03-13-15 03:27 AM
  1. Jimberry Storm's Avatar
    Sorry to hear, hopefully things will turn around. It seems lately that they were more willing to listen than in previous years. Thanks for all the work you put in, I hope this doesn't chase you away.
    12-22-14 09:59 PM
  2. diegonei's Avatar
    Guys, let's not ask what the exploits are/what they affect. Any disclosure on that part could lead to SERIOUS issues (any hacker reading this would be pointed on the right direction and we would all be in danger).

    I'm no Bla1ze, but I forwarded this to somebody. Maybe he can help...

    And xsacha... Chill pal... We know who you are.
    George_B, Ealaionta and zephyr613 like this.
    12-22-14 10:18 PM
  3. Alain_A's Avatar
    Guys, let's not ask what the exploits are/what they affect. Any disclosure on that part could lead to SERIOUS issues (any hacker reading this would be pointed on the right direction and we would all be in danger).

    I'm no Bla1ze, but I forwarded this to somebody. Maybe he can help...

    And xsacha... Chill pal... We know who you are.
    If BB wants to deny this, then I am for the hackers finding it, and I hope they do... that might teach BB a lesson, so that BB would act on it.... It is not right for BB to shut the door on it... What about BB's philosophy of "SECURITY"? Is that all bull???????? Just to mislead people with it (SECURITY)...
    12-22-14 10:35 PM
  4. CarbonKevin's Avatar
    Well isn't this just a lovely mess!

    Just a thought regarding the NDA: Were I a serious tech company that was approached by a security researcher such as Xsacha, I'd take a cautious, one-way approach to information flow with them, too.

    IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.

    Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.

    For Xsacha, that could well mean an end to the ability to release projects such as Sachesi, which I could see being fairly unattractive.

    Unfortunately, if word got out they were working with a private individual with no security clearance, and nothing restraining their ability to leak sensitive information, there would be hell to pay.

    Now, BlackBerry certainly could have handled this better, but the NDA was a completely necessary attempt to strengthen the relationship.

    I suggest, XSacha, you reconsider your place in this situation, along with the opportunities you might be throwing away.


    Posted via CB10
    12-22-14 10:40 PM
  5. Alain_A's Avatar
    If Sacha signs such an NDA, that means BB wants him to shut up and nothing would be fixed.
    George_B likes this.
    12-22-14 10:44 PM
  6. RubberChicken76's Avatar
    If Sacha signs such an NDA, that means BB wants him to shut up and nothing would be fixed.
    Dude, that's ridiculous. Any company I've ever worked for gets into Non-Disclosure Agreements during any discussions around IP, partnerships, strategic discussions, acquisitions etc. Not having one (especially if you are publicly traded) opens up a whole world of pain and discussion.

    There is absolutely no way any fortune 500 company is going to discuss how their security works with anyone *unless* there's an NDA in place.
    12-22-14 10:52 PM
  7. SnapzGEG's Avatar
    Well isn't this just a lovely mess!

    Just a thought regarding the NDA: Were I a serious tech company that was approached by a security researcher such as Xsacha, I'd take a cautious, one-way approach to information flow with them, too.

    IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.

    Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.

    For Xsacha, that could well mean an end to the ability to release projects such as Sachesi, which I could see being fairly unattractive.

    Unfortunately, if word got out they were working with a private individual with no security clearance, and nothing restraining their ability to leak sensitive information, there would be hell to pay.

    Now, BlackBerry certainly could have handled this better, but the NDA was a completely necessary attempt to strengthen the relationship.

    I suggest, XSacha, you reconsider your place in this situation, along with the opportunities you might be throwing away.


    Posted via CB10
    Absolutely correct in this. While the NDA may seem like overkill to those not used to working with them, it is a necessary evil to protect the free exchange of ideas and concepts without the fear of losing control of any sensitive info that is disclosed or that he may have access to.

    I however fully support Xsacha on his desire to see any security holes fixed in their OS and would love to see a more proactive approach to all of this but like anything else these days there is always another side or angle to the story.

    The NDA is a no-brainer provided it does not limit his ability to do what he has already been doing and does not claim his work going forward as theirs, but the company has a legal obligation to investors and itself to ensure those working with it can't just cut and run with their 'stuff' freely.
    As for his monies earned, hell they ought to pay up. That just ain't cool.
    12-22-14 11:53 PM
  8. Hai Bo's Avatar
    I hope to see some heads being removed soon and an announcement from BBRY saying "fortunately we finally kicked these incompetent, irresponsible individuals out and will never see them ever again."

