[Dodger52]

From my understanding the Indian government wanted access to a basic BBM SIP-TLS server(s) placed on Indian soil. All the rest of these servers are on Canadian soil.

Correct.

Posted via CB10

[richardat]

Just to verify Victoria is legit! I met her at CES 2013 and TM13 Launch Party. Plus she has been hefairly lpful to me via email in the past. Don't bug her gang, BUT she can and does get stuff done!

Brutal.

I was hoping that she was a fake and he reply fanboy tripe.

BB: Seriously, if your reply to this is going to be " who cares about security?.... And we appear to give you options for privacy. Get our business service for security! "

Then no reply is better. Appreciate bb responding there- really- but that kind of answer insults anyone who can parse it, and tacitly confirms the validity of the original assertions.

[gnirkatto]

Brutal.

I was hoping that she was a fake and he reply fanboy tripe.

BB: Seriously, if your reply to this is going to be " who cares about security?.... And we appear to give you options for privacy. Get our business service for security! "

Then no reply is better. Appreciate bb responding there- really- but that kind of answer insults anyone who can parse it, and tacitly confirms the validity of the original assertions.

Hmm...I'm not sure I understand what about her post made you mad - but maybe it is a language issue and I'm lacking ability to read between the lines (but in all honesty, I don't really think so)?

I think it is great that an official BB person responded. That does not happen very often. For me a sign that they take the issue seriously.
I understand that a first reply cannot contain acomplete answer in such an important and delicate matter. It would be grossly negligent of her to immediately shoot out an answer/counterstatement in the name of the company without discussing it internally first, and to maybe even acquire top management approval before releasing a statement.
I am not upset now.
I will start geting upset if - let's say - by 2nd half of next week still no statement will be available. Such corporate processes normally take even longer, but in this case, they should react a tad quicker, imho.

[LoneStarRed]

Dude ,
What exactly are you ranting about?

[gnirkatto]

Dude ,
What exactly are you ranting about?

Dude,
Which post exactly are you referring to?

[LoneStarRed]

Brutal.

I was hoping that she was a fake and he reply fanboy tripe.

BB: Seriously, if your reply to this is going to be " who cares about security?.... And we appear to give you options for privacy. Get our business service for security! "

Then no reply is better. Appreciate bb responding there- really- but that kind of answer insults anyone who can parse it, and tacitly confirms the validity of the original assertions.

Dude... this one.

[iN8ter]

As to your question why else they would announce this feature to be coming with BBM protected:
Because Now they are specifically targeting enterprise (the regulated markets) and are incorporating FIPS 140-2 approved encryption and incorporation with BES

As for the Privacy Policy that Stiftung points out while these concerns are legitimate in theory the practice of combining information from third party's is simply necessary for day to day operations.
For example when someone calls their carrier complaining about his or her carrier purchased BlackBerry not working as it should, this information is forwarded to BlackBerry along with the persons details BlackBerry may then combine this data with PIN info and/or BBID details to troubleshoot the problem.

Being a Law-Student finishing up his last year I can attest to the fact that the Privacy Policy of BlackBerry is one of the clearest, most transparent policies being used.

That being said I take this 'research' with a grain of salt for instance they are suggesting that the content of BBM iOS messages "might not be encrypted" but they don't even begin to explain as why they think it might not be encrypted


Posted via CB10

BlackBerry is adding Ads to Channels. It raises too many red flags to too many people there. A pure IM like WhatsApp doesn't need to do this, cause they don't even advertise in app.

This is why I hate bolting social services onto IM services/apps, how ever they are using the Google tactic to push Channels on the back of BBM.

Sent from my Galaxy Note 3 using Tapatalk

[AndiS1983]

No comments here from BlackBerry to BBM security so far? Please bring light into darkness. I want to know it exactly. I always thought that sending an invitation is similar to sending my public key - just simple PKI concept. Isn't it?

Posted via CB10

[gnirkatto]

Is this the response that we have been waiting for?

