1. AmritD's Avatar
    I think I will get Oreo on my Essential phone before my KEYone, just a feeling.
    Quite possible.
    Essential isn't going to harden the OS.
    BlackBerry will. That takes time.

    Posted via CB10
    10-11-17 02:28 AM
  2. mfk2901's Avatar
    I like how all these people are defending a company that literally called their customers lab rats by selling them test DTEK phones. As a consumer and the guy that is putting my own money into a company, I don't care what agreements they have between themselves. If I am paying full premium price for a phone I expect some minor support from the company. You can never bring any argument to defend their position. They are going the cheap way of releasing a new premium phone with an outdated OS so that when they bring us the next OS we will have to be thankful. Just like they did with the Priv.
    10-11-17 03:18 AM
  3. mister2d's Avatar
    You do understand that Oreo only came out of beta 6 weeks ago, and it takes several months to harden the OS, right?
    ...
    Unless you are using one of the first personal computers to compile the kernel, it doesn't take months to harden.

    They are just using a custom .config file for hardening in addition to the root of trust hardware. Nothing special that isn't easily replicated in the time span of an evening of work (yes I know this).

    The processes for hardening are easily repeatable on purpose.
    10-11-17 03:59 AM
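
An added example, not part of any post in this thread and not BlackBerry's configuration: a hardening `.config` fragment carried to a newer kernel tree can be audited mechanically, including the case where upstream renames a symbol and the old name silently stops matching. The option names are real Linux Kconfig symbols; the baseline, both sample configs and the function names are constructed for illustration.

```python
import re

# Illustrative baseline (an assumption, not BlackBerry's actual fragment).
# "n" means the symbol must be absent or "is not set".
BASELINE = {
    "CONFIG_CC_STACKPROTECTOR_STRONG": "y",
    "CONFIG_HARDENED_USERCOPY": "y",
    "CONFIG_SECURITY_SELINUX": "y",
    "CONFIG_DEVMEM": "n",
}

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text):
    """Parse kernel .config text into {symbol: value}; unset symbols map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SET.match(line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := _UNSET.match(line):
            opts[m.group(1)] = "n"
    return opts

def audit(config_text, baseline=BASELINE):
    """Return {symbol: (wanted, found)} for every baseline entry not satisfied."""
    opts = parse_config(config_text)
    failures = {}
    for sym, wanted in baseline.items():
        found = opts.get(sym, "n")  # a symbol missing from .config is off
        if found != wanted:
            failures[sym] = (wanted, found if sym in opts else "missing")
    return failures

# Constructed sample configs: the second tree uses the post-4.18 symbol name.
OLD_CONFIG = """\
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_DEVMEM is not set
"""
NEW_CONFIG = """\
# CONFIG_STACKPROTECTOR_STRONG is not set
CONFIG_HARDENED_USERCOPY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEVMEM=y
"""

if __name__ == "__main__":
    for name, cfg in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        print(name, audit(cfg) or "baseline satisfied")
```
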
  4. iUser's Avatar
    Here is what is going to happen. They will release the Motion with Android 7. And then a couple of months later we will start complaining why no Android 8. Then 1 year later when Android 9 is out they will give us Android 8 and say that's it, we will not update the phone anymore. I will not buy BlackBerry anymore. I am writing this from my Priv that has the same story.
    Why did you write your story here? If you don't want to buy BlackBerry anymore, it's fine.

    It's like you want that someone will argue to make you buy BlackBerry again.
    10-11-17 04:30 AM
  5. conite's Avatar
    Unless you are using one of the first personal computers to compile the kernel, it doesn't take months to harden.

    They are just using a custom .config file for hardening in addition to the root of trust hardware. Nothing special that isn't easily replicated in the time span of an evening of work (yes I know this).

    The processes for hardening are easily repeatable on purpose.
    The BlackBerry developers would refute this. It's a big job for a non-Samsung sized team.
    10-11-17 06:17 AM
  6. mister2d's Avatar
    The BlackBerry developers would refute this. It's a big job for a non-Samsung sized team.
    Of course they would. They want customers to believe that a "special sauce" exists.

    The truth is that any software developer shop will have a CI/CD pipeline to automate builds for deployment. It really isn't special once you do this sort of thing for a living.
    10-11-17 06:22 AM
  7. conite's Avatar
    Of course they would. They want customers to believe that a "special sauce" exists.

    The truth is that any software developer shop will have a CI/CD pipeline to automate builds for deployment. It really isn't special once you do this sort of thing for a living.
    I'm sorry, but we'll just have to leave it at "fervently disagree".
    10-11-17 06:25 AM
  8. mister2d's Avatar
    Of course we will. That's how things get when they are exposed. BlackBerry talks about their special sauce in blogs, but it really is nothing more than hardening. Hardening that's easily repeatable and doesn't take months as you claim.

    And one doesn't need to be as big as Samsung. Even the little guy can spin up a development pipeline and scale it up these days.

    https://aws.amazon.com/getting-start...i-cd-pipeline/

    It would actually be reasonable to assume that BBM uses Amazon (or other cloud provider) to host their services.
    10-11-17 06:42 AM
  9. Chuck Finley69's Avatar
    Of course they would. They want customers to believe that a "special sauce" exists.

    The truth is that any software developer shop will have a CI/CD pipeline to automate builds for deployment. It really isn't special once you do this sort of thing for a living.
    So then we can buy this security from a different OEM. Which company will be doing this so I don't have to wait?
    10-11-17 07:11 AM
  10. tickerguy's Avatar
    Of course they would. They want customers to believe that a "special sauce" exists.

    The truth is that any software developer shop will have a CI/CD pipeline to automate builds for deployment. It really isn't special once you do this sort of thing for a living.
    Meh.

    As a guy who has run custom FreeBSD kernels all the way back to the original days in the mid 1990s (when it first became viable), including as the base of my operation of an ISP, it's a bit more work than you describe.

    Especially when the baseline changes, and it does. I still have a modest custom patch set that goes against FreeBSD 11.1, and every time the upstream rolls in certain areas I have to go back and re-do the work, usually with some additions or deletions. The current issue I have with the codebase isn't security-related, it's filesystem performance related, specifically in ZFS, and if you get THAT one wrong you either get kernel panics or worse, silent data corruption.

    I'm one guy so my risk is my data. If I was deploying that into tens or hundreds of thousands of customer devices you can bet that I'd be pretty sensitive about testing it, and that's not a trivial process.

    Of note with regard to BlackBerry's hardening is that the folks who break into these things for fun and profit over at XDA have all failed. I've failed too, and I have a pretty decent success rate getting root on Android handsets for my personal purposes.

    Not in this case.
    10-11-17 07:31 AM
  11. mister2d's Avatar
    So then we can buy this security from a different OEM. Which company will be doing this so I don't have to wait?
    It's been done since Android 6.0. No real need for a specific OEM to do this.

    The real reason to do secure boot on smartphones is to lock out Joe User from rolling his own ROM and extending the functionality of his phone. Can't have planned obsolescence if you leave it open.
    10-11-17 07:43 AM
  12. conite's Avatar
    It's been done since Android 6.0. No real need for a specific OEM to do this.

    The real reason to do secure boot on smartphones is to lock out Joe User from rolling his own ROM and extending the functionality of his phone. Can't have planned obsolescence if you leave it open.
    So BlackBerry Android and Samsung Knox are BS?

    Sorry, but I don't think you have a handle on what it is they do.
    10-11-17 07:48 AM
  13. Chuck Finley69's Avatar
    It's been done since Android 6.0. No real need for a specific OEM to do this.

    The real reason to do secure boot on smartphones is to lock out Joe User from rolling his own ROM and extending the functionality of his phone. Can't have planned obsolescence if you leave it open.
    So BlackBerry phone security is no different than anyone else's phone security. I thought you couldn't root a BlackBerry Android. Has that happened now or have others now stopped their devices from getting rooted?
    10-11-17 07:59 AM
  14. mister2d's Avatar
    Meh.

    As a guy who has run custom FreeBSD kernels all the way back to the original days in the mid 1990s (when it first became viable), including as the base of my operation of an ISP, it's a bit more work than you describe.
    ...
    Indeed there is work to be done. But once it's done, you make the process repeatable. That was the whole theme of my posts. If it takes you months to harden, then you are doing things wrong and on the wrong hardware.
    10-11-17 08:03 AM
  15. mister2d's Avatar
    So BlackBerry Android and Samsung Knox are BS?

    Sorry, but I don't think you have a handle on what it is they do.
    No one said BS. There just isn't the special sauce that everyone tastes. It's more like MSG. If you remember, MSG was added to food to make it taste better than it actually does.
    10-11-17 08:05 AM
  16. mister2d's Avatar
    So BlackBerry phone security is no different than anyone else's phone security. I thought you couldn't root a BlackBerry Android. Has that happened now or have others now stopped their devices from getting rooted?
    See my secure boot post above.
    10-11-17 08:06 AM
  17. conite's Avatar
    Indeed there is work to be done. But once it's done, you make the process repeatable. That was the whole theme of my posts. If it takes you months to harden, then you are doing things wrong and on the wrong hardware.
    If only the team of BlackBerry developers feverishly working on this over the course of months could have your expertise.
    10-11-17 08:26 AM
  18. tickerguy's Avatar
    Indeed there is work to be done. But once it's done, you make the process repeatable. That was the whole theme of my posts. If it takes you months to harden, then you are doing things wrong and on the wrong hardware.
    That's just total nonsense; you're assuming the base code never changes and thus it's a patch set that is applied and then the code built.

    That's not how the real world works, however. The base code changes constantly, and any of those changes might impact your patch set. You thus must go examine all of the deltas on the base code to see if there's an interaction and, if you detect that there might be, no matter how small the risk, your entire validation process has to be re-run from the top down.

    Needless to say there has to be a reason for me to go back through that today with my code. Unfortunately for BlackBerry that process is an every month hassle, since Android is riven through like Swiss cheese (look at the monthly CVE sets) and every month there's another batch of surprises. Google ought to be strung up by their testicles for the outrageously insecure base code they've run for more than a decade, along with Qualcomm which is equally bereft of QA/QC when it comes to security from a standpoint of the number of problems in those monthly CVE lists.

    But that is what it is, and since people wouldn't buy phones that wouldn't run Google's crap this is what BlackBerry (and now BlackBerryMobile/TCL) got stuck with. The alternative is don't make phones at all.

    I've only been doing this since the 1990s, by the way; I think I know just a wee bit about it.
    valer466 likes this.
    10-11-17 08:40 AM
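
An added example, not part of any post in this thread: the step described above, checking each upstream delta against a local patch set, can be triaged by comparing the base-side line ranges of the hunks. The file names, patch names and both diffs are constructed, and `touched` and `classify` are hypothetical helper names.

```python
import re

GIT_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+\d+(?:,\d+)? @@")

def touched(diff_text):
    """Map each file in a git diff to the base-side line ranges its hunks cover."""
    ranges, current = {}, None
    for line in diff_text.splitlines():
        header = GIT_HEADER.match(line)
        if header:
            current = header.group(1)
            ranges.setdefault(current, [])
            continue
        hunk = HUNK.match(line)
        if hunk and current is not None:
            start = int(hunk.group(1))
            count = 1 if hunk.group(2) is None else int(hunk.group(2))
            # count == 0 is a pure insertion after `start`; treat it as one line.
            ranges[current].append((start, start + max(count, 1) - 1))
    return ranges

def classify(patches, upstream_diff):
    """Triage local patches against an upstream delta taken from the same base.

    overlap   - hunks intersect: rework the patch, then revalidate
    same-file - upstream changed the file elsewhere: review for interaction
    clean     - no shared file (semantic interaction is still possible)
    """
    upstream = touched(upstream_diff)
    result = {}
    for name, text in patches.items():
        level = "clean"
        for path, mine in touched(text).items():
            if path not in upstream:
                continue
            if any(a <= d and c <= b for a, b in mine for c, d in upstream[path]):
                level = "overlap"
                break
            level = "same-file"
        result[name] = level
    return result

# Constructed sample input; file names are hypothetical, hunk bodies trimmed.
PATCHES = {
    "0001-codec-bounds.patch":
        "diff --git a/media/codec.c b/media/codec.c\n@@ -40,7 +40,9 @@\n",
    "0002-cache-tuning.patch":
        "diff --git a/fs/cache.c b/fs/cache.c\n@@ -200,6 +200,8 @@\n",
    "0003-filter-default.patch":
        "diff --git a/net/filter.c b/net/filter.c\n@@ -10,3 +10,4 @@\n",
}
UPSTREAM = (
    "diff --git a/media/codec.c b/media/codec.c\n@@ -44,6 +44,12 @@\n"
    "diff --git a/fs/cache.c b/fs/cache.c\n@@ -20,5 +20,5 @@\n"
    "diff --git a/drivers/sensor.c b/drivers/sensor.c\n@@ -1,4 +1,6 @@\n"
)
```

Calling `classify(PATCHES, UPSTREAM)` labels the first patch `overlap`, the second `same-file` and the third `clean`; a `clean` result narrows where to look first and does not replace the validation run.
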
  19. app_Developer's Avatar
    I'm somewhere in between you guys on the hardening thing and how long it should take. First of all, the kernel between the first developer releases of Oreo and the GM had hardly any revs, and is actually not very different at all from Nougat. So if they really did wait until the final public release of Oreo, then they waited way too long IMO.

    The secure bootloader is also not something that needs to change very much between Android versions. Its job in loading Oreo is the same as it is in Nougat or earlier: Verify the signatures of each and everything it loads. It should not be very dependent on what is being loaded (if it were then even minor updates to the OS would be very difficult!). The loader just needs to verify sigs.

    I don't know what other hardening they are doing. So I don't know what would delay their version so many months behind Google. The first developer release was in March, and then again the kernel hasn't changed much at all from March to Oct.
    Last edited by app_Developer; 10-11-17 at 09:46 AM.
    Uzi and StephanieMaks like this.
    10-11-17 09:13 AM
  20. tickerguy's Avatar
    The hardening is materially more than just the secure chain of trust on the boot sequence, or at least BlackBerry claims it is.

    Now if you wish to refute that then take their software load (it's not encrypted), decompile it all to SMALI and go through it. It would make a hell of an exposé if it turns out they did nothing, but I suspect you're going to be rather disappointed after expending a lot of work.

    Figuring out how to mitigate on a forward basis the issues with MediaServer, for example, is both a moving target and not all that easy. That sort of mitigation can be done but it's hardly easy and the bad news is that with each new iteration you have to go back through what you did and what's in there now at the layer underneath (that you're trying to protect from) and see if you need to make changes or whether it's all still ok.

    That the BlackBerry phones haven't been rooted yet is fairly decent evidence that they've taken effective action at "wrapping" dangerous things in a way that prevents them from being used. Then again I don't have the ability to look at their repos and evaluate what they did; I'm only looking at results (or in this case the lack thereof by those who would use said holes to gain root, even for non-nefarious purpose.)

    BTW if you think that sort of thing is "fun" try writing code to talk to EAS. Microsoft has been known for decades as the company that breaks RFCs on a regular basis and yet they're the "reference" implementation. I had the "joy" of dealing with that garbage more than a decade ago when I undertook a project to do a security and email front-end to Exchange for a "very sensitive" client, who was (justly so!) concerned about having an Exchange server connected to the Internet. Figuring out all the things Microsoft did that were direct violations of the standards and how to evade having that either exploited or having it blow up code downstream was a lot of "fun" and consumed a very sizable amount of my time on that product.

    I had all sorts of fun with this back in the BB10 days on my own implementation as well because BB10 followed what Outlook did, which was demonstrably broken (specifically, it emitted illegal Base64 encoded stanzas but Microsoft's Exchange and Outlook both happily swallowed them!) BlackBerry finally got their crap together in this regard when they did the Hub for Android; there were a few of these instances fairly early on that I flagged to them but this time, unlike in BB10, they actually fixed them!
    valer466 likes this.
    10-11-17 10:05 AM
  21. mister2d's Avatar
    That's just total nonsense; you're assuming the base code never changes and thus it's a patch set that is applied and then the code built.

    That's not how the real world works, however. The base code changes constantly, and any of those changes might impact your patch set. You thus must go examine all of the deltas on the base code to see if there's an interaction and, if you detect that there might be, no matter how small the risk, your entire validation process has to be re-run from the top down.

    Needless to say there has to be a reason for me to go back through that today with my code. Unfortunately for BlackBerry that process is an every month hassle, since Android is riven through like Swiss cheese (look at the monthly CVE sets) and every month there's another batch of surprises. Google ought to be strung up by their testicles for the outrageously insecure base code they've run for more than a decade, along with Qualcomm which is equally bereft of QA/QC when it comes to security from a standpoint of the number of problems in those monthly CVE lists.

    But that is what it is, and since people wouldn't buy phones that wouldn't run Google's crap this is what BlackBerry (and now BlackBerryMobile/TCL) got stuck with. The alternative is don't make phones at all.

    I've only been doing this since the 1990s, by the way; I think I know just a wee bit about it.
    I've been doing it before the 90s.

    And I'll refrain from calling any of your comments nonsense. You actually brought up a very valid example initially with your BSD post. Fortunately, tools have gotten significantly better than the old days.
    10-11-17 10:11 AM
  22. mister2d's Avatar
    I'm somewhere in between you guys on the hardening thing and how long it should take. First of all, the kernel between the first developer releases of Oreo and the GM had hardly any revs, and is actually not very different at all from Nougat. So if they really did wait until the final public release of Oreo, then they waited way too long IMO.

    The secure bootloader is also not something that needs to change very much between Android versions. Its job in loading Oreo is the same as it is in Nougat or earlier: Verify the signatures of each and everything it loads. It should not be very dependent on what is being loaded (if it were then even minor updates to the OS would be very difficult!). The loader just needs to verify sigs.

    I don't know what other hardening they are doing. So I don't know what would delay their version so many months behind Google. The first developer release was in March, and then again the kernel hasn't changed much at all from March to Oct.
    Pretty much in line with my comments. Very good post.

    I'm not here to hurt feelings, if that's how some are taking it.
    10-11-17 10:14 AM
  23. conite's Avatar
    Pretty much in line with my comments. Very good post.

    I'm not here to hurt feelings, if that's how some are taking it.
    Occam's Razor.

    It actually IS harder than you think, OR there is either a huge conspiracy or a group of hopelessly incompetent BlackBerry developers.
    tickerguy likes this.
    10-11-17 10:21 AM
  24. Invictus0's Avatar
    10-11-17 10:23 AM
  25. mister2d's Avatar
    Occam's Razor.

    It actually IS harder than you think, OR there is either a huge conspiracy or a group of hopelessly incompetent BlackBerry developers.
    conite, it's not that serious.
    10-11-17 10:29 AM