10-28-17 12:27 PM
  1. David Tyler's Avatar
    Because governments have never, ever abused their authority to spy on their own citizens, right?
    Golly, no. Never that I can recall.

    Well -- not since last week, anyway.

    Sent from my BlackBerry 9900 using Tapatalk
    i_plod_an_dr_void likes this.
    10-27-17 10:24 AM
  2. Richard Buckley's Avatar
    If that is BB’s position, then Chen should have come out and said that? This stupid statement of “well, we promise to try but we might not be able to do it” doesn’t make anyone happy. The people who want strong encryption will say wait a minute, why would you try if you know your crypto is secure?

    And the people who want LE to have access are left wondering what Chen is actually saying. Can they or can’t they decrypt user content? The CEO of a tech company ought to have some better idea than saying he’s committed to trying but then shrugging his shoulders and saying he doesn’t even know if they can. Is your stuff secure or isn’t it? You should have some idea if you’re calling yourselves one of the top security companies in the world and that’s basically the bulk of your entire value add in life.

    I sold half my position in BB again today after looking again at the very odd results and guidance for IP licensing and then being reminded again that Chen is sort of an ***** a lot of the time.
    Because he has to be talking about Android, nobody cares about BB10, which isn't "his stuff". And breaking cryptography isn't about being better at maths, it is about finding mistakes in implementation. Does anyone really know how many implementation mistakes there are in Android alone that could help expose data? On top of that there were three very significant cryptography implementation errors exposed this week.

    LeapSTR100-2/10.3.3.2205
    10-27-17 03:42 PM
  3. app_Developer's Avatar
    Because he has to be talking about Android, nobody cares about BB10, which isn't "his stuff". And breaking cryptography isn't about being better at maths, it is about finding mistakes in implementation. Does anyone really know how many implementation mistakes there are in Android alone that could help expose data? On top of that there were three very significant cryptography implementation errors exposed this week.
    So the CEO of a self-proclaimed world leader in security just told the world that IF a court orders them to do so, THEN they will attempt to find holes in their own secure Android?

    Wouldn’t finding and patching holes in their own locked down secure version of Android be something they are doing every day? That’s their product!
    DrBoomBotz, FF22 and anon(8679041) like this.
    10-27-17 04:14 PM
  4. Invictus0's Avatar
    The problem is BB says they are the security experts. That’s their brand. Chen’s statement undermines the brand.
    The BBM stuff had probably already done that (which to be fair, predated Chen by a few years) but this is nail in the coffin type stuff for users that care about security and privacy. I mean,

    https://twitter.com/EFF/status/923625275555856384

    The real issue is that manufacturers will force legislators' hands if they're not careful.
    This article discusses that concept a bit further and why it won't work,

    https://www.engadget.com/2017/10/27/...le-encryption/
    10-27-17 04:45 PM
  5. Cyberops's Avatar
    Blackberry has always been a great device, even if people have said it's had its day! But why Mr Chen would come out with such a stupid statement is beyond me! People that have a Blackberry know what they want and how to get things done in their Business and Personal life, with the added security they can rely on. But his statement is not going to help things and would probably lose him sales.
    Blackberry users don't want their phone security messed with or broken.
    If he is trying to get me to buy an iPhone he can forget it!!!
    anon(8679041) likes this.
    10-27-17 07:17 PM
  6. i_plod_an_dr_void's Avatar
    Chen...Smart man: Sure I'll try to break the BlackBerry bb10.....I'll need a boatload of engineers and software developers...several thousand maybe...oh and infrastructure...yeah I'll need that....oh and since 64 bit arm is the standard these days...I guess I should start by writing a bb10 for 64 bit, and then I get those same people to try to crack it, once they finished building it...we'll have to go out and sell a bunch though....cause what would be the point of breaking it otherwise. How much are you going to put up for us to try that again? Hmmm. that sounds about right. No guarantees we can break it, but I'm sure all those engineers will be diligently working away at bb11...oops I mean bb10.
    10-27-17 08:53 PM
  7. i_plod_an_dr_void's Avatar
    Why is Forbes asking BlackBerry about wiretapping for the Feds?.....do they think that the Google/Android cartel was and is still using BlackBerry's secure phones to continue co-ordinating their Android monopolizing market cornering?
    anon(8679041) likes this.
    10-27-17 09:39 PM
  8. anon(8679041)'s Avatar
    This was the correct response. Hence, I switched to iOS instead of 'secret sauce' Android.
    I think I'll join you soon. lol
    Though my KeyOne will be for work only and not a single piece of personal and sensitive data will be on it.
    And I'll have the iPhone for personal use. I'll keep it clean of all Google/Facebook and other junk apps (junk not because they're bad, well, you know).
    10-28-17 03:38 AM
  9. kraidx's Avatar
    If that is BB’s position, then Chen should have come out and said that? This stupid statement of “well, we promise to try but we might not be able to do it” doesn’t make anyone happy. The people who want strong encryption will say wait a minute, why would you try if you know your crypto is secure?

