1. greyw0lf01's Avatar
    From Spiegel, the NSA can hack all smartphones including Blackberry devices.

    Privacy Scandal: NSA Can Spy on Smart Phone Data - SPIEGEL ONLINE
    lentobeans likes this.
    09-07-13 02:43 PM
  2. zten's Avatar
    No they can't

    End of discussion

    Posted via CB10
    rayporsche, m1kr0, RD9700 and 1 others like this.
    09-07-13 02:45 PM
  3. GTiLeo's Avatar
    lmao did they seriously post the photoshopped pic of the sad face from the german lady:P
    09-07-13 02:53 PM
  4. greyw0lf01's Avatar
    No they can't

    End of discussion

    Posted via CB10
    I didn't think it possible but the fact that they have a hand in setting standards spooks (no pun intended) me.
    09-07-13 02:56 PM
  5. rayporsche's Avatar
    GOOD....I hope they are able to hack into my camera so they can see my big hairy b@@@lls.......LOL
    nappp, kbz1960, devin266 and 17 others like this.
    09-07-13 03:03 PM
  6. greyw0lf01's Avatar
    I wonder if this affects legacy encryption techniques or whether elliptic curve cryptology is affected?

    If the latter then it could affect the value of BBRY's patents.
    09-07-13 03:14 PM
  7. tickerguy's Avatar
    On BB10 if you're not running your own CA, and generating your own certificates, and thus controlling what you're doing, you're asking for it.

    Beyond your phone's border is an entirely different matter. Without BES10 you can't use S/MIME. Presuming that WITH BES10 you can use both a private CA and high-quality generated certificates, I wouldn't be too worried. Without it, you better be using APG+K9Mail, because BlackBerry (thus far) refuses to enable S/MIME for non-BES users.

    The other alternative is to run everything over the VPN using IPSEC/IKEv2, use perfect forward security (which thwarts at least one known means of attack) and again, generate your own CA and machine keys using high-quality moduli.

    Good luck cracking that.

    As soon as you let someone else into your web of trust on certificates you're asking for trouble. BlackBerry's BB10 devices, however do stop one common MITM attack if you're paying attention -- if someone MITM's your secure connection for email and VPN (the key changes) even if it verifies under the CA you have loaded you will be prompted.

    Other common devices do not warn you if the key has changed so long as the CA "certifies" it's ok. That's a serious problem if someone (e.g. the NSA) has compromised the CA's private key (and you know damn well they have...... )

    Note that MANY common web servers (e.g. Apache 2.x) do NOT allow the use of elliptic-curve cryptography, even if the OpenSSL layer under it has it enabled. You need to be running modern code all the way through "or else."
    09-07-13 03:15 PM
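The key-change prompt described in post 7, sketched as an added example (not part of the thread and not BlackBerry's code). The `PinStore` class, the host name and the byte strings standing in for certificates are assumptions made for illustration, and the pin here is a hash of the whole certificate rather than of the public key alone.

```python
import hashlib

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()

class PinStore:
    """Remembers the certificate last accepted for each host (hypothetical helper)."""

    def __init__(self):
        self._pins = {}  # host -> fingerprint of the accepted certificate

    def check(self, host, der_cert, ca_valid):
        """Return 'reject', 'first-use', 'match' or 'prompt'."""
        if not ca_valid:
            return "reject"        # chain does not verify: never accept
        fp = fingerprint(der_cert)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp  # trust on first use
            return "first-use"
        if known == fp:
            return "match"
        return "prompt"            # CA vouches for it, but it is not the pinned one

    def accept_change(self, host, der_cert):
        """Call only after the user has confirmed the new certificate."""
        self._pins[host] = fingerprint(der_cert)

def ca_only_check(ca_valid):
    """Behaviour of a client that trusts the CA alone: no memory of earlier keys."""
    return "accept" if ca_valid else "reject"

# Constructed stand-ins for DER certificates (not real certificates).
ORIGINAL_CERT = b"constructed-cert: mail.example.test key A"
SWAPPED_CERT = b"constructed-cert: mail.example.test key B"

def demo():
    store = PinStore()
    host = "mail.example.test"
    return [
        store.check(host, ORIGINAL_CERT, ca_valid=True),  # first connection
        store.check(host, ORIGINAL_CERT, ca_valid=True),  # same certificate again
        store.check(host, SWAPPED_CERT, ca_valid=True),   # different cert, CA still says OK
        ca_only_check(True),                              # CA-only client sees nothing wrong
    ]

if __name__ == "__main__":
    print(demo())
```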
  8. greyw0lf01's Avatar
    Tickerguy,

    It looks like until (if ever) we get additional colour on what the NSA code breakers can do, it'll be a guessing game in the security community.

    Taking additional steps now may just make something more vulnerable later.

    We are in interesting times for sure.
    janzeeschuimers likes this.
    09-07-13 03:25 PM
  9. kbz1960's Avatar
    Just today I got a certificate notice. I kept telling it no and I wasn't doing anything. If I said yes would a wipe rid me of it? BBOS 7.1
    09-07-13 03:26 PM
  10. RADEoN1337's Avatar
    Good post ticker guy, very informative. Everything breaks at the weakest link.

    Posted via CB10
    09-07-13 03:37 PM
  11. m1kr0's Avatar
    BlackBerry and BES seem to be a problem for the "rogue viewers", if you catch my drift.
    09-07-13 03:42 PM
  12. Gambit_DE's Avatar
    SpOn is not the best source, but reading through big newspapers, even BIS encryption is broken. iPhones get infected when synced with PC and I don't know what way they take to break Android.
    NSA hooray

    Posted via CB10
    09-07-13 03:52 PM
  13. canderson85's Avatar
    I really can't find any f#cks to give about this whole NSA thing.

    In fact I would hope they have this ability.

    Posted via CB10
    09-07-13 04:05 PM
  14. greyw0lf01's Avatar
    Of all the possible negatives from this cryptology breaking biz, having the NSA leading the charge is probably the best...

    But that would be naive if the Russians & Chinese don't have the same capabilities...
    09-07-13 04:11 PM
  15. gariac's Avatar
    Tickerguy has a post on installing APG and K-9 mail. I got that going, but haven't got around to the CA yet.

    Steve Gibson made some noise about a "how to" on GPG, but that never seems to be materializing. So I guess I have to do this myself. This looks like a good guide:
    Phil's PGP Docs
    Not explicitly stated in the above guide, but you don't have to put your public key on the MIT server. That sounds like a spam magnet to me. If you have a website, you can put it there. Even dropbox.

    I can't say I care much for K9 mail, but it does give you the ability to send plain email versus html mail on the Z10.

    It would be nice if Blackberry would show the BIS users some love and give us some basic security like openvpn and S/MIME. It was a research project to find a commercial VPN using IPSEC. Of course, now I can't find the link.
    09-07-13 04:38 PM
  16. IgotsThis's Avatar
    GOOD....I hope they are able to hack into my camera so they can see my big hairy b@@@lls.......LOL
    Bwuahahaha

    BBM channels: c00121c99 for some knowledge and c00123fca for some real hip hop
    09-07-13 04:39 PM
  17. mad33man's Avatar
    I figured that's why all phones had to clear the fcc, so they could test their ability to break in.

    Posted via CB10
    09-07-13 04:41 PM
  18. SaltyBrine's Avatar
    It all comes down to privacy as we know begins to disappear we use evermore electronic devices as they get connected to each other through the internet. The assumption that you have a right to a private life is ludicrous. I'd rather have my government go through my trash than a rogue state or private corporation. Yet it's the private industry that did it first and there is no law to stop them once you begin to leave a public record you're in the system and will be unless new laws are passed this is the new normal.

    Posted via CB10
    09-07-13 04:42 PM
  19. ray689's Avatar
    I really can't find any f#cks to give about this whole NSA thing.

    In fact I would hope they have this ability.

    Posted via CB10
    Why do you hope they have this ability?

    Posted via CB10
    09-07-13 04:43 PM
  20. mad33man's Avatar
    The NSA could call everyone in this forum right now and not one soul would stop using their cell phone. More than half would get on Facebook and tell all their friends immediately.

    Posted via CB10
    nappp and Javid Gozalov like this.
    09-07-13 04:49 PM
  21. zten's Avatar
    The NSA could call everyone in this forum right now and not one soul would stop using their cell phone. More than half would get on Facebook and tell all their friends immediately.

    Posted via CB10
    You underestimate us, almost all of us would go on Facebook and tell our friends.

    Posted via CB10
    09-07-13 04:56 PM
  22. thatplaybookguy's Avatar
    For 60 years you all speculated this thought without proof and guess what Life went on. Now that everyone knows that it is proof, Life comes to a standstill.

    Humans are a funny odd sort.
    09-07-13 05:26 PM
  23. zten's Avatar
    For 60 years you all speculated this thought without proof and guess what Life went on. Now that everyone knows that it is proof, Life comes to a standstill.

    Humans are a funny odd sort.
    You are human

    Posted via CB10
    09-07-13 05:51 PM
  24. tickerguy's Avatar
    Gariac: I have set up an IPSEC/IKEv2 gateway on my machine here, moved my calendar and contacts storage to my own SSL-protected cloud (with my own CA) and put the entire thing under keys that nobody else has (including the certificate chain.) I also encrypt the phone storage itself in an attempt (possibly in vain) to prevent physically stealing the device from being of value to someone.

    This problem is not mostly about the NSA, despite the furor over it. It is mostly about the hubris of the NSA thinking they're the smartest guys in the world and nobody else is as good as they are.

    That is, once they tampered with someone's CA key (e.g. stole or coerced it out of someone) or similar, that nobody else will get ahold of that information and/or be able to do the same thing.

    That's ridiculously arrogant. Others will be able to do so and almost-certainly have.

    IT security is a process, not a product. I've been involved in this general area of information technology for a very long time, and it has been on my mind and part of how I conduct myself online since the 1980s, before there was a commercial Internet.

    The impact of these revelations on US companies is likely to be quite severe but this is the NSA's and our government's own fault and they have nobody to blame but themselves, especially their attempts to systematically weaken cryptography or insert themselves into the middle of conversations via various means whether extralegal, "legal" (technically or not) or otherwise.

    The NSA has a legitimate function in gathering intelligence outside the US border. The moment they turned that inward they did critical damage to the information technology industry of this nation. They've been caught doing very bad things before, and as you can see the leopard has not changed its spots.
    09-07-13 06:12 PM
  25. qwerty4ever's Avatar
    The assumption that you have a right to a private life is ludicrous. I'd rather have my government go through my trash than a rogue state or private corporation.
    You, sir, are a fool. Please climb into the boxcar for that free trip to a countryside resort mentioned in the lottery notice left in your mailbox. Oh don't worry about those men wearing black uniforms, they are here to ensure your trip is uneventful until you arrive at the resort. Yes, yes, the resort is called Auschwitz. Hurry climb aboard before the train pulls out of the station.
    09-07-13 07:23 PM