[chris constantinou]

https://www.eff.org/node/82654

Posted via CB10

[thurask]

(Really) old news: http://forums.crackberry.com/general...report-973806/

[app_Developer]

Pretty good discussion about this here: http://forums.crackberry.com/general...apple-1089322/

[DroidBB]

Whether it's old news or not it doesn't change the fact that BBM lacks basic security that a lot of other products provide for free. The lack of end to end encryption is the biggest lapse (they do offer it with BBM Protected but they want you to pay for it jump through hurdles to get it).

Since BlackBerry has come out and said that they enjoy helping law enforcement "kicks$$" meaning they give up information to enforcement agencies and governments without warrants makes BBM a ridiculous choice for anyone concerned about their privacy.

Now that BBM is being developed by an Indonesian company, named Emtek I believe, it's just another reason to not use BBM.

Nevermind the amount of Indonesian spam you will receive along with ads for adult dating websites and nonsense games they want you to download.

[techhatesme]

...
Now that BBM is being developed by an Indonesian company, named Emtek I believe, it's just another reason to not use BBM.

Nevermind the amount of Indonesian spam you will receive along with ads for adult dating websites and nonsense games they want you to download.

Licenced by Emtek, who have committed to further development of BBM for Android and iOS only so far as creating new revenue streams, like nonsense games.
Does it really surprise you to see Advertisements on an OS that almost purely exists to data mine your personal preferences and feeds off the advertising revenue in return? Or do you prefer your app's to have hidden revenue streams like WhatsApp who shares your details and your contact's details with Facebook in order to provide you with ads on facebook.com?
If having ads on BBM for Android or iOS aren't to your liking, then maybe consider buying the ad-free subscription?
Or you could always come back to BlackBerry10 OS, which is the sub forum this thread is posted under.

And a Merry Christmas to all!

-- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.

[hobgoblin1961]

Never ever had advertising on my BBM using BlackBerry OS10 device since it started!
BBM Protected is as securely end-to-end as it can be in three stages, no other messengers around can match with that and only copied BBM security capabilities over the last three years as far I can see.

If someone is concerned about being flooded and or leached by common messenger like WA or any other app's created by Suggarboy or Google... well may consider using a proper BlackBerry device and BBM Protected for a change.

Posted either via -Passport -Classic / OS-10.3.++ is all you need

[hobgoblin1961]

By the way things like Video chat was available already in 2013 as well as Group chat with shared images and calendar functions.
Timed messaging, retreat posted message and so on, available for a long time now in BBM as well as end-to-end encryption, all features that are being copied by WA and others just recently or suppose to be coming in future.

Here what BBM offered already:


Posted either via -Passport -Classic / OS-10.3.++ is all you need

[hobgoblin1961]

Hey if someone wants to take the biscuit about security ;-)
Well may you look out for this app's in generally


Posted either via -Passport -Classic / OS-10.3.++ is all you need

[1khalid]

If having ads on BBM for Android or iOS aren't to your liking, then maybe consider buying the ad-free subscription?
Or you could always come back to BlackBerry10 OS, which is the sub forum this thread is posted under.

Lol, pay to use crappy BBM. Maybe if one lived in Indonesia, but here in North America nobody uses that crap Messenger service. And who wants to come back to BB10? Dead phone calling lol. It's an obsolete os with no future development. Why don't I just go back to Windows XP.

[Halifax Guy]

Lol, pay to use crappy BBM. Maybe if one lived in Indonesia, but here in North America nobody uses that crap Messenger service. And who wants to come back to BB10? Dead phone calling lol. It's an obsolete os with no future development. Why don't I just go back to Windows XP.

Excellent question. Why don't you?

Posted using a Q10, 10.3.2.2474.

[Richard Buckley]

So here is the executive summary of the relative pluses and minuses of the three main messaging protocols.

Standard BBM is not end to end encrypted, and before the introduction of BB10 the encryption between handset and server was essentially non-existent. However BlackBerry has never hid this and their target customers for security has always been enterprise. Both pre and post BB10 BBM messages are end to end encrypted when carried by BES because BES is end to end encrypted, keys are generated and managed by the customers' equipment, the BES server is also the BBM server for messages between devices on the BES. BBM Protected provides the same level of security outside of BES. Yes this costs extra, but as you will see the cost buys you things you don't get with the free or very inexpensive solutions.

WhatsApp uses the Signal Protocol, which is very secure when all its features are used. Unfortunately one of the most important is off by default which can be problematic. Which is why the Signal Protocol has it on.
https://www.eff.org/deeplinks/2016/0...-its-1bn-users

One of the settings the security-conscious should be sure to change is enabling security notifications. This ensures that if the encryption key for your contact changes, you will be notified of this change so that you'll know you have to verify security codes again. With Signal these notifications are always shown, but with WhatsApp they are optional and are switched off by default.

WhatsApp also has the privacy issues of using your phone number to identify you and now sharing contact data with Facebook unless you opt out. But if you have given Facebook your mobile number opting out probably doesn't help.

iMessage provides end to end encryption but Apple manages the keys. When you want to send a message to a contact the server provides the key(s). There is no way in the user interface to examine the keys. This means that the server could also give you a key for a third party who could then decrypt the message, without you ever knowing. But it is very easy to use.

