[endevour]

BBM on BIS uses the NOC, BBM on BB10 uses the NOC. Nothing has changed.

I wish I knew for sure that "nothing" has changed!

Let me add a dumb comment... when everyone out there has my encryption keys, can it be secure or is it just another security through obscurity?

I still think if people want real security using BBM the only option is the BES way (or BBM protected), consumer BBM will stay as "secure" as it was 10 years ago imo...

[Superdupont 2_0]

, consumer BBM will stay as "secure" as it was 10 years ago imo...

You may read points 5.3, 5.4 and 5.5 on page 15 of this paper.

And according to BBRY Security Note, BBM on BB 10 is always using a combination of TLS + BBM Encryption Key for messages, while BBOS sometimes use only the BBM Encryption Key.

As a BB 10 user, I am 100% confident that BBM is protected against criminal attacks.

The problems could start when BBRY must cooperate with any local LEAs in countries with significantly higher corruption, weak implementation of human rights, etc. etc. ...but I have the impression BBRY has always been aware of their responsibilities to protect the human rights of their customers:
Former NSA's chief lawyer: BlackBerry's encryption efforts led to its demise | ZDNet

...and in some countries like India, where I have mixed feelings, BBRY announced their (limited) cooperation with the government in advance, so that everybody was warned.


I don't think that BBRY is intercepting your BBM traffic for any LEA...., as long as you don't try to be the next Tony Montana:

Blackberry messages helped police crack Montreal Mafia ring | Toronto Star

[birdman_38]

The fantasizing is strong in this one (thread.)

Fantasizing about what? That BBM is the most secure messaging platform of them all?

[jefbeard911]

For those courageous few, I offer you the RED pill(s)

The Danger of Fetishizing BlackBerry Messenger Security | Technology, Thoughts & Trinkets

https://citizenlab.org/

For those less so, I offer you the BLUE pill. You can remain in the Matrix ad finem.

[Bluenoser63]

For those courageous few, I offer you the BLUE pill(s)

The Danger of Fetishizing BlackBerry Messenger Security | Technology, Thoughts & Trinkets

https://citizenlab.org/

For those less so, I offer you the RED pill. You can remain in the Matrix ad finem.

Hey, its 2014, not 2012. BBM on BB10 devices is different. They were talking BBOS. Why don't you be courageous and read the following

http://btsc.webapps.blackberry.com/b...ListHelperImpl

And then admit you are wrong.

[beamerboym3]

Good point!

[Superdupont 2_0]

For those courageous few, I offer you the BLUE pill(s)

The Danger of Fetishizing BlackBerry Messenger Security | Technology, Thoughts & Trinkets

https://citizenlab.org/

For those less so, I offer you the RED pill. You can remain in the Matrix ad finem.

Good read, but this article clearly says that there is no mass surveillance
Quote: "Decryption is usually mandated because of lawful access requirements that RIM must comply with; the company doesn�t proactively make these messages available in the absence of legal pressures. " is no problem for citizens in the developed countries.
We have rights protecting us from our governments. Criminals do not have these rights. Deal with it.

(I am totally against any mass surveillance, when data are collected for no particular reason, but that's not described in this article here.)

In countries like Russia a person like Tim Cook could be classified as criminal, but I don't see BBRY collaborating with Russia.
Anyways, for certain less stable, uhm,developing countries where the situation with human rights is more problematic, BBRY should re-consider to provide end-to-end encryption for regular BBM or strictly limit the collaboration with the LEA as they did in the past.

[bbjdog]

Good point.

BlackBerry Protected offers end to end encryption.

Makes you wonder then, why would BlackBerry need to offer another version of BBM if the original was so secure? hmmmmm...note the sarcasm.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

One word, money.

Posted via CB10

[Witmen]

BlackBerry collects data from their users and will happily hand it over to other parties without your consent. They even say so in their own terms of service agreements!

18. USER DATA
In addition to any disclosures authorized by Section 17, You and Your Users consent and agree that the BlackBerry Group of Companies may access, preserve, and disclose Your or Your Users' data, including personal information, contents of Your communication, or information about the use of the Services functionality and the services or software and hardware utilized in conjunction with the Services where available to us ("User Data"), to third parties, including foreign or domestic government entities, without providing notice to You

BBM TERMS OF SERVICE

In the same terms, BlackBerry spells out what type of personal information they collect:

Personal information Processed may include information such as name, display picture, status and personal messages, email address, telephone number, BBM contact list, language preference, BlackBerry ID or other account credentials, settings, country and time zone, Service Provider information and IP address, information about the use of the Services' functionality and the software and hardware utilized in conjunction with the Services, including device or computer information (for example, device PIN, IMEI, IMSI, UDID, MAC address or similar identifiers, and device model), or other information that may be required by law to be collected. In some cases, address book information, device location data (including real-time location information), calendar and reminder entries, and photos may be accessed

How much of that do they hand over to the government? Who knows! But they have your permission to do it.

