[givechanceachance]

https://www.blackberry.com/us/en/com...fense-networks

So what is DoD using today along with all their partner three letter organizations?

[conite]

https://www.blackberry.com/us/en/com...fense-networks

So what is DoD using today along with all their partner three letter organizations?

Apple and Knox.

BB10 didn't get any real traction in government or enterprise.

[TrumpetTiger]

https://www.blackberry.com/us/en/com...fense-networks

So what is DoD using today along with all their partner three letter organizations?

It depends on how secure they need to be. I suspect that DoD is still using Blackberry for most of the three-letter organizations that truly need security, but if anyone has evidence to the contrary I'm happy to look at it.

[Erik_1991]

Not sure but I imagine if they use any BlackBerry system it will be BES but with BYOD (?)

[Elephant_Canyon]

It depends on how secure they need to be. I suspect that DoD is still using Blackberry for most of the three-letter organizations that truly need security, but if anyone has evidence to the contrary I'm happy to look at it.

Unlikely, at this point. The DoD is probably rolling their own solutions for the highest security applications, and using Knox for lower-value employees. BBOS is completely outdated at this point, and there's no evidence that BB10 was ever in widespread use at the DoD, in spite of simply being approved for use.

[Dunt Dunt Dunt]

There were a few test programs with BB10 early on. And they did get some wins at State Department, White House and Senate.

BB10 really never saw much adoptions.... I expect for security reasons they have all been decommissioned. Some here might like hiding their head in the sands of obscurity and believing that no bad guys will come knocking. But that isn't how an responsible departments look at outdated software...

[bb10adopter111]

I have reason to suspect that both BBID and BB10 are still being used in a handful of critical government programs where access to third party apps is prohibited. I don't expect anyone to take my word for it, but I am not comfortable sharing the circumstantial evidence I'm aware of.

It would explain why the back-end services are still being supported past 12/31/19. BlackBerry's government clients are likely the reason support for BB10 has been as good as it has been since 2014.

From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

[bb10adopter111]

There were a few test programs with BB10 early on. And they did get some wins at State Department, White House and Senate.

BB10 really never saw much adoptions.... I expect for security reasons they have all been decommissioned. Some here might like hiding their head in the sands of obscurity and believing that no bad guys will come knocking. But that isn't how an responsible departments look at outdated software...

FYI, the last published vulnerability unique to BB10 was published in 2014 and mitigated in 10.3.3. The Meltdown, Spectre, and other microprocessor side-channel vulnerabilities as well as the KRACK WiFi exploit have largely been addressed to by he same extent on BB10 as they have on Android and iOS, and are only relevant in combination with other security gaps.

Simplicity is good in security, and a "locked-down" implementation of BB10 in a controlled environment would likely be as or more secure than it would be with Android or iOS.

What would make BB10 vulnerable is use of the Android runtime and use of vulnerable apps from BlackBerry World. Obviously, those limitations make BB10 a non-starter in most organizations and for almost 100% of consumers. But there are plenty of professional use cases where, if already deployed, the only issue would be replacement devices at this time.

From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

[Dunt Dunt Dunt]

FYI, the last published vulnerability unique to BB10 was published in 2014 and mitigated in 10.3.3. The Meltdown, Spectre, and other microprocessor side-channel vulnerabilities as well as the KRACK WiFi exploit have largely been addressed to by he same extent on BB10 as they have on Android and iOS, and are only relevant in combination with other security gaps.

Simplicity is good in security, and a "locked-down" implementation of BB10 in a controlled environment would likely be as or more secure than it would be with Android or iOS.

What would make BB10 vulnerable is use of the Android runtime and use of vulnerable apps from BlackBerry World. Obviously, those limitations make BB10 a non-starter in most organizations and for almost 100% of consumers. But there are plenty of professional use cases where, if already deployed, the only issue would be replacement devices at this time.

From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

Got it... no new list means no vulnerabilities.