Yes, privacy and security matter to customers. BBM delivers on both. | Inside BlackBerry

What do you people think?

[bobo616]

No encryption so you still have to assume anybody could read your messages.

Posted via CB10

[aiharkness]

Not just anyone, but, yes, someone who can intercept the message and has the key. That latter is the issue. The key is the same for every BlackBerry on BIS and it apparently isn't much of a secret. So don't operate on the assumption that nobody can read your BBM but you and the recipient. Strictly speaking it isn't true.

[SirJes]

Wth, where are you all getting this from? , who has the key?...come on

Posted via CB10

[aiharkness]

Been discussed going on years now. Should not be news.

Let me search....

PIN encryption keys - Security Technical Overview - BlackBerry Enterprise Server - 5.0.2

"By default, each device uses the same global PIN encryption key....."


EDIT: I'm not worried, by the way. Just saying don't make BBM out to be more than it is. And don't make it out to be less than it is.

[Blty]

This is marketing stuff - I am interested in technical information about the security system.

[berryvic]

Hi everyone,
This will be a lengthy post - apologies. Sorry it took so long to get back on here with more info.

We have gone back to Stiftung Warentest - our PR lead from Germany, as well as a security expert we have in Germany are in talks with their testing team and we are learning a lot about their processes and educating their team on our security as well. It's going well. They are good to work with.

I will share below some of the pieces that we have provided them, and wanted to let everyone know that the teams at BlackBerry are working on a more comprehensive whitepaper around BBM. I do not have the dates for availability yet, but it's shaping up to be a pretty big doc, so it will take some time.

This whitepaper will offer insights and technical details greater than anything I have at my fingertips currently. We can update CrackBerry when we have the whitepaper ready.

In the meantime, here is some of what we have shared with Stiftung. We did this in a point/counterpoint format that we labeled as Q&A for ease of consumption...

Q: ‘Whether the BlackBerry Messenger uses an end-to-end encryption could not be verified clearly’
A: Data sent through BBM is secured using a series of encryption, scrambling and security measures.

Q: ‘At least the iOS version transmits user data but partially unencrypted’
A: Incorrect. User data is encrypted while in transit.

Q: ‘first and last name are shared from the app even with third parties [in the iOS version]’
A: Incorrect. The iOS version of BBM provides users with the option of using a ‘Find Friends’ feature in BBM so that the user may invite other individuals to become his/her BBM contact. If the BBM user chooses to use the Find Friends feature during the set up process, first and last names of potential BBM contacts that are shown within BBM to the user come from the user’s local address book (provided that the user gave the appropriate permissions). No personal identifiable information is displayed to another individual unless the BBM user sends a BBM invitation to another individual and both parties have agreed to be contacts.

Q: ‘user entered data, possibly including message content, they transmitted unencrypted [in the iOS version]’.
A: Incorrect. Messages are encrypted while in transit.

Q: ‘In addition, the email address of the user is encrypted and sent [in the iOS version]’.
A: Yes. User data collected as part of the set up process (name, email, date of birth, country, security question, answer and password) are encrypted when sent to BBM servers.

Q: ‘The Android version transfers user data in encrypted format … it transfers user name, password, first and last name, date of birth, home country, the email address, and security question & its answer’
A: Yes. User data collected as part of the set up process (name, email, date of birth, country, security question, answer and password) are encrypted when sent to BBM servers.

Q: ‘Both [iOS and Android] versions transmit address book entries, but only with the express consent of the user.’
A: Yes. As noted in the Terms of Service, BlackBerry services include “social” functionality that allows the user to make him/herself discoverable and connect with other individuals. The data is sent over a secure TLS connection between the smartphone and BBM servers.

Q: 'BBM can also be used if the user does not agree to the reading of his address book.'
A: Correct. While the ‘Find Friends’ feature is the easiest way to find and invite others to be your BBM contacts, it can be skipped and the user can simply start using BBM and manually invite other individuals to become BBM contacts.