    And the people who want LE to have access are left wondering what Chen is actually saying. Can they or can’t they decrypt user content? The CEO of a tech company ought to have some better idea than saying he’s committed to trying but then shrugging his shoulders and saying he doesn’t even know if they can. Is your stuff secure or isn’t it? You should have some idea if you’re calling yourselves one of the top security companies in the world and that’s basically the bulk of your entire value add in life.

    I sold half my position in BB again today after looking again at the very odd results and guidance for IP licensing and then being reminded again that Chen is sort of an ***** a lot of the time.
    Kind of shooting yourself in the foot

    Posted via CB10
    10-28-17 03:47 AM
  10. kraidx's Avatar
    In the end, they got someone else to do it anyway.

    This whole discussion is senseless. Use end to end encryption or don't. Use Telegram to nuke private chats after a set time, or don't.

    Anything BlackBerry CAN decrypt, countless other agencies can already.

    Chen is just trying to contribute to the global discussion to stave off mandatory, legislated rules for backdoor keys.
    They did with an older version of iOS


    Chen doesn't seem like a CEO of a company that says that security is in their core
    He shouldn't be making these types of statements

    But hey he sells androids now so..........

    Posted via CB10
    10-28-17 03:53 AM
  11. Richard Buckley's Avatar
    So the CEO of a self-proclaimed world leader in security just told the world that IF a court orders them to do so, THEN they will attempt to find holes in their own secure Android?

    Wouldn’t finding and patching holes in their own locked down secure version of Android be something they are doing every day? That’s their product!
    No, he said when a court orders them to do so they will try to help law enforcement access the data. I can't read Chen's mind, but it has always been BlackBerry policy to assist law enforcement. They have not made a secret of that.

    I'm not sure what all the fuss is about. A bank will go on at length how secure their vaults are; but will open a safe deposit box when presented with a valid court order.

    Anyone who has looked at the Signal Protocol knows that any proper implementation (like just compiling the source without changes) would not be vulnerable to cryptographic attacks. Any systems that carry the data, particularly ones that handle key material or mixed plain and cypher text may be vulnerable to other types of attacks.

    BlackBerry really doesn't have 'their own Android'. As a developer you should be able to make this connection on your own, BlackBerry should have been able to make the connection before they claimed they would make Android the equal to BB10 in security, but for those who can't here is the reason. There is only so much any development team can do to change a code base controlled by a different team. At some point the code bases become so different that what they have, whether they want it or not, are two forks of the code. Maintaining a fork of Android substantially different from the main trunk would be a huge undertaking. People keep saying BlackBerry doesn't have the resources to patch BB10, do they have the resources to maintain a fork of Android that would be secure and meet Google requirements? Even if they did, the financial advantage of using the Android code base would be wiped out. The simple fact is that it would be cheaper to continue development of BB10 than it would be to patch all the problems that we can infer exist in Android.

    Could they examine the code, find vulnerabilities and submit them to Google to be patched? Sure, and they probably do. But again there is the resource disparity. What is the total impact of BlackBerry vs Google on the Android code base? What are the business implications of BlackBerry trying to do more than Google? If they could wipe out all the Android security problems in a short time and still make a profit, what does that say about Google?

    One of the features of the security landscape of large code bases like Android is that it is more profitable to cherry pick bugs where they are likely to be found, and likely to be valuable. If law enforcement is asking, there is going to be value.

    LeapSTR100-2/10.3.3.2205
    anon(8679041) likes this.
    10-28-17 09:33 AM
  12. conite's Avatar
    No, he said when a court orders them to do so they will try to help law enforcement access the data. I can't read Chen's mind, but it has always been BlackBerry policy to assist law enforcement. They have not made a secret of that.

    I'm not sure what all the fuss is about. A bank will go on at length how secure their vaults are; but will open a safe deposit box when presented with a valid court order.

    Anyone who has looked at the Signal Protocol knows that any proper implementation (like just compiling the source without changes) would not be vulnerable to cryptographic attacks. Any systems that carry the data, particularly ones that handle key material or mixed plain and cypher text may be vulnerable to other types of attacks.

