1. Omnitech's Avatar
    Granted the best security will come with *your* own OS on your own hardware...
    If by "your" you mean the end-user, I disagree. Most end-users are not remotely in a position to build a secure OS by themselves. If you mean a platform provider like BlackBerry.. depends on the platform provider.


    No doubt many feel that Android - Google = what's the point, yet, there are also a good number of people who simply do not want Google let alone need GApps. iOS users proved that big time. Sure, GApps are available on the iOS platform but outside of GMaps I think it is safe to say that most iPhone/iPad users do not rely on them as the same sort of de facto need like the Android crowd tends to believe.

    There are also small, sure, subsets of users over at XDA and AC who claim to enjoy Android more without the GApps, GServices, Play. Mileage will vary, of course, and BB10 would likely have had more sales if it shipped with Play, but to suggest that Google is the be all end all to the mobile experience is just plain silly. It sounds like you need Play. I can say with honesty that I do not. I mean, I have mentioned a few times that if/when BB10 finally breathes its last breath then I am likely to go with a W10 phone. What does that say about *my* need for apps?
    Don't forget that there are just a handful of well-developed, up-to-date, reasonably well-performing mobile OS platforms, even forgetting about app support. To use myself as an example, here is a long way of explaining how the decision process goes with myself and probably lots of other people:

    Q: iOS
    Pros: well polished, large ecosystem, nice looking hardware, decent support (if you can stomach the attitude)
    Cons: overpriced single-source products, inflexible, arrogant company attitude, annoying customer attitude, insular "walled garden" approach
    A: Fail

    Q: Android
    Pros: extremely flexible and configurable, limited open source, gigantic ecosystem, many hardware suppliers and forks, cost-effective, hackable
    Cons: infamous security and privacy problems, OS fragmentation, uninspiring UI
    A: Fail (mostly)

    Q: Winphone
    Pros: Decent security, future cross-hardware compatibility, 'interesting' UI
    Cons: Microsoft becoming privacy-abusive and sneaky just like Google/Facebook, tiny app ecosystem, questionable UI efficiency, nearly sole-source hardware
    A: Fail

    Q: Firefox OS
    Pros: Open-source, mostly non-snoopery, hackable
    Cons: Extremely tiny ecosystem, unfinished/simplistic functionality, mostly sold on low-end devices for cost reasons
    A: Fail

    Q: Tizen
    Pros: Not sure
    Cons: Controlled by Samsung, tiny following
    A: Fail


    So after you go through that mental list, what are you left with? Lots of us end up migrating towards Android on some level because even if the stock variants aren't what you want, you can twiddle with and hack on them and put together something more to your liking. Eg, without GApps if that's your thing. (Which is what I did with CM on my Nexus 7) It's still not ideal, but the alternatives are way crappier, unfortunately. :-|


    For what it is worth, I believe that Thor was the only one who honestly tried to sell BB10.
    You may be quite right about that. Though a lot of it was timing.


    Is this not what Canonical does? Perhaps Fedora and other "big" legacy Linux distros?
    Canonical yes, but I don't think Fedora exists for money-making reasons, it's basically a testbed. Using the users as guinea-pigs. RHEL is a whole other matter - they "sell" the OS and also the various support/consulting services.

    I still think Copperhead probably has little idea about how to build a successful smartphone business though. Maybe their strategy is to get bought, cash out and go live in the Bahamas for the rest of their lives.



    Easy answer, it's Chen. At the most recent Techonomy event Chen said that he, in a roundabout sort of way, repeated the mantra that BlackBerry = security over the last two years yet admitted that he would not have been able to tell you how or why that is true. He claims that as of now he can in fact give you the breakdown but warned that it would take 1/2 hour of your time.

    BlackBerry's CSO is more open about this subject, however, I am not familiar enough to know if he is on the money or not.
    This is a disturbing thing about Chen: he seems to have little detailed knowledge of actually what the company is doing and what the products actually do, and he makes some really embarrassing faux pas about them too.* Either that or he is just really lousy at communicating his knowledge. TBH he strikes me as more of a financial caretaker at this point than anything else. Like he should be the COO or CFO instead of the CEO.

