04-18-16 12:33 AM
  1. sorinv's Avatar
    I'm on a password locked BlackBerry 10, my device and media card files are encrypted, and I am still confident that no "law enforcement" up to state police levels (I'll even speculate to FBI level) will get meaningful access to those encrypted files even with BlackBerry's help.
    TheAuthority, I hope you are right about the last statement.
    02-26-16 10:16 PM
  2. anon(9607753)'s Avatar
    TheAuthority, I hope you are right about the last statement.
    Depends. If they contain schematics for a bomb I would beg to differ.

    Posted via CB10
    Alain_A likes this.
    02-26-16 10:32 PM
  3. southlander's Avatar
    I'm on a password locked BlackBerry 10, my device and media card files are encrypted, and I am still confident that no "law enforcement" up to state police levels (I'll even speculate to FBI level) will get meaningful access to those encrypted files even with BlackBerry's help.
    Assuming you have a sufficiently complex password I would say not.

    Posted via the CrackBerry App for Android
    02-26-16 11:33 PM
  4. sorinv's Avatar
    Assuming you have a sufficiently complex password I would say not.

    Posted via the CrackBerry App for Android
    What do you mean? If his password were 1234 he would be safer than if he has a 16 character password?
    02-27-16 01:37 AM
  5. Paintman321's Avatar
    That is not really a conclusion that you can draw from that article.
    All he said was that BlackBerry does not save the text of the message sent.
    Here we are talking about files encrypted on the phone that may never be sent out through BBM, email, sftp, or whatever.

    If BlackBerry or NSA, or CSICS, or GCHQ, or the FSB (Russian secret service) or Chinese Secret service or whatever secret service can get into the phone and decrypt and extract those files, it is definitely a backdoor.
    I agree that from that we can't draw the conclusion about getting access from the device from the quote. However, he has also stated previously that:
    "However, it is also true that corporations must reject attempts by federal agencies to overstep. BlackBerry has refused to place backdoors in its devices and software."

    I believe that when he says backdoors it is also backdoors for BlackBerry to our devices if encrypted and password protected.

    Posted via CB10
    02-27-16 01:37 AM
  6. sorinv's Avatar
    Depends. If they contain schematics for a bomb I would beg to differ.

    Posted via CB10
    I see it now. The encryption only works for some people and its efficiency changes with the content of the information on your phone which is known a priori, before they decrypt the file, to the security agencies.
    I wish they were that smart, but 9-11 and all the terrorism and mass shootings in US prove otherwise.
    02-27-16 01:38 AM
  7. buwee's Avatar
    It's hilarious to see some paranoid posters on here, world leaders use Blackberry phones to communicate everyday and we have a few individuals on this forum feeling the phones aren't secure enough for their own use LOL. Time to make some more popcorn and put up my feet.
    Alain_A and web99 like this.
    02-27-16 03:05 AM
  8. sorinv's Avatar
    Well, the world leaders are not geeks. They most likely use their phones to talk and message, and not much else.

    They likely have more secure communications than us, but they shouldn't.
    Besides, as we have seen with Angela Merkel's phone, they aren't that secure either. I am pretty sure the NSA can break into Obama's phone and monitor his communications as they most likely do with those of congressmen. Remember Watergate?

    Some of us use our phones as laptops, unlike world leaders, some of us actually create IP on our mobile laptops, don't just consume, or use apps, or listen to advisors to tell us what happened in the world today and what is new.

    Just because some want to use a large laptop for work (old school), does not mean that everyone is like that. Besides these days, a laptop is almost as hackable and has as many backdoors as a cellphone if connected to the Internet. So you cannot really protect your IP even on a laptop.

    So I can see how Obama does not need his device encrypted, maybe only his phone calls and messages. I doubt he creates strategic plans for the South China Sea on his phone.

    Second, all men are created equal, even world leaders. They are public figures. They were elected to SERVE. We pay them. If anything, we should all be able to monitor what they do and what they say.

    It's a matter of principle. BlackBerry should not intentionally make my phone less secure than the one they give to Obama. Sure, the NSA or whoever then takes that phone and modifies it to add extra protection, but that is a different matter altogether.

    Here we are talking about phone companies that intentionally leave backdoors such that the phones of everyone in the public can be decrypted if needed.

    We are all considered terrorists and not to be trusted.
    A government or state who does that has already lost the trust of its citizens.
    That is already a failed state. That's what happened to the former communist countries in Eastern Europe.

    Their security services spied on everyone and assumed everyone was a potential terrorist and a threat to the state.


    So, to summarize a long posting, this is a matter of principle.

    In Canada, the privacy law is the same for everyone, including the prime minister.
    It was his dad who said "the state has no business in the bedrooms of the nation".
    We can extend that now to the smartphones and computers of the nation. They are just as private as the bedroom, more so because they contain a lot of what we think, who we are, what was only in our brains before.

    Short of torture, there was no way to get into our brains, even with a legal warrant.
    Last edited by sorinv; 02-27-16 at 04:19 AM.
    02-27-16 03:31 AM
  9. Frehley's Avatar
    Now for $24 a year for BES Cloud my BlackBerry is even more secure

    Posted via CB10
    Where can I get more information on this?
    02-27-16 04:17 AM
  10. TheAuthority's Avatar
    Depends. If they contain schematics for a bomb I would beg to differ.

    Posted via CB10
    Whether the NSA could get meaningful access (with or without BlackBerry's help) is a mystery, but if it could we would not know about it. NSA would not reveal that capability, that advantage in a local or federal court just because someone might have information about drug dealing or other alleged contraband on his BlackBerry.

    Assuming you have a sufficiently complex password I would say not.

    Posted via the CrackBerry App for Android
    What do you mean? If his password were 1234 he would be safer than if he has a 16 character password?
    I see it now. The encryption only works for some people and its efficiency changes with the content of the information on your phone which is known a priori, before they decrypt the file, to the security agencies.
    I wish they were that smart, but 9-11 and all the terrorism and mass shootings in US prove otherwise.
    I use a long, complex password just in case, with my reasoning being that if a short, simple one was good enough, the option to use a long, complex one would not be there.

    If local police and FBI had any chance to crack BlackBerry, it would be well known as these things are discussed openly on forensic forums. The companies that serve as vendors to police and attorneys, those manufacturers who make the tools and the forensic labs who offer the services would be bragging about the capability as they have been all along with apple and android products. Now, with apple and android, their hands are tied also, but the question remains, and they remain hopeful, that apple and google can help them, and if so, will help them even if it's pursuant to a precedent the FBI is trying to set through a court order. Can apple do what the FBI wants and do something to circumvent the ten tries before wipe and the iteration safeguards? Probably/maybe with a lot of work as apple has already stated in its reply brief. Can BlackBerry do it? I would say probably not for all practical purposes. Someone mentioned certifications. There is clearly much more to device security than merely turning on encryption. If BlackBerry could somehow (remotely or physically) get access to users' encrypted data at rest, only BlackBerry and the NSA type agencies would know.
    02-27-16 06:56 AM
  11. Richard Buckley's Avatar
    For those of you who are thinking decryption of full disk encryption can be easily accomplished by anyone there is an online resource that will help you put things in perspective. It estimates the length of time it will take to crack passwords of various strengths, but with a little arithmetic can be used to compare password strength to encryption strength.

    To start let's assume that the phone has well implemented 128 bit AES. Unless there is information on what the key is it would take on the order of a thousand trillion centuries to brute force the key, even if you could make one hundred trillion guesses per second. Using the same technology cracking a 12 character complex password (one with upper and lower case, numbers and special characters) would take 3.76 years. Add one more character raises that to 2.59 centuries.

    Now if you recall that what the FBI has asked Apple to do is remove the protection against brute force password guessing from the OS on this one phone, though I suspect that if Apple does this there will be more requests. The lesson here is that if you are worried about the FBI or anyone else doing the same thing to your phone just use a 13 character complex password. Or if you think you will still care in 250 years, a 14 character complex password.

    LeapSTR100-2/10.3.2.2876
    southlander likes this.
    02-27-16 07:51 AM
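Added example (not part of any post in this thread): the arithmetic described in the post above, generalized to any alphabet and guess rate so that password strength can be compared directly with a 128-bit key. The guess rate is the post's; the 95-symbol alphabet and the 1000-year target are assumptions, since the post does not state the alphabet behind its figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE = 1e14      # guesses per second: the post's "one hundred trillion"
ALPHABET = 95    # assumption: printable ASCII; the post gives no alphabet size

# All figures assume passwords chosen uniformly at random. Human-chosen
# passwords occupy a far smaller space and fall much sooner.


def password_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet)


def years_to_exhaust(bits, rate=RATE):
    """Worst-case years to try every value of a search space of 2**bits."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def min_length_for_years(years, alphabet=ALPHABET, rate=RATE):
    """Shortest random password whose full search takes at least `years`."""
    guesses_needed = years * SECONDS_PER_YEAR * rate
    return math.ceil(math.log2(guesses_needed) / math.log2(alphabet))


def length_matching_key(key_bits=128, alphabet=ALPHABET):
    """Password length at which guessing the password costs as much as
    guessing the key, i.e. where the password stops being the weak link."""
    return math.ceil(key_bits / math.log2(alphabet))


def summary():
    """(alphabet name, length for 1000 years, length matching AES-128)."""
    rows = []
    for name, alphabet in (("digits", 10), ("lowercase", 26),
                           ("printable ASCII", 95)):
        rows.append((name,
                     min_length_for_years(1000, alphabet),
                     length_matching_key(128, alphabet)))
    return rows


if __name__ == "__main__":
    centuries = years_to_exhaust(128) / 100
    print(f"128-bit key at {RATE:.0e} guesses/s: {centuries:.2e} centuries")
    for name, for_1000y, for_key in summary():
        print(f"{name:16} 1000 years: {for_1000y:2d} chars   "
              f"equal to 128-bit key: {for_key:2d} chars")
```
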
  12. byex's Avatar
    It's hilarious to see some paranoid posters on here, world leaders use Blackberry phones to communicate everyday and we have a few individuals on this forum feeling the phones aren't secure enough for their own use LOL. Time to make some more popcorn and put up my feet.
    World leaders may use BlackBerrys.
    They're not even remotely close to the ones the general public uses. They have been heavily modified for security.


    Posted via CB10
    02-27-16 08:11 AM
  13. bobshine's Avatar
    No, Apple cannot do that today. Apple would need to build a specialized version of iOS which would remove features that prevent brute-force hacks of the iPhone's passcode. Apple is refusing to create this, which is what the FBI is attempting to make them do.
    What you're saying is that they can't do that today, but they can do it in a reasonable amount of time.

    So... that's your definition of secure?

    BTW... decrypt is removing the encryption and yes, but building a custom OS so that it can be brute forced in is decrypting a phone!


    Posted via CB10
    02-27-16 08:13 AM
  14. sorinv's Avatar
    For those of you who are thinking decryption of full disk encryption can be easily accomplished by anyone there is an online resource that will help you put things in perspective. It estimates the length of time it will take to crack passwords of various strengths, but with a little arithmetic can be used to compare password strength to encryption strength.

    To start let's assume that the phone has well implemented 128 bit AES. Unless there is information on what the key is it would take on the order of a thousand trillion centuries to brute force the key, even if you could make one hundred trillion guesses per second. Using the same technology cracking a 12 character complex password (one with upper and lower case, numbers and special characters) would take 3.76 years. Add one more character raises that to 2.59 centuries.

    Now if you recall that what the FBI has asked Apple to do is remove the protection against brute force password guessing from the OS on this one phone, though I suspect that if Apple does this there will be more requests. The lesson here is that if you are worried about the FBI or anyone else doing the same thing to your phone just use a 13 character complex password. Or if you think you will still care in 250 years, a 14 character complex password.

    LeapSTR100-2/10.3.2.2876
    It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.

    http://www.scientificamerican.com/ar...ption-scandal/
    02-27-16 08:14 AM
  15. z10Jobe's Avatar
    Well, the world leaders are not geeks. They most likely use their phones to talk and message, and not much else.

    They likely have more secure communications than us, but they shouldn't.
    Besides, as we have seen with Angela Merkel's phone, they aren't that secure either. I am pretty sure the NSA can break into Obama's phone and monitor his communications as they most likely do with those of congressmen. Remember Watergate?

    Some of us use our phones as laptops, unlike world leaders, some of us actually create IP on our mobile laptops, don't just consume, or use apps, or listen to advisors to tell us what happened in the world today and what is new.

    Just because some want to use a large laptop for work (old school), does not mean that everyone is like that. Besides these days, a laptop is almost as hackable and has as many backdoors as a cellphone if connected to the Internet. So you cannot really protect your IP even on a laptop.

    So I can see how Obama does not need his device encrypted, maybe only his phone calls and messages. I doubt he creates strategic plans for the South China Sea on his phone.

    Second, all men are created equal, even world leaders. They are public figures. They were elected to SERVE. We pay them. If anything, we should all be able to monitor what they do and what they say.

    It's a matter of principle. BlackBerry should not intentionally make my phone less secure than the one they give to Obama. Sure, the NSA or whoever then takes that phone and modifies it to add extra protection, but that is a different matter altogether.

    Here we are talking about phone companies that intentionally leave backdoors such that the phones of everyone in the public can be decrypted if needed.

    We are all considered terrorists and not to be trusted.
    A government or state who does that has already lost the trust of its citizens.
    That is already a failed state. That's what happened to the former communist countries in Eastern Europe.

    Their security services spied on everyone and assumed everyone was a potential terrorist and a threat to the state.


    So, to summarize a long posting, this is a matter of principle.

    In Canada, the privacy law is the same for everyone, including the prime minister.
    It was his dad who said "the state has no business in the bedrooms of the nation".
    We can extend that now to the smartphones and computers of the nation. They are just as private as the bedroom, more so because they contain a lot of what we think, who we are, what was only in our brains before.

    Short of torture, there was no way to get into our brains, even with a legal warrant.
    Much like Mr. Buwee (presumably not his real name) it is interesting to say the least to watch this thread. However I gotta step in at this point for clarification. Merkel used to use a Nokia, but because her Nokia was hacked, she switched to a BlackBerry Z10, which as far as we know is quite secure. Also another 40,000 or so Z10 were bought by the German government for high level uses. Ipads are also banned from high level meetings because of security concerns.

    Ok, now back to the average person. I have a BES z10 that I also use for work and work makes me use a super secure password that I have to keep changing. BlackBerry's excellent picture password isn't even deemed good enough where I work. I am confident that this phone is as secure as reasonably can be.

    The downside to all this security is the inconvenience of having to enter this password all the time. So if I want to quickly text, call, bbm, check weather, place sport betting, etc etc., I quickly grab my Q5 or Z30 which don't even have passwords because, much like the average person, I don't care that much about security. So it is a balance of convenience vs. security and at 82% Android share, the market has spoken as to what side of that equation they side with.

    Have a great day folks.

    Posted via caseless and passwordless z30.



    Posted via CB10
    TgeekB likes this.
    02-27-16 08:32 AM
  16. sorinv's Avatar
    The downside to all this security is the inconvenience of having to enter this password all the time. So if I want to quickly text, call, bbm, check weather, place sport betting, etc etc., I quickly grab my Q5 or Z30 which don't even have passwords because, much like the average person, I don't care that much about security. So it is a balance of convenience vs. security and at 82% Android share, the market has spoken as to what side of that equation they side with.

    Have a great day folks.

    Posted via caseless and passwordless z30.
    Posted via CB10
    This is such basic stuff. We had to change our password every month in 1991 when I was a graduate student. It's basic stuff that normal people have to do. It's not for the security of presidents.
    When I started work in 1994, I had to use a hardware key whose number would change every minute to log in remotely to my work computer.
    And I did not work for a security agency, just a hitech company.

    I type in my two passwords every time I use my banking app. I have never saved a passport on my phone or in a browser or in the cloud or with password keeper.
    This is so simple and basic.
    People are just too lazy.


    Last edited by sorinv; 02-27-16 at 09:26 AM.
    02-27-16 09:04 AM
  17. TheAuthority's Avatar
    What you're saying is that they can't do that today, but they can do it in a reasonable amount of time.

    So... that's your definition of secure?

    BTW... decrypt is removing the encryption and yes, but building a custom OS so that it can be brute forced in is decrypting a phone!


    Posted via CB10
    Apple phones with or without encryption have never been as secure as BlackBerry phones. For example, in the past (not sure about today), plug-in forensic equipment has been able to circumvent iphones' passwords and allowed access to their data whether encrypted or not. This has never been the case with BlackBerry smartphones. There has never been any way to bypass a BlackBerry's password with plug-in equipment; to access a password protected BlackBerry's data, it has been necessary to physically remove the device's memory chip, a more difficult process which runs the risk of destroying the chip and its data. This means that conceivably some password locked, unencrypted BlackBerry smartphones have been more secure than even password locked, encrypted iphones if their encryption and/or encryption implementation has been weak. This means that the iphone's entire security design (encryption, its implementation, its os, update process, password implementation, etc.) has been and, going back to certifications, likely still is weaker than BlackBerry's. Even if apple can force an os update or new os to the iphone in question doesn't mean that BlackBerry can do that to any password locked BlackBerry that has automatic updates turned off.

    It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.

    NSA Efforts to Evade Encryption Technology Damaged U.S. Cryptography Standard - Scientific American
    The stuff Snowden revealed including the NSA's tampering with components during manufacturing and the weakening of things like random number generators has not been revealed to have been used in convicting people of crimes. One could probably even commit an ordinary murder and never have this stuff used against him. Assuming the NSA's capabilities are as robust as they have been reported to be, and if one was suspected of plotting an act of war, he would probably find his plot foiled with no admission of encryption breaking or phone hacking. Even with the NSA's purported capabilities, the Boston marathon incident was not prevented (assuming it was perpetrated by the accused and not by the government itself). The Paris attack was not prevented even when relevant communications were not encrypted. I would propose that if the NSA's capabilities were as robust as reported, they would more likely be used to exercise control over world leaders (figureheads) and over pain in the *** dissidents, to keep all of them in line with blackmail, skeletons in the closet, threats to family, etc. to maintain the status quo as the people in positions of ultimate power direct.
    02-27-16 09:05 AM
  18. Richard Buckley's Avatar
    It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.

    http://www.scientificamerican.com/ar...ption-scandal/
    You are correct, it is not that simple.

    Have you looked into how successful that project was? Most knowledgeable developers would not have used Dual EC DRNG because of the performance in comparison to other algorithms available in the standard. BlackBerry, who holds the patent for the algorithm through their purchase of Certicom, never used it. When those shenanigans came to light it significantly damaged the relationship between NIST and the NSA.

    Time moves on. If anyone significant was using that algorithm they stopped in 2013. The need to use DRNG has all but faded into the past. The ability to generate truly random numbers on systems has become ubiquitous. I have a $20 Raspberry Pi that has a hardware random number generator capable of providing all the entropy the system needs.

    Will state level actors try something similar in the future? Perhaps, but once bitten twice shy. There is lots of public discourse about cryptographic standards and implementations today, even when compared to 2013. Any major manufacturers who use questionable algorithms or implementations will be quickly discovered, and they know it.

    LeapSTR100-2/10.3.2.2876
    02-27-16 09:27 AM
  19. dusanvn's Avatar
    It is not that simple. It is not clear that the encryption algorithms have not been tampered with again.

    http://www.scientificamerican.com/ar...ption-scandal/
    Improbable. Many experts have tried cryptanalyzing the AES. Some have broken it with a marginally small success. So, the general consensus is AES is safe. The elliptic-curve PRNG which was probably tampered with by the NSA (cited article) is another story.

    Posted via CB10/BB PP SE.
    02-27-16 09:34 AM
  20. Richard Buckley's Avatar
    ... There has never been any way to bypass a BlackBerry's password with plug-in equipment; ...
    Actually if you go back far enough there was a time when plug in equipment could bypass the password lock on a BlackBerry. There was also a time when someone could determine your BlackBerry password by examining your encrypted SDCARD.

    Security is an arms race. You build the defence you can, and it withstands attacks for a while. Attacks always get better and eventually you have to improve your defence. And on it goes.




    LeapSTR100-2/10.3.2.2876
    02-27-16 09:40 AM
  21. early2bed's Avatar
    I type in my two passwords every time I use my banking app. I have never saved a passport on my phone or in a browser or in the cloud or with password keeper.
    This is so simple and basic.
    People are just too lazy.
    Well, either you are very good at remembering several changing alphanumeric passwords or you use the same password for multiple accounts or some kind of pattern that is keyed to each account, etc. Most people use their smartphones to store complex passwords, enable two factor authentication, biometric verification, or serve as a hardware key. It's a great tool for doing this.

    It allows you to conveniently enable two factor authentication. Sure, physical access to your smartphone can be compromised but that's why the encryption on your handset is so important. Anyone who can do that has access to literally everything.
    02-27-16 09:54 AM
  22. tickerguy's Avatar
    The NSA doesn't give a flying spaghetti monster about chain-of-custody or related forensic matters when it comes to what they intercept and do. Their remit is to prevent the US government from being "surprised" by foreign parties, whether allegedly friendly or not, because "surprises" in this context are usually of the ugly kind.

    The FBI is a LAW ENFORCEMENT agency. It therefore specifically does care about such issues, because if they do things that ignore said issues and then allegedly "catch" someone and try them in a courtroom they lose the case if they violate those rules and the person they charged, even if guilty, walks.

    I have done forensic work for various parties before and it is absolutely critical that you be able to document and prove, in court, that whatever was seized under the authority you had is EXACTLY what you are presenting as evidence. If you cannot do that then the evidence is suppressed and anything it led to without another independent means of discovery is also suppressed. That quite-frequently means someone who is guilty gets away with whatever they did.

    It is easy enough to say that the NSA should simply hack the phone, provided they can. But the act of doing so will render anything on there and anything it leads to inadmissible. That doesn't stop the FBI from disrupting a future attack but it most-certainly would prevent them from prosecuting anyone that they find who was connected to the San Bernardino attacks through that examination.

    Needless to say they're not at all interested in potentially destroying the only chain of evidence they have that might lead to other people that they can lock up, even if it means they are unable to disrupt a potential second or other future attack.

    BTW without a hardware trust store that enforces both a rate limit and maximum number of tries after which it erases the encryption keys it holds if the software on the device can be updated without unlocking it (until and unless proved otherwise you must assume that it can, and no, that an autoloader ASKS for a password does not prove it cannot be overridden by BlackBerry) then all limits on the means of "guessing" said passcode, even if everything else is secure, can be removed. Yes, this means that said prohibition on updates must also apply to any firmware that (independently, in some cases) runs the trust store. A TCM that can have a firmware update applied to it while it holds encryption keys that are sealed is NOT secure, period.

    What Apple has successfully managed to "sell" people is that a 4-digit PIN is "reasonably" secure because the odds of guessing it successfully before it auto-erases is 1-in-1,000. What they didn't bother to tell you is that their bootloader will allow the loading of code DIRECTLY into RAM or into the flash of the device even if it is locked. Apple's motion to vacate makes clear in the declaration of one of their security engineers that in fact this capability exists.

    That makes their ENTIRE so-called "security model" similar to putting an "uncrackable" lock on a door made out of cardboard painted to look like solid metal.
    02-27-16 09:54 AM
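Added example (not part of any post in this thread): a toy model of the design point in the post above, comparing a key store that refuses policy updates while it holds sealed keys with one that accepts them. The `TrustStore` class, its parameters and the sample PIN are all hypothetical and model no real device.

```python
import hashlib
import hmac
import os
from itertools import product


class KeyWiped(Exception):
    """Raised once the store has destroyed the key it was protecting."""


class TrustStore:
    """Toy hardware key store (hypothetical). The try counter, the delay and
    the wipe are enforced in here, not in the OS that calls it."""

    def __init__(self, pin, max_tries=10, delay_s=5.0, update_while_sealed=False):
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)
        self._key = os.urandom(32)        # the sealed data-encryption key
        self.max_tries = max_tries        # None means unlimited guesses
        self.delay_s = delay_s            # enforced wait per attempt
        self.update_while_sealed = update_while_sealed
        self.failed = 0
        self.clock_s = 0.0                # simulated seconds spent waiting

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 20)

    def unseal(self, pin):
        if self._key is None:
            raise KeyWiped("key material erased")
        self.clock_s += self.delay_s
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self.failed = 0
            return self._key
        self.failed += 1
        if self.max_tries is not None and self.failed >= self.max_tries:
            self._key = None              # erase rather than allow more guesses
        return None

    def apply_firmware(self, max_tries, delay_s, pin=None):
        """Replace the guessing policy. Returns False if the update is refused."""
        unlocked = pin is not None and hmac.compare_digest(
            self._derive(pin), self._verifier)
        if not unlocked and not self.update_while_sealed:
            return False
        self.max_tries, self.delay_s = max_tries, delay_s
        return True


def search_outcome(store, digits=4):
    """Design test: enumerate every PIN and report what the store allowed."""
    tries = 0
    for combo in product("0123456789", repeat=digits):
        tries += 1
        try:
            if store.unseal("".join(combo)) is not None:
                return {"recovered": True, "tries": tries, "wait_s": store.clock_s}
        except KeyWiped:
            return {"recovered": False, "tries": tries - 1, "wait_s": store.clock_s}
    return {"recovered": False, "tries": tries, "wait_s": store.clock_s}


def compare_designs(pin="7391"):          # constructed sample PIN
    results = {}
    for name, store in (("hardened", TrustStore(pin)),
                        ("weak", TrustStore(pin, update_while_sealed=True))):
        # Policy-removing update offered while locked, with no PIN supplied.
        accepted = store.apply_firmware(max_tries=None, delay_s=0.0)
        results[name] = dict(search_outcome(store), update_accepted=accepted)
    return results


if __name__ == "__main__":
    for name, outcome in compare_designs().items():
        print(name, outcome)
```

The hardened store stops the enumeration at ten tries and wipes the key; the store that accepts the update while sealed gives up the key with no enforced wait, which is why the update path belongs in the threat model alongside the PIN length.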
  23. Ralph Ellis's Avatar
    When you look at the nation state level, at the top levels Iphones cannot be used because they have been remotely hacked. Ask Angela Merkel about how the US hacked her communications. With some tweaking, you can secure a BB10 device so other hackers at the nation state level cannot hack it. You can even still get that level of security with a BB7 Blackberry 9900 with some custom work. Unfortunately, security does not sell vs having 20 Candy Crush clones on a consumer phone.
    02-27-16 10:07 AM
  24. dusanvn's Avatar
    ...

    A TCM that can have a firmware update applied to it while it holds encryption keys that are sealed is NOT secure, period.

    What Apple has successfully managed to "sell" people is that a 4-digit PIN is "reasonably" secure because the odds of guessing it successfully before it auto-erases is 1-in-1,000. What they didn't bother to tell you is that their bootloader will allow the loading of code DIRECTLY into RAM or into the flash of the device even if it is locked. Apple's motion to vacate makes clear in the declaration of one of their security engineers that in fact this capability exists.

    That makes their ENTIRE so-called "security model" similar to putting an "uncrackable" lock on a door made out of cardboard painted to look like solid metal.
    This update capability is a backdoor. And Apple's security model is a model equipped with this capability. I would say every security model with a backdoor is _less_ secure with respect to confidentiality but _more_ secure with respect to availability of information.

    There're other kinds of backdoors, to name a few representatives:

    * iCloud, which stores backup copy of data to cloud in cleartext or independently-decryptable form.

    * Clipper chip, which escrows backup copy of the [device-unique] encryption key to server for independent decryption.

    * NSAKEY, which allows its owner (NSA) to independently sign any update to the OS (Microsoft Windows). (Microsoft has confirmed NSAKEY exists and it belongs solely to MS but failed to prove ownership although such a proof, a digital signature, could take only a millisecond to create and to verify.)

    So, as I've said, BB is more secure than iPhone (in the sense of confidentiality) because it does not pose anything like iCloud. Whether it is secure enough (read: backdoor-free) is another story.


    Posted via CB10/BB PP SE.
    02-27-16 10:54 AM
  25. filanto's Avatar
    What do you mean? If his password were 1234 he would be safer than if he has a 16 character password?
    The same password as my luggage

    Posted via CB10
    02-27-16 11:18 AM