With KRACK We'll Find Out if BB10 is OFFICIALLY End-of-life
- Only you can assess your security needs. But before you do you should think about what you are using to make that decision and how reliable those metrics are. I will address one that keeps coming up, but no one gives it critical thought.
Frequent patches are necessary for security. Do you remember where that came from? Mainly Microsoft who after claiming that XP was the most secure couldn't keep up with the vulnerabilities in the system without going to a regular patch schedule. Others climbed on and now it is accepted without, it seems, any critical thought. To keep it short we have traded good software development practice for feature and bug rich code with rapid patching that one previous poster aptly called the red queen's race. We have been swindled. I have been developing high security, mission critical, security software since 1985. I have never been involved in a rapid patching cycle because we have very few bugs and almost all of them are mitigated by the depth of the security and defensive nature of the code. My employer values correct, secure and durable over frivolous features.
I had a chance to review the Wi-Fi protocol documents, some of the patches and how some devices managed to stay invulnerable because they were not implemented according to the specifications. Anyone coding the software who had knowledge of how cryptography works, and why would you not have someone like that coding this software, would have known that the specifications would result in a loss of cryptographic protection. I can say quite confidently that I would not have coded it per the specifications, but very much like what the patched code is like. I can say that because an equally bad cryptographic specification came across my desk not long ago and I refused to code it as written.
I don't know what happened in the QNX Wi-Fi driver, we will have to see. But I wouldn't be surprised if it was written in a safe way rather than as specified. As we know both patched, broken per the spec and broken in novel ways are all interoperable.
Unlike you I am not concerned by infrequent patches in the absence of evidence of the requirement. What does concern me is a monthly patch cycle that never makes any progress. But as I said, only you can decide what is safe enough for you.
LeapSTR100-2/10.3.3.2205
But what reason do we have to believe that BB10 doesn't require it? Their software is closed-source, so all we have to go on is whatever they tell us...or don't tell us. I think BlackBerry's dearth of updates for BB10 has more to do with the fact that it's a deprecated OS that is no longer being actively developed or supported, not because it's any more "hardened" or impervious to emerging security threats than any other mobile OS.
When it comes to security, until we hear otherwise from BlackBerry/QNX, the safest assumption is that BB10 is vulnerable, is it not?
I certainly don't have the programming expertise or experience you do, but I'm not willing to stake my digital safety on a guess or a hunch that WiFi encryption protocols were implemented contrary to widely-used specifications. Your hunch may be right, but that's all it is - a hunch.
I really hope BlackBerry/QNX does confirm that they implemented the WiFi standard securely - contrary to the prevailing specifications. If they do, my faith in their pre-Android phones will have been restored, somewhat.
Edited to add: this is all moot, however, as I am currently using a Moto E4 with a patch level of May 2017, so I know for a fact this phone is vulnerable, whereas BB10 is still a big question mark. Maybe a big question mark would be preferable right now.
Last edited by Newfangled; 10-18-17 at 04:41 PM.
10-18-17 04:29 PM
- That's not necessarily true, vulnerabilities are found in small platforms all the time. There were reported vulnerabilities in Windows Phone and Tizen this year for example. A good patching schedule certainly helps but it's not the greatest indicator for how secure an OS is. Windows Phone and Android both receive monthly patches yet I think many would argue the former is more secure.
At this point your best bet for a secure platform that's actively supported is iOS.
10-18-17 04:32 PM
- In my example I was referring to Microsoft/Windows.
They pushed the fix live last week for most, if not all, of their active platforms.
10-18-17 04:38 PM
- It will be interesting to see what BB says about this. When Blueborne was announced, BB announced their all clear (for BB10 and BBOS) about a week later.
I still think if they saw problems with the standard years ago, there was a missed opportunity there to bring it to the attention of the standards group. Other leaders in our industry do this all the time. This is how these groups work, especially in areas of security. As banks, we participate in these, too, and we always expect our technology company partners to behave in good faith and not willfully hide massive vulnerabilities that they found in the standard.
We do the same with ATMs and bank branches and our apps. If we see vulnerabilities we fix them, but then we *also* report them to our peers. It's the right thing to do, and we get a ton of value from the other top banks sharing that data with us and with our tech partners. We're all safer as a result.
Last edited by app_Developer; 10-18-17 at 05:34 PM.
10-18-17 05:06 PM
- Just wondering what the odds are if someone is using a BB10 phone and all the WIFI routers that you decide to use have been patched, that your phone would be hacked.
Posted via CB10
10-18-17 05:33 PM
- But again there are a few different related vulnerabilities here. We don't know, until BB tells us, if BB10 is vulnerable to 1 or 0 or 3 of them.
10-18-17 05:38 PM
- Just got a tweet back from @blackberryhelps that basically said they only found out about this vulnerability yesterday.
Posted via CB10
10-18-17 06:48 PM
- As I said, you have to decide what is best for you. There is only so much I can tell you.
The big takeaway is that there is a lot of smoke, and at the moment not much fire.
ROCA on the other hand might end up eating everyone's lunch while they worry about KRACK.
ROCA - Exploit Worse Than KRACK - Puts Millions of Crypto Keys at Risk
10-18-17 09:29 PM
- I think I understand where you're coming from. In a perfect world, software would be written in such a way that it doesn't require constant security patching and bug fixing.
But what reason do we have to believe that BB10 doesn't require it? Their software is closed-source, so all we have to go on is whatever they tell us...or don't tell us. I think BlackBerry's dearth of updates for BB10 has more to do with the fact that it's a deprecated OS that is no longer being actively developed or supported, not because it's any more "hardened" or impervious to emerging security threats than any other mobile OS.
When it comes to security, until we hear otherwise from BlackBerry/QNX, the safest assumption is that BB10 is vulnerable, is it not?
Don't take BlackBerry's word that BB10 is secure, check the vulnerability announcements. These come out from 3rd parties and say which platform has which known vulnerabilities. There are plenty of sites which maintain databases of this stuff and it looks like BlackBerry has much fewer than most others. Of course it is entirely possible people are hammering on BlackBerry and not revealing the holes, however, when you look back at the list of vulnerabilities when BlackBerry was at its peak and had most of the marketshare, those numbers are still low.
In this particular instance, I would agree that the safest assumption is that BB10 is vulnerable. But also unfortunately, not everything is in BlackBerry's hands. It sounds like if the router you are connected to is unpatched, then you are vulnerable as well.
10-18-17 11:44 PM
- I have not seen any BB10 at the DoD. I have not checked lately, but also did not see it on the approved purchase list.
10-18-17 11:49 PM
- I would hope that this is the kind of thing that would be discussed at a security summit. BlackBerry happens to be hosting one in London next week. Anyone going?
https://us.blackberry.com/enterprise...-summit/london
10-19-17 03:34 AM
- I know US military DISA personnel were still using BB10 and even BBOS in very limited secured devices as of a few months ago. Don't know about new device requests.
10-19-17 07:20 AM