    *(I found it really interesting that about a week or two after Chen in an interview referred to QNX as basically "a kind of Linux", that Dan Dodge, the founder of QNX and its longtime head, left the company. I'll bet Dodge screamed at the TV when he saw/heard that Chen interview.. )
    11-24-15 05:11 PM
  2. Omnitech's Avatar
    The thing about FIPS, the dual_ec_drbg, and the random number generator doesn't make any sense. Any link for clarification?

    The only one who defaulted to the backdoored dual_ec_drbg suite was RSA and BlackBerry doesn't use that algorithm, just patented it.

    All FIPS 140-2 approved cryptographic modules have to include dual_ec_drbg as an available PRNG. Whether or not they default to using it, it has to be there.

    With all the deep connections that RIM/BlackBerry has with the 5-eyes crowd, it wouldn't surprise me in the least if they were using that as a default. I've certainly never seen any documents confirming or denying it. I'm just saying in general that I'm not sure I would crow about FIPS 140-2 these days, at least until they update or replace the standard.

    http://csrc.nist.gov/publications/fi...1402annexc.pdf
    http://csrc.nist.gov/publications/ni.../SP800-90A.pdf
    BCITMike likes this.
    11-24-15 05:41 PM
  3. Omnitech's Avatar
    It's pretty amazing how some of the regulars went from "android is trash" to parroting "BBRY android is the most secure" while refusing to actually discuss security.

    I tried to have this conversation about the Copperhead comments as well and virtually all of the posts were a desperate attempt to discuss anything but security.

    Yep which is what I was saying - at this point it seems that a lot of the die-hard loyalists have more of an emotional attachment to RIM/BlackBerry than factual, so it's similar to how a religious affiliation often works. They've made their choice, and when the facts seem to undermine that choice, they will find ways to rationalize the choice anyway.

    Same problem we have with die-hard fans of any product/platform, including Apple.
    11-24-15 05:47 PM
  4. Omnitech's Avatar
    I am running the final version of Android Marshmallow on my tablet. A few things I observed. Google Now On Tap is an opt-in screen scraper (yikes). I say opt-in because it can be turned off (I think). It even provides programmatic access to its functionality. There should be more awareness to this, but probably will fall on deaf ears. So much for the security aspect of M. [...]

    Also, I've noticed that to use Google Now, you have to enable web search history. This is something I always turn off for Google searches, but it gets turned back on when you set up a new Marshmallow device. Just trolling through each and every privacy setting I'm seeing how sneaky and insidious Android is. Users need to be careful.
    Actually none of that surprises me whatsoever. Personal data is the currency of the digital age. Sad but true.

    I find this YouTube Red thing very interesting. I wonder if it's a sort of trial balloon that Google's sending up to see if they can replace personal data collection with a traditional fee-for-service model. Well the Pollyanna in me hopes it is, anyway.


    The app permissions are nice, but it's more of a way to provide transparency than security. At least you can configure perms to alert you at runtime.
    To me they are only impressive when compared next to the obnoxious former state of affairs with Android. And Google seems to architect the Gplay UI to make it really inconvenient to check things like that, pushing people to just click "update all". One of the top things on my mental shortlist of necessary Gplay features is a way to filter out apps from searches based on their required system perms. I can just imagine Google's response to that:
    mister2d likes this.
    11-24-15 05:54 PM
  5. gizmo21's Avatar
    Btw DTEK is not watching google or BB apps:

    http://forums.crackberry.com/showthr...=440&t=1051144

    Could at least have implemented an option for that.


    -- Sent from my Palm Pre using Forums
    11-27-15 10:41 PM
  6. mister2d's Avatar
    Btw DTEK is not watching google or BB apps:

    dtek not watching google apps - BlackBerry Forums at CrackBerry.com

    Could at least have implemented an option for that.