You have to agree to these terms before you can even use BBM. They spell it out in black and white for people, but fools still believe that their personal information is secure just because they are on BBM.

[jefbeard911]

Hey, its 2014, not 2012. BBM on BB10 devices is different. They were talking BBOS. Why don't you be courageous and read the following

http://btsc.webapps.blackberry.com/b...ListHelperImpl

And then admit you are wrong.

Well, out of your 26 page document this is all that's devoted to BBM encryption keys and protocol:

"BBM encryption key: The BBM encryption key is a Triple DES 168-bit key. A BlackBerry device uses this key to encrypt BBM messages that it sends to other BlackBerry devices, Authenticate and decrypt BBM messages that it receives from other BlackBerry devices. Each device uses the same global BBM encryption key, which BlackBerry adds to the device during the manufacturing process."

Bla bla bla..This is old news.

Note the last sentence.."each device uses the same global BBM encryption key..."

Come back when you have a reputable security source mentioning this method as a good one for secure messaging. You won't find one.

The 2012 doc I linked above is accurate in its description of BBM's encryption protocol currently used in 2014. Nothings changed.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[jefbeard911]

Good read, but this article clearly says that there is no mass surveillance
Quote: "Decryption is usually mandated because of lawful access requirements that RIM must comply with; the company doesn�t proactively make these messages available in the absence of legal pressures. " is no problem for citizens in the developed countries.
We have rights protecting us from our governments. Criminals do not have these rights. Deal with it.

(I am totally against any mass surveillance, when data are collected for no particular reason, but that's not described in this article here.)

In countries like Russia a person like Tim Cook could be classified as criminal, but I don't see BBRY collaborating with Russia.
Anyways, for certain less stable, uhm,developing countries where the situation with human rights is more problematic, BBRY should re-consider to provide end-to-end encryption for regular BBM or strictly limit the collaboration with the LEA as they did in the past.

Yeah, agreed.

Carrier and manufacture initiated surveillance is a whole nother issue. I'm not sure BlackBerry has the balls to deny a NSA request for user information.

This is why I prefer other messenger services that offer ephemeral, self destructing messages and are client to client, not client to server, server to client.

Anyway, I hoping BlackBerry will shore up BBM and/or offer BlackBerry Protect to consumers, but I don't see that happening.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[SethDove]

For those courageous few, I offer you the RED pill(s)

The Danger of Fetishizing BlackBerry Messenger Security | Technology, Thoughts & Trinkets

This is a good read. Thank you for posting. Hopefully it will get through to some of the blind devotees here.

Also: Blackberry needs to support OpenVPN soon or I may move on.

Posted via CB10

[beamerboym3]

Good point!

[CherokeeMarty]

It was banned for its popularity, not it's security.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

OOOOOOH? I'm throwing the BS flag on the for this statement. Bangladesh banned BB phones for exactly the security issue.
Regulator directs GP, Airtel to discontinue BlackBerry services

[crackberry_geek]

It's bizarre is what it is. Cult-like. Reminds me of another fan base that will remain nameless.

Posted via CB10

That's exactly what I was thinking. This place is turning more and more into a cult.

I love my BlackBerry, but it is not a religion to me. I come here in search of answers to problems and to hopefully debate areas where BlackBerry could and should become better.

More and more such debate is not accepted around here.

Posted via CB10

[Tre Lawrence]

That's exactly what I was thinking. This place is turning more and more into a cult.

I love my BlackBerry, but it is not a religion to me. I come here in search of answers to problems and to hopefully debate areas where BlackBerry could and should become better.

More and more such debate is not accepted around here.

Posted via CB10

There are still pockets of moderate thought, to be fair. There are plenty of reasoned voices.

Notice that the members/staffers that are probably most keyed into to BBRY affairs don't buy into the illogical nonsense.

[Bluenoser63]

That's exactly what I was thinking. This place is turning more and more into a cult.

I love my BlackBerry, but it is not a religion to me. I come here in search of answers to problems and to hopefully debate areas where BlackBerry could and should become better.

More and more such debate is not accepted around here.

Posted via CB10

Actually I find it more like a place for non-Blackberry users come to bash Blackberry. I see the most vocal ones don't like Blackberry openly. I owned Apple products before I owned a Blackberry device. I write software for all three major platforms. We have a wide range of hardware and software in our IT. I use three different OS as servers. I like to use stuff that is open and works with other systems. I dislike systems that lock you into one platform and limit the choices you can make as an organization.

Once I started using Blackberry devices and mostly since BB10, I have found Blackberry to be the best communication device and the best ecosystem that doesn't tie your hands in moving from it. My experience with Apple is one that I dread and I will never us the products again personally as I want choice. Blackberry gives that to me with an open reliable product.

There are many that people like yourself call a cult, but there are so many armchair CEOs, developers, marketers, etc that make suggestions and comments that I find laughable. Debate is good, but at least have good ideas.