[zer0ten]

I wish I could find the video but I do recall watching one of Trumps press briefings and hearing the default BB10 ringtone go off during the meeting. Was pretty cool.

[bb10adopter111]

Got it... no new list means no vulnerabilities.

Correct, just like saying there is no disease you can catch that will make your head explode. You can never prove a negative, but the absence of positive confirmation after a detailed search means something is either rare or nonexistent.

Specifically, it means no security researcher in the world has published any potentially exploitable vulnerabilities in BB10 (approximately 15,000 are published each year (about 300 per week).

So, there may be vulnerabilities, but they haven't been found by most of the best hackers on the planet yet. The same is true for every other piece of software in the world.

For more about the "list" check out
cve.mitre.org



From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

[Elephant_Canyon]

So, there may be vulnerabilities, but they haven't been found by most of the best hackers on the planet yet.

They haven't been found by most of the best white hat hackers. Who are focusing their energies on the platforms that don't have less than 0.1% of the world's userbase.

If there's someone using BB10 inside the government with access to sensitive information, you can bet some malicious state actor somewhere in the world is hammering away, finding vulnerabilities and keeping them to themselves.

[app_Developer]

Correct, just like saying there is no disease you can catch that will make your head explode. You can never prove a negative, but the absence of positive confirmation after a detailed search means something is either rare or nonexistent.

Specifically, it means no security researcher in the world has published any potentially exploitable vulnerabilities in BB10 (approximately 15,000 are published each year (about 300 per week).

So, there may be vulnerabilities, but they haven't been found by most of the best hackers on the planet yet. The same is true for every other piece of software in the world.

For more about the "list" check out
cve.mitre.org



From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

How many WebOS vulnerabilities have researchers found (and published) in the past few years?

Researchers obviously focus their work where their impact would the greatest.

[bb10adopter111]

How many WebOS vulnerabilities have researchers found in the past few years?

Researchers obviously focus their work where their impact would the greatest.

Absolutely. That's completely valid. But remember, BlackBerry completed their NIAP certification (not renewed, for obvious reasons) a few years ago, and they wouldn't have done that long after giving up on the market unless they had secure government clients demanding it, so it is likely better researched than WebOS.

For what it's worth, the last WebOS CVS was published in 2011.

From the screen of my trusty Z10 using the exceptional BlackBerry VKB.

[TrumpetTiger]

Unlikely, at this point. The DoD is probably rolling their own solutions for the highest security applications, and using Knox for lower-value employees. BBOS is completely outdated at this point, and there's no evidence that BB10 was ever in widespread use at the DoD, in spite of simply being approved for use.

Quoting myself: if anyone has actual evidence to the contrary, I'm happy to look at it.

Given the prevalence of Blackberry in the DoD over the years, I doubt very much that they are using anything else for the groups that truly NEED security. It is confirmed that the Defense Information Systems Agency still supports Blackberry.

[Chuck Finley69]

Quoting myself: if anyone has actual evidence to the contrary, I'm happy to look at it.

Given the prevalence of Blackberry in the DoD over the years, I doubt very much that they are using anything else for the groups that truly NEED security. It is confirmed that the Defense Information Systems Agency still supports Blackberry.

DISA supported BBOS and BB10 as of 12-18 months ago but was allowing/encouraging/pushing users to Android Knox solutions. Centcom and Socom also have gone this route over the last 12-18 months with custom application in addition to Knox and BlackBerry UEM solutions in all these areas. If you’re still using BB10 in these areas, that’s going away if your area isn’t already switched over by now.

[TrumpetTiger]

DISA supported BBOS and BB10 as of 12-18 months ago but was allowing/encouraging/pushing users to Android Knox solutions. Centcom and Socom also have gone this route over the last 12-18 months with custom application in addition to Knox and BlackBerry UEM solutions in all these areas. If you’re still using BB10 in these areas, that’s going away if your area isn’t already switched over by now.

