1. gnirkatto's Avatar
    I think this German company should show proof, physical proof via video.
    They won't, but this won't change anything.
    An estimated 99.8% of all people who take notice of what they are saying believe them and do not want to dig into details.
    02-27-14 03:07 PM
  2. LoneStarRed's Avatar
    I've been following this thread with interest. Please, before some of you react emotionally, defend BBM and diminish Stiftung Warentest, understand the main point our German speaking friends are making! That point is this: Stiftung Warentest is THE standard for many who see themselves as "logical decision makers first and emotional decision makers second" (at the risk of being stereotypical) i.e. Germans. Yes we can engage in LOTS of debate here but let's keep moving. Companies live and die by their verdicts. So the FIRST order of business is to adroitly react to the Stiftung Warentest piece and minimize the damage if it is deemed as priority.

    They are the German version of the American testing agency Consumer Reports. Obviously testing a toaster, vacuum cleaner or washing machine is not the same as testing the end to end encryption of electronic messages. Many such organizations are susceptible to hubris and can be reluctant to acknowledge their shortcomings of expertise in very specialized areas such as electronic message traffic. So be it. Blackberry's primary mission is to get its own message out if it is deemed profitable to do so. That may not always mean immediate and direct refuting of Stiftung Warentest's findings. As SW enjoys credibility in the mind of the consumer a direct attack can be very counter productive. In the past I would not be confident that BB would handle this matter adroitly. Today, I think we are in good hands. Valid questions were raised in the minds of consumers and must be addressed by BB if they intend to see growth in that market. Let's "watch this space" to see how BB responds.

    As a very new CB forum member, I am encouraged to see the passion that members here exhibit for BB. I have reposted the link to the Globe and Mail about BBM.

    ‘Incredible demand’ for BlackBerry’s BBM service - The Globe and Mail
    georg4BB and masque2 like this.
    02-27-14 03:17 PM
  3. gdarmy's Avatar
    They won't, but this won't change anything.
    An estimated 99.8% of all people who take notice of what they are saying believe them and do not want to dig into details.
    I've bluntly asked that German review company if they have a video showing any vulnerabilities on BBM 2.0 iOS/android apps including getting information via SIP-TLS tunnel to BBM servers. If they are bluffing, people should call their bluff. If they are not bluffing then BBM coders have some work to do.
    02-27-14 03:29 PM
  4. gnirkatto's Avatar
    I've bluntly asked that German review company if they have a video showing any vulnerabilities on BBM 2.0 iOS/android apps including getting information via SIP-TLS tunnel to BBM servers. If they are bluffing, people should call their bluff. If they are not bluffing then BBM coders have some work to do.
    I'm looking forward to their answer!
    Chances are low, but it's worth the try.
    02-27-14 03:41 PM
  5. gdarmy's Avatar
    I'm looking forward to their answer!
    Chances are low, but it's worth the try.
    Hopefully they will respond back in the open on their twitter feed.
    02-27-14 03:44 PM
  6. Q10Bold's Avatar
    Hi everyone, it's Victoria from the BBM team at BlackBerry. We’ve seen this article and we are working on correcting any inaccuracies, and at the very least shedding better light on some of the info from the article.

    There are a few really important points being made on this thread so far. One is that when it comes to consumer messaging, people are often more concerned with privacy and protection of personal info than security.... We are very much about putting control of personal information back into our users' hands. We shouldn't be able to share your personal information with other people, just because they have you in a contact list, thus the PIN (or email or NFC or barcode, if you prefer) for inviting and sharing. You should be able to decide if you want to BBM and chat with someone, so we have a double opt-in. We let you decide what Channels you want to follow or want info on. We give options for users to choose how they want to see updates - all, contacts, or just channels. And we layer this on the security we have in BBM. I will circle back with more info on that in greater detail, but we are fact checking first.

    For the enterprise, we offer a variety of services and policies to help them manage BBM and with BBM Protected we will offer enhanced encryption as a policy for regulated comms. (Best part? One instance of BBM gives you regulated level encryption and comms for your internal contacts, while still giving access to external contacts with our regular levels of security and control.) We also have policies around logging and auditing already for compliance industries and highly competitive IP industries. We get that they have those needs and we work to provide options to them and their employees.

    We're not slowing down and we're continuing to look at the needs of all of our users, in all walks of their lives.

    Again, I will share more as I have it. Thanks for your continued support. I'm @berryvic on twitter and I'm vberry at blackberry dot com (I am trusting the CrackBerry community with my email and I'm pretty conservative about that usually, even though I'm in PR) and you can always reach out to me. I may not always have an answer and I may not always respond as quickly as you would like, but I always read my emails (on my BlackBerry - how could I not???).

    Hi. I've converted over 20 users to BBM and over 5 users to buy a new BB10 phone.
    I hope you are real (if yes, it would be awesome), so please, PR BlackBerry BBM Lady, make some clear moves out here in Europe/Germany/Poland. Just show the great BB10 experience and some of the great features!! We/the whole BB fans/company need this.
    Thanks


    Posted via BlackBerry Q10Bold
    Last edited by pkcable; 02-28-14 at 05:47 PM.
    georg4BB likes this.
    02-27-14 04:36 PM
  7. phsieben's Avatar
    Just to clarify, the Stiftung Warentest does not do hacking. They look at the terms & conditions for the customer here (only the legal situation - What do all these competitors do with our personal information?). For the hacking look for Chaos Computer Club. This test, unfortunately, was performed in a way that does not match the importance of the topic. The conclusion this leads to is the problem.

    I remember a slew of tests including Apple products. They never won although they were the best products on the market at the time with the best user experience. They may not like BBRY but they certainly hate Apple with a vengeance. Now guess which products I bought? I am very happy with them.
    georg4BB and LoneStarRed like this.
    02-27-14 04:37 PM
  8. NephrenKa667's Avatar
    One more thing.
    Why did I start this thread in the first place?
    Over the last few days and weeks, I tried to convert as many people to BBM as possible. A tough job, as many of you will understand.
    It's mainly the partly clumsy handling and the unclear & confusing invitation/acceptance process that is BBM inherent, that made these people hesitate.

    So a lot of personal effort was spent by myself in order to convince my friends, and finally most of them agreed, with only a few exceptions, who refused, mainly because they found "...BBM handling to suck big time....".
    My main argument was always that BB invented this type of service, and that data will be much safer than on any other platform, encryption, no data misuse, etc. etc. blablabla. Some of my friends already started calling me Mr. BBM Sales Rep.

    And then this "review" gets published. My friends who I converted keep on sending me this on a regular basis. Some being sarcastic, some just wanting to know the truth.

    So this is what I would like to get as well. Solid information on whether or not these claims are correct, to help me to preserve my friends as BBM users. Or, to leave for something else, being frustrated by the absence of valid and useful information.
    gnirkatto, I hear you! Same with me here. It's hard enough to get people to use BBM here in Germany, but this test coming from a well-known and well-established company, destroys whatever small faith people had in BBM when you finally convinced them to change to the "best" messenger there is out there. All this nagging not to change to threema and all these other messengers, but to give BBM a try, has been quite for nothing. The German tech blogs, which are mostly run by people using iOS and Android, now state that BBM is not an option any longer. As a consequence, BBM is out of the race here.

    This then also reflects on BB as a whole. Why buy a new BB z10, q10 or whatever if the only thing this device maker has always been famous for is actually not true or at least questionable if you trust the article in any way.

    Still glad to see, that there are some other loyal BB users out there struggling in the same fashion.
    02-27-14 11:32 PM
  9. bobo616's Avatar
    I have come to the conclusion that no messages I send from my phone by whatever means can't be read so the safest thing I can do is limit the information I send.

    Posted via CB10
    gdarmy likes this.
    02-28-14 02:00 AM
  10. georg4BB's Avatar
    I want again to clarify the situation in Germany a bit: The by far biggest IMS is WhatsApp. But a strong minority who uses WhatsApp cares about privacy and is ready to switch to another IMS after the FB deal. The media is full of articles about alternatives to WhatsApp and many people are switching right now - not the masses, sure.
    The SW review makes them switch NOT to BBM for sure. As stated above, the SW is NOT a random magazine. It's much more important and a bad review can damage a business.
    Blty likes this.
    02-28-14 02:33 AM
  11. Dodger52's Avatar
    They haven't done a video review. What points are you skeptic about? This review was purely about privacy/security matters. You could check out BBMs terms and conditions and find their criticism about them valid.

    And about the lack of end-to-end encryption: Why else should they announce this security feature to be coming with BBM Protected if it already was there? And how else could BlackBerry have helped authorities by granting them access to messages (again: not BES connected BBM only)? That wouldn't have been possible with end-to-end encryption: Even if BlackBerry would want to help, they couldn't read the messages as only the one sending and the one receiving it have the key to access it.
    As to your question why else they would announce this feature to be coming with BBM Protected:
    Because now they are specifically targeting enterprise (the regulated markets) and are incorporating FIPS 140-2 approved encryption and incorporation with BES.

    As for the Privacy Policy that Stiftung points out: while these concerns are legitimate in theory, the practice of combining information from third parties is simply necessary for day to day operations.
    For example, when someone calls their carrier complaining about his or her carrier purchased BlackBerry not working as it should, this information is forwarded to BlackBerry along with the person's details. BlackBerry may then combine this data with PIN info and/or BBID details to troubleshoot the problem.

    Being a law student finishing up his last year, I can attest to the fact that the Privacy Policy of BlackBerry is one of the clearest, most transparent policies being used.

    That being said, I take this 'research' with a grain of salt. For instance, they are suggesting that the content of BBM iOS messages "might not be encrypted" but they don't even begin to explain why they think it might not be encrypted.


    Posted via CB10
    Last edited by Dodger52; 02-28-14 at 05:12 PM.
    02-28-14 04:57 PM
  12. anon2100101's Avatar
    The problem is a typically German one. We Germans love traditional truths because they relieve everybody of thinking autonomously. In the meantime Stiftung Warentest has become an untouchable institution like the TÜV Rheinland (Germans know what I'm talking about). But besides the fact that the TÜV Rheinland has an unspoken affinity to Siemens and the German economy, Stiftung Warentest isn't competent in all questions! They are known for absurd test arrangements, and in the meantime some companies with damaged reputations have had the courage to file a suit against the seemingly objective test results. But it's like offending a figure of a saint.... Besides this, Germans are absolutely contradictory and subservient to authority. BEFORE our chancellor Angela Merkel discovered that the NSA spied on her telephone, even the government wasn't interested in this problem. But now everybody upsets the apple cart.... BEFORE Stiftung Warentest published the test results nobody cared about WhatsApp, Facebook and all this bullsh+t. But now everybody is an expert professional for data security... This kind of manner reminds me of other German habits: anybody allegedly knows anything about what happened between 1933 and 1945 with the Jewish neighbor who disappeared suddenly.... and most of these ignorant Germans told us (AFTER 1945) that they were all actually members of the resistance...
    Same now - all the sheep of WhatsApp, Facebook, PayBack, etc. suddenly are interested in data safety.... But wait two weeks - the next news (about a new food outrage or sexual lapse of a celebrity, for example) will make this test forgotten.... But for now Germans are pizzed by BBM...
    02-28-14 05:20 PM
  13. pkcable's Avatar
    Just to verify Victoria is legit! I met her at CES 2013 and TM13 Launch Party. Plus she has been helpful to me via email in the past. Don't bug her gang, BUT she can and does get stuff done!
    02-28-14 05:50 PM
  14. Pete The Penguin's Avatar
    Stiftung Warentest is a well known German testing and rating agency for all kinds of goods, like cars, toasters, cameras, food, phones, software/apps etc. Just a few hours ago, they published a review on a couple of Whatsapp Alternatives. One of them was BBM. It received the worst rating available, "very critical", the same as Whatsapp! I will try to translate and highlight their key arguments:

    • it could not be clarified if BBM uses end-to-end encryption.
    • the iOS-version transfers user data partly unencrypted.
    • the iOS version forwards first and last names to others.
    • the iOS version potentially transfers message content without encryption.
    • the iOS version transfers the email id of the user in encrypted format.
    • the Android version transfers user data in encrypted format
    • the Android version transfers user name, password, first and last name, date of birth, home country, security question & answer
    • both versions transfer address book entries, but only with the user agreeing explicitly.
    • one can also use BBM if the user does not allow the address book data to be read.
    • the Ts&Cs the user has to agree to contain a couple of problematic clauses.
    • collected data can be combined with data from other sources
    • the company (BBRY) can easily create personal profiles and tailor advertising campaigns accordingly
    • BBRY leaves it open, which information will be shared with who.
    • the app is not open source, therefore it couldn't be clarified which other data is being transferred

    Well. 1st of all don't shoot me, I'm just the messenger. I don't believe everything that they said, but can't prove all of it to be wrong. All I know is that giving BBM the same disastrous rating as Whatsapp is just plain BS & outright ridiculous.
    The problem is, as always, that 99.9% of all users who read this will not dig into the details and just put BBM into a box with all the almost criminal organizations that steal, misuse or sell data.

    By the way, the other messengers that were tested got the following ratings: Threema (not critical), Telegram (critical), Line (very critical), Whatsapp (very critical).
    BlackBerry have never said BBM is encrypted, they have said it's more 'scrambled'.
    02-28-14 06:14 PM
  15. BCITMike's Avatar
    BlackBerry have never said BBM is encrypted, they have said it's more 'scrambled'.
    That's exactly what I was going to say. This came up a year ago when Canadian government spoke about it. I'd like to know if people can quote BlackBerry or show advertising saying it was encrypted so we know what expectations were set. The fact that the press release talking about encryption in eBBM wasn't a clue about this?

    Edit: The Globe and Mail story says "What makes BBM different from regular SMS? For one, the application encrypts data traffic in transit between the BlackBerry Server and BlackBerry devices automatically."

    After reading that report, and the lack of details, I can easily say it DOES NOT compare to a Consumer Reports report (in many, many ways). Perhaps that was a special quick summary and there are more details and better criteria than that.

    " The Android version transmits user data, although only encrypted, but much more inquisitive: they sent a username and password, first and last name, date of birth, country of origin, the email address and security question and its answer."

    This is a translation, but if it's encrypted, why is date of birth sent (and how can they tell)? Do you even need to enter date of birth anywhere to sign up for BlackBerry ID? I don't recall, and if I did, it certainly wasn't my real date of birth.

    Hehe, the date of birth thing could be a 'feature', so you can wish a friend a happy birthday.
    Last edited by BCITMike; 02-28-14 at 09:55 PM.
    Pete The Penguin likes this.
    02-28-14 09:34 PM
  16. gnirkatto's Avatar
    Just to verify Victoria is legit! I met her at CES 2013 and TM13 Launch Party. Plus she has been helpful to me via email in the past. Don't bug her gang, BUT she can and does get stuff done!
    I can confirm that.
    She PMed me, telling that the teams at BB are working on a fact sheet to help dealing with these statements.
    Great to hear from BB, and I'm looking forward to that.
    Sorry for questioning her authenticity in the first place, but there are so many nuts out there ....
    03-01-14 09:12 AM
  17. gnirkatto's Avatar
    BlackBerry have never said BBM is encrypted, they have said it's more 'scrambled'.
    I kinda understand such companies not wanting to disclose too many details on their encryption (or "scrambling") technologies.
    However, in this case, BB needs to say something, or the damage will get even bigger.

    I found this on the internet, it looked real, might be old news for many, but others might be interested:


    • Every BBM device carries a unique key that is only known by itself and the BB server.
    • As a BBM message gets sent, the device encrypts it, according to this key.
    • The BB server's job then is to "recrypt" the message according to the receiver's key, and to pass it on.
    • Only the receiver's device can decrypt it.
    • A BBM message NEVER gets decrypted outside of the BB server's firewalls. And on the receiving device, of course.


    IT gurus pls forgive me if that is a well known process which has a professionally sounding name - which I don't know.
    I think that if the keys get replaced from time to time, and if the encryption/decryption algorithms are professional grade quality, this should be pretty safe - for a messaging app. The likelihood for someone to be able to steal key, algorithm and message from a BB device at the same time is small, imho.
    However, to me this makes sense for now, and I hope for the details that BB is going to publish to confirm that in one way or the other.
    BCITMike likes this.
    03-01-14 09:32 AM
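
The relay scheme listed in the post above, next to an end-to-end exchange, as an added example that is not part of the original thread and is not BlackBerry's code or protocol. `RelayServer`, `seal`/`unseal` and the `PIN-A`/`PIN-B` names are hypothetical, the cipher is a standard-library stand-in for a real authenticated cipher, and the end-to-end key is assumed to be already agreed between the two devices.

```python
# Added illustration only. seal()/unseal() are a stdlib stand-in for a real
# authenticated cipher (assumption) and are not meant for production use.
import hashlib, hmac, os

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified message")
    return _xor_stream(_subkey(key, b"enc"), nonce, ct)

class RelayServer:
    """Hypothetical server that holds one key per registered device."""
    def __init__(self):
        self.device_keys = {}
        self.plaintexts_seen = []

    def register(self, pin):
        self.device_keys[pin] = os.urandom(32)
        return self.device_keys[pin]

    def recrypt(self, sender, recipient, blob):
        # Per-device-key model: the server has to decrypt before re-encrypting,
        # so the cleartext exists on the server at this point.
        message = unseal(self.device_keys[sender], blob)
        self.plaintexts_seen.append(message)
        return seal(self.device_keys[recipient], message)

    def try_read(self, blob):
        # What the server can recover from a blob using only the keys it holds.
        for key in self.device_keys.values():
            try:
                return unseal(key, blob)
            except ValueError:
                continue
        return None

def compare_models(message=b"constructed sample message"):
    server = RelayServer()
    key_a, key_b = server.register("PIN-A"), server.register("PIN-B")

    # Model 1: the scheme from the post (device -> server -> device).
    relayed = server.recrypt("PIN-A", "PIN-B", seal(key_a, message))
    relay_ok = unseal(key_b, relayed) == message

    # Model 2: end-to-end; the key is known only to the two devices.
    key_ab = os.urandom(32)
    e2e_blob = seal(key_ab, message)
    e2e_ok = unseal(key_ab, e2e_blob) == message

    return {
        "relay_delivered": relay_ok,
        "server_saw_relay_plaintext": message in server.plaintexts_seen,
        "e2e_delivered": e2e_ok,
        "server_can_read_e2e": server.try_read(e2e_blob) is not None,
    }

if __name__ == "__main__":
    print(compare_models())
```
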
  18. gnirkatto's Avatar
    This is a translation, but if it's encrypted, why is date of birth sent (and how can they tell)? Do you even need to enter date of birth anywhere to sign up for BlackBerry ID? I don't recall, and if I did, it certainly wasn't my real date of birth.

    Hehe, the date of birth thing could be a 'feature', so you can wish a friend a happy birthday.
    To enter a birth date is optional, at least on Android. I helped a friend to register the other day.
    Maybe they referred to that in their "review", as the data has to be transferred somewhere, at least once, if entered.
    BCITMike likes this.
    03-01-14 09:36 AM
  19. norrynew's Avatar
    Not every newspaper is so uncritical of Stiftung Warentest. Sorry, it is in German.
    http://nordhessen-rundschau.de/it-ne...omment-page-1/

    Posted via CB10
    03-01-14 11:43 AM
  20. gnirkatto's Avatar
    Not every newspaper is so uncritical of Stiftung Warentest. Sorry, it is in German.
    Messenger: Warum ein Warentest nicht unbedingt ein wahrer Test ist - Seite 1

    Posted via CB10
    Many thanks for this, norrynew.
    This is an excellent article that criticizes the testing methods of Stiftung Warentest as nonprofessional, and many of the negative statements that they made on BBM as false! And this, based upon facts and serious questions on the statements that they made, not just by ridiculing them.
    Unfortunately it is too much for me to translate, but I encourage everybody with German language skills to read it, or to get it translated. It's worth it!

    I will definitely forward it to all the many BBM friends of mine who started laughing at me after the Stiftung Warentest "review" got published.
    Last edited by gnirkatto; 03-01-14 at 12:16 PM.
    03-01-14 12:01 PM
  21. gdarmy's Avatar
    Not every newspaper is so uncritical of Stiftung Warentest. Sorry, it is in German.
    http://nordhessen-rundschau.de/it-ne...omment-page-1/

    Posted via CB10
    Finally a German newspaper shedding light on the misinformation about BBM security. BBM is an extremely secure professional IM for cross-platforms.
    03-01-14 12:17 PM
  22. Rjinswand's Avatar
    Not every newspaper is so uncritical of Stiftung Warentest. Sorry, it is in German.
    http://nordhessen-rundschau.de/it-ne...omment-page-1/

    Posted via CB10
    The example for BBM security they give (Indian government) is misleading. That was actually about the government wanting to access data of devices connected through BES and BlackBerry argued that they simply can't grant access since they can't access it themselves. As already stated, you can choose your own key on a BES server.

    As seen in the London protests, BlackBerry cooperated with authorities regarding the standard, non BES connected BBM.
    03-01-14 12:22 PM
  23. norrynew's Avatar
    Maybe I am wrong, but what I understand is that in India there is a server in this country for BBM and BIS for the government to listen. But in BES there is no way for BlackBerry to share the info, because you will use no BlackBerry server; instead you use your own server. So for my understanding it is not misleading.

    Posted via CB10
    03-01-14 02:07 PM
  24. Dodger52's Avatar
    The example for BBM security they give (Indian government) is misleading. That was actually about the government wanting to access data of devices connected through BES and BlackBerry argued that they simply can't grant access since they can't access it themselves. As already stated, you can choose your own key on a BES server.

    As seen in the London protests, BlackBerry cooperated with authorities regarding the standard, non BES connected BBM.
    Untrue, the example about the Indian government is actually spot on. The Indian government wanted, and did in the end get, access to the BBM over BIS. Since they couldn't decrypt and/or get access to BBM over BIS themselves.

    Our very own Chris Umiastowski explained this a couple of years back:
    http://crackberry.com/indian-governm...p-bbm-messages

    Posted via CB10
    03-01-14 02:35 PM
  25. gdarmy's Avatar
    Untrue, the example about the Indian government is actually spot on. The Indian government wanted, and did in the end get, access to the BBM over BIS. Since they couldn't decrypt BBM over BIS themselves.

    Our very own Chris Umiastowski explained this a couple of years back:
    http://crackberry.com/indian-governm...p-bbm-messages

    Posted via CB10
    From my understanding the Indian government wanted access to a basic BBM SIP-TLS server(s) placed on Indian soil. All the rest of these servers are on Canadian soil.
    03-01-14 02:45 PM