1. sfor13thlegion's Avatar
    Maybe but you have 600million ppl that will believe it. Also, if in fact it is true I would love for BlackBerry to offer a bbm protected package with secusmart integration for 10-20$/yr I bet 2-3million bbm users would pay for that you're looking at 20-60mil/yr in bbm rev just from consumers. They need top line growth.
    I'd buy two licences at 15 bucks a year for bbm protected. I'd do it in a heartbeat, without a second thought.

    Posted via CB10
    11-20-14 05:57 PM
  2. mornhavon's Avatar
    The post I was responding to was deleted, so I'll delete my content as well.
    11-20-14 06:05 PM
  3. Ment's Avatar
    Man, there are a lot of people who love to argue for the sake of arguing. :-)

    I'm going to say it one more time. Hopefully it sinks in.

    Perhaps the reason why BlackBerry does have a back door is specifically by design ... to accommodate auditing at the enterprise level; and to accommodate country specific laws when court cases arise at a consumer level.

    and

    Even though WhatsApp has end-to-end encryption and claims they have "no back door", they may be operating in violation of local laws for circumstances like a court injunction; or they do have another means of solving the problem which means there is a way of extracting the information when a court injunction arrives.

    Perhaps I'm wrong and this is simply a case of BBM having flawed security and falling behind. But perhaps there's also a reason for it.

    And maybe WhatsApp became the king of distribution for kiddie porn on a global basis.
    The bad guys will use encryption is the same argument the US government is using crying that default encryption for phones is going to kill children. Also the same argument for any tech to which governments want unfettered access: bad guys will use burners so let's scoop up all the mobile data.

    If BB has global keys so they can play nice for government contracts and doesn't tell us via transparency reports how often they get accessed that's on them. As a consumer with a choice I'll use end-to-end and call on BB to do the same.

    If India wants to ban WhatsApp and prosecute individuals because they use the app then it's up to the individual citizen there if they want to risk flouting the law not on BB to make end-to-end not part of the app. Doubt they'll have much success. It's legal here and I'll take advantage of it.
    11-20-14 06:15 PM
  4. RubberChicken76's Avatar
    Actually, I deleted this post, because one below when I was writing this answered the question I had. But the point at the top still stands. Some people like to argue for the sake of it. :-)

    The bad guys will use encryption is the same argument the US government is using crying that default encryption for phones is going to kill children. Also the same argument for any tech to which governments want unfettered access: bad guys will use burners so let's scoop up all the mobile data.
    I'm not arguing for or against government intervention here. Just saying there are laws that exist. I didn't make 'em. Only pointing out it's a factor today.


    If BB has global keys so they can play nice for government contracts and doesn't tell us via transparency reports how often they get accessed that's on them. As a consumer with a choice I'll use end-to-end and call on BB to do the same.
    Sure.
    11-20-14 07:16 PM
  5. mornhavon's Avatar
    Before you suggest that WhatsApp uses weak encryption or has planted weaknesses to make it easy to decrypt, I should say that the TextSecure system seems to be quite robust.
    You're making an argument where there isn't one from me. I'm sure WhatsApp is quite secure.
    The only way that WhatsApp would be able to provide message contents that had been encrypted end-to-end, lawful request or not, would be if there were encryption weaknesses (or a "back door" as you've referred to it, since a traditional back door wouldn't do anything to assist in decrypting end-to-end encryption). I interpreted your comments below as being uncertain that Whatsapp was "quite secure" in that respect. I'm not trying to argue, just explaining my rationale.
    Not unless WhatsApp does have secret lawful access features to solve the problems mentioned in this thread.
    ...
    Maybe the answer is, "There is a secret back door and you need a court order to access it"
    Even though WhatsApp has end-to-end encryption and claims they have "no back door"
    I'm not arguing for or against government intervention here. Just saying there are laws that exist. I didn't make 'em. Only pointing out it's a factor today.
    Can you point to any laws in countries where these tech companies operate that make end-to-end encryption illegal? Some less-than-freedom-loving countries may block a service if they can't decrypt it, but I'm not aware of any country with jurisdiction over major messaging clients that have laws forbidding it. "We can't provide what we don't have" is a legitimate response. Besides, countries that ban strong encryption are the same countries where users need it the most :-)
    Last edited by mornhavon; 11-20-14 at 08:49 PM.
    11-20-14 08:30 PM
  6. RubberChicken76's Avatar
    I'm not trying to argue, just explaining my rationale.
    Ahh - I see. Thank you for clarifying. This is a very interesting topic, I must confess.




    Can you point to any laws in countries where these tech companies operate that make end-to-end encryption illegal?
    I'm not sure this qualifies by your definition as it's not approved but

    FAQ - Lawful Access – Consultation Document - Summary of Submissions to the Lawful Access Consultation - Lawful Access FAQ

    Specifically:

    "Under the current laws, not all telecommunications service providers are required to design intercept capabilities into their networks. When a new technology or communication service is introduced, law enforcement and national security agencies often have to research and develop new methods to gain lawful access to those networks. The lack of a technical solution, or a delay in the ability to use it, hampers investigations and the prevention of serious crimes or threats to national security.

    To address this issue, the government is proposing that service providers in Canada be required to ensure their networks or infrastructures have the technical capability to enable lawful access by law enforcement and national security agencies when the agencies are legally authorized to intercept a communication or search and seize data."

    From the Canadian government of all places.

    Cheers
    11-20-14 08:49 PM
  7. mornhavon's Avatar
    I'm not sure this qualifies by your definition as it's not approved but
    FAQ - Lawful Access – Consultation Document - Summary of Submissions to the Lawful Access Consultation - Lawful Access FAQ
    Specifically:
    "Under the current laws, not all telecommunications service providers are required to design intercept capabilities into their networks. When a new technology or communication service is introduced, law enforcement and national security agencies often have to research and develop new methods to gain lawful access to those networks. The lack of a technical solution, or a delay in the ability to use it, hampers investigations and the prevention of serious crimes or threats to national security.
    To address this issue, the government is proposing that service providers in Canada be required to ensure their networks or infrastructures have the technical capability to enable lawful access by law enforcement and national security agencies when the agencies are legally authorized to intercept a communication or search and seize data."
    From the Canadian government of all places.
    By my understanding, and since the Canadian government hasn't gone after other end-to-end encrypted services (like BBM Protected) I suspect I'm reading it correctly, that only applies to access to the network in question in-so-far as the provider has access themselves, not to ban any encryption that the provider isn't able to decrypt. Anything other than that would be (will be?) a scary precedent. Interesting read though, thanks.
    11-20-14 09:08 PM
  8. LazyEvul's Avatar
    I'm not sure this qualifies by your definition as it's not approved but

    FAQ - Lawful Access – Consultation Document - Summary of Submissions to the Lawful Access Consultation - Lawful Access FAQ

    Specifically:

    "Under the current laws, not all telecommunications service providers are required to design intercept capabilities into their networks. When a new technology or communication service is introduced, law enforcement and national security agencies often have to research and develop new methods to gain lawful access to those networks. The lack of a technical solution, or a delay in the ability to use it, hampers investigations and the prevention of serious crimes or threats to national security.

    To address this issue, the government is proposing that service providers in Canada be required to ensure their networks or infrastructures have the technical capability to enable lawful access by law enforcement and national security agencies when the agencies are legally authorized to intercept a communication or search and seize data."

    From the Canadian government of all places.

    Cheers
    That proposal pertains only to service providers, and is talking about providers having to ensure the ability to intercept whatever's going over the airwaves. Whether or not the content on the airwaves is encrypted is not something that covers - service providers have no control over that.

    I'm certain there are examples out there of what you're looking for, however. A number of countries have taken issue with BBM's encryption even in its current form, so I can't imagine they'd take kindly to end-to-end encryption. We'll have to see if they react to WhatsApp, but I suspect they took this into account when making the decision to do this - the loss of customers in some countries does not necessarily outweigh the improved service for millions of other customers.

    Having said that, if the entire messaging industry moves towards end-to-end encryption, these governments may have no choice but to accept it - what will their citizens be left using if Hangouts, iMessage, BBM, Skype, Viber and WhatsApp are all using it one day?
    mornhavon likes this.
    11-20-14 09:12 PM
  9. RubberChicken76's Avatar
    That proposal pertains only to service providers
    Yeah, the term "service providers" is a little loose in that it wasn't defined further. I first read it to assume "carriers" and "internet service providers", but without definition clarified could mean "messaging service providers" etc. as well. Can't read their mind, so I'll just call it ambiguous.



    so I can't imagine they'd take kindly to end-to-end encryption. We'll have to see if they react to WhatsApp, but I suspect they took this into account when making the decision to do this - the loss of customers in some countries does not necessarily outweigh the improved service for millions of other customers.
    They might also be taking a calculated business risk. I once had an aggressive business development manager make a potent statement: "If we only did what our lawyers said, we'd never do business at all". It will be interesting to see what happens.
    11-21-14 05:32 AM
  10. undone's Avatar
    In a regulated corporate setting a BBM-type of IM will be preferable. Both secure and being able to be audited. If you can't audit it, you can't use it.

    In the case of WhatsApp it wasn't that long ago that they transmitted in the clear and some other attempts at encryption by said company weren't looked on favorably. From Feb 2014 The problem with WhatsApp's privacy boasts: They're not true | PandoDaily . Did they do it right this time? Who knows, only time will tell. But personally I wouldn't take their word for it.
    11-21-14 02:38 PM
  11. byex's Avatar
    In a regulated corporate setting a BBM-type of IM will be preferable. Both secure and being able to be audited. If you can't audit it, you can't use it.

    In the case of WhatsApp it wasn't that long ago that they transmitted in the clear and some other attempts at encryption by said company weren't looked on favorably. From Feb 2014 The problem with WhatsApp's privacy boasts: They're not true | PandoDaily . Did they do it right this time? Who knows, only time will tell. But personally I wouldn't take their word for it.
    wireshark and whatsapp. It was fun while it lasted.

    Posted via CB10
    11-21-14 04:29 PM
  12. anon8656116's Avatar
    In a regulated corporate setting a BBM-type of IM will be preferable. Both secure and being able to be audited. If you can't audit it, you can't use it.

    In the case of WhatsApp it wasn't that long ago that they transmitted in the clear and some other attempts at encryption by said company weren't looked on favorably. From Feb 2014 The problem with WhatsApp's privacy boasts: They're not true | PandoDaily . Did they do it right this time? Who knows, only time will tell. But personally I wouldn't take their word for it.
    Perhaps they did learn from it. More privacy and security will be the few remaining avenues for WhatsApp's future growth. If it does this right, there will be no need for many other apps anymore.
    11-22-14 04:05 AM
  13. anon(6168981)'s Avatar
    Is this included in the BB10 version?
    11-25-14 11:25 AM
  14. Sequester#WN's Avatar
    Isn't it ironic that there is a big uproar in the forums that now it can be seen if and when a message was read in WhatsApp? There are rumours that this will be made optional soon or removed at all because of these user concerns.

    When reading forums regarding BBM there is always the complaint that this feature was missing in the past at WhatsApp. Seems like the majority does not agree in this respect. They also have end to end encryption now - something very important as far as I am concerned and massively covered by the media - albeit not at crackberry.

    I love my BlackBerry phones and have converted a few to switch (back). But BBM is dead, at least in mainland Europe.


    Posted via CB10
    11-25-14 12:00 PM
  15. kevets's Avatar
    I just hope the one on one video calling becomes a widespread feature. Love meetings right where it's at

    Posted via CB10
    11-25-14 04:38 PM
  16. gogogadgets's Avatar
    Encryption != security. Those messages travel over the open Internet, not a private network like BlackBerry's. They can be Man-in-the-middled all day long and probably are. This could explain the slowness of WhatsApp or iMessage, in fact.
    11-25-14 09:00 PM
  17. mornhavon's Avatar
    Encryption != security. Those messages travel over the open Internet, not a private network like BlackBerry's. They can be Man-in-the-middled all day long and probably are. This could explain the slowness of WhatsApp or iMessage, in fact.
    You're absolutely right, decrypting end-to-end encryption is easy once you've intercepted the traffic. To prove it, how about someone decrypts my message below, a simple message posted in standard AES128 encryption:
    <Encrypted>
    ZUql3CJRxlBs7SWlWkOoVHxXuFdIE81jtt5Vl/A2fsvphXe+3d1nRJYYS9O/Ry7oVCW8/Xto7OvX9Z//
    PVB4aiEbEbhQ6nSD1+8mf5Gisn0=
    </Encrypted>
    11-25-14 09:44 PM
  18. gogogadgets's Avatar
    <Encrypted>
    ZUql3CJRxlBs7SWlWkOoVHxXuFdIE81jtt5Vl/A2fsvphXe+3d1nRJYYS9O/Ry7oVCW8/Xto7OvX9Z//
    PVB4aiEbEbhQ6nSD1+8mf5Gisn0=
    </Encrypted>

    Hey, no fair, you put a password on it! If I have your password or key, I can decode it. If I have root on your device, I have your key.
    Last edited by gogogadgets; 11-25-14 at 10:38 PM.
    11-25-14 09:59 PM
  19. mornhavon's Avatar
    It says "bad magic number"
    Nope. It is in English though :-)

    Sorry, just having some fun trying to prove a point. If proper encryption were easy to read just because it was intercepted, there would be little to no point in encryption.
    Last edited by mornhavon; 11-25-14 at 10:32 PM.
    11-25-14 10:08 PM
  20. mornhavon's Avatar
    Hey, no fair, you put a password on it! If I have your password or key, I can decode it. If I have root on your device, I have your key.
    As opposed to the encryption that DOESN'T use keys? Yes, like any encryption, if you have the key you can decrypt the contents, the problem is getting the private key. You could always brute force it if you get some time on a supercomputer or if you've got a few thousand years with your current computer ;-)
    If you have root on my device, you still aren't any closer to having a properly stored private encryption key. And besides, you were talking about decrypting messages from intercepted traffic, not some fantasy scenario where you have my device, figured out my password and managed to root it without wiping the device, all of which still wouldn't get you the private keys.
    Last edited by mornhavon; 11-25-14 at 11:05 PM.
    11-25-14 10:50 PM
  21. byex's Avatar
    WhatsApp has stated that their encryption creates a unique key for every message sent, known as forward secrecy. But if it creates a unique key per message, that unique key would have to be derived from a fixed key. No?
    Now would this fixed key be on their servers or within the app? And is this fixed key like a master key and is the same for all WhatsApp users? If it is, then more than likely it would be stored on the WhatsApp servers. If not and the fixed key is on the phone then it would have to create a unique key with an algorithm maybe using the phone number as a variable? Or something.
    If it does this then this would also provide not only forward but even backwards secrecy?
    Sounds like DUKPT cryptography but nowhere online do they even mention it. Unless I'm seeing similarities where there are none. Also sounds like the encryption used when entering your pin number at an ATM, that provides a unique key for every transaction but I think they change the fixed keys every 12-24 hours.

    If their encryption is all what it's made out to be then good luck to those that try to break it. Unless you are a government agency it ain't happening.
    But maybe it's susceptible to a replay attack. Not like such an attack would lead to anything valuable.

    Posted via CB10
    11-25-14 11:03 PM
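
    The per-message key question in the post above, as an added example that is not part of the original thread and is not WhatsApp's or TextSecure's code: a simplified one-way hash ratchet next to the fixed-master-key derivation the post guesses at. The function names, label bytes and the constructed seed are assumptions made for illustration.

```python
import hashlib
import hmac

MSG_KEY_LABEL = b"\x01"    # label bytes chosen for this illustration
CHAIN_KEY_LABEL = b"\x02"


def _prf(key: bytes, label: bytes) -> bytes:
    """One-way keyed function: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


class SendingChain:
    """Hash ratchet: each message key comes from a chain key that is then replaced."""

    def __init__(self, initial_chain_key: bytes):
        self._chain_key = initial_chain_key

    def next_message_key(self) -> bytes:
        message_key = _prf(self._chain_key, MSG_KEY_LABEL)
        # Overwrite the chain key; the previous value is no longer held anywhere.
        self._chain_key = _prf(self._chain_key, CHAIN_KEY_LABEL)
        return message_key

    def snapshot(self) -> bytes:
        """What an attacker obtains by reading device state at this moment."""
        return self._chain_key


def keys_from_state(chain_key: bytes, count: int) -> list:
    """Every message key derivable going forward from a captured chain key."""
    chain = SendingChain(chain_key)
    return [chain.next_message_key() for _ in range(count)]


def fixed_key_message_key(master: bytes, counter: int) -> bytes:
    """The 'fixed key plus a variable' scheme: key = PRF(master, counter)."""
    return _prf(master, counter.to_bytes(4, "big"))


def demo() -> dict:
    seed = bytes(range(32))  # constructed sample secret, not a real key

    chain = SendingChain(seed)
    past = [chain.next_message_key() for _ in range(3)]    # messages 1-3
    stolen = chain.snapshot()                               # compromise happens here
    future = [chain.next_message_key() for _ in range(2)]  # messages 4-5

    reachable = keys_from_state(stolen, 1000)

    # Fixed master key: stealing it at any time recomputes every key ever used.
    sent_fixed = [fixed_key_message_key(seed, i) for i in range(5)]
    recomputed = [fixed_key_message_key(seed, i) for i in range(5)]

    return {
        "unique_per_message": len(set(past + future)) == 5,
        # Earlier keys are not reachable from the stolen state (forward secrecy).
        "past_exposed": any(k in reachable for k in past),
        # Later keys are reachable: a hash ratchet alone does not heal after compromise.
        "future_exposed": reachable[:2] == future,
        "fixed_key_exposes_all": recomputed == sent_fixed,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    A hash ratchet on its own protects only earlier messages; protocols in this family add fresh Diffie-Hellman exchanges so that later keys also stop being derivable from a captured state.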
  22. Soulstream's Avatar
    Encryption != security. Those messages travel over the open Internet, not a private network like BlackBerry's. They can be Man-in-the-middled all day long and probably are. This could explain the slowness of WhatsApp or iMessage, in fact.
    For BB10 (as well as iOS, Android and WP8), BBM messages travel through the same cables until they reach the BB servers. The messages are encrypted, yes, but they use the same path (cable) as any other internet traffic.
    mornhavon likes this.
    11-26-14 02:16 AM
  23. gogogadgets's Avatar
    I was talking about MITM attacks which are possible in many many ways. The point I was making is that the encrypted traffic is only as secure as its endpoints. It could be a random number generator that's not so random. It could be a lot of things.

    As for private keys, I wouldn't need to physically gain access to your device or figure out your password to "root" it. On Android, privilege escalation is a fairly well known and documented fact, and you're just plain wrong if you think the private keys are not stored on the device and 100 percent visible to root.

    WhatsApp messages sent over the open internet via Android and iOS devices should not be considered secure. Kudos to WhatsApp for doing what little it can though.

    BBM is in the same boat out of the box, by the way: not highly secure. Can be made so though, unlike just about anything else. iMessage, I am convinced, is nothing but one big MITM attack. It's so incredibly slow and unreliable -- big tipoff that something is going on in transit.
    11-26-14 10:41 PM
  24. midnightdoom's Avatar
    BlackBerry needs to step up here. iMessage and now WhatsApp do this, it's time for BBM to follow suit with their free messenger.

    There's a snowball's chance in hell that I'll convince my friends to pay for an encrypted BBM when free alternatives are available. Heck, they're all on Android and giving Google their data anyway.
    Not gonna lie, it does intrigue me to give whatsapp a second look.. I deleted it for bbm thinking it's better, but now I'm not so sure, especially if BlackBerry isn't putting out transparency reports like American companies are..

    I would like to hear from BlackBerry how from a consumer stand point who can't get BES or bbm protected, how our files and data are still more secure with BlackBerry vs whatsapp and apple now that they are both going with "we even can't see their info" encryption

    *Z30 STA100-5 10.2.1.2977/3247*
    11-26-14 10:51 PM
  25. gogogadgets's Avatar
    Not gonna lie, it does intrigue me to give whatsapp a second look.. I deleted it for bbm thinking it's better, but now I'm not so sure, especially if BlackBerry isn't putting out transparency reports like American companies are..

    I would like to hear from BlackBerry how from a consumer stand point who can't get BES or bbm protected, how our files and data are still more secure with BlackBerry vs whatsapp and apple now that they are both going with "we even can't see their info" encryption

    *Z30 STA100-5 10.2.1.2977/3247*
    I would also like BlackBerry to make a statement about that, but the TOS is very clear. As for "even we can't see their info" encryption -- I doubt it strongly. And I wouldn't expect high security without paying a pretty penny for it. A false sense of security (iMessage/WhatsApp) is worse than weak security (BBM out of the box) or no security (SMS). As a general rule, I would tend to trust BBM Protected over the others if only for the network and secure endpoints. You're not going to get high security without paying for it, and the average person doesn't need it anyway.
    11-26-14 11:20 PM