[jefbeard911]

I

Anyways, if someone is belonging to any "persecuted minority" and doesn't live in a stable democracy: BBM is not for you (by design), sorry.

I appreciate your entire post but I will take issue with this...

Why shouldn't BlackBerry be a choice for someone in the "persecuted minority"? BlackBerry's reputation in these areas is one of a highly secure, trustworthy company (whether or not it's totally deserved - that's what we all are debating now). If anything, it's a naive view on their part and one that has led to some bad consequences. After all it was called the "BlackBerry Revolutuon".

One of the reasons I'm so passionate about coming clean with just how secure BlackBerry is and what others offer is the fact that misinformation can lead to imprisonment or worse if someeone in a less than democratic, lawful country is mistaken in just what is really secure and what is not.

I'm not sure if everyone understands just what using a globally shared crypto key in BBM means. It means that if your messages are redirected to another BlackBerry device they can be read as if it was the original phone. This is a big deal. This capability is not difficult for those who understand this stuff. Am I a likely target? Probably not. But others are.


Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[Superdupont 2_0]

Re: OpenVPN. Agreed.

I'm using TorGuard now which is one of two I've found supporting IKEv2.

I had a look at TorGuard once, but it seems they don't have NAT Firewall?
PureVPN offers a NAT Firewall (and charge a few bucks extra for that)

[sinkingphoenix]

Why isn't PGP the defacto standard everyone loves and uses? The problem is in key management. If a middleman is involved in storing and providing keys, you're vulnerable to them. Otherwise, you have to handle passwords and keys off channel, and that is just a pain in the ***.

Everyone is, "trust me, we won't do harm". Out of BB, Google and Apple, my personal trust is in BlackBerry. It's been shown time and time again, Apple TRIES really, really, hard, but epic fails over and over.

There are better write ups including the one by the initial researcher who counterpoints Apples response. This isn't it, this is just the first google hit. Unbreakable Apple's iMessage encryption is vulnerable to eavesdropping attack

The part that you highlighted and discussed is actually my signature and not part of the post, but that's hard to see in these forums. In any way, if you want to be truly secure you have to verify key fingerprints in person or over a third channel, trusting a company with the encryption key is not an option. The reason why it makes not much difference is that we cannot be sure that BlackBerry 10 doesn't have it's own backdoor, but in the discussion at hand, which is just about the messengers, BBM lacks in this very crucial department.

BlackBerry should give us S/MIME and PGP capabilities!

[Superdupont 2_0]

I'm not sure if everyone understands just what using a globally shared crypto key in BBM means. It means that if your messages are redirected to another BlackBerry device they can be read as if it was the original phone. This is a big deal.

Actually it is not a big deal.
Please take a look at page 15 of this paper and read under point 5.5

"However, the BBM app used certificate pinning for communication with the SIP server, meaning it has its own built-in list of trusted certificates. Because the signing certificate was not in there, and could not be imported in there without modifying the APK file, the app would not accept the wrong certificates."

Certificate pinning in combination with a robust TLS protocol and cipher suite is bulletproof.
I am convinced, if any LEA wants to read BBM traffic in 2014, they need the help from BBRY.

Only exception is BBOS devices when connected to a mobile network, that's the only scenario when TLS isn't used (and only the 3DES encryption key is used).
So you should either upgrade to BB 10 or buy an Android/Apple phone.


Finally:
iMessage and WhatsApp are lacking certificate pinning.

iMessage Privacy

Crypto weaknesses in WhatsApp ?the kind of stuff the NSA would love? | Ars Technica

[jefbeard911]

I had a look at TorGuard once, but it seems they don't have NAT Firewall?
PureVPN offers a NAT Firewall (and charge a few bucks extra for that)

Ah, not sure BUT I did get this email from them today offering a "Stealth mode" option for free.

From their email:

"TorGuard has recently engineered new ?Stealth? VPN connections that are guaranteed to bypass Deep Packet Inspection (DPI) firewalls or VPN blocks and provide invisible VPN access anywhere in the world. Stealth VPN options are provided to all clients at no additional charge and can be accessed by selecting a Stealth enabled server option on the TorGuard VPN app.

Unlike normal VPN traffic which can be filtered or blocked by an Internet Service Provider, TorGuard Stealth VPN service will appear as regular HTTP traffic making it virtually impossible to block or detect. This is accomplished with OpenVPN by wrapping the tunnel in a layer of obfuscation, which then transforms all data back into normal looking traffic. In this way, strict network admins or draconian ISP?s won?t be able to detect or even block VPN usage."

I don't have a preference either way who people choose, just sharing..

Cheers


Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[jefbeard911]

Actually it is not a big deal.
Please take a look at page 15 of this paper and read under point 5.5

"However, the BBM app used certificate pinning for communication with the SIP server, meaning it has its own built-in list of trusted certificates. Because the signing certificate was not in there, and could not be imported in there without modifying the APK file, the app would not accept the wrong certificates."

