[anon(9821186)]

Here's the thing, people now days only want to watch TV and play video games and blackberry isn't meant for those things, people say there's better software on android and whatever, that depends on what you think is better, if all you do on your phone is a little texting here and there, a few emails and the rest of your battery life and data goes to playing around then Yea it's probably better for you but if you spend your time on your phone communicating with people then it's not. And as far as secure communication goes, I'm able to add all of my encryption keys for all of my email accounts to my passport without any apps but I couldn't find any way to do it on an android without a app, maybe there is a way but I couldn't find it .

Posted via CB10

[Richard Buckley]

Do you have a legit source for that? Because this article says something about the Samsung Note being dropped because iPhones were already widely spread throughout the MoD. No security issues. (See the "Update" part at the end of the article.)

And how a British mobile service provider should be able to improve the security of a closed-source operating system even they can't get their hands on, is beyond me. So there's that.

From the article you linked to in fact.

...
Describing the work as "going very well", he said BT originally began working with an Android device, the Samsung Note 4.

"But as more and more development and testing was done, the security associated with it wasn't deemed to be sufficient, so that's why we moved [to iPhone]."
...

That quote is a little too specific to be considered as retracted by the update. Sounds like someone spoke beyond his authority, that doesn't make it untrue.

LeapSTR100-2/10.3.3.2163

[mbirth]

From the article you linked to in fact.

This is how rumours start … because that they turned to iPhones because of security issues with the Android phones was mere speculation.

Update: In a statement issued after this article was published, a BT spokesperson challenged the assertion by Bunn that the MoD had determined the Samsung Note 4's security to be lacking and said the MoD is still testing various devices for suitability as a 'dual-persona' handset.

[Richard Buckley]

This is how rumours start … because that they turned to iPhones because of security issues with the Android phones was mere speculation.

The US DOD worked on an Android based secure phone for years. They finally gave up ultimately due to security. They found by the time they had sufficiently secured the OS it was so far from stock Android it could not follow the Android upgrade path.

So you could argue that the US didn't have a problem securing Android either. But if you can secure it but then no longer follow the upgrade path there are no savings in using an existing device.

LeapSTR100-2/10.3.3.2163

[BigBadWulf]

So, this is fake news?

[Troy Tiscareno]

The US DOD worked on an Android based secure phone for years. They finally gave up ultimately due to security. They found by the time they had sufficiently secured the OS it was so far from stock Android it could not follow the Android upgrade path.

This is all true, but not the truth.

The truth is that both Google and Samsung began to take higher levels of security seriously about 3 years ago - around the time that DoD was trying to do this themselves. And you're right - DoD could secure it, but then it was such a separate fork that it wasn't practically updatable. But once Google and Samsung started focusing on enterprise/government level security with Knox, which is updatable, it made no sense for DoD to continue with their own program to accomplish the same thing.

Today, Samsung Android phones (with Knox) are used in a number of agencies that require significant security. I'm not suggesting that they're used for "Top Secret" or state-level work - but then again, neither are Apple or BB - but for more routine, but still sensitive use, they do the job fine and are officially issued.

[Ronindan]

This is all true, but not the truth.

The truth is that both Google and Samsung began to take higher levels of security seriously about 3 years ago - around the time that DoD was trying to do this themselves. And you're right - DoD could secure it, but then it was such a separate fork that it wasn't practically updatable. But once Google and Samsung started focusing on enterprise/government level security with Knox, which is updatable, it made no sense for DoD to continue with their own program to accomplish the same thing.

Today, Samsung Android phones (with Knox) are used in a number of agencies that require significant security. I'm not suggesting that they're used for "Top Secret" or state-level work - but then again, neither are Apple or BB - but for more routine, but still sensitive use, they do the job fine and are officially issued.

I guess there are still BB fans who thought that BB was used by world leaders. Neglecting the fact world leaders and upper levels of government were issued with heavily modified devices that was developed by their respective security agencies.