Edit: I should have been more explicit about what I mean by manage keys. Apple maintains a public key repository to provide public keys to users so that they can encrypt messages. This is part is what makes iMessage so easy to use. What they don't provide is any way for the users to audit the public keys they are being sent to them. This in turn means they could -- not that they are -- send a public key that the FBI provides to them. In which case the FBI would then be able to read messages which were encrypted with the additional key.

So it remains up to you to decide how much you want to pay for what level of security or convenience. But remember that the cost is more than the subscription fees. You have to include the cost of the phone and the value of the personal data you are sharing. If we are truly in an information economy, you will want to make sure you are getting good value for the data you are sharing as much as you will want to make sure you are getting good value for the money you are spending.

LeapSTR100-2/10.3.3.2163

[LyounMen]

Get a grip people and wake up from delusion

https://pando.com/2015/03/01/interne...ry-of-the-bbg/

Posted via CB10

[thurask]

Get a grip people and wake up from delusion

https://pando.com/2015/03/01/interne...ry-of-the-bbg/

Posted via CB10

Yeah, let's stop using services which might be compromised by the government and go back to a service that willingly compromises itself to them!

[1khalid]

Excellent question. Why don't you?

Posted using a Q10, 10.3.2.2474.

Did the truth hurt!?

[Jamaa]

Did the truth hurt!?

Troll alert!

 Q10 SQN100-5/10.3.3.2049 T-Mobile with Wi-Fi calling

[Halifax Guy]

Did the truth hurt!?

What truth? What is the problem with people lately? When asked a simple question (in relation to a statement by the person posting), no one seems capable of any form of comprehension of the question.



Posted using a Q10, 10.3.2.2474.

[TheAuthority]

If you want secure BBM, then pay for it. Secure Enterprise BBM is just that: secure. Whatsapp is not even private, never mind secure when it's affiliated with facebook. How ridiculous to even think that it is. Apple's supposed secure messaging is a delusion; it's not secure when apple holds the encryption keys and can share them with anyone (governments, etc) without your even knowing.

[Elephant_Canyon]

Apple's supposed secure messaging is a delusion; it's not secure when apple holds the encryption keys and can share them with anyone (governments, etc) without your even knowing.

Apple doesn't hold the encryption keys to iMessage. Those keys are held on the device itself, and Apple doesn't have access to them unless it has your phone and your unlock code.

[Vistaus]

Apple doesn't hold the encryption keys to iMessage. Those keys are held on the device itself, and Apple doesn't have access to them unless it has your phone and your unlock code.

According to Richard Buckley, who explained Apple's ways on this same page, they do hold the keys on their servers. Richard has lots and lots of knowledge on security and stuff, as proven by his various admired posts around here, so I'm pretty sure that he's right about iMessage as well. How do *you* know he's wrong about iMessage?

Posted via CB10 using my amazing  Passport (OG Red)

[TheAuthority]

Apple doesn't hold the encryption keys to iMessage. Those keys are held on the device itself, and Apple doesn't have access to them unless it has your phone and your unlock code.

I refer you to Post #11 in the following topic:

http://forums.crackberry.com/blackbe.../#post12710443

Relevant text:

"iMessage provides end to end encryption but Apple manages the keys. When you want to send a message to a contact the server provides the key(s). There is no way in the user interface to examine the keys. This means that the server could also give you a key for a third party who could then decrypt the message, without you ever knowing. But it is very easy to use."

[app_Developer]

According to Richard Buckley, who explained Apple's ways on this same page, they do hold the keys. Richard has a lot of knowledge when it comes to security and stuff, as proven by his various admired posts, so I'm pretty sure that he's right about iMessage as well.

There's a difference here between "does" and "could". Apple distributes the public keys of users as part of the handshake. What that means is that Apple could cheat and distribute fake/incorrect keys for users such that they could listen to messages.

This is possible because there isn't a way for users to independently verify keys themselves. However, there have been 3rd party audits of iMessage done for banks and others who have asked Apple for this.

Again, this is a possible cheat that Apple could be doing. This doesn't mean they are actually doing this. If they are running their service as advertised, then they do not have the ability to decrypt user messages without access to the SE on the user's device.

Apple could be lying. And the 3rd party audits may have been invalid, incomplete, or wrong. But if Apple is doing this correctly, it is true that they can't read messages.

[Richard Buckley]

Apple doesn't hold the encryption keys to iMessage. Those keys are held on the device itself, and Apple doesn't have access to them unless it has your phone and your unlock code.

The private keys are held on the device so they can't be shared. However when you send a message to someone you have to get the public keys from somewhere. With iMessage the somewhere is the Aplle server. There is no visibility into the protocol for a user to see what public keys the server is sending. This means at any time Apple can add in a public key for which they, or someone else has the the corresponding private key, either for Apple's own purposes or because they have been forced through legal means.

Cryptography is a very complex subject area with many subtle pitfalls that can render what seems like a very secure system flawed.

Perhaps I should have been more explicit in my other post. I have edited it to provide some clarity.

