[plumsauce]

10.3.3.3057

I just noticed that during at least the automated email setup a blackberry server connects to the target email server independently of the device.

It then proceeds to successfully authenticate against the imap service.

The activity was seen in the mail server logs as unexpected connections while tracing the expected connections.

The ip address resolved to:

68-171-232-3.rdns.blackberry.net [68.171.232.3]

in this case. There are probably multiple such servers.

Having the device pass your email credentials to a blackberry server without disclosure is just not cool. Especially for a company that sells/sold itself on their great security.

Note that this was not a BIS/EXCHANGE setup but a plain jane IMAP account.

Now, if someone says this only happens during automated setup, I only resorted to the automated setup because advanced setup is not working!

I see the connects, then the popup tells me that it is not working. That is the height of bogosity as well as the inability to have the device just use user provided settings without checking as an option. Some people do know what they're doing.

And if someone wants to suggest that the email server is at fault, well it is a Mdaemon server which is sold by Alt-N which is a Blackberry subsidiary.

and again ....

[anon(10218918)]

10.3.3.3057

I just noticed that during at least the automated email setup a blackberry server connects to the target email server independently of the device.

It then proceeds to successfully authenticate against the imap service.

The activity was seen in the mail server logs as unexpected connections while tracing the expected connections.

The ip address resolved to:

68-171-232-3.rdns.blackberry.net [68.171.232.3]

in this case. There are probably multiple such servers.

Having the device pass your email credentials to a blackberry server without disclosure is just not cool. Especially for a company that sells/sold itself on their great security.

Note that this was not a BIS/EXCHANGE setup but a plain jane IMAP account.

Now, if someone says this only happens during automated setup, I only resorted to the automated setup because advanced setup is not working!

I see the connects, then the popup tells me that it is not working. That is the height of bogosity as well as the inability to have the device just use user provided settings without checking as an option. Some people do know what they're doing.

And if someone wants to suggest that the email server is at fault, well it is a Mdaemon server which is sold by Alt-N which is a Blackberry subsidiary.

and again ....

These servers are placed in Great Britan and the GCHQ has full access ... The GCHQ is as the NSA part of the "five eyes" .

[anon(10218918)]

Use Tutanota or Protonmail for secure Email !

[joeldf]

Way back when BB10 first came out, this was actually well known. BlackBerry hyped it as a way to automatically set your email up on the phone.

Yes, we talked about how passwords were going to BlackBerry - it was, therefore, definitely disclosed. Some didn't like it. Some didn't care. I set my email up manually and it worked just fine. IMAP and an Exchange account.

5 years later and less than 2 years before it all shuts down and you're complaining now?

[brookie229]

5 years later and less than 2 years before it all shuts down and you're complaining now?

Well, he is new-to Crackberry anyway and perhaps BB10.

[erguduju]

So if it is an old issue then is OK?

[joeldf]

BlackBerry said then that the passwords are not stored, just accessed to set up the account with the right settings back on the phone.

Believe them or not, pretty much every email client does some form of that if you just put in the email address and password to set it up instead of doing it manually.

Remember too that every BB10 phone has a connection the BlackBerry NOC at all times. That's what that little 4-dot BB logo in the upper right corner means. So why worry about that one communication to the NOC, but not the permanent connection the rest of the time.

[anon(8679041)]

I'm selling my BB KeyOne and sticking to Linux-based smartphones, computers and FOSS.

Anything else is just words. They say "trust us, we offer privacy and security" but then again they don't show their source code. Why? Will this make them less secure? I don't think so, otherwise no one would use Linux for their PCs, or servers. I bet even CrackBerry is on a Linux server.

[Mecca EL]

I'm selling my BB KeyOne and sticking to Linux-based smartphones, computers and FOSS.

Anything else is just words. They say "trust us, we offer privacy and security" but then again they don't show their source code. Why? Will this make them less secure? I don't think so, otherwise no one would use Linux for their PCs, or servers. I bet even CrackBerry is on a Linux server.

Because you'd get to see that their "hardening" of Android is snake oil. BlackBerry just flipped on a couple of kernel switches, that other OEM's don't use, and that's the hardening. If they shared source, you too could "harden" any BlackBerry android device.