Again quoting myself: if anyone has any actual EVIDENCE to the contrary, I'm happy to hear it.

In other words Chuck, that's great that you believe DISA, CENTCOM, and SOCOM have that position. But what is your evidence for believing it?

Mine is DISA's own statements regarding continued support for BB10, to which I can link if necessary.

[Chuck Finley69]

Again quoting myself: if anyone has any actual EVIDENCE to the contrary, I'm happy to hear it.

In other words Chuck, that's great that you believe DISA, CENTCOM, and SOCOM have that position. But what is your evidence for believing it?

Mine is DISA's own statements regarding continued support for BB10, to which I can link if necessary.

I don’t believe, I know. It can’t be posted. Everyone’s probable reasons for the BB10 statement of continued support is related. There are some large customers that had supported BBOS and BB10 and the off migration is behind schedule. It will be supported until it’s not is how it’s been explained. The primary issue has been the lack of active development and upgrade of BBOS and BB10 to support newer type security methods.

As was explained to me, I don’t believe newer UEM solutions including from BlackBerry are developed with BBOS and BB10 compatibility versions as well as for other OS like Windows Mobile anymore. It’s Android/iOS going forward with additional critical security technology solutions through BlackBerry and similar companies. The purchase of Cylance is part of this overall strategy.

Would you provide that link though? It would be interesting to read the official statement.

[Chuck Finley69]

Again quoting myself: if anyone has any actual EVIDENCE to the contrary, I'm happy to hear it.

In other words Chuck, that's great that you believe DISA, CENTCOM, and SOCOM have that position. But what is your evidence for believing it?

Mine is DISA's own statements regarding continued support for BB10, to which I can link if necessary.

Hey TT,

Can you send me that link? I fell asleep in front of the iPhone like Rip Van Winkle under tree.

[Dunt Dunt Dunt]

As was explained to me, I don’t believe newer UEM solutions including from BlackBerry are developed with BBOS and BB10 compatibility versions as well as for other OS like Windows Mobile anymore. It’s Android/iOS going forward with additional critical security technology solutions through BlackBerry and similar companies.

That's what I've understood as well.... iOS and Android have both made some changes as requested to allow for specific UEM features. It's one reason that many IT Departments are now requiring iOS 12 or Android 9 as a minimum going forward.

Certifications expire.... BlackBerry has a site for their products, but sadly it doesn't look like BB10 is listed anymore.

You can check out NIAP.... and while BlackBerry spent a good year getting BB10 certified. That was several years ago, and it isn't listed anymore.

[bb10adopter111]

That's what I've understood as well.... iOS and Android have both made some changes as requested to allow for specific UEM features. It's one reason that many IT Departments are now requiring iOS 12 or Android 9 as a minimum going forward.

Certifications expire.... BlackBerry has a site for their products, but sadly it doesn't look like BB10 is listed anymore.

You can check out NIAP.... and while BlackBerry spent a good year getting BB10 certified. That was several years ago, and it isn't listed anymore.

All good points. Just to clarify, NIAP is a cert designed to support the purchase of secure products by the US and its allies. Since BB10 is no longer offered for sale, it would be silly for BlackBerry Limited to pay for additional 3rd party certifications. The absence of BB10 on the list in no way implies that it is less secure than it was.

The idea that newer systems are inherently more secure is not supported by evidence. The biggest single factor in security is a solid security architecture implemented consistently, with an absolute minimum of workarounds or exceptions.

BB10 with old Android apps from unofficial sources cannot possibly be secured. BB10 with BlackBerry software may be more secure than the most recent Android because it has a much smaller attack surface to exploit.

It's an apples to oranges comparison, as the scale of the two systems is so completely different. But it would not be unreasonable that there are still sensitive government teams running BB10 intentionally.

From the screen of my trusty Z10 using the exceptional BlackBerry VKB.