When it comes right down to it WhatsApp, iMessage, BBM on BB10 and several other chat applications provide all the security that the average user needs, and probably more. If your needs vary from the average then you really need to do a formal threat risk analysis for your situation. In which case comparative tables from the EFF and the opinions expressed on fan bulletin boards (even mine) are the wrong place to gather data. I provided this information as an example of how three different companies approached securing chat in three different ways, and how those different methods can all have negative impact depending on who you are.

Arguably WhatsApp did the best job except for two points that could be disastrous depending on the risks:
1. They defaulted off one of the most important features of the Signal Protocol, requiring advanced knowledge to get full protection (they have nevertheless prominently advertised their use of the protocol).
2. WhatsApp leaks the phone numbers of their users. If you don't know why this is a problem you are either an average user or you need to re do your threat risk assessment.

LeapSTR100-2/10.3.3.2163

[techhatesme]

The private keys are held on the device so they can't be shared. However when you send a message to someone you have to get the public keys from somewhere. With iMessage the somewhere is the Aplle server. There is no visibility into the protocol for a user to see what public keys the server is sending. This means at any time Apple can add in a public key for which they, or someone else has the the corresponding private key, either for Apple's own purposes or because they have been forced through legal means.

Cryptography is a very complex subject area with many subtle pitfalls that can render what seems like a very secure system flawed.

Perhaps I should have been more explicit in my other post. I have edited it to provide some clarity.

When it comes right down to it WhatsApp, iMessage, BBM on BB10 and several other chat applications provide all the security that the average user needs, and probably more. If your needs vary from the average then you really need to do a formal threat risk analysis for your situation. In which case comparative tables from the EFF and the opinions expressed on fan bulletin boards (even mine) are the wrong place to gather data. I provided this information as an example of how three different companies approached securing chat in three different ways, and how those different methods can all have negative impact depending on who you are.

Arguably WhatsApp did the best job except for two points that could be disastrous depending on the risks:
1. They defaulted off one of the most important features of the Signal Protocol, requiring advanced knowledge to get full protection (they have nevertheless prominently advertised their use of the protocol).
2. WhatsApp leaks the phone numbers of their users. If you don't know why this is a problem you are either an average user or you need to re do your threat risk assessment.

LeapSTR100-2/10.3.3.2163

Well put Richard, thanks for the clarification.

Would you mind pointing out the flaws in BBM Protected, other then the subscription fee, for me/us?

-- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.

[Richard Buckley]

Well put Richard, thanks for the clarification.

Would you mind pointing out the flaws in BBM Protected, other then the subscription fee, for me/us?

-- Give me a keyboard, a 5 star rated Browser and a fulcrum point and I could move the world.

I am not aware of a independent third party review of BBM Protected (now known as BBM Enterprise) of the same quality as the examination of iMessage and WhatsApp that revealed the issues I spoke of. I also don't have access to BBM Protected myself to evaluate what potential issues there may be, but I suspect BBM Protected without a professional management could easily run into the same problem as WhatsApp. That is simplifying the UI or turning off features to the point that security can be easily compromised. There are no convenient ways to verify keys.

If you go back to the early cold war days, or before, a great deal of effort was invested in keeping keys and encryption algorithms secret. Even plain text that was sent under encryption had to be kept secret because not doing so could lead to a known text attack. If you pay close attention to "The Imitation Game" or read "Spy Catcher" by Peter Wright you will see some historically accurate, if somewhat dressed up examples of this.

Since the 1970s we have had public key cryptography and symmetric encryption based on Feistel networks. The former allows us to publish encryption keys publicly, the latter allows us to do the same with symmetric encryption algorithms. Many people assume that this is all that you need to bring unbreakable cryptography to the masses. Unfortunately there is still a third thing that needs to be solved. We still need a way to authenticate public keys. The web Certificate Authorities would like us to believe that they have solved this, but they really haven't. The level of security people are talking about on this thread requires an ability to authenticate the keys being used to chat with. The best solution anyone has come up with is "trust us" which usually comes after "pay us".

According to BlackBerry (blackberry.com/protected) which takes you to BBM Enterprise, keys are managed through an Enterprise Management Console. That is a good solution for people who are in a position to assign that function to a person or team. But not something an independent user can take advantage of. The signal protocol has the ability to authenticate keys if you can come up with a secure side channel, but that is not always possible or convenient. So you end up trusting WhatsApp (Facebook). Trusting Apple is really your only choice with iMessage, or any iProduct really.

So if you need really hard core security and can't meet everyone you want to chat with the way Threema requires for the top level of authentication BBM Enterprise is probably the best solution, except for BBM Enterprise and a BES which is probably the best. If I was concerned that someone was spying on my chats with the aim of reading the content, I would probably write a application like Threema for BB10.

Of course all of this assumes your hardware and OS is secure. Which is a whole other argument.

LeapSTR100-2/10.3.3.2163

[Vistaus]

The best thing BBM could do to up its security is implement OTP support for every message. That way, no message can be decrypted from the outside. But that would require BlackBerry to invest heavily in more powerful servers than they currently have.

Posted via CB10 using my amazing  Passport (OG Red)