Certificate pinning in combination with a robust TLS protocol and cipher suite is bulletproof.
I am convinced, if any LEA wants to read BBM traffic in 2014, they need the help from BBRY.

Only exception is BBOS devices when connected to a mobile network, that's the only scenario when TLS isn't used (and only the 3DES encryption key is used).
So you should either upgrade to BB 10 or buy an Android/Apple phone.


Finally:
iMessage and WhatsApp are lacking certificate pinning.

iMessage Privacy

Crypto weaknesses in WhatsApp ?the kind of stuff the NSA would love? | Ars Technica

Will check it out . Always looking to learn.
Thanks!

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[RubberChicken76]

Exactly this. The government couldn't access BBM communications so they forced RIM to install a server that they can monitor in India or be banned.

Is there a source for this? I've heard people say this before and articles suggest this before, but it seemed to be more of a rumour mill thing, vs. a "known fact".


I don't think, honestly, any of us would have any clue about what Apple, Google or anyone else discuss with governments in this capacity. it would be pretty high ranking discussions on both sides.

[Superdupont 2_0]

Ah, not sure BUT I did get this email from them today offering a "Stealth mode" option for free. ...

The stealth mode means only that your ip is no longer associated with a VPN service.

What you want is NAT-Firewall and here is why:

https://www.bestvpn.com/blog/4246/wh...-nat-firewall/

[jefbeard911]

This is not a rumor. It happened. I will do my best to find a source link.

[jefbeard911]

Thanks! I was unaware of this.

I did some checking on Torguard's website and found that they support pfsense. I am not an expert but it seems their config guide allows you to set up a NAT firewall using pfsense.

How to Setup pfsense with TorGuard OpenVPN | TorGuard Anonymous VPN & Proxy.

Is this what you mean?

[Superdupont 2_0]

Thanks! I was unaware of this.

I did some checking on Torguard's website and found that they support pfsense. I am not an expert but it seems their config guide allows you to set up a NAT firewall using pfsense.

How to Setup pfsense with TorGuard OpenVPN | TorGuard Anonymous VPN & Proxy.

Is this what you mean?

This set-up guide for devices with OpenVPN won't help you.
I think you should contact TorGuard.
If they wouldn't be able to say straight: "Yes, a NAT Firwall is enabled"...then you know that all ports on their server are open and will forward all request unfiltered to your Berry.

If you want to check your own router at home:
https://pentest-tools.com/discovery-...r-online-nmap#

https://www.grc.com/x/ne.dll?rh1dkyd2

... you hopefully find that all ports of your router are closed, but that doesn't help you if your computer/smartphone/tablet is connected to a VPN server, because your router cannot check the encrypted VPN traffic .

[jefbeard911]

This set-up guide for devices with OpenVPN won't help you.
I think you should contact TorGuard.
If they wouldn't be able to say straight: "Yes, a NAT Firwall is enabled"...then you know that all ports on their server are open and will forward all request unfiltered to your Berry.

If you want to check your own router at home:
https://pentest-tools.com/discovery-...r-online-nmap#

https://www.grc.com/x/ne.dll?rh1dkyd2

... you hopefully find that all ports of your router are closed, but that doesn't help you if your computer/smartphone/tablet is connected to a VPN server, because your router cannot check the encrypted VPN traffic .

Understood.

Thanks!

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[jefbeard911]

By the way. One of the reasons (besides the fact they offer IKEv2) that I selected TorGuard is the fact that they don't keep logs and take privacy seriously. Of course anyone can say that but Torrentfreak was pretty favorable to them, as well as PureVPN.

Sent from my awesome BlackBerry Z3 running BlackBerry 10 - 2BBEAACF

[sinkingphoenix]

This stuff is off-topic, please keep this thread on track.

BlackBerry should give us S/MIME and PGP capabilities!

[Superdupont 2_0]

BlackBerry should give us S/MIME and PGP capabilities!

Yeah, basically I hope consumers will get BBM Protected as a paid feature in 2015, at least for BB 10.
BBRY should have a sharp look at competitors like Threema.

[Old_Mil]

I like the EFF and the issues they raise should be important to one degree or another to everyone.

It's interesting that they rate Facetime and iMessage the most secure of the big corporate messaging services, Google the worst and Berry in between. But a few of the areas that the Apple products do well in (Is the code open to independent review? Is security design properly documented? Has the code been audited?) is pretty subjective.

[Bluenoser63]

I like the EFF and the issues they raise should be important to one degree or another to everyone.

It's interesting that they rate Facetime and iMessage the most secure of the big corporate messaging services, Google the worst and Berry in between. But a few of the areas that the Apple products do well in (Is the code open to independent review? Is security design properly documented? Has the code been audited?) is pretty subjective.