[Chris Chin]

And hasn't even replied to any of the replies here


Chris - ClassicSQC100-4/10.3.3.2205

[Chuck Finley69]

And hasn't even replied to any of the replies here


Chris - ClassicSQC100-4/10.3.3.2205

This has led to account being hacked and locked out. ;-) JK

[rthonpm]

I'm selling my BB KeyOne and sticking to Linux-based smartphones, computers and FOSS.

Anything else is just words. They say "trust us, we offer privacy and security" but then again they don't show their source code. Why? Will this make them less secure? I don't think so, otherwise no one would use Linux for their PCs, or servers.

Yet open source has been shown to be just as insecure as proprietary software. Being able to look at source code is all well and good, but if you don't know what you're looking for, or don't have the time to move through thousands, if not more, lines of code, what good does it do?

This isn't to disparage open source software at all: my company uses quite a bit of it, but it's not a panacea. There's as much poorly maintained open source software available as there is closed source.

Posted via CB10

[plumsauce]

Dealing first with the timing of the wrong, wrong is wrong no matter when it happens.

There is no reason disclosure could not have been made on the very page that collects the input. If the concern was the amount of data stored permanently on a device with finite storage, they could very well have linked to a web page. In fact, the test itself could have been input on a web page.

As for what Blackberry has said about data retention, while the statement has been made, it is still a statement that is not provably true.

My choice to migrate to the Classic/Passport has nothing to do with whether the OS is EOL but rather the physical keyboard, build quality, and QNX as opposed to IOS/Android. Windows Mobile would have been a fine choice, but no physical keyboard.

As for open source, the touted security aspects are only true if you have the time and skills to audit every single line. Further, there is no one single person or organisation that can be held liable for damages if what is said is not true.

I notice that the rom signatures for BB10 use the Elliptic Curve based signatures. The very ones that are widely believed to be the most likely to have been backdoored by intelligence agencies, one in particular.

When it comes to privacy ... in myself i trust.

[Richard Buckley]

notice that the rom signatures for BB10 use the Elliptic Curve based signatures. The very ones that are widely believed to be the most likely to have been backdoored by intelligence agencies, one in particular.

Are you sure you aren't confusing elliptic curve cryptography with the Dual Elliptic Curve Pseudo Random Number Generator? Elliptic Curve signing is widely accepted to be very secure and is computationally less expensive to use.

When it comes to privacy ... in myself i trust.

If you are using a product, you are implicitly trusting the provider of the product.

LeapSTR100-2/10.3.3.2205

[anon(8679041)]

If you are using a product, you are implicitly trusting the provider of the product.

Except open source.

Being able to look at source code is all well and good, but if you don't know what you're looking for, or don't have the time to move through thousands, if not more, lines of code, what good does it do?

There are a ton of options available to you for checking the source code. Starting from knowing it yourself and ending with huge communities who can help. You also don't have to check every single line of code. You can perform specific searches, say search for IPs in the source code, then you study why those IPs are there and if any data is sent to them. And that's just one example.

With closed-source you really have only one option - trust.

[plumsauce]

First, thanks to Richard for making HelloGPS available. It's great for priming the GPS system for the first time, or after extended off time. My "impression" is that in a Classic/Passport faceoff with fresh loads and no stored almanac data the Classic achieves a fix faster and has better sensitivity.

If you are using a product, you are implicitly trusting the provider of the product.

Life is a series of choices. I would just like them to be informed choices.

What is disturbing in the last decade or so is the increasingly prevalent attitude of developers and their organisations that it is quite acceptable to backdoor software for "quality metrics" or to force auto updates. In previous generations, those reponsible would have been black balled.

FOSS is a mess. It's like watching a herd of greased piglets who all want to work on their pet features, but never admit to, or much less work on a reported bug. All one has to do is look at the bug tracking systems of some major projects. Bugs languish for years while the dev's sniff that its not reproducible or by design and close them out.

Reading FOSS source code is an exercise in futility as it seems the use of comments is not a requirement.