[thurask]

I guess there are still BB fans who thought that BB was used by world leaders. Neglecting the fact world leaders and upper levels of government were issued with heavily modified devices that was developed by their respective security agencies.

"Obama's BlackBerry" only looked like one.

[Ronindan]

Here's the thing, people now days only want to watch TV and play video games and blackberry isn't meant for those things, people say there's better software on android and whatever, that depends on what you think is better, if all you do on your phone is a little texting here and there, a few emails and the rest of your battery life and data goes to playing around then Yea it's probably better for you but if you spend your time on your phone communicating with people then it's not. And as far as secure communication goes, I'm able to add all of my encryption keys for all of my email accounts to my passport without any apps but I couldn't find any way to do it on an android without a app, maybe there is a way but I couldn't find it .

Posted via CB10

yep "tools not toys right". I mean google and apple must be struggling so hard to make decent profits since all their employees just do "is a little texting here and there, a few emails and the rest of your battery life and data goes to playing around" with their respective android phones and iphones. If they will just issue their staff BB's then they will be as successful as Blackberry.

crackberry logic

[Troy Tiscareno]

I guess there are still BB fans who thought that BB was used by world leaders. Neglecting the fact world leaders and upper levels of government were issued with heavily modified devices that was developed by their respective security agencies.

There are a handful - but they aren't straight BB's. Angela Merkel's SecuSmart BB10, for example. And Obama's heavily-modified Curve - which was replaced by a Samsung.

But while it used to be true that BB was the de facto smartphone for just about all government and enterprise in the early/mid 2000s, it hasn't been true in years - BB has been almost completely replaced in the US government and in US-based enterprises by Apple and Android phones. This belief that government and enterprise simply cannot survive without BB has been soundly proven wrong - yet a few still believe it despite all the evidence to the contrary.

The fact is that it was a lot easier for Apple and Google to improve their level of security than it was for BB (or Microsoft, et. all) to close the app gap.

[Ronindan]

There are a handful - but they aren't straight BB's. Angela Merkel's SecuSmart BB10, for example. And Obama's heavily-modified Curve - which was replaced by a Samsung.

But while it used to be true that BB was the de facto smartphone for just about all government and enterprise in the early/mid 2000s, it hasn't been true in years - BB has been almost completely replaced in the US government and in US-based enterprises by Apple and Android phones. This belief that government and enterprise simply cannot survive without BB has been soundly proven wrong - yet a few still believe it despite all the evidence to the contrary.

The fact is that it was a lot easier for Apple and Google to improve their level of security than it was for BB (or Microsoft, et. all) to close the app gap.

Yep there were just shells. When I was used to work for the federal government - I was just issued a Curve - just a straight up Curve - and was given security training that boils down to being warned not open emails from unknown sources. But then again, I was just analyst not a CIA operative ;-)

Seriously though - was most bb fans forget that, not every government employee handles national security files, but mostly mundane information.

[Sith_Apprentice]

Samsung Devices are able to be used, as a commercial off the shelf device, up to Top Secret.

What DoD and DISA were trying to do was folded into the NSA program Fishbowl, which later became the Winterking Architecture for secure communications. This architecture exists today, and Samsung has been working with Federal Civilian and DoD Agencies to deploy this for about 2 years. Others are now on board with this, MobileIron, Apple, LG, and BlackBerry are all either in progress or just received validation. Version 2 of the NSA architecture is currently under development, but is still generally still a COTS focused solution (there are some GOTS products).

If you want to look at the Commecial Solutions for Classified list, it is posted here:
https://www.nsa.gov/resources/everyone/csfc/

Validated Products:
https://www.nsa.gov/resources/everyo...mponents-list/

Also something interesting to read would be the NIAP Common Criteria program, and look at the products, they are here:
https://www.niap-ccevs.org/Product/

Only two EMMs are through the process entirely, Samsung's EMM, and MobileIron (Along with Apple's Device Agent). The rest are 'ongoing' and can stay in that state for a long time. But they will be eventually removed if they do not receive their validation.

