1. zephyr613's Avatar
    Very heavy thick brick walls..
    12-22-14 01:58 PM
  2. UnkownSoldier's Avatar
    I know how you feel ! I was in a similar situation.

    I've discussed many security vulnerabilities here at CB in the past. Exploits, SSL etc. and the first I discovered were some very fast fanatic users ( new 1st posters ) who all said there are NO exploit or vulnerability and I have to show them the code or something to be true. I said, I never give them a "HowTo" hack a BB. A mistake... with lots of unnecessary visits of some government agents.

    1. There are more and more growing big security issues within BBOS10 and in the apps hidden. Some of them are very old and well known to help governments to go inside ANY BB quick, dirty and cheap.

    2. BB cannot close these Backdoors due to "supporting" the governments in many countries in the world.

    3. If someone discovered one of them, they let you know how the game is played and who is the stronger player. ( I wonder your BB ID is not blocked ).

    Advice : Post at 4chan and let "anons" know. You'll see how fast the holes are patched, if they are under some kind of massive activity...
    You've warned BB officially and nothing happened. Some of you'll say it is toooooo hard, but it is for us, we want security and privacy. And we paid money for this crap.

    Going to BB with such a nice list of issues is like finding photos with Chen and some nude boys. They do everything to shut you up, these "players" are politically influenced.
    BB's "German government" extra security is a very good example here.

    But please keep in mind that your "Sachesi App" ( BBOS or Win doesn't matter ) makes BIG and BIGGER server traffic to BB. ( the more users download and use it to check every nano second for a new leak ). So Sachesi is definitely some kind of pain in their a**.

    Hope BB read it, too.

    THIS IS NOT MEANT TO START ANY KIND OF ATTACK AGAINST BLACKBERRY.
    Last edited by Elite1; 12-22-14 at 02:27 PM. Reason: Offensive phrase removed
    12-22-14 02:04 PM
  3. gvs1341's Avatar
    Unfortunately, going by the history of the tech world things don't change until push comes to shove.

    CB10 @ Q5
    Last edited by gvs1341; 12-24-14 at 12:22 PM.
    12-22-14 02:36 PM
  4. NtotheK's Avatar
    My understanding is that xsacha doesn't work for BlackBerry. So why would he want to sign one just to volunteer his help?

    It's an attempt at a gagging order, pure and simple.
    Doesn't matter if he is paid or not. Security is BlackBerry's pride and joy. It's simply something I would expect if I was privy to sensitive information. As we can see BlackBerry is not open source and they want to keep it that way. I don't agree with how BlackBerry handled the situation but at some point you have to draw the line at "volunteering". I would have just asked for a job lol. If BlackBerry really doesn't care then this whole thing will blow up in time.

    Posted via CB10
    12-22-14 02:36 PM
  5. Thesmartmale's Avatar
    I know a channel that posts redeem codes almost daily

    Posted via CB10
    12-22-14 02:46 PM
  6. JamieWilson01's Avatar
    Refund requested and upon receipt will donate to sacha.

    As we say in Glasgow Sacha " cheers big yin"

    Via CB10 from Scotland using PassportSQW100-1/10.3.1.1154
    Lawrie Sherratt and MBrettH like this.
    12-22-14 03:10 PM
  7. Deckard79's Avatar
    Just read the developer thread that led to this.

    Completely dumbfounded by BlackBerry's response, frankly.

    Posted via CB10
    12-22-14 03:12 PM
  8. baarn's Avatar
    Just read the developer thread that led to this.
    Link, please!
    12-22-14 03:24 PM
  9. Deckard79's Avatar
    Link, please!
    http://forums.crackberry.com/blackbe...bworld-980486/


    Posted via CB10
    12-22-14 03:26 PM
  10. LazyEvul's Avatar
    This is really quite disappointing. Of all things, I expect BlackBerry to take security very seriously - for their own good, really, since they stake so much of their reputation on it. To see such an attitude towards someone trying to report exploits is appalling, and reminiscent of the culture of arrogance that nearly drove BlackBerry to its death in the first place. It seems that there may still be attitude issues to fix throughout the company, and I do sincerely hope this situation is addressed and never repeated.

