-
10.3.3.3057
I just noticed that during at least the automated email setup a BlackBerry server connects to the target email server independently of the device.
It then proceeds to successfully authenticate against the IMAP service.
The activity was seen in the mail server logs as unexpected connections while tracing the expected connections.
The IP address resolved to:
68-171-232-3.rdns.blackberry.net [68.171.232.3]
in this case. There are probably multiple such servers.
Having the device pass your email credentials to a BlackBerry server without disclosure is just not cool. Especially for a company that sells/sold itself on their great security.
Note that this was not a BIS/EXCHANGE setup but a plain jane IMAP account.
Now, if someone says this only happens during automated setup, I only resorted to the automated setup because advanced setup is not working!
I see the connects, then the popup tells me that it is not working. That is the height of bogosity as well as the inability to have the device just use user provided settings without checking as an option. Some people do know what they're doing.
And if someone wants to suggest that the email server is at fault, well it is a MDaemon server which is sold by Alt-N which is a BlackBerry subsidiary.
and again ....
LSDBerry and anon(8679041) like this.
01-26-18 03:33 AM Like 2
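Added example, not part of the original post: one way a mail admin could surface the pattern described above, a successful IMAP login for an account from outside the networks its devices normally use, close in time to the device's own login. The log layout and the 203.0.113.0/24 device network are constructed for illustration and are not MDaemon's real log format; only 68.171.232.3 comes from the post.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (NOT MDaemon's real format): time, source IP, account, result.
SAMPLE_LOG = """\
2018-01-26 03:10:01 IMAP 203.0.113.25 user=alice@example.org auth=OK
2018-01-26 03:10:04 IMAP 68.171.232.3 user=alice@example.org auth=OK
2018-01-26 03:10:09 IMAP 203.0.113.25 user=alice@example.org auth=OK
2018-01-26 03:12:30 IMAP 198.51.100.7 user=bob@example.org auth=FAIL
2018-01-26 09:00:00 IMAP 203.0.113.25 user=bob@example.org auth=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IMAP (?P<ip>\S+) user=(?P<user>\S+) auth=(?P<res>OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, account, success) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   ipaddress.ip_address(m["ip"]), m["user"], m["res"] == "OK")

def unexpected_logins(log_text, expected, window=timedelta(minutes=5)):
    """Successful logins from outside the `expected` networks.

    Returns (account, ip, timestamp, near_expected); near_expected is True when
    the same account also logged in from an expected network within `window`,
    i.e. a second party authenticated alongside the device's own session.
    """
    nets = [ipaddress.ip_network(n) for n in expected]
    known, odd = defaultdict(list), []
    for ts, ip, user, ok in parse(log_text):
        if not ok:
            continue  # failed attempts are a different signal
        if any(ip in n for n in nets):
            known[user].append(ts)
        else:
            odd.append((user, ip, ts))
    return [(u, str(ip), ts, any(abs(ts - k) <= window for k in known[u]))
            for u, ip, ts in odd]

if __name__ == "__main__":
    # 203.0.113.0/24 stands in for the network the handset is expected to use.
    for hit in unexpected_logins(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(hit)
```

Adapt `LINE_RE` to the server's actual log layout before running it on real logs.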
- Way back when BB10 first came out, this was actually well known. BlackBerry hyped it as a way to automatically set your email up on the phone.
Yes, we talked about how passwords were going to BlackBerry - it was, therefore, definitely disclosed. Some didn't like it. Some didn't care. I set my email up manually and it worked just fine. IMAP and an Exchange account.
5 years later and less than 2 years before it all shuts down and you're complaining now?
01-26-18 09:32 AM Like 0

- BlackBerry said then that the passwords are not stored, just accessed to set up the account with the right settings back on the phone.
Believe them or not, pretty much every email client does some form of that if you just put in the email address and password to set it up instead of doing it manually.
Remember too that every BB10 phone has a connection to the BlackBerry NOC at all times. That's what that little 4-dot BB logo in the upper right corner means. So why worry about that one communication to the NOC, but not the permanent connection the rest of the time?
anon(10218918) likes this.
01-26-18 11:39 PM Like 1

- I'm selling my BB KeyOne and sticking to Linux-based smartphones, computers and FOSS.
Anything else is just words. They say "trust us, we offer privacy and security" but then again they don't show their source code. Why? Will this make them less secure? I don't think so, otherwise no one would use Linux for their PCs, or servers. I bet even CrackBerry is on a Linux server.
Mecca EL likes this.
01-27-18 08:47 AM Like 1

This isn't to disparage open source software at all: my company uses quite a bit of it, but it's not a panacea. There's as much poorly maintained open source software available as there is closed source.
Posted via CB10
01-28-18 07:13 PM Like 0

- Dealing first with the timing of the wrong, wrong is wrong no matter when it happens.
There is no reason disclosure could not have been made on the very page that collects the input. If the concern was the amount of data stored permanently on a device with finite storage, they could very well have linked to a web page. In fact, the test itself could have been input on a web page.
As for what BlackBerry has said about data retention, while the statement has been made, it is still a statement that is not provably true.
My choice to migrate to the Classic/Passport has nothing to do with whether the OS is EOL but rather the physical keyboard, build quality, and QNX as opposed to iOS/Android. Windows Mobile would have been a fine choice, but no physical keyboard.
As for open source, the touted security aspects are only true if you have the time and skills to audit every single line. Further, there is no one single person or organisation that can be held liable for damages if what is said is not true.
I notice that the rom signatures for BB10 use the Elliptic Curve based signatures. The very ones that are widely believed to be the most likely to have been backdoored by intelligence agencies, one in particular.
When it comes to privacy ... in myself i trust.
CrackNutRun likes this.
01-28-18 09:14 PM Like 1

- When it comes to privacy ... in myself i trust.
LeapSTR100-2/10.3.3.2205
Last edited by Richard Buckley; 01-29-18 at 03:46 PM.
01-29-18 08:20 AM Like 0

With closed-source you really have only one option - trust.
Mecca EL likes this.
01-29-18 11:47 AM Like 1

- First, thanks to Richard for making HelloGPS available. It's great for priming the GPS system for the first time, or after extended off time. My "impression" is that in a Classic/Passport faceoff with fresh loads and no stored almanac data the Classic achieves a fix faster and has better sensitivity.
If you are using a product, you are implicitly trusting the provider of the product.
What is disturbing in the last decade or so is the increasingly prevalent attitude of developers and their organisations that it is quite acceptable to backdoor software for "quality metrics" or to force auto updates. In previous generations, those responsible would have been blackballed.
FOSS is a mess. It's like watching a herd of greased piglets who all want to work on their pet features, but never admit to, or much less work on a reported bug. All one has to do is look at the bug tracking systems of some major projects. Bugs languish for years while the devs sniff that it's not reproducible or by design and close them out.
Reading FOSS source code is an exercise in futility as it seems the use of comments is not a requirement.
01-29-18 07:47 PM Like 0

Life is a series of choices. I would just like them to be informed choices.
LeapSTR100-2/10.3.3.2205
01-30-18 04:08 AM Like 0

- Sometimes history is everything. Prior to BB10 there were two ways to get email onto a BlackBerry smartphone. You could use a BES server, or one of the derived products; or you gave BlackBerry your email credentials and they would download the email from your providers' servers and send it to your BlackBerry using BIS.
The main impetus for choosing the Classic over the 9900 was being able to pass data without needing a BIS enabled account independently of other considerations.
01-30-18 04:20 PM Like 0

@belfastdispatcher... where ya' at?
But, I had forgotten that BIS did store your credentials for the exact purpose of grabbing your email from your ISP so they could send it to your phone.
Goodness... how long was that going on. Someone should sue...
01-30-18 04:29 PM Like 0

For those wondering what life was like before application stores, that was it.
02-01-18 12:07 PM Like 0

- The difference between enterprise BIS/BES services and standalone services is of course expectations. Anyone using BIS/BES is of course well aware that their traffic is transiting through BlackBerry servers. No surprise there. My point was that when standalone, there is no inherent expectation that anything sensitive, like oh say ... credentials, will be sent to a BlackBerry server without some type of at least first time usage warning.
On the matter of LogicMail allegedly transiting across BIS, I think not. In support of that is the following CB thread which discusses using a previous generation BB without BIS:
https://forums.crackberry.com/blackb...ut-bis-996682/
The matter of RIM/Certicom involvement in encryption is just a red herring. After all the title of the thread is "blackberry backdoors email passwords during setup" and not anything else.
02-02-18 01:21 AM Like 0

- All I can say is that when I first set up my Z10 back in late summer 2013, somehow I knew the deal. Maybe it was already discussed on these forums, but it was known.
Again, if you manually plug in your email information, then nothing gets sent to BlackBerry. I tried the automated way on my first try, and it didn't work. It worked manually, so that's what I've done ever since.
Bottom line, if you don't trust BlackBerry, then better find a solution you do trust. I just think there are much bigger, and more real, threats to worry about.
02-02-18 09:18 AM Like 0

The BlackBerry web browser works over wifi, but it may or may not work over the cellular network, depending on your provider.
Since the last version of LogicMail was written for BBOS 6.0 or higher it would not have been compiled with the 6.1 API needed to avoid the ROC.
Another clue to this is the fact that, despite being doubted by some on these boards, a number of BlackBerry 10 device users (including myself) were required to buy BlackBerry BIS enabled data plans to get wireless data services for their BB10 phones. How data is handled in the carriers' networks is entirely up to the carrier. Devices running BBOS 6.0 and below didn't have the code and protocols needed to participate on the data networks the way the iPhones of the day could. But even after versions 6.1, 7 and 10 came out some carriers continued to treat all BlackBerry devices the same; at least until recently.
I agree a warning when you are asked to enter your credentials would be a welcome touch. But that isn't the way it is and it is not likely to change before BB10 is officially EOL. If you're going to use BB10 you will just have to live with it. Or you could migrate to another platform. Not ideal choices.
02-02-18 09:20 AM Like 0

- Just set up email manually with the server address and it's not an issue. This was put in place as a convenience feature for consumers who don't understand how email works and just wanted it set up.
Posted with my trusty Z10
Last edited by bb10adopter111; 02-02-18 at 04:19 PM.
02-02-18 10:11 AM Like 0
blackberry backdoors email passwords during setup