I highly doubt that Apple allowed an independent auditor to come in and check in the iMessage code.

EFF is OK, but they are a black and white and the world isn't. EFF is against laws that punish people for for actions revenge porn. They want privacy to be absolute, even if it protected criminals and terrorists. That is black and white.

[Superdupont 2_0]

I like the EFF and the issues they raise should be important to one degree or another to everyone.

It's interesting that they rate Facetime and iMessage the most secure of the big corporate messaging services .

It's helpful to read the introduction above the scorecard:
"Blablabla....As such, the results in the scorecard below should not be read as endorsements of individual tools or guarantees of their security; they are merely indications that the projects are on the right track."

BBM Protected is definitely on the right track, and I hope EFF will revise their rating.

BBM for consumers is perhaps not on the right track ( I don't know if Forward Secrecy is used, perhaps EFF doesn't know either), though such points could be easily improved by BlackBerry.

However, it will be interesting to watch phases 2,3.. of this project..

[heading4tomorrow]

The lack of responses in this thread shows how much the new Blackberry user base cares about security...

[anon62607]

2) With bbm protected "sender and recipient have unique public/private encryption and signing keys.". So why exactly can't I verify the idendities of my contacts?!?

I think that is actually referring to providing an out of band method of verifying the key fingerprints to know that you aren't being man-in-the-middled. With Threema, for example, a QR code representation of the fingerprint can be displayed which is then scanned by your contact's phone when you are in physical proximity to the contact. So identity verification really means "verify that the key that I am encrypting to really belongs to the contact I am sending to" in this context, I think

[anon62607]

Actually it is not a big deal.

Certificate pinning in combination with a robust TLS protocol and cipher suite is bulletproof.
I am convinced, if any LEA wants to read BBM traffic in 2014, they need the help from BBRY.

I think the more concerning thing (and what is covered in the EFF checklist) is that, as is mentioned on page 16, 6.2.2 of your link, "All messaging in the BlackBerry Messenger app runs through this server. Within theTLS 1.0 tunnel, cleartext messages are sent with a sender and receiver in the header. " - it's sort of a secure messaging no-no to allow the plaintext to exist anywhere except in the memory of the source device and the target device.

To me it appears that when a BBM is sent, the message is sent via TLS to a server where it passes in unencrypted form (and perhaps waits in unencrypted form to be relayed to the target device, where it is then once again sent from sever to target device via TLS.

I think the goal of the EFF scorecard is to inform where the weaknesses are - BlackBerry Messenger does do an adequate job (based on your link) of providing assurance that the BlackBerry Messenger device is talking to the server it's intending to talk to and that is reflected in the scorecard that messages are encrypted in transit.

also, thanks for posting that analysis of BlackBerry Messenger (on android), interesting reading.

[Superdupont 2_0]

... With Threema, for example, a QR code representation of the fingerprint can be displayed which is then scanned by your contact's phone when you are in physical proximity to the contact...

Okay, challenge accepted.

Please read page 13 of the whitepaper

[...]

"2. The initiator chooses or autogenerates a secret password and sends this out-of-band to the recipient using an SMS text
message, email, phone call, or in person"

[...]

"4. The recipient responds to the invitation and provides the highest version of BBM Protected that the recipient supports, proof that they know the secret password, and the recipient's long-lived public encryption and signing keys."

I think your understanding of the EFF criterion is correct.
Nevertheless, I don't understand why BBM Protected should fail here.

[Jose Casiano]

http://www.dhabkirkdesigns.com/2014/...cure-imessage/

Posted via CB10

[bbjdog]

Reading material for the clan.
BlackBerry Ltd (BBRY): BBM is Security that Can be Trusted

[Superdupont 2_0]

I think the more concerning thing [...] - it's sort of a secure messaging no-no to allow the plaintext to exist anywhere except in the memory of the source device and the target device.

Now you are talking about BBM for consumers, not BBM Protected.

Last time when I switched my BB 10 device all my BBM messages were lost (I didn't back up on my pc).
Afaik, BBM messages are never stored on the server.
The server is just forwarding traffic between the two clients.

Of course, we all know that BlackBerry has the perfect MITM position and could read this traffic, however, nobody else can read this traffic!
That's the point. So it all comes down to the question:
Do you think that BBRY will respect your privacy and defend your human rights against shameless requests from all these spying agencies all over the globe?

[...] providing assurance that the BlackBerry Messenger device is talking to the server it's intending to talk to and that is reflected in the scorecard that messages are encrypted in transit.

Yes, agree, but I didn't criticized this point.
I am afraid that the Security Note on consumer grade BBM wasn't detailed enough, so BBRY lost categories "Forward Secrecy" and "Proper Documentation"...if they just would have added a few more words on the applied crypto.