These are the basis for the NSA CSfC list, and represent independent validation of the security of the devices or systems.

The Secure BlackBerry devices of the past used third party crypto from a company called KeyW. The newer BB10.3 devices may satisfy the requirements on their own, I have not personally read their Security Target or their Certification.

[Tre Lawrence]

Samsung Devices are able to be used, as a commercial off the shelf device, up to Top Secret.

What DoD and DISA were trying to do was folded into the NSA program Fishbowl, which later became the Winterking Architecture for secure communications. This architecture exists today, and Samsung has been working with Federal Civilian and DoD Agencies to deploy this for about 2 years. Others are now on board with this, MobileIron, Apple, LG, and BlackBerry are all either in progress or just received validation. Version 2 of the NSA architecture is currently under development, but is still generally still a COTS focused solution (there are some GOTS products).

If you want to look at the Commecial Solutions for Classified list, it is posted here:
https://www.nsa.gov/resources/everyone/csfc/

Validated Products:
https://www.nsa.gov/resources/everyo...mponents-list/

Also something interesting to read would be the NIAP Common Criteria program, and look at the products, they are here:
https://www.niap-ccevs.org/Product/

Only two EMMs are through the process entirely, Samsung's EMM, and MobileIron (Along with Apple's Device Agent). The rest are 'ongoing' and can stay in that state for a long time. But they will be eventually removed if they do not receive their validation.

These are the basis for the NSA CSfC list, and represent independent validation of the security of the devices or systems.

The Secure BlackBerry devices of the past used third party crypto from a company called KeyW. The newer BB10.3 devices may satisfy the requirements on their own, I have not personally read their Security Target or their Certification.

Sith, you can't be posting this voodoo stuff about Android being used in secure environments. You'll turn CB on its head.

[Uzi]

Here's the thing, people now days only want to watch TV and play video games and blackberry isn't meant for those things, people say there's better software on android and whatever, that depends on what you think is better, if all you do on your phone is a little texting here and there, a few emails and the rest of your battery life and data goes to playing around then Yea it's probably better for you but if you spend your time on your phone communicating with people then it's not. And as far as secure communication goes, I'm able to add all of my encryption keys for all of my email accounts to my passport without any apps but I couldn't find any way to do it on an android without a app, maybe there is a way but I couldn't find it .

Posted via CB10

Many high level Job in my place I see using either iPhone or Samsung they are bank manager, restaurants supervisor..i don't think they spending their time playing games with their phone

Posted via CB10

[Richard Buckley]

So, this is fake news?

No, it's advertising.

LeapSTR100-2/10.3.3.2163

[BigBadWulf]

No, it's advertising.

LeapSTR100-2/10.3.3.2163

That doesn't address the accuracy of their advertising.

[Richard Buckley]

This is all true, but not the truth.

The truth is that both Google and Samsung began to take higher levels of security seriously about 3 years ago - around the time that DoD was trying to do this themselves. And you're right - DoD could secure it, but then it was such a separate fork that it wasn't practically updatable. But once Google and Samsung started focusing on enterprise/government level security with Knox, which is updatable, it made no sense for DoD to continue with their own program to accomplish the same thing.

Today, Samsung Android phones (with Knox) are used in a number of agencies that require significant security. I'm not suggesting that they're used for "Top Secret" or state-level work - but then again, neither are Apple or BB - but for more routine, but still sensitive use, they do the job fine and are officially issued.

This is all good. In fact I've said for a long time, since I was involved in assessing the security of the first Android devices, that only with Google involved could Android be secured.

