Is Apple more secure than BlackBerry?
- I'm on a password locked BlackBerry 10, my device and media card files are encrypted, and I am still confident that no "law enforcement" up to state police levels (I'll even speculate to FBI level) will get meaningful access to those encrypted files even with BlackBerry's help.
02-26-16 10:16 PM
- I'm on a password locked BlackBerry 10, my device and media card files are encrypted, and I am still confident that no "law enforcement" up to state police levels (I'll even speculate to FBI level) will get meaningful access to those encrypted files even with BlackBerry's help.
Posted via the CrackBerry App for Android
02-26-16 11:33 PM
- That is not really a conclusion that you can draw from that article.
All he said was that BlackBerry does not save the text of the message sent.
Here we are talking about files encrypted on the phone that may never be sent out through BBM, email, sftp, or whatever.
If BlackBerry or NSA, or CSICS, or GCHQ, or the FSB (Russian secret service) or Chinese Secret service or whatever secret service can get into the phone and decrypt and extract those files, it is definitely a backdoor.
"However, it is also true that corporations must reject attempts by federal agencies to overstep. BlackBerry has refused to place backdoors in its devices and software."
I believe that when he says backdoors it is also backdoors for BlackBerry to our devices if encrypted and password protected.
Posted via CB10
02-27-16 01:37 AM
- I wish they were that smart, but 9-11 and all the terrorism and mass shootings in US prove otherwise.
02-27-16 01:38 AM
- It's hilarious to see some paranoid posters on here, world leaders use Blackberry phones to communicate every day and we have a few individuals on this forum feeling the phones aren't secure enough for their own use LOL. Time to make some more popcorn and put up my feet.
02-27-16 03:05 AM
- Well, the world leaders are not geeks. They most likely use their phones to talk and message, and not much else.
They likely have more secure communications than us, but they shouldn't.
Besides, as we have seen with Angela Merkel's phone, they aren't that secure either. I am pretty sure the NSA can break into Obama's phone and monitor his communications as they most likely do with those of congressmen. Remember Watergate?
Some of us use our phones as laptops, unlike world leaders, some of us actually create IP on our mobile laptops, don't just consume, or use apps, or listen to advisors to tell us what happened in the world today and what is new.
Just because some want to use a large laptop for work (old school), does not mean that everyone is like that. Besides these days, a laptop is almost as hackable and has as many backdoors as a cellphone if connected to the Internet. So you cannot really protect your IP even on a laptop.
So I can see how Obama does not need his device encrypted, maybe only his phone calls and messages. I doubt he creates strategic plans for the South China Sea on his phone.
Second, all men are created equal, even world leaders. They are public figures. They were elected to SERVE. We pay them. If anything, we should all be able to monitor what they do and what they say.
It's a matter of principle. BlackBerry should not intentionally make my phone less secure than the one they give to Obama. Sure, the NSA or whoever then takes that phone and modifies it to add extra protection, but that is a different matter altogether.
Here we are talking about phone companies that intentionally leave backdoors such that the phones of everyone in the public can be decrypted if needed.
We are all considered terrorists and not to be trusted.
A government or state who does that has already lost the trust of its citizens.
That is already a failed state. That's what happened to the former communist countries in Eastern Europe.
Their security services spied on everyone and assumed everyone was a potential terrorist and a threat to the state.
So, to summarize a long posting, this is a matter of principle.
In Canada, the privacy law is the same for everyone, including the prime minister.
It was his dad who said " the state has no business in the bedrooms of the nation".
We can extend that now to the smartphones and computers of the nation. They are just as private as the bedroom, more so because they contain a lot of what we think, who we are, what was only in our brains before.
Short of torture, there was no way to get into our brains, even with a legal warrant.
Last edited by sorinv; 02-27-16 at 04:19 AM.
02-27-16 03:31 AM
- I see it now. The encryption only works for some people and its efficiency changes with the content of the information on your phone which is known a priori, before they decrypt the file, to the security agencies.
I wish they were that smart, but 9-11 and all the terrorism and mass shootings in US prove otherwise.
If local police and FBI had any chance to crack BlackBerry, it would be well known as these things are discussed openly on forensic forums. The companies that serve as vendors to police and attorneys, those manufacturers who make the tools and the forensic labs who offer the services would be bragging about the capability as they have been all along with Apple and Android products. Now, with Apple and Android, their hands are tied also, but the question remains, and they remain hopeful, that Apple and Google can help them, and if so, will help them even if it's pursuant to a precedent the FBI is trying to set through a court order. Can Apple do what the FBI wants and do something to circumvent the ten tries before wipe and the iteration safeguards? Probably/maybe with a lot of work as Apple has already stated in its reply brief. Can BlackBerry do it? I would say probably not for all practical purposes. Someone mentioned certifications. There is clearly much more to device security than merely turning on encryption. If BlackBerry could somehow (remotely or physically) get access to users' encrypted data at rest, only BlackBerry and the NSA type agencies would know.
02-27-16 06:56 AM
- For those of you who are thinking decryption of full disk encryption can be easily accomplished by anyone there is an online resource that will help you put things in perspective. It estimates the length of time it will take to crack passwords of various strengths, but with a little arithmetic can be used to compare password strength to encryption strength.
To start let's assume that the phone has well implemented 128 bit AES. Unless there is information on what the key is it would take on the order of a thousand trillion centuries to brute force the key, even if you could make one hundred trillion guesses per second. Using the same technology cracking a 12 character complex password (one with upper and lower case, numbers and special characters) would take 3.76 years. Add one more character raises that to 2.59 centuries.
Now if you recall that what the FBI has asked Apple to do is remove the protection against brute force password guessing from the OS on this one phone, though I suspect that if Apple does this there will be more requests. The lesson here is that if you are worried about the FBI or anyone else doing the same thing to your phone just use a 13 character complex password. Or if you think you will still care in 250 years, a 14 character complex password.
LeapSTR100-2/10.3.2.2876
02-27-16 07:51 AM
- They're not even remotely close to the ones the general public uses. They have been heavily modified for security.
Posted via CB10
02-27-16 08:11 AM
- So... that's your definition of secure?
BTW... decrypt is removing the encryption and yes, but building a custom OS so that it can be brute forced in is decrypting a phone!
Posted via CB10
02-27-16 08:13 AM
- For those of you who are thinking decryption of full disk encryption can be easily accomplished by anyone there is an online resource that will help you put things in perspective. It estimates the length of time it will take to crack passwords of various strengths, but with a little arithmetic can be used to compare password strength to encryption strength.
To start let's assume that the phone has well implemented 128 bit AES. Unless there is information on what the key is it would take on the order of a thousand trillion centuries to brute force the key, even if you could make one hundred trillion guesses per second. Using the same technology cracking a 12 character complex password (one with upper and lower case, numbers and special characters) would take 3.76 years. Add one more character raises that to 2.59 centuries.
Now if you recall that what the FBI has asked Apple to do is remove the protection against brute force password guessing from the OS on this one phone, though I suspect that if Apple does this there will be more requests. The lesson here is that if you are worried about the FBI or anyone else doing the same thing to your phone just use a 13 character complex password. Or if you think you will still care in 250 years, a 14 character complex password.
LeapSTR100-2/10.3.2.2876
http://www.scientificamerican.com/ar...ption-scandal/
02-27-16 08:14 AM
- Well, the world leaders are not geeks. They most likely use their phones to talk and message, and not much else.
They likely have more secure communications than us, but they shouldn't.
Besides, as we have seen with Angela Merkel's phone, they aren't that secure either. I am pretty sure the NSA can break into Obama's phone and monitor his communications as they most likely do with those of congressmen. Remember Watergate?
Some of us use our phones as laptops, unlike world leaders, some of us actually create IP on our mobile laptops, don't just consume, or use apps, or listen to advisors to tell us what happened in the world today and what is new.
Just because some want to use a large laptop for work (old school), does not mean that everyone is like that. Besides these days, a laptop is almost as hackable and has as many backdoors as a cellphone if connected to the Internet. So you cannot really protect your IP even on a laptop.
So I can see how Obama does not need his device encrypted, maybe only his phone calls and messages. I doubt he creates strategic plans for the South China Sea on his phone.
Second, all men are created equal, even world leaders. They are public figures. They were elected to SERVE. We pay them. If anything, we should all be able to monitor what they do and what they say.
It's a matter of principle. BlackBerry should not intentionally make my phone less secure than the one they give to Obama. Sure, the NSA or whoever then takes that phone and modifies it to add extra protection, but that is a different matter altogether.
Here we are talking about phone companies that intentionally leave backdoors such that the phones of everyone in the public can be decrypted if needed.
We are all considered terrorists and not to be trusted.
A government or state who does that has already lost the trust of its citizens.
That is already a failed state. That's what happened to the former communist countries in Eastern Europe.
Their security services spied on everyone and assumed everyone was a potential terrorist and a threat to the state.
So, to summarize a long posting, this is a matter of principle.
In Canada, the privacy law is the same for everyone, including the prime minister.
It was his dad who said " the state has no business in the bedrooms of the nation".
We can extend that now to the smartphones and computers of the nation. They are just as private as the bedroom, more so because they contain a lot of what we think, who we are, what was only in our brains before.
Short of torture, there was no way to get into our brains, even with a legal warrant.
Ok, now back to the average person. I have a BES z10 that I also use for work and work makes me use a super secure password that I have to keep changing. BlackBerry's excellent picture password isn't even deemed good enough where I work. I am confident that this phone is as secure as reasonably can be.
The downside to all this security is the inconvenience of having to enter this password all the time. So if I want to quickly text, call, bbm, check weather, place sport betting, etc etc., I quickly grab my Q5 or Z30 which don't even have passwords because, much like the average person, I don't care that much about security. So it is a balance of convenience vs. security and at 82% Android share, the market has spoken as to what side of that equation they side with.
Have a great day folks.
Posted via caseless and passwordless z30.
Posted via CB10
02-27-16 08:32 AM
- The downside to all this security is the inconvenience of having to enter this password all the time. So if I want to quickly text, call, bbm, check weather, place sport betting, etc etc., I quickly grab my Q5 or Z30 which don't even have passwords because, much like the average person, I don't care that much about security. So it is a balance of convenience vs. security and at 82% Android share, the market has spoken as to what side of that equation they side with.
Have a great day folks.
Posted via caseless and passwordless z30.
Posted via CB10
When I started work in 1994, I had to use a hardware key whose number would change every minute to log in remotely to my work computer.
And I did not work for a security agency, just a hitech company.
I type in my two passwords every time I use my banking app. I have never saved a passport on my phone or in a browser or in the cloud or with password keeper.
This is so simple and basic.
People are just too lazy.
Last edited by sorinv; 02-27-16 at 09:26 AM.
02-27-16 09:04 AM
- What you're saying is that they can't do that today, but they can do it in a reasonable amount of time.
So... that's your definition of secure?
BTW... decrypt is removing the encryption and yes, but building a custom OS so that it can be brute forced in is decrypting a phone!
Posted via CB10
It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.
NSA Efforts to Evade Encryption Technology Damaged U.S. Cryptography Standard - Scientific American
02-27-16 09:05 AM
- It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.
http://www.scientificamerican.com/ar...ption-scandal/
Have you looked into how successful that project was? Most knowledgeable developers would not have used Dual EC DRNG because of the performance in comparison to other algorithms available in the standard. BlackBerry, who holds the patent for the algorithm through their purchase of Certicom, never used it. When those shenanigans came to light it significantly damaged the relationship between NIST and the NSA.
Time moves on. If anyone significant was using that algorithm they stopped in 2013. The need to use DRNG has all but faded into the past. The ability to generate truly random numbers on systems has become ubiquitous. I have a $20 Raspberry Pi that has a hardware random number generator capable of providing all the entropy the system needs.
Will state level actors try something similar in the future? Perhaps, but once bitten twice shy. There is lots of public discourse about cryptographic standards and implementations today, even when compared to 2013. Any major manufacturers who use questionable algorithms or implementations will be quickly discovered, and they know it.
LeapSTR100-2/10.3.2.2876
02-27-16 09:27 AM
- It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.
http://www.scientificamerican.com/ar...ption-scandal/
Posted via CB10/BB PP SE.
02-27-16 09:34 AM
- Security is an arms race. You build the defence you can, and it withstands attacks for a while. Attacks always get better and eventually you have to improve your defence. And on it goes.
LeapSTR100-2/10.3.2.2876
02-27-16 09:40 AM
- It allows you to conveniently enable two factor authentication. Sure, physical access to your smartphone can be compromised but that's why the encryption on your handset is so important. Anyone who can do that has access to literally everything.
02-27-16 09:54 AM
- The NSA doesn't give a flying spaghetti monster about chain-of-custody or related forensic matters when it comes to what they intercept and do. Their remit is to prevent the US government from being "surprised" by foreign parties, whether allegedly friendly or not, because "surprises" in this context are usually of the ugly kind.
The FBI is a LAW ENFORCEMENT agency. It therefore specifically does care about such issues, because if they do things that ignore said issues and then allegedly "catch" someone and try them in a courtroom they lose the case if they violate those rules and the person they charged, even if guilty, walks.
I have done forensic work for various parties before and it is absolutely critical that you be able to document and prove, in court, that whatever was seized under the authority you had is EXACTLY what you are presenting as evidence. If you cannot do that then the evidence is suppressed and anything it led to without another independent means of discovery is also suppressed. That quite-frequently means someone who is guilty gets away with whatever they did.
It is easy enough to say that the NSA should simply hack the phone, provided they can. But the act of doing so will render anything on there and anything it leads to inadmissible. That doesn't stop the FBI from disrupting a future attack but it most-certainly would prevent them from prosecuting anyone that they find who was connected to the San Bernardino attacks through that examination.
Needless to say they're not at all interested in potentially destroying the only chain of evidence they have that might lead to other people that they can lock up, even if it means they are unable to disrupt a potential second or other future attack.
BTW without a hardware trust store that enforces both a rate limit and maximum number of tries after which it erases the encryption keys it holds if the software on the device can be updated without unlocking it (until and unless proved otherwise you must assume that it can, and no, that an autoloader ASKS for a password does not prove it cannot be overridden by BlackBerry) then all limits on the means of "guessing" said passcode, even if everything else is secure, can be removed. Yes, this means that said prohibition on updates must also apply to any firmware that (independently, in some cases) runs the trust store. A TCM that can have a firmware update applied to it while it holds encryption keys that are sealed is NOT secure, period.
What Apple has successfully managed to "sell" people is that a 4-digit PIN is "reasonably" secure because the odds of guessing it successfully before it auto-erases is 1-in-1,000. What they didn't bother to tell you is that their bootloader will allow the loading of code DIRECTLY into RAM or into the flash of the device even if it is locked. Apple's motion to vacate makes clear in the declaration of one of their security engineers that in fact this capability exists.
That makes their ENTIRE so-called "security model" similar to putting an "uncrackable" lock on a door made out of cardboard painted to look like solid metal.
02-27-16 09:54 AM
- When you look at the nation state level, at the top levels iPhones cannot be used because they have been remotely hacked. Ask Angela Merkel about how the US hacked her communications. With some tweaking, you can secure a BB10 device so other hackers at the nation state level cannot hack it. You can even still get that level of security with a BB7 Blackberry 9900 with some custom work. Unfortunately, security does not sell vs having 20 Candy Crush clones on a consumer phone.
02-27-16 10:07 AM
- ...
A TCM that can have a firmware update applied to it while it holds encryption keys that are sealed is NOT secure, period.
What Apple has successfully managed to "sell" people is that a 4-digit PIN is "reasonably" secure because the odds of guessing it successfully before it auto-erases is 1-in-1,000. What they didn't bother to tell you is that their bootloader will allow the loading of code DIRECTLY into RAM or into the flash of the device even if it is locked. Apple's motion to vacate makes clear in the declaration of one of their security engineers that in fact this capability exists.
That makes their ENTIRE so-called "security model" similar to putting an "uncrackable" lock on a door made out of cardboard painted to look like solid metal.
There're other kinds of backdoors, to name a few representatives:
* iCloud, which stores backup copy of data to cloud in cleartext or independently-decryptable form.
* Clipper chip, which escrows backup copy of the [device-unique] encryption key to server for independent decryption.
* NSAKEY, which allows its owner (NSA) to independently sign any update to the OS (Microsoft Windows). (Microsoft has confirmed NSAKEY exists and it belongs solely to MS but failed to prove ownership although such a proof, a digital signature, could take only a millisecond to create and to verify.)
So, as I've said, BB is more secure than iPhone (in the sense of confidentiality) because it does not pose anything like iCloud. Whether it is secure enough (read: backdoor-free) is another story.
Posted via CB10/BB PP SE.
02-27-16 10:54 AM
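The keyspace arithmetic behind the brute-force estimates and the "1-in-1,000" PIN figure quoted in this thread, as an added example that is not from any poster or from the online resource they mention. The 69-symbol alphabet and the 12.5 guesses per second on-device rate are assumptions chosen for illustration; only the 10^14 guesses per second rate comes from the thread.

```python
from fractions import Fraction

SECONDS_PER_YEAR = 365.25 * 24 * 3600

OFFLINE_RATE = 1e14      # from the thread: one hundred trillion guesses per second
COMPLEX_ALPHABET = 69    # assumption: size of the "complex" character set
ON_DEVICE_RATE = 12.5    # assumption: constructed 0.08 s per guess when the
                         # device itself must run each attempt and no limit applies


def keyspace(alphabet_size, length):
    """Number of candidate secrets of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(space, guesses_per_second):
    """Worst case: every candidate has to be tried."""
    return space / guesses_per_second


def years_to_exhaust(space, guesses_per_second):
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def p_guess_within_limit(space, max_tries):
    """Chance of hitting a uniformly chosen secret in `max_tries` distinct guesses."""
    return Fraction(min(max_tries, space), space)


def min_length(alphabet_size, guesses_per_second, target_years):
    """Shortest length whose full keyspace outlasts `target_years`."""
    length = 1
    while years_to_exhaust(keyspace(alphabet_size, length),
                           guesses_per_second) < target_years:
        length += 1
    return length


def summary():
    pin_space = keyspace(10, 4)
    return {
        # A 128-bit key versus passwords at the thread's offline guess rate.
        "aes128_centuries": years_to_exhaust(2 ** 128, OFFLINE_RATE) / 100,
        "complex12_years": years_to_exhaust(
            keyspace(COMPLEX_ALPHABET, 12), OFFLINE_RATE),
        "complex13_years": years_to_exhaust(
            keyspace(COMPLEX_ALPHABET, 13), OFFLINE_RATE),
        # A 4-digit PIN with an enforced 10-try wipe, then with no limit at all.
        "pin4_p_with_10_try_wipe": p_guess_within_limit(pin_space, 10),
        "pin4_seconds_without_limit": seconds_to_exhaust(pin_space, ON_DEVICE_RATE),
        # Lengths needed to hold for 100 years under each guessing model.
        "digits_needed_100y_on_device": min_length(10, ON_DEVICE_RATE, 100),
        "complex_needed_100y_on_device": min_length(
            COMPLEX_ALPHABET, ON_DEVICE_RATE, 100),
        "complex_needed_100y_offline": min_length(
            COMPLEX_ALPHABET, OFFLINE_RATE, 100),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name:32} {value}")
```

The PIN rows show what the try limit is worth: with the wipe enforced the chance of a correct guess is 1 in 1,000, while without it the whole 4-digit space is covered in minutes, so the passcode length has to carry the protection on its own.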