[bbjdog]

I'm only going to give this thread a one line sentence. Here it goes, BlackBerry is as secure as the governing body allows it to be. Blackberry rocks the house! Sorry, two sentences.

Posted via CB10

[kraidx]

Yeah, agreed.

Carrier and manufacture initiated surveillance is a whole nother issue. I'm not sure BlackBerry has the balls to deny a NSA request for user information.

This is why I prefer other messenger services that offer ephemeral, self destructing messages and are client to client, not client to server, server to client.

Anyway, I hoping BlackBerry will shore up BBM and/or offer BlackBerry Protect to consumers, but I don't see that happening.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

I agree.

BlackBerry should consider a client to client model with encryption end to end.

The competition is becoming more fierce, besides the messengers mentioned in the report, there are more in beta.

Take Bleep and Ricochet for example that according to initial reports take into account metadata besides all the other security features.

It's becoming a crowded space.



Posted via CB10

[Superdupont 2_0]

... I'm not sure BlackBerry has the balls to deny a NSA request for user information.

This is why I prefer other messenger services that offer ephemeral, self destructing messages and are client to client, not client to server, server to client.

I have carefully read all revelations from Edward Snowden. There is no single hint that BBRY was in bed with NSA.
And actually the recent ZDnet article I posted above indicates that BBRY was acting quite ethically over the last years.

Anyways, if someone is belonging to any "persecuted minority" and doesn't live in a stable democracy: BBM is not for you (by design), sorry.

Uhm, if I am not misleaded BBM is client-to-client.
The server in between is just ensuring authentication to keep MITM attackers out. That's also why governments can't read the traffic without help from BBRY.

How do your messengers clients find each other without a server in between?

[sinkingphoenix]

The biggest problem with BBM is missing end-to-end encryption, simple as that. And if other messengers do have it (like BBM protected does), it does make those automatically better for any person seriously considering their privacy.

People who know crypto would never use the standard issue BBM for any important stuff that should not be decrypted by adversaries, period.

It's funny how many people are rushing to defend BlackBerry when they don't even know the meaning of those features tested. Not everyone needs all the features, and BBM is lacking in some departments, that's just a simple fact.

BlackBerry should give us S/MIME and PGP capabilities!

[jefbeard911]

OOOOOOH? I'm throwing the BS flag on the for this statement. Bangladesh banned BB phones for exactly the security issue.
Regulator directs GP, Airtel to discontinue BlackBerry services

Your link doesn't pull up your intended article, just the current Daily Star Web page.

No worries. I'll concede. I'm too tired to aruge..lol...anyway, thanks.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[jefbeard911]

I have carefully read all revelations from Edward Snowden. There is no single hint that BBRY was in bed with NSA.
And actually the recent ZDnet article I posted above indicates that BBRY was acting quite ethically over the last years.

Anyways, if someone is belonging to any "persecuted minority" and doesn't live in a stable democracy: BBM is not for you (by design), sorry.

Uhm, if I am not misleaded BBM is client-to-client.
The server in between is just ensuring authentication to keep MITM attackers out. That's also why governments can't read the traffic without help from BBRY.

How do your messengers clients find each other without a server in between?

Yeah, Agreed.

I didn't say that BlackBerry HAD given info, just that I thought they may be vulnerable to a NSA request.

I'll get back to you in you C-2-C question. I'm interested in the details too.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[BCITMike]

The biggest problem with BBM is missing end-to-end encryption, simple as that. And if other messengers do have it (like BBM protected does), it does make those automatically better for any person seriously considering their privacy.

People who know crypto would never use the standard issue BBM for any important stuff that should not be decrypted by adversaries, period.

It's funny how many people are rushing to defend BlackBerry when they don't even know the meaning of those features tested. Not everyone needs all the features, and BBM is lacking in some departments, that's just a simple fact.

BlackBerry should give us S/MIME and PGP capabilities!

Why isn't PGP the defacto standard everyone loves and uses? The problem is in key management. If a middleman is involved in storing and providing keys, you're vulnerable to them. Otherwise, you have to handle passwords and keys off channel, and that is just a pain in the ***.

Everyone is, "trust me, we won't do harm". Out of BB, Google and Apple, my personal trust is in BlackBerry. It's been shown time and time again, Apple TRIES really, really, hard, but epic fails over and over.

There are better write ups including the one by the initial researcher who counterpoints Apples response. This isn't it, this is just the first google hit. Unbreakable Apple's iMessage encryption is vulnerable to eavesdropping attack

[jefbeard911]

This is a good read. Thank you for posting. Hopefully it will get through to some of the blind devotees here.

Also: Blackberry needs to support OpenVPN soon or I may move on.

Posted via CB10

Re: OpenVPN. Agreed.

I'm using TorGuard now which is one of two I've found supporting IKEv2. The other is PureVPN. I happen to like TorGuard's privacy policy and methods better. Of course I'm paying a little ($30USD/6 months) for it but that's ok.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF