- Sorry to hear, hopefully things will turn around. It seems lately that they were more willing to listen than in previous years. Thanks for all the work you put in, I hope this doesn't chase you away.
12-22-14 09:59 PM | Like 0
- diegonei (Retired Mod & Ambassador): Guys, let's not ask what the exploits are/what they affect. Any disclosure on that part could lead to SERIOUS issues (any hacker reading this would be pointed in the right direction and we would all be in danger).
I'm no Bla1ze, but I forwarded this to somebody. Maybe he can help...
And xsacha... Chill pal... We know who you are.
12-22-14 10:18 PM | Like 3
- > Guys, let's not ask what the exploits are/what they affect. Any disclosure on that part could lead to SERIOUS issues (any hacker reading this would be pointed in the right direction and we would all be in danger).
> I'm no Bla1ze, but I forwarded this to somebody. Maybe he can help...
> And xsacha... Chill pal... We know who you are.
12-22-14 10:35 PM | Like 0
- Well isn't this just a lovely mess!
Just a thought regarding the NDA: Were I a serious tech company who was approached by a security researcher such as Xsacha, I'd take a cautious, one-way approach to information flow with them, too.
IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.
Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.
For Xsacha, that could well mean an end to the ability to release projects such as Sachesi, which I could see being fairly unattractive.
Unfortunately, if word got out they were working with a private individual with no security clearance, and nothing restraining their ability to leak sensitive information, there would be hell to pay.
Now, BlackBerry certainly could have handled this better, but the NDA was a completely necessary attempt to strengthen the relationship.
I suggest, XSacha, you reconsider your place in this situation, along with the opportunities you might be throwing away.
Posted via CB10
12-22-14 10:40 PM | Like 7
- There is absolutely no way any Fortune 500 company is going to discuss how their security works with anyone *unless* there's an NDA in place.
12-22-14 10:52 PM | Like 3
- > Well isn't this just a lovely mess!
> Just a thought regarding the NDA: Were I a serious tech company who was approached by a security researcher such as Xsacha, I'd take a cautious, one-way approach to information flow with them, too.
> IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.
> Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.
> For Xsacha, that could well mean an end to the ability to release projects such as Sachesi, which I could see being fairly unattractive.
> Unfortunately, if word got out they were working with a private individual with no security clearance, and nothing restraining their ability to leak sensitive information, there would be hell to pay.
> Now, BlackBerry certainly could have handled this better, but the NDA was a completely necessary attempt to strengthen the relationship.
> I suggest, XSacha, you reconsider your place in this situation, along with the opportunities you might be throwing away.
> Posted via CB10
I however fully support Xsacha on his desire to see any security holes fixed in their OS and would love to see a more proactive approach to all of this but like anything else these days there is always another side or angle to the story.
The NDA is a no brainer providing it does not limit his ability to what he has already been doing and does not claim his work going forward as theirs, but the company has a legal obligation to investors and itself to ensure those working with it can't just cut and run with their 'stuff' freely.
As for his monies earned, hell they ought to pay up. That just ain't cool.
12-22-14 11:53 PM | Like 5
- I hope to see some heads being removed soon and an announcement from BBRY saying fortunately we finally kicked these incompetent, irresponsible individuals out and will never see them ever again.
Is this the same reason which has driven BBRY to barely existing in the market?
12-23-14 12:38 AM | Like 3
- It all depends on what's in the NDA. If it is the standard stuff... you own what you own and I own what I own and we promise to keep each other's confidential information confidential... unless it becomes public through no fault of the receiving party, not including items distributed illegally by a 3rd party... blah blah blah
If it is more than that, then don't bend over.
12-23-14 12:59 AM | Like 4
- > It all depends on what's in the NDA. If it is the standard stuff... you own what you own and I own what I own and we promise to keep each other's confidential information confidential... unless it becomes public through no fault of the receiving party, not including items distributed illegally by a 3rd party... blah blah blah
> If it is more than that, then don't bend over.
When I was consulting, a third party wanted to make a presentation to the company that I was working for. It was one-way, and simply said -- anything [[meaning everything]] we say is confidential; no exceptions for other leaks or public sources; no copy of what was claimed confidential. I didn't sign... the other 'sheep' all signed -- the third party knew this, and made his pitch knowing that I had not signed.