    Posted via CB10
    MBrettH likes this.
    12-22-14 03:32 PM
  11. papped's Avatar
    This is really quite disappointing. Of all things, I expect BlackBerry to take security very seriously - for their own good, really, since they stake so much of their reputation on it.
    They do in some regards, but when it comes to things like the storefront, web access, etc they are easily 5 years behind anyone else and also unwilling to change...
    12-22-14 03:34 PM
  12. Deckard79's Avatar
    This is really quite disappointing. Of all things, I expect BlackBerry to take security very seriously - for their own good, really, since they stake so much of their reputation on it. To see such an attitude towards someone trying to report exploits is appalling, and reminiscent of the culture of arrogance that nearly drove BlackBerry to its death in the first place. It seems that there may still be attitude issues to fix throughout the company, and I do sincerely hope this situation is addressed and never repeated.

    Posted via CB10
    I'm pretty sure that what xsacha showed us in his screenshots would NOT be possible on iOS, Android, Windows Phone etc.

    That simply takes the biscuit and makes a complete mockery of their security claims.

    Posted via CB10
    LazyEvul likes this.
    12-22-14 03:39 PM
  13. bmantz65's Avatar
    Wow.

    Just wow.

    This needs to 'go public' and needs to be written about on the big sites.

    I'm a BlackBerry supporter but quite frankly this stinks, and I'll not buy another BlackBerry product until we have strong assurances from independent sources advising that these security holes are properly plugged.

    Xsacha - I've always admired the work you have done and your professional approach. I hope there's some way you can help to make them see the error in their ways and change their approach hereon.

    Posted via CB10
    Unfortunately, this would be another example of a company trying to cover something up and save face short term rather than just fix it. History is littered with examples but a recent one is the ignition key recall snafu with GM. Imagine if word got out that BlackBerry, most known (and maybe only thing known for right now) for their security and trying to make a comeback based on that security, has all these exploits and are really no better than Android or iOS. That would really damage their rep. Could you see their PR attempting a decent response? Sadly, I do not. Thus why I think they want to keep this hush hush..
    12-22-14 04:13 PM
  14. Deckard79's Avatar
    Unfortunately, this would be another example of a company trying to cover something up and save face short term rather than just fix it. History is littered with examples but a recent one is the ignition key recall snafu with GM. Imagine if word got out that BlackBerry, most known (and maybe only thing known for right now) for their security and trying to make a comeback based on that security, has all these exploits and are really no better than Android or iOS. That would really damage their rep. Could you see their PR attempting a decent response? Sadly, I do not. Thus why I think they want to keep this hush hush..
    Their email response to the vulnerabilities he raised is absolutely comical. Wow. "We got this wrong, it's not fixed, sorry... same with this... and this...".

    Then they ask HIM for more help testing! As if they aren't confident/competent to test their own work.

    Amateur hour.

    I work in software support - that's just appalling.

    Sorry, I'm still quite shocked!

    Posted via CB10
    kbz1960 and MBrettH like this.
    12-22-14 04:21 PM
  15. Alain_A's Avatar
    Why isn't there anybody that sends a link to some big reviewer??????????????
    12-22-14 04:50 PM
  16. Alain_A's Avatar
    someone should make a thread for "how to hack a Blackberry".....lol
    12-22-14 05:03 PM
  17. Skyforever's Avatar
    Whatever is going on at BlackBerry's end, they need to manage and address this kind of incompetent response and behaviour. I'm hoping Chen will be on top of this to implement healthy, safe, pro-active responses instead of attitude from this segment of staff. It's BlackBerry. Security is in its DNA right?! BlackBerry should be more respectful, and diligent in problem solving, whenever, and wherever. Where is Chen?!
    MBrettH likes this.
    12-22-14 05:15 PM
  18. LazyEvul's Avatar
    They do in some regards, but when it comes to things like the storefront, web access, etc they are easily 5 years behind anyone else and also unwilling to change...
    And that is nothing short of unacceptable.
    MBrettH likes this.
    12-22-14 05:36 PM
  19. Smitty13's Avatar
    I honestly cannot believe the unprofessional, incompetent, and severely petty response BlackBerry has given in response to this situation.