The real question is if this is a from the metal up security overhaul or just another means of restricting use of the phone to known safe sources of data. In other words has either Google or Samsung done a complete code review of the Multimedia library and other rich sources of OS vulnerabilities? Before you mention it, I know one of the features in BlackBerry's solutions is the ability to restrict access to reduce the threat surface, and I'm not saying Knox shouldn't do the same thing. But those restrictions can be circumvented. Layering "hardening" on top of flawed software is not an effective way to secure a system. If they have done extensive code review of the entire Android code base, that should have been released in the spirit of openness this is all supposed to be done in.

Does this mean, for example, that phones with this software installed will be getting a different set of patches than standard Android? Or better still that standard Android will be getting much smaller patch sets because Google and Samsung have put their considerable resources to work on cleaning up the all the projects that make up Android?

It is interesting how one example of how not concentrating on code quality from the start can have unforeseen consequences years later can stir up a hornets nest. It is almost like I'm posting on a Android fan thread.

LeapSTR100-2/10.3.3.2163

[Richard Buckley]

That doesn't address the accuracy of their advertising.

It answered your question.

LeapSTR100-2/10.3.3.2163

[Sith_Apprentice]

This is all good. In fact I've said for a long time, since I was involved in assessing the security of the first Android devices, that only with Google involved could Android be secured.

The real question is if this is a from the metal up security overhaul or just another means of restricting use of the phone to known safe sources of data. In other words has either Google or Samsung done a complete code review of the Multimedia library and other rich sources of OS vulnerabilities? Before you mention it, I know one of the features in BlackBerry's solutions is the ability to restrict access to reduce the threat surface, and I'm not saying Knox shouldn't do the same thing. But those restrictions can be circumvented. Layering "hardening" on top of flawed software is not an effective way to secure a system. If they have done extensive code review of the entire Android code base, that should have been released in the spirit of openness this is all supposed to be done in.

Does this mean, for example, that phones with this software installed will be getting a different set of patches than standard Android? Or better still that standard Android will be getting much smaller patch sets because Google and Samsung have put their considerable resources to work on cleaning up the all the projects that make up Android?

It is interesting how one example of how not concentrating on code quality from the start can have unforeseen consequences years later can stir up a hornets nest. It is almost like I'm posting on a Android fan thread.

LeapSTR100-2/10.3.3.2163

Knox doesnt layer software on top of software in the sense you are thinking, and yes NSA has evaluated SEAndroid (and helped develop it). The last two years Knox has been rated the most secure mobile OS as well. The BlackBerry devices of old were different, but for now, Samsung Android with Knox is king of secure spaces.


Knox Workspace is hardware backed, has trusted boot, real time kernel protection, and a host of other features to reduce or eliminate the attack surface. Also, There is a one time writable 'warranty bit' that once tripped (during root or by the system itself), Knox workspace can NEVER be created again. This requires a full board replacement for that device to get workspace again.

I have lived in both worlds security wise (BB7- and BB10+), worked with the Government on countless BB deployments, had influence over the direction of BB within the most secured spaces. I have done the same for other OS from other OEMs as well. I have worked with companies going through the security validation process from conception to reality. BB is not the only horse in the race, and they are falling further and further behind the competition.

[Halifax Guy]

That doesn't address the accuracy of their advertising.

Since when is advertising accurate and honest?

Posted using a Q10, 10.3.2.2474.

[Sith_Apprentice]

It answered your question.

LeapSTR100-2/10.3.3.2163

You two.. lol


Air Force Partners with Samsung as Tablets Take Over in Rugged Environments | FedTech Magazine


There, not advertising by Samsung.

[Sith_Apprentice]

https://defensesystems.com/articles/...y-note-ii.aspx


And this one shows the multi device approach DoD is using now. BlackBerry devices are on the way out. BES may remain since it can manage other devices, but the devices themselves are rapidly being replaced.

[Richard Buckley]

Knox doesnt layer software on top of software in the sense you are thinking, and yes NSA has evaluated SEAndroid (and helped develop it). The last two years Knox has been rated the most secure mobile OS as well. The BlackBerry devices of old were different, but for now, Samsung Android with Knox is king of secure spaces.