Q: "BlackBerry may combine the information collected via the messenger with the knowledge about the user from other sources. In this way, the company can create accurate personality profiles and tailor advertising specifically to the users"
A: In the newest versions of BBM for iOS and Android, BlackBerry has included a social networking feature within BBM called BBM Channels that extends the user’s network beyond family and friendship circles, and enables the user to connect with people and communities that interest him/her. As is noted in the BBM Terms of Service, if the BBM user chooses to use BBM Channels, BlackBerry may use information like age, country and device type to help provide a personalized BBM Channels experience to BBM users. BBM users have the ability to disable features such as geo-tracking as well.

[bobo616]

Thanks for the information, the encryption is the concern for me as if the key is widely available then it weakens the whole security.

[gnirkatto]

@berryvic:
THank you for this information. I was already wondering if there is still work in progress....
I think everybody is looking forward to getting the whitepaper that you announced.
However, the most powerful response would be to convince Stiftung Warentest to release a corrective statement and/or an improved rating. The majority of people out there don't read Crackberry nor BBRY whitepapers, but they do get aware of what Stiftung Warentest or the media say.

[AndiS1983]

@berryvic Thanks for this post and this mass of direct statements. Can't wait to get this whitepaper.

Posted via CB10

[no-ri]

My sight of that topic: Statement Stiftung Warentest says BBM is less securing than other IMs is one more reason that prevent potential customers to change to BB. The mainstream of Smartphone customers doesn't really care for their data security. But the small number on people that care on their data could see BB as interesting platform. My experience as private user of BB therefore is:
Bought a BB Smartphone, shortly later there was the information in the media that BB send my email password to their server, obviously without encryption and without need! Later on I wanted to install a VPN tunnel between my BB10 Smartphone and my home router (Fritzbox = Most common private used router in Germany) and found out, that it isn't possible to install such a VPN between that devices! Now I read that forum posts and learned that there is no end to end encryption installed in BBM, the used encryption is said to be rater weak, as the same key is used for all users and is assumed to be revealed. In that situation I don't understand that the policy of BB is to install a E2E encryption only for business users, not for private customers. Independent to the Warentest assessment, I see that BB doesn't take their opportunity to be attractive for safety concerned private user.

[Anar Verdiyev]

Hey,

I wonder how I can set my birthday in BBM. If I click on myself where I can set my status, display name, etc I can also see my birthday but I can not change it. Anyway, the date I can see is wrong by one day. Where can I change it? Somewhere in BBM? In my ID settings? Or somewhere else in the phone settings? I use the Q10 with 10.2 but have never seen this before.


Posted via CB10

[CarbonKevin]

I'm going to have a stroke - they complain about security issues, then complain that BBM isn't open source?

I'm not a software person, but it seems open source software is the most prone to having security vulnerabilities discovered and exploited - yes, some people will report issues they find, but others will not. Depending on the goodwill of third parties is a ridiculous strategy for a secure messaging platform.

I suspect most of these so-called weaknesses are owing to the inherent vulnerabilities of iOS and Android more than anything. They don't seem to have much to complain about when it comes to BBM on a BlackBerry.

Posted via CB10

[aiharkness]

Open source is not inherently less secure.

Open source has its proponents, and it is a cause for some. Some see open source as good in and of itself and everything else as bad in and of itself, so in their perspective other than open source is to be avoided always.

[LoneStarRed]

BlackBerry Live announced for Cologne, Germany. Chen is not afraid to take the fight to wherever it is needed.

Posted via CB10

[z10baby]

I don't think Stiftung Warentest will issue an apology. berryvics rebbutal makes them look like fools who have made comments on technology in which they clearly had no understanding...

[LoneStarRed]

Don't need them to issue an apology. Just need some major players to see BlackBerry's rebuttal and BlackBerry security protocols and word will spread. Press WILL be invited.

Posted via CB10