    Alas, BlackBerry seems to be following the contemporary trend of tech companies punishing those who find security holes in their infrastructure rather than rewarding them. As a web developer, this makes me sick to see this trend. If I were to publish anything with security in mind and had a guru come along to correct any bugs in my coding (free of charge no less), I would be thanking my lucky stars he disclosed this to me rather than using it maliciously. BlackBerry should be ashamed of how they handled this.

    Is there some massive chip on someone's shoulder at BlackBerry? I cannot think of what other reason would rationally explain this.

    Sacha, you have been done a great injustice here. BlackBerry's response is nothing short of childish and chock full of intimidation tactics. It is doubly astounding, even after everything, these security holes still exist. You have gone through all of the proper channels only to be met with ridiculousness on their end. If it is one take away message I can give you, Sacha, please do not let this impact your development of any other stellar tools you want to grace the BlackBerry community with. It would be a shame to lose a brilliant mind amongst this mess.
    Last edited by Smitty13; 12-22-14 at 05:48 PM. Reason: Spelling
    Heinz Katchup and MBrettH like this.
    12-22-14 05:47 PM
  20. Benjamin Black's Avatar
    Are the security exploits you have found only exploits of BlackBerry app world's vendor portal or have you actually exploited security holes in the os and/or kernel?

    I can kinda understand them not wanting to devote resources to fixing a dying consumer focused app store......kinda....


    Posted via CB10
    12-22-14 05:52 PM
  21. ZanBB's Avatar
    I am sorry things ended up like this after that bar thread. At this point I might as well consider publishing apps on Amazon store and just develop for both markets at the same time.
    I do have some hope for it being properly addressed in the future - we need to keep in mind BB just underwent restructuring and a lot of people from this field were laid-off.
    However government meddling is not the most encouraging sign. In the end BB could have tied hands in this matter. Hopefully this won't be another CoolReaper story.
    12-22-14 05:59 PM
  22. Toodeurep's Avatar
    Just read the developer thread that led to this.

    Completely dumbfounded by BlackBerry's response, frankly.

    Posted via CB10
    You mentioned that you read the thread, I read the thread the other day and it has been mentioned more than once that the back doors exist on iOS and Android as well. Admittedly, I DO NOT KNOW, only that others mention they exist on the other big players app stores as well.

    I am not going to re-read every post on the subject post #87 mentions it, #112 reiterates it. Time to find a different stool...
    Last edited by Toodeurep; 12-22-14 at 07:32 PM. Reason: Quoted Wrong Post
    Pcmx likes this.
    12-22-14 06:12 PM
  23. LazyEvul's Avatar
    You mentioned that you read the thread, I read the thread the other day and it has been mentioned more than once that the back doors exist on iOS and Android as well. Admittedly, I DO NOT KNOW, only that others mention they exist on the other big players app stores as well.

    I am not going to re-read every post on the subject post #87 mentions it. Time to find a different stool...
    I think he was talking about the vendor portal screenshots (where he was able to access the vendor portal posing as a vendor that he is not, by the looks of things), not the issue with links straight to .BAR files. The latter is indeed possible on other platforms, which is why things like Snap and APK Downloader exist.
    Deckard79, Pcmx and Toodeurep like this.
    12-22-14 06:16 PM
  24. Deckard79's Avatar
    You mentioned that you read the thread, I read the thread the other day and it has been mentioned more than once that the back doors exist on iOS and Android as well. Admittedly, I DO NOT KNOW, only that others mention they exist on the other big players app stores as well.

    I am not going to re-read every post on the subject post #87 mentions it, #112 reiterates it. Time to find a different stool...
    Think there's some confusion - I wasn't referring to that exploit. I was referring to the screenshot found earlier in this thread, that I'm sure you'll agree looks altogether worse.

    Posted via CB10
    12-22-14 06:19 PM
  25. Toodeurep's Avatar
    Think there's some confusion - I wasn't referring to that exploit. I was referring to the screenshot found earlier in this thread, that I'm sure you'll agree looks altogether worse.

    Posted via CB10
    I quoted an irrelevant post, I edited my post.

    As far as agreeing, we'll see. I tend to let my whiskeys age too...
    12-22-14 07:35 PM