Knox Workspace is hardware backed, has trusted boot, real time kernel protection, and a host of other features to reduce or eliminate the attack surface. Also, There is a one time writable 'warranty bit' that once tripped (during root or by the system itself), Knox workspace can NEVER be created again. This requires a full board replacement for that device to get workspace again.

I have lived in both worlds security wise (BB7- and BB10+), worked with the Government on countless BB deployments, had influence over the direction of BB within the most secured spaces. I have done the same for other OS from other OEMs as well. I have worked with companies going through the security validation process from conception to reality. BB is not the only horse in the race, and they are falling further and further behind the competition.

So just to be clear, I never said Android or Knox would not be adequate to some security environments. You have to do a TRA and determine what products meet your needs. Some use cases, even military or government use cases can be satisfied by some fairly weak products.

My point is that if you care about mitigating risk you have to do the TRA for yourself, you can't point at some other user ans say, if it is good enough for them it is good enough for me, unless you can look at their TRA and it does address all your requirements.

An important part of any TRA has to be the amount of un-verified code. Some of that comes from third party developers (which is why an important component is control of application installation). Android includes a bunch of un-verified code. So the impact of undetected flaws and the mitigation of them should be part of the TRA. That US Airforce is using Android tablets tells me that for their use case, including all the operational policies surrounding their use, the solution satisfies the US Airforce TRA. Maybe that means they can pass mine, or someone else's, maybe not. And the answer to that will depend on basic analysis of the proposed solution in the use case, not on advertising, or someone else's usage.



LeapSTR100-2/10.3.3.2163

[Sith_Apprentice]

So just to be clear, I never said Android or Knox would not be adequate to some security environments. You have to do a TRA and determine what products meet your needs. Some use cases, even military or government use cases can be satisfied by some fairly weak products.

My point is that if you care about mitigating risk you have to do the TRA for yourself, you can't point at some other user ans say, if it is good enough for them it is good enough for me, unless you can look at their TRA and it does address all your requirements.

An important part of any TRA has to be the amount of un-verified code. Some of that comes from third party developers (which is why an important component is control of application installation). Android includes a bunch of un-verified code. So the impact of undetected flaws and the mitigation of them should be part of the TRA. That US Airforce is using Android tablets tells me that for their use case, including all the operational policies surrounding their use, the solution satisfies the US Airforce TRA. Maybe that means they can pass mine, or someone else's, maybe not. And the answer to that will depend on basic analysis of the proposed solution in the use case, not on advertising, or someone else's usage.



LeapSTR100-2/10.3.3.2163

I understand what you are saying, and not all of these deployments contain unverified code. Samsung among others allows for low level policies to be applied directly to SE Android, as well as entire custom OS. I can personally tell you that these have been evaluated by a number of different groups for use in the most highly secured environments (special operations, Presidential comms, entities within the IC, etc). I am by no means saying that other devices have not (Apple for instance just received approval for use on classified), but this is going to show that the security nut can be cracked by anyone that sees enough reward at the end of the tunnel. It is a long process, sometimes taking years of reworking devices and code, but can be done.

[Richard Buckley]

I understand what you are saying, and not all of these deployments contain unverified code. Samsung among others allows for low level policies to be applied directly to SE Android, as well as entire custom OS. I can personally tell you that these have been evaluated by a number of different groups for use in the most highly secured environments (special operations, Presidential comms, entities within the IC, etc). I am by no means saying that other devices have not (Apple for instance just received approval for use on classified), but this is going to show that the security nut can be cracked by anyone that sees enough reward at the end of the tunnel. It is a long process, sometimes taking years of reworking devices and code, but can be done.

I consider open source code that has not been code reviewed by the authors or an independent body to be un-verified. The Multimedia library (formerly known as StageFright) is the best known of these. The number and frequency of vulnerabilities found in this library indicates ti me that the code hasn't been verified. You can make your own decisions, of course.

LeapSTR100-2/10.3.3.2163