    Is this the same reason which has driven BBRY to barely existing in the market?
    12-23-14 12:38 AM
  9. hennesseystealth's Avatar
    It all depends on what's in the NDA. If it is the standard stuff...you own what you own and I own what I own and we promise to keep each other's confidential information confidential...unless it becomes public through no fault of the receiving party not including items distributed illegally by a 3rd party...blah blah blah

    If it is more than that, then don't bend over.
    George_B, thedose, wehttam and 1 others like this.
    12-23-14 12:59 AM
  10. George_B's Avatar
    It all depends on what's in the NDA. If it is the standard stuff...you own what you own and I own what I own and we promise to keep each other's confidential information confidential...unless it becomes public through no fault of the receiving party not including items distributed illegally by a 3rd party...blah blah blah

    If it is more than that, then don't bend over.
    I've spoken with outsiders under my company's NDA... bilateral... it said that "to be covered, the discloser had to provide the recipient with a copy of the covered proprietary information, within a short time." If information became publicly available through no fault of theirs, they could use it. Never had any refusals.

    When I was consulting, a third party wanted to make a presentation to the company that I was working for. It was one-way, and simply said -- anything [[meaning everything]] we say is confidential; no exceptions for other leaks or public sources; no copy of what was claimed confidential. I didn't sign... the other 'sheep' all signed -- the third party knew this, and made his pitch knowing that I had not signed.

    Since the note to Sacha in the OP listing status only gave status and not the hack or remaining hack, that needs no NDA. With Sacha giving details on the exploit directly, the only reason for an NDA would be Sacha's NDA showing that BB received info from him... but since he was freely producing it, there was no need for an NDA, and BB probably wouldn't sign it anyway.

    In some situations, possibly BB would want to ask a question, e.g., "With AAA exploit, what if the hacker does ZZZ?" Well, BB is asking for work to be done, and should pay... and if Sacha wanted to sign a very limited NDA just on that... well, possibly... but if BB came on like gangbusters, as companies often do, I'd do the same as Sacha... politely say goodbye, and likely not even remind them of what they're missing.
    Soul_Est and Wigley458 like this.
    12-23-14 02:39 AM
  11. baarn's Avatar
    Just a thought regarding the NDA: Were I a serious tech company who was approached by a security researcher such as Xsacha, I'd take a cautious, one-way approach to information flow with them, too.
    Of course this is true. Without building a formal relationship with an external researcher there would be a need to restrict the information flow.

    IF I needed to discuss information in a two-way fashion, or maybe even ask that individual to test a potential fix for the exploit they'd found, you bet your *** I'd require them to sign an NDA, and it would be iron-clad and all-encompassing.

    Sorry, but not sorry. A publicly traded company with Authority to Operate within some of the most sensitive organizations on Earth has a responsibility to shareholders, partners, governments, and who knows who else to control the information they release, and to whom they release it.
    Xsacha doesn't know the internal information on the implementation of features, only their external publicly viewable face. It is perfectly reasonable for BlackBerry not to discuss potential solutions with him. Why would they anyway: they already have their own security experts to validate solutions. (Don't they?)
    Asking him to test fixes is also unnecessary: he will do that anyway.

    This is what he claims to have asked for:

    There were some unfortunate side-effects, however. My security contact at Blackberry will no longer discuss any security exploits with me. I had asked for simple status updates and queried about exploits that they had stated were fixed but obviously still worked. After weeks of quiet, I was told that if I wanted to discuss any security exploits with him I would need to sign an NDA. An NDA for information I am providing is non-sensical.

    The information he requested was status updates for vulnerabilities *he* had found and queries as to why claimed fixes have not materialised. Unless his BlackBerry contacts are so loose-lipped that they would dribble confidential information in reply to such queries, then I don't see any need for an NDA.

    Further, this information does not constitute an additional security vulnerability for a BlackBerry customer. No, it constitutes a vulnerability in BlackBerry's business when they are unwilling or unable to fix it.

    Unfortunately, if word got out they were working with a private individual with no security clearance, and nothing restraining their ability to leak sensitive information, there would be hell to pay.
    Every time every BlackBerry employee talks to anyone outside the company there is a risk of disclosure of security or business sensitive information.

    I suggest, XSacha, you reconsider your place in this situation, along with the opportunities you might be throwing away.
    The same could be said for BB.
    If they have sacked most of their key security personnel as some posters have claimed, then they should be pleased to be getting freebies from an apparent white hat.
    In short, don't shoot the messenger.
    D3C0D3R, Soul_Est, bozzg86 and 2 others like this.
    12-23-14 02:51 AM
  12. unbreakablej's Avatar
    I think you should find out more about the NDA before not signing it. It makes sense for them to have to make you do it before they divulge more info to you, right?

