec
I'm not the most clued up on US politics, but is it his personal phone? If it
is, this could give rise to a situation not dissimilar to the one caused by
Hillary Clinton's private email server!

~~~
cvwright
Only if he's illegally conducting official business on it.

------
patrickg_zill
Thought: it would be possible to make the phone reasonably secure by having
one of the SS agents (who are always around him) carry a secured WiFi access
point, which the phone connects to (and it doesn't connect to anything else).

Then the access point is VPN-ed and firewalled back to an endpoint that is
secured, from which phone calls are then connected directly to e.g. Verizon /
ATT / Level3 for termination to the dialed number.

i.e. the network topology is

TrumpPhone <--> WifiAP <--> VPN <--> Secured endpoint <--> telco/bandwidth.

More security could be added by e.g. configuring a virtual phone number which
lives "on the switch" then forwards to a securitized softphone. This would
mean that the phone number attached to a physical phone would never be used;
and multiple phones configured identically could be set up ahead of time,
audited, upgraded, etc.

------
forapurpose
A hypothesis: There are idea bubbles, just like there are financial bubbles.
In fact, arguably a financial bubble is just one application of an idea bubble -
for example, 'real estate always goes up'; 'tulips are worth more than gold',
'crypto-currency doesn't need regulation', etc. That is, the evidence for idea
bubbles seems obvious: they are widely known in finance, technology (hot
trends, etc.), angry mobs, and elsewhere. I'm just classifying them as a way
of thinking about them.

More specifically, I hypothesize that there is a bubble right now in political
thinking: It doesn't matter what evil, incompetent, or highly risky things we
do, as long as our side 'wins' in the immediate term. We can safely ignore the
longer term consequences. A successful businessperson who relies heavily on
international trade told me recently: 'Trump is vile, but I voted for him and
I'd vote for him again - because I'm a businessperson and business is good.'
In that statement they believe there is a problem but choose to ignore its
consequences, even the ones that will directly affect their business (e.g.,
trade problems).

And that property seems to apply to all idea bubbles in all areas: Ignore the
consequences. I can see how bubbles work up close: The mechanism seems to be
that when everyone joins the bubble, 1) it's exciting and engaging, and 2)
nobody is making us think about the consequences; the social pressure to
exercise judgment and behave is gone, because nobody will judge you for it.
The parents are gone - let's party! Pick up your pitchforks and torches! This
is gonna be Awesome!!!

_Reality is that which, when you stop believing in it, doesn't go away._ -
Philip K. Dick[0]

[0] Attributed; I don't have time to find the source.

------
WhompingWindows
> Last year, Trump reportedly had an iPhone with just one app on it: Twitter.

Can someone with more knowledge explain how this is a security nightmare? If
he's not using it for email, if it's just for him posting his opinions onto
Twitter, I'm not sure I follow why it's so bad?

~~~
maltalex
It’s a smart device with known (and unknown) vulnerabilities that’s always
near the president. It probably has a browser, a camera, gps, and a microphone
and it is always connected to Apple’s cloud. It’s a large attack surface if
you’re a nation state. Oh, it’s also a phone. It makes un-encrypted calls, and
is capable of sending and receiving messages.

~~~
sli
I thought it was determined (well, alleged, with data) that Trump uses an
Android device[1]. Has that changed?

[1]: [http://varianceexplained.org/r/trump-tweets/](http://varianceexplained.org/r/trump-tweets/)

------
DoreenMichele
Headline is misleading. It should say _smart phone use_, not _cell phone
use_. A lot of this is about his use of the internet via his phone, not about
voice calls per se. The ability to pull a phone out of your pocket and call
someone, almost any time, any where, is just another layer of the issue. But
his use of twitter would be problematic even if it was all done from a PC.

When I had a job at an insurance company, where we had to comply with HIPAA et
al, most people in the department hated making phone calls. I was there a
fairly long time before I got any training on handling phone calls.

Phone calls themselves are an information security nightmare waiting to happen
in part because it is a live conversation. It is hard enough to write a letter
that is HIPAA compliant. Certain kinds of letters, like those advising
customers of a HIPAA breach related to their policy, had to be written using a
form letter and then reviewed by the legal department to make sure it was in
compliance and this all went through your boss.

In the claims department, it was common for people to speak colloquially of
'paying claims' because most claims were paid, not denied. But the correct
term is _processing claims._ I had a coworker get in trouble because she
called a customer, said something like "We need this information so we can pay
your claim" (instead of saying "so we can process your claim") and then the
claim was actually denied.

President Reagan helped bring the presidency into the video age. He was a
former actor and was constantly aware of surroundings and what was in the
background behind him, what was framing his image. This changed the way the
presidency was portrayed in visual media, both pictures and film. If you go
look at presidential images preceding his administration and those following
it, they are dramatically different.

My impression is that Trump made a concerted effort to go where the people
were and adopt the channels of communication they used, including twitter. It
wasn't his thing, personally. No surprise that he has no clue what he is
doing.

Perhaps this is the presidency where we need to figure out how the president
uses the internet and social media. Perhaps they need to develop some
protocols around it. I don't believe there are previously established good
protocols.

This is another venue for communicating with the people. Hopefully we won't
throw out the baby with the bath water in trying to resolve the issues this
presents.

------
everdev
Agreed, but didn't Obama use his famously during his presidency?

~~~
gizmo385
I think it's quite the opposite. He (reportedly [1]) didn't have a smartphone
until 2016, and it was pretty locked down.

[1] [http://fortune.com/2016/06/10/president-obamas-new-smartphon...](http://fortune.com/2016/06/10/president-obamas-new-smartphone-is-more-like-a-toddler-phone/)

~~~
everdev
I remember when he got elected in 08 he didn't want to give up his
"Crackberry"

~~~
asdsa5325
They made sure his BlackBerry was secure. There were no security problems with
him using it.

------
pbreit
This is such a yawner. Everything about Trump is a disaster or a nightmare or
incompetent, blah, blah blah. (Hillary had a barely secured email server in
her closet!!)

And here we are, decent economy, relative peace, no collusion, functioning
government. Trump may be unconventional but there's nothing wrong with that
(in fact many, including detractors, praise that quality) and it seems to be
working OK so far.

Disclaimer: I loathe Trump but believe the criticism he gets is frequently
unwarranted.

~~~
krageon
Didn't he recently just wake up and decide to fire some rockets on Syria? You
call that relative peace?

Why are you trying to downplay how incompetent one president is by
highlighting another candidate? Maybe it is true that they would both have
been relatively incompetent, but that is not the point being made here. The
example you're giving also does not serve to put things in perspective, as it
is also an egregious offense.

~~~
pbreit
I was going to say peace but qualified it with relative. The Syria thing is
pretty minor war-wise, imo.

I only threw in the "Hillary email" thing because the subject is
communications security.