    -- Sent from my Palm Pre using Forums
    Well, the precedent sure is set for a DTEK whitelist. I knew that feature was overrated.
    11-28-15 09:25 PM
  7. gizmo21's Avatar
    Well at least BB beat Google's Nexus devices (5.1 AND 6.0) on the OTA release of 5.1 December security layer patches. Not bad.

    I know not in all countries/carriers but releases in waves are common in droid land:

    Is there a new Android update? STOP, don't hit that "Check for Updates" button!:
    https://productforums.google.com/for...us/fOAWe8jMRsQ

    -- Sent from my Palm Pre using Forums
    12-02-15 11:44 PM
  8. meltbox360's Avatar
    Just wanted to point out that technically Copperhead OS is less secure because it's run on a non-secure base. Saying you theoretically have better security post boot means nothing when you are practically vulnerable during boot. Meanwhile both operating systems appear to be rock solid post boot. So yes BlackBerry could have hardened it less but if a nuclear bunker makes it through the apocalypse do you need a stronger nuclear bunker? Not really...

    Posted via CB10
    12-03-15 02:14 AM
  9. Omnitech's Avatar
    Btw DTEK is not watching google or BB apps:

    http://forums.crackberry.com/showthr...=440&t=1051144

    Could at least have implemented an option for that.

    Once again, that is exactly as would be expected. As I've said previously, the only way BlackBerry could truly make the Priv a "privacy phone", is to stick their finger in Google's eye, which ain't gonna happen. Because in order to make a credible claim to that, they would have to put all sorts of Google apps and frameworks and OS functionality on a leash, along with making it clear to users that a huge part of the problem is the underlying OS and platform itself.

    Do you see that happening any time soon? I don't. Google is their sugar-daddy right now. Ain't gonna bite the hand of the only platform they have a fighting chance of generating any significant revenue from in devices these days.
    12-03-15 03:00 AM
  10. Omnitech's Avatar
    Just wanted to point out that technically Copperhead OS is less secure because it's run on a non-secure base. Saying you theoretically have better security post boot means nothing when you are practically vulnerable during boot. Meanwhile both operating systems appear to be rock solid post boot. So yes BlackBerry could have hardened it less but if a nuclear bunker makes it through the apocalypse do you need a stronger nuclear bunker? Not really...

    Is there actually a significant number of people running Copperhead right now? I thought their primary objective was to eventually sell a phone with the OS bundled, which would address the secure boot issue.

    At the moment I don't see the biggest problem with the Priv as the security issue, it's the privacy thing. The grand swindle being: Android is the worst possible platform in that regard, and BlackBerry has done little of substance to address that.

    Amazingly, even with Lollipop, they could have implemented granular permissions just like CyanogenMod does, and like their own Android runtime on BB10 does. But we don't even get that (actually moving backwards from the BB10 Android runtime in that respect), they are simply going to wait until Marshmallow ships and (I would guess) just use Dtek as an alternate UI to that built-in Marshmallow functionality.

    I would expect any "privacy phone" to have features like location spoofing(1), and an app/OS firewall.(2)

    (1) To circumvent the pernicious Google location tracking that doesn't just use GPS (in case you think you can circumvent it by turning GPS off), but also uses cell tower triangulation, and failing that, Google's massive database of every WiFi Access Point/Router that is able to be picked up by all those Google mapping cars that drive around everywhere taking pictures. (One of the key functions of those cars is to build that WiFi database. And they have other input sources to that database too. Including everyone who uses an Android device.)

    (2) To address all the data that is sent in the background that Android's new permissions control in Marshmallow doesn't have any impact on. You cannot revoke internet access or analytics/advertising network access from 3rd-party apps, nor can you revoke most permissions from Google's own apps. Having a firewall would address that. (Something you can do with a rooted device, or something BlackBerry as OS steward can write into their build and provide the necessary "privs" to make work. But they don't.)
    mister2d likes this.
    12-03-15 03:17 AM