    I mean, from a legal point of view it totally makes sense...

    Posted via CB10
    12-23-14 02:56 AM
  13. pbeaul's Avatar
    Wow, this is incredibly disappointing. Shame on BlackBerry.

    Anyone claiming that NDAs are necessary and that Xsacha should sign one is a fool. Xsacha is not their employee; unless he's being compensated for his work/assistance, BlackBerry has no grounds to demand an NDA. BlackBerry would be wise to negotiate with him, get him some compensation for his efforts, and make an NDA a condition of that.

    I have no idea of the severity of these issues, but Xsacha, being the developer of a very useful tool, doesn't strike me as someone who wouldn't be able to assess the relative severity of the issues discovered.

    BlackBerry should get in front of this before it ends up somewhere with FAR more visibility.
    12-23-14 03:03 AM
  14. tecumseh1895's Avatar
    Edit:
    I've got good news. I should be getting better communication with Blackberry and Sachesi will be restored on Blackberry World.

    Thanks everyone for your support, especially Gilbert.
    *Push*

    Posted via CB10
    baarn, Pcmx, D3C0D3R and 1 others like this.
    12-23-14 03:57 AM
  15. baarn's Avatar
    Glad to hear that some progress has been made.
    Less glad about the censorship of the thread, but I guess there is give and take on both sides.

    Let's hope for a more amicable relationship that benefits xsacha, BlackBerry and the wider community.
    Merry Christmas!
    RA-HA and Paisley Pirate like this.
    12-23-14 04:12 AM
  16. MeerMusik's Avatar
    That is good to hear Sacha

    Via CB10 App. STL100-2 @ 10.3.1 Beta
    12-23-14 06:07 AM
  17. kevets's Avatar
    Need a xsacha filter button. Do not have.
    Edit. Nevermind!
    12-23-14 09:05 AM
  18. Blacklatino's Avatar
    Edit:
    I've got good news. I should be getting better communication with Blackberry and Sachesi will be restored on Blackberry World.

    Thanks everyone for your support, especially Gilbert.
    I echo what has already been said. Thank you!
    moody and Mecca EL like this.
    12-23-14 11:43 AM
  19. MrGlenn's Avatar
    Good luck on your new job as Cyber Security Manager at BlackBerry!?

    All kidding aside, it worries me a bit it took this public approach again before they actively reached out to you. I hope you worked out something constructive!

    BlackBerry Passport signed @ C0007CC89
    moody, Mecca EL and 00stryder like this.
    12-23-14 12:00 PM
  20. hennesseystealth's Avatar
    This is a prime example of why I buy BB devices. When push comes to shove, the CB community always delivers. It's not BB corporate, it is the members of this community.
    12-23-14 12:07 PM
  21. rajeevluv's Avatar
    This is a prime example of why I buy BB devices. When push comes to shove, the CB community always delivers. It's not BB corporate, it is the members of this community.
    Agreed.

    Sent from my Q10 using Tapatalk
    12-23-14 12:14 PM
  22. rajeevluv's Avatar
    Xsacha,

    Ecstatic to hear the update.

    We all support you for your initiatives and cause.

    Sent from my Q10 using Tapatalk
    12-23-14 12:16 PM
  23. Easypants's Avatar
    Are the security exploits you have found only exploits of BlackBerry App World's vendor portal, or have you actually exploited security holes in the OS and/or kernel?

    I can kinda understand them not wanting to devote resources to fixing a dying consumer-focused app store...... kinda....


    Posted via CB10
    Agree 100%

    Posted via CB10
    12-23-14 12:47 PM
  24. kevets's Avatar
    "he's the hero CB deserves, but not the one it needs right now."...

    "he's a silent guardian. a watchful protector."
    12-23-14 01:46 PM
  25. xsacha's Avatar
    Blackberry have, on Christmas Day for me, reneged on this agreement. They are now saying they will permanently remove Sachesi from Blackberry World. Also, they will remove my vendor account.
    There are no terms breached or quoted, but they have the right to remove anyone they want without reason, as it is their own marketplace.
    So, I will informally agree to a Christmas Day truce. I will respect their wishes and I will no longer report any security concerns to Blackberry, as I have identified that it was reporting these issues that upset them.

    Merry Christmas everyone.
    bungaboy, Pcmx, moody and 5 others like this.
    12-24-14 01:06 PM