    BlackBerry really doesn't have 'their own Android'. As a developer you should be able to make this connection on your own, BlackBerry should have been able to make the connection before they claimed they would make Android the equal to BB10 in security, but for those who can't here is the reason. There is only so much any development team can do to change a code base controlled by a different team. At some point the code bases become so different that what they have, whether they want it or not, are two forks of the code. Maintaining a fork of Android substantially different from the main trunk would be a huge undertaking. People keep saying BlackBerry doesn't have the resources to patch BB10, do they have the resources to maintain a fork of Android that would be secure and meet Google requirements? Even if they did, the financial advantage of using the Android code base would be wiped out. The simple fact is that it would be cheaper to continue development of BB10 than it would be to patch all the problems that we can infer exist in Android.

    Could they examine the code, find vulnerabilities and submit them to Google to be patched? Sure, and they probably do. But again there is the resource disparity. What is the total impact of BlackBerry vs Google on the Android code base? What are the business implications of BlackBerry trying to do more than Google? If they could wipe out all the Android security problems in a short time and still make a profit, what does that say about Google?

    One of the features of the security landscape of large code bases like Android is that it is more profitable to cherry pick bugs where they are likely to be found, and likely to be valuable. If law enforcement is asking, there is going to be value.

    LeapSTR100-2/10.3.3.2205
    BlackBerry is not trying to maintain a forked version of Android, nor are they analyzing and patching vulnerabilities - that's up to Google and component suppliers.

    BlackBerry is implementing their own take on Kernel hardening, implementing and expanding the Qualcomm root of trust, and providing Integrity Detection algorithms to detect changes to system files and monitor odd behaviour. Basically "we're going to make it harder to get in, but if you do get in, we're going to lock you out".

    One can argue statistically that this approach would be no more risky to an enterprise than BB10, thus making the case that they are both equally secure.
    Last edited by conite; 10-28-17 at 12:17 PM.
    10-28-17 10:06 AM
  13. Invictus0's Avatar
    No, he said when a court orders them to do so they will try to help law enforcement access the data. I can't read Chen's mind, but it has always been BlackBerry policy to assist law enforcement. They have not made a secret of that.

    I'm not sure what all the fuss is about. A bank will go on at length how secure their vaults are; but will open a safe deposit box when presented with a valid court order.
    I think the issue here is that they're claiming they'd try to break their own encryption if asked whereas Apple refused to do this (and Google, Microsoft, etc supported Apple's stance). I don't think anyone is saying BlackBerry shouldn't comply with court orders (the other OEMs do after all), but this offering seems to be unique.

    https://www.theverge.com/2016/3/30/1...ne-court-order

    Separate from this, the claims in this article (if true) that BlackBerry is bypassing Canadian officials to deal with court orders are worrying. How can BlackBerry know that they're helping catch criminals and not political activists or wrongfully detained people? And if they do have a way to determine that, how does it compare to what officials would do?

    BlackBerry hands over user data to help police 'kick ***,' insider says - Technology & Science - CBC News
    10-28-17 10:21 AM
  14. anon(8679041)'s Avatar
    Could they examine the code, find vulnerabilities and submit them to Google to be patched? Sure, and they probably do. But again there is the resource disparity. What is the total impact of BlackBerry vs Google on the Android code base? What are the business implications of BlackBerry trying to do more than Google? If they could wipe out all the Android security problems in a short time and still make a profit, what does that say about Google?
    Well formulated.
    As I said in this thread, https://forums.crackberry.com/blackb...oogle-1126681/ "I really think Google can do its job to protect all of android smartphones itself" from outside risks and we need real value added from BlackBerry which would be a game changer. If they can't for whatever reason then I don't see why they'd label their android phones with "most secure" or "... privacy" tags.
    10-28-17 11:46 AM
  15. Richard Buckley's Avatar
    BlackBerry is not trying to maintain a forked version of Android, nor are they analyzing and patching vulnerabilities - that's up to Google and component suppliers.

    BlackBerry is implementing their own take on Kernel hardening, implementing and expanding the Qualcomm root of trust, and providing Integrity Detection algorithms to detect changes to system files and monitor odd behaviour. Basically "we're going to make it harder to get in, but if you do get in, we're going to lock you out".

    One can argue statistically that this approach would be no more risky to an enterprise than BB10, thus making the case that they are both equally secure.
    I didn't say they were, just explaining why they can't do those things.

    As far as finding and reporting Android vulnerabilities, it is Google's job, but many other organisations are involved.

    LeapSTR100-2/10.3.3.2205
    10-28-17 12:27 PM