Since, from the note to Sacha in the OP listing status only gave status and not the hack or remaining hack, that needs no NDA. With Sacha giving details on the exploit directly, the only reason for an NDA would be Sacha's NDA showing that BB received info from him...but since he was freely producing it, there was no need for NDA, and BB probably wouldn't sign it anyway.
In some situations, possibly BB would want to ask a question, e.g., with AAA exploit, what if the hacker does ZZZ? Well, BB is asking for work to be done, and should pay... and if Sacha wanted to sign a very limited NDA just on that... well, possibly... but if BB came on like gangbusters, as companies often do, I'd do the same as Sacha... politely say goodbye, and likely not even remind them of what they're missing.
12-23-14 02:39 AM | Like 2
- > IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.
> Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.
Asking him to test fixes is also unnecessary: he will do that anyway.
This is what he claims to have asked for:
> There were some unfortunate side-effects, however. My security contact at Blackberry will no longer discuss any security exploits with me. I had asked for simple status updates and queried about exploits that they had stated were fixed but obviously still worked. After weeks of quiet, I was told that if I wanted to discuss any security exploits with him I would need to sign an NDA. An NDA for information I am providing is non-sensical.
The information he requested was status updates for vulnerabilities *he* had found and queries as to why claimed fixes have not materialised. Unless his BlackBerry contacts are so loose lipped that they would dribble confidential information in reply to such queries, then I don't see any need for a NDA.
Further, this information does not constitute an additional security vulnerability for a BlackBerry customer. No, it constitutes a vulnerability in BlackBerry's business when they are unwilling or unable to fix it.
If they have sacked most of their key security personnel as some posters have claimed, then they should be pleased to be getting freebies from an apparent white hat.
In short, don't shoot the messenger.
12-23-14 02:51 AM | Like 5
- I think you should find out more about the NDA before not signing it. It makes sense for them to have to make you do it before they divulge more info to you, right?
I mean from a legal pov it totally makes sense...
Posted via CB10
12-23-14 02:56 AM | Like 0
- Wow, this is incredibly disappointing. Shame on BlackBerry.
Anyone claiming that NDAs are necessary and that Xsacha should sign one is a fool. Xsacha is not their employee; unless he's being compensated for his work/assistance, BlackBerry has no grounds to demand an NDA. BlackBerry would be wise to negotiate with him, get him some compensation for his efforts, and make an NDA a condition of that.
I have no idea of the severity of these issues, but Xsacha being the developer of a very useful tool doesn't strike me as someone who wouldn't be able to assess the relative severity of the issues discovered.
BlackBerry should get in front of this before it ends up somewhere with FAR more visibility.
12-23-14 03:03 AM | Like 4
- Glad to hear that some progress has been made.
Less glad about the censorship of the thread, but I guess there is give and take on both sides.
Let's hope for a more amicable relationship that benefits xsacha, BlackBerry and the wider community.
Merry Christmas!
RA-HA and Paisley Pirate like this.
12-23-14 04:12 AM | Like 2
- Good luck on your new job as Cyber Security Manager at BlackBerry!?
All kidding aside, it worries me a bit it took this public approach again before they actively reached out to you. I hope you worked out something constructive!
BlackBerry Passport signed @ C0007CC89
12-23-14 12:00 PM | Like 3
- This is a prime example of why I buy BB devices. When push comes to shove, the CB community always delivers. It's not BB corporate, it is the members of this community.
12-23-14 12:07 PM | Like 6
- Are the security exploits you have found only exploits of BlackBerry app world's vendor portal or have you actually exploited security holes in the os and/or kernel?
I can kinda understand them not wanting to devote resources to fixing a dying consumer-focused app store... kinda...
Posted via CB10
12-23-14 12:47 PM | Like 0
- Blackberry have, on Christmas day for me, reneged on this agreement. They are now saying they will permanently remove Sachesi from Blackberry World. Also, they will remove my vendor account.
There are no terms breached or quoted but they have the right to remove anyone they want without reason as it is their own marketplace.
So, I will informally agree to a Christmas Day truce. I will respect their wishes and I will no longer report any security concerns to Blackberry, as I have identified that it was reporting these issues that has upset them.
Merry Christmas everyone.
12-24-14 01:06 PM | Like 8
Thread: BlackBerry and their (lack of) Security