[Richard Buckley]

First, thanks to Richard for making HelloGPS available. It's great for priming the GPS system for the first time, or after extended off time. My "impression" is that in a Classic/Passport faceoff with fresh loads and no stored almanac data the Classic achieves a fix faster and has better sensitivity.

You are welcome. There is no secret sauce there, if HelloGPS outperforms anything else it is only because I read all the documentation and where the was any doubt, experimented to determine the effect of design choices. HelloGPS is nothing more than my laboratory.

Life is a series of choices. I would just like them to be informed choices.

What is disturbing in the last decade or so is the increasingly prevalent attitude of developers and their organisations that it is quite acceptable to backdoor software for "quality metrics" or to force auto updates. In previous generations, those reponsible would have been black balled.

Sometimes history is everything. Prior to BB10 there were two ways to get email onto a BlackBerry smartphone. You could use a BES server, or one of the derived products; or you gave BlackBerry your email credentials and they would download the email from your providers' servers and send it to your BlackBerry using BIS. BB10 was the first time the average consumer could use a BlackBerry for email without BlackBerry having access to everything. So if you believe that they should have been louder and more obvious about how the automatic set up works, that is your option, but don't be surprised if others disagree.

[/QUOTE]
FOSS is a mess. It's like watching a herd of greased piglets who all want to work on their pet features, but never admit to, or much less work on a reported bug. All one has to do is look at the bug tracking systems of some major projects. Bugs languish for years while the dev's sniff that its not reproducible or by design and close them out.

Reading FOSS source code is an exercise in futility as it seems the use of comments is not a requirement.[/QUOTE]



LeapSTR100-2/10.3.3.2205

[plumsauce]

Sometimes history is everything. Prior to BB10 there were two ways to get email onto a BlackBerry smartphone. You could use a BES server, or one of the derived products; or you gave BlackBerry your email credentials and they would download the email from your providers' servers and send it to your BlackBerry using BIS.

So Logicmail went through BES? Even so, you weren't passing those credentials to someone else.

The main impetus for choosing the Classic over the 9900 was being able to pass data without needing a BIS enabled account independently of other consideratons.

[joeldf]

So Logicmail went through BES? Even so, you weren't passing those credentials to someone else.

The main impetus for choosing the Classic over the 9900 was being able to pass data without needing a BIS enabled account independently of other consideratons.

Don't tell that to the those who swore their lives to the greatness of BIS back when BB10 was introduced.
@belfastdispatcher... where ya' at?

But, I had forgotten that BIS did store your credentials for the exact purpose of grabbing your email from your ISP so they could sent it to your phone.

Goodness... how long was that going on. Someone should sue...

[Richard Buckley]

So Logicmail went through BES? Even so, you weren't passing those credentials to someone else.

The main impetus for choosing the Classic over the 9900 was being able to pass data without needing a BIS enabled account independently of other consideratons.

Would have gone through BES if you had it. Otherwise it would have gone through BIS, and been readable by RIM unless they used device side encryption which needed BIS/B. But then the keys would have been generated on the device, by RIM/Certicom code, so if you are now not trusting BlackBerry with your creds would you trust them to encrypt your data? I had forgotten about logic mail since I never used it, but did see a lot of traffic on sites like this discussing it. Surprisingly it is still available: LogicMail for BlackBerry

For those wondering what life was like before application stores, that was it.

[joeldf]

For those wondering what life was like before application stores, that was it.

I remember.

I also remember hunting for Google Maps for BlackBerry on the Google site before they stopped carrying it.

[plumsauce]

The difference between enterprise BIS/BES services and standalone services is of course expectations. Anyone using BIS/BES is of course well aware that their traffic is transiting through Blackberry servers. No surprise there. My point was that when standalone, there is no inherent expectation that anything sensitive, like oh say ... credentials, will be sent to a blackberry server without some type of at least first time usage warning.

On the matter of Logicmail allegedly transiting across BIS, I think not. In support of that is the following CB thread which discusses using a previous generation BB without BIS:

https://forums.crackberry.com/blackb...ut-bis-996682/

The matter of RIM/Certicom involvement in encryption is just a red herring. After all the title of the thread is "blackberry backdoors email passwords during setup" and not anything else.

[joeldf]

All I can say is that when I first set up my Z10 back in late summer 2013, somehow I knew the deal. Maybe it was already discussed on these forums, but it was known.

Again, if you manually plug in your email information, then nothing gets sent to BlackBerry. I tried the automated way on my first try, and it didn't work. It worked manually, so that's what I've done ever since.

Bottom line, if you don't trust BlackBerry, then better find a solution you do trust. I just think there are much bigger, and more real, threats to worry about.

[Richard Buckley]

The difference between enterprise BIS/BES services and standalone services is of course expectations. Anyone using BIS/BES is of course well aware that their traffic is transiting through Blackberry servers. No surprise there. My point was that when standalone, there is no inherent expectation that anything sensitive, like oh say ... credentials, will be sent to a blackberry server without some type of at least first time usage warning.

The IT security world would be a nicer place if this were true. Unfortunately a more pragmatic view point is that absent of a specific -- and verifiable if warranted -- statement to the contrary assume any data provided to an application is available to the provider of the application. It has been a while since I looked at ThunderBird and iOS email products in this light, but when I did they behaved the same way. That may have changed recently, but as many people on these boards will remind you BlackBerry no longer has anyone working on the code to change this kind of behaviour.

On the matter of Logicmail allegedly transiting across BIS, I think not. In support of that is the following CB thread which discusses using a previous generation BB without BIS:

https://forums.crackberry.com/blackb...ut-bis-996682/

What Shuswap is talking about is using a BlackBerry without a BIS enabled data plan, not using a BlackBerry while avoiding the BIS. The difference is subtle but important. Starting with BBOS 6.1 it was possible under certain conditions to make some connections without going through the BIS, but not all products had this built in. A key point in that post is:

The BlackBerry web browser works over wifi, but it may or may not work over the cellular network, depending on your provider.

The reason for that is the BlackBerry web browser in all versions of BBOS up to and including 10 could still utilize the BIS data connection. On wifi that is simply a network connection to the ROC. On wireless it is more complex and depends on the carrier back-haul network configuration. If you had a BIS enabled data plan all Internet bound traffic would be routed through the RIM/BlackBerry forward deployed server in the carrier network and end up in the ROC. If you didn't have a BIS enabled plan they could block traffic from your BlackBerry device or they could allow you to use an Internet APN and route your traffic just like they would for an iPhone or later Android. But once on the Internet, where the packets went depended on how the application was written. They could fetch up at the ROC and be handled just as they would be if the first hop was wifi.

Since the last version of LogicMail was written for BBOS 6.0 or higher it would not have been compiled with the 6.1 API needed to avoid the ROC.

Another clue to this is the fact that, despite being doubted by some on these boards, a number of BlackBerry 10 device users (including myself) were required to buy BlackBerry BIS enabled data plans to get wireless data services for their BB10 phones. How data is handled in the carriers' networks is entirely up to the carrier. Devices running BBOS 6.0 and below didn't have the code and protocols needed to participate on the data networks the way the iPhones of the day could. But even after versions 6.1, 7 and 10 came out some carriers continued to treat all BlackBerry devices the same; at least until recently.

The matter of RIM/Certicom involvement in encryption is just a red herring. After all the title of the thread is "blackberry backdoors email passwords during setup" and not anything else.

At the time BlackBerry smart phones were made by RIM who used cryptographic libraries provided by Certicom. RIM acquired Certicom and became BlackBerry. If you are truly worried about BlackBerry doing something undocumented and nefarious with your email credentials, they have access to all the encryption keys generated or used by your device. If they are prepared to do undocumented and nefarious deeds they can get up to a lot more mischief by making a back door to your encryption keys.

I agree a warning when you are asked to enter your credentials would be a welcome touch. But that isn't the way it is and it is not likely to change before BB10 is officially EOL. If you're going to use BB10 you will just have to live with it. Or you could migrate to another platform. Not idea choices.

[bb10adopter111]

Just set up email manually with the server address and it's not an issue. This was put in place as a convenience feature for consumers who don't understand how email works and just wanted it setup